Les cookies nous permettent à Google de vous proposer des services plus facilement. En utilisant ces services, vous nous donnez expressément votre accord pour exploiter ces cookies.En savoir plus OK

Cisco Catalyst 9130 シリーズ アクセスポイント導入ガイド

Cisco Catalyst 9130 シリーズ アクセスポイント導入ガイド Revenir à l'accueil

Cliquez sur le pdf pour le télécharger

 

© 2020 Cisco and/or its affiliates. All rights reserved. 1/52 ページ Cisco Catalyst 9130 シリーズ アクセスポイント導入ガイド 導入ガイド Cisco Public © 2020 Cisco and/or its affiliates. All rights reserved. 2/52 ページ 目次 Cisco Catalyst 9130 シリーズの概要: 3 次世代モビリティに対応した設計 3 Cisco Catalyst 9130 シリーズの主な機能 3 Cisco Catalyst 9130 シリーズの主な機能 4 取り付けオプション 6 チャネルレールアダプタ 8 Power over Ethernet(PoE) 13 内蔵 Cisco RF ASIC 14 Cisco Catalyst 9130I 内部アンテナシステム 15 アンテナの改善 16 Cisco Catalyst 9130E(外部アンテナモデル) 19 レガシーアンテナのサポート 20 Self-Identifying Antenna について 25 フレキシブル ラジオ アサインメントについて 40 FRA とデュアル 5 GHz の動作 40 デュアル DFS - RF ASIC 43 FastLocate - RF ASIC 43 使用例 44 使用例 45 WLAN のベストプラクティス 48 設置に関する一般的な注意事項 49 アンテナケーブルの推奨事項 50 付録 52 © 2020 Cisco and/or its affiliates. All rights reserved. 3/52 ページ このマニュアルは、Cisco® ワイヤレス エンタープライズ ネットワーキングの既存製品ラインと機能に精通し、 トレーニングを受けた経験豊富な技術スタッフを対象としています。 Cisco Catalyst 9130 シリーズの概要: 次世代モビリティに対応した設計 Cisco Catalyst® 9130 シリーズ アクセスポイントは高性能な Wi-Fi 6 機能を搭載するほか、RF 性能とセキュリ ティ面および分析面の革新的な進化により、エンドツーエンドのデジタル化が可能になりました。従来の Wi-Fi を 超えるネットワーク性能で、ビジネスサービスの展開を加速させます。 ● 復元力:要求の厳しい環境でも、802.11ac アクセスポイントの最大 4 倍のキャパシティにより、効率性 とセルラーのような確定性が向上します ● セキュア:これらのアクセスポイントは、組み込みのセキュリティと Software-Defined Access(SD-Access) をサポートし、オープン Wi-Fi で標準に準拠した強化されたセキュリティを提供します ● インテリジェント:Internet of Things(IoT)デバイスと拡大されたエコシステム パートナーシップにとっ て最も重要なマルチ RF サポートにより、Catalyst 9100 ポートフォリオは、シスコ ネットワーク上のモ バイルデバイスからかつてないほどの可視性を実現し、Cisco DNA Assurance を強化します Catalyst 9100 アクセスポイントには、セキュアブート、ランタイム防御、イメージ署名、整合性の検証、ハー ドウェアの信頼性などのセキュリティ機能が組み込まれています。Wi-Fi 6 を備えた 9100 ポートフォリオは、 ブランチおよびキャンパスネットワーク導入のニーズを満たす信頼性の高いワイヤレスを提供します。 Cisco Catalyst 9130 シリーズの主な機能 ● 4x4 MIMO(Multi-Input Multi-Output)および 4 つの空間ストリームを備えた次世代 Wi-Fi 6(802.11ax) アクセスポイント: ◦ 5 GHz の 8x8:8 シングルまたはデュアル 4x4:4、およびダウンリンク/アップリンク直交周波数分割多重ア クセス(OFDMA) ◦ マルチユーザ MIMO(MU-MIMO)およびダウンリンク/アップリンク OFDMA を備えた 2.4 GHz の 4x4:4 ● Cisco DNA 対応 ● 次世代 Cisco CleanAir® およびアップグレード可能な RF 機能を備えた Cisco RF 特定用途向け集積回路(ASIC) ● 内蔵 Bluetooth Low Energy(BLE)無線(Bluetooth 5.0) © 2020 Cisco and/or its affiliates. All rights reserved. 4/52 ページ ● マルチギガビット イーサネット(1 Gbps、2.5 および 5 Gbps) ● USB ● 最大 500 台の Wi-Fi デバイスをサポート ● IoT 対応(Zigbee、Thread) ● 内部および外部アンテナオプション ● 9130I の動作温度:0 ~ 50°C(32 ~ 122°F) ● 9130E の動作温度:-20 ~ 50°C(-4 ~ 122°F) Cisco Catalyst 9130 シリーズの主な機能 ● OFDMA と MU-MIMO:高度なアプリケーションと IoT で、予測どおりのパフォーマンスを実現 ● RF シグネチャキャプチャ、不正検出、およびデバイス分類による優れたセキュリティ ● コンテナのサポート:IoT アプリケーションをホストする Docker サポート機能のある多言語アクセスポイント ● マルチギガビットのサポート:ボトルネックなしでネットワークトラフィックをシームレスにオフロードし、 最小のコストで高いスループットを実現 ● 内蔵 Bluetooth 5.0:IoT の使用を可能にするマルチ RF テクノロジー ● 内部および外部アンテナのサポート:さまざまなキャンパスタイプに柔軟に対応する導入オプション ● 802.3af(制限付き)から 802.3bt までの複数入力電源オプション また、Cisco Catalyst 9100 アクセスポイントは、シスコの先進的な企業向けアーキテクチャである SD-Access をサポートしています。 適切なアクセスポイントの選択(モデル 9130I および 9130E) 図 1. Cisco Catalyst 9130I(内部アンテナ付き)および 9130E(外部アンテナが必要)アクセスポイント © 2020 Cisco and/or its affiliates. All rights reserved. 5/52 ページ 9130I モデルの使用例 ● 美観(絨毯が敷かれた場所) ● アンテナの追加費用がない ● 設置するアイテム数が少ない ● 高い天井に適している場合がある 9130E モデルの使用例 ● 高温での動作を必要とする産業用途 ● 外部アンテナまたは指向性アンテナが必要(屋内/屋外で使用) ● 範囲が広いまたはエネルギーを集中する必要がある ● デュアル 5 GHz(異なるセル領域をカバー)指向性または全方位 ● レガシー シングルバンド アンテナまたは個別に 2.4 GHz および 5 GHz セルの使用 Cisco Catalyst 9130 シリーズの新しいメカニカルデザイン Cisco Catalyst 9100 アクセスポイントは設計段階から見直して開発が行われ、空気力学的な滑らかな外観に仕 上がっています。RF の優れた点と次世代のテクノロジーを取り入れ、妥協のない最高水準のワイヤレスエクス ペリエンスを提供します。複数の高性能な機能を揃えつつ、ハードウェアを再設計し、効率性を高める設計によ りフォームファクタをコンパクトに収めることで、Wi-Fi 導入を見た目から簡単なものにしています。 図 2. 寸法:9130I モデル © 2020 Cisco and/or its affiliates. All rights reserved. 6/52 ページ 図 3. 寸法:9130E モデル 注: 9130 シリーズは、Cisco Aironet® 2800 シリーズよりも約 13% 軽量で、25% 小型ですが、同じ AIR-BRACKET-1 および AIR-BRACKET-2 取り付け用部品を使用して簡単に導入できます。 取り付けオプション お客様の要件に応じて、さまざまな設置オプションを使用できます。ブラケットは、シスコおよびサード パーティ 企業から入手できます。発注段階で、お客様は 2 種類のブラケットのうち 1 種類を選択できます(両方は選択で きません)。各ブラケットは構成時の 0 ドル オプションです。お客様がブラケットを選択しない場合、デフォル トでは、天井設置用の一般的な AIR-AP-BRACKET-1 が選択されます。もう 1 つの選択肢は、製品番号 AIR-AP-BRACKET-2 のユニバーサルブラケットです。 図 4. 2 種類の取り付けブラケット © 2020 Cisco and/or its affiliates. All rights reserved. 7/52 ページ AP をグリッド構造の天井に直接取り付ける場合は、AIR-AP-BRACKET-1 ブラケットを使用すると、同一面上に 平らに取り付けることができ、最も目立ちません。ただし、電気制御ボックスやその他の配線器具、または NEMA (National Electrical Manufactuers Association)ラック内や壁面に AP を取り付ける場合は、AIR-AP-BRACKET-2 が適しています。このブラケットの余ったスペースを使って配線でき、追加の穴が多くの一般的な電気制御ボック スに合わせて並んでいます。ブラケットをグリッド構造の天井に取り付ける場合、天井タイルによっては埋め込み 型にするものもあります。したがって、2 つの違う形の天井クリップの、埋め込み型(Recessed)と同一面型(Flush) のレールを使用できます。以下の図を参照してください。 図 5. 天井グリッド構造に取り付けるためのクリップ 図 6. AP の固定 AP をブラケットに固定する必要がある場合は、上の図に示すように行うことができます。 © 2020 Cisco and/or its affiliates. All rights reserved. 8/52 ページ チャネルレールアダプタ 次の図に示すような天井チャネルレールに AP を取り付ける場合、オプションのチャネルアダプタ AIR-CHNL-ADAPTER を使用します。これは 2 個組で付属していて、天井グリッドクリップに取り付けます。 図 8 および 9 を参照してください。 図 7. チャネルレールの例 図 8. AIR-CHNL-ADAPTER(左)をレールにスライド 図 9. AIR-CHNL-ADAPTER をレールクリップ(左)に取り付けて設置完了(右) © 2020 Cisco and/or its affiliates. All rights reserved. 9/52 ページ AP の壁面取り付け 壁面への取り付けが必要な場合、壁はワイヤレス信号への物理的な障害物になる可能性があり、そのため 360 度 のカバレッジの維持が損なわれる可能性があることを理解する必要があります。外壁である場合や目標として 360 度の代わりに 180 度のパターンで信号を送信する場合、外部アンテナモデルの使用を想定して、「パッチ」アン テナと呼ばれることも多い指向性アンテナを選択する方がよい場合もあります。 内部アンテナモデルは天井に取り付けて 360 度のカバレッジを提供するように設計されているため、オプション の直角取り付け具(サードパーティ製)を使用する場合を除き、内部アンテナ付き AP の壁への取り付けは避け てください。 図 10. 9115AX、9117AX、9120AX、および 9130 シリーズ アクセスポイント用 AccelTex 壁面取り付けソリューション さまざまなタイプの取り付けソリューションが用意されているため、次のサードパーティ企業の製品を推奨します。 Oberon:www.beroninc.com/ AccelTex:www.acceltex.com/ Ventev:www.ventev.com/ 天井方向以外で壁面に取り付けられている場合は、信号がフロアの上や下を通り抜けることがあります。これが 原因で意図しないカバレッジが生じ、たとえば、Wi-Fi 電話器などのモビリティクライアントを持つユーザが隣 接フロアを歩くと、追加で不要なローミングアクセスが発生する可能性があります。 © 2020 Cisco and/or its affiliates. All rights reserved. 10/52 ページ 図 11. 9130 シリーズを壁面に取り付ける場合の注意事項 AP のカラーの変更 AP の色を変更したい場合には、AP に塗装すると保証が無効になるため、色付きビニールテープを使用するか、 Oberon の色付きプラスチックカバーを使用することを検討してください。 図 12. AP のカラー変更、カスタムロゴの追加、または LED を隠すための Oberon サードパーティオプション © 2020 Cisco and/or its affiliates. All rights reserved. 11/52 ページ 図 13. AccelTex のビニール「スキン」 もう 1 つのサードパーティオプションは、上図のようなビニール「スキン」です。 天井タイルの上 Cisco Catalyst 9130I および 9130E はプレナム空間(UL-2043)の設置に対して定格が定められています。天 井に何も見えないように AP を設置することを選ぶお客様も多くいます(美観上の理由)。その場合は、AP を 吊り天井の上に設置できます。この方法は、教室など盗難の多い場所や天井には目視できるものがないことがポ リシーで規定される場所にも適している場合があります。 これが厳しい要件である場合、Erico や Cooper などのサードパーティ企業が提供しているオプションの T バー ハンガーアクセサリを使用できます。Erico Caddy 512a や Cooper B-Line BA50a などの T バーグリッドを使 用できます。 詳細については、以下を参照してください。 Erico Eaton © 2020 Cisco and/or its affiliates. All rights reserved. 12/52 ページ 図 14. AP を天井タイルの上に吊り下げる方法の例 注: 天井の下への取り付けが選択できない場合のみ、天井タイルの上に AP を設置してください。タイルに 導電性がないことが必要です。このような設置では音声やロケーションなどの高度な RF 機能が低下するため、 カバレッジとパフォーマンスを検証してください。AP をタイルの内側中央にできるだけ近い場所に取り付け、 障害物のある領域は避けるようにしてください。 図 15. 天井タイルの上に AP を設置:障害物のない場所を選択し、天井の散乱物を避ける 高振動の領域 アクセスポイントが「サイドアーム」タイプの取り付け具で設置されているか、高振動が生じる可能性のある場 所に設置されている場合は、パッドロックまたは金属製ピンを使用して、AP が振動で緩んでブラケットから落 ちないようにすることが推奨されます。 © 2020 Cisco and/or its affiliates. All rights reserved. 13/52 ページ 図 16. 金属製ピンまたはパッドロックは経年劣化しないため、プラスチックタイより望ましい Power over Ethernet(PoE) 9130 シリーズは、802.3af の限られた電力でも柔軟な電源オプションを提供します。 表 1. 9130 シリーズの消費電力 Catalyst 9130AXI PoE 電力消費 2.4 GHz 無線 5 GHz 無線 リンク速度 USB LLDP 802.3at(PoE+) 4 X 4 8 x 8 5G N 25.5W 802.3at(PoE+) 4 X 4 4 X 4 5G ○ [4.5 w] 25.5W 802.3bt(UPoE) 4 X 4 8 x 8 5G ○ [4.5 w] 30.5W Catalyst 9130AXE PoE 電力消費 2.4 GHz 無線 5 GHz 無線 リンク速度 USB LLDP 802.3at(PoE+) 4 X 4 4 X 4 5G ○ [4.5 w] 25.5W 802.3bt(UPoE) 4 X 4 8 x 8 5G ○ [4.5 w] 30.5W Catalyst 9130AXI / 9130AXE PoE 電力消費 2.4 GHz 無線 5 GHz 無線 リンク速度 USB LLDP 802.3af PoE 1 x 1 1 x 1 1G N 13.4W 注: 推奨されるイーサネットケーブルは CAT-6 で、最大距離は 100 m(328 フィート)です。電源装置(PSE) で必要な電力は、ケーブル長およびその他の環境問題によって異なります。 © 2020 Cisco and/or its affiliates. All rights reserved. 14/52 ページ 図 17. シスコのマルチギガビット製品 シスコには、これらのアクセスポイントに簡単に電力を供給できるマルチギガビット製品があります。 内蔵 Cisco RF ASIC Cisco Catalyst 9130 シリーズに内蔵された RF ASIC は、アクセスポイントのクライアントサービス無線の RF ス ペクトルとパフォーマンスを向上させます。 Cisco Catalyst 9130 シリーズなどの次世代 Wi-Fi 6 アクセスポイントには、ASIC(アプリケーション独自の集 積回路)と呼ばれる、カスタム設計されたシスコ デバイスに基づく新しい無線が搭載されています。詳細な RF 分 析はすべて RF ASIC 上で実行されるため、この分析無線はアクセスポイントのクライアントサービス無線のパフォー マンスを向上させます。 Cisco RF ASIC(実際には 2 つの ASIC チップ)の機能は、対象の周波数または周波数範囲を分析し、受信した RF 信号を I/Q データと呼ばれる直角位相信号に変換します。その後、この I/Q データは専用のベースバンドプロセッ サである 2 番目の ASIC に渡されます。このベースバンドプロセッサは、詳細な RF 分析(検査対象の信号の位 相や振幅および変調特性の微妙な変化の判断)に使用されます。 Wi-Fi 以外の干渉源を特定するためにカスタム設計されたスペクトル解析エンジン(SAgE)は、最もシンプルか つ効果的な方法を使って、最大の解像度で I/Q データを評価します。 RF ASIC は、CleanAir と SAgE を含むだけでなく、はるかに高度で、将来のソフトウェアアップグレードで高 度な機能をサポートする独自のハードウェアです。 RF ASIC の初期機能には、CleanAir と SAgE のすべての機能に加えて、動的周波数選択(DFS)の提供無線の分 析を強化するために DFS イベントを検出する機能も含まれます。これにより、スペクトル分析が大幅に改善さ © 2020 Cisco and/or its affiliates. All rights reserved. 15/52 ページ れ、無線スペクトルの「セカンドオピニオン」が常に得られます。これは、デュアル DFS と呼ばれます。また、 RF ASIC はオフチャネル分析を提供することで、シスコの RRM(無線リソース管理)でも重要な役割を果たし ます。 図 18. Cisco RF ASIC チップを搭載した Cisco Catalyst 9130I Cisco Catalyst 9130I 内部アンテナシステム 図 19. 9130I 内部アンテナシステム 9130I には、アクセスポイントで使用できる最も高度なアンテナシステムの 1 つが搭載されています。 主要な提供無線のデフォルト設定は次のとおりです。 © 2020 Cisco and/or its affiliates. All rights reserved. 16/52 ページ ● 専用の 5 GHz 無線は、4 dBi のデュアルバンド クライアントサービス アンテナに接続されます。 ● 5 GHz 8x8 モードでは、4 つのデュアルバンドアンテナと 4 つのマイクロアンテナがすべて使用されます が、デュアルバンドアンテナを使用する 2.4 GHz 無線も 4x4 モードでアクティブになります。 ● 以前のモデルとは異なり、XOR(排他的論理和)無線は、(XoR の状態に関係なくアクティブである) 2.4 GHz 無線に関連付けられなくなりました。 ● デュアル 5 GHz モードでは、8x8 5 GHz 無線の状態が 8x8 から 4x4 に変わり、マイクロアンテナでセカ ンダリ 5 GHz 無線を独立して動作させることができるので、真のデュアルマイクロ/マクロセル方式を実 現できます。 提供無線アンテナに加えて、2 つのアンテナがあります。 ● ゲインが 2.5 dBi の BLE(IoT)アンテナ ● 2.4 GHz のゲインが 4.5 dBi で 5 GHz のゲインが 5 dBi の RF ASIC アンテナ RF ASIC アンテナは、スペクトル分析およびその他の高度な RF 機能のために、専用のソフトウェア定義型無線 に接続されます。RF ASIC アンテナは、提供無線アンテナと同じ設計で、提供無線と同様のネットワークビュー を提供します。 アンテナの改善 Cisco Catalyst 9130 シリーズの新しいアンテナ設計は、従来の Aironet 4800i を改良したものです。マイクロ セルアンテナのカバレッジが改善され、「meso」セルと呼ばれる新しい概念が導入されました。meso セルは、 マクロセルとマイクロセルのハイブリッドです。このハードウェアの革新により、新しいソフトウェアリリース でマイクロセルのカバレッジの改善が可能になります。 図 20. Cisco Catalyst 9130I と Aironet 4800 シリーズのアンテナカバレッジの比較 © 2020 Cisco and/or its affiliates. All rights reserved. 17/52 ページ 図 21. Cisco Catalyst 9130I アンテナパターン(デュアルバンド 5 GHz) 図 22. Cisco Catalyst 9130I アンテナパターン(シングルバンド 5 GHz) © 2020 Cisco and/or its affiliates. All rights reserved. 18/52 ページ 図 23. Cisco Catalyst 9130I アンテナパターン(デュアルバンド 2.4 GHz) 図 24. Cisco Catalyst 9130I アンテナパターン、RF ASIC(AUX デュアルバンド) © 2020 Cisco and/or its affiliates. All rights reserved. 19/52 ページ 図 25. Cisco Catalyst 9130I アンテナパターン、BLE および IoT Cisco Catalyst 9130E(外部アンテナモデル) 図 26. 9130E のアンテナコネクタ 注: 9130E では、外部アンテナシステムを使用する必要があります。黄色のカバー(左側)を取り外し、適 切なアンテナシステムを 8 ポートの DART「スマート」コネクタに取り付ける必要があります。このコネクタは、 黄色のカバーを取り外すと露出します。適切なアンテナがない状態で装置を操作しないでください。 © 2020 Cisco and/or its affiliates. All rights reserved. 20/52 ページ 図 27. 9130E アンテナコネクタの詳細 9130E はスマートアンテナコネクタ(上図)を使用します。内部アンテナや RP-TNC コネクタは含まれません。 RP-TNC コネクタまたは「N」型コネクタを備えた古いアンテナが必要な場合は、対応するアダプタケーブルを 使用できます。 スマートアンテナコネクタ(DART-8)について 9130E では、デュアル 5G、4x4 + 4x4 +(2.4 GHz で 4x4)などのモードで古い RP-TNC シングル RF コネク タは実用的ではありませんでした。シスコは設置を簡素化し、プロビジョニングと検出を自動化する回路を搭載 する Self-Identifying Antenna(SIA)の新しいラインに適合するシングル挿入ケーブルを作成するために DART-8 を開発しました。このコネクタがあるため、専門の作業者が設置する特別なモデル(製品番号の末尾に「-P」が 付くモデル)が今後は必要ありません。既存のアンテナをお持ちのお客様は、DART-8(スマートアダプタケー ブル)を介して 9130E に接続できます。 レガシーアンテナのサポート Cisco Catalyst 9130E は、スマートアンテナコネクタ(DART-8)で終端された SIA で使用するように設計されて います。DART アダプタケーブルを使用すると、AP はレガシーアンテナモードになります。使用するアダプタに 応じて、最大 6 dBi(RP-TNC を使用)または最大 13 dBi(「N」型コネクタを使用)のアンテナを使用できます。 図 28. 従来のアンテナ用 Cisco AIR-CAB-002-D8-R= コネクタ(最大 6 dBi、RP-TNC コネクタを使用) © 2020 Cisco and/or its affiliates. All rights reserved. 21/52 ページ 図 29. 従来のアンテナ用 Cisco AIR-CAB-003-D8-N=(最大 13 dBi、「N」型コネクタを使用) AIR-CAB-002-D8-N= を使用する場合は、以前の専門の作業者が設置するように設計されたアンテナ(モデル 番号の末尾が「-P」)を 9130E で使用できるため、9130E に「-P」モデルはありません。 注: Cisco Catalyst 9120AXE で使用される 4 ポート DART アダプタ(シスコ製品番号 AIR-CAB-002-DART-R=)は、新しい Cisco Catalyst 9130E アクセスポイントと互換性がありません。 Cisco Catalyst 9130 シリーズのトライ無線サポートについて 図 30. 9130 シリーズのデフォルトモード Cisco Catalyst 9130 シリーズは、8x8 またはデュアル 5 GHz 4x4 モードで 5 GHz を実行できます。 9130 シリーズのデフォルトモードは、5 GHz 8x8 および 2.4 GHz 4x4 モードです。このデフォルトモードでは、 主に MU-MIMO クライアント環境でパフォーマンスが向上し、1 つの無線あたりのスループットが最大になりま す。このモードでは、データレートは向上しますが、範囲は小さくなり、クライアントを受信するレシーバの数 が増えて、最大比合成(MRC)が向上します。 © 2020 Cisco and/or its affiliates. All rights reserved. 22/52 ページ 図 31. デュアル 5 GHz 4x4 モード 5 GHz 無線の動作を 8x8 から 2 つの独立した 5GHz 4x4 無線に変更すると効果的な場合があります。デュアル 5 GHz 4x4 無線の利点は、マクロ/マイクロセル動作が可能になることです。これは、高密度環境で非常に便利で す。また、Wi-Fi 6 対応クライアントが少ない場合や、2 つの異なる 5 GHz Wi-Fi カバレッジセルを作成したり、 モニタリングなどの動作モードを変更する必要が生じた場合にも、より多くのクライアントでパフォーマンスを 向上させることができます。 表 2. Cisco Catalyst 9130 シリーズの動作モードと基準の例 5 GHz 無線のロール ドライバ 無線 1 無線 2 8x8 クライアントサービス なし 160MHz または 80+80MHz での優先動作 MU-MIMO ステーション数が増加 チャネル再利用の要件が低い 空間ストリーム(SS)の必要数が増加 4x4 クライアントサービス 4x4 クライアントサービス クライアントの密度とキャパシティ要件が高い 指向性アンテナユニット(カバレッジスライス) 80MHz 以下として動作 4x4 クライアントサービス モニタ(Monitor) MU-MIMO ステーション数が減少 密度が低く、チャネル再利用は向上 モニタリング アプリケーションには 4x4 RX が必要 © 2020 Cisco and/or its affiliates. All rights reserved. 23/52 ページ Cisco Catalyst 9130 シリーズのトライ無線の設定 初期化時(デフォルト)、9130 シリーズは 2.4 GHz 4x4 および 1x 5 GHz 8x8 モードになります。無線インターフェイ スの設定レベルでは、デュアル無線モードは [Auto (disabled)] であることに注意してください。「Auto」は無線がフレ キシブル ラジオ アサインメント(FRA)によって割り当てられることを示し、「disabled」は 8x8 モードとして割り当 てられているか、FRA によってまだ評価されていないことを示します。FRA がデュアル 5 GHz モードを割り当てた場合 は、「disabled」は「enabled」になります。いずれの場合も、「Auto」は無線が FRA モードであり、手動でオーバー ライドされていないことを示します。8 つのアンテナすべてがこの単一のインターフェイスに割り当てられます。 また、インターフェイスリストには、同じ AP のスロット 1 と 2 の両方が表示されます。ただし、スロット 2 は すでにスロット 1 の 8x8 モードの一部としてアクティブになっており、スロット 2 としてアドレス指定できな いため、グレー表示されます。デュアルバンドモードを有効にするには、[Dual Radio Mode] で [Enabled] を選 択します。これにより、8x8 が 2 つの独立して機能する 4x4 無線に手動で分割されます。 スロット 1 の無線は、4 つのアンテナのみを使用するように切り替わります。スロット 2 の無線がアクティブに なり、4 つのアンテナチェーンも設定されます。各 4x4 無線は独立したインターフェイスになり、異なるチャネ ルを割り当てることができ、2 つの異なるユーザグループにサービスを提供します。 注: セカンダリ無線の管理ステータスが有効になったら、デュアル無線モードを無効にする場合、まずセカ ンダリ無線の管理ステータスを無効にする必要があります。そうしないと、次の警告が表示されます。 © 2020 Cisco and/or its affiliates. All rights reserved. 24/52 ページ つまり、デュアル 5 GHz を手動で割り当てた後、手動で 8x8 シングル無線モードに戻す場合は、最初に 2 番目 の 5 GHz インターフェイスを無効にして、スロット 1 のプライマリ無線に戻すために解放する必要があります。 スロット 1 とスロット 2 が有効になっており、スロット 2 には独立した設定があり、8 つの使用可能なアンテナ のうち 4 つが割り当てられています。 トライ無線の FRA 設定は、他の Cisco FRA 対応 AP の場合と同様です。FRA ロールを選択する必要があります。 [Auto] では FRA 制御となり、[Client Serving] ではクライアントとビーコンがアクティブなインターフェイスと して提供されます。[Monitor] では、5 GHz バンドのすべてのチャネルがスキャンされるだけです。 ロールの選択は、デュアル無線モードの設定に応じて、両方のインターフェイスまたは 1 つのインターフェイスだ けで使用できます。デュアル無線モードが有効になっている場合、両方のインターフェイスが FRA によって割り 当て可能であり、どちらにも独立したロール選択があります。[Auto] モードでは、FRA が選択できるのは [Client Serving] と [Monitor] のいずれかであり、使用可能なアクティブな 5 GHz インターフェイスの数と、1 番目と 2 番 目の 5 GHz インターフェイスに非干渉チャネルを割り当て可能かどうかに応じて、割り当てられます。 FRA の制御下では、5 GHz インターフェイスがクライアントサービスに割り当てられない可能性があります。こ れは、RRM の動的チャネル割り当て(DCA)に割り当て可能な非干渉チャネルがない場合に発生します。通常は、 Over-the-Air 測定に基づいたチャネルの枯渇(多数の 5 GHz インターフェイスが密集している)が原因で発生し ます。より多くのチャネルを解放するには、割り当てるチャネル帯域幅を確認します。チャネル帯域幅を 80 MHz に設定すると、インターフェイスごとに 4 つのチャネルを消費し、デュアル 5 GHz モードでは、1 つの AP に 8 つ のチャネルが必要です。チャネルを 40 MHz に再設定すると、デュアル 5 GHz AP ごとに 4 つのチャネルが解放 され、より多くのインターフェイスを干渉なしでアクティブにできます。 © 2020 Cisco and/or its affiliates. All rights reserved. 25/52 ページ Self-Identifying Antenna について 図 32. Self-Identifying Antenna 9130E のリリースに伴い、スマートアンテナコネクタを備えた 3 つの新しいアンテナが導入されました。これら のアンテナは、アクセスポイントを補完するように設計された新しいインダストリアルデザインを特長としてい ます。 注: これら 3 つのアンテナは、8x8 モードで 5 GHz、4x4 モードで 2.4 GHz を完全にサポートし、BLE/IoT お よび RF ASIC 機能を搭載しています。ただし、アンテナのサイズが小さいため、デュアル 5 GHz はサポートし ません。デュアル 5 GHz などの追加機能とモードを備えた高ゲインアンテナも予定されています。 C-ANT9101= 天井取り付け型全方位(AIR-ANT2524V4C-R= と類似) C-ANT9102= 壁面/支柱取り付け型全方位(AIR-ANT2544V4M-R= と類似) C-ANT9103= 壁面/支柱取り付け型パッチ(AIR-ANT2566D4M-R= と類似) 上記のアンテナには挿入ケーブルが 1 本付属しており、各アンテナはプロビジョニングと検出を自動化する SIA 回路を搭載しています。また、各アンテナには、アクセスポイントのライトと同様のインジケータライト(LED) があり、アンテナに「アクティブ」ステータスを表示できます。 図 33. C-ANT9101= 天井取り付け型全方位アンテナ © 2020 Cisco and/or its affiliates. All rights reserved. 26/52 ページ Cisco C-ANT9101 天井取り付け型全方位アンテナは、タイルの中央に取り付けることができ、天井レール(上 図の右側のアンテナの横)に取り付けられたアクセスポイントよりも目立ちません。これにより、AP を天井タ イルの上に配置できます。 図 34. C-ANT9101 アンテナパターン(2.4 GHz デュアルバンド) 図 35. C-ANT9101 アンテナパターン(5 GHz デュアルバンド) © 2020 Cisco and/or its affiliates. All rights reserved. 27/52 ページ 図 36. C-ANT9101 アンテナパターン(5 GHz シングルバンド) 図 37. C-ANT9101 アンテナパターン(2.4 GHz RF ASIC/AUX) © 2020 Cisco and/or its affiliates. All rights reserved. 28/52 ページ 図 38. C-ANT9101 アンテナパターン(5 GHz RF ASIC/AUX) 図 39. C-ANT9101 アンテナパターン(2.4-GHz BLE/IoT) © 2020 Cisco and/or its affiliates. All rights reserved. 29/52 ページ 図 40. C-ANT9102= 壁面/支柱取り付け型全方位アンテナ Cisco C-ANT9102 壁面/支柱取り付け型全方位アンテナは、製造現場や小売店など、柱や壁面に取り付ける必要 がある場所に設置できます。これは、アクセスポイントの LED と同様のアクティブ LED を備えた Self-Identifying Antenna です。レイドームの素材は Lexan EXL 9330 で、スマート 8 ポート DART アンテナコネクタで終端さ れています。 図 41. C-ANT9102 アンテナパターン(2.4 GHz デュアルバンド) © 2020 Cisco and/or its affiliates. All rights reserved. 30/52 ページ 図 42. C-ANT9102 アンテナパターン(5 GHz デュアルバンド) 図 43. C-ANT9102 アンテナパターン(5 GHz シングルバンド) © 2020 Cisco and/or its affiliates. All rights reserved. 31/52 ページ 図 44. C-ANT9102 アンテナパターン(2.4 GHz RF ASIC/AUX) 図 45. C-ANT9102 アンテナパターン(5 GHz RF ASIC/AUX) © 2020 Cisco and/or its affiliates. All rights reserved. 32/52 ページ 図 46. C-ANT9102 アンテナパターン(2.4-GHz BLE/IoT) 図 47. C-ANT9103= 6 dBi 壁面/支柱取り付け型指向性アンテナ Cisco C-ANT9103 壁面/支柱取り付け型指向性アンテナは、製造現場や小売店など、柱と壁面取り付けが必要な 場所に設置できます。これは、アクセスポイントの LED と同様のアクティブ LED を備えた Self-Identifying Antenna です。 © 2020 Cisco and/or its affiliates. All rights reserved. 33/52 ページ 図 48. C-ANT9103=(オプションの AP ブラケット AIR-AP-BRACKET-9= を使用) オプションのブラケットを使用すると、AP をアンテナの背後に取り付けることができます。 LED 付きのこのスマートアンテナには、AP の外観を洗練された「目立たない」状態にするための直角 DART コ ネクタがあります。 図 49. C-ANT9103 アンテナパターン(2.4 GHz デュアルバンド) © 2020 Cisco and/or its affiliates. All rights reserved. 34/52 ページ 図 50. C-ANT9103 アンテナパターン(5 GHz デュアルバンド) 図 51. C-ANT9103 アンテナパターン(5 GHz シングルバンド) © 2020 Cisco and/or its affiliates. All rights reserved. 35/52 ページ 図 52. C-ANT9103 アンテナパターン(2.4 GHz RF ASIC/AUX) 図 53. C-ANT9103 アンテナパターン(5 GHz RF ASIC/AUX) © 2020 Cisco and/or its affiliates. All rights reserved. 36/52 ページ 図 54. C-ANT9103 アンテナパターン(2.4-GHz BLE/IoT) Cisco Catalyst 9130E でサポートされる外部アンテナ 表 3. 外部アンテナ 製品番号 説明 ゲイン C-ANT9101= 天井取り付け式全方位性 Self-Identifying Antenna、8 ポート、DART コネクタ付き。 4 dBi(2.4 GHz) 4 dBi(5 GHz) C-ANT9102= 支柱または壁面取り付け式全方位性 Self-Identifying Antenna、Bluetooth、 8 ポート、DART コネクタ付き。 4 dBi(2.4 GHz) 4 dBi(5 GHz) C-ANT9103= 支柱または壁面取り付け式 75° 指向性 Self-Identifying Antenna、Bluetooth、 8 ポート、DART コネクタ付き。 6 dBi(2.4 GHz) 6 dBi(5 GHz) AIR-ANT2513P4M-N= パッチアンテナ、4 ポート、N コネクタ付き。 注:AIR-CAB003-D8-N= を使用して AP に接続します。 13 dBi(2.4 GHz) 13 dBi(5 GHz) AIR-ANT2524V4C-R 天井取り付け式全方位性アンテナ、4 ポート、RP-TNC コネクタ付き。 注:AIR-CAB002-D8-R= を使用して AP に接続します。 2 dBi(2.4 GHz) 4 dBi(5 GHz) AIR-ANT2524V4C-RS= 天井取り付け式全方位性 Self-Identifying Antenna、4 ポート、RP-TNC コネクタ付き。 2 dBi(2.4 GHz) 4 dBi(5 GHz) AIR-ANT2544V4M-R 壁取り付け式全方位性アンテナ、4 ポート、RP-TNC コネクタ付き。 注:AIR-CAB002-D8-R= を使用して AP に接続します。 4 dBi(2.4 GHz) 4 dBi(5 GHz) © 2020 Cisco and/or its affiliates. All rights reserved. 37/52 ページ 製品番号 説明 ゲイン AIR-ANT2544V4M-RS= 壁取り付け式全方位性 Self-Identifying Antenna、4 ポート、RP-TNC コ ネクタ付き。 4 dBi(2.4 GHz) 4 dBi(5 GHz) AIR-ANT2566D4M-R 60 度パッチアンテナ、4 ポート、RP-TNC コネクタ付き。1 注:AIR-CAB002-D8-R= を使用して AP に接続します。 6 dBi(2.4 GHz) 6 dBi(5 GHz) AIR-ANT2566D4M-RS= 60 度パッチ Self-Identifying Antenna、4 ポート、RP-TNC コネクタ付き。 6 dBi(2.4 GHz) 6 dBi(5 GHz) AIR-ANT2566P4W-R= 指向性アンテナ、4 ポート、RP-TNC コネクタ付き。 注:AIR-CAB002-D8-R= を使用して AP に接続します。 6 dBi(2.4 GHz) 6 dBi(5 GHz) AIR-ANT2566P4W-RS= 指向性 Self-Identifying Antenna、4 ポート、RP-TNC コネクタ付き。 6 dBi(2.4 GHz) 6 dBi(5 GHz) 1米国では、UNII-1 チャネルは屋内にのみ使用できます。 デュアル 5 GHz 動作および外部アンテナ 前述のように、AIR-ANT9101、AIR-ANT9102、および AIR-ANT9103 は、デュアル 5 GHz モードをサポート していません。これらのアンテナは、物理設計が小さく、デュアル 5 GHz 動作に十分な RF 分離が備わっていな いためです。 デュアル 5 GHz 動作をサポートする他のアンテナを開発中ですが、現在デュアル 5 GHz を使用する際は、9130I (内部アンテナモデル)を使用するか、9130E の場合はスマート DART-8 アダプタを使用します。このアダプタ によって、上の表にある現在のアンテナの多くがデュアル 5 GHz モードで使用できます。 図 55. 左:AIR-CAB-002-D8-R=(RP-TNC コネクタ)右:AIR-CAB-003-D8-N=(「N」型コネクタ) 以下の図では、DART アダプタによってケーブルが 4 つのアンテナからなる 2 つのグループに分割されています。 © 2020 Cisco and/or its affiliates. All rights reserved. 38/52 ページ 図 56. DART アダプタと RF 接続 DART ラベル RF 接続 A 2.4/5 GHz(デュアルバンド) B 2.4/5 GHz(デュアルバンド) C 2.4/5 GHz(デュアルバンド) D 2.4/5 GHz(デュアルバンド) E 5 GHz F 5 GHz G 5 GHz H 5 GHz Cisco DART ケーブルアセンブリでは、4 つのアンテナからなる 2 つのグループを使用できます。コネクタごとに ラベルが付けられています。 デュアル 5 GHz モードでは、ポート A 〜 D は 2.4 および 5 GHz(4x4 モード)で、ポート E 〜 H はセカンダリ 5 GHz 無線です。 これにより、指向性アンテナを使用して 2.4 または 5 GHz を一方位に送信し、セカンダリ 5 GHz をまったく異 なる方位に送信できます。 © 2020 Cisco and/or its affiliates. All rights reserved. 39/52 ページ 図 57. DART アダプタでの指向性アンテナの使用 この外部アンテナは柔軟な使用が可能なため、マイクロセルとマクロセルの任意の組み合わせができます。また、 必要に応じて(1 組の無線で病室、もう 1 組で廊下など)異なるセル領域(屋内/屋外)をカバーできます。DART ケーブルアダプタを使用すると、RF の柔軟性の真価が発揮できます。 ただし、性能低下が発生しないように、4x4 アンテナを相互に分離することが重要です。指向性アンテナを使用 するか、または全方位アンテナを使用する場合は、適切な間隔(2 メートル以上)にする必要があります。次に、 分離に関する一般的な考えを示します。 図 58. RF 分離の作成 アンテナは相互にできるだけ離して取り付け、次の FRA およびデュアル 5 GHz 動作に関するセクションの分離 ガイドラインに従ってください。 © 2020 Cisco and/or its affiliates. All rights reserved. 40/52 ページ フレキシブル ラジオ アサインメントについて Cisco Catalyst 9130 シリーズ アクセスポイントには、フレキシブル ラジオ アサインメント(FRA)機能があり ます。AP には、必要に応じて 2 つの個別の 4x4 無線に分割できる専用の柔軟な 8x8 5GHz 無線があるため、ト ライバンド無線です(アクセスポイントは、2 つの異なる 5 GHz 4x4 無線をサポートするので、クライアントに サービスを提供するように個別に設定できます)。 デュアル 5 GHz モードに移行するときに 2.4 GHz 無線を無効にする以前のシスコ製品とは異なり、9130 シリー ズ アクセスポイントには専用の 2.4 GHz 無線があり、この無線も(5 GHz の状態に関係なく)アクティブで、4 つのプライマリ デュアルバンド アンテナ(ポート A 〜 D)を 5 GHz 無線と共有するので、2.4 GHz 4x4 動作は 同時に機能します。 デュアル 5 GHz モードで動作している場合、プライマリアンテナポート A 〜 D はデュアルバンドモードで動作 し、2.4 GHz と 5 GHz の両方を同時にサポートします。 FRA とデュアル 5 GHz の動作 デュアル 5 GHz セルの管理は、FRA の機能の中で最も重要なものの 1 つです。デュアル 5 GHz の AP には、次 の 2 種類の動作モードがあります。 ● マクロ/マイクロ:より小さなセルが内部にある大きなセル。単一セルの範囲内でキャパシティを倍にし ます。 ● マクロ/マクロ:独立した 5 GHz のデュアルセル。単一の従来のデュアルバンド AP のカバレッジを倍に します(マクロ/マクロモードは、9120AXE と 9130E でのみサポートされています(これに対応する外 付けアンテナが使用されている場合))。 マクロ/マイクロモードは、内部アンテナがセル内セル展開をサポートするように設計されているため、Cisco Catalyst 9130I モデルに適用できます。この機能を効果的なものとするために、デバイスから 2 つのセルを分離させるこ とに設計上の多くの労力が傾けられました。その結果、アンテナ極性の分離と周波数の分離が実現しました。 FRA と DCA では、デュアル 5 GHz マクロ/マイクロとして動作する際に、多くの設定要件が必要とされます。 ● 最小 100 MHz でチャネルを分離(周波数の多様性) ● マイクロセル電力を最小に制限 ● 各セルのサービスセット識別子(SSID)が同じ マクロ/マイクロ セル アーキテクチャの導入は魅力的です。非常に多様なクライアント エクスペリエンスを実現 できる広範囲なセルを使用する際の問題が解決できるからです。AP に近いクライアントほど、より高いデータ レートを使用でき、セルのエッジ部分にあるクライアントよりも高い信号対雑音比(SNR)で動作できます。マ クロ/マイクロモードでは、セル内でそれぞれのクライアントを分離でき、全体的な効率性を向上させることで通 信時間を保持し、セルを最適な状態で使用できます。 © 2020 Cisco and/or its affiliates. All rights reserved. 41/52 ページ 図 59. マクロおよびマイクロセル 重要なポイント:マイクロおよびマクロセルを作成するデュアル 5 GHz 対応 Cisco Catalyst 9130I は、Wi-Fi 6 のすべての機能と利点を使用して、2 つの独立した 5 GHz アクセスポイントと同じように動作します。 9130I がデュアル 5 GHz モードで動作している場合、クライアントで同等の通信時間、チャネル利用率の低減、 クライアント接続データレートの向上、再試行回数の減少を実現します。 図 60. シングル 5 GHz チャネルとデュアル 5 GHz チャネル 左:シングルチャネルモデル - チャネル 36 の使用率が 60% 右:デュアルチャネルモデル - チャネル 36 では 20% に使用率が低下、チャネル 108 では 24% 上の図の左側では、すべてのクライアントが 1 つのチャネルに接続されているため、単一チャネルセル(チャネル 36)のチャネル使用率は 60% です。さらに悪いことに、近くにあるクライアントは遠くにあるクライアントより もはるかに高速で接続するため、接続速度は一定ではありません。 デュアルチャネルモデル(右側)では、2 つのチャネルを使用することで、明確に改善が見られます。これによ り、競合が大幅に減り、再試行が少なくなるため、ユーザエクスペリエンスがはるかに向上します。 注: この機能は、Aironet 2800/3800 シリーズで初めて導入され、2017 年にシスコのイノベーション Pioneer Award(エンジニアリングデザイン部門)を受賞しました。このモードは、遅延と小さなパケットに役立つ Wi-Fi 6 機能と組み合わせると、チャネル使用率を削減するという非常に大きな利点があります。 重要なポイント:デュアル 5 GHz を使用すると、データレートの高速化とチャネル使用率の低下により、スルー プットが向上し、再試行回数が減少するため、Wi-Fi エクスペリエンスが改善します。 © 2020 Cisco and/or its affiliates. All rights reserved. 42/52 ページ シスコの RF ASIC を使用した CleanAir スペクトル分析 Cisco CleanAir テクノロジーは、カスタム ハードウェア/ソフトウェア ソリューションです。 標準 Wi-Fi チップセットの解析力の限界を克服するために、シスコは、すべての RF アクティビティを分析して 分類するために特別に設計したソフトウェアと特許取得済みのチップを使用した統合ソリューションを構築しま した(このテクノロジーについては、これまでに 25 件以上の特許を取得しています)。 基本的には Cisco Spectrum Expert 分析ツールのベースとなっているテクノロジーを利用し、インフラストラク チャに直接統合しました。これには、専用のソフトウェア定義型無線(SDR)とカスタム RF ASIC の緊密な統合 が含まれます。これは大きな進歩であり、企業においてワイヤレスが「あれば便利」なものから「ビジネスに不 可欠」なものに変化したことを明確に示しています。 カスタム ソリューションは、Cisco RF ASIC カスタムデバイスに直接統合された Cisco SAgE ハードウェアコア から始まります。SAgE コアは、高分解能の高速フーリエ変換(FFT)やパルス検出など、非常に高い処理能力 が必要な動作を行います(パルスとは、周波数および時間における RF エネルギーのバーストのことです)。SAgE コアは、78.125 kHz という非常に細かいスペクトル分解能(最も近い競合ソリューションの 4 倍、ほとんどの チップセットの 64 倍)を備えています。 RF ASIC は、高度で包括的な干渉分析、検出、および緩和システムを AP に提供します。基本的に SAgE コアは、 リアルタイムでのソフトウェア処理や提供無線での処理ができないほどの高い処理能力が求められる基本レベル のスペクトル解析処理を行います。 利点:他の競合他社にはない包括的な RF 分析とスペクトル分析。アクセスポイントのクライアントサービスの パフォーマンスに影響を与えないように、(クライアントサービス無線とは別の)専用の SDR で干渉を明確に 識別します。 図 61. CleanAir は、専用の無線とカスタムデバイスを使用して干渉を明確に識別 © 2020 Cisco and/or its affiliates. All rights reserved. 43/52 ページ デュアル DFS - RF ASIC RF ASIC および CleanAir チップセットは、DFS 信号の判定を強化して、DFS を強化し、DFS の誤ったアラート を減らすため、AP がより安定して DFS チャネルに留まるようにします。また、専用の無線が干渉の軽減と最適 なチャネル選択のためにシスコの RRM に参加します。 図 62. DFS イベント(Wi-Fi チップセットによって検出)は、実際の DFS イベントであることを確認するために RF ASIC と比較される RF ASIC は、Wi-Fi チップセットで使用される DFS 検出よりもはるかに高度で、スペクトルの「第 2 の目」と して機能します。専用 SDR としての RF ASIC は、将来のソフトウェアアップグレードがリリースされると、新 しい機能でさらに拡張されます。 FastLocate - RF ASIC Cisco Connected Mobile Experiences(CMX)FastLocate テクノロジーを使用して、接続中の Wi-Fi クライア ントの位置を迅速に更新できます。データパケットとプローブフレームからの受信信号強度インジケータ(RSSI) が使用可能な場合は、この RSSI が位置の計算に使用されます。このテクノロジーは、中央でスイッチされる WLAN と Cisco FlexConnect®(ローカルでスイッチされる WLAN)の両方で使用できます。 利点:Cisco Catalyst 9130 シリーズは、オンボードの RF ASIC モニタリング無線により、さまざまなクライア ントサービス チャネル上のアクセスポイントが RF ASIC を使用して(チャネルに関係なく)目的の Wi-Fi クラ イアントのプローブとデータパケットをリッスンできるようにすることで、ロケーションを向上させます。 図 63. RF ASIC 無線は、提供チャネルに関係なく Wi-Fi クライアントを追跡できる © 2020 Cisco and/or its affiliates. All rights reserved. 44/52 ページ 使用例 製造業、保管倉庫、および工場 倉庫への設置は、天井が非常に高く、物が散乱していて、困難な場合がよくあります。カバレッジ調査(サイト 調査)を行うとき、保管倉庫内の物によって RF カバレッジが変わり、均一なカバレッジの喪失を招く可能性が あるため、「フルストック」レベルでのカバレッジを必ず確認します。また、できるだけユーザの近くに AP を 配置するようにし、可能であればアンテナの位置を低くしてください。AP が空中 30 フィートの位置にある場合、 信号は「最高条件で」30 フィート遠くまで到達する必要があります。通路にカバレッジを設定する場合は、壁面 に指向性(パッチ)アンテナを使用し、通路に届くようにします。または、天井に低ゲイン全方位アンテナ(ダ イポールなど)を使用するか、アンテナ内蔵タイプを使用します(高ゲイン全方位アンテナではカバレッジの抜 けが多く発生する傾向があるため)。 別の方法は、パイプおよび電気ボックスによる取り付け技法を使用して AP の取り付け位置を低くすることです。 次の例を参照してください。 図 64. 保管倉庫環境の AP 配置 (外部ダイポールの「e」シリーズまたは内部アンテナの「i」シリーズのバージョンが使用できます)。 © 2020 Cisco and/or its affiliates. All rights reserved. 45/52 ページ パイプの端部または電気コンジットボックスに AP を取り付けるには、ユニバーサルブラケットである Cisco AIR-AP-BRACKET-2 を使用します。これはほとんどの電気ボックスの穴に合わせて調整されているためです。 コンジットおよびアダプタは、ほとんどの電器店やホームセンターで購入できます。 図 65. AP を電気コンジットボックス(天井の T バーまたはコンジット)に取り付ける 使用例 医療機関/クリーンルーム Cisco Catalyst 9130 シリーズをクリーンルーム、病院または感染管理が必要な場所で使用するために化学薬品 で除菌する必要がある場合は、Steris 社の Spor-Klenz などのすぐに使用できる滅菌剤をお勧めします。一部の アクセスポイントとは異なり、9130 シリーズには通気口がないため、拭き取ることができます。プラスチック はこの減菌剤でテストされています。 Steris Spor-Klenz: https://www.sterislifesciences.com/products/surface-disinfectants/sporicide-cleaners-and-sterilant/sporklenz-ready-to-use-cold-sterilant 医療環境で金属製の天井やタイルが実用的ではない場所がある場合は、Oberon または AccelTex の金属製ラッ クを使用できます。 © 2020 Cisco and/or its affiliates. All rights reserved. 46/52 ページ 図 66. Oberon の金属製ラックはクリーンルームエリアの AP を保護し、しっかり固定する スタジアムおよび過酷な環境 運動用エリア、スタジアム、オープンな庭園空間、保管倉庫の冷凍庫など、AP が外気にさらされる可能性のあ る過酷な環境に AP を設置することを希望するお客様は、NEMA タイプのラックを使用することができます。 注: アクセスポイントによっては NEMA ラックでの屋外導入向けには保証されていない場合があります。こ れについては国によって異なります。たとえば規制機関によっては、AP が冷凍庫や庭園エリアなどの屋内で使 用される場合に AP 屋外 NEMA ラックを許可し、屋外での使用は禁じている場合があります。これは、気象レー ダーのコンプライアンス、多くの場合 UNII-1 に関して国ごとに異なるようです。シスコ アカウント チームまた は地元管轄の通信規制機関に確認してください。 図 67. AccelTex 12x10x6 NEMA ラックの例 NEMA タイプのラックおよびその他のアクセサリは次のようなサードパーティによって供給されています。 © 2020 Cisco and/or its affiliates. All rights reserved. 47/52 ページ Oberon:www.oberonwireless.com AccelTex:www.acceltex.com Ventev TerraWave:www.terra-wave.com NEMA タイプのラックを使用する場合は、雨水や湿気がケーブルを伝ってラック内に侵入しないように、ケーブ ルをラックの下部から外に出すようにしてください。また、ラックの色は、熱定格に影響を与えることもありま す。たとえば、日の当たる場所では、黒いラックは白いラックよりも非常に熱くなります。水分の蓄積を防ぐた めに圧力ベントを使用することもできます。 教育機関/学校 導入ガイドについては、次の URL を参照してください。 https://www.cisco.com/c/dam/en/us/td/docs/solutions/Verticals/Education/SRA_Schools/schoolSRA_wla n_sba.pdf 中間配線盤(IDF)クローゼット(電気通信機器またはその他の電気機器)内での設置 AP を他の電気機器または電気通信機器の近くに設置する場合、すべての配線および金属類をアンテナから離し、 電気配線の近くのアンテナの取り付けは避けてください。アンテナから近い場所(6 ~ 15 インチ)には電気配 線またはイーサネット配線を通さないでください。AP に最適な場所は可能な限りユーザに近い場所であること から、電気クローゼット内に AP を設置しないようにしてください。クローゼットからリモートアンテナをケー ブルでつなぐ場合、プレナム定格ケーブルの使用が要求される場合があります(詳しくは、現地の防災安全に関 する規定を確認してください)。 干渉について理解するための URL を以下に示します。 https://www.cisco.com/en/US/prod/collateral/wireless/ps9391/ps9393/ps9394/prod_white_paper0900ae cd807395a9_ns736_Networking_Solutions_White_Paper.html https://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wrlan_wp.pdf https://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10981/white_paper_c11-609300.html エレベータの内部および周辺での設置 エレベータの場合は、エレベータに近い場所、一般にエレベータ扉の近くの各フロアに AP を配置してカバレッ ジを確保することがあります。多くの場合、エレベータには金属製のドアがあり、シャフトがコンクリートで固 められているか、Wi-Fi カバレッジを低下させるその他の材料を含んでいるため、エレベータ内部のカバレッジ を確認することが重要です。そのようなカバレッジが課題になる場合がありますが、多くの場合、特にエレベー タが少数のフロアだけで動作している場合は設置可能です。 高層ビルのエレベータでは、クライアントが多数の AP 間を高速に循環するため、ローミングの問題がより大き な課題となります。エレベータ内部に広告がある企業では、エレベータ シャフト内のフロアやエレベータのかご の底面にパッチアンテナ(または実際の AP)を配置する場合や、シャフトの側面に沿って漏洩同軸ケーブルを 使用する場合があります。 エレベータのかごやシャフトの中に Wi-Fi 機器を設置する場合は、安全性の理由から禁止されるか、またはビル の所有者や地域の消防署によって禁止されることが多いため、現地の規制に従う必要があります。また、危険で あるため、このような作業の経験があるエレベータ修理人や請負業者だけがそのような領域に入るようにしてく ださい。外部アンテナが必要な場合は、9130E モデルを再度配置して使用します。 © 2020 Cisco and/or its affiliates. All rights reserved. 48/52 ページ WLAN のベストプラクティス アクセスポイントのアンテナの配置 Cisco Catalyst 9130I アクセスポイントには高度なアンテナシステムが備わっていますが、AP を正しく配置す ることが重要です。 図 68. 天井への配置と全方位性放射で最適なカバレッジ 一般的な設計ガイドライン:アクセスポイントの推奨間隔 AP などの Wi-Fi デバイスがあり、異なるチャネル付近で別の AP を使用する場合は、AP の間隔を約 2 m(6 フィー ト)取ることが推奨されます。複数の AP または異なる AP のアンテナをクラスタリングするとパフォーマンス が低下するおそれがあるため避けてください。この推奨間隔は、両方のデバイスがライセンス不要の周波数帯で 動作し、RF エネルギーを 23 dB、つまり 200 mW を超えて送信しない前提に基づいています。これより多くの 電力を使用する場合、それに応じて間隔をさらにあけます。 たとえば、AP の周波数の近くで動作する周波数ホッピングのレガシー AP やその他のデバイス(2.4 および 5 GHz 帯近辺で動作)など、送信する別のデバイスがあり、特にそれらが同じ周波数範囲で動作する場合は、妥当な間 隔をあけてデバイスを移動したり、離したりすることを検討してください。デバイス間隔を設定したら、両方の デバイスを高使用率(負荷)で同時にテストして干渉があるかどうか調べ、次に各システムで個別に低下が見ら れるかどうか、低下していればどの程度か、特性を明らかにします。 Warning FCC、EU、および EFTA の RF ばく露制限に準拠するため、アンテナは身体から 20 cm(7.9 インチ)以上離れた場所に配置す る必要があります。詳細については、「適合宣言」に基づいた設置ガイドを参照してください。 © 2020 Cisco and/or its affiliates. All rights reserved. 49/52 ページ モデルやタイプが異なるアクセスポイントの混在 Cisco Catalyst 9130 シリーズは、Wi-Fi 6 機能をサポートする非常に高度なアクセスポイントであり、デュアル 5 GHz やシスコのカスタム RF ASIC デバイスを使用した高度な RF 検出などの独自の機能を備えています。 このため、アクセスポイントモデルを混在させること(「塩とコショウ」アプローチと呼ばれることもあります) は推奨されません。9130 シリーズでは、デュアル DFS 検出など、他のアクセスポイントが関与しないスペクト ル判定を行うことができるためです。 したがって、異なる種類の AP が混在している場合は、同種類のアクセスポイントをまとめてグループ化(たと えば、Aironet 3800 シリーズを 1 つの階に配置したら、Cisco Catalyst 9130 シリーズは別の階に配置)して、 混在させないことをお勧めします。 設置に関する一般的な注意事項 アクセスポイントの設置に関する重要なガイドラインは次のとおりです。 ● 最適なパフォーマンスを得るためにできるだけユーザの近くに AP を配置するようにします。環境を考慮 します。たとえば、病院には金属のドアがあり、ドアを閉じるとカバレッジが変化する可能性があります。 また、古い建物では石膏またはアスベストの中に金属グリッド構造が含まれている場合があります。カバ レッジ領域を変化させて、クライアントに影響を与える可能性があるため、AP またはアンテナを金属物 の近くに配置しないようにします。 ● 2.4 GHz 周波数を使用すると、5 GHz チャネル方式と同じ、1/6/11 チャネル方式が使用されます。同じ チャネルにすべての AP を配置せず、可能な場合はチャネルを再利用します。 ● Cisco RRM、FRA などの機能を利用するとプロセスを自動化できます。 ● どのクライアントが頻繁に使用されているかを判断し、そのクライアントを使用してカバレッジを確認してみ ます。たとえば、PDA や Wi-Fi 電話機はノートまたはタブレットと同じ範囲ではない可能性があります。 Tip 展開するクライアントで最もパフォーマンスの低いクライアントを使用してカバレッジを確認します。 ● サイト サーベイを強く推奨しますが、Cisco RRM を適切に使用すれば、小規模の予定地では設計にあま り時間をかけず、限定的なサイト サーベイ(カバレッジ チェック)で十分な場合があります。列車での 接続、石油/ガスの採掘現場、大規模病院のような非常に厳しい環境の場合は、シスコのアドバンスドサー ビスチームと契約して、短期間での設置の支援や設置自体を依頼することができます。詳細については、 シスコのアカウント チームにお問い合わせください。 図 69. 非重複チャネルを間隔をあけて配置するチャネルカバレッジモデルの例 © 2020 Cisco and/or its affiliates. All rights reserved. 50/52 ページ アンテナケーブルの推奨事項 実際的または可能であれば、アンテナケーブル区間をできるだけ短く保つようにしてください。シスコでは、Times Microwave LMR-400 および LMR-600 と同じ特性を持つ低損失(LL)と超低損失(ULL)ケーブルを提供しています。 シスコ製ケーブルの部品番号には AIR-CAB とその後に長さが付きます。たとえば、RP-TNC コネクタ付きの長 さ 20 フィートの LL ケーブルは、Cisco AIR-CAB-020LL-R になります。これらの重くて黒いケーブルはプレ ナム定格を満たしていないため、主に屋外か製造エリアで使用します。 図 70. RP-TNC コネクタ付きシスコ製ケーブル ケーブル用の穴を開ける場合は、コネクタのサイズ(上記の RP-TNC の場合、通常 5/8 インチドリルビット) を考慮します。「N」型や DART などの他のコネクタはサイズが大きくなります。 Wi-Fi 6 の設置とサイト調査に関する考慮事項 今日は何を設置するかを判断するときは、以下の WLAN ニーズの評価を行います。 ● Wi-Fi 6 に更新する前に、既存の WLAN の問題を確認し、新しい場所、BLE、または IoT の要件を特定します。 ● 1 対 1 の交換では、現在のカバレッジと密度の目標を満たす最適な場所に AP が設置されていることを前提 としています。 ● まだ対処していないカバレッジの問題はありますか。 ● 取り付け不良または最適ではない取り付けがありますか。 ● 理想的には、少なくとも 802.3at(30W PoE)が使用可能である必要があります。 ● Wi-Fi 6 は、設計の不備を軽減するのに役立つ可能性がありますが、すべて最初から設置する場合に勝る ものはありません。 サイト調査をモデル化して実行するためのツールは多数あります。シスコは最近、Ekahau と協力してそのアプリケー ションに Cisco AP とアンテナモデルをインポートしました。これには BLE のモデリング機能も含まれています。 図 71. Ekahau は、サイト調査および WLAN プランナーソフトウェアを提供している 配置のためにアクティブな調査を行う場合は、常に導入予定の機器を用意することをお勧めします。計画中の実 際のモデルを使用できるとは限りません。シスコでは、新しいモデルの AP の RF カバレッジを以前の AP モデ © 2020 Cisco and/or its affiliates. All rights reserved. 51/52 ページ ルと厳密に一致させて、AP の計画と交換のコストを削減することに注力しています。Cisco Catalyst 9130 シリー ズも例外ではありません。次の図は、Cisco Catalyst 9120AX シリーズと Aironet 3802i を同じチャネルと電力 で比較した例です。代替 AP を使用した調査は、部品表(BOM)の生成や既存の設置を更新する場合に適してい ます。重要なカバレッジは、結果を確実にするために、常に同じモデルを使用して測定する必要があります。 図 72. Over The Air で測定した Cisco Catalyst 9120AX シリーズと Aironet 3802i のカバレッジパターンの比較 注: 上図のセルサイズは、同様のセルサイズであるため、Cisco Catalyst 9130 シリーズにも適用されます。 建物がイーサネット用に配線されておらず、バッテリから Cisco Catalyst 9130 シリーズ アクセスポイントに電 力を供給する必要がある場合、AccelTex が提供するバッテリパックを使用できます。 図 73. AccelTex サイト調査用バッテリパック P/N ATS-SSBP-1 ©2020 Cisco Systems, Inc. All rights reserved. Cisco、Cisco Systems、およびCisco Systemsロゴは、Cisco Systems, Inc.またはその関連会社の米国およびその他の一定の国における登録商標または商標です。 本書類またはウェブサイトに掲載されているその他の商標はそれぞれの権利者の財産です。 「パートナー」または「partner」という用語の使用は Cisco と他社との間のパートナーシップ関係を意味するものではありません。(1502R) この資料の記載内容は2020年10月現在のものです。 この資料に記載された仕様は予告なく変更する場合があります。 シスコシステムズ合同会社 〒107‐6227 東京都港区赤坂9-7-1 ミッドタウン・タワー http://www.cisco.com/jp C07-743490-00JA 20.10 お問い合せ先 付録 参照 URL: ● Cisco CleanAir ホワイトペーパー: https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/cleanair-technology/white _paper_c11-599260.html ● フレキシブル ラジオ アサインメントとデュアル 5 GHz 動作: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8- 3/b_RRM_White_Paper/b_RRM_White_Paper_chapter_01000.html ● Flexible radio Cisco Aironet 2800/3800 Series deployment guide: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8- 3/b_cisco_aironet_series_2800_3800_access_point_deployment_guide.pdf ● シスコ マルチギガビットの概要とサポートされるスイッチ: https://www.cisco.com/c/en/us/solutions/enterprise-networks/catalyst-multigigabitswitching/index.html ● Cisco DNA の概要: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/cisco-digitalnetwork-architecture/solution-overview-c22-736580.pdf 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Cisco Systems, Inc. Corporate Headquarters Tel: 800 553-NETS (6387) 408 526-4000 Fax: 408 526-4100 Cisco IOS Dial Technologies Configuration Guide Release 12.2 Customer Order Number: DOC-7812090= Text Part Number: 78-12090-02 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0304R) Cisco IOS Dial Technologies Configuration Guide Copyright © 2002–2006 Cisco Systems, Inc. All rights reserved. iii Cisco IOS Dial Technologies Configuration Guide CONTENTS About Cisco IOS Software Documentation xxxvii Documentation Objectives xxxvii Audience xxxvii Documentation Organization xxxvii Documentation Modules xxxvii Master Indexes xl Supporting Documents and Resources xl New and Changed Information xli Document Conventions xli Obtaining Documentation xlii World Wide Web xlii Documentation CD-ROM xliii Ordering Documentation xliii Documentation Feedback xliii Obtaining Technical Assistance xliii Cisco.com xliv Technical Assistance Center xliv Contacting TAC by Using the Cisco TAC Website xliv Contacting TAC by Telephone xliv Using Cisco IOS Software xlvii Understanding Command Modes xlvii Getting Help xlviii Example: How to Find Command Options xlix Using the no and default Forms of Commands li Saving Configuration Changes lii Filtering Output from the show and more Commands lii Identifying Supported Platforms liii Using Feature Navigator liii Using Software Release Notes liii Contents iv Cisco IOS Dial Technologies Configuration Guide DIAL INTERFACES, CONTROLLERS, AND LINES Overview of Dial Interfaces, Controllers, and Lines DC-3 Cisco IOS Dial Components DC-3 Logical Constructs DC-5 Asynchronous Interfaces DC-5 Group Asynchronous Interfaces DC-6 Virtual Template Interfaces DC-6 Templates for Virtual Access Interfaces DC-7 Templates for Protocol Translation DC-7 Logical Interfaces DC-7 Dialer Interfaces DC-8 Virtual Access Interfaces DC-9 Virtual Asynchronous Interfaces DC-10 Circuit-Switched Digital Calls DC-10 T1 and E1 Controllers DC-11 Non-ISDN Channelized T1 and Channelized E1 Lines DC-11 ISDN Service DC-12 ISDN BRI DC-13 ISDN PRI DC-13 Line Types DC-15 Relationship Between Lines and Interfaces DC-16 Asynchronous Interfaces and Physical Terminal Lines DC-16 Synchronous Interfaces and Virtual Terminal Lines DC-17 Encapsulation Types DC-18 Configuring Asynchronous Lines and Interfaces DC-19 How to Configure Asynchronous Interfaces and Lines DC-19 Configuring a Typical Asynchronous Interface DC-20 Monitoring and Maintaining Asynchronous Connections DC-20 Creating a Group Asynchronous Interface DC-21 Verifying the Group Interface Configuration DC-22 Configuring Asynchronous Rotary Line Queueing DC-25 Verifying Asynchronous Rotary Line Queueing DC-26 Troubleshooting Asynchronous Rotary Lines DC-26 Monitoring and Maintaining Asynchronous Rotary Line Queues DC-27 Configuring Autoselect DC-27 Verifying Autoselect PPP DC-28 Verifying Autoselect ARA DC-28 Contents v Cisco IOS Dial Technologies Configuration Guide How to Configure Other Asynchronous Line and Interface Features DC-29 Configuring the Auxiliary (AUX) Port DC-29 Establishing and Controlling the EXEC Process DC-30 Enabling Routing on Asynchronous Interfaces DC-31 Configuring Dedicated or Interactive PPP and SLIP Sessions DC-31 Conserving Network Addresses DC-32 Using Advanced Addressing Methods for Remote Devices DC-33 Assigning a Default Asynchronous Address DC-33 Allowing an Asynchronous Address to Be Assigned Dynamically DC-33 Optimizing Available Bandwidth DC-34 Configuring Header Compression DC-34 Forcing Header Compression at the EXEC Level DC-35 Configuration Examples for Asynchronous Interfaces and Lines DC-35 Interface and Line Configuration Examples DC-36 Asynchronous Interface Backup DDR Configuration Example DC-36 Passive Header Compression and Default Address Example DC-36 High-Density Dial-In Solution Using Autoselect and EXEC Control Example DC-36 Asynchronous Line Backup DDR Configuration Example DC-37 Line AUX Configuration Example DC-37 Rotary Group Examples DC-37 Dedicated Asynchronous Interface Configuration Example DC-38 Access Restriction on the Asynchronous Interface Example DC-38 Group and Member Asynchronous Interface Examples DC-38 Asynchronous Group Interface Examples DC-39 Modem Asynchronous Group Example DC-39 High-Density Dial-In Solution Using an Asynchronous Group DC-40 Asynchronous Interface Address Pool Examples DC-40 DHCP Pooling Example DC-40 Local Pooling Example DC-40 Configuring Specific IP Addresses for an Interface DC-41 IP and SLIP Using an Asynchronous Interface Example DC-41 IP and PPP Asynchronous Interface Configuration Example DC-41 Asynchronous Routing and Dynamic Addressing Configuration Example DC-42 TCP Header Compression Configuration Example DC-42 Network Address Conservation Using the ip unnumbered Command Example DC-42 Asynchronous Interface As the Only Network Interface Example DC-43 Routing on a Dedicated Dial-In Router Example DC-43 IGRP Configuration Example DC-44 Contents vi Cisco IOS Dial Technologies Configuration Guide Configuring Asynchronous Serial Traffic over UDP DC-45 UDPTN Overview DC-45 How to Configure Asynchronous Serial Traffic over UDP DC-46 Preparing to Configure Asynchronous Serial Traffic over UDP DC-46 Configuring a Line for UDPTN DC-46 Enabling UDPTN DC-47 Verifying UDPTN Traffic DC-47 Configuration Examples for UDPTN DC-48 Multicast UDPTN Example DC-48 Broadcast UDPTN Example DC-49 Point-to-Point UDPTN Example DC-49 MODEM CONFIGURATION AND MANAGEMENT Overview of Modem Interfaces DC-53 Cisco Modems and Cisco IOS Modem Features DC-53 Cisco IOS Modem Components DC-54 Logical Constructs in Modem Configurations DC-56 Asynchronous Interfaces DC-56 Group Asynchronous Interfaces DC-57 Modem Lines and Asynchronous Interfaces DC-58 Modem Calls DC-59 Asynchronous Line Configuration DC-59 Absolute Versus Relative Line Numbers DC-59 Line and Modem Numbering Issues DC-60 Decimal TCP Port Numbers for Line Connections DC-61 Signal and Flow Control Overview DC-62 Configuring and Managing Integrated Modems DC-63 Modems and Modem Feature Support DC-63 V.90 Modem Standard DC-64 V.110 Bit Rate Adaption Standard DC-64 V.120 Bit Rate Adaptation Standard DC-66 Managing Modems DC-66 Managing SPE Firmware DC-67 Configuring Modems in Cisco Access Servers DC-69 Configuring Modem Lines DC-69 Verifying the Dial-In Connection DC-70 Troubleshooting the Dial-In Connection DC-71 Contents vii Cisco IOS Dial Technologies Configuration Guide Configuring the Modem Using a Modemcap DC-71 Configuring the Modem Circuit Interface DC-73 Comparison of NextPort SPE and MICA Modem Commands DC-73 Configuring Cisco Integrated Modems Using Modem Attention Commands DC-76 Using Modem Dial Modifiers on Cisco MICA Modems DC-76 Changing Configurations Manually in Integrated Microcom Modems DC-77 Configuring Leased-Line Support for Analog Modems DC-78 Configuring Modem Pooling DC-82 Creating a Modem Pool DC-83 Verifying Modem Pool Configuration DC-84 Configuring Physical Partitioning DC-85 Creating a Physical Partition DC-86 Physical Partitioning with Dial-In and Dial-Out Scenario DC-88 Configuring Virtual Partitioning DC-90 Configuring Call Tracker DC-91 Verifying Call Tracker DC-92 Enabling Call Tracker DC-92 Configuring Polling of Link Statistics on MICA Modems DC-93 Configuring MICA In-Band Framing Mode Control Messages DC-94 Enabling Modem Polling DC-95 Setting Modem Poll Intervals DC-95 Setting Modem Poll Retry DC-95 Collecting Modem Statistics DC-95 Logging EIA/TIA Events DC-95 Configuring a Microcom Modem to Poll for Statistics DC-96 Troubleshooting Using a Back-to-Back Modem Test Procedure DC-96 Clearing a Direct Connect Session on a Microcom Modem DC-99 Displaying Local Disconnect Reasons DC-99 Removing Inoperable Modems DC-102 Busying Out a Modem Card DC-104 Monitoring Resources on Cisco High-End Access Servers DC-104 Enabling DS0 Busyout Traps DC-105 Enabling ISDN PRI Requested Channel Not Available Traps DC-106 Enabling Modem Health Traps DC-106 Enabling DS1 Loopback Traps DC-106 Verifying Enabled Traps DC-106 Troubleshooting the Traps DC-107 NAS Health Monitoring Example DC-107 Configuration Examples for Modem Management DC-110 NextPort Modem Log Example DC-110 Contents viii Cisco IOS Dial Technologies Configuration Guide Modem Performance Summary Example DC-111 Modem AT-Mode Example DC-111 Connection Speed Performance Verification Example DC-111 Configuring and Managing Cisco Access Servers and Dial Shelves DC-115 Cisco AS5800 Dial Shelf Architecture and DSIP Overview DC-115 Split Dial Shelves Feature DC-116 How to Configure Dial Shelves DC-116 Configuring the Shelf ID DC-117 Configuring Redundant DSC Cards DC-118 Synchronizing to the System Clocks DC-119 Verifying External Clock Configuration DC-120 Configuring Dial Shelf Split Mode DC-120 Changing Slot Sets DC-122 Leaving Split Mode DC-123 Troubleshooting Split Dial Shelves DC-123 Managing a Split Dial Shelf DC-123 Executing Commands Remotely DC-124 Verifying DSC Configuration DC-125 Monitoring and Maintaining the DSCs DC-125 Troubleshooting DSIP DC-125 Port Management Services on Cisco Access Servers DC-126 Upgrading and Configuring SPE Firmware DC-128 Downloading SPE Firmware from the Cisco.com FTP Server to a Local TFTP Server DC-129 Copying the SPE Firmware File from the Local TFTP Server to the SPEs DC-131 Specifying a Country Name DC-132 Configuring Dial Split Shelves (AS5800 Only) DC-132 Configuring SPEs to Use an Upgraded Firmware File DC-133 Disabling SPEs DC-134 Rebooting SPEs DC-135 Configuring Lines DC-136 Configuring Ports DC-137 Verifying SPE Line and Port Configuration DC-138 Configuring SPE Performance Statistics DC-138 Clearing Log Events DC-139 Troubleshooting SPEs DC-139 Monitoring SPE Performance Statistics DC-141 SPE Events and Firmware Statistics DC-141 Port Statistics DC-141 Digital SPE Statistics DC-142 Contents ix Cisco IOS Dial Technologies Configuration Guide SPE Modem Statistics DC-143 Configuring and Managing External Modems DC-145 External Modems on Low-End Access Servers DC-145 Automatically Configuring an External Modem DC-146 Manually Configuring an External Modem DC-148 Supporting Dial-In Modems DC-149 Testing the Modem Connection DC-151 Managing Telnet Sessions DC-152 Modem Troubleshooting Tips DC-154 Checking Other Modem Settings DC-155 Modem Signal and Line States DC-157 Signal and Line State Diagrams DC-157 Configuring Automatic Dialing DC-159 Automatically Answering a Modem DC-159 Supporting Dial-In and Dial-Out Connections DC-160 Configuring a Line Timeout Interval DC-161 Closing Modem Connections DC-162 Configuring a Line to Disconnect Automatically DC-163 Supporting Reverse Modem Connections and Preventing Incoming Calls DC-163 Creating and Using Modem Chat Scripts DC-165 Chat Script Overview DC-165 How To Configure Chat Scripts DC-166 Understanding Chat Script Naming Conventions DC-166 Creating a Chat Script DC-166 Chat String Escape Key Sequences DC-167 Adding a Return Key Sequence DC-167 Chat String Special-Case Script Modifiers DC-168 Configuring the Line to Activate Chat Scripts DC-168 Manually Testing a Chat Script on an Asynchronous Line DC-169 Using Chat Scripts DC-169 Generic Chat Script Example DC-169 Traffic-Handling Chat Script Example DC-169 Modem-Specific Chat Script Examples DC-170 Dialer Mapping Example DC-170 System Login Scripts and Modem Script Examples DC-171 Contents x Cisco IOS Dial Technologies Configuration Guide ISDN CONFIGURATION Configuring ISDN BRI DC-175 ISDN Overview DC-175 Requesting BRI Line and Switch Configuration from a Telco Service Provider DC-176 Interface Configuration DC-178 Dynamic Multiple Encapsulations DC-178 Interface Configuration Options DC-178 ISDN Cause Codes DC-179 How to Configure ISDN BRI DC-180 Configuring the ISDN BRI Switch DC-180 Configuring the Switch Type DC-180 Checking and Setting the Buffers DC-181 Multiple ISDN Switch Types Feature DC-182 Specifying Interface Characteristics for an ISDN BRI DC-182 Specifying the Interface and Its IP Address DC-183 Specifying ISDN SPIDs DC-183 Configuring Encapsulation on ISDN BRI DC-183 Configuring Network Addressing DC-185 Configuring TEI Negotiation Timing DC-186 Configuring CLI Screening DC-186 Configuring Called Party Number Verification DC-186 Configuring ISDN Calling Number Identification DC-187 Configuring the Line Speed for Calls Not ISDN End to End DC-187 Configuring a Fast Rollover Delay DC-188 Overriding ISDN Application Default Cause Codes DC-188 Configuring Inclusion of the Sending Complete Information Element DC-189 Configuring DNIS-plus-ISDN-Subaddress Binding DC-189 Screening Incoming V.110 Modem Calls DC-189 Disabling V.110 Padding DC-190 Configuring ISDN Semipermanent Connections DC-190 Configuring ISDN BRI for Leased-Line Service DC-190 Configuring Leased-Line Service at Normal Speeds DC-191 Configuring Leased-Line Service at 128 Kbps DC-191 Monitoring and Maintaining ISDN Interfaces DC-192 Troubleshooting ISDN Interfaces DC-192 Configuration Examples for ISDN BRI DC-193 Global ISDN and BRI Interface Switch Type Example DC-193 BRI Connected to a PBX Example DC-193 Contents xi Cisco IOS Dial Technologies Configuration Guide Multilink PPP on a BRI Interface Example DC-193 Dialer Rotary Groups Example DC-194 Compression Examples DC-194 Multilink PPP and Compression Example DC-195 Voice over ISDN Examples DC-195 DNIS-plus-ISDN-Subaddress Binding Example DC-196 Screening Incoming V.110 Modem Calls Example DC-196 ISDN BRI Leased-Line Configuration Example DC-196 Configuring Virtual Asynchronous Traffic over ISDN DC-197 Recommendation V.120 Overview DC-198 How to Configure V.120 Access DC-198 Configuring Answering of All Incoming Calls as V.120 DC-198 Configuring Automatic Detection of Encapsulation Type DC-199 Enabling V.120 Support for Asynchronous Access over ISDN DC-199 Configuration Example for V.120 DC-200 ISDN LAPB-TA Overview DC-200 How to Configure ISDN LAPB-TA DC-201 Verifying ISDN LAPB-TA DC-202 Configuration Example for ISDN LAPB-TA DC-203 Configuring Modem Use over ISDN BRI DC-205 Modem over ISDN BRI Overview DC-206 How to Configure Modem over ISDN BRI DC-207 Verifying ISDN BRI Interface Configuration DC-210 Configuration Examples for Modem over ISDN BRI DC-212 BRI Interface Configuration Example DC-212 Complete Configuration Examples DC-215 Configuring X.25 on ISDN DC-227 X.25 on ISDN Overview DC-227 X.25-over-D-Channel Logical Interface DC-227 Outbound Circuit-Switched X.25 Support over a Dialer Interface DC-228 How to Configure X.25 on ISDN DC-228 Configuring X.25 on the ISDN D Channel DC-229 Configuration Examples for X.25 on ISDN DC-229 X.25 on ISDN D-Channel Configuration Example DC-229 Outbound Circuit-Switched X.25 Example DC-230 Contents xii Cisco IOS Dial Technologies Configuration Guide Configuring X.25 on ISDN Using AO/DI DC-235 AO/DI Overview DC-235 PPP over X.25 Encapsulation DC-237 Multilink PPP Bundle DC-238 MLP Encapsulation Enhancements DC-238 BACP/BAP DC-239 How to Configure an AO/DI Interface DC-239 Configuring PPP and BAP on the Client DC-239 Configuring X.25 Parameters on the Client DC-240 Configuring PPP and BAP on the Server DC-240 Configuring X.25 Parameters on the Server DC-241 How to Configure an AO/DI Client/Server DC-241 Configuring the AO/DI Client DC-242 Enabling AO/DI on the Interface DC-242 Enabling the AO/DI Interface to Initiate Client Calls DC-242 Enabling the MLP Bundle to Add Multiple Links DC-242 Modifying BACP Default Settings DC-243 Configuring the AO/DI Server DC-243 Enabling the Interface to Receive AO/DI Client Calls DC-243 Enabling the MLP Bundle to Add Multiple Links DC-244 Modifying BACP Default Settings DC-244 Configuration Examples for AO/DI DC-245 AO/DI Client Configuration Example DC-245 AO/DI Server Configuration Example DC-246 Configuring ISDN on Cisco 800 Series Routers DC-247 CAPI and RCAPI Overview DC-248 Framing Protocols DC-248 Data Link and Network Layer Protocols DC-248 CAPI Features DC-248 Supported B-Channel Protocols DC-249 Supported Switch Types DC-250 CAPI and RVS-COM DC-250 Supported Applications DC-251 Helpful Website DC-251 How to Configure RCAPI DC-251 Configuring RCAPI on the Cisco 800 Series Router DC-251 Monitoring and Maintaining RCAPI DC-252 Troubleshooting RCAPI DC-252 Contents xiii Cisco IOS Dial Technologies Configuration Guide Configuration Examples for RCAPI DC-252 SIGNALING CONFIGURATION Configuring ISDN PRI DC-257 Signaling Overview DC-258 In-Band and Out-of-Band Signaling DC-258 Channelized E1 and T1 on Cisco Devices DC-258 How to Configure ISDN PRI DC-259 Requesting PRI Line and Switch Configuration from a Telco Service Provider DC-259 Configuring Channelized E1 ISDN PRI DC-260 Configuring Channelized T1 ISDN PRI DC-261 Configuring the Serial Interface DC-262 Specifying an IP Address for the Interface DC-263 Configuring Encapsulation on ISDN PRI DC-263 Configuring Network Addressing DC-265 Configuring ISDN Calling Number Identification DC-266 Overriding the Default TEI Value DC-266 Configuring a Static TEI DC-266 Configuring Incoming ISDN Modem Calls DC-266 Filtering Incoming ISDN Calls DC-267 Configuring the ISDN Guard Timer DC-268 Configuring Inclusion of the Sending Complete Information Element DC-268 Configuring ISDN PRI B-Channel Busyout DC-269 Configuring NSF Call-by-Call Support DC-269 Configuring Multiple ISDN Switch Types DC-270 Configuring B Channel Outgoing Call Order DC-272 Performing Configuration Self-Tests DC-272 Monitoring and Maintaining ISDN PRI Interfaces DC-273 How to Configure Robbed-Bit Signaling for Analog Calls over T1 Lines DC-273 How to Configure CAS DC-275 CAS on Channelized E1 DC-275 Configuring CAS for Analog Calls over E1 Lines DC-276 Configuring CAS on a Cisco Router Connected to a PBX or PSTN DC-276 CAS on T1 Voice Channels DC-277 Configuring ANI/DNIS Delimiters for CAS Calls on CT1 DC-277 How to Configure Switched 56K Digital Dial-In over Channelized T1 and Robbed-Bit Signaling DC-278 Switched 56K Scenarios DC-279 Switched 56K and Analog Modem Calls into T1 CAS DC-279 Contents xiv Cisco IOS Dial Technologies Configuration Guide Basic Call Processing Components DC-280 ISDN BRI Calls into T1 CAS DC-281 How to Configure Switched 56K Services DC-281 How to Configure E1 R2 Signaling DC-282 E1 R2 Signaling Overview DC-282 Configuring E1 R2 Signaling DC-285 Configuring E1 R2 Signaling for Voice DC-285 Monitoring E1 R2 Signaling DC-286 Verifying E1 R2 Signaling DC-287 Troubleshooting E1 R2 Signaling DC-288 Enabling R1 Modified Signaling in Taiwan DC-289 R1 Modified Signaling Topology DC-289 R1 Modified Signaling Configuration Task List DC-290 Configuring R1 Modified Signaling on a T1 Interface DC-291 Configuring R1 Modified Signaling on an E1 Interface DC-292 Troubleshooting Channelized E1 and T1 Channel Groups DC-293 Interface Local Loopback DC-293 Interface Remote Loopback DC-294 Configuration Examples for Channelized E1 and Channelized T1 DC-294 ISDN PRI Examples DC-294 Global ISDN, BRI, and PRI Switch Example DC-295 Global ISDN and Multiple BRI and PRI Switch Using TEI Negotiation Example DC-295 NSF Call-by-Call Support Example DC-295 PRI on a Cisco AS5000 Series Access Server Example DC-296 ISDN B-Channel Busyout Example DC-298 Multiple ISDN Switch Types Example DC-298 Outgoing B-Channel Ascending Call Order Example DC-298 Static TEI Configuration Example DC-299 Call Reject Configuration Examples DC-299 ISDN Cause Code Override and Guard Timer Example DC-299 PRI Groups and Channel Groups on the Same Channelized T1 Controller Example DC-299 Robbed-Bit Signaling Examples DC-300 Allocating All Channels for Robbed-Bit Signaling Example DC-300 Mixing and Matching Channels—Robbed-Bit Signaling and Channel Grouping DC-300 Switched 56K Configuration Examples DC-300 Switched 56K T1 Controller Procedure DC-301 Mixture of Switched 56K and Modem Calls over CT1 CAS Example DC-301 Switched 56K and Analog Modem Calls over Separate T1 CAS Lines Example DC-302 Comprehensive Switched 56K Startup Configuration Example DC-302 Contents xv Cisco IOS Dial Technologies Configuration Guide ISDN CAS Examples DC-307 Allocating All Channels for CAS Example DC-307 Mixing and Matching Channels—CAS and Channel Grouping Example DC-308 E1 R2 Signaling Procedure DC-308 R1 Modified Signaling Using an E1 Interface Example DC-311 R1 Modified Signaling for Taiwan Configuration Example DC-312 Configuring ISDN Special Signaling DC-313 How to Configure ISDN Special Signaling DC-313 Configuring ISDN AOC DC-314 Configuring Short-Hold Mode DC-314 Monitoring ISDN AOC Call Information DC-315 Configuring NFAS on PRI Groups DC-315 ISDN NFAS Prerequisites DC-316 ISDN NFAS Configuration Task List DC-316 Configuring NFAS on PRI Groups DC-316 Configuring NTT PRI NFAS DC-317 Disabling a Channel or Interface DC-318 When the T1 Controller Is Shut Down DC-319 Monitoring NFAS Groups DC-319 Monitoring ISDN Service DC-319 Enabling an ISDN PRI to Take PIAFS Calls on MICA Modems DC-319 Verifying PIAFS DC-320 Configuring Automatic Detection of Encapsulation Type DC-320 Configuring Encapsulation for Combinet Compatibility DC-321 Troubleshooting ISDN Special Signaling DC-322 Configuration Examples for ISDN Special Signaling DC-322 ISDN AOC Configuration Examples DC-322 Using Legacy DDR for ISDN PRI AOC Configuration DC-322 Using Dialer Profiles for ISDN BRI AOC Configuration DC-323 ISDN NFAS Configuration Examples DC-324 NFAS Primary and Backup D Channels DC-324 PRI Interface Service State DC-325 NTT PRI NFAS Primary D Channel Example DC-325 Configuring Network Side ISDN PRI Signaling, Trunking, and Switching DC-327 Network Side ISDN PRI Signaling Overview DC-327 Call Switching Using Dial Peers DC-328 Trunk Group Resource Manager DC-328 Class of Restrictions DC-329 Contents xvi Cisco IOS Dial Technologies Configuration Guide ISDN Disconnect Timers DC-329 How to Configure Network Side ISDN PRI DC-329 Configuring ISDN Network Side DC-330 Configuring ISDN Network Side for the National ISDN Switch Type DC-331 Configuring ISDN Network Side for ETSI Net5 PRI DC-331 Configuring Global or Interface Trunk Groups DC-332 Configuring Classes of Restrictions DC-333 Configuring ISDN T306 and T310 Timers DC-334 Verifying Network Side ISDN PRI Signaling, Trunking, and Switching DC-334 Monitoring Network Side ISDN PRI DC-337 Monitoring TGRM DC-338 Configuration Examples for Network Side ISDN PRI Signaling, Trunking, and Switching DC-338 Call Switching and Dial Peers Configuration on T1/T3 Example DC-338 Trunk Group Configuration Example DC-339 COR for Dial Peer Configuration Example DC-339 COR Based on Outgoing Dial Peers Example DC-340 Dial Peers and Trunk Groups for Special Numbers Examples DC-341 ISDN Network Side for ETSI Net5 PRI Configuration on E1 Example DC-342 T306/T310 Timer Configuration Example DC-342 DIAL-ON-DEMAND ROUTING CONFIGURATION Preparing to Configure DDR DC-345 DDR Decision Flowchart DC-345 DDR Topology Decisions DC-347 DDR-Independent Implementation Decisions DC-347 DDR-Dependent Implementation Decisions DC-348 Dialer Profiles DC-348 Legacy DDR DC-349 Simple or Complex DDR Configuration DC-349 Global and Interface Preparations for DDR DC-349 Preparations Depending on the Selected Interface Type DC-350 Preparations for Routing or Bridging over DDR DC-350 Preparing for Transparent Bridging over DDR DC-350 Defining the Protocols to Bridge DC-350 Specifying the Bridging Protocol DC-351 Controlling Bridging Access DC-351 Preparing for Routing over DDR DC-351 Configuring the Protocol for Routing and Access Control DC-352 Contents xvii Cisco IOS Dial Technologies Configuration Guide Associating the Protocol Access List with a Dialer Group DC-356 Configuration Examples for Legacy DDR DC-356 Point-to-Point DDR Without Authentication Examples DC-356 Point-to-Point DDR with Authentication Examples DC-358 Configuring Legacy DDR Spokes DC-361 DDR Spokes Configuration Task Flow DC-361 How to Configure DDR DC-362 Specifying the Interface DC-363 Enabling DDR on the Interface DC-364 Configuring the Interface to Place Calls DC-365 Specifying the Dial String for Synchronous Serial Interfaces DC-365 Specifying Chat Scripts and Dial Strings for Asynchronous Serial Interfaces DC-365 Configuring the Interface to Receive Calls DC-365 Configuring the Interface to Place and Receive Calls DC-366 Defining the Traffic to Be Authenticated DC-366 Configuring Access Control for Outgoing Calls DC-367 Configuring Access Control for Bridging DC-367 Controlling Bridging Access by Ethernet Type Codes DC-368 Permitting All Bridge Packets to Trigger Calls DC-368 Assigning the Interface to a Bridge Group DC-368 Configuring Access Control for Routing DC-368 Customizing the Interface Settings DC-369 Configuring Timers on the DDR Interface DC-369 Setting Dialer Interface Priority DC-370 Configuring a Dialer Hold Queue DC-371 Configuring Bandwidth on Demand DC-371 Disabling and Reenabling DDR Fast Switching DC-372 Configuring Dialer Redial Options DC-372 Sending Traffic over Frame Relay, X.25, or LAPB Networks DC-372 Configuring the Interface for Sending Traffic over a Frame Relay Network DC-373 Configuring the Interface for Sending Traffic over an X.25 Network DC-374 Configuring the Interface for Sending Traffic over a LAPB Network DC-375 Monitoring DDR Connections DC-375 Configuration Examples for Legacy DDR Spoke DC-376 Legacy Dial-on-Demand Routing Example DC-376 Transparent Bridging over DDR Examples DC-377 DDR Configuration in an IP Environment Example DC-378 Two-Way DDR for Novell IPX Example DC-378 Remote Configuration Example DC-378 Contents xviii Cisco IOS Dial Technologies Configuration Guide Local Configuration Example DC-379 AppleTalk Configuration Example DC-380 DECnet Configuration Example DC-380 ISO CLNS Configuration Example DC-381 XNS Configuration Example DC-381 Single Site Dialing Example DC-381 DTR Dialing Example DC-382 Hub-and-Spoke DDR for Asynchronous Interfaces and Authentication Example DC-383 Spoke Topology Configuration DC-383 Hub Router Configuration DC-384 Two-Way Reciprocal Client/Server DDR Without Authentication Example DC-385 Remote Configuration DC-385 Local Configuration DC-385 Frame Relay Support Example DC-386 Frame Relay Access with In-Band Dialing (V.25bis) and Static Mapping Example DC-386 Frame Relay Access with ISDN Dialing and DDR Dynamic Maps Example DC-387 X.25 Support Example DC-387 LAPB Support Example DC-388 Configuring Legacy DDR Hubs DC-389 DDR Issues DC-389 DDR Hubs Configuration Task Flow DC-390 How to Configure DDR DC-391 Specifying the Interface DC-391 Enabling DDR on the Interface DC-392 Configuring the Interface to Place Calls Only DC-392 Defining the Dialing Destination DC-393 Specifying a Physical Interface to Use and Assigning It to a Dialer Rotary Group DC-393 Configuring the Interface to Receive Calls Only DC-394 Configuring the Interface for TACACS+ DC-395 Configuring the Interface for PPP Authentication DC-395 Specifying Physical Interfaces and Assigning Them to the Dialer Rotary Group DC-396 Configuring the Interface to Place and Receive Calls DC-396 Defining One or More Dialing Destinations DC-397 Defining the Traffic to Be Authenticated DC-398 Configuring Access Control for Outgoing Calls DC-398 Configuring Access Control for Bridging DC-398 Configuring Access Control for Routing DC-399 Customizing the Interface Settings DC-399 Configuring Timers on the DDR Interface DC-399 Contents xix Cisco IOS Dial Technologies Configuration Guide Setting Dialer Interface Priority DC-401 Configuring a Dialer Hold Queue DC-401 Configuring Bandwidth on Demand DC-401 Disabling and Reenabling DDR Fast Switching DC-402 Configuring Dialer Redial Options DC-402 Sending Traffic over Frame Relay, X.25, or LAPB Networks DC-403 Configuring the Interface for Sending Traffic over a Frame Relay Network DC-403 Configuring the Interface for Sending Traffic over an X.25 Network DC-405 Configuring the Interface for Sending Traffic over a LAPB Network DC-405 Monitoring DDR Connections DC-406 Configuration Examples for Legacy DDR Hub DC-406 Transparent Bridging over DDR Examples DC-407 DDR Configuration in an IP Environment Example DC-408 AppleTalk Configuration Example DC-408 Banyan VINES Configuration Example DC-409 DECnet Configuration Example DC-409 ISO CLNS Configuration Example DC-410 XNS Configuration Example DC-410 Hub-and-Spoke DDR for Asynchronous Interfaces and Authentication Example DC-410 Spoke Topology Configuration DC-411 Hub Router Configuration DC-411 Single Site or Multiple Sites Dialing Configuration Example DC-413 Multiple Destinations Configuration Example DC-413 Dialer Interfaces and Dialer Rotary Groups Example DC-414 DDR Configuration Using Dialer Interface and PPP Encapsulation Example DC-414 Two-Way DDR with Authentication Example DC-415 Remote Configuration DC-416 Local Configuration DC-416 Frame Relay Support Examples DC-417 Frame Relay Access with In-Band Dialing and Static Mapping DC-417 Frame Relay Access with ISDN Dialing and DDR Dynamic Maps DC-417 Frame Relay Access with ISDN Dialing and Subinterfaces DC-418 X.25 Support Configuration Example DC-419 LAPB Support Configuration Example DC-419 Configuring Peer-to-Peer DDR with Dialer Profiles DC-421 Dialer Profiles Overview DC-421 New Dialer Profile Model DC-422 Dialer Interface DC-423 Dialer Map Class DC-423 Contents xx Cisco IOS Dial Technologies Configuration Guide Dialer Pool DC-423 How to Configure Dialer Profiles DC-425 Configuring a Dialer Profile DC-425 Configuring a Dialer Interface DC-425 Fancy Queueing and Traffic Shaping on Dialer Profile Interfaces DC-426 Configuring a Map Class DC-426 Configuring the Physical Interfaces DC-427 Configuring Dialer Profiles for Routed Protocols DC-427 Configuring Dialer Profiles for AppleTalk DC-428 Configuring Dialer Profiles for Banyan VINES DC-428 Configuring Dialer Profiles for DECnet DC-428 Configuring Dialer Profiles for IP DC-429 Configuring Dialer Profiles for Novell IPX DC-429 Configuring XNS over DDR DC-430 Configuring Dialer Profiles for Transparent Bridging DC-430 Defining the Protocols to Bridge DC-431 Specifying the Bridging Protocol DC-431 Controlling Access for Bridging DC-431 Configuring an Interface for Bridging DC-432 Monitoring and Maintaining Dialer Profile Connections DC-433 Configuration Examples Dialer Profiles DC-433 Dialer Profile with Inbound Traffic Filter Example DC-434 Dialer Profile for Central Site with Multiple Remote Sites Example DC-434 Dialer Profile for ISDN BRI Backing Up Two Leased Lines Example DC-435 Dynamic Multiple Encapsulations over ISDN Example DC-436 Verifying the Dynamic Multiple Encapsulations Feature DC-438 Configuring Snapshot Routing DC-441 Snapshot Routing Overview DC-441 How to Configure Snapshot Routing DC-442 Configuring the Client Router DC-443 Configuring the Server Router DC-444 Monitoring and Maintaining DDR Connections and Snapshot Routing DC-444 Configuration Examples for Snapshot Routing DC-444 DIAL-BACKUP CONFIGURATION Configuring Dial Backup for Serial Lines DC-449 Backup Serial Interface Overview DC-449 Contents xxi Cisco IOS Dial Technologies Configuration Guide How to Configure Dial Backup DC-450 Specifying the Backup Interface DC-451 Defining the Traffic Load Threshold DC-451 Defining Backup Line Delays DC-452 Configuration Examples for Dial Backup for Serial Interfaces DC-452 Dial Backup Using an Asynchronous Interface Example DC-452 Dial Backup Using DDR and ISDN Example DC-453 Dial Backup Service When the Primary Line Reaches Threshold Example DC-453 Dial Backup Service When the Primary Line Exceeds Threshold Example DC-453 Dial Backup Service When the Primary Line Goes Down Example DC-454 Configuring Dial Backup with Dialer Profiles DC-455 Dial Backup with Dialer Profiles Overview DC-455 How to Configure Dial Backup with Dialer Profiles DC-455 Configuring a Dialer Interface DC-456 Configuring a Physical Interface to Function As Backup DC-456 Configuring Interfaces to Use a Backup Interface DC-456 Configuration Example of Dialer Profile for ISDN BRI Backing Up Two Leased Lines DC-457 Configuring Dial Backup Using Dialer Watch DC-459 Dialer Watch Overview DC-459 How to Configure Dialer Backup with Dialer Watch DC-460 Determining the Primary and Secondary Interfaces DC-461 Determining the Interface Addresses and Networks to Watch DC-461 Configuring the Interface to Perform DDR Backup DC-461 Creating a Dialer List DC-461 Setting the Disable Timer on the Backup Interface DC-461 Configuration Examples for Dialer Watch DC-462 Dialer Watch Configuration Example Prior to Cisco IOS Release 12.3(11)T DC-463 Dialer Watch Configuration Example After Cisco IOS Release 12.3(11)T DC-467 DIAL-RELATED ADDRESSING SERVICES Configuring Cisco Easy IP DC-473 Cisco Easy IP Overview DC-473 How to Configure Cisco Easy IP DC-476 Defining the NAT Pool DC-477 Configuring the LAN Interface DC-477 Defining NAT for the LAN Interface DC-477 Configuring the WAN Interface DC-477 Contents xxii Cisco IOS Dial Technologies Configuration Guide Enabling PPP/IPCP Negotiation DC-478 Defining NAT for the Dialer Interface DC-478 Configuring the Dialer Interface DC-478 Timeout Considerations DC-479 Configuration Examples for Cisco Easy IP DC-479 VIRTUAL TEMPLATES, PROFILES, AND NETWORKS Configuring Virtual Template Interfaces DC-483 Virtual Template Interface Service Overview DC-484 Features that Apply Virtual Template Interfaces DC-485 Selective Virtual Access Interface Creation DC-485 How to Configure a Virtual Template Interface DC-486 Monitoring and Maintaining a Virtual Access Interface DC-486 Configuration Examples for Virtual Template Interface DC-486 Basic PPP Virtual Template Interface DC-487 Virtual Template Interface DC-487 Selective Virtual Access Interface DC-487 RADIUS Per-User and Virtual Profiles DC-488 TACACS+ Per-User and Virtual Profiles DC-488 Configuring Virtual Profiles DC-489 Virtual Profiles Overview DC-489 DDR Configuration of Physical Interfaces DC-490 Multilink PPP Effect on Virtual Access Interface Configuration DC-491 Interoperability with Other Features That Use Virtual Templates DC-491 How Virtual Profiles Work—Four Configuration Cases DC-492 Case 1: Virtual Profiles Configured by Virtual Template DC-493 Case 2: Virtual Profiles Configured by AAA DC-493 Case 3: Virtual Profiles Configured by Virtual Template and AAA Configuration DC-494 Case 4: Virtual Profiles Configured by AAA, and a Virtual Template Defined by Another Application DC-495 How to Configure Virtual Profiles DC-496 Configuring Virtual Profiles by Virtual Template DC-496 Creating and Configuring a Virtual Template Interface DC-496 Specifying a Virtual Template Interface for Virtual Profiles DC-497 Configuring Virtual Profiles by AAA Configuration DC-497 Configuring Virtual Profiles by Both Virtual Template and AAA Configuration DC-497 Creating and Configuring a Virtual Template Interface DC-498 Specifying Virtual Profiles by Both Virtual Templates and AAA DC-498 Contents xxiii Cisco IOS Dial Technologies Configuration Guide Troubleshooting Virtual Profile Configurations DC-499 Configuration Examples for Virtual Profiles DC-499 Virtual Profiles Configured by Virtual Templates DC-499 Virtual Profiles Configured by AAA Configuration DC-501 Virtual Profiles Configured by Virtual Templates and AAA Configuration DC-502 Virtual Profiles Configured by AAA Plus a VPDN Virtual Template on a VPDN Home Gateway DC-504 Configuring Virtual Private Networks DC-507 VPN Technology Overview DC-507 VPDN MIB DC-508 VPN Hardware Terminology DC-508 VPN Architectures DC-509 Client-Initiated VPNs DC-509 NAS-Initiated VPNs DC-509 PPTP Dial-In with MPPE Encryption DC-509 PPTP Tunnel Negotiation DC-510 Flow Control Alarm DC-510 MPPE Overview DC-510 MPPE Encryption Types DC-511 L2F Dial-In DC-511 Protocol Negotiation Sequence DC-512 L2F Tunnel Authentication Process DC-514 L2TP Dial-In DC-515 Incoming Call Sequence DC-517 VPN Tunnel Authentication Search Order DC-518 VPN Tunnel Lookup Based on Domain Name DC-519 VPN Tunnel Lookup Based on DNIS Information DC-519 VPN Tunnel Lookup Based on Both Domain Name and DNIS Information DC-519 NAS AAA Tunnel Definition Lookup DC-519 L2TP Dial-Out DC-520 VPN Configuration Modes Overview DC-521 Prerequisites for VPNs DC-523 Configuring the LAN Interface DC-524 Configuring AAA DC-524 Specifying the IP Address Pool and BOOTP Servers on the Tunnel Server DC-526 Commissioning the T1 Controllers on the NAS DC-526 Configuring the Serial Channels for Modem Calls on the NAS DC-527 Configuring the Modems and Asynchronous Lines on the NAS DC-528 Configuring the Group-Asynchronous Interface on the NAS DC-528 Configuring the Dialer on a NAS DC-529 Contents xxiv Cisco IOS Dial Technologies Configuration Guide Configuring the Dialer on a Tunnel Server DC-529 How to Configure a VPN DC-530 Enabling a VPN DC-530 Configuring VPN Tunnel Authentication Configuration DC-530 Disabling VPN Tunnel Authentication for L2TP Tunnels DC-531 Configuring VPN Tunnel Authentication Using the Host Name or Local Name DC-532 Configuring VPN Tunnel Authentication Using the L2TP Tunnel Password DC-532 Configuring Client-Initiated Dial-In VPN DC-533 Configuring a Tunnel Server to Accept PPTP Tunnels DC-533 Configuring MPPE on the ISA Card DC-534 Tuning PPTP DC-534 Configuring NAS-Initiated Dial-In VPN DC-534 Configuring a NAS to Request Dial-In DC-534 Configuring a Tunnel Server to Accept Dial-In DC-535 Creating the Virtual Template on the Network Server DC-535 Configuring Dial-Out VPN DC-536 Configuring a Tunnel Server to Request Dial-Out DC-536 Configuring a NAS to Accept Dial-Out DC-537 Configuring Advanced VPN Features DC-537 Configuring Advanced Remote AAA Features DC-537 Configuring Per-User VPN DC-538 Configuring Preservation of IP ToS Field DC-539 Shutting Down a VPN Tunnel DC-540 Limiting the Number of Allowed Simultaneous VPN Sessions DC-540 Enabling Soft Shutdown of VPN Tunnels DC-541 Configuring Event Logging DC-542 Setting the History Table Size DC-542 Verifying VPN Sessions DC-542 Verifying a Client-Initiated VPN DC-542 Verifying a NAS-Initiated VPN DC-544 Monitoring and Maintaining VPNs DC-547 Troubleshooting VPNs DC-548 Successful Debug Examples DC-549 L2TP Dial-In Debug Output on NAS Example DC-549 L2TP Dial-In Debug Output on a Tunnel Server Example DC-550 L2TP Dial-Out Debug Output on a NAS Example DC-550 L2TP Dial-Out Debug Output on a Tunnel Server Example DC-551 VPN Troubleshooting Methodology DC-553 Comparing Your Debug Output to the Successful Debug Output DC-555 Contents xxv Cisco IOS Dial Technologies Configuration Guide Troubleshooting VPN Negotiation DC-555 Troubleshooting PPP Negotiation DC-559 Troubleshooting AAA Negotiation DC-560 Configuration Examples for VPN DC-563 Client-Initiated Dial-In Configuration Example DC-563 VPN Tunnel Authentication Examples DC-565 Tunnel Secret Configured Using the Local Name Command DC-565 Tunnel Secret Configured Using the L2TP Tunnel Password Command DC-565 Tunnel Secret Configuration Using Different Tunnel Authentication Methods DC-566 NAS Comprehensive Dial-In Configuration Example DC-566 Tunnel Server Comprehensive Dial-in Configuration Example DC-567 NAS Configured for Both Dial-In and Dial-Out Example DC-568 Tunnel Server Configured for Both Dial-In and Dial-Out Example DC-569 RADIUS Profile Examples DC-569 RADIUS Domain Profile DC-569 RADIUS User Profile DC-570 TACACS+ Profile Examples DC-570 TACACS+ Domain Profile DC-570 TACACS+ User Profile DC-571 TACACS+ Tunnel Profiles DC-571 PPP CONFIGURATION Configuring Asynchronous SLIP and PPP DC-575 Asynchronous SLIP and PPP Overview DC-575 Responding to BOOTP Requests DC-576 Asynchronous Network Connections and Routing DC-576 Asynchronous Interfaces and Broadcasts DC-577 How to Configure Asynchronous SLIP and PPP DC-577 Configuring Network-Layer Protocols over PPP and SLIP DC-578 Configuring IP and PPP DC-578 Configuring IPX and PPP DC-578 Configuring AppleTalk and PPP DC-580 Configuring IP and SLIP DC-581 Configuring Asynchronous Host Mobility DC-581 Making Additional Remote Node Connections DC-582 Creating PPP Connections DC-582 Making SLIP Connections DC-583 Configuring Remote Access to NetBEUI Services DC-583 Configuring Performance Parameters DC-584 Contents xxvi Cisco IOS Dial Technologies Configuration Guide Compressing TCP Packet Headers DC-584 Setting the TCP Connection Attempt Time DC-585 Compressing IPX Packet Headers over PPP DC-585 Enabling Fast Switching DC-586 Controlling Route Cache Invalidation DC-587 Customizing SLIP and PPP Banner Messages DC-587 Configuration Examples for Asynchronous SLIP and PPP DC-588 Basic PPP Configurations Examples DC-588 Remote Node NetBEUI Examples DC-589 Remote Network Access Using PPP Basic Configuration Example DC-590 Remote Network Access Using PPP and Routing IP Example DC-591 Remote Network Access Using a Leased Line with Dial-Backup and PPP Example DC-592 Multilink PPP Using Multiple Asynchronous Interfaces Example DC-593 Configuring Media-Independent PPP and Multilink PPP DC-595 PPP Encapsulation Overview DC-595 Configuring PPP and MLP DC-596 Enabling PPP Encapsulation DC-597 Enabling CHAP or PAP Authentication DC-597 Enabling Link Quality Monitoring DC-599 Configuring Compression of PPP Data DC-600 Software Compression DC-600 Hardware-Dependent Compression DC-600 Configuring Microsoft Point-to-Point Compression DC-601 MPPC Restrictions DC-602 Configuring MPPC DC-602 Configuring IP Address Pooling DC-603 Peer Address Allocation DC-603 Precedence Rules DC-604 Interfaces Affected DC-604 Choosing the IP Address Assignment Method DC-604 Defining the Global Default Address Pooling Mechanism DC-605 Controlling DHCP Network Discovery DC-606 Configuring IP Address Assignment DC-606 Configuring PPP Reliable Link DC-607 Troubleshooting PPP DC-608 Disabling or Reenabling Peer Neighbor Routes DC-608 Configuring PPP Half-Bridging DC-608 Configuring Multilink PPP DC-610 Configuring MLP on Synchronous Interfaces DC-610 Contents xxvii Cisco IOS Dial Technologies Configuration Guide Configuring MLP on Asynchronous Interfaces DC-611 Configuring MLP on a Single ISDN BRI Interface DC-611 Configuring MLP on Multiple ISDN BRI Interfaces DC-612 Configuring MLP Using Multilink Group Interfaces DC-614 Changing the Default Endpoint Discriminator DC-615 Configuring MLP Interleaving and Queueing DC-615 Configuring MLP Interleaving DC-616 Configuring MLP Inverse Multiplexer and Distributed MLP DC-617 Enabling Distributed CEF Switching DC-619 Creating a Multilink Bundle DC-619 Assigning an Interface to a Multilink Bundle DC-619 Disabling PPP Multilink Fragmentation DC-620 Verifying the MLP Inverse Multiplexer Configuration DC-620 Monitoring and Maintaining PPP and MLP Interfaces DC-620 Configuration Examples for PPP and MLP DC-620 CHAP with an Encrypted Password Examples DC-621 User Maximum Links Configuration Example DC-621 MPPC Interface Configuration Examples DC-622 IP Address Pooling Example DC-623 DHCP Network Control Example DC-625 PPP Reliable Link Examples DC-625 MLP Examples DC-626 MLP on Synchronous Serial Interfaces Example DC-626 MLP on One ISDN BRI Interface Example DC-628 MLP on Multiple ISDN BRI Interfaces Example DC-629 MLP Using Multilink Group Interfaces over ATM Example DC-629 Changing the Default Endpoint Discriminator Example DC-630 MLP Interleaving and Queueing for Real-Time Traffic Example DC-630 T3 Controller Configuration for an MLP Multilink Inverse Multiplexer Example DC-631 Multilink Interface Configuration for Distributed MLP Example DC-631 Configuring Multichassis Multilink PPP DC-633 Multichassis Multilink PPP Overview DC-633 Stack Groups DC-634 Call Handling and Bidding DC-634 How to Configure MMP DC-636 Configuring the Stack Group and Identifying Members DC-636 Configuring a Virtual Template and Creating a Virtual Template Interface DC-636 Monitoring and Maintaining MMP Virtual Interfaces DC-637 Contents xxviii Cisco IOS Dial Technologies Configuration Guide Configuration Examples for MMP DC-638 MMP Using PRI But No Dialers DC-638 MMP with Dialers DC-639 MMP with Explicitly Defined Dialer DC-639 MMP with ISDN PRI but No Explicitly Defined Dialer DC-640 MMP with Offload Server DC-640 CALLBACK AND BANDWIDTH ALLOCATION CONFIGURATION Configuring Asynchronous Callback DC-643 Asynchronous Callback Overview DC-643 How to Configure Asynchronous Callback DC-644 Configuring Callback PPP Clients DC-644 Accepting Callback Requests from RFC-Compliant PPP Clients DC-644 Accepting Callback Requests from Non-RFC-Compliant PPP Clients Placing Themselves in Answer Mode DC-645 Enabling PPP Callback on Outgoing Lines DC-645 Enabling Callback Clients That Dial In and Connect to the EXEC Prompt DC-646 Configuring Callback ARA Clients DC-647 Configuration Examples for Asynchronous Callback DC-647 Callback to a PPP Client Example DC-648 Callback Clients That Connect to the EXEC Prompt Example DC-649 Callback to an ARA Client Example DC-649 Configuring PPP Callback DC-651 PPP Callback for DDR Overview DC-651 How to Configure PPP Callback for DDR DC-652 Configuring a Router as a Callback Client DC-652 Configuring a Router as a Callback Server DC-653 MS Callback Overview DC-653 How to Configure MS Callback DC-654 Configuration Examples for PPP Callback DC-654 Configuring ISDN Caller ID Callback DC-657 ISDN Caller ID Callback Overview DC-658 Callback After the Best Match Is Determined DC-658 Legacy DDR DC-658 Dialer Profiles DC-659 Timing and Coordinating Callback on Both Sides DC-659 How to Configure ISDN Caller ID Callback DC-659 Contents xxix Cisco IOS Dial Technologies Configuration Guide Configuring ISDN Caller ID Callback for Legacy DDR DC-659 Configuring ISDN Caller ID Callback for Dialer Profiles DC-660 Monitoring and Troubleshooting ISDN Caller ID Callback DC-661 Configuration Examples for ISDN Caller ID Callback DC-661 Best Match System Examples DC-661 Best Match Based on the Number of “Don’t Care” Characters Example DC-662 Best Match with No Callback Configured Example DC-662 No Match Configured Example DC-662 Simple Callback Configuration Examples DC-662 ISDN Caller ID Callback with Dialer Profiles Examples DC-663 ISDN Caller ID Callback with Legacy DDR Example DC-664 Individual Interface Example DC-664 Dialer Rotary Group Example DC-665 Configuring BACP DC-667 BACP Overview DC-668 BACP Configuration Options DC-668 How to Configure BACP DC-669 Enabling BACP DC-670 Modifying BACP Passive Mode Default Settings DC-671 Configuring Active Mode BACP DC-671 Monitoring and Maintaining Interfaces Configured for BACP DC-672 Troubleshooting BACP DC-673 Configuration Examples for BACP DC-673 Basic BACP Configurations DC-673 Dialer Rotary Group with Different Dial-In Numbers DC-674 Passive Mode Dialer Rotary Group Members with One Dial-In Number DC-675 PRI Interface with No Defined PPP BACP Number DC-676 BRI Interface with No Defined BACP Number DC-676 DIAL ACCESS SPECIALIZED FEATURES Configuring Large-Scale Dial-Out DC-679 Large-Scale Dial-Out Overview DC-679 Next Hop Definition DC-681 Static Routes DC-681 Stack Groups DC-681 How to Configure Large-Scale Dial-Out DC-682 Complying with Large-Scale Dial-Out Prerequisites DC-682 Contents xxx Cisco IOS Dial Technologies Configuration Guide Establishing the Route to the Remote Network DC-683 Enabling AAA and Static Route Download DC-683 Enabling Access to the AAA Server DC-684 Enabling Reverse DNS DC-684 Enabling SGBP Dial-Out Connection Bidding DC-684 Defining a User Profile DC-685 Monitoring and Maintaining the Large-Scale Dial-Out Network DC-690 Configuration Examples for Large-Scale Dial-Out DC-690 Stack Group and Static Route Download Configuration Example DC-690 User Profile on an Ascend RADIUS Server for NAS1 Example DC-695 Asynchronous Dialing Configuration Examples DC-696 Asynchronous Dialing Example DC-696 Asynchronous and Synchronous Dialing Example DC-696 Configuring per-User Configuration DC-699 Per-User Configuration Overview DC-699 General Operational Processes DC-700 Operational Processes with IP Address Pooling DC-701 Deleting Downloaded Pools DC-702 Supported Attributes for AV Pairs DC-703 How to Configure a AAA Server for Per-User Configuration DC-705 Configuring a Freeware TACACS Server for Per-User Configuration DC-706 Configuring a CiscoSecure TACACS Server for Per-User Configuration DC-706 Configuring a RADIUS Server for Per-User Configuration DC-707 Monitoring and Debugging Per-User Configuration Settings DC-708 Configuration Examples for Per-User Configuration DC-708 TACACS+ Freeware Examples DC-708 IP Access Lists and Static Routes Using Virtual Profiles over ISDN BRI DC-709 IPX Per-User SAP Filters Using IPXWAN and Virtual Profiles by a Synchronous Interface DC-711 RADIUS Examples DC-712 IP Access Lists and Static Routes Using Virtual Profiles over ISDN BRI DC-712 IPX Per-User SAP Filters Using IPXWAN and Virtual Profiles by a Synchronous Interface DC-718 Configuring Resource Pool Management DC-721 RPM Overview DC-721 Components of Incoming and Outgoing Call Management DC-722 Customer Profile Types DC-723 DNIS Groups DC-725 CLID Groups DC-725 Call Types DC-725 Contents xxxi Cisco IOS Dial Technologies Configuration Guide Resource Groups DC-726 Resource Services DC-726 VPDN Groups DC-727 VPDN Profiles DC-727 Call Treatments DC-727 Details on RPM Call Processes DC-728 Accounting Data DC-730 Data over Voice Bearer Services DC-730 Call Discriminator Profiles DC-731 Incoming Call Preauthentication DC-732 RPM Standalone Network Access Server DC-733 Call Processing DC-734 Base Session and Overflow Session Limits DC-734 VPDN Session and Overflow Session Limits DC-735 VPDN MLP Bundle and Links-per-Bundle Limits DC-736 VPDN Tunnel Limits DC-736 RPM Using the Cisco RPMS DC-739 Resource Manager Protocol DC-739 Direct Remote Services DC-740 RPM Process with RPMS and SS7 DC-740 Additional Information About Cisco RPM DC-741 How to Configure RPM DC-741 Enabling RPM DC-742 Configuring DNIS Groups DC-743 Creating CLID Groups DC-744 Configuring Discriminator Profiles DC-744 Configuring Resource Groups DC-746 Configuring Service Profiles DC-746 Configuring Customer Profiles DC-747 Configuring Default Customer Profiles DC-747 Configuring Customer Profiles Using Backup Customer Profiles DC-747 Configuring Customer Profiles for Using DoVBS DC-748 Configuring a Customer Profile Template DC-748 Typical Template Configuration DC-749 Verifying Template Configuration DC-749 Placing the Template in the Customer Profile DC-750 Configuring AAA Server Groups DC-751 Configuring VPDN Profiles DC-751 Configuring VPDN Groups DC-752 Counting VPDN Sessions by Using VPDN Profiles DC-753 Contents xxxii Cisco IOS Dial Technologies Configuration Guide Limiting the Number of MLP Bundles in VPDN Groups DC-755 Configuring Switched 56 over CT1 and RBS DC-756 Verifying RPM Components DC-757 Verifying Current Calls DC-757 Verifying Call Counters for a Customer Profile DC-757 Clearing Call Counters DC-758 Verifying Call Counters for a Discriminator Profile DC-758 Verifying Call Counters for a Resource Group DC-758 Verifying Call Counters for a DNIS Group DC-759 Verifying Call Counters for a VPDN Profile DC-759 Verifying Load Sharing and Backup DC-759 Troubleshooting RPM DC-760 Resource-Pool Component DC-761 Successful Resource Pool Connection DC-762 Dialer Component DC-762 Resource Group Manager DC-762 Signaling Stack DC-762 AAA Component DC-763 VPDN Component DC-763 Troubleshooting DNIS Group Problems DC-763 Troubleshooting Call Discriminator Problems DC-764 Troubleshooting Customer Profile Counts DC-764 Troubleshooting Resource Group Counts DC-764 Troubleshooting VPDN DC-764 Troubleshooting RPM/VPDN Connection DC-765 Troubleshooting Customer/VPDN Profile DC-765 Troubleshooting VPDN Profile Limits DC-766 Troubleshooting VPDN Group Limits DC-766 Troubleshooting VPDN Endpoint Problems DC-767 Troubleshooting RPMS DC-767 Configuration Examples for RPM DC-768 Standard Configuration for RPM Example DC-769 Customer Profile Configuration for DoVBS Example DC-770 DNIS Discriminator Profile Example DC-770 CLID Discriminator Profile Example DC-771 Direct Remote Services Configuration Example DC-774 VPDN Configuration Example DC-775 VPDN Load Sharing and Backing Up Between Multiple HGW/LNSs Example DC-776 Contents xxxiii Cisco IOS Dial Technologies Configuration Guide Configuring Wholesale Dial Performance Optimization DC-779 Wholesale Dial Performance Optimization Feature Overview DC-779 How to Configure Automatic Command Execution DC-780 How to Configure TCP Clear Performance Optimization DC-780 Verifying Configuration of TCP Clear Performance Optimization DC-781 DIAL ACCESS SCENARIOS Dial Networking Business Applications DC-785 Dial Networking for Service Providers and Enterprises DC-785 Common Dial Applications DC-788 IP Address Strategies DC-789 Choosing an Addressing Scheme DC-789 Classic IP Addressing DC-789 Cisco Easy IP DC-790 Enterprise Dial Scenarios and Configurations DC-793 Remote User Demographics DC-793 Demand and Scalability DC-794 Remote Offices and Telecommuters Dialing In to a Central Site DC-794 Network Topologies DC-794 Dial-In Scenarios DC-795 Cisco 1604 Remote Office Router Dialing In to a Cisco 3620 Access Router DC-796 Remote Office Router Dialing In to a Cisco 3620 Router DC-799 Cisco 700 Series Router Using Port Address Translation to Dial In to a Cisco AS5300 Access Server DC-802 Cisco 3640 Central Site Router Configuration to Support ISDN and Modem Calls DC-806 Cisco AS5300 Central Site Configuration Using Remote Security DC-808 Bidirectional Dial Between Central Sites and Remote Offices DC-811 Dial-In and Dial-Out Network Topology DC-811 Dialer Profiles and Virtual Profiles DC-812 Running Access Server Configurations DC-814 Cisco AS5300 Access Server Configuration with Dialer Profiles DC-815 Cisco 1604 ISDN Router Configuration with Dialer Profiles DC-820 Cisco 1604 Router Asynchronous Configuration with Dialer Profiles DC-821 Cisco AS5300 Access Server Configuration Without Dialer Profiles DC-822 Cisco 1604 ISDN Router Configuration Without Dialer Profiles DC-824 Cisco 1604 Router Asynchronous Configuration Without Dialer Profiles DC-825 Large-Scale Dial-In Configuration Using Virtual Profiles DC-826 Contents xxxiv Cisco IOS Dial Technologies Configuration Guide Telecommuters Dialing In to a Mixed Protocol Environment DC-826 Description DC-827 Enterprise Network Topology DC-829 Mixed Protocol Dial-In Scenarios DC-830 Cisco 7200 #1 Backbone Router DC-831 Cisco 7200 #2 Backbone Router DC-832 Cisco AS5300 Universal Access Server DC-833 Telco and ISP Dial Scenarios and Configurations DC-837 Small- to Medium-Scale POPs DC-837 Individual Remote PCs Using Analog Modems DC-838 Network Topology DC-838 Running Configuration for ISDN PRI DC-838 Running Configuration for Robbed-Bit Signaling DC-840 Individual PCs Using ISDN Terminal Adapters DC-842 Network Topology DC-842 Terminal Adapter Configuration Example DC-843 Mixture of ISDN and Analog Modem Calls DC-845 Combination of Modem and ISDN Dial-In Configuration Example DC-845 Large-Scale POPs DC-847 Scaling Considerations DC-847 How Stacking Works DC-848 A Typical Multilink PPP Session DC-848 Using Multichassis Multilink PPP DC-849 Setting Up an Offload Server DC-850 Using the Stack Group Bidding Protocol DC-851 Using L2F DC-852 Stack Group of Access Servers Using MMP with an Offload Processor Examples DC-852 Cisco Access Server #1 DC-852 Cisco Access Server #2 DC-854 Cisco Access Server #3 DC-856 Cisco 7206 as Offload Server DC-859 RADIUS Remote Security Examples DC-860 User Setup for PPP DC-861 User Setup for PPP and Static IP Address DC-861 Enabling Router Dial-In DC-861 User Setup for SLIP DC-861 User Setup for SLIP and Static IP Address DC-862 Using Telnet to connect to a UNIX Host DC-862 Automatic rlogin to UNIX Host DC-862 Contents xxxv Cisco IOS Dial Technologies Configuration Guide PPP Calls over X.25 Networks DC-862 Overview DC-863 Remote PC Browsing Network Topology DC-863 Protocol Translation Configuration Example DC-864 APPENDIXES Modem Initialization Strings DC-869 Sample Modem Scripts DC-872 INDEX Contents xxxvi Cisco IOS Dial Technologies Configuration Guide xxxvii Cisco IOS Dial Technologies Configuration Guide About Cisco IOS Software Documentation This chapter discusses the objectives, audience, organization, and conventions of Cisco IOS software documentation. It also provides sources for obtaining documentation from Cisco Systems. Documentation Objectives Cisco IOS software documentation describes the tasks and commands necessary to configure and maintain Cisco networking devices. Audience The Cisco IOS software documentation set is intended primarily for users who configure and maintain Cisco networking devices (such as routers and switches) but who may not be familiar with the tasks, the relationship between tasks, or the Cisco IOS software commands necessary to perform particular tasks. The Cisco IOS software documentation set is also intended for those users experienced with Cisco IOS software who need to know about new features, new configuration options, and new software characteristics in the current Cisco IOS software release. Documentation Organization The Cisco IOS software documentation set consists of documentation modules and master indexes. In addition to the main documentation set, there are supporting documents and resources. Documentation Modules The Cisco IOS documentation modules consist of configuration guides and corresponding command reference publications. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality and contain comprehensive configuration examples. Chapters in a command reference publication provide complete Cisco IOS command syntax information. Use each configuration guide in conjunction with its corresponding command reference publication. About Cisco IOS Software Documentation Documentation Organization xxxviii Cisco IOS Dial Technologies Configuration Guide Figure 1 shows the Cisco IOS software documentation modules. Note The abbreviations (for example, FC and FR) next to the book icons are page designators, which are defined in a key in the index of each document to help you with navigation. The bullets under each module list the major technology areas discussed in the corresponding books. Figure 1 Cisco IOS Software Documentation Modules Cisco IOS IP Configuration Guide IPC Cisco IOS Configuration Fundamentals Configuration Guide Cisco IOS Configuration Fundamentals Command Reference Module FC/FR: • Cisco IOS User Interfaces • File Management • System Management Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols Module IPC/IP1R/IP2R/IP3R: • IP Addressing and Services • IP Routing Protocols • IP Multicast Cisco IOS AppleTalk and Novell IPX Configuration Guide Cisco IOS AppleTalk and Novell IPX Command Reference Module P2C/P2R: • AppleTalk • Novell IPX Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Configuration Guide Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Command Reference Module P3C/P3R: • Apollo Domain • Banyan VINES • DECnet • ISO CLNS • XNS Cisco IOS Wide-Area Networking Configuration Guide Cisco IOS Wide-Area Networking Command Reference Module WC/WR: • ATM • Broadband Access • Frame Relay • SMDS • X.25 and LAPB Cisco IOS Security Configuration Guide Cisco IOS Security Command Reference Module SC/SR: • AAA Security Services • Security Server Protocols • Traffic Filtering and Firewalls • IP Security and Encryption • Passwords and Privileges • Neighbor Router Authentication • IP Security Options • Supported AV Pairs Cisco IOS Interface Configuration Guide Cisco IOS Interface Command Reference Module IC/IR: • LAN Interfaces • Serial Interfaces • Logical Interfaces 47953 FC FR IP2R WC WR SC SR MWC MWR Cisco IOS Mobile Wireless Configuration Guide Cisco IOS Mobile Wireless Command Reference Module MWC/MWR: • General Packet Radio Service IC IR Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services Cisco IOS IP Command Reference, Volume 3 of 3: Multicast P2C P2R IP1R IP3R P3C P3R About Cisco IOS Software Documentation Documentation Organization xxxix Cisco IOS Dial Technologies Configuration Guide Cisco IOS Voice, Video, and Fax Configuration Guide Cisco IOS Voice, Video, and Fax Command Reference Module VC/VR: • Voice over IP • Call Control Signalling • Voice over Frame Relay • Voice over ATM • Telephony Applications • Trunk Management • Fax, Video, and Modem Support Cisco IOS Quality of Service Solutions Configuration Guide Cisco IOS Quality of Service Solutions Command Reference Module QC/QR: • Packet Classification • Congestion Management • Congestion Avoidance • Policing and Shaping • Signalling • Link Efficiency Mechanisms Module DC/DR: • Preparing for Dial Access • Modem and Dial Shelf Configuration and Management • ISDN Configuration • Signalling Configuration • Dial-on-Demand Routing Configuration • Dial-Backup Configuration • Dial-Related Addressing Services • Virtual Templates, Profiles, and Networks • PPP Configuration • Callback and Bandwidth Allocation Configuration • Dial Access Specialized Features • Dial Access Scenarios Module BC/B1R: • Transparent Bridging • SRB • Token Ring Inter-Switch Link • Token Ring Route Switch Module • RSRB • DLSw+ • Serial Tunnel and Block Serial Tunnel • LLC2 and SDLC • IBM Network Media Translation • SNA Frame Relay Access • NCIA Client/Server • Airline Product Set Module BC/B2R: • DSPU and SNA Service Point • SNA Switching Services • Cisco Transaction Connection • Cisco Mainframe Channel Connection • CLAW and TCP/IP Offload • CSNA, CMPC, and CMPC+ • TN3270 Server Cisco IOS Switching Services Configuration Guide Cisco IOS Switching Services Command Reference Module XC/XR: • Cisco IOS Switching Paths • NetFlow Switching • Multiprotocol Label Switching • Multilayer Switching • Multicast Distributed Switching • Virtual LANs • LAN Emulation 47954 Cisco IOS Bridging and IBM Networking Configuration Guide Cisco IOS Bridging and IBM Networking Command Reference, Volume 1 of 2 Cisco IOS Bridging and IBM Networking Command Reference, Volume 2 of 2 XC DC DR TC TR BC XR B1R B2R QC QR VC VR Cisco IOS Terminal Services Configuration Guide Cisco IOS Terminal Services Command Reference Module TC/TR: • ARA • LAT • NASI • Telnet • TN3270 • XRemote • X.28 PAD • Protocol Translation Cisco IOS Dial Technologies Configuration Guide Cisco IOS Dial Technologies Command Reference About Cisco IOS Software Documentation Documentation Organization xl Cisco IOS Dial Technologies Configuration Guide Master Indexes Two master indexes provide indexing information for the Cisco IOS software documentation set: an index for the configuration guides and an index for the command references. Individual books also contain a book-specific index. The master indexes provide a quick way for you to find a command when you know the command name but not which module contains the command. When you use the online master indexes, you can click the page number for an index entry and go to that page in the online document. Supporting Documents and Resources The following documents and resources support the Cisco IOS software documentation set: • Cisco IOS Command Summary (two volumes)—This publication explains the function and syntax of the Cisco IOS software commands. For more information about defaults and usage guidelines, refer to the Cisco IOS command reference publications. • Cisco IOS System Error Messages—This publication lists and describes Cisco IOS system error messages. Not all system error messages indicate problems with your system. Some are purely informational, and others may help diagnose problems with communications lines, internal hardware, or the system software. • Cisco IOS Debug Command Reference—This publication contains an alphabetical listing of the debug commands and their descriptions. Documentation for each command includes a brief description of its use, command syntax, usage guidelines, and sample output. • Dictionary of Internetworking Terms and Acronyms—This Cisco publication compiles and defines the terms and acronyms used in the internetworking industry. • New feature documentation—The Cisco IOS software documentation set documents the mainline release of Cisco IOS software (for example, Cisco IOS Release 12.2). New software features are introduced in early deployment releases (for example, the Cisco IOS “T” release train for 12.2, 12.2(x)T). Documentation for these new features can be found in standalone documents called “feature modules.” Feature module documentation describes new Cisco IOS software and hardware networking functionality and is available on Cisco.com and the Documentation CD-ROM. • Release notes—This documentation describes system requirements, provides information about new and changed features, and includes other useful information about specific software releases. See the section “Using Software Release Notes” in the chapter “Using Cisco IOS Software” for more information. • Caveats documentation—This documentation provides information about Cisco IOS software defects in specific software releases. • RFCs—RFCs are standards documents maintained by the Internet Engineering Task Force (IETF). Cisco IOS software documentation references supported RFCs when applicable. The full text of referenced RFCs may be obtained on the World Wide Web at http://www.rfc-editor.org/. • MIBs—MIBs are used for network monitoring. For lists of supported MIBs by platform and release, and to download MIB files, see the Cisco MIB website on Cisco.com at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. About Cisco IOS Software Documentation New and Changed Information xli Cisco IOS Dial Technologies Configuration Guide New and Changed Information For Cisco IOS Release 12.2, two previous Release 12.1 guides, Cisco IOS Dial Services Configuration Guide: Terminal Services and Cisco IOS Dial Services Configuration Guide: Network Services, have been renamed and reorganized into a single book: Cisco IOS Dial Technologies Configuration Guide. See Figure 1 for a list of the contents. For Cisco IOS Release 12.2, the Release 12.1 Cisco IOS Dial Services Command Reference has been renamed Cisco IOS Dial Technologies Command Reference. The Cisco IOS Terminal Services Configuration Guide and Cisco IOS Terminal Services Command Reference were extracted from the 12.1 release of the Cisco IOS Dial Services Configuration Guide: Terminal Services and Cisco IOS Dial Services Command Reference, and placed in separate books not included in this set. Document Conventions Within Cisco IOS software documentation, the term router is generally used to refer to a variety of Cisco products (for example, routers, access servers, and switches). Routers, access servers, and other networking devices that support Cisco IOS software are shown interchangeably within examples. These products are used only for illustrative purposes; that is, an example that shows one product does not necessarily indicate that other products are not supported. The Cisco IOS documentation set uses the following conventions: Command syntax descriptions use the following conventions: Convention Description ^ or Ctrl The ^ and Ctrl symbols represent the Control key. For example, the key combination ^D or Ctrl-D means hold down the Control key while you press the D key. Keys are indicated in capital letters but are not case sensitive. string A string is a nonquoted set of characters shown in italics. For example, when setting an SNMP community string to public, do not use quotation marks around the string or the string will include the quotation marks. Convention Description boldface Boldface text indicates commands and keywords that you enter literally as shown. italics Italic text indicates arguments for which you supply values. [x] Square brackets enclose an optional element (keyword or argument). | A vertical line indicates a choice within an optional or required set of keywords or arguments. [x | y] Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional choice. {x | y} Braces enclosing keywords or arguments separated by a vertical line indicate a required choice. About Cisco IOS Software Documentation Obtaining Documentation xlii Cisco IOS Dial Technologies Configuration Guide Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. For example: Examples use the following conventions: The following conventions are used to attract the attention of the reader: Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual. Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph. Obtaining Documentation The following sections provide sources for obtaining documentation from Cisco Systems. World Wide Web The most current Cisco documentation is available on the World Wide Web at the following website: http://www.cisco.com Translated documentation is available at the following website: http://www.cisco.com/public/countries_languages.html Convention Description [x {y | z}] Braces and a vertical line within square brackets indicate a required choice within an optional element. Convention Description screen Examples of information displayed on the screen are set in Courier font. boldface screen Examples of text that you must enter are set in Courier bold font. < > Angle brackets enclose text that is not printed to the screen, such as passwords. ! An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also displayed by the Cisco IOS software for certain processes.) [ ] Square brackets enclose default responses to system prompts. About Cisco IOS Software Documentation Documentation Feedback xliii Cisco IOS Dial Technologies Configuration Guide Documentation CD-ROM Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription. Ordering Documentation Cisco documentation can be ordered in the following ways: • Registered Cisco Direct Customers can order Cisco product documentation from the Networking Products MarketPlace: http://www.cisco.com/cgi-bin/order/order_root.pl • Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store: http://www.cisco.com/go/subscription • Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS(6387). Documentation Feedback If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. You can e-mail your comments to bug-doc@cisco.com. To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address: Cisco Systems, Inc. Document Resource Connection 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments. Obtaining Technical Assistance Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website. About Cisco IOS Software Documentation Obtaining Technical Assistance xliv Cisco IOS Dial Technologies Configuration Guide Cisco.com Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco. Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available. Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco. To access Cisco.com, go to the following website: http://www.cisco.com Technical Assistance Center The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract. Contacting TAC by Using the Cisco TAC Website If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website: http://www.cisco.com/tac P3 and P4 level problems are defined as follows: • P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue. • P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration. In each of the above cases, use the Cisco TAC website to quickly find answers to your questions. To register for Cisco.com, go to the following website: http://www.cisco.com/register/ If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website: http://www.cisco.com/tac/caseopen Contacting TAC by Telephone If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml About Cisco IOS Software Documentation Obtaining Technical Assistance xlv Cisco IOS Dial Technologies Configuration Guide P1 and P2 level problems are defined as follows: • P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available. • P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available. About Cisco IOS Software Documentation Obtaining Technical Assistance xlvi Cisco IOS Dial Technologies Configuration Guide xlvii Cisco IOS Dial Technologies Configuration Guide Using Cisco IOS Software This chapter provides helpful tips for understanding and configuring Cisco IOS software using the command-line interface (CLI). It contains the following sections: • Understanding Command Modes • Getting Help • Using the no and default Forms of Commands • Saving Configuration Changes • Filtering Output from the show and more Commands • Identifying Supported Platforms For an overview of Cisco IOS software configuration, refer to the Cisco IOS Configuration Fundamentals Configuration Guide. For information on the conventions used in the Cisco IOS software documentation set, see the chapter “About Cisco IOS Software Documentation” located at the beginning of this book. Understanding Command Modes You use the CLI to access Cisco IOS software. Because the CLI is divided into many different modes, the commands available to you at any given time depend on the mode you are currently in. Entering a question mark (?) at the CLI prompt allows you to obtain a list of commands available for each command mode. When you log in to the CLI, you are in user EXEC mode. User EXEC mode contains only a limited subset of commands. To have access to all commands, you must enter privileged EXEC mode, normally by using a password. From privileged EXEC mode you can issue any EXEC command—user or privileged mode—or you can enter global configuration mode. Most EXEC commands are one-time commands. For example, show commands show important status information, and clear commands clear counters or interfaces. The EXEC commands are not saved when the software reboots. Configuration modes allow you to make changes to the running configuration. If you later save the running configuration to the startup configuration, these changed commands are stored when the software is rebooted. To enter specific configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and a variety of other modes, such as protocol-specific modes. ROM monitor mode is a separate mode used when the Cisco IOS software cannot load properly. If a valid software image is not found when the software boots or if the configuration file is corrupted at startup, the software might enter ROM monitor mode. Using Cisco IOS Software Getting Help xlviii Cisco IOS Dial Technologies Configuration Guide Table 1 describes how to access and exit various common command modes of the Cisco IOS software. It also shows examples of the prompts displayed for each mode. For more information on command modes, refer to the “Using the Command-Line Interface” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide. Getting Help Entering a question mark (?) at the CLI prompt displays a list of commands available for each command mode. You can also get a list of keywords and arguments associated with any command by using the context-sensitive help feature. To get help specific to a command mode, a command, a keyword, or an argument, use one of the following commands: Table 1 Accessing and Exiting Command Modes Command Mode Access Method Prompt Exit Method User EXEC Log in. Router> Use the logout command. Privileged EXEC From user EXEC mode, use the enable EXEC command. Router# To return to user EXEC mode, use the disable command. Global configuration From privileged EXEC mode, use the configure terminal privileged EXEC command. Router(config)# To return to privileged EXEC mode from global configuration mode, use the exit or end command, or press Ctrl-Z. Interface configuration From global configuration mode, specify an interface using an interface command. Router(config-if)# To return to global configuration mode, use the exit command. To return to privileged EXEC mode, use the end command, or press Ctrl-Z. ROM monitor From privileged EXEC mode, use the reload EXEC command. Press the Break key during the first 60 seconds while the system is booting. > To exit ROM monitor mode, use the continue command. Command Purpose help Provides a brief description of the help system in any command mode. abbreviated-command-entry? Provides a list of commands that begin with a particular character string. (No space between command and question mark.) abbreviated-command-entry Completes a partial command name. ? Lists all commands available for a particular command mode. command ? Lists the keywords or arguments that you must enter next on the command line. (Space between command and question mark.) Using Cisco IOS Software Getting Help xlix Cisco IOS Dial Technologies Configuration Guide Example: How to Find Command Options This section provides an example of how to display syntax for a command. The syntax can consist of optional or required keywords and arguments. To display keywords and arguments for a command, enter a question mark (?) at the configuration prompt or after entering part of a command followed by a space. The Cisco IOS software displays a list and brief description of available keywords and arguments. For example, if you were in global configuration mode and wanted to see all the keywords or arguments for the arap command, you would type arap ?. The symbol in command help output stands for “carriage return.” On older keyboards, the carriage return key is the Return key. On most modern keyboards, the carriage return key is the Enter key. The symbol at the end of command help output indicates that you have the option to press Enter to complete the command and that the arguments and keywords in the list preceding the symbol are optional. The symbol by itself indicates that no more arguments or keywords are available and that you must press Enter to complete the command. Table 2 shows examples of how you can use the question mark (?) to assist you in entering commands. The table steps you through configuring an IP address on a serial interface on a Cisco 7206 router that is running Cisco IOS Release 12.0(3). Table 2 How to Find Command Options Command Comment Router> enable Password: Router# Enter the enable command and password to access privileged EXEC commands. You are in privileged EXEC mode when the prompt changes to Router#. Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# Enter the configure terminal privileged EXEC command to enter global configuration mode. You are in global configuration mode when the prompt changes to Router(config)#. Router(config)# interface serial ? <0-6> Serial interface number Router(config)# interface serial 4 ? / Router(config)# interface serial 4/ ? <0-3> Serial interface number Router(config)# interface serial 4/0 Router(config-if)# Enter interface configuration mode by specifying the serial interface that you want to configure using the interface serial global configuration command. Enter ? to display what you must enter next on the command line. In this example, you must enter the serial interface slot number and port number, separated by a forward slash. You are in interface configuration mode when the prompt changes to Router(config-if)#. Using Cisco IOS Software Getting Help l Cisco IOS Dial Technologies Configuration Guide Router(config-if)# ? Interface configuration commands: . . . ip Interface Internet Protocol config commands keepalive Enable keepalive lan-name LAN Name command llc2 LLC2 Interface Subcommands load-interval Specify interval for load calculation for an interface locaddr-priority Assign a priority group logging Configure logging for interface loopback Configure internal loopback on an interface mac-address Manually set interface MAC address mls mls router sub/interface commands mpoa MPOA interface configuration commands mtu Set the interface Maximum Transmission Unit (MTU) netbios Use a defined NETBIOS access list or enable name-caching no Negate a command or set its defaults nrzi-encoding Enable use of NRZI encoding ntp Configure NTP . . . Router(config-if)# Enter ? to display a list of all the interface configuration commands available for the serial interface. This example shows only some of the available interface configuration commands. Router(config-if)# ip ? Interface IP configuration subcommands: access-group Specify access control for packets accounting Enable IP accounting on this interface address Set the IP address of an interface authentication authentication subcommands bandwidth-percent Set EIGRP bandwidth limit broadcast-address Set the broadcast address of an interface cgmp Enable/disable CGMP directed-broadcast Enable forwarding of directed broadcasts dvmrp DVMRP interface commands hello-interval Configures IP-EIGRP hello interval helper-address Specify a destination address for UDP broadcasts hold-time Configures IP-EIGRP hold time . . . Router(config-if)# ip Enter the command that you want to configure for the interface. This example uses the ip command. Enter ? to display what you must enter next on the command line. This example shows only some of the available interface IP configuration commands. Table 2 How to Find Command Options (continued) Command Comment Using Cisco IOS Software Using the no and default Forms of Commands li Cisco IOS Dial Technologies Configuration Guide Using the no and default Forms of Commands Almost every configuration command has a no form. In general, use the no form to disable a function. Use the command without the no keyword to reenable a disabled function or to enable a function that is disabled by default. For example, IP routing is enabled by default. To disable IP routing, use the no ip routing command; to reenable IP routing, use the ip routing command. The Cisco IOS software command reference publications provide the complete syntax for the configuration commands and describe what the no form of a command does. Configuration commands also can have a default form, which returns the command settings to the default values. Most commands are disabled by default, so in such cases using the default form has the same result as using the no form of the command. However, some commands are enabled by default and Router(config-if)# ip address ? A.B.C.D IP address negotiated IP Address negotiated over PPP Router(config-if)# ip address Enter the command that you want to configure for the interface. This example uses the ip address command. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP address or the negotiated keyword. A carriage return () is not displayed; therefore, you must enter additional keywords or arguments to complete the command. Router(config-if)# ip address 172.16.0.1 ? A.B.C.D IP subnet mask Router(config-if)# ip address 172.16.0.1 Enter the keyword or argument you want to use. This example uses the 172.16.0.1 IP address. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP subnet mask. A is not displayed; therefore, you must enter additional keywords or arguments to complete the command. Router(config-if)# ip address 172.16.0.1 255.255.255.0 ? secondary Make this IP address a secondary address Router(config-if)# ip address 172.16.0.1 255.255.255.0 Enter the IP subnet mask. This example uses the 255.255.255.0 IP subnet mask. Enter ? to display what you must enter next on the command line. In this example, you can enter the secondary keyword, or you can press Enter. A is displayed; you can press Enter to complete the command, or you can enter another keyword. Router(config-if)# ip address 172.16.0.1 255.255.255.0 Router(config-if)# In this example, Enter is pressed to complete the command. Table 2 How to Find Command Options (continued) Command Comment Using Cisco IOS Software Saving Configuration Changes lii Cisco IOS Dial Technologies Configuration Guide have variables set to certain default values. In these cases, the default form of the command enables the command and sets the variables to their default values. The Cisco IOS software command reference publications describe the effect of the default form of a command if the command functions differently than the no form. Saving Configuration Changes Use the copy system:running-config nvram:startup-config command to save your configuration changes to the startup configuration so that the changes will not be lost if the software reloads or a power outage occurs. For example: Router# copy system:running-config nvram:startup-config Building configuration... It might take a minute or two to save the configuration. After the configuration has been saved, the following output appears: [OK] Router# On most platforms, this task saves the configuration to NVRAM. On the Class A Flash file system platforms, this task saves the configuration to the location specified by the CONFIG_FILE environment variable. The CONFIG_FILE variable defaults to NVRAM. Filtering Output from the show and more Commands In Cisco IOS Release 12.0(1)T and later releases, you can search and filter the output of show and more commands. This functionality is useful if you need to sort through large amounts of output or if you want to exclude output that you need not see. To use this functionality, enter a show or more command followed by the “pipe” character (|); one of the keywords begin, include, or exclude; and a regular expression on which you want to search or filter (the expression is case-sensitive): command | {begin | include | exclude} regular-expression The output matches certain lines of information in the configuration file. The following example illustrates how to use output modifiers with the show interface command when you want the output to include only lines in which the expression “protocol” appears: Router# show interface | include protocol FastEthernet0/0 is up, line protocol is up Serial4/0 is up, line protocol is up Serial4/1 is up, line protocol is up Serial4/2 is administratively down, line protocol is down Serial4/3 is administratively down, line protocol is down For more information on the search and filter functionality, refer to the “Using the Command-Line Interface” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2. Using Cisco IOS Software Identifying Supported Platforms liii Cisco IOS Dial Technologies Configuration Guide Identifying Supported Platforms Cisco IOS software is packaged in feature sets consisting of software images that support specific platforms. The feature sets available for a specific platform depend on which Cisco IOS software images are included in a release. To identify the set of software images available in a specific release or to find out if a feature is available in a given Cisco IOS software image, see the following sections: • Using Feature Navigator • Using Software Release Notes Using Feature Navigator Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a particular set of features and which features are supported in a particular Cisco IOS image. Feature Navigator is available 24 hours a day, 7 days a week. To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, e-mail the Contact Database Administration group at cdbadmin@cisco.com. If you do not have an account on Cisco.com, go to http://www.cisco.com/register and follow the directions to establish an account. To use Feature Navigator, you must have a JavaScript-enabled web browser such as Netscape 3.0 or later, or Internet Explorer 4.0 or later. Internet Explorer 4.0 always has JavaScript enabled. To enable JavaScript for Netscape 3.x or Netscape 4.x, follow the instructions provided with the web browser. For JavaScript support and enabling instructions for other browsers, check with the browser vendor. Feature Navigator is updated when major Cisco IOS software releases and technology releases occur. You can access Feature Navigator at the following URL: http://www.cisco.com/go/fn Using Software Release Notes Cisco IOS software releases include release notes that provide the following information: • Platform support information • Memory recommendations • Microcode support information • Feature set tables • Feature descriptions • Open and resolved severity 1 and 2 caveats for all platforms Release notes are intended to be release-specific for the most current release, and the information provided in these documents may not be cumulative in providing information about features that first appeared in previous releases. Using Cisco IOS Software Identifying Supported Platforms liv Cisco IOS Dial Technologies Configuration Guide Dial Interfaces, Controllers, and Lines DC-3 Cisco IOS Dial Technologies Configuration Guide Overview of Dial Interfaces, Controllers, and Lines This chapter describes the different types of software constructs, interfaces, controllers, channels, and lines that are used for dial-up remote access. It includes the following main sections: • Cisco IOS Dial Components • Logical Constructs • Logical Interfaces • Circuit-Switched Digital Calls • T1 and E1 Controllers • Non-ISDN Channelized T1 and Channelized E1 Lines • ISDN Service • Line Types • Encapsulation Types For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Cisco IOS Dial Components Different components inside Cisco IOS software work together to enable remote clients to dial in and send packets. Figure 2 shows one Cisco AS5300 access server that is receiving calls from a remote office, branch office (ROBO); small office, home office (SOHO); and modem client. Depending on your network scenario, you may encounter all of the components in Figure 2. For example, you might decide to create a virtual IP subnet by using a loopback interface. This step saves address space. Virtual subnets can exist inside devices that you advertise to your backbone. In turn, IP packets get relayed to remote PCs, which route back to the central site. Overview of Dial Interfaces, Controllers, and Lines Cisco IOS Dial Components DC-4 Cisco IOS Dial Technologies Configuration Guide Figure 2 Cisco IOS Dial Universe Virtual access interface Interface virtual template Headquarters intranet/Internet Interface group-async Cloning Cloning Asynchronous interfaces Lines Modems POTS PSTN/ISDN BRI line BRI line POTS line Cisco 766 (SOHO) Cisco 1604 (ROBO) Modem Remote PC 14931 Loopback interface Fast Ethernet interface Routing and switching engine Interface serial channels S0:0, S0:1… (B channels) Interface dialer controlling the D channels Cloning TDM bus Controllers E1/T1 PRI ports PRI lines AAA = ISDN B channel = Modem/POTS Cisco IOS software inside a Cisco AS5300 Overview of Dial Interfaces, Controllers, and Lines Logical Constructs DC-5 Cisco IOS Dial Technologies Configuration Guide Logical Constructs A logical construct stores core protocol characteristics to assign to physical interfaces. No data packets are forwarded to a logical construct. Cisco uses three types of logical constructs in its access servers and routers. These constructs are described in the following sections: • Asynchronous Interfaces • Group Asynchronous Interfaces • Virtual Template Interfaces Asynchronous Interfaces An asynchronous interface assigns network protocol characteristics to remote asynchronous clients that are dialing in through physical terminal lines and modems. (See Figure 3.) Use the interface async command to create and configure an asynchronous interface. Figure 3 Logical Construct for an Asynchronous Interface To enable clients to dial in, you must configure two asynchronous components: asynchronous lines and asynchronous interfaces. Asynchronous interfaces correspond to physical terminal lines. For example, asynchronous interface 1 corresponds to tty line 1. Commands entered in asynchronous interface mode configure protocol-specific parameters for asynchronous interfaces, whereas commands entered in line configuration configure the physical aspects for the same port. Contains core protocol characteristics for incoming asynchronous clients Asynchronous interface Modem 1 Modem 14054 Line 1 PSTN/ISDN Remote PC negotiating parameters with the asynchronous interface Overview of Dial Interfaces, Controllers, and Lines Logical Constructs DC-6 Cisco IOS Dial Technologies Configuration Guide Specifically, you configure asynchronous interfaces to support PPP connections. An asynchronous interface on an access server or router can be configured to support the following functions: • Network protocol support such as IP, Internet Protocol Exchange (IPX), or AppleTalk • Encapsulation support (such as PPP) • IP client addressing options (default or dynamic) • IPX network addressing options • PPP authentication • ISDN BRI and PRI configuration For additional information about configuring asynchronous interfaces, see the chapter “Configuring Asynchronous Lines and Interfaces.” Group Asynchronous Interfaces A group asynchronous interface is a parent interface that stores core protocol characteristics and projects them to a specified range of asynchronous interfaces. Asynchronous interfaces clone protocol information from group asynchronous interfaces. No data packets arrive in a group asynchronous interface. By setting up a group asynchronous interface, you also eliminate the need to repeatedly configure identical configuration information across several asynchronous interfaces. See the “Overview of Modem Interfaces” chapter for more information about group asynchronous interfaces. Virtual Template Interfaces A virtual template interface stores protocol configuration information for virtual access interfaces and protocol translation sessions. (See Figure 4.) Figure 4 Logical Construct for a Virtual Template Interface Temporary virtual access interface Multilink session event VPDN session event Protocol translation event S6490 Virtual template interface Stores and projects core protocol configuration information Overview of Dial Interfaces, Controllers, and Lines Logical Interfaces DC-7 Cisco IOS Dial Technologies Configuration Guide Templates for Virtual Access Interfaces Virtual templates project configuration information to temporary virtual access interfaces triggered by multilink or virtual private dial-up network (VPDN) session events. When a virtual access interface is triggered, the configuration attributes in the virtual template are cloned and the negotiated parameters are applied to the connection. The following example shows a virtual template interface on a Cisco 7206 router, which is used as a home gateway in a VPDN scenario: Router# configure terminal Router(config)# interface virtual-template 1 Router(config-if)# ip unnumbered ethernet 2/1 Router(config-if)# peer default ip address pool cisco-pool Router(config-if)# ppp authentication chap pap Router(config-if)# exit Router(config)# vpdn enable Router(config)# vpdn incoming isp cisco.com virtual-template 1 Templates for Protocol Translation Virtual templates are used to simplify the process of configuring protocol translation to tunnel PPP or Serial Line Internet Protocol (SLIP) across X.25, TCP, and LAT networks. You can create a virtual interface template using the interface virtual-template command, and you can use it for one-step and two-step protocol translation. When a user dials in through a vty line and a tunnel connection is established, the router clones the attributes of the virtual interface template onto a virtual access interface. This virtual access interface is a temporary interface that supports the protocol configuration specified in the virtual interface template. This virtual access interface is created dynamically and lasts only as long as the tunnel session is active. The virtual template in the following example explicitly specifies PPP encapsulation. The translation is from X.25 to PPP, which enables tunneling of PPP across an X.25 network. Router# configure terminal Router(config)# interface virtual-template 1 Router(config-if)# ip unnumbered ethernet 0 Router(config-if)# peer default ip address 172.18.2.131 Router(config-if)# encapsulation ppp Router(config-if)# exit Router(config)# translate x25 5555678 virtual-template 1 For more information, refer to the chapter “Configuring Protocol Translation and Virtual Asynchronous Devices” in the Cisco IOS Terminal Services Configuration Guide. Logical Interfaces A logical interface receives and sends data packets and controls physical interfaces. Cisco IOS software provides three logical interfaces used for dial access. These interfaces are described in the following sections: • Dialer Interfaces • Virtual Access Interfaces • Virtual Asynchronous Interfaces Overview of Dial Interfaces, Controllers, and Lines Logical Interfaces DC-8 Cisco IOS Dial Technologies Configuration Guide Dialer Interfaces A dialer interface is a parent interface that stores and projects protocol configuration information that is common to all data (D) channels that are members of a dialer rotary group. Data packets pass through dialer interfaces, which in turn initiate dialing for inbound calls. In most cases, D channels get their core protocol intelligence from dialer interfaces. Figure 5 shows packets coming into a dialer interface, which contains the configuration parameters common to four D channels (shown as S0:0, S0:1, S0:2, and S0:3). All the D channels are members of the same rotary group. Without the dialer interface configuration, each D channel must be manually configured with identical properties. Dialer interfaces condense and streamline the configuration process. Figure 5 Dialer Interface and Its Neighboring Components A dialer interface is user configurable and linked to individual B channels, where it delivers data packets to their physical destinations. Dialer interfaces seize physical interfaces to cause packet delivery. If a dialer interface engages in a multilink session, a dialer interface is in control of a virtual access interface, which in turn controls S0:3 or chassis 2 S0:3, for example. A dialer interface is created with the interface dialer global configuration command. The following example shows a fully configured dialer interface: Router# configure terminal Router(config)# interface dialer 0 Router(config-if)# ip unnumbered loopback 0 Router(config-if)# no ip mroute-cache Router(config-if)# encapsulation ppp Router(config-if)# peer default ip address pool dialin_pool Router(config-if)# dialer in-band Router(config-if)# dialer-group 1 Router(config-if)# no fair-queue Router(config-if)# no cdp enable Router(config-if)# ppp authentication chap pap callin Router(config-if)# ppp multilink All the D channels are members of rotary group 1. S0:0 S0:1 S0:2 S0:3 Dialer interface (parent) Incoming data packets Incoming data packets S6489 PRI 1 B channels PRI 2 B channels PRI 3 B channels PRI 4 B channels Overview of Dial Interfaces, Controllers, and Lines Logical Interfaces DC-9 Cisco IOS Dial Technologies Configuration Guide Virtual Access Interfaces A virtual access interface is a temporary interface that is spawned to terminate incoming PPP streams that have no physical connections. PPP streams, Layer 2 Forwarding Protocol (L2F), and Layer 2 Tunnel Protocol (L2TP) frames that come in on multiple B channels are reassembled on virtual access interfaces. These access interfaces are constructs used to terminate packets. Virtual access interfaces obtain their set of instructions from virtual interface templates. The attributes configured in virtual templates are projected or cloned to a virtual access interfaces. Virtual access interfaces are not directly user configurable. These interfaces are created dynamically and last only as long as the tunnels or multilink sessions are active. After the sessions end, the virtual access interfaces disappear. Figure 6 shows how a virtual access interface functions to accommodate a multilink session event. Two physical interfaces on two different access servers are participating in one multilink call from a remote PC. However, each Cisco AS5300 access server has only one B channel available to receive a call. All other channels are busy. Therefore all four packets are equally dispersed across two separate B channels and two access servers. Each Cisco AS5300 access server receives only half the total packets. A virtual access interface is dynamically spawned upstream on a Cisco 7206 backhaul router to receive the multilink protocol, track the multilink frames, and reassemble the packets. The Cisco 7206 router is configured to be the bundle master, which performs all packet assembly and reassembly for both Cisco AS5300 access servers. Figure 6 Virtual Access Interfaces Used for Multichassis Multilink Session Events PC sending data over a PPP packet stream Cisco 1600 remote office router BRI Fast Ethernet HSSI/ATM Cisco AS5300. One available B channel. Receiving packets and Cisco 7206 backhaul router. Spawns all virtual access interfaces. The dedicated bundlemaster. Cisco AS5300. One available B channel. Receiving packets and S6492 1 1 1 2 2 2 3 3 3 4 4 4 PSTN/ISDN ISDN network Overview of Dial Interfaces, Controllers, and Lines Circuit-Switched Digital Calls DC-10 Cisco IOS Dial Technologies Configuration Guide Virtual Asynchronous Interfaces A virtual asynchronous interface is created on demand to support calls that enter the router through a nonphysical interface. For example, asynchronous character stream calls terminate or land on nonphysical interfaces. These types of calls include inbound Telnet, LAT, PPP over character-oriented protocols (such as V.120 or X.25), and LAPB-TA and PAD calls. A virtual asynchronous interface is also used to terminate L2F/L2TP tunnels, which are often traveling companions with Multilink protocol sessions. Virtual asynchronous interfaces are not user configurable; rather, they are dynamically created and torn down on demand. A virtual asynchronous line is used to access a virtual asynchronous interface. Figure 7 shows a variety of calls that are terminating on a virtual asynchronous interface. After the calls end, the interface is torn down. Figure 7 Asynchronous Character Stream Calls Terminating on a Virtual Asynchronous Interface Circuit-Switched Digital Calls Circuit-switched digital calls are usually ISDN 56-kbps or 64-kbps data calls that use PPP. These calls are initiated by an ISDN router, access server, or terminal adapter that is connected to a client workstation. Individual synchronous serial digital signal level 0 (DS0) bearer (B) channels are used to transport circuit-switched digital calls across WANs. These calls do not transmit across “old world” lines. Figure 8 shows a Cisco 1600 series remote office router dialing in to a Cisco 3640 router positioned at a headquarters gateway. Virtual asynchronous interface Telnet call X.25 PAD call PPP stream coming in over a V.120 line L2F/L2TP tunnel needing to be terminated LAT call S6488 Overview of Dial Interfaces, Controllers, and Lines T1 and E1 Controllers DC-11 Cisco IOS Dial Technologies Configuration Guide Figure 8 Remote Office LAN Dialing In to Headquarters T1 and E1 Controllers Cisco controllers negotiate the following parameters between an access server and a central office: line coding, framing, clocking, DS0/time-slot provisioning, and signaling. Time slots are provisioned to meet the needs of particular network scenarios. T1 controllers have 24 time slots, and E1 controllers have 30 time slots. To support traffic flow for one ISDN PRI line in a T1 configuration, use the pri-group command. To support traffic flow for analog calls over a channelized E1 line with recEive and transMit (E&M—also ear and mouth) signaling, use the cas-group 1 timeslots 1-30 type e&m-fgb command. Most telephone companies do not support provisioning one trunk for different combinations of time-slot services, though this provisioning is supported on Cisco controllers. On a T1 controller, for example, time slots 1 to 10 could run PRI, time slots 11 to 20 could run channel-associated signaling (CAS), and time slots 21 to 24 could support leased-line grouping. The following example configures one of four T1 controllers on a Cisco AS5300 access server: Router# configure terminal Router(config)# controller t1 ? <0-3> Controller unit number Router(config)# controller t1 0 Router(config-controller)# framing esf Router(config-controller)# linecode b8zs Router(config-controller)# clock source line primary Router(config-controller)# pri-group timeslots 1-24 Router(config-controller)# This example supports modem calls and circuit-switched digital calls over ISDN PRI. Non-ISDN Channelized T1 and Channelized E1 Lines A channelized T1 or channelized E1 line is an analog line that was originally intended to support analog voice calls, but has evolved to support analog data calls. ISDN is not sent across channelized T1 or E1 lines. Channelized T1 and channelized E1 lines are often referred to as CT1 and CE1. These channelized lines are found in “old world,” non-ISDN telephone networks. PC sending e-mail to headquarters PC Hub NT server Cisco 1600 remote office router Cisco 3640 headquarters gateway router BRI PRI Fast PSTN/ISDN Ethernet PPP 14053 Overview of Dial Interfaces, Controllers, and Lines ISDN Service DC-12 Cisco IOS Dial Technologies Configuration Guide The difference between traditional channelized lines (analog) and nonchannelized lines (ISDN) is that channelized lines have no built-in D channel. That is, all 24 channels on a T1 line carry only data. The signaling is in-band or associated to the data channels. Traditional channelized lines do not support digitized data calls (for example, BRI with 2B + D). Channelized lines support a variety of in-band signal types, such as ground start, loop start, wink start, immediate start, E&M, and R2. Signaling for channelized lines is configured with the cas-group controller configuration command. The following example configures E&M group B signaling on a T1 controller: Router# configure terminal Router(config)# controller t1 0 Router(config-controller)# cas-group 1 timeslots 1-24 type ? e&m-fgb E & M Type II FGB e&m-fgd E & M Type II FGD e&m-immediate-start E & M Immediate Start fxs-ground-start FXS Ground Start fxs-loop-start FXS Loop Start r1-modified R1 Modified sas-ground-start SAS Ground Start sas-loop-start SAS Loop Start Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb Router(config-controller)# framing esf Router(config-controller)# clock source line primary ISDN Service Cisco routing devices support ISDN BRI and ISDN PRI. Both media types use B channels and D channels. Figure 9 shows how many B channels and D channels are assigned to each media type. Figure 9 Logical Relationship of B Channels and D Channels BRI 2B + D T1-PRI 23B + D Used in North America and Japan E1-PRI 30B + D Used in Europe 14051 B channel B channel B channel D channel D channel B channel D channel Overview of Dial Interfaces, Controllers, and Lines ISDN Service DC-13 Cisco IOS Dial Technologies Configuration Guide ISDN BRI ISDN BRI operates over most of the copper twisted-pair telephone wiring in place. ISDN BRI delivers a total bandwidth of a 144 kbps via three separate channels. Two of the B channels operate at 64 kbps and are used to carry voice, video, or data traffic. The third channel, the D channel, is a 16-kbps signaling channel used to tell the Public Switched Telephone Network (PSTN) how to handle each of the B channels. ISDN BRI is often referred to as “2 B + D.” Enter the interface bri command to bring up and configure a single BRI interface, which is the overseer of the 2 B + D channels. The D channel is not user configurable. The following example configures an ISDN BRI interface on a Cisco 1600 series router. The isdn spid command defines the service profile identifier (SPID) number for both B channels. The SPID number is assigned by the ISDN service provider. Not all ISDN lines have SPIDs. Router# configure terminal Router(config)# interface bri 0 Router(config-if)# isdn spid1 55598760101 Router(config-if)# isdn spid2 55598770101 Router(config-if)# isdn switch-type basic-ni Router(config-if)# ip unnumbered ethernet 0 Router(config-if)# dialer map ip 172.168.37.40 name hq 5552053 Router(config-if)# dialer load-threshold 70 Router(config-if)# dialer-group 1 Router(config-if)# encapsulation ppp Router(config-if)# ppp authentication chap pap callin Router(config-if)# ppp multilink Router(config-if)# no shutdown ISDN PRI ISDN PRI is designed to carry large numbers of incoming ISDN calls at point of presences (POPs) and other large central site locations. All the reliability and performance of ISDN BRI applies to ISDN PRI, but ISDN PRI has 23 B channels running at 64 kbps each and a shared 64 kbps D channel that carries signaling traffic. ISDN PRI is often referred to as “23 B + D” (North America and Japan) or “30 B + D” (rest of the world). The D channel notifies the central office switch to send the incoming call to particular timeslots on the Cisco access server or router. Each one of the B channels carries data or voice. The D channel carries signaling for the B channels. The D channel identifies if the call is a circuit-switched digital call or an analog modem call. Analog modem calls are decoded and then sent to the onboard modems. Circuit-switched digital calls are directly relayed to the ISDN processor in the router. Enter the interface serial command to bring up and configure the D channel, which is user configurable. Figure 10 shows the logical contents of an ISDN PRI interface used in a T1 network configuration. The logical contents include 23 B channels, 1 D channel, 24 time slots, and 24 virtual serial interfaces (total number of B + D channels). Overview of Dial Interfaces, Controllers, and Lines ISDN Service DC-14 Cisco IOS Dial Technologies Configuration Guide Figure 10 Logical Relationship of ISDN PRI Components for T1 The following example is for a Cisco AS5300 access server. It configures one T1 controller for ISDN PRI, then configures the neighboring D channel (interface serial 0:23). Controller T1 0 and interface serial 0:23 are both assigned to the first PRI port. The second PRI port is assigned to controller T1 1 and interface serial 1:23, and so on. The second PRI port configuration is not shown in this example. This Cisco AS5300 access server is used as part of a stack group dial-in solution for an Internet service provider. Router# configure terminal Router(config)# controller t1 0 Router(config-controller)# framing esf Router(config-controller)# linecode b8zs Router(config-controller)# clock source line primary Router(config-controller)# pri-group timeslots 1-24 Router(config-controller)# exit Router(config)# interface serial 0:23 Router(config-if)# ip unnumbered Loopback 0 Router(config-if)# ip accounting output-packets Router(config-if)# no ip mroute-cache Router(config-if)# encapsulation ppp Router(config-if)# isdn incoming-voice modem Router(config-if)# dialer-group 1 Router(config-if)# no fair-queue Router(config-if)# compress stac Router(config-if)# no cdp enable Router(config-if)# ppp authentication chap Router(config-if)# ppp multilink Router(config-if)# netbios nbf B (data channel) 1 S0:0 B (data channel) 2 S0:1 B (data channel) 3 S0:2 B (data channel) 4 S0:3 • •• • •• • •• • •• • •• B (data channel) 21 S0:20 B (data channel) 22 S0:21 B (data channel) 23 S0:22 D (signaling channel) 24 S0:23 S6487 Channel Type Time Slot Number Logical contents of a PRI interface Virtual Serial Interface Number Overview of Dial Interfaces, Controllers, and Lines Line Types DC-15 Cisco IOS Dial Technologies Configuration Guide Line Types This section describes the different line types used for dial access. It also describes the relationship between lines and interfaces. Note Cisco devices have four types of lines: console, auxiliary, asynchronous, and virtual terminal. Different routers have different numbers of these line types. Refer to the hardware and software configuration guides that shipped with your device for exact configurations. Table 3 shows the types of lines that can be configured. Use the show line command to see the status of each of the lines available on a router. (See Figure 11.) Table 3 Available Line Types Line Type Interface Description Numbering Rules CON or CTY Console Typically used to log in to the router for configuration purposes. Line 0. AUX Auxiliary EIA/TIA-232 data terminal equipment (DTE) port used as a backup (tty) asynchronous port. Cannot be used as a second console port. Last tty line number plus 1. tty Asynchronous Same as asynchronous interface. Used typically for remote-node dial-in sessions that use such protocols as SLIP, PPP, AppleTalk Remote Access (ARA), and XRemote. The numbering widely varies between platforms. This number is equivalent to the maximum number of modems or asynchronous interfaces supported by your access server or router.1 1. Enter the interface line tty ? command to view the maximum number of tty lines supported. vty Virtual asynchronous Used for incoming Telnet, LAT, X.25 PAD, and protocol translation connections into synchronous ports (such as Ethernet and serial interfaces) on the router. Last tty line number plus 2 through the maximum number of vty lines specified.2 2. Increase the number of vty lines on a router using the line vty global configuration command. Delete vty lines with the no line vty line-number command. The line vty command accepts any line number larger than 5 up to the maximum number of lines supported by your router with its current configuration. Enter the interface line vty ? command to view the maximum number of vty lines supported. Overview of Dial Interfaces, Controllers, and Lines Line Types DC-16 Cisco IOS Dial Technologies Configuration Guide Figure 11 Sample Show Line Output Showing CTY, tty, AUX, and vty Line Statistics Relationship Between Lines and Interfaces The following sections describe the relationship between lines and interfaces: • Asynchronous Interfaces and Physical Terminal Lines • Synchronous Interfaces and Virtual Terminal Lines Asynchronous Interfaces and Physical Terminal Lines Asynchronous interfaces correspond to physical terminal lines. Commands entered in asynchronous interface mode let you configure protocol-specific parameters for asynchronous interfaces; commands entered in line configuration mode let you configure the physical aspects of the line port. sankara> show line Tty Typ Tx/Rx A Modem Roty ACCO ACCI Uses Noise Overruns * 0 CTY - - - - - 0 0 0/0 * 1 TTY 115200/115200 - inout - 4 - 31 26 0/0 * 2 TTY 115200/115200 - inout - 21630 - 37 23 0/0 A 3 TTY 115200/115200 - inout - 25 - 10 24 1/0 * 4 TTY 115200/115200 - inout - 4 - 20 63 1/0 * 5 TTY 115200/115200 - inout - 32445 - 18 325 22/0 A 6 TTY 115200/115200 - inout - 25 - 7 0 0/0 I 7 TTY 115200/115200 - inout - 6 - 6 36 1/0 I 8 TTY 115200/115200 - inout - - - 3 25 3/0 * 9 TTY 115200/115200 - inout - 4 - 2 0 0/0 A 10 TTY 115200/115200 - inout - 56 - 2 470 216/0 I 11 TTY 115200/115200 - inout - 4 - 31 26 0/0 I 12 TTY 115200/115200 - inout - 4 - 31 26 0/0 I 13 TTY 115200/115200 - inout - 4 - 31 26 0/0 I 14 TTY 115200/115200 - inout - 4 - 31 26 0/0 I 15 TTY 115200/115200 - inout - 4 - 31 26 0/0 I 16 TTY 115200/115200 - inout - 4 - 31 26 0/0 17 AUX 9600/9600 - - - - - 2 1 2/104800 * 18 VTY 9600/9600 - - - - - 103 0 0/0 19 VTY 9600/9600 - - - - - 6 0 0/0 20 VTY 9600/9600 - - - - - 1 0 0/0 21 VTY 9600/9600 - - - - - 0 0 0/0 22 VTY 9600/9600 - - - - - 0 0 0/0 23 VTY 9600/9600 - - - - - 0 0 0/0 24 VTY 9600/9600 - - - - - 0 0 0/0 25 VTY 9600/9600 - - - - - 0 0 0/0 26 VTY 9600/9600 - - - - - 0 0 0/0 27 VTY 9600/9600 - - - - - 0 0 0/0 28 VTY 9600/9600 - - - - - 0 0 0/0 29 VTY 9600/9600 - - - - - 0 0 0/0 30 VTY 9600/9600 - - - - - 0 0 0/0 31 VTY 9600/9600 - - - - - 0 0 0/0 32 VTY 9600/9600 - - - - - 0 0 0/0 33 VTY 9600/9600 - - - - - 0 0 0/0 Rotary group # Access class in/out Autoselect state Absolute line number Line speed This is VTY2 (3rd VTY) line 20 Modem setting Number of TCP connections made S4214 Overview of Dial Interfaces, Controllers, and Lines Line Types DC-17 Cisco IOS Dial Technologies Configuration Guide For example, to enable IP resources to dial in to a network through a Cisco 2500 series access server, configure the lines and asynchronous interfaces as follows. • Configure the physical aspect of a line that leads to a port. You might enter the following commands to configure lines 1 through 16 (asynchronous physical terminal lines on a Cisco 2511 access server): line 1 16 login local modem inout speed 115200 flowcontrol hardware ! Configures the line to autosense PPP; physical line attribute. autoselect ppp • On asynchronous interface 1, you configure your protocol-specific commands. You might enter the following commands: interface async 1 encapsulation ppp async mode interactive async dynamic address async dynamic routing async default ip address 192.168.16.132 ppp authentication chap The remote node services SLIP, PPP, and XRemote are configured in asynchronous interface mode. ARA is configured in line configuration mode on virtual terminal lines or physical terminal lines. Synchronous Interfaces and Virtual Terminal Lines Virtual terminal lines provide access to the router through a synchronous interface. Virtual terminal lines do not correspond to synchronous interfaces in the same way that physical terminal lines correspond to asynchronous interfaces because vty lines are created dynamically on the router, whereas physical terminal lines are static physical ports. When a user connects to the router on a vty line, that user is connecting into a virtual port on an interface. You can have multiple virtual ports for each synchronous interface. For example, several Telnet connections can be made to an interface (such as an Ethernet or serial interface). The number of virtual terminal lines available on a router is defined using the line vty number-of-lines global configuration command. Overview of Dial Interfaces, Controllers, and Lines Encapsulation Types DC-18 Cisco IOS Dial Technologies Configuration Guide Encapsulation Types Synchronous serial interfaces default to High-Level Data Link Control (HDLC) encapsulation, and asynchronous serial interfaces default to SLIP encapsulation. Cisco IOS software provides a long list of encapsulation methods that can be set on the interface to change the default encapsulation method. See the Cisco IOS Interface Command Reference for a complete list and description of these encapsulation methods. The following list summarizes the encapsulation commands available for serial interfaces used in dial configurations: • encapsulation frame-relay—Frame Relay • encapsulation hdlc—HDLC protocol • encapsulation lapb—X.25 LAPB DTE operation • encapsulation ppp—PPP • encapsulation slip—SLIP To use SLIP or PPP encapsulation, the router or access server must be configured with an IP routing protocol or with the ip host-routing command. DC-19 Cisco IOS Dial Technologies Configuration Guide Configuring Asynchronous Lines and Interfaces This chapter describes how to configure asynchronous line features in the following main sections: • How to Configure Asynchronous Interfaces and Lines • How to Configure Other Asynchronous Line and Interface Features • Configuration Examples for Asynchronous Interfaces and Lines Perform these tasks, as required, for your particular network. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. How to Configure Asynchronous Interfaces and Lines To configure an asynchronous interface, perform the tasks described in the following sections as required: • Configuring a Typical Asynchronous Interface (As required) • Creating a Group Asynchronous Interface (As required) • Configuring Asynchronous Rotary Line Queueing (As required) • Configuring Autoselect (As required) Configuring Asynchronous Lines and Interfaces How to Configure Asynchronous Interfaces and Lines DC-20 Cisco IOS Dial Technologies Configuration Guide Configuring a Typical Asynchronous Interface To configure an asynchronous interface, use the following commands beginning in global configuration mode: The “Interface and Line Configuration Examples” and “Asynchronous Interface As the Only Network Interface Example” sections later in this chapter contain examples of how to configure an asynchronous interface. Monitoring and Maintaining Asynchronous Connections This section describes the following monitoring and maintenance tasks that you can perform on asynchronous interfaces: • Monitoring and maintaining asynchronous activity • Debugging asynchronous interfaces • Debugging PPP Command Purpose Step 1 Router(config)# interface async number Brings up a single asynchronous interface and enters interface configuration mode. Step 2 Router(config-if)# description description Provides a description for the interface. Step 3 Router(config-if)# ip address address mask Specifies an IP address. Step 4 Router(config-if)# encapsulation ppp Enables PPP to run on the asynchronous interfaces in the group. Step 5 Router(config-if)# async default routing Enables the router to pass routing updates to other routers over the AUX port configured as an asynchronous interface. Step 6 Router(config-if)# async mode dedicated Places a line into dedicated asynchronous mode using Serial Line Internet Protocol (SLIP) or PPP encapsulation. Step 7 Router(config-if)# dialer in-band Specifies that dial-on-demand routing (DDR) is to be supported. Step 8 Router(config-if)# dialer map protocol next-hop-address Configures a serial interface to call one or multiple sites or to receive calls from multiple sites. Step 9 Router(config-if)# dialer-group Controls access by configuring an interface to belong to a specific dialing group. Step 10 Router(config-if)# ppp authentication chap pap list-name Enables Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP) authentication on the interface. Replace the list-name variable with a specified authentication list name.1 1. To create a string used to name the following list of authentication methods tried when a user logs in, refer to the aaa authentication ppp command. Authentication methods include RADIUS, TACACS+, and Kerberos. Step 11 Router(config-if)# exit Return to global configuration mode. Configuring Asynchronous Lines and Interfaces How to Configure Asynchronous Interfaces and Lines DC-21 Cisco IOS Dial Technologies Configuration Guide To monitor and maintain asynchronous activity, use the following commands in privileged EXEC mode as needed: To debug asynchronous interfaces, use the following debug command in privileged EXEC mode: To debug PPP links, use the following debug commands in privileged EXEC mode as needed: Creating a Group Asynchronous Interface Create a group asynchronous interface to project a set of core protocol characteristics to a range of asynchronous interfaces. Configuring the asynchronous interfaces as a group saves you time. Analog modem calls cannot enter the access server without this configuration. To configure a group asynchronous interface, use the following commands beginning in global configuration mode: Command Purpose Router# clear line line-number Returns a line to its idle state. Router# show async bootp Displays parameters that have been set for extended BOOTP requests. Router# show async status Displays statistics for asynchronous interface activity. Router# show line [line-number] Displays the status of asynchronous line connections. Command Purpose Router# debug async {framing | state | packets} Displays errors, changes in interface state, and log input and output. Command Purpose Router# debug ppp negotiation Enables debugging of PPP protocol negotiation process. Router# debug ppp error Displays PPP protocol errors. Router# debug ppp packet Displays PPP packets sent and received. Router# debug ppp chap Displays errors encountered during remote or local system authentication. Command Purpose Step 1 Router(config)# interface async number Brings up a single asynchronous interface and enters interface configuration mode. Step 2 Router(config-if)# ip unnumbered loopback number Configures the asynchronous interfaces as unnumbered and assigns the IP address of the loopback interface to them to conserve IP addresses.1 Step 3 Router(config-if)# encapsulation ppp Enables PPP to run on the asynchronous interfaces in the group. Configuring Asynchronous Lines and Interfaces How to Configure Asynchronous Interfaces and Lines DC-22 Cisco IOS Dial Technologies Configuration Guide The “Group and Member Asynchronous Interface Examples” section later in this chapter contains an example of how to configure a group interface. Verifying the Group Interface Configuration To verify the group interface configuration and check if one of the asynchronous interfaces is up, use the show interface async command: Router# show interface async 1 Async1 is up, line protocol is up modem(slot/port)=1/0, csm_state(0x00000204)=CSM_IC4_CONNECTED, bchan_num=18 modem_status(0x0002): VDEV_STATUS_ACTIVE_CALL. Hardware is Async Serial Interface is unnumbered. Using address of FastEthernet0 (10.1.1.10) MTU 1500 bytes, BW 115 Kbit, DLY 100000 usec, rely 255/255, load 1/255 Encapsulation PPP, loopback not set, keepalive not set DTR is pulsed for 5 seconds on reset LCP Open Open: IPCP Last input 00:00:00, output 00:00:00, output hang never Last clearing of "show interface" counters never Queueing strategy: fifo Output queue 0/5, 0 drops; input queue 1/5, 0 drops 5 minute input rate 37000 bits/sec, 87 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 31063 packets input, 1459806 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 33 packets output, 1998 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions Step 4 Router(config-if)# async mode interactive Configures interactive mode on the asynchronous interface. Step 5 Router(config-if)# ppp authentication chap pap list-name Enables CHAP and PAP authentication on the interface. Replace the list-name variable with a specified authentication list name.2 Step 6 Router(config-if)# peer default ip address pool poolname Assigns dial-in clients IP addresses from an address pool.3 Step 7 Router(config-if)# no cdp enable Disables the Cisco Discovery Protocol (CDP) on the interface. Step 8 Router(config-if)# group-range low-end-of-range high-end-of-range Specifies the range of asynchronous interfaces to include in the group, which is usually equal to the number of modems you have in the access server. Step 9 Router(config-if)# exit Returns to global configuration mode. 1. You can also specify the Ethernet interface to conserver address space. In this case, enter the ip unnumbered ethernet 0 command. 2. To create a string used to name the following list of authentication methods tried when a user logs in, refer to the aaa authentication ppp command. Authentication methods include RADIUS, TACACS+, and Kerberos. 3. To create an IP address pool, refer to the ip local pool global configuration command. Command Purpose Configuring Asynchronous Lines and Interfaces How to Configure Asynchronous Interfaces and Lines DC-23 Cisco IOS Dial Technologies Configuration Guide If you are having trouble, enter one of the following debug commands and then send a call into the access server. Interpret the output and make configuration changes accordingly. • undebug all • debug ppp negotiation • debug ppp authentication • debug modem • debug ip peer Router# undebug all All possible debugging has been turned off Router# debug ppp negotiation PPP protocol negotiation debugging is on Router# debug ppp authentication PPP authentication debugging is on Router# debug modem Modem control/process activation debugging is on Router# debug ip peer IP peer address activity debugging is on Router# show debug General OS: Modem control/process activation debugging is on Generic IP: IP peer address activity debugging is on PPP: PPP authentication debugging is on PPP protocol negotiation debugging is on Router# *Mar 1 21:34:56.958: tty4: DSR came up *Mar 1 21:34:56.962: tty4: Modem: IDLE->READY *Mar 1 21:34:56.970: tty4: EXEC creation *Mar 1 21:34:56.978: tty4: set timer type 10, 30 seconds *Mar 1 21:34:59.722: tty4: Autoselect(2) sample 7E *Mar 1 21:34:59.726: tty4: Autoselect(2) sample 7EFF *Mar 1 21:34:59.730: tty4: Autoselect(2) sample 7EFF7D *Mar 1 21:34:59.730: tty4: Autoselect(2) sample 7EFF7D23 *Mar 1 21:34:59.734: tty4 Autoselect cmd: ppp negotiate *Mar 1 21:34:59.746: tty4: EXEC creation *Mar 1 21:34:59.746: tty4: create timer type 1, 600 seconds *Mar 1 21:34:59.786: ip_get_pool: As4: using pool default *Mar 1 21:34:59.790: ip_get_pool: As4: returning address = 172.20.1.101 *Mar 1 21:34:59.794: tty4: destroy timer type 1 (OK) *Mar 1 21:34:59.794: tty4: destroy timer type 0 *Mar 1 21:35:01.798: %LINK-3-UPDOWN: Interface Async4, changed state to up *Mar 1 21:35:01.834: As4 PPP: Treating connection as a dedicated line *Mar 1 21:35:01.838: As4 PPP: Phase is ESTABLISHING, Active Open *Mar 1 21:35:01.842: As4 LCP: O CONFREQ [Closed] id 1 len 25 *Mar 1 21:35:01.846: As4 LCP: ACCM 0x000A0000 (0x0206000A0000) *Mar 1 21:35:01.850: As4 LCP: AuthProto CHAP (0x0305C22305) *Mar 1 21:35:01.854: As4 LCP: MagicNumber 0x64E923A8 (0x050664E923A8) *Mar 1 21:35:01.854: As4 LCP: PFC (0x0702) *Mar 1 21:35:01.858: As4 LCP: ACFC (0x0802) *Mar 1 21:35:02.718: As4 LCP: I CONFREQ [REQsent] id 3 len 23 *Mar 1 21:35:02.722: As4 LCP: ACCM 0x000A0000 (0x0206000A0000) *Mar 1 21:35:02.726: As4 LCP: MagicNumber 0x00472467 (0x050600472467) *Mar 1 21:35:02.726: As4 LCP: PFC (0x0702) *Mar 1 21:35:02.730: As4 LCP: ACFC (0x0802) *Mar 1 21:35:02.730: As4 LCP: Callback 6 (0x0D0306) *Mar 1 21:35:02.738: As4 LCP: O CONFREJ [REQsent] id 3 len 7 *Mar 1 21:35:02.738: As4 LCP: Callback 6 (0x0D0306) *Mar 1 21:35:02.850: As4 LCP: I CONFREQ [REQsent] id 4 len 20 Configuring Asynchronous Lines and Interfaces How to Configure Asynchronous Interfaces and Lines DC-24 Cisco IOS Dial Technologies Configuration Guide *Mar 1 21:35:02.854: As4 LCP: ACCM 0x000A0000 (0x0206000A0000) *Mar 1 21:35:02.854: As4 LCP: MagicNumber 0x00472467 (0x050600472467) *Mar 1 21:35:02.858: As4 LCP: PFC (0x0702) *Mar 1 21:35:02.858: As4 LCP: ACFC (0x0802) *Mar 1 21:35:02.862: As4 LCP: O CONFACK [REQsent] id 4 len 20 *Mar 1 21:35:02.866: As4 LCP: ACCM 0x000A0000 (0x0206000A0000) *Mar 1 21:35:02.870: As4 LCP: MagicNumber 0x00472467 (0x050600472467) *Mar 1 21:35:02.870: As4 LCP: PFC (0x0702) *Mar 1 21:35:02.874: As4 LCP: ACFC (0x0802) *Mar 1 21:35:03.842: As4 LCP: TIMEout: State ACKsent *Mar 1 21:35:03.842: As4 LCP: O CONFREQ [ACKsent] id 2 len 25 *Mar 1 21:35:03.846: As4 LCP: ACCM 0x000A0000 (0x0206000A0000) *Mar 1 21:35:03.850: As4 LCP: AuthProto CHAP (0x0305C22305) *Mar 1 21:35:03.854: As4 LCP: MagicNumber 0x64E923A8 (0x050664E923A8) *Mar 1 21:35:03.854: As4 LCP: PFC (0x0702) *Mar 1 21:35:03.858: As4 LCP: ACFC (0x0802) *Mar 1 21:35:03.962: As4 LCP: I CONFACK [ACKsent] id 2 len 25 *Mar 1 21:35:03.966: As4 LCP: ACCM 0x000A0000 (0x0206000A0000) *Mar 1 21:35:03.966: As4 LCP: AuthProto CHAP (0x0305C22305) *Mar 1 21:35:03.970: As4 LCP: MagicNumber 0x64E923A8 (0x050664E923A8) *Mar 1 21:35:03.974: As4 LCP: PFC (0x0702) *Mar 1 21:35:03.974: As4 LCP: ACFC (0x0802) *Mar 1 21:35:03.978: As4 LCP: State is Open *Mar 1 21:35:03.978: As4 PPP: Phase is AUTHENTICATING, by this end *Mar 1 21:35:03.982: As4 CHAP: O CHALLENGE id 1 len 26 from "nas-1" *Mar 1 21:35:04.162: As4 CHAP: I RESPONSE id 1 len 26 from "krist" *Mar 1 21:35:04.170: As4 AUTH: Started process 0 pid 47 *Mar 1 21:35:04.182: As4 CHAP: O SUCCESS id 1 len 4 *Mar 1 21:35:04.186: As4 PPP: Phase is UP *Mar 1 21:35:04.190: As4 IPCP: O CONFREQ [Not negotiated] id 1 len 10 *Mar 1 21:35:04.194: As4 IPCP: Address 172.20.1.2 (0x0306AC140102) *Mar 1 21:35:04.202: As4 CDPCP: O CONFREQ [Closed] id 1 len 4 *Mar 1 21:35:04.282: As4 IPCP: I CONFREQ [REQsent] id 1 len 40 *Mar 1 21:35:04.282: As4 IPCP: CompressType VJ 15 slots CompressSlotID (0x02 06002D0F01) *Mar 1 21:35:04.286: As4 IPCP: Address 0.0.0.0 (0x030600000000) *Mar 1 21:35:04.290: As4 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000) *Mar 1 21:35:04.294: As4 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000) *Mar 1 21:35:04.298: As4 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000) *Mar 1 21:35:04.302: As4 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000) *Mar 1 21:35:04.306: As4 IPCP: O CONFREJ [REQsent] id 1 len 10 *Mar 1 21:35:04.310: As4 IPCP: CompressType VJ 15 slots CompressSlotID (0x02 06002D0F01) *Mar 1 21:35:04.314: As4 CCP: I CONFREQ [Not negotiated] id 1 len 15 *Mar 1 21:35:04.318: As4 CCP: MS-PPC supported bits 0x00000001 (0x1206000000 01) *Mar 1 21:35:04.318: As4 CCP: Stacker history 1 check mode EXTENDED (0x11050 00104) *Mar 1 21:35:04.322: As4 LCP: O PROTREJ [Open] id 3 len 21 protocol CCP *Mar 1 21:35:04.326: As4 LCP: (0x80FD0101000F12060000000111050001) *Mar 1 21:35:04.330: As4 LCP: (0x04) *Mar 1 21:35:04.334: As4 IPCP: I CONFACK [REQsent] id 1 len 10 *Mar 1 21:35:04.338: As4 IPCP: Address 172.20.1.2 (0x0306AC140102) *Mar 1 21:35:04.342: As4 LCP: I PROTREJ [Open] id 5 len 10 protocol CDPCP (0x82 0701010004) *Mar 1 21:35:04.342: As4 CDPCP: State is Closed *Mar 1 21:35:05.186: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async4, ch anged state to up *Mar 1 21:35:05.190: As4 PPP: Unsupported or un-negotiated protocol. Link cdp *Mar 1 21:35:05.190: As4 PPP: Trying to negotiate NCP for Link cdp *Mar 1 21:35:05.194: As4 CDPCP: State is Closed *Mar 1 21:35:05.198: As4 CDPCP: TIMEout: State Closed *Mar 1 21:35:05.202: As4 CDPCP: State is Listen *Mar 1 21:35:06.202: As4 IPCP: TIMEout: State ACKrcvd Configuring Asynchronous Lines and Interfaces How to Configure Asynchronous Interfaces and Lines DC-25 Cisco IOS Dial Technologies Configuration Guide *Mar 1 21:35:06.206: As4 IPCP: O CONFREQ [ACKrcvd] id 2 len 10 *Mar 1 21:35:06.206: As4 IPCP: Address 172.20.1.2 (0x0306AC140102) *Mar 1 21:35:06.314: As4 IPCP: I CONFACK [REQsent] id 2 len 10 *Mar 1 21:35:06.318: As4 IPCP: Address 172.20.1.2 (0x0306AC140102) *Mar 1 21:35:07.274: As4 IPCP: I CONFREQ [ACKrcvd] id 2 len 34 *Mar 1 21:35:07.278: As4 IPCP: Address 0.0.0.0 (0x030600000000) *Mar 1 21:35:07.282: As4 IPCP: PrimaryDNS 0.0.0.0 (0x810600000000) *Mar 1 21:35:07.286: As4 IPCP: PrimaryWINS 0.0.0.0 (0x820600000000) *Mar 1 21:35:07.286: As4 IPCP: SecondaryDNS 0.0.0.0 (0x830600000000) *Mar 1 21:35:07.290: As4 IPCP: SecondaryWINS 0.0.0.0 (0x840600000000) *Mar 1 21:35:07.294: As4 IPCP: O CONFNAK [ACKrcvd] id 2 len 34 *Mar 1 21:35:07.298: As4 IPCP: Address 172.20.1.101 (0x0306AC140165) *Mar 1 21:35:07.302: As4 IPCP: PrimaryDNS 172.20.5.100 (0x8106AC140564) *Mar 1 21:35:07.306: As4 IPCP: PrimaryWINS 172.20.5.101 (0x8206AC140565) *Mar 1 21:35:07.310: As4 IPCP: SecondaryDNS 172.20.6.100 (0x8306AC140664) *Mar 1 21:35:07.314: As4 IPCP: SecondaryWINS 172.20.6.101 (0x8406AC140665) *Mar 1 21:35:07.426: As4 IPCP: I CONFREQ [ACKrcvd] id 3 len 34 *Mar 1 21:35:07.430: As4 IPCP: Address 172.20.1.101 (0x0306AC140165) *Mar 1 21:35:07.434: As4 IPCP: PrimaryDNS 172.20.5.100 (0x8106AC140564) *Mar 1 21:35:07.438: As4 IPCP: PrimaryWINS 172.20.5.101 (0x8206AC140565) *Mar 1 21:35:07.442: As4 IPCP: SecondaryDNS 172.20.6.100 (0x8306AC140664) *Mar 1 21:35:07.446: As4 IPCP: SecondaryWINS 172.20.6.101 (0x8406AC140665) *Mar 1 21:35:07.446: ip_get_pool: As4: validate address = 172.20.1.101 *Mar 1 21:35:07.450: ip_get_pool: As4: using pool default *Mar 1 21:35:07.450: ip_get_pool: As4: returning address = 172.20.1.101 *Mar 1 21:35:07.454: set_ip_peer_addr: As4: address = 172.20.1.101 (3) is redun dant *Mar 1 21:35:07.458: As4 IPCP: O CONFACK [ACKrcvd] id 3 len 34 *Mar 1 21:35:07.462: As4 IPCP: Address 172.20.1.101 (0x0306AC140165) *Mar 1 21:35:07.466: As4 IPCP: PrimaryDNS 172.20.5.100 (0x8106AC140564) *Mar 1 21:35:07.470: As4 IPCP: PrimaryWINS 172.20.5.101 (0x8206AC140565) *Mar 1 21:35:07.474: As4 IPCP: SecondaryDNS 172.20.6.100 (0x8306AC140664) *Mar 1 21:35:07.474: As4 IPCP: SecondaryWINS 172.20.6.101 (0x8406AC140665) *Mar 1 21:35:07.478: As4 IPCP: State is Open *Mar 1 21:35:07.490: As4 IPCP: Install route to 172.20.1.101 *Mar 1 21:35:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp *Mar 1 21:36:12.614: tty0: timer type 1 expired *Mar 1 21:36:12.614: tty0: Exec timer (continued) *Mar 1 21:36:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp *Mar 1 21:37:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp *Mar 1 21:38:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp *Mar 1 21:39:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp *Mar 1 21:40:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp *Mar 1 21:41:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp *Mar 1 21:42:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp *Mar 1 21:43:25.038: As4 PPP: Unsupported or un-negotiated protocol. Link cdp Configuring Asynchronous Rotary Line Queueing The Cisco IOS Asynchronous Rotary Line Queueing feature allows Telnet connection requests to busy asynchronous rotary groups to be queued so that users automatically obtain the next available line, rather than needing to try repeatedly to open a Telnet connection. The Cisco IOS software sends a periodic message to the user to update progress in the connection queue. This feature allows users to make effective use of the asynchronous rotary groups on a Cisco router to access legacy mainframes or other serial devices with a limited number of asynchronous ports that might be used by a large number of users. Users that are unable to make a Telnet connection on the first attempt are assured of eventual success in an orderly process. They are no longer required to guess when a line might be available and to retry manually again and again. Configuring Asynchronous Lines and Interfaces How to Configure Asynchronous Interfaces and Lines DC-26 Cisco IOS Dial Technologies Configuration Guide Connections are authenticated using the method specified for the line configurations for the asynchronous rotary group. If a connection is queued, authentication is done prior to queueing and no authentication is done when the connection is later established. Make sure you comply with the following requirements when configuring asynchronous rotary line queueing: • Configure more virtual terminal lines than will ever be used by waiting asynchronous rotary connection attempts. Even when the queue is at its maximum, there must be at least one virtual terminal line available so that system operators or network administrators can use Telnet to access the router to show, debug, or configure system performance. • When adding lines to a rotary group, all lines must be either queued or not queued. A mixture of queued and unenqueued lines in the same rotary group is not supported and can result in unexpected behavior. • All lines within a queued rotary group need to use the same authentication method. Using different authentication methods within the same rotary group can result in unexpected behavior. To configure asynchronous rotary line queueing, use the following commands beginning in global configuration mode: See the “Rotary Group Examples” section for configuration examples. Verifying Asynchronous Rotary Line Queueing To verify operation of asynchronous rotary line queueing, perform the following tasks: • Use the show line command in EXEC mode to check the status of the vty lines. • Use the show line async-queue command in EXEC mode to check the status of queued connection requests. Troubleshooting Asynchronous Rotary Lines If asynchronous rotary line queueing is not operating correctly, use the following debug commands in privileged EXEC mode to determine where the problem may lie: • debug async async-queue • debug ip tcp transactions • debug modem Refer to the Cisco IOS Debug Command Reference for information about these commands. Command Purpose Step 1 Router (config)# line [aux | console | tty | vty] line-number [ending-line-number] Starts line configuration mode on the line type and numbers specified. Step 2 Router(config-line)# rotary group [queued | round-robin] Enables asynchronous rotary line queueing on the designated line or group of lines. The optional round-robin keyword selects a round-robin port selection algorithm instead of the default (queued) linear port selection algorithm. Configuring Asynchronous Lines and Interfaces How to Configure Asynchronous Interfaces and Lines DC-27 Cisco IOS Dial Technologies Configuration Guide Monitoring and Maintaining Asynchronous Rotary Line Queues To display queued lines and to remove lines from the queue, use the following commands in EXEC mode as needed: Configuring Autoselect Autoselect is used by the access server to sense the protocol being received on an incoming line and to launch the appropriate protocol. Autoselect can be used for AppleTalk Remote Access (ARA), PPP, or SLIP. When using Autoselect, “login” authentication is bypassed, so if security is required, it must be performed at the protocol level, that is, the AppleTalk Remote Access Protocol (ARAP) or PPP authentication. SLIP does not offer protocol layer authentication. To configure the Cisco IOS software to allow an ARA, PPP, or SLIP session to start automatically, use the following command in line configuration mode: The autoselect command enables the Cisco IOS software to start a process automatically when a start character is received. The autoselect command bypasses the login prompt and enables the specified session to begin automatically. However, when the autoselect command is entered with the during login keyword, the username or password prompt appears without the need to press the Return key; thus “login” users will get a prompt right away without needing to press the Return key. While the username or password prompt is displayed, you can choose either to answer these prompts or to send packets from an autoselected protocol. Normally a router avoids line and modem noise by clearing the initial data received within the first one or two seconds. However, when the autoselect PPP feature is configured, the router flushes characters initially received and then waits for more traffic. This flush causes timeout problems with applications that send only one carriage return. To ensure that the input data sent by a modem or other asynchronous device is not lost after line activation, enter the flush-at-activation line configuration command. Note When the autoselect command is used, the activation character should be set to the default Return, and exec-character-bits should be set to 7. If you change these defaults, the application cannot recognize the activation request. See the “High-Density Dial-In Solution Using Autoselect and EXEC Control Example” section for an example that makes use of the autoselect feature. Command Purpose Router# show line async-queue rotary-group Displays which lines are queued. Router# clear line async-queue rotary-group Clears all rotary queues or the specified rotary queue. If the rotary-group argument is not specified, all rotary queues are removed. Command Purpose Router(config-line)# autoselect {arap | ppp | slip | during login} Configures a line to automatically start an ARA, PPP, or SLIP session. Configuring Asynchronous Lines and Interfaces How to Configure Asynchronous Interfaces and Lines DC-28 Cisco IOS Dial Technologies Configuration Guide Verifying Autoselect PPP The following trace appears when the debug modem and debug ppp negotiation commands are enabled. As PPP calls pass through the access server, you should see this output. When autoselect is used, “login” authentication is bypassed. If security is required, it must be performed at the protocol level (that is, ARAP or PPP authentication). SLIP does not offer protocol layer authentication. 22:21:02: TTY1: DSR came up 22:21:02: tty1: Modem: IDLE->READY 22:21:02: TTY1: Autoselect started 22:21:05: TTY1: Autoselect sample 7E 22:21:05: TTY1: Autoselect sample 7EFF 22:21:05: TTY1: Autoselect sample 7EFF7D 22:21:05: TTY1 Autoselect cmd: ppp default 22:21:05: TTY1: EXEC creation %LINK-3-UPDOWN: Interface Async1, changed state to up 22:21:07: ppp: sending CONFREQ, type = 2 (CI_ASYNCMAP), value = A0000 22:21:07: ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 23BE13AA 22:21:08: PPP Async1: state = REQSENT fsm_rconfack(0xC021): rcvd id 0x11 22:21:08: ppp: config ACK received, type = 2 (CI_ASYNCMAP), value = A0000 22:21:08: ppp: config ACK received, type = 5 (CI_MAGICNUMBER), value = 23BE13AA 22:21:08: ppp: config ACK received, type = 7 (CI_PCOMPRESSION) 22:21:08: ppp: config ACK received, type = 8 (CI_ACCOMPRESSION) 22:21:08: PPP Async1: received config for type = 0x2 (ASYNCMAP) value = 0x0 acked 22:21:08: PPP Async1: received config for type = 0x5 (MAGICNUMBER) value = 0x2A acked 22:21:08: PPP Async1: received config for type = 0x7 (PCOMPRESSION) acked 22:21:08: PPP Async1: received config for type = 0x8 (ACCOMPRESSION) acked 22:21:08: ipcp: sending CONFREQ, type = 3 (CI_ADDRESS), Address = 172.16.1.1 22:21:08: ppp Async1: ipcp_reqci: rcvd COMPRESSTYPE (rejected) (REJ) 22:21:08: ppp Async1: Negotiate IP address: her address 0.0.0.0 (NAK with address 172.16.1.100) (NAK) 22:21:08: ppp: ipcp_reqci: returning CONFREJ. 22:21:08: PPP Async1: state = REQSENT fsm_rconfack(0x8021): rcvd id 0x9 22:21:08: ipcp: config ACK received, type = 3 (CI_ADDRESS), Address = 172.16.1.1 22:21:08: ppp Async1: Negotiate IP address: her address 0.0.0.0 (NAK with address 172.16.1.100) (NAK) 22:21:08: ppp: ipcp_reqci: returning CONFNAK. 22:21:09: ppp Async1: Negotiate IP address: her address 172.16.1.100 (ACK) 22:21:09: ppp: ipcp_reqci: returning CONFACK. %LINEPROTO-5-UPDOWN: Line protocol on Interface Async1, changed state to up Verifying Autoselect ARA The following trace appears when the debug modem and debug arap internal commands are enabled. As ARA version 2.0 calls pass through the access server, this output is displayed. 20:45:11: TTY3: DSR came up 20:45:11: tty3: Modem: IDLE->READY 20:45:11: TTY3: EXEC creation 20:45:11: TTY3: Autoselect(2) sample 1 20:45:11: TTY3: Autoselect(2) sample 11B 20:45:12: TTY3: Autoselect(2) sample 11B02 20:45:18: ARAP: ---------- SRVRVERSION ---------- 20:45:19: ARAP: ---------- ACKing 0 ---------- 20:45:19: ARAP: ---------- AUTH_CHALLENGE ---------- 20:45:21: ARAP: ---------- ACKing 1 ---------- 20:45:21: ARAP: ---------- AUTH_RESPONSE ---------- 20:45:21: ARAP: ---------- STARTINFOFROMSERVER ---------- 20:45:22: ARAP: ---------- ACKing 2 ---------- 22:45:22: ARAP: ---------- ZONELISTINFO ---------- Configuring Asynchronous Lines and Interfaces How to Configure Other Asynchronous Line and Interface Features DC-29 Cisco IOS Dial Technologies Configuration Guide 22:45:22: ARAP: ---------- ZONELISTINFO ---------- 22:45:22: ARAP: ---------- ZONELISTINFO ---------- The following trace is for ARA version 1.0 calls: 22:31:45: TTY1: DSR came up 22:31:45: tty1: Modem: IDLE->READY 22:31:45: TTY1: Autoselect started 22:31:46: TTY1: Autoselect sample 16 22:31:46: TTY1: Autoselect sample 1610 22:31:46: TTY1: Autoselect sample 161002 22:31:47: ARAP: ---------- SRVRVERSION ---------- 22:31:47: ARAP: ---------- ACKing 0 ---------- 22:31:47: ARAP: ---------- AUTH_CHALLENGE ---------- 22:31:47: ARAP: ---------- ACKing 1 ---------- 22:31:47: ARAP: ---------- AUTH_RESPONSE ---------- 22:31:47: ARAP: ---------- STARTINFOFROMSERVER ---------- 22:31:48: ARAP: ---------- ACKing 2 ---------- 22:31:48: ARAP: ---------- ZONELISTINFO ---------- 22:31:48: ARAP: ---------- ZONELISTINFO ---------- 22:31:49: ARAP: ---------- ZONELISTINFO ---------- How to Configure Other Asynchronous Line and Interface Features This section describes the following asynchronous line and interface configurations: • Configuring the Auxiliary (AUX) Port • Establishing and Controlling the EXEC Process • Enabling Routing on Asynchronous Interfaces • Configuring Dedicated or Interactive PPP and SLIP Sessions • Conserving Network Addresses • Using Advanced Addressing Methods for Remote Devices • Optimizing Available Bandwidth Configuring the Auxiliary (AUX) Port The AUX (auxiliary) port is typically configured as an asynchronous serial interface on routers without built-in asynchronous interfaces. To configure the AUX port as an asynchronous interface, configure it first as an auxiliary line with the line aux 1 global configuration command. The AUX port sends a data terminal ready (DTR) signal only when a Telnet connection is established. The auxiliary port does not use request to send/clear to send (RTS/CTS) handshaking for flow control. To understand the differences between standard asynchronous interfaces and AUX ports configured as an asynchronous interface, refer to Table 4. To enable the auxiliary port, use the following command in global configuration mode: Command Purpose Router(config)# line aux line-number Enables the auxiliary serial DTE port. Configuring Asynchronous Lines and Interfaces How to Configure Other Asynchronous Line and Interface Features DC-30 Cisco IOS Dial Technologies Configuration Guide You cannot use the auxiliary (AUX) port as a second console port. To use the AUX port as a console port, you must order a special cable from your technical support personnel. On an access server, you can configure any of the available asynchronous interfaces (1 through 8, 16, or 48). The auxiliary port (labeled AUX on the back of the product) can also be configured as an asynchronous serial interface, although performance on the AUX port is much slower than on standard asynchronous interfaces and the port does not support some features. Table 4 illustrates why asynchronous interfaces permit substantially better performance than AUX ports configured as asynchronous interfaces. On routers without built-in asynchronous interfaces, only the AUX port can be configured as an asynchronous serial interface. To configure the AUX port as an asynchronous interface, you must also configure it as an auxiliary line with the line aux 1 command. Access servers do not have this restriction. Use the line command with the appropriate line configuration commands for modem control, such as speed. Only IP packets can be sent across lines configured for SLIP. PPP supports transmission of IP, Internet Packet Exchange (IPX), and AppleTalk packets on an asynchronous serial interface. See the “Line AUX Configuration Example” section for an example that shows how to configure the AUX port. Establishing and Controlling the EXEC Process By default, the Cisco IOS software starts an EXEC process on all lines. However, you can control EXEC processes, as follows: • Turn the EXEC process on or off. (A serial printer, for example, should not have an EXEC session started.) • Set the idle terminal timeout interval. The EXEC command interpreter waits for a specified amount of time to receive user input. If no input is detected, the EXEC facility resumes the current connection. If no connections exist, it returns the terminal to the idle state and disconnects the incoming connection. Table 4 Differences Between the Asynchronous Port and the Auxiliary (AUX) Port Feature Asynchronous Interface Auxiliary Port Maximum speed 115200 bps 38400 bps DMA buffering support1 1. Direct Memory Access (DMA) buffering moves data packets directly to and from system memory without interrupting the main CPU. This process removes overhead from the CPU and increases overall system performance. Yes No PPP framing on chip2 2. PPP framing on a hardware chip removes overhead from the CPU on the router, which enables the router to sustain 115200 bps throughput on all asynchronous ports simultaneously. Yes No IP fast switching3 3. After the destination of the first IP packet is added to the fast switching cache, it is fast switched to and from other interfaces with minimal involvement from the main processor. Yes No Configuring Asynchronous Lines and Interfaces How to Configure Other Asynchronous Line and Interface Features DC-31 Cisco IOS Dial Technologies Configuration Guide To control the EXEC process, use the following commands in line configuration mode: See the “High-Density Dial-In Solution Using Autoselect and EXEC Control Example” section for an example of configuring control over the EXEC process. Enabling Routing on Asynchronous Interfaces To route IP packets on an asynchronous interface, use one of the following commands in interface configuration mode: The async dynamic routing command routes IP packets on an asynchronous interface, which permits you to enable the Interior Gateway Routing Protocol (IGRP), Routing Information Protocol (RIP), and Open Shortest Path First (OSPF) routing protocols for use when the user makes a connection using the ppp or slip EXEC commands. The user must, however, specify the /routing keyword at the SLIP or PPP command line. For asynchronous interfaces in interactive mode, the async default routing command causes the ppp and slip EXEC commands to be interpreted as though the /route switch had been included in the command. For asynchronous interfaces in dedicated mode, the async dynamic routing command enables routing protocols to be used on the line. Without the async default routing command, there is no way to enable the use of routing protocols automatically on a dedicated asynchronous interface. See the following sections for examples of enabling routing on asynchronous interfaces: • Asynchronous Interface As the Only Network Interface Example • IGRP Configuration Example Configuring Dedicated or Interactive PPP and SLIP Sessions You can configure one or more asynchronous interfaces on your access server (and one on a router) to be in dedicated network interface mode. In dedicated mode, an interface is automatically configured for SLIP or PPP connections. There is no user prompt or EXEC level, and no end-user commands are required to initiate remote-node connections. If you want a line to be used only for SLIP or PPP connections, configure the line for dedicated mode. Command Purpose Step 1 Router(config-line)# exec Turns on EXEC processes. Step 2 Router(config-line)# exec-timeout minutes [seconds] Sets the idle terminal timeout interval. Command Purpose Router(config-if)# async dynamic routing Configures an asynchronous interface for dynamic routing. Use this command to manually bring up PPP from an EXEC session. Router(config-if)# async default routing Automatically configures an asynchronous interface for routing. Use this command to enable two routers to communicate over an asynchronous dial backup link. Configuring Asynchronous Lines and Interfaces How to Configure Other Asynchronous Line and Interface Features DC-32 Cisco IOS Dial Technologies Configuration Guide In interactive mode, a line can be used to make any type of connection, depending on the EXEC command entered by the user. For example, depending on its configuration, the line could be used for Telnet or XRemote connections, or SLIP or PPP encapsulation. The user is prompted for an EXEC command before a connection is initiated. You can configure an asynchronous interface to be in dedicated network mode. When the interface is configured for dedicated mode, the end user cannot change the encapsulation method, address, or other parameters. To configure an interface for dedicated network mode or to return it to interactive mode, use one of the following commands in interface configuration mode: By default, no asynchronous mode is configured. In this state, the line is not available for inbound networking because the SLIP and PPP connections are disabled. See the “Dedicated Asynchronous Interface Configuration Example” section for an example of how to configure a dedicated asynchronous interface. Conserving Network Addresses When asynchronous routing is enabled, you might need to conserve network addresses by configuring the asynchronous interfaces as unnumbered. An unnumbered interface does not have an address. Network resources are therefore conserved because fewer network numbers are used and routing tables are smaller. To configure an unnumbered interface, use the following command in interface configuration mode: Whenever the unnumbered interface generates a packet (for example, a routing update), it uses the address of the specified interface as the source address of the IP packet. It also uses the address of the specified interface to determine which routing processes are sending updates over the unnumbered interface. You can use the IP unnumbered feature even if the system on the other end of the asynchronous link does not support it. The IP unnumbered feature is transparent to the other end of the link because each system bases its routing activities on information in the routing updates it receives and on its own interface address. See the “Network Address Conservation Using the ip unnumbered Command Example” section for an example of how to conserve network addresses. Command Purpose Router(config-if)# async mode dedicated Places the line into dedicated asynchronous network mode. Router(config-if)# async mode interactive Returns the line to interactive mode. Command Purpose Router(config-if)# ip unnumbered type number Conserves IP addresses by configuring the asynchronous interfaces as unnumbered, and assigns the IP address of the interface type that you want to leverage. Configuring Asynchronous Lines and Interfaces How to Configure Other Asynchronous Line and Interface Features DC-33 Cisco IOS Dial Technologies Configuration Guide Using Advanced Addressing Methods for Remote Devices You can control whether addressing is dynamic (the user specifies the address at the EXEC level when making the connection) or whether default addressing is used (the address is forced by the system). If you specify dynamic addressing, the router must be in interactive mode and the user will enter the address at the EXEC level. It is common to configure an asynchronous interface to have a default address and to allow dynamic addressing. With this configuration, the choice between the default address or dynamic addressing is made by the users when they enter the slip or ppp EXEC command. If the user enters an address, it is used, and if the user enters the default keyword, the default address is used. This section describes the following optional tasks: • Assigning a Default Asynchronous Address • Allowing an Asynchronous Address to Be Assigned Dynamically Assigning a Default Asynchronous Address To assign a permanent default asynchronous address, use the following command in interface configuration mode: Use the no form of this command to disable the default address. If the server has been configured to authenticate asynchronous connections, you are prompted for a password after you enter the slip default or ppp default EXEC command before the line is placed into asynchronous mode. The assigned default address is implemented when the user enters the slip default or ppp default EXEC command. The transaction is validated by the TACACS server, when enabled, and the line is put into network mode using the address that is in the configuration file. Configuring a default address is useful when the user is not required to know the IP address to gain access to a system (for example, users of a server that is available to many students on a campus). Instead of each user being required to know an IP address, they only need to enter the slip default or ppp default EXEC command and let the server select the address to use. See the section “Making Additional Remote Node Connections” in the chapter “Configuring Asynchronous SLIP and PPP” in this publication for more information about the slip and ppp EXEC commands. See the following sections for examples: • Modem Asynchronous Group Example • Configuring Specific IP Addresses for an Interface • IP and PPP Asynchronous Interface Configuration Example Allowing an Asynchronous Address to Be Assigned Dynamically When a line is configured for dynamic assignment of asynchronous addresses, the user enters the slip or ppp EXEC command and is prompted for an address or logical host name. The address is validated by TACACS, when enabled, and the line is assigned the given address and put into asynchronous mode. Command Purpose Router(config-if)# peer default ip address ip-address Assigns a default IP address to an asynchronous interface. Configuring Asynchronous Lines and Interfaces How to Configure Other Asynchronous Line and Interface Features DC-34 Cisco IOS Dial Technologies Configuration Guide Assigning asynchronous addresses dynamically is useful when you want to assign set addresses to users. For example, an application on a personal computer that automatically dials in using Serial Line Internet Protocol (SLIP) and polls for electronic mail messages can be set up to dial in periodically and enter the required IP address and password. To assign asynchronous addresses dynamically, use the following command in interface configuration mode: The dynamic addressing features of the internetwork allow packets to get to their destination and back regardless of the access server, router, or network they are sent from. For example, if a host such as a laptop computer moves from place to place, it can keep the same address no matter where it is dialing in from. Logical host names are first converted to uppercase and then sent to the TACACS server for authentication. See the following sections for examples of configurations that allow asynchronous addresses to be assigned dynamically: • Access Restriction on the Asynchronous Interface Example • Asynchronous Routing and Dynamic Addressing Configuration Example • Network Address Conservation Using the ip unnumbered Command Example Optimizing Available Bandwidth Asynchronous lines have relatively low bandwidth and can easily be overloaded, resulting in slow traffic across these lines. To optimize available bandwidth, perform either of the following optional tasks: • Configuring Header Compression • Forcing Header Compression at the EXEC Level Configuring Header Compression One way to optimize available bandwidth is by using TCP header compression. Van Jacobson TCP header compression (defined by RFC 1144) can increase bandwidth availability two- to five-fold when compared to lines not using header compression. Theoretically, it can improve bandwidth availability by a ratio of seven to one. To configure header compression, use the following command in interface configuration mode: Command Purpose Router(config-if)# async dynamic address Allows the IP address to be assigned when the protocol is initiated. Command Purpose Router(config-if)# ip tcp header-compression [on | off | passive] Configures Van Jacobson TCP header compression on the asynchronous link. Configuring Asynchronous Lines and Interfaces Configuration Examples for Asynchronous Interfaces and Lines DC-35 Cisco IOS Dial Technologies Configuration Guide Forcing Header Compression at the EXEC Level On SLIP interfaces, you can force header compression at the EXEC prompt on a line on which header compression has been set to passive. This option allows more efficient use of the available bandwidth and does not require entering privileged configuration mode. To implement header compression, use the following command in interface configuration mode: For PPP interfaces, the passive option functions the same as the on option. See the following sections for examples of header compression: • TCP Header Compression Configuration Example • Network Address Conservation Using the ip unnumbered Command Example • IGRP Configuration Example Configuration Examples for Asynchronous Interfaces and Lines This section provides the following asynchronous interface configuration examples: • Interface and Line Configuration Examples • Line AUX Configuration Example • Rotary Group Examples • Dedicated Asynchronous Interface Configuration Example • Access Restriction on the Asynchronous Interface Example • Group and Member Asynchronous Interface Examples • Asynchronous Interface Address Pool Examples • IP and SLIP Using an Asynchronous Interface Example • IP and PPP Asynchronous Interface Configuration Example • Asynchronous Routing and Dynamic Addressing Configuration Example • TCP Header Compression Configuration Example • Network Address Conservation Using the ip unnumbered Command Example • Asynchronous Interface As the Only Network Interface Example • Routing on a Dedicated Dial-In Router Example • IGRP Configuration Example Command Purpose Router(config-if)# ip tcp header-compression passive Allows status of header compression to be assigned at the user level. Configuring Asynchronous Lines and Interfaces Configuration Examples for Asynchronous Interfaces and Lines DC-36 Cisco IOS Dial Technologies Configuration Guide Interface and Line Configuration Examples This section contains the following examples: • Asynchronous Interface Backup DDR Configuration Example • Passive Header Compression and Default Address Example • High-Density Dial-In Solution Using Autoselect and EXEC Control Example • Asynchronous Line Backup DDR Configuration Example Asynchronous Interface Backup DDR Configuration Example The following is an example of one asynchronous interface configuration on a Cisco AS2511-RJ access server that is used in an asynchronous backup DDR scenario: interface async 1 description ASYNC LINE 5293731 TO HIGHWAY encapsulation ppp async default routing async mode dedicated dialer in-band dialer map ip 192.168.10.2 name Router2 broadcast dialer-group 1 ppp authentication chap Passive Header Compression and Default Address Example The following configuration shows interface and line configuration. The interface is configured with access lists, passive header compression, and a default address. The line is configured for TACACS authentication. interface async 1 ip access-group 1 in ip access-group 1 out ip tcp header-compression passive async default ip address 172.31.176.201 line 1 login tacacs location 457-5xxx exec-timeout 20 0 password XXXXXXXX session-timeout 20 stopbits 1 High-Density Dial-In Solution Using Autoselect and EXEC Control Example The following example configures a Cisco AS5800 access server, which is used as a high-density dial-in solution: line 1/2/00 1/9/71 session-timeout 30 exec-timeout 30 0 absolute-timeout 240 autoselect during-login autoselect ppp Configuring Asynchronous Lines and Interfaces Configuration Examples for Asynchronous Interfaces and Lines DC-37 Cisco IOS Dial Technologies Configuration Guide modem InOut transport preferred none transport input all Asynchronous Line Backup DDR Configuration Example The following example configures one asynchronous line on a Cisco AS2511-RJ access server that is used in an asynchronous backup DDR scenario: line 1 modem InOut speed 115200 transport input all flowcontrol hardware Line AUX Configuration Example In the following example, the asynchronous interface corresponds to the AUX port. Use the show line command to determine which asynchronous interface corresponds to the AUX port. The IP address on the AUX ports of both routers are in the same subnet interface Async1 ip address 192.168.10.1 255.255.255.0 encapsulation ppp async dynamic routing async mode dedicated ! no ip classless ip route 0.0.0.0 0.0.0.0 Async1 /Default route points to the Async1 (AUX port) interface. ! ! logging buffered ! line con 0 exec-timeout 0 0 line aux 0 modem InOut transport input all rxspeed 38400 txspeed 38400 Rotary Group Examples The following example establishes a rotary group consisting of virtual terminal lines 2 through 4 and defines a password on those lines. By using Telnet to connect to TCP port 3001, the user gets the next free line in the rotary group. The user need not remember the range of line numbers associated with the password. line vty 2 4 rotary 1 password letmein login Configuring Asynchronous Lines and Interfaces Configuration Examples for Asynchronous Interfaces and Lines DC-38 Cisco IOS Dial Technologies Configuration Guide The following example enables asynchronous rotary line queueing: line 1 2 rotary 1 queued The following example enables asynchronous rotary line queueing using the round-robin algorithm: line 1 2 rotary 1 queued round-robin Dedicated Asynchronous Interface Configuration Example The following example shows how to assign an IP address to an asynchronous interface and place the line in dedicated network mode. Setting the stop bit to 1 is a performance enhancement. line 20 location Department PC Lab stopbits 1 speed 19200 ! interface async 20 async default ip address 172.18.7.51 async mode dedicated Access Restriction on the Asynchronous Interface Example The following example shows how to allow most terminal users access to anything on the local network, but restrict access to certain servers designated as asynchronous servers: ! access list for normal connections access-list 1 permit 192.168.0.0 0.0.255.255 ! access-list 2 permit 192.168.42.55 access-list 2 permit 192.168.111.1 access-list 2 permit 192.168.55.99 ! line 1 speed 19200 flow hardware modem inout interface async 1 async mode interactive async dynamic address ip access-group 1 out ip access-group 2 in Group and Member Asynchronous Interface Examples The following examples are included in this section: • Asynchronous Group Interface Examples • Modem Asynchronous Group Example • High-Density Dial-In Solution Using an Asynchronous Group Configuring Asynchronous Lines and Interfaces Configuration Examples for Asynchronous Interfaces and Lines DC-39 Cisco IOS Dial Technologies Configuration Guide Asynchronous Group Interface Examples The following example shows how to create an asynchronous group interface 0 with group interface members 2 through 7, beginning in global configuration mode: interface group-async 0 group-range 2 7 The following example shows how you need to configure asynchronous interfaces 1, 2, and 3 separately if you do not have a group interface configured: interface Async1 ip unnumbered Ethernet0 encapsulation ppp async default ip address 172.30.1.1 async mode interactive async dynamic routing ! interface Async2 ip unnumbered Ethernet0 encapsulation ppp async default ip address 172.30.1.2 async mode interactive async dynamic routing ! interface Async3 ip unnumbered Ethernet0 ! encapsulation ppp async default ip address 172.30.1.3 async mode interactive async dynamic routing The following example configures the same interfaces, but from a single group asynchronous interface: interface Group-Async 0 ip unnumbered Ethernet0 encapsulation ppp async mode interactive async dynamic routing group-range 1 3 member 1 async default ip address 172.30.1.1 member 2 async default ip address 172.30.1.2 member 3 async default ip address 172.30.1.3 Modem Asynchronous Group Example To configure a group asynchronous interface, specify the group async number (an arbitrary number) and the group range (beginning and ending asynchronous interface number). The following example shows the process of creating and configuring a group asynchronous interface for asynchronous interfaces 1 through 96 on a Cisco AS5300 access server, which is loaded with ninety-six 56K MICA technologies modems: interface group-async 1 ip unnumbered ethernet 0 encapsulation ppp async mode interactive ppp authentication chap pap peer default ip address pool default group-range 1 96 Configuring Asynchronous Lines and Interfaces Configuration Examples for Asynchronous Interfaces and Lines DC-40 Cisco IOS Dial Technologies Configuration Guide High-Density Dial-In Solution Using an Asynchronous Group The following example configures a Cisco AS5800 access server that is used as a high-density dial-in solution: interface group-async 0 ip unnumbered FastEthernet0/2/0 encapsulation ppp async mode interactive peer default ip address pool default no cdp enable ppp authentication chap hold-queue 10 in group-range 1/2/00 1/9/71 Asynchronous Interface Address Pool Examples The following sections provide examples of the use of Dynamic Host Configuration Protocol (DHCP) and local pooling mechanisms: • DHCP Pooling Example • Local Pooling Example • Configuring Specific IP Addresses for an Interface DHCP Pooling Example The following global configuration example enables DHCP proxy-client status on all asynchronous interfaces on the access server: ip address-pool dhcp-proxy-client The following global configuration example shows how to specify which DHCP servers are used on your network. You can specify up to four servers using IP addresses or names. If you do not specify servers, the default is to use the IP limited broadcast address of 255.255.255.255 for transactions with any and all discovered DHCP servers. ip dhcp-server jones smith wesson The following interface configuration example illustrates how to disable DHCP proxy-client functionality on asynchronous interface 1: async interface interface 1 no peer default ip address Local Pooling Example The following example shows how to select the IP pooling mechanism and how to create a pool of local IP addresses that are used when a client dials in on an asynchronous line. The default address pool comprises IP addresses 172.30.0.1 through 172.30.0.28. ! This command tells the access server to use a local pool. Configuring Asynchronous Lines and Interfaces Configuration Examples for Asynchronous Interfaces and Lines DC-41 Cisco IOS Dial Technologies Configuration Guide ip address-pool local ! This command defines the ip address pool. ! The address pool is named group1 and comprised of addresses. ! 172.30.0.1 through 172.30.0.28 inclusive ip local-pool group1 172.30.0.1 172.30.0.28 Configuring Specific IP Addresses for an Interface The following example shows how to configure the access server so that it will use the default address pool on all interfaces except interface 7, on which it will use an address pool called lass: ip address-pool local ip local-pool lass 172.30.0.1 async interface interface 7 peer default ip address lass IP and SLIP Using an Asynchronous Interface Example The following example configures IP and SLIP on asynchronous interface 6. The IP address for the interface is assigned to Ethernet 0, interactive mode has been enabled, and the IP address of the client PC running SLIP has been specified. IP and the appropriate IP routing protocols have already been enabled on the access server or router. interface async 6 ip unnumbered ethernet 0 encapsulation slip async mode interactive async default ip address 172.18.1.128 IP and PPP Asynchronous Interface Configuration Example The following example configures IP and PPP on asynchronous interface 6. The IP address for the interface is assigned to Ethernet 0, interactive mode has been enabled, and the IP address of the client PC running PPP has been specified. IP and the appropriate IP routing protocols have already been enabled on the access server or router. interface async 6 ip unnumbered ethernet 0 encapsulation ppp async mode interactive peer default ip address 172.18.1.128 Configuring Asynchronous Lines and Interfaces Configuration Examples for Asynchronous Interfaces and Lines DC-42 Cisco IOS Dial Technologies Configuration Guide Asynchronous Routing and Dynamic Addressing Configuration Example The following example shows a simple configuration that allows routing and dynamic addressing. With this configuration, if the user specifies /routing in the EXEC slip or ppp command, routing protocols will be sent and received. interface async 6 async dynamic routing async dynamic address TCP Header Compression Configuration Example The following example configures asynchronous interface 7 with a default IP address, allowing header compression if it is specified in the slip or ppp connection command entered by the user or if the connecting system sends compressed packets. interface async 7 ip address 172.31.79.1 async default ip address 172.31.79.2 ip tcp header-compression passive Network Address Conservation Using the ip unnumbered Command Example The following example shows how to configure your router for routing using unnumbered interfaces. The source (local) address is shared between the Ethernet 0 and asynchronous 6 interfaces (172.18.1.1). The default remote address is 172.18.1.2. interface ethernet 0 ip address 172.18.1.1 255.255.255.0 ! interface async 6 ip unnumbered ethernet 0 async dynamic routing ! Default address is on the local subnet. async dynamic address async default ip address 172.18.1.2 ip tcp header-compression passive The following example shows how the IP unnumbered configuration works. Although the user is assigned an address, the system response shows the interface as unnumbered, and the address entered by the user will be used only in response to BOOTP requests. Router> slip /compressed 10.11.11.254 Password: Entering async mode. Interface IP address is unnumbered, MTU is 1500 bytes. Header compression is On. Configuring Asynchronous Lines and Interfaces Configuration Examples for Asynchronous Interfaces and Lines DC-43 Cisco IOS Dial Technologies Configuration Guide Asynchronous Interface As the Only Network Interface Example The following example shows how one of the asynchronous lines can be used as the only network interface. The router is used primarily as a terminal server, but is at a remote location and dials in to the central site for its only network connection. ip default-gateway 10.11.12.2 interface ethernet 0 shutdown interface async 1 async dynamic routing ip tcp header-compression on async default ip address 10.11.16.12 async mode dedicated ip address 10.11.12.32 255.255.255.0 Routing on a Dedicated Dial-In Router Example The following example shows how a router is set up as a dedicated dial-in router. Interfaces are configured as IP unnumbered to conserve network resources, primarily IP addresses. ip routing interface ethernet 0 ip address 10.129.128.2 255.255.255.0 ! interface async 1 ip unnumbered ethernet 0 async dynamic routing ! The addresses assigned with SLIP or PPP EXEC commands are not used except ! to reply to BOOTP requests. ! Normally, the routers dialing in will have their own address and not use BOOTP at all. async default ip address 10.11.11.254 ! interface async 2 ip unnumbered ethernet 0 async default ip address 10.11.12.16 ip tcp header-compression passive async mode dedicated ! ! Run RIP on the asynchronous lines because few implementations of SLIP ! understand IGRP. Run IGRP on the Ethernet (and in the local network). ! router igrp 110 network 10.11.12.0 ! Send routes from the asynchronous lines on the production network. redistribute RIP ! Do not send IGRP updates on the asynchronous interfaces. passive-interface async 1 ! router RIP network 10.11.12.0 redistribute igrp passive-interface ethernet 0 ! Consider filtering everything except a default route from the routing ! updates sent on the (slow) asynchronous lines. distribute-list 1 out ip unnumbered async 2 async dynamic routing Configuring Asynchronous Lines and Interfaces Configuration Examples for Asynchronous Interfaces and Lines DC-44 Cisco IOS Dial Technologies Configuration Guide IGRP Configuration Example In the following example, only the Interior Gateway Routing Protocol (IGRP) TCP/IP routing protocol is running; it is assumed that the systems that are dialing in to use routing will either support IGRP or have some other method (for example, a static default route) of determining that the router is the best place to send most of its packets. router igrp 111 network 10.11.12.0 interface ethernet 0 ip address 10.11.12.92 255.255.255.0 ! interface async 1 async default ip address 10.11.12.96 async dynamic routing ip tcp header-compression passive ip unnumbered ethernet 0 line 1 modem ri-is-cd DC-45 Cisco IOS Dial Technologies Configuration Guide Configuring Asynchronous Serial Traffic over UDP This chapter describes how to communicate with a modem using the Asynchronous Serial Traffic over UDP feature in the following main sections: • UDPTN Overview • How to Configure Asynchronous Serial Traffic over UDP See the “Configuration Examples for UDPTN” section for configuration examples. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the UDP commands mentioned in this chapter, refer to the Cisco IOS Dial Technologies Command Reference, Release 12.2. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. UDPTN Overview The Asynchronous Serial Traffic over UDP feature provides the ability to encapsulate asynchronous data into User Datagram Protocol (UDP) packets and then unreliably send this data without needing to establish a connection with a receiving device. This process is referred to as UDP Telnet (UDPTN), although it does not—and cannot—use the Telnet protocol. UDPTN is similar to Telnet in that both are used to send data, but UDPTN is unique in that it does not require that a connection be established with a receiving device. You load the data that you want to send through an asynchronous port, and then send it, optionally, as a multicast or a broadcast. The receiving device(s) can then receive the data whenever it wants. If the receiver ends reception, the transmission is unaffected. The Asynchronous Serial Traffic over UDP feature provides a low-bandwidth, low-maintenance method to unreliably deliver data. This delivery is similar to a radio broadcast: It does not require that you establish a connection to a destination; rather, it sends the data to whatever device wants to receive it. The receivers are free to begin or end their reception without interrupting the transmission. It is a low-bandwidth solution for delivering streaming information for which lost packets are not critical. Such applications include stock quotes, news wires, console monitoring, and multiuser chat features. Configuring Asynchronous Serial Traffic over UDP How to Configure Asynchronous Serial Traffic over UDP DC-46 Cisco IOS Dial Technologies Configuration Guide This feature is particularly useful for broadcast, multicast, and unstable point-to-point connections. This feature may not work as expected when there are multiple users on the same port number in a nonmulticast environment. The same port must be used for both receiving and sending. How to Configure Asynchronous Serial Traffic over UDP To configure the Asynchronous Serial Traffic over UDP feature, perform the tasks described in the following sections: • Preparing to Configure Asynchronous Serial Traffic over UDP (Required) • Configuring a Line for UDPTN (Required) • Enabling UDPTN (Required) • Verifying UDPTN Traffic (Optional but Recommended) See the “Configuration Examples for UDPTN” section at the end of this chapter for multicast, broadcast, and point-to-point UDPTN configuration examples. Preparing to Configure Asynchronous Serial Traffic over UDP When configuring the Asynchronous Serial Traffic over UDP feature for multicast transmission, you must configure IP multicast routing for the entire network that will receive or propagate the multicasts. When configuring the feature for broadcast transmission, you must configure broadcast flooding on the routers between network segments. Refer to the “Configuring IP Multicast Routing” chapter of this guide for information on how to configure IP multicast routing. See the section “Configuring Broadcast Packet Handling” in the Cisco IOS IP Configuration Guide for information on how to configure broadcast flooding. Configuring a Line for UDPTN To configure the line that will be used to send or receive UDP packets, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# line line-number Enters line configuration mode for the line number specified. Step 2 Router(config-line)# transport output udptn Enables the line to transport UDP packets. Step 3 Router(config-line)# dispatch-timeout 1000 Sends packets every 1000 milliseconds. Step 4 Router(config-line)# dispatch-character 13 Sends packets after every new line. Step 5 Router(config-line)# no session-timeout Disables timeout connection closing. Configuring Asynchronous Serial Traffic over UDP How to Configure Asynchronous Serial Traffic over UDP DC-47 Cisco IOS Dial Technologies Configuration Guide Enabling UDPTN There are two methods of enabling UDPTN. You can manually enable UDPTN when you want to begin transmission or reception, or you can configure the router to automatically enable UDPTN when a connection is made to the line. To manually enable UDPTN and begin UDPTN transmission or reception, use the following command in EXEC mode: To automatically enable UDPTN when a connection is made to the line, use the following commands beginning in global configuration mode: Verifying UDPTN Traffic To verify that UDPTN is enabled correctly, perform the following steps: Step 1 Enable UDPTN debugging by using the debug udptn EXEC command. Step 2 Enable UDPTN by using the udptn ip-address EXEC command, and then observe the debug output. The following debug output shows a UDPTN session being successfully established and then disconnected. Router# debug udptn Router# udptn 172.16.1.1 Trying 172.16.1.1 ... Open *Mar 1 00:10:15.191:udptn0:adding multicast group. *Mar 1 00:10:15.195:udptn0:open to 172.16.1.1:57 Loopback0jjaassdd *Mar 1 00:10:18.083:udptn0:output packet w 1 bytes *Mar 1 00:10:18.087:udptn0:Input packet w 1 bytes Router# disconnect Closing connection to 172.16.1.1 [confirm] y Router# Command Purpose Router# udptn ip-address [port] [/transmit] [/receive] Enables UDPTN to the specified IP address (optionally, using the specified port). Use the /transmit or /receive keyword if the router will only be sending or receiving UDPTN. Command Purpose Step 1 Router(config)# line line-number Enters line configuration mode for the line number specified. Step 2 Router(config-line)# autocommand udptn ip-address [port] [/transmit] [/receive] Enables UDPTN automatically when a connection is made to the line (optionally, using the specified port). Use the /transmit or /receive keyword if the router will only be sending or receiving UDPTN. Configuring Asynchronous Serial Traffic over UDP Configuration Examples for UDPTN DC-48 Cisco IOS Dial Technologies Configuration Guide Step 3 While the udptn command is enabled, enter the show ip socket command to verify that the socket being used for UDPTN opened correctly. Router# show ip socket Proto Remote Port Local Port In Out Stat TTY OutputIF 17 --listen-- 172.21.14.90 67 0 0 89 0 17 0.0.0.0 520 172.21.14.90 520 0 0 1 0 17 1.1.1.2 57 1.1.1.1 57 0 0 48 0 17 224.1.1.1 57 1.2.2.2 57 0 0 48 0 Loopback0 Configuration Examples for UDPTN This section provides the following UDPTN configuration examples: • Multicast UDPTN Example • Broadcast UDPTN Example • Point-to-Point UDPTN Example Multicast UDPTN Example These configurations are for multicast UDPTN. The router that is multicasting does not require a multicast configuration—it simply sends to the multicast IP address. Router That Is Multicasting ip multicast-routing interface ethernet 0 ip address 10.1.1.1 255.255.255.0 ip pim dense-mode ! line 5 no session-timeout transport output udptn dispatch-timeout 10000 dispatch-character 13 modem in autocommand udptn 172.1.1.1 /transmit Receiving Routers ip multicast-routing interface ethernet 0 ip address 10.99.98.97 255.255.255.192 ip pim dense-mode ! line 0 16 transport output udptn telnet lat rlogin autocommand udptn 172.1.1.1 /receive Configuring Asynchronous Serial Traffic over UDP Configuration Examples for UDPTN DC-49 Cisco IOS Dial Technologies Configuration Guide Broadcast UDPTN Example These configurations are for broadcast UDPTN. This is the simplest method to send to multiple receivers. The broadcasting router sends to the broadcast IP address, and any router that wants to receive the transmission simply connects to the broadcast IP address by using the udptn command. Router That Is Broadcasting interface ethernet 0 ip address 10.1.1.1 255.255.255.0 ! line 5 no session-timeout transport output udptn dispatch-timeout 10000 dispatch-character 13 modem in autocommand udptn 255.255.255.255 /transmit Receiving Routers interface ethernet 0 ip address 10.99.98.97 255.255.255.192 ! line 0 16 transport output udptn telnet lat rlogin autocommand udptn 255.255.255.255 /receive Point-to-Point UDPTN Example These configurations are for two routers in mobile, unstable environments that wish to establish a bidirectional asynchronous tunnel. Because there is no way to ensure that both routers will be up and running when one of the routers wants to establish a tunnel, they cannot use connection-dependent protocols like Telnet or local area transport (LAT). They instead use the following UDPTN configurations. Each router is configured to send to and receive from the IP address of the other. Because both routers will be sending and receiving, they do not use the /transmit or /receive keywords with the udptn command. Router A interface ethernet 0 ip address 10.54.46.1 255.255.255.192 ! line 5 no session-timeout transport output udptn dispatch-timeout 10000 dispatch-character 13 modem in autocommand udptn 10.54.46.2 Configuring Asynchronous Serial Traffic over UDP Configuration Examples for UDPTN DC-50 Cisco IOS Dial Technologies Configuration Guide Router B interface ethernet 0 ip address 10.54.46.2 255.255.255.192 ! line 10 no session-timeout transport output udptn dispatch-timeout 10000 dispatch-character 13 modem in autocommand udptn 10.54.46.1 Modem Configuration and Management DC-53 Cisco IOS Dial Technologies Configuration Guide Overview of Modem Interfaces This chapter describes modem interfaces in the following sections: • Cisco Modems and Cisco IOS Modem Features • Cisco IOS Modem Components • Logical Constructs in Modem Configurations See the chapter “Overview of Dial Interfaces, Controllers, and Lines” for more information about Cisco asynchronous serial interfaces. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the modem support commands in this chapter, refer to the Cisco IOS Modem Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Cisco Modems and Cisco IOS Modem Features Deciding which asynchronous features to use, to some degree, depends on your hardware configuration. All Cisco access servers must have their asynchronous interfaces and lines configured for network protocol support. Commands entered in asynchronous interface mode configure protocol-specific parameters for asynchronous interfaces, whereas commands entered in line configuration mode configure the physical and logical aspects for the same port. Modems inside high-end access servers need a localized modem country code. This code is projected from the Cisco IOS software to the onboard modems using the modem country {mica | microcom_hdms} country command. The following are high-end access servers: Cisco AS5800, Cisco AccessPath, Cisco AS5300, and the Cisco AS5200. Modems externally attached to low-end access servers need to receive initialization strings from the modem autoconfigure discovery command. For troubleshooting tips, see the section “External Modems on Low-End Access Servers” in the chapter “Configuring and Managing External Modems.” The following are low-end access servers: Cisco AS2511-RJ, Cisco AS2509-RJ, Cisco 2509, Cisco 2511, and the Cisco 2512. Figure 12 shows a Cisco AS2511-RJ access server. Figure 13 shows a Cisco AS5300 access server. Notice that modems are either inside or outside the chassis, depending on the product model. Overview of Modem Interfaces Cisco IOS Modem Components DC-54 Cisco IOS Dial Technologies Configuration Guide Figure 12 Cisco AS2511-RJ Access Server Figure 13 Cisco AS5300 Access Server Cisco IOS Modem Components Different components inside Cisco IOS software work together to enable remote clients to dial in and send packets. Figure 14 shows one Cisco AS5300 access server that is receiving calls from a remote office, branch office (ROBO); small office, home office (SOHO); and modem client. Depending on your network scenario, you may encounter all of the components in Figure 14. For example, you might decide to create a virtual IP subnet by using a loopback interface. This step saves address space. Virtual subnets can exist inside devices that you advertise to your backbone. In turn, IP packets get relayed to remote PCs, which route back to the central site. 14479 1 ASYNC 2 3 ASYNC 4 5 ASYNC 6 7 ASYNC 8 9 ASYNC 10 11 ASYNC 12 13 ASYNC 14 15 ASYNC 16 Cisco AS2511-RJ Modems are outside the chassis Modem Modem 14480 Cisco AS5300 Modems are inside the chassis Overview of Modem Interfaces Cisco IOS Modem Components DC-55 Cisco IOS Dial Technologies Configuration Guide Figure 14 Cisco IOS Modem Concepts Virtual access interface Interface virtual template Headquarters intranet/Internet Interface group-async Cloning Cloning Asynchronous interfaces Lines Modems POTS PSTN/ISDN BRI line BRI line POTS line Cisco 766 (SOHO) Cisco 1604 (ROBO) Modem Remote PC 14931 Loopback interface Fast Ethernet interface Routing and switching engine Interface serial channels S0:0, S0:1… (B channels) Interface dialer controlling the D channels Cloning TDM bus Controllers E1/T1 PRI ports PRI lines AAA = ISDN B channel = Modem/POTS Cisco IOS software inside a Cisco AS5300 Overview of Modem Interfaces Logical Constructs in Modem Configurations DC-56 Cisco IOS Dial Technologies Configuration Guide Logical Constructs in Modem Configurations A logical construct stores core protocol characteristics to assign to physical interfaces. No data packets are forwarded to a logical construct. Cisco uses three types of logical constructs in its access servers and routers. These constructs are described in the following sections: • Asynchronous Interfaces • Group Asynchronous Interfaces • Modem Lines and Asynchronous Interfaces Asynchronous Interfaces An asynchronous interface assigns network protocol characteristics to remote asynchronous clients that are dialing in through physical terminal lines and modems. (See Figure 15.) Use the interface async command to create and configure an asynchronous interface. Figure 15 Logical Construct for an Asynchronous Interface To enable clients to dial in, you must configure two asynchronous components: asynchronous lines and asynchronous interfaces. Asynchronous interfaces correspond to physical terminal lines. For example, asynchronous interface 1 corresponds to tty line 1. Commands entered in asynchronous interface mode configure protocol-specific parameters for asynchronous interfaces, whereas commands entered in line configuration mode configure the physical aspects for the same port. Contains core protocol characteristics for incoming asynchronous clients Asynchronous interface Modem 1 Modem 14054 Line 1 PSTN/ISDN Remote PC negotiating parameters with the asynchronous interface Overview of Modem Interfaces Logical Constructs in Modem Configurations DC-57 Cisco IOS Dial Technologies Configuration Guide Specifically, you configure asynchronous interfaces to support PPP connections. An asynchronous interface on an access server or router can be configured to support the following functions: • Network protocol support such as IP, Internet Protocol Exchange (IPX), or AppleTalk • Encapsulation support such as PPP • IP client addressing options (default or dynamic) • IPX network addressing options • PPP authentication • ISDN BRI and PRI configuration For additional information about configuring asynchronous interfaces, see the “Overview of Dial Interfaces, Controllers, and Lines” chapter. Group Asynchronous Interfaces A group asynchronous interface is a parent interface that stores core protocol characteristics and projects them to a specified range of asynchronous interfaces. Asynchronous interfaces clone protocol information from group asynchronous interfaces. No data packets arrive in a group asynchronous interface. By setting up a group asynchronous interface, you also eliminate the need to repeatedly configure identical configuration information across several asynchronous interfaces. For example, on a Cisco AS5300 one group asynchronous interface is used instead of 96 individual asynchronous interfaces. (See Figure 16.) The following example shows a group asynchronous configuration for a Cisco AS5300 access server loaded with one 4-port ISDN PRI card and 96 MICA modems: Router(config)# interface group-async 1 Router(config-if)# ip unnumbered loopback 0 Router(config-if)# encapsulation ppp Router(config-if)# async mode interactive Router(config-if)# peer default ip address pool dialin_pool Router(config-if)# no cdp enable Router(config-if)# ppp authentication chap pap dialin Router(config-if)# group-range 1 96 To configure multiple asynchronous interfaces at the same time (with the same parameters), you can assign each asynchronous interface to a group and then configure the group. Configurations throughout this guide configure group asynchronous interfaces, rather than each interface separately. If you want to configure different attributes on different asynchronous interfaces, do not assign them to the group or assign different interfaces to different groups. After assigning asynchronous interfaces to a group, you cannot configure these interfaces separately. For example, on a Cisco AS5300 access server in a T1 configuration, you could assign asynchronous interfaces 1 to 48 as part of one group (such as group-async1) and asynchronous interfaces 49 to 96 as part of another group (group-async2). You can also use the member command to perform a similar grouping function. Overview of Modem Interfaces Logical Constructs in Modem Configurations DC-58 Cisco IOS Dial Technologies Configuration Guide Modem Lines and Asynchronous Interfaces Modems attach to asynchronous lines, which in turn attach to asynchronous interfaces. Depending on the type of access server you have, these components appear outside or inside the physical chassis. Figure 16 shows the logical relationships among modems, asynchronous lines, asynchronous interfaces, and group asynchronous interfaces. All these components work together to deliver packets as follows: • Asynchronous calls come into the modems from the “plain old telephone service” (POTS) or Public Switched Telephone Network (PSTN). • Modems pass packets up through asynchronous lines. • Asynchronous interfaces clone their configuration information from group asynchronous interfaces. Note The number of interfaces and modems varies among access server product models. Figure 16 Modems, Lines, and Asynchronous Interfaces Use the interface group-async command to create and configure a group asynchronous interface. The following example shows a group asynchronous configuration for a Cisco AS5300 access server loaded with one 4-port ISDN PRI card and 96 MICA modems: Router(config)# interface group-async 1 Router(config-if)# ip unnumbered loopback 0 Router(config-if)# encapsulation ppp Router(config-if)# async mode interactive Router(config-if)# peer default ip address pool dialin_pool Router(config-if)# no cdp enable Router(config-if)# ppp authentication chap pap dialin Router(config-if)# group-range 1 96 Group asynchronous interface Projects core protocol characteristics out to asynchronous interfaces Modem 1 Modem 2 Modem 96 14478 Interface async 1 Interface async 2 Interface async 96 Line 1 Line 2 Line 96 Asynchronous lines and interfaces inside the access server Modems are inside or outside the access server, depending on the product model Overview of Modem Interfaces Logical Constructs in Modem Configurations DC-59 Cisco IOS Dial Technologies Configuration Guide Modem Calls Modem calls travel through traditional telephone and ISDN lines. Regardless of the media used, these calls are initiated by a modem and terminate on another modem at the remote end. Figure 17 shows a remote laptop using a V.90 internal modem to dial in to a Cisco AS5300 access server, which is loaded with 96 internal V.90 MICA technologies modems. Figure 17 Remote Node Dialing In to a Cisco AS5300 Access Server Asynchronous Line Configuration Asynchronous line configuration commands configure ports for the following options: • Physical layer options such as modem configuration • Security for login in EXEC mode • AppleTalk Remote Access (ARA) protocol configuration (PPP is configured in interface configuration mode) • Autoselect to detect incoming protocols (ARA and PPP) To enter line configuration mode, first connect to the console port of the access server and enter privileged EXEC mode. Then enter global configuration mode and finally enter line configuration mode for the asynchronous lines that you want to configure. The following example shows how you enter line configuration mode for lines 1 through 16: Router> enable Router# configure terminal Router(config)# line 1 16 Router(config-line)# Absolute Versus Relative Line Numbers When you enter line configuration mode, you can specify an absolute line number or a relative line number. For example, absolute line number 20 is vty 2 (line 18 is vty 0). Referring to lines in a relative format is often easier than attempting to recall the absolute number of a line on a large system. Internally, the router uses absolute line numbers. On all routers except the Cisco AS5350, AS5400, AS5800, AS5850 access servers, you can view all of the absolute and relative line numbers using the show users all EXEC command. POTS PSTN/ISDN Async PRI Fast Ethernet Cisco AS5300 equipped with 96 V.90 MICA modems PC laptop with internal V.90 modem dialing in to large business LAN 14052 PPP Overview of Modem Interfaces Logical Constructs in Modem Configurations DC-60 Cisco IOS Dial Technologies Configuration Guide In the following sample display, absolute line numbers are listed at the far left. Relative line numbers are in the third column, after the line type. The second virtual terminal line, vty 1, is absolute line number 3. Compare the line numbers in this sample display to the output from the show line command. Line User Host(s) Idle Location 0 con 0 1 aux 0 2 vty 0 incoming 0 SERVER.COMPANY.COM 3 vty 1 4 vty 2 5 vty 3 6 vty 4 On the Cisco AS5350, AS5400, AS5800, AS5850 access servers, you can view the absolute and relative line numbers with the following commands: • show users all | exclude tty | interface to show the non-internal modem lines • show controller async | include tty to show the internal modem lines The following example shows the information displayed with the show users all | exclude tty|Interface command: Router# show users all | exclude tty | Interface Line User Host(s) Idle Location * 0 con 0 idle 00:00:00 1 aux 0 00:00:00 2 vty 0 00:00:00 3 vty 1 00:00:00 4 vty 2 00:00:00 5 vty 3 00:00:00 6 vty 4 00:00:00 The following example shows the information displayed with the show controller async | include tty command: Router# show controller async | include tty Controller information for Async2/00 (tty324) Controller information for Async2/01 (tty325) Controller information for Async2/02 (tty326) . . . Compare the line numbers in this sample display to the output from the show line command. Line and Modem Numbering Issues The tty line numbering scheme used by your access server or router is specific to your product and its hardware configuration. Refer to the product-specific documentation that came with your product for line numbering scheme information. For example, the Cisco AS5200 access server has tty lines that map directly to integrated modems, as shown in Table 5. Depending on the shelf, slot, and port physical architecture of the access server, the modem and tty line number schemes will change. As shown in Table 5, physical terminal lines 1 through 24 directly connect to modems 1/0 through 1/23, which are installed in the first chassis slot in this example. Physical terminal lines 25 through 48 directly connect to modems 2/0 through 2/23, which are installed in the second slot. Overview of Modem Interfaces Logical Constructs in Modem Configurations DC-61 Cisco IOS Dial Technologies Configuration Guide Decimal TCP Port Numbers for Line Connections Connections to an individual line are most useful when a dial-out modem, parallel printer, or serial printer is attached to that line. To connect to an individual line, the remote host or terminal must specify a particular TCP port on the router. If reverse XRemote is required, the port is 9000 (decimal) plus the decimal value of the line number. If a raw TCP stream is required, the port is 4000 (decimal) plus the decimal line number. The raw TCP stream is usually the required mode for sending data to a printer. If Telnet protocols are required, the port is 2000 (decimal) plus the decimal value of the line number. The Telnet protocol might require that Return characters be translated into Return and line-feed character pairs. You can turn off this translation by specifying the Telnet binary mode option. To specify this option, connect to port 6000 (decimal) plus the decimal line number. Table 5 tty Lines Associated with Cisco AS5200 Modems tty Line Slot/Modem Number tty Line Slot/Modem Number 1 1/0 25 2/0 2 1/1 26 2/1 3 1/2 27 2/2 4 1/3 28 2/3 5 1/4 29 2/4 6 1/5 30 2/5 7 1/6 31 2/6 8 1/7 32 2/7 9 1/8 33 2/8 10 1/9 34 2/9 11 1/10 35 2/10 12 1/11 36 2/11 13 1/12 37 2/12 14 1/13 38 2/13 15 1/14 39 2/14 16 1/15 40 2/15 17 1/16 41 2/16 18 1/17 42 2/17 19 1/18 43 2/18 20 1/19 44 2/19 21 1/20 45 2/20 22 1/21 46 2/21 23 1/22 47 2/22 24 1/23 48 2/23 Overview of Modem Interfaces Logical Constructs in Modem Configurations DC-62 Cisco IOS Dial Technologies Configuration Guide For example, a laser printer is attached to line 10 of a Cisco 2511 router. Such a printer usually uses XON/XOFF software flow control. Because the Cisco IOS software cannot receive an incoming connection if the line already has a process, you must ensure that an EXEC session is not accidentally started. You must, therefore, configure it as follows: line 10 flowcontrol software no exec A host that wants to send data to the printer would connect to the router on TCP port 4008, send the data, and then close the connection. (Remember that line number 10 octal equals 8 decimal.) Signal and Flow Control Overview The EIA/TIA-232 output signals are Transmit Data (TXDATA), Data Terminal Ready (DTR), and Ready To Send (RTS—Cisco 2500 routers only). The input signals are Receive Data (RXDATA), Clear to Send (CTS), and RING. The sixth signal is ground. Depending on the type of modem control your modem uses, these names may or may not correspond to the standard EIA/TIA-232 signals. Dialup modems that operate over normal telephone lines at speeds of 28800 bps use hardware flow control to stop the data from reaching the host by toggling an EIA/TIA-232 signal when their limit is reached. In addition to hardware flow control, modems require special software configuring. For example, they must be configured to create an EXEC session when a user dials in and to hang up when the user exits the EXEC. These modems also must be configured to close any existing network connections if the telephone line hangs up in the middle of a session. The Cisco IOS software supports hardware flow control on its CTS input signal, which is also used by the normal modem handshake. DC-63 Cisco IOS Dial Technologies Configuration Guide Configuring and Managing Integrated Modems The Cisco IOS software provides commands that manage modems that reside inside access servers or routers in the form of modem cards. This chapter describes the modem management tasks. It includes the following main sections: • Modems and Modem Feature Support • Managing Modems • Configuration Examples for Modem Management For additional instructions for configuring Cisco access servers, see the chapter “Configuring and Managing Cisco Access Servers and Dial Shelves” in this publication. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. Modem initialization strings are listed in the “Modem Initialization Strings” appendix. For a complete description of the commands mentioned in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Modems and Modem Feature Support The Cisco IOS software supports three types of integrated modems for Cisco access servers and access routers: • Modem ISDN channel aggregation (MICA) digital modem • NextPort digital modem • NM-AM network module analog modem Table 6 lists device support for each of the Cisco access server hardware platforms. Configuring and Managing Integrated Modems Modems and Modem Feature Support DC-64 Cisco IOS Dial Technologies Configuration Guide Note If the platform is using MICA technologies modems, the V.120 rate adaptation is done by CPU on vty lines like protocol translation sessions. The following sections summarize the standards supported by modems in the Cisco access servers. See Table 7 through Table 10 for a summary and comparison of the Cisco IOS commands used for the MICA and NextPort modems. V.90 Modem Standard Study Group 16 of the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) developed the V.90 modem standard for multimedia systems. The V.90 standard describes a digital modem and analog modem pair for use on the public switched telephone network (PSTN). V.90 modems are designed for connections that are digital at one end and have only one digital-to-analog conversion. The V.90 standard is expected to be widely used for applications such as Internet and online service access. Download speeds of up to 56,000 bits per second (bps) are possible, depending on telephone line conditions, with upload speeds of up to 33,600 bps. V.110 Bit Rate Adaption Standard V.110 is a bit rate adaptation standard defined by the ITU that provides a standard method of encapsulating data over global system for mobile telecommunication (GSM) and ISDN networks. V.110 allows for reliable transport of asynchronous or synchronous data. V.110 adapts a low-speed connection Table 6 Cisco IOS Modems and Modem Feature Support Device Support Cisco AS5300 Cisco AS5350 Cisco AS5400 Cisco AS5800 Cisco 2600/3600 Series Routers Integrated modems 6- and 12-port MICA 60-port NextPort CSM v6DFC 108-port NextPort CSM v6DFC 72- and 144-port MICA 324-port NextPort CSM v6DFC 6-port, 12-port, 18-port, 24-port, or 30-port MICA NM-DM 8- and 16-port analog NM-AM V.90 Yes Yes Yes Yes Yes with NM-DM V.110 Yes Yes Yes Yes Yes with NM-DM V.120 No, CPU only Yes Yes Yes with 324-port NextPort1 CSM v6DFC 1. For more detailed information regarding the V.120 functionalities that are supported both by NextPort and Cisco IOS software, see the section “V.120 Bit Rate Adaptation Standard.” No, CPU only Configuring and Managing Integrated Modems Modems and Modem Feature Support DC-65 Cisco IOS Dial Technologies Configuration Guide to an ISDN B channel allowing the remote station or terminal adapter to use the fast call setup times offered by ISDN. This feature allows V.110 calls to be originated and terminated over ISDN. It also enables GSM wireless connectivity. V.110, as an alternative to V.120, provides DTE with V-series type interfaces with access to ISDN network by bit stuffing. Many V.110 devices are used in Europe and Japan. In Japan, MICA supports the Personal-Handyphone-System Internet Access Forum Standard (PIAFS) protocol, which is similar to V.110. The V.110 implementation for calls on MICA modems is managed by special boardware and modem code, along with the appropriate Cisco IOS image, in a manner similar to other modulation standards. This MICA V.110 implementation provides V.110 user rates ranging from 600 bps to 38,400 bps. V.110 is supported on the following Cisco devices and network modules: • Cisco AS5300-series access servers • Cisco 3620, 3640, and 3660 access routers • NM-6DM, NM-12DM, NM-18DM, NM-24DM, and NM-30DM network modules The digital signal processors (DSPs) on the board can function as either modems or V.110 terminal adapters (or V.120 terminal adapters for NextPort DSPs). Based on the ISDN Q.931 bearer capability information element, the Cisco IOS software configures the DSP to treat the incoming call as a modem call, a V.110 call, or a V.120 call. Figure 18 shows a dial-in scenario for how V.110 technology can be used with a stack of Cisco AS5300-series access servers. Figure 18 V.110 Dial-In Scenario Using a Stack of Cisco AS5300-Series Access Servers S6819 GSM cellular satellite Cellular phone Laptop with wireless modem Cellular tower V.110 terminal adapter Telecommuter or home office Dial process server Stack of Cisco AS5300 access servers loaded with V.110 terminal adapter cards PRI PRI PSTN/ ISDN network Internet or enterprise Configuring and Managing Integrated Modems Managing Modems DC-66 Cisco IOS Dial Technologies Configuration Guide V.120 Bit Rate Adaptation Standard ITU-T Recommendation V.120 revised by the ITU-T Study Group 14. V.120 describes a standard that can be used for adapting terminals with non-ISDN standard network interfaces to an ISDN. It is intended to be used between two terminal adapter (TA) functional groups, between two ISDN terminal (TE1) functional groups, between a TA and a TE1, or between either a TA or TE1 and an interworking facility inside a public or private ISDN. V.120 allows for reliable transport of synchronous, asynchronous, or bit transparent data over ISDN bearer channels. Cisco provides three V.120 support features for terminal adapters that do not send the low-layer compatibility fields or bearer capability V.120 information: • Answer all incoming calls as V.120—Static configuration used when all remote users have asynchronous terminals and need to connect with a vty on the router. • Automatically detect V.120 encapsulation—Encapsulation dynamically detected and set. • Enable V.120 support for asynchronous access over ISDN. For terminal adapters that send the low-layer compatibility or bearer capability V.120 information, mixed V.120 and ISDN calls are supported. No special configuration is required. V.120 is a digital rate adaptation and cannot be done on NM-AM network module analog modems. MICA DSP firmware does not have the code to terminate V.120 calls. NextPort supports only a subset of V.120 functionalities that are supported by Cisco IOS software. Therefore, certain V.120 calls still will need to be terminated on the CPU, even if the chassis has available NextPort modems. Managing Modems To manage modems, perform the tasks in the following sections; the tasks you need to perform depend upon the type and needs of your system: • Managing SPE Firmware • Configuring Modems in Cisco Access Servers • Configuring Cisco Integrated Modems Using Modem Attention Commands • Configuring Modem Pooling • Configuring Physical Partitioning • Configuring Virtual Partitioning • Configuring Call Tracker • Configuring Polling of Link Statistics on MICA Modems • Configuring MICA In-Band Framing Mode Control Messages • Enabling Modem Polling • Setting Modem Poll Intervals • Setting Modem Poll Retry • Collecting Modem Statistics • Troubleshooting Using a Back-to-Back Modem Test Procedure • Clearing a Direct Connect Session on a Microcom Modem Configuring and Managing Integrated Modems Managing Modems DC-67 Cisco IOS Dial Technologies Configuration Guide • Displaying Local Disconnect Reasons • Removing Inoperable Modems • Busying Out a Modem Card • Monitoring Resources on Cisco High-End Access Servers Managing SPE Firmware You can upgrade your modem firmware to the latest NextPort Service Processing Element (SPE) firmware image available from Cisco. The SPE firmware image is usually retrieved from Cisco.com. You must first copy the SPE image from a TFTP server to flash memory using the copy tftp flash command. You then configure the firmware upgrade using the firmware location and firmware upgrade SPE configuration commands. The firmware location command specifies the location of the firmware file and downloads the firmware to an SPE or a range of SPEs, according to the schedule you selected for the firmware upgrade method using the firmware upgrade command. The modem firmware upgrade commands must be saved into the system configuration using the write memory command; otherwise, at the next reboot downloading of the specified firmware will not occur. To upgrade SPE firmware, use the following commands: Command Purpose Step 1 Router# configure terminal Enters global configuration mode. Step 2 AS5400: Router(config)# spe slot/spe or Router(config)# spe slot/spe slot/spe AS5800: Router(config)# spe shelf/slot/spe or Router(config)# spe shelf/slot/spe shelf/slot/spe Enters SPE configuration mode. You can choose to configure a range of SPEs by specifying the first and last SPE in the range. Step 3 Router(config-spe)# firmware upgrade {busyout | download-maintenance | reboot} Specifies the upgrade method. Three methods of upgrade are available. The busyout keyword waits until all calls are terminated on an SPE before upgrading the SPE to the designated firmware. The download-maintenance keyword upgrades the firmware during the download maintenance time. The reboot keyword requests the access server to upgrade firmware at the next reboot. Configuring and Managing Integrated Modems Managing Modems DC-68 Cisco IOS Dial Technologies Configuration Guide Note As soon as a firmware file is specified, the downloading begins. Do not specify all modems and then go into an upgrade process on a busy router. The modems that are not busy will all be marked busy and the server will wait until all the modems on each of the given cards are free before upgrading the multiple-port cards. The only way to clear this situation is to start disconnecting users with a clear command. Normally, groups of modems are specified in scripts with the spe slot/spe_begin and slot/spe_end statements, and upgrades are done in a rolling fashion. Use the show modem version and show spe version commands to verify that the modems are running the portware version you specified. The following example shows how to enter the SPE configuration mode, set the range of SPEs, specify the firmware file location in flash memory, download the file to the SPEs, and display a status report using the show spe EXEC command: Router# configure terminal Router(config)# spe 7/0 7/17 Router(config-spe)# firmware upgrade busyout Router(config-spe)# firmware location flash:np_6_75 Started downloading firmware flash:np_6_75.spe Router(config-spe)# exit Router(config)# exit Router# show spe 7 . . . Step 4 Router(config-spe)# firmware location [IFS:[/]]filename Specifies the SPE firmware file in flash memory to use for the selected SPEs. Allows you to upgrade firmware for SPEs after the new SPE firmware image is copied to your flash memory. The Cisco IOS file specification (IFS) can be any valid IFS on any local file system. Use the dir all-filesystems EXEC command to display legal IFSs. Examples of legal IFS specifications include: • bootflash:—Loads the firmware from a separate flash memory device. • flash:—Loads the firmware from the flash NVRAM located within the router. • system:/—Loads the firmware from a built-in file within the Cisco IOS image. The optional forward slash (/) and system path must be entered with this specification. • filename—The name of the desired firmware file (for example, mica-modem-pw.2.7.3.0.bin). If the system keyword is specified, enter the path to the filename you want to download. Step 5 Router(config-spe)# exit Exits SPE configuration mode. Step 6 Router(config)# exit Exits global configuration mode. Step 7 Router# copy running-config startup-config Saves your changes. Command Purpose Configuring and Managing Integrated Modems Managing Modems DC-69 Cisco IOS Dial Technologies Configuration Guide SPE SPE SPE SPE Port Call SPE# Port # State Busyout Shut Crash State Type 7/00 0000-0005 ACTIVE 1 0 0 BBBBBB ______ 7/01 0006-0011 DOWNLOAD 1 0 0 bbbbbb ______ 7/02 0012-0017 DOWNLOAD 1 0 0 bbbbbb ______ 7/03 0018-0023 DOWNLOAD 1 0 0 bbbbbb ______ . . . For information about upgrading Cisco 3600 Series and Cisco 3700 modems, see the Cisco 3600 Series and Cisco 3700 Series Modem Portware Upgrade Configuration Note at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/cis3600/sw_conf/portware/5257d56 k.htm . Configuring Modems in Cisco Access Servers To configure modem support for access servers such as the Cisco AS5300 and AS5800, perform the following tasks. The list describes which tasks are required and which are optional but recommended. • Configuring Modem Lines (Required) • Verifying the Dial-In Connection (Optional but Recommended) • Troubleshooting the Dial-In Connection (Optional but Recommended) • Configuring the Modem Using a Modemcap (Required) • Configuring the Modem Circuit Interface (Required for Digital Modems) Note See the chapter “Configuring and Managing Cisco Access Servers and Dial Shelves” for additional information about configuring Cisco AS5x00 series access servers. Configuring Modem Lines You must configure the modem lines and set the country code to enable asynchronous connections into your access server. To configure the modems and line, use the following commands beginning in global configuration mode: Command Purpose Step 1 MICA modems Router(config)# modem country mica country NextPort SPE modems Router(config)# spe country country Microcom modems Router(config)# modem country microcom_hdms country Depending on the type of modems loaded in your access server, specifies the modem vendor and country code.1 This step is only for the MICA, NextPort SPE, and Microcom modems in the Cisco AS5000 series access servers. Table 7 through Table 10 provide a summary and comparison of the Cisco IOS commands used for the MICA and NextPort modems. Step 2 Router(config)# line beginning-line-number ending-line-number Enters the number of modem lines to configure. Usually this range is equal to the number of modems in the access server. Use the show line EXEC command to see which lines are available. Configuring and Managing Integrated Modems Managing Modems DC-70 Cisco IOS Dial Technologies Configuration Guide Verifying the Dial-In Connection Before configuring any additional protocols for the line such as SLIP, PPP, or ARA, test whether the dial-in connection for the access server and modem are configured correctly for dial-in access, Note The same configuration issues exist between the client DTE and client modem. Make sure that you have the correct EIA/TIA-232 cabling and modem initialization string for your client modem. The following is an example of a successful connection from a PC using a known good modem to dial in to a Cisco access server: at OK atdt9,5550101 CONNECT 14400/ARQ/V32/LAPM/V42BIS User Access Verification Username: user1 Password: Router> Step 3 Router(config-line)# transport {input | output} {all | none} Specifies that connection protocols can be used when connecting to the line. For outgoing calls, choose the output option. For incoming calls, choose the input option. If you do not intend to dial out, choose the none option. Step 4 Router(config-line)# autoselect {arap | ppp | slip} Configures the line to automatically startup an AppleTalk Remote Access (ARA), PPP, and Serial Line Internet Protocol (SLIP) session. You can configure more than one protocol by entering multiple autoselect commands with the appropriate keyword. Step 5 Router(config-line)# autoselect during-login Configures the lines to display the username and password prompt as soon as the line is connected, rather than waiting until the user presses the Enter or Return key at the terminal. Step 6 Router(config-line)# login authentication dialin or Router(config-line)# login login-name Router(config-line)# password password Enables authentication across all asynchronous modem logins. Use the login authentication dialin command when authentication, authorization, and accounting (AAA) authentication has been enabled. Use the login and password commands to configure non-AAA user authentication. Step 7 Router(config-line)# modem dialin Configures the modem for only incoming calls. Step 8 Router(config-line)# exit Returns to global configuration mode. 1. For a comprehensive list of modem country codes, see the modem country mica command and the modem country microcom_hdms command in the Cisco IOS Dial Technologies Command Reference. Command Purpose Configuring and Managing Integrated Modems Managing Modems DC-71 Cisco IOS Dial Technologies Configuration Guide Troubleshooting the Dial-In Connection Depending upon the problems you experience, take the appropriate action: • If you are having problems making or receiving calls, make sure that you turned on the protocols for connecting to the lines and configured for incoming and outgoing calls. • If the calls are not coming up at all, turn on modem debugging. Use the the modem debugging commands as follows: – The debug modem command enables debugging on the modem line. – The debug modem csm (or debug csm modem) command enables debugging for lines configured for digital modems. – The debug isdn q931 command enables debugging for lines configured for the ISDN and Signaling System 7 (SS7) Q.931 protocols. – The debug cas command enables debugging for lines configured for channel-associated signaling (CAS). Following is a sample of how to enable and then disable Cisco IOS modem debugging commands on a network access server: Router# debug modem Router# debug modem csm Router# debug isdn q931 Router# no debug modem Router# no debug modem csm Router# no debug isdn q931 • Enter the debug modem ? command for a list of additional modem debugging commands: Router# debug modem ? b2b Modem Special B2B csm CSM activity maintenance Modem maintenance activity mica MICA Async driver debugging oob Modem out of band activity tdm B2B Modem/PRI TDM trace Call Trace Upload • Turn off the messages by entering the no debug modem command. For more detailed information refer to the TAC Tech Notes document, Troubleshooting Modems, at the following URL: http://www.cisco.com/warp/public/471/index_14280.html Configuring the Modem Using a Modemcap Modems are controlled by a series of parameter settings (up to a limit of 128 characters) that are sent to the modem to configure it to interact with a Cisco device in a specified way. The parameter settings are stored in a database called a modem capability (modemcap). The Cisco IOS software contains defined modemcaps that have been found to properly initialize internal modems. Following are the names of some modemcaps available in the Cisco IOS software: • cisco_v110—Cisco (NEC) internal V.110 TA (AS5200) • mica—Cisco MICA HMM/DMM internal digital modem • nextport—Cisco NextPort CSMV/6 internal digital modem • microcom_hdms—Microcom HDMS chassis Configuring and Managing Integrated Modems Managing Modems DC-72 Cisco IOS Dial Technologies Configuration Guide • microcom_mimic—Cisco (Microcom) internal analog modem (NM-AM–2600/3600) • microcom_server—Cisco (Microcom) V.34/56K internal digital modem (AS5200) Enter these modemcap names with the modem autoconfigure type command. For more information on creating and using modemcaps refer to the TAC Tech Notes documentation, Recommended Modemcaps for Internal Digital and Analog Modems on Cisco Access Servers, at the following URL: http://www.cisco.com/warp/public/471/recc_modemcaps.html If your modem is not on this list and if you know what modem initialization string you need to use with it, you can create your own modemcap; see the following procedure, “Using the Modem Autoconfigure Type Modemcap Feature.” To have the Cisco IOS determine what type of modem you have, use the modem autoconfigure discovery command to configure it, as described in the procedure “Using the Modem Autoconfigure Discovery Feature.” Note When configuring an internal modem, avoid using the Modem Autoconfigure Discovery feature because the feature can misdetect the internal modem type and cause the modem to start working in an unpredictable and unreproducable manner. Using the Modem Autoconfigure Type Modemcap Feature If you know what modem initialization string you need to use with your modem, you can create your own modemcap by performing the following steps. Step 1 Use the modemcap edit command to define your own modemcap entry. The following example defines modemcap MODEMCAPNAME: Router(config)# modemcap edit MODEMCAPNAME miscellaneous &FS0=1&D3 Step 2 Apply the modemcap to the modem lines as shown in the following example: Router# terminal monitor Router# debug confmodem Modem Configuration Database debugging is on Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#line 33 34 Router(config-line)#modem autoconfigure type MODEMCAPNAME Jan 16 18:12:59.643: TTY34: detection speed (115200) response ---OK--- Jan 16 18:12:59.643: TTY34: Modem command: --AT&FS0=1&D3-- Jan 16 18:12:59.659: TTY33: detection speed (115200) response ---OK--- Jan 16 18:12:59.659: TTY33: Modem command: --AT&FS0=1&D3-- Jan 16 18:13:00.227: TTY34: Modem configuration succeeded Jan 16 18:13:00.227: TTY34: Detected modem speed 115200 Jan 16 18:13:00.227: TTY34: Done with modem configuration Jan 16 18:13:00.259: TTY33: Modem configuration succeeded Jan 16 18:13:00.259: TTY33: Detected modem speed 115200 Jan 16 18:13:00.259: TTY33: Done with modem configuration Note The report that is generated by the debug confmodem command can be misleading for the MICA and NextPort internal modems because these modems do not have Universal Asynchronous Receiver/Transmitter (UART) and exchange data with the CPU at speeds of hundreds of kbps. Configuring and Managing Integrated Modems Managing Modems DC-73 Cisco IOS Dial Technologies Configuration Guide Using the Modem Autoconfigure Discovery Feature If you prefer that the modem software use its autoconfigure mechanism to configure the modem, use the modem autoconfigure discovery command. The following example shows how to configure modem autoconfigure discovery mode: Router# terminal monitor Router# debug confmodem Modem Configuration Database debugging is on Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# line 33 34 Router(config-line)# modem autoconfigure discovery Jan 16 18:16:17.724: TTY33: detection speed (115200) response ---OK--- Jan 16 18:16:17.724: TTY33: Modem type is default Jan 16 18:16:17.724: TTY33: Modem command: --AT&F&C1&D2S0=1H0-- Jan 16 18:16:17.728: TTY34: detection speed (115200) response ---OK--- Jan 16 18:16:17.728: TTY34: Modem type is default Jan 16 18:16:17.728: TTY34: Modem command: --AT&F&C1&D2S0=1H0-- Jan 16 18:16:18.324: TTY33: Modem configuration succeeded Jan 16 18:16:18.324: TTY33: Detected modem speed 115200 Jan 16 18:16:18.324: TTY33: Done with modem configuration Jan 16 18:16:18.324: TTY34: Modem configuration succeeded Jan 16 18:16:18.324: TTY34: Detected modem speed 115200 Jan 16 18:16:18.324: TTY34: Done with modem configuration Configuring the Modem Circuit Interface The next task to complete before using the integrated modem is to configure the modem circuit interface. The basic steps are outlined next: • If the integrated modem is an analog modem, no further configuration is required; modem characteristics are set on the line. • If the integrated modem is a digital modem, you can configure either the ISDN or CAS, as appropriate. – For ISDN BRI and PRI, you need to select the switch type and whether ISDN accepts incoming voice or data calls. If you configure a PRI, you will need to configure the T1 or E1 controller. See the chapter “Configuring ISDN BRI” in the “ISDN Configuration” part of this guide, and the chapter “Configuring ISDN PRI” in the “Signaling Configuration” part of this guide. – Configuring CAS is described in the chapter “Configuring ISDN PRI” in the Signaling Configuration part of this guide. If you want to configure SS7, refer to Appendix G, “Configuring the Cisco SS7/C7 Dial Access Solution System,” in the Cisco IOS Voice, Video, and Fax Configuration Guide. Comparison of NextPort SPE and MICA Modem Commands Table 7 through Table 10 compare the MICA and SPE commands. Table 7 EXEC Commands: NextPort to MICA Command Comparison NextPort SPE Commands Purpose MICA Modem Commands clear port Clears specified ports. clear modem clear port log Clears all log entries for specified ports. clear modem log Configuring and Managing Integrated Modems Managing Modems DC-74 Cisco IOS Dial Technologies Configuration Guide clear spe Reboots all specified SPEs. All calls will be torn down. none clear spe counters Clears all statistics. clear modem counters clear spe log Clears all log entries for specified SPEs. clear modem log show port config Displays configuration parameters for the current active session. show modem config show port modem calltracker Displays port-level information for an active modem. show modem calltracker show port modem log Displays the events generated by the modem sessions. show modem log show port modem test Displays port modem test results. show modem test show port operational-status Displays statistics for the current active session. show modem operational-status show spe Displays the SPE status. — show spe log Displays the SPE system log. — show spe modem active Displays the statistics of all active calls on specified SPEs. show modem show spe modem csr Displays the call success rate (CSR) for the specified SPE. show modem show spe modem disconnect-reason Displays all modem disconnect reasons for the specified SPEs. show modem call-stats show spe modem high speed Displays the total number of connections negotiated within each modulation or coder-decoder (codec) for a specific range of SPEs. show modem speed show spe modem high standard Displays the total number of connections negotiated within each high modulation or codec for a specific range of SPEs or for all the SPEs. — show spe modem low speed Displays the connect-speeds negotiated within each low-speed modulation or codec for a specific range of SPEs or for all the SPEs. show modem speed show spe modem low standard Displays the total number of connections negotiated within each low modulation or codec for a specific range of SPEs or for all the SPEs. — show spe modem summary Displays the modem service history statistics for specific SPEs. show modem show spe version Displays all MICA and NextPort firmware versions stored in flash memory and the firmware assigned to each SPE. show modem mapping Table 7 EXEC Commands: NextPort to MICA Command Comparison (continued) NextPort SPE Commands Purpose MICA Modem Commands Configuring and Managing Integrated Modems Managing Modems DC-75 Cisco IOS Dial Technologies Configuration Guide Table 8 SPE Configuration Commands: NextPort to MICA Command Comparison NextPort SPE Commands Purpose MICA Modem Commands busyout Busies out active calls. modem busyout firmware location filename Specifies the firmware file to be upgraded. Already implemented on the Cisco AS5300 and Cisco AS5800 platforms. firmware upgrade Specifies the upgrade method. Already implemented on the Cisco AS5300 platform. port modem autotest1 1. Cisco does not recommend the use of the modem autotest or port modem autotest command. These commands may produce unexpected results including modems being marked out of service and unscheduled reloads. These commands have been removed in Cisco IOS Release 12.3. Enables modem autotest. modem autotest shutdown Tears down all active calls on the specified SPEs. modem shutdown spe Configures the SPE. Already implemented on the Cisco AS5300 and Cisco AS5800 platforms. spe call-record Generates a modem call record at the end of each call. modem call-record spe country Sets the system country code. modem country spe log-size Sets the maximum log entries for each port. modem buffer-size spe poll Sets the statistic polling interval. modem poll Table 9 Port Configuration Commands: NextPort to MICA Command Comparison NextPort SPE Commands Purpose MICA Modem Commands busyout Busies out a port. modem busyout default Compares the value of the command to its default value. default modem port Configures the port range. modem range shutdown Shuts down a port. modem shutdown Table 10 Global Configuration Commands: NextPort to MICA Command Comparison NextPort SPE CLI Commands Purpose MICA Modem CLI Commands ds0 busyout-threshold Defines a threshold to maintain a balance between the number of digital signal level 0s (DS0s) and modems. modem busyout-threshold Configuring and Managing Integrated Modems Managing Modems DC-76 Cisco IOS Dial Technologies Configuration Guide Configuring Cisco Integrated Modems Using Modem Attention Commands This section provides information about using modem attention (AT) command sets to modify modem configuration. It contains the following sections: • Using Modem Dial Modifiers on Cisco MICA Modems (As required) • Changing Configurations Manually in Integrated Microcom Modems (As required) • Configuring Leased-Line Support for Analog Modems (As required) Using Modem Dial Modifiers on Cisco MICA Modems Dial modifiers permit multistage dialing for outbound modem calling through public and private switched telephone networks (PSTNs). Note For additional information about dial modifiers for the MICA modems, search Cisco.com for the publication AT Command Set and Register Summary for MICA Six-Port Modules. The Cisco NAS Modem Health feature is enabled by arguments to the ATD AT command. The AT prefix informs the network access server modem that commands are being sent to it, and the D (dial string or dial) suffix dials a telephone number, establishing a connection. With NAS Modem Health feature, you can enter the dial modifiers listed in Table 11 after the D in your dial string: X, W, and the comma (,) character. These modifiers had been previously accepted without error but ignored in Cisco MICA modems on Cisco AS5300 and Cisco AS5800 universal access servers. In the following example dial string, the portion of the string before the X is dialed for the given line type used in your configuration. All digits after the X generate the appropriate DTMF tones. atdT5550101x,,567 Table 11 Dial Modifiers for Cisco MICA Modems Dial Modifier Definition X Switches to in-band dual tone multifrequency (DTMF) mode for any subsequent digits remaining in the ATD string. The X dial modifier has been added to serve as a delimiter for the host when the dial string is processed. It allows Cisco MICA portware to be used in many environments that do not support DTMF dialing (for example, PRI). W Waits for dial tone and then switches to in-band DTMF mode for any subsequent digits remaining in the ATD string. The W dial modifier also acts as a delimiter between the primary and secondary sections of the dial string, so that no additional X modifier is needed. Once either an X or a W has been parsed in the dial string, any additional X modifiers are ignored. Additional W modifiers cause Cisco MICA modems to wait for a dial tone. , Delay: Number of seconds in S8. Default is 2 seconds. The comma (,) dial modifier is treated as a silent DTMF tone for the duration of seconds specified in S8. The comma is acted on only after the call switching module (CSM) has made the transition to DTMF mode, which requires that it either follow an X or a W in the dial string, or that the T1/E1 be configured for DTMF signaling. Configuring and Managing Integrated Modems Managing Modems DC-77 Cisco IOS Dial Technologies Configuration Guide Changing Configurations Manually in Integrated Microcom Modems You can change the running configuration of an integrated modem by sending individual modem AT commands. Manageable Microcom modems have an out-of-band feature, which is used to poll modem statistics and send AT commands. The Cisco IOS software uses a direct connect session to transfer information through this out-of-band feature. To send AT commands to a Microcom modem, you must permit a direct connect session for a specified modem, open a direct connect session, send AT commands to a modem, and clear the directly connected session from the modem when you are finished. Open a direct connect session by entering the modem at-mode slot/port command in privileged EXEC mode. From here, you can send AT commands directly from your terminal session window to the internal Microcom modems. Most incoming or outgoing calls on the modems are not interrupted when you open a direct connect session and send AT commands. However, some AT commands interrupt a call—for example, the ATH command, which hangs up a call. Open and close one direct connect session at a time. Note that multiple open sessions slow down modem performance. Refer to the AT command set that came with your router for a complete list of AT commands that you can send to the modems. For Microcom modems, you can clear or terminate an active directly connected session in two ways: • Press Ctrl-C after sending all AT commands as instructed by the system when you enter AT command mode. • Enter a second Telnet session and execute the clear modem at-mode slot/port EXEC command. This method is used for closing a directly connected session that may have been mistakenly left open by the first Telnet session. The following example illustrates use of the modem commands. AT Mode Example for Integrated Modems To establish a direct connect session to an internal or integrated modem (existing inside the router), such as the connection required for Microcom modems in the Cisco AS5200 access server, open a directly connected session with the modem at-mode command and then send an AT command to the specified modem. For example, the following example sends the AT command at%v to modem 1/1: AS5200# modem at-mode 1/1 You are now entering AT command mode on modem (slot 1 / port 1). Please type CTRL-C to exit AT command mode. at%v MNP Class 10 V.34/V.FC Modem Rev 1.0/85 OK at\s IDLE 000:00:00 LAST DIAL NET ADDR: FFFFFFFFFFFF MODEM HW: SA 2W United States 4 RTS 5 CTS 6 DSR - CD 20 DTR - RI MODULATION IDLE MODEM BPS 28800 AT%G0 MODEM FLOW OFF AT\G0 MODEM MODE AUT AT\N3 V.23 OPR. OFF AT%F0 AUTO ANS. ON ATS0=1 SERIAL BPS 115200 AT%U0 BPS ADJUST OFF AT\J0 Configuring and Managing Integrated Modems Managing Modems DC-78 Cisco IOS Dial Technologies Configuration Guide SPT BPS ADJ. 0 AT\W0 ANSWER MESSGS ON ATQ0 SERIAL FLOW BHW AT\Q3 PASS XON/XOFF OFF AT\X0 PARITY 8N AT The modem responds with “OK” when the AT command you send is received. Configuring Leased-Line Support for Analog Modems Analog modems on the NM-8AM and NM-16AM network modules in the Cisco 2600 and 3600 series routers provide two-wire leased-line support for enterprise customers who require point-to-point connections between locations and for enterprise customers with medium to high data transfer requirements without access to other technologies or with access to only low-grade phone lines. This feature works only with leased lines that provide loop current. Each modem used must have an RJ-11 connection to the PSTN. Several features enhance the analog modem software: • 2-wire leased-line support. • Modem speeds up to 33.6 kbps with support for all current analog modem protocols, compression, and error correction techniques. • Power-on autoconnect and loopback testing. • Support for the maximum number of leased-line users without data transmission loss at distances up to 2 to 5 km. • In-band and out-of-band monitoring. • Support on all Cisco 2600 and Cisco 3600 series platforms and upgradability using Cisco IOS software. • Compatibility with other major leased-line modem vendors. To configure this support, configure one modem AT command (AT&L) and two AT registers with the modemcap entry command for the appropriate leased lines. For leased line configuration using the AT&L{0 | 1 | 2}command: • 0—Disables the leased line (enables switched line; default). • 1—Enables the leased line. The modem initiates a leased line when dial and answer commands (ATD and ATA) are issued. • 2—Enables the leased line. The modem goes off hook automatically after T57 number of seconds in: – Originate mode if ATS0 is 0. – Answer mode if ATS0 is not equal to 0. The following AT registers can also be set: • AT:T57—Number of seconds before going off hook in leased-line mode when the command AT&L2 is used (defaults to 6). • AT:T79—Number of autoretrains before the modem is disconnected (defaults to 3). For more information about using the AT command set with the modems on the NM-8AM and NM-16AM network modules in the Cisco 2600 and 3600 series routers, search Cisco.com for the publication AT Command Set and Register Summary for Analog Modem Network Modules. Configuring and Managing Integrated Modems Managing Modems DC-79 Cisco IOS Dial Technologies Configuration Guide To configure a modem for leased-line operation, use the following commands in global configuration mode: The show modemcap command lists all the predefined modem types and any user-defined modemcaps that are currently configured on the router: • If the leased line has been configured, the modemcap information will be available. • If the leased line has not been configured, only the predefined modem types will be displayed. The important setting for leased-line support is what is defined in the modemcap as the key configuration item and its application to the leased line. Consider the following command strings: modemcap entry micro_LL_orig:AA=S0=0&L2 modemcap entry micro_LL_ans:AA=S0=1&L2 AA stands for autoanswer: • The answering modem AA register is set to 1 (AA=S0=1) so that autoanswer is “on”. • The originating modem AA register is set to 0 (AA=S0=0) so that autoanswer is “off”. If the AA feature is used, both the originating and answering modem must be put into leased-line mode with the &L2 AT command. In the examples, the micro_LL_orig and micro_LL_ans strings are arbitrary text descriptions. Note For the modemcap entry command, one of the predefined modem types may be used or a completely user-defined modemcap may be created. For leased line, no new modem type was added. Users may create their own modemcaps for leased-line functionality. To configure the modem for leased-line operation, use the modemcap entry command. For each connection, each modem must be configured as an originator or answerer. The following example shows modemcaps for a leased-line originator and answerer and their application to specific ports: modemcap entry micro_LL_orig:AA=S0=0&L2 modemcap entry micro_LL_ans:AA=S0=1&L2 line 73 no exec modem InOut modem autoconfigure type micro_LL_ans transport input all line 74 no exec modem InOut modem autoconfigure type micro_LL_orig transport input all Command Purpose Step 1 Router(config)# modemcap entry modem-type-name:AA=S0=0&L2 Sets the modemcap for leased-line operation for the originating modem. Step 2 Router(config)# modemcap entry modem-type-name:AA=S0=1&L2 Sets the modemcap for leased-line operation for the answering modem. Configuring and Managing Integrated Modems Managing Modems DC-80 Cisco IOS Dial Technologies Configuration Guide Note When Multilink PPP (MLP) is configured on a dialer interface, the dialer configuration has a default value of 2 minutes for dialer idle timeout. For leased-line connections, set the dialer idle timeout to infinity by adding dialer idle-timeout 0 to the configuration. Verifying the Analog Leased-Line Configuration The following information is important for verifying or troubleshooting your configuration. The show modem log command displays the progress of leased-line connections. Here is an example log for a leased-line answerer. Note the “LL Answering” state and “LL Answer” in the “Direction” field of the connection report: 00:44:03.884 DTR set high 00:44:02.888 Modem enabled 00:43:57.732 Modem disabled 00:43:52.476 Modem State:LL Answering 00:43:52.476 CSM:event-MODEM_STARTING_CONNECT New State-CSM_CONNECT_INITIATED_STATE 00:43:51.112 Modem State:Waiting for Carrier 00:43:43.308 Modem State:Connected 00:43:42.304 Connection:TX/RX Speed = 33600/33600, Modulation = V34 Direction = LL Answer, Protocol = MNP, Compression = V42bis 00:43:42.304 CSM:event-MODEM_CONNECTED New State-CONNECTED_STATE 00:43:42.300 RS232:noCTS* DSR* DCD* noRI noRxBREAK TxBREAK* 00:43:41.892 PPP mode active 00:43:41.892 Modem enabled 00:43:39.888 PPP escape maps set:TX map=00000000 RX map=FFFFFFFF 00:43:39.724 PPP escape maps set:TX map=00000000 RX map=000A0000 00:43:34.444 RS232:CTS* DSR DCD noRI noRxBREAK TxBREAK 00:43:11.716 Modem Analog Report:TX = -20, RX = -34, Signal to noise = 61 Cisco 2600 and 3600 Series Analog Modem Leased-Line Support Examples In the following examples, one Cisco 3620 router and one Cisco 3640 router are connected back-to-back using leased lines. The Cisco 3620 router has the originating configuration, and the Cisco 3640 router has the answering configuration. In the dialer interface configuration, the dialer idle-timeout 0 command is added to set the dialer idle timeout to be infinity. Otherwise the leased line will go down and up every 2 minutes because the default dialer interface idle timeout is 2 minutes. Note Except for passwords and logins, the Cisco IOS command-line interface (CLI) is case-insensitive. For this document, an uppercase “L” has been used in the command examples to avoid confusion with the numeral “1”. Leased-Line Originating Configuration version 12.1 service timestamps debug uptime service timestamps log uptime ! Configuring and Managing Integrated Modems Managing Modems DC-81 Cisco IOS Dial Technologies Configuration Guide modemcap entry micro_LL_orig:AA=S0=0&L2 modemcap entry micro_LL_ans:AA=S0=1&L2 ! interface Async33 no ip address encapsulation ppp no ip route-cache no ip mroute-cache dialer in-band dialer pool-member 1 async default routing async dynamic routing async mode dedicated no peer default ip address no fair-queue no cdp enable ppp direction callout ppp multilink ! interface Dialer1 ip address 10.1.24.1 255.255.255.0 encapsulation ppp no ip route-cache no ip mroute-cache dialer remote-name sara40 dialer pool 1 dialer idle-timeout 0 dialer max-call 4096 no cdp enable ppp direction callout ppp multilink ! dialer-list 1 protocol ip permit ! line con 0 exec-timeout 0 0 transport input none line 33 no exec modem InOut modem autoconfigure type micro_LL_orig transport input all line aux 0 exec-timeout 0 0 line vty 0 4 exec-timeout 0 0 ! end Leased-Line Answering Configuration version 12.1 service timestamps debug uptime service timestamps log uptime ! modemcap entry micro_LL_orig:AA=S0=0&L2 modemcap entry micro_LL_ans:AA=S0=1&L2 ! interface Async73 no ip address encapsulation ppp no ip route-cache no ip mroute-cache dialer in-band Configuring and Managing Integrated Modems Managing Modems DC-82 Cisco IOS Dial Technologies Configuration Guide dialer pool-member 1 async default routing async dynamic routing async mode dedicated no peer default ip address no fair-queue no cdp enable ppp direction callout ppp multilink ! interface Dialer1 ip address 10.1.24.2 255.255.255.0 encapsulation ppp no ip route-cache no ip mroute-cache load-interval 30 dialer remote-name sara20 dialer pool 1 dialer idle-timeout 0 dialer load-threshold 1 either dialer max-call 4096 no cdp enable ppp direction callout ppp multilink ! dialer-list 1 protocol ip permit line con 0 exec-timeout 0 0 transport input none line 73 no exec modem InOut modem autoconfigure type micro_LL_ans transport input all line aux 0 transport input all flowcontrol hardware line vty 0 4 exec-timeout 0 0 ! end Configuring Modem Pooling Modem pooling allows you to control which modem a call connects to, on the basis of dialed number identification service (DNIS). When modem pooling is not used, incoming and outgoing calls are arbitrarily assigned to modems. For example, consider a Cisco AS5300 access server loaded with a 4-port ISDN PRI card. After an analog modem call comes into the first PRI trunk, the call is greeted by a general pool of B channels and a general pool of modems. Any B channel can be connected to any modem in the access server. A random assignment takes place. Modem resources cannot be controlled. Modem pooling assigns physical modems to a single DNIS. It enables you to create pools of physical modems in one access server, assign a unique DNIS to each modem pool, and set maximum simultaneous connect limits. This feature is used for physically partitioning or virtually partitioning modems inside one network access server. Configuring and Managing Integrated Modems Managing Modems DC-83 Cisco IOS Dial Technologies Configuration Guide Modem pooling offers these benefits: • A certain number of modem ports can be guaranteed per DNIS. • Maximum simultaneous connection limits can be set for each DNIS. The following restrictions apply: • Modem pooling is not a solution for large-scale dial access. It cannot be used to create virtual modem pools across multiple access servers that are connected. Modem pooling is physically restricted to one access server. • MICA and Microcom technology modems support modem pooling. However, only MICA modems support modem pooling for CT1 and CE1 configurations using CAS. To use modem pooling with CT1 or CE1 connections, you must reserve at least two modems in the default modem pool. These reserved modems decode DNIS before handing off calls to the modems assigned to modem pools. If you see many call failures appearing on the access server, try assigning more modems to the default pool. Use the show modem and show modem summary EXEC commands to display the modem call failure and success ratio. • No MIBs support modem pooling. • The same DNIS cannot exist in more than one modem pool. Modem pooling is supported on the Cisco AS5300 access servers. To configure and manage modems, perform the tasks in the following sections; all tasks are optional and depend upon the needs of your system. • Creating a Modem Pool (Required) • Verifying Modem Pool Configuration (As required) Creating a Modem Pool You must first decide to physically partition or virtually partition your modems. For more information, see the previous section, “Configuring Modem Pooling.” After you have made this decision, create a modem pool for a dial-in service or specific customer by using the following commands beginning in global configuration mode. Command Purpose Step 1 Router(config)# modem-pool name Creates a modem pool and assigns it a name, and starts modem pool configuration mode. Step 2 Router(config-modem-pool)# pool-range number-number Assigns a range of modems to the pool. A hyphen (-) is required between the two numbers. The range of modems you can choose from is equivalent to the number of modems in your access server that are not currently associated with another modem pool. Step 3 Router(config-modem-pool)# called-number number [max-conn number] Assigns the DNIS to be used for this modem pool. The max-conn option specifies the maximum number of simultaneous connections allowed for this DNIS. If you do not specify a max-conn value, the default (total number of modems in the pool) is used.1 Step 4 Router(config-modem-pool)# Ctrl-Z Returns to EXEC mode. Configuring and Managing Integrated Modems Managing Modems DC-84 Cisco IOS Dial Technologies Configuration Guide Note If you have active modem calls on the access server before using modem pooling, modem pooling gracefully applies itself to the access server. Modem pooling first waits for active calls to hang up before assigning modems to modem pools and directing calls according to DNIS. Verifying Modem Pool Configuration To verify the modem configuration, enter the show modem-pool command to display the configuration. This command displays the structure and activity status for all the modem pools in the access server. See Table 12 for a description of each display field. Router# show modem-pool modem-pool: System-def-Mpool modems in pool: 0 active conn: 0 0 no free modems in pool modem-pool: v90service modems in pool: 48 active conn: 46 8 no free modems in pool called_party_number: 1234 max conn allowed: 48, active conn: 46 8 max-conn exceeded, 8 no free modems in pool modem-pool: v34service modems in pool: 48 active conn: 35 0 no free modems in pool called_party_number: 5678 max conn allowed: 48, active conn: 35 0 max-conn exceeded, 0 no free modems in pool Step 5 Router# show configuration Displays the running configuration to verify the modem pool settings. Make changes accordingly. Step 6 Router# copy running-config startup-config Saves the running configuration to the startup configuration. 1. The DNIS string can have an integer x to indicate a “don’t care” digit for that position, for example, 555010x. Command Purpose Table 12 show modem-pool Field Descriptions Field Description modem-pool Name of the modem pool. In the previous example, there are three modem pools configured: System-def-Mpool, v90service, and v34service. To set the modem pool name, refer to the modem-pool command. All the modems not assigned to a modem pool are automatically assigned to the system default pool (displayed as System-def-Mpool). modems in pool Number of modems assigned to the modem pool. To assign modems to a pool, refer to the display and descriptions for the pool-range command. Configuring and Managing Integrated Modems Managing Modems DC-85 Cisco IOS Dial Technologies Configuration Guide For modem pool configuration examples, see the section “Physical Partitioning with Dial-In and Dial-Out Scenario” later in this chapter. Check the following if you are having trouble operating your modem: • Make sure you have not configured the same DNIS for multiple pools. • Make sure you have not placed the same modem in multiple pools. Note Modem pools that use MICA or Microcom modems support incoming analog calls over ISDN PRI. However, only MICA modems support modem pooling for T1 and E1 configurations with CAS. Configuring Physical Partitioning You can either physically partition or virtually partition your modems to enable different dial-in and dial-out services. This section provides information about the following optional tasks: • Creating a Physical Partition, page 86 • Physical Partitioning with Dial-In and Dial-Out Scenario, page 88 Physical partitioning uses one access server to function as multiple access servers loaded with different types of modem services (for example, V.34 modems, fax-capable modems, and point-of-sale (POS) modems). Each modem service is part of one physical modem pool and is assigned a unique DNIS number. (See Figure 19.) active conn Number of simultaneous active connections for the specified modem pool or called party DNIS number. no free modems in pool Number of times incoming calls were rejected because there were no more free modems in the pool to accept the call. called_party_number Specified called party DNIS number. This is the number that the remote clients use to dial in to the access server. You can have more than one DNIS number per modem pool. To set the DNIS number, refer to the description for the called-number command. max conn allowed Maximum number of modems that a called party DNIS number can use, which is an overflow protection measure. To set this feature, refer to the description for the called-number command. max-conn exceeded Number of times an incoming call using this called party DNIS number was rejected because the max-conn number parameter specified by the called-number command was exceeded. Table 12 show modem-pool Field Descriptions (continued) Field Description Configuring and Managing Integrated Modems Managing Modems DC-86 Cisco IOS Dial Technologies Configuration Guide Figure 19 Modem Pooling Using Physical Partitioning Physical partitioning can also be used to set up an access server for bidirectional dial access. (See Figure 20.) Figure 20 shows one Cisco AS5300 access server loaded with 96 MICA modems and configured with 2 modem pools. One modem pool has 84 modems and collects DNIS. This pool is shared by 400 salespeople who remotely download e-mail from headquarters. The other modem pool contains 12 fax-capable modems and does not collect DNIS. This pool is shared by 40 employees using PCs on a LAN. Each time an outbound call is initiated by a PC, a modem on the Cisco AS5300 access server is seized and used to fax out or dial out. Not configuring DNIS support in the fax-out modem pool protects the pool from being used by the calls coming in from the field. Regardless of how many salespeople are dialing in or which telephone number they use, the fax-out and dial-out modem pool will always be reserved for the PCs connected to the LAN. Figure 20 Modem Pooling Used for Bidirectional Dialing Creating a Physical Partition The following task creates one V.34 modem pool and one 56K modem pool on a Cisco AS5200. Each modem pool is configured with its own DNIS. Depending on which DNIS the remote clients dial, they connect to a 56K MICA modem or a V.34 Microcom modem. 13053 56K modems V.34 modems Fax-capable modems POS modems 24 24 24 24 555-1111 Modems in Pool Assigned DNIS Number 555-2222 555-3333 555-4444 One Cisco AS5300 loaded with 96 modems 84 field salespeople dialing in with 56K modems Cisco AS5300 Four PRI or CT1 lines 13051 Dial-in calls • 84 V.90 modems in modem pool • DNIS is collected 40 PCs dialing out and faxing out with Cisco DialOut Utility software Dial out/fax out calls • 12 modems in default modem pool • DNIS is not collected. Dial in Fax out Dial out Headquarters LAN E-mail server PSTN Configuring and Managing Integrated Modems Managing Modems DC-87 Cisco IOS Dial Technologies Configuration Guide The following hardware configuration is used on the Cisco AS5200 access server: • One 2-port T1 PRI card • One 48-port card containing four 6-port MICA 56K modem modules and two 12-port Microcom V.34 modem modules To configure basic physical partitioning, perform the following steps: Step 1 Enter global configuration mode: Router# configure terminal Router(config)# Step 2 Create the modem pool for the 56K MICA modem services using the modem-pool name command. The modem pool is called 56kservices, which spans four 6-port MICA 56K modem modules. Router(config)# modem-pool 56kservices Router(config-modem-pool)# Note The router is in modem pool configuration mode after the prompt changes from Router(config)# to Router(config-modem-pool)#. Step 3 Assign a range of modems to the modem pool using the pool-range number-number command. Because all the 56K MICA technologies modems are seated in slot 1, they are assigned TTY line numbers 1 to 24. Use the show line EXEC command to determine the TTY line numbering scheme for your access server. Router(config-modem-pool)# pool-range 1-24 Step 4 Assign a DNIS to the modem pool using the called-number number [max-conn number] command. This example uses the DNIS 5550101 to connect to the 56K modems. The maximum simultaneous connection limit is set to 24. The 25th user who dials 5550101 gets a busy signal. Router(config-modem-pool)# called-number 5550101 max-conn 24 Step 5 Return to EXEC mode by entering Ctrl-Z. Next, display the modem pool configuration using the show modem-pool command. In the following example, 56K modems are in the modem pool called 56kservices. The remaining 24 V.34 Microcom modems are still in the default system pool. Router(config-modem-pool)# ^Z Router# show modem-pool modem-pool: System-def-Mpool modems in pool: 24 active conn: 0 0 no free modems in pool modem-pool: 56kservices modems in pool: 24 active conn: 0 0 no free modems in pool called_party_number: 5550101 max conn allowed: 24, active conn: 0 0 max-conn exceeded, 0 no free modems in pool Step 6 Create the modem pool for the Microcom physical partition. After the configuration is complete, the show modem-pool command shows that there are no remaining modems in the system default modem pool. Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# modem-pool v34services Configuring and Managing Integrated Modems Managing Modems DC-88 Cisco IOS Dial Technologies Configuration Guide Router(config-modem-pool)# pool-range 25-48 Router(config-modem-pool)# called-number 5550202 max-conn 24 Router(config-modem-pool)# ^Z Router# show modem-pool modem-pool: System-def-Mpool modems in pool: 0 active conn: 0 0 no free modems in pool modem-pool: 56kservices modems in pool: 48 active conn: 0 0 no free modems in pool called_party_number: 5550101 max conn allowed: 48, active conn: 0 0 max-conn exceeded, 0 no free modems in pool modem-pool: v34services modems in pool: 48 active conn: 0 0 no free modems in pool called_party_number: 5550202 max conn allowed: 48, active conn: 0 0 max-conn exceeded, 0 no free modems in pool Router# copy running-config startup-config Physical Partitioning with Dial-In and Dial-Out Scenario The following is a bidirectional dial scenario using a Cisco AS5300 access server. Two modem pools are configured. One modem pool contains 84 56K MICA modems, which is shared by 400 remote salespeople who dial in to headquarters. The other modem pool contains 12 fax-capable modems, which are shared by 40 employees who dial out of the headquarters LAN using the Cisco DialOut Utility software. See Figure 20 for the network topology. The following hardware configuration is used on the Cisco AS5300: • One 4-port T1 PRI card • Two 48-port cards containing fourteen 6-port MICA 56K modem modules and two 6-port MICA fax-capable modem modules To configure physical partitioning with dial-in and dial-out capability, perform the following steps: Step 1 Create the 56K modem pool for the 400 remote salespeople. This modem pool contains 84 modems, which are reserved for the dial-in calls. To get access, the salespeople dial the DNIS 5550303. The total number of simultaneous calls is limited to 84. The 85th call and those above it are rejected. The modem dialin line configuration command is used to prevent modems 1 to 84 from dialing out. Router# configure terminal Router(config)# modem-pool 56ksalesfolks Router(config-modem-pool)# pool-range 1-84 Router(config-modem-pool)# called-number 5550303 max-conn 84 Router(config-modem-pool)# exit Router(config)# line 1 84 Router(config-line)# modem dialin Router(config-line)# transport input all Router(config-line)# rotary 1 Router(config-line)# autoselect ppp Router(config-line)# exit Router(config)# Configuring and Managing Integrated Modems Managing Modems DC-89 Cisco IOS Dial Technologies Configuration Guide Step 2 Create the dial-out/fax-out modem pool for the 40 local employees connected to the headquarters LAN. This modem pool contains 12 fax-capable MICA modems. No DNIS is assigned to the pool. Because lines 85 to 96 are used for the dial-out and fax-out modem services, the asynchronous lines are configured for reverse Telnet. This configuration is needed for the Telnet extensions to work with the dial-out application, which is installed on the LAN PCs. Router(config)# modem-pool dialoutfolks Router(config-modem-pool)# pool-range 85-96 Router(config-modem-pool)# exit Router(config)# line 85-96 Router(config-line)# refuse-message z [!NMM!] No Modems Available z Router(config-line)# exec-timeout 0 0 Router(config-line)# autoselect during-login Router(config-line)# autoselect ppp Router(config-line)# modem inout Router(config-line)# rotary 1 Router(config-line)# transport preferred telnet Router(config-line)# transport input all Router(config-line)# exit Router(config)# Step 3 Configure the group asynchronous interface, which assigns core protocol characteristics to all the asynchronous interfaces in the system. Regardless of the direction that the modems are dialing, all modems in the access server leverage this group asynchronous configuration. Router(config)# interface group-async 1 Router(config-if)# ip unnumbered ethernet 0 Router(config-if)# encapsulation ppp Router(config-if)# async mode interactive Router(config-if)# ppp authentication chap pap paplocal Router(config-if)# peer default ip address pool bidir_dial_pool Router(config-if)# no cdp enable Router(config-if)# no ip mroute cache Router(config-if)# no ip route cache Router(config-if)# async dynamic routing Router(config-if)# async dynamic address Router(config-if)# group range 1-96 Building configuration... Router(config-if)# exit Step 4 Create an IP address pool for all the dial-in clients and dial-out clients. Both types of clients borrow addresses from this shared pool. Router(config)# ip local pool bidir_dial_pool 10.4.1.1 10.4.1.96 Router(config)# ^z Router# copy running-config startup-config Step 5 (Optional) If you are using CiscoSecure AAA and a remote TACACS server, include the following security statements on the access server: Router(config)# aaa new-model Router(config)# aaa authentication login default tacacs+ Router(config)# aaa authentication login noaaa local Router(config)# aaa authentication login logintac tacacs+ Router(config)# aaa authentication ppp ppptac tacacs+ Router(config)# aaa authentication ppp paplocal local Router(config)# aaa authorization exec tacacs+ Router(config)# aaa authorization network tacacs+ Router(config)# aaa authorization reverse-access tacacs+ Router(config)# aaa accounting exec start-stop tacacs+ Router(config)# aaa accounting network start-stop tacacs+ Router(config)# aaa accounting update newinfo Router(config)# enable password cisco Configuring and Managing Integrated Modems Managing Modems DC-90 Cisco IOS Dial Technologies Configuration Guide You should also include the host name, timeout interval, and authentication key: Router(config)# tacacs-server host 10.4.1.10 Router(config)# tacacs-server timeout 20 Router(config)# tacacs-server key nas1 Configuring Virtual Partitioning Virtual partitioning creates one large modem pool on one access server, but assigns different DNIS numbers to different customers. Each incoming DNIS consumes resources from the same modem pool, but a maximum connect option is set for each DNIS. Figure 21 shows two Internet service provider (ISP) customers who are leasing modems from another service provider. Each ISP is assigned its own DNIS number and range of modems. Each ISP is guaranteed a certain number of physical modem ports for simultaneous connections. After an ISP uses up all the modems assigned to its DNIS, a busy signal is issued. Figure 21 Modem Pooling Using Virtual Partitioning Virtual partitioning essentially resells modem banks to customers, such as a small-sized ISP. However, remember that modem pooling is a single-chassis solution, not a multichassis solution. Modem pooling is not a solution for reselling ports on a large-scale basis. The following procedure creates one modem pool on a Cisco AS5300 access server for two ISP customers. The shared modem pool is called isp56kpool. However, both ISP customers are assigned different DNIS numbers and are limited to a maximum number of simultaneous connections. See Figure 21 for the network topology. The following hardware configuration is used on the Cisco AS5300 access server: • One 4-port T1 PRI card • Two 48-port cards containing sixteen 6-port MICA 56K modem modules ISP-A client dialing in to a leased POP ISP-B client dialing in to a leased POP Cisco AS5300 loaded with 96 MICA modems. Leasing modems to ISP-A and ISP-B. Four PRI or CE1 lines 13052 Modem pool: ISP-A Modems in pool: 48 Assigned DNIS: 5551111 Maximum connections: 48 Modem pool: ISP-B Modems in pool: 48 Assigned DNIS: 5552222 Maximum connections: 48 Backbone leading to the Internet Fast Ethernet PSTN Configuring and Managing Integrated Modems Managing Modems DC-91 Cisco IOS Dial Technologies Configuration Guide To configure virtual partitioning, perform the following steps: Step 1 Enter global configuration mode: Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# Step 2 Create the shared modem pool for the 56K MICA modem services. This modem pool is called isp56kpool, which spans sixteen 6-port MICA 56K modem modules. Router(config)# modem-pool isp56kpool Router(config-modem-pool)# Step 3 Assign all the modems to the modem pool using the pool-range number-number command. Use the show line EXEC command to determine your TTY line numbering scheme. Router(config-modem-pool)# pool-range 1-96 Step 4 Assign a unique DNIS to each ISP customer using the called-number number [max-conn number] command. In this example, the max-conn number option limits each ISP to 48 simultaneous connections. The 49th user to dial either DNIS will get a busy signal. Router(config-modem-pool)# called-number 5550101 max-conn 48 Router(config-modem-pool)# called-number 5550202 max-conn 48 Step 5 Return to EXEC mode by entering a Ctrl-Z sequence. Next, display the modem pool configuration using the show modem-pool command. In the following example, all the 56K modems are in the isp56kpool modem pool. The output also shows two DNIS numbers configured: 5550101 and 5550202. Router(config-modem-pool)# ^Z Router# show modem-pool modem-pool: System-def-Mpool modems in pool: 0 active conn: 0 0 no free modems in pool modem-pool: isp56kpool modems in pool: 96 active conn: 0 0 no free modems in pool called_party_number: 5550101 max conn allowed: 48, active conn: 0 0 max-conn exceeded, 0 no free modems in pool called_party_number: 5550202 max conn allowed: 48, active conn: 0 0 max-conn exceeded, 0 no free modems in pool Router# copy running-config startup-config Configuring Call Tracker The Call Tracker feature captures detailed statistics on the status and progress of active calls and retains historical data for disconnected call sessions. Call Tracker collects session information such as call states and resources, traffic statistics, total bytes transmitted and received, user IP address, and disconnect reason. This data is maintained within the Call Tracker database tables, which are accessible through the Simple Network Management Protocol (SNMP), the CLI, or syslog. Configuring and Managing Integrated Modems Managing Modems DC-92 Cisco IOS Dial Technologies Configuration Guide Note The calltracker command, providing Call Tracker services, is supported for dial calls but not voice. Calltracker is supported for dial calls on 5x platforms (5300, 5350, 5400, 5800, and 5850). Call Tracker is notified of applicable call events by related subsystems such as ISDN, PPP, CSM, Modem, EXEC, or TCP-Clear. SNMP traps are generated at the start of each call, when an entry is created in the active table, and at the end of each call, when an entry is created in the history table. Call Record syslogs are available through configuration that will generate detailed information records for all call terminations. This information can be sent to syslog servers for permanent storage and future analysis. Additionally, the status and diagnostic data that is routinely collected from MICA modems is expanded to include new link statistics for active calls, such as the attempted transmit and receive rates, the maximum and minimum transmit and receive rates, and locally and remotely issued retrains and speedshift counters. For more detailed information on Call Tracker logs, refer to the TAC Tech Notes document, Understanding Call Tracker Outputs, at the following URL: http://www.cisco.com/warp/public/471/calltracker_view.html To configure Call Tracker, perform the following steps: Verifying Call Tracker To verify the operation of Call Tracker, use the the following command in EXEC mode: Enabling Call Tracker The following example shows how to enable the Call Tracker feature: calltracker enable Command Purpose Step 1 Router(config)# calltracker enable Enables Call Tracker. Step 2 Router(config)# calltracker call-record {terse|verbose} [quiet] Enables Call Tracker syslog support for generating detailed Call Records. Step 3 Router(config)# calltracker history max-size number Sets the maximum number of call entries to store in the Call Tracker history table. Step 4 Router(config)# calltracker history retain-mins minutes Sets the number of minutes for which calls are stored in the Call Tracker history table. Step 5 Router(config)# snmp-server packetsize byte-count Sets the maximum packet size allowed for SNMP server requests and replies. Step 6 Router(config)# snmp-server queue-length length Sets the queue length for SNMP traps. Step 7 Router(config)# snmp-server enable traps calltracker Enables Call Tracker to send traps whenever a call starts or ends. Step 8 Router(config)# snmp-server host host community-string calltracker Specifies the name or Internet address of the host to send Call Tracker traps. Command Purpose Router# show call calltracker summary Verifies the Call Tracker configuration and current status. Configuring and Managing Integrated Modems Managing Modems DC-93 Cisco IOS Dial Technologies Configuration Guide calltracker call-record terse calltracker history max-size 50 calltracker history retain-mins 5000 ! snmp-server engineID local 0012345 snmp-server community public RW snmp-server community private RW snmp-server community wxyz123 view v1default RO snmp-server trap-source FastEthernet0 snmp-server packetsize 17940 snmp-server queue-length 200 snmp-server location SanJose snmp-server contact Bob snmp-server enable traps snmp snmp-server enable traps calltracker snmp-server enable traps isdn call-information snmp-server enable traps hsrp snmp-server enable traps config snmp-server enable traps entity snmp-server enable traps envmon snmp-server enable traps bgp snmp-server enable traps ipmulticast-heartbeat snmp-server enable traps rsvp snmp-server enable traps frame-relay snmp-server enable traps rtr snmp-server enable traps syslog snmp-server enable traps dlsw snmp-server enable traps dial snmp-server enable traps dsp card-status snmp-server enable traps voice poor-qov snmp-server host 10.255.255.255 wxyz123 snmp-server host 10.0.0.0 xxxyyy calltracker ! radius-server host 172.16.0.0 auth-port 1645 acct-port 1646 non-standard radius-server key xyz ! Configuring Polling of Link Statistics on MICA Modems The status and diagnostic data that is routinely collected from MICA modems is expanded to include new link statistics for active calls, such as the attempted transmit and receive rates, the maximum and minimum transmit and receive rates, and locally and remotely issued retrains and speedshift counters. This connection data is polled from the modem at user-defined intervals and passed to Call Tracker. To poll modem link statistics, use the following command in global configuration mode: Note The modem link-info poll time command consumes a substantial amount of memory, approximately 500 bytes for each MICA modem call. Use this command only if you require the specific data that it collects; for instance, if you have enabled Call Tracker on your access server. Command Purpose Router(config)# modem link-info poll time seconds Sets the polling interval at which link statistics for active calls are retrieved from the modem. Configuring and Managing Integrated Modems Managing Modems DC-94 Cisco IOS Dial Technologies Configuration Guide Configuring MICA In-Band Framing Mode Control Messages Dial-in Internet connections typically start in character mode to allow the user to log in and select a preferred service. When Cisco IOS software determines that the user wants a framed interface protocol during the call, such as PPP or SLIP, commands are sent to the MICA modem so that it will provide hardware assistance with the framing. This hardware assistance reduces the Cisco IOS processing load. To avoid loss or misinterpretation of framed data during the transition, issue these commands at precise times with respect to the data being sent and received. MICA modem framing commands can be sent in the data stream itself, which greatly simplifies Cisco IOS tasks in achieving precision timing. For PPP connections, the common way for modems to connect to the Internet, total connect time might typically be improved by 2 to 3 seconds. This functionality reduces timeouts during PPP startup and reduces startup time. If an ASCII banner is sent just before PPP startup, this feature eliminates problems with banner corruption such as truncation and extraneous characters, thus improving the performance of terminal equipment. In earlier software, the modem interface timing rules were not well understood and were difficult or impossible to implement using the separate command interface of the modem. The practical result is that the MICA in-band framing mode reduces the number of timeouts during PPP startup, and thus reduces startup time. MICA in-band framing is supported on MICA modems in Cisco AS5300 and Cisco AS5800 access servers. To configure the MICA in-band framing mode control messages, use the following commands beginning in global configuration mode: The Cisco IOS software offers additional interface commands that can be set to control modem interface timing. Refer to the Cisco IOS command references for more information about the interface commands described in the following paragraphs. When a link goes down and comes back up before the timer set by the carrier-delay command expires, the down state is effectively filtered, and the rest of the software on the switch is not aware that a link-down event occurred. Therefore, a large carrier delay timer results in fewer link-up and link-down events being detected. On the other hand, setting the carrier delay time to 0 means that every link-up and link-down event is detected. When the link protocol goes down (because of loss of synchronization, for example), the interface hardware is reset and the data terminal ready (DTR) signal is held inactive for at least the specified interval. Setting the pulse-time command enable pulsing DTR signal intervals on serial interfaces, and is useful for handling encrypting or other similar devices that toggle the DTR signal to resynchronize. Command Purpose Step 1 Router(config)# line line-number [ending-line-number] Specifies the number of modem lines to configure and enters line configuration mode. If a range is entered, it must be equal to the number of modems in the router. Step 2 Router(config-line)# no flush-at-activation Improves PPP and SLIP startup. Normally a router avoids line and modem noise by clearing the initial data received within the first one or two seconds. However, when the autoselect PPP feature is configured, the router flushes characters initially received and then waits for more traffic. This flush causes timeout problems with applications that send only one carriage return. Configuring and Managing Integrated Modems Managing Modems DC-95 Cisco IOS Dial Technologies Configuration Guide Use the modem dtr-delay command to reduce the time that a DTR signal is held down after an asynchronous line clears and before the DTR signal is raised again to accept new calls. Incoming calls may be rejected in heavily loaded systems, even when modems are unused because the default DTR hold-down interval may be too long. The modem dtr-delay command is designed for lines used for an unframed asynchronous session such as Telnet. Lines used for a framed asynchronous session such as PPP should use the pulse-time interface command. Enabling Modem Polling The following example enables modem status polling through the out-of-band feature, which is associated to line 1: Router# configure terminal Router(config)# line 1 Router(config-line)# modem status-poll Setting Modem Poll Intervals The following example sets the time interval between polls to 10 seconds using the modem poll time global configuration command: Router# configure terminal Router(config)# modem poll time 10 Setting Modem Poll Retry The following example configures the server to attempt to retrieve statistics from a local modem up to five times before discontinuing the polling effort: Router# configure terminal Router(config)# modem poll retry 5 Collecting Modem Statistics Depending upon your modem type, the Cisco IOS software provides several show EXEC commands that allow you to display or poll various modem statistics. See Table 7 and Table 8 to find the show EXEC command appropriate for your modem type and the task you want to perform. Logging EIA/TIA Events To facilitate meaningful analysis of the modem log, turn the storage of specific types of EIA/TIA events on or off. To activate or inactivate the storage of a specific type of EIA/TIA modem event for a specific line or set of lines, use either of the following commands in line configuration mode, as needed: Configuring and Managing Integrated Modems Managing Modems DC-96 Cisco IOS Dial Technologies Configuration Guide Configuring a Microcom Modem to Poll for Statistics Manageable Microcom modems have an out-of-band feature, which is used for polling modem statistics. To configure the system to poll for modem statistics, use the following commands in global configuration mode: Troubleshooting Using a Back-to-Back Modem Test Procedure You can manually isolate an internal back-to-back connection and data transfer between two modems for focused troubleshooting purposes. For example, if mobile users cannot dial in to modem 2/5 (which is the sixth modem port on the modem board in the second chassis slot), attempt a back-to-back test with modem 2/5 and a modem known to be functioning, such as modem 2/6. You might need to enable this command on several different combinations of modems to determine which one is not functioning properly. A pair of operable modems connect and complete sending data in both directions. An operable modem and an inoperable modem do not connect with each other. To perform the modem test procedure, enter the test modem back-to-back first-slot/port second-slot/port command, as follows: Step 1 Perform a back-to-back modem test between two normal functioning modems. This example shows a successful connection between modem 1/1 and modem 1/0, which verifies normal operating conditions between these two modems: Command Purpose Router(config-line)# modem log {cts | dcd | dsr | dtr | ri | rs323 | rts | tst} or Router(config-line)# no modem log {cts | dcd | dsr | dtr | ri | rs323 | rts | tst} Configures the types of EIA/TIA events that are stored in the modem log. The default setting stores no EIA/TIA events. Turns off the logging of a specific type of EIA/TIA event. Command Purpose Step 1 Router(config)# modem poll time seconds Specifies the number of seconds between statistical modem polling for Microcom modems. The default is 12 seconds. The configuration range is from 2 to 120 seconds. Step 2 Router(config)# modem poll retry number Sets the maximum number of polling attempts to Microcom modems. The default is three polling attempts. The configuration range is from 0 to 10 attempts.1 1. If the number of attempts to retrieve modem status or statistics exceeds the number you define, the out-of-band feature is removed from operation. In this case, you must reset the modem hardware using the clear modem command. Step 3 Router(config)# modem status-poll Polls for status and statistics for a Microcom modem through the modem’s out-of-band feature. Step 4 Router(config)# modem buffer-size number Defines the number of modem events that each modem is able to store. The default is 100 events for each modem. Use the show modem log command to display modem events. Configuring and Managing Integrated Modems Managing Modems DC-97 Cisco IOS Dial Technologies Configuration Guide Router# test modem back-to-back 1/1 1/0 Repetitions (of 10-byte packets) [1]: 10 Router# %MODEM-5-B2BCONNECT: Modems (1/1) and (1/0) connected in back-to-back test: CONN ECT9600/REL-MNP %MODEM-5-B2BMODEMS: Modems (1/0) and (1/1) completed back-to-back test: success/ packets = 20/20 After you enter the test modem back-to-back command, you must define the number of packets sent between modems at the Repetitions prompt. The ideal range of packets to send and receive is from 1 to 100. The default is 1 packet that is 10 bytes large. The response message (for example, “success/packets = 20/20”) tells you how many packets were sent in both directions compared to the total number of packets attempted to be sent in both directions. Because the software reports the packet total in both directions, the reported numbers are two times the number you originally specify. When a known good modem is tested against a known bad modem, the back-to-back modem test fails. In the following example, modem 1/3 is suspected or proven to be inoperable or bad: Router# test modem back-to-back 1/1 1/3 Repetitions (of 10-byte packets) [1]: 10 Router# %MODEM-5-BADMODEMS: Modems (1/3) and (1/1) failed back-to-back test: NOCARRIER Step 2 You would need to manually mark modem 1/3 as an inoperable or bad modem. You mark the bad modem by determining which line number corresponds with the modem. Use the show modem 1/3 EXEC command to verify that TTY line number 4 (shown as TTY4) is used for modem 1/3: Router# show modem 1/3 Mdm Typ Status Tx/Rx G Duration TX RX RTS CTS DSR DCD DTR 1/3 V34 Idle 28800/28800 0 00:00:00 x x x x x Modem 1/3, Microcom MNP10 V34 Modem (Managed), TTY4 Firmware (Boot) Rev: 1.0(23) (1.0(5)) Modem config: Incoming and Outgoing Protocol: reliable/MNP, Compression: V42bis Management port config: Status polling and AT session Management port status: Status polling and AT session TX signals: -15 dBm, RX signals: -17 dBm Last clearing of "show modem" counters never 0 incoming completes, 0 incoming failures 0 outgoing completes, 0 outgoing failures 0 failed dial attempts, 0 ring no answers, 1 busied outs 0 no dial tones, 0 dial timeouts, 0 watchdog timeouts 0 no carriers, 0 link failures, 0 resets, 0 recover oob 0 protocol timeouts, 0 protocol errors, 0 lost events Transmit Speed Counters: Connection Speeds 75 300 600 1200 2400 4800 # of connections 0 0 0 0 0 0 Connection Speeds 7200 9600 12000 14400 16800 19200 # of connections 0 0 0 0 0 0 Connection Speeds 21600 24000 26400 28800 31200 32000 # of connections 0 0 0 1 0 0 Connection Speeds 33600 34000 36000 38000 40000 42000 # of connections 0 0 0 0 0 0 Connection Speeds 44000 46000 48000 50000 52000 54000 # of connections 0 0 0 0 0 0 Connection Speeds 56000 # of connections 0 Configuring and Managing Integrated Modems Managing Modems DC-98 Cisco IOS Dial Technologies Configuration Guide Step 3 Enter line configuration mode and manually remove modem 1/3 from dial services by entering the modem bad command on line 4: Router# configure terminal Router(config)# line 4 Router(config-line)# modem bad Router(config-line)# exit Router(config)# exit Step 4 Enter the show modem EXEC command or the show modem slot/port command to display the bad modem status. Bad modems are marked with the letter B in the Mdm column of the show modem command display output. Router# show modem %SYS-5-CONFIG_I: Configured from console by consolem Inc calls Out calls Busied Failed No Succ Mdm Usage Succ Fail Succ Fail Out Dial Answer Pct. 1/0 0% 0 0 0 0 1 0 0 0% 1/1 0% 0 0 0 0 3 0 0 0% 1/2 0% 0 0 0 0 1 0 0 0% B 1/3 0% 0 0 0 0 1 0 0 0% 1/4 0% 0 0 0 0 1 0 0 0% 1/5 0% 0 0 0 0 1 0 0 0% 1/6 0% 0 0 0 0 1 0 0 0% 1/7 0% 0 0 0 0 1 0 0 0% 1/8 0% 0 0 0 0 1 0 0 0% 1/9 0% 0 0 0 0 1 0 0 0% 1/10 0% 0 0 0 0 1 0 0 0% 1/11 0% 0 0 0 0 1 0 0 0% 1/12 0% 0 0 0 0 1 0 0 0% 1/13 0% 0 0 0 0 1 0 0 0% 1/14 0% 0 0 0 0 1 0 0 0% 1/15 0% 0 0 0 0 1 0 0 0% 1/16 0% 0 0 0 0 1 0 0 0% 1/17 0% 0 0 0 0 1 0 0 0% 1/18 0% 0 0 0 0 0 0 0 0% 1/19 0% 0 0 0 0 0 0 0 0% 1/20 0% 0 0 0 0 0 0 0 0% 1/21 0% 0 0 0 0 0 0 0 0% 1/22 0% 0 0 0 0 0 0 0 0% 1/23 0% 0 0 0 0 0 0 0 0% Malfunctioning modems are also marked as Bad in the Status column of the show modem slot/port command display output, as the following example shows: Router# show modem 1/3 Mdm Typ Status Tx/Rx G Duration TX RX RTS CTS DSR DCD DTR 1/3 V34 Bad 28800/28800 0 00:00:00 x x x x x Modem 1/3, Microcom MNP10 V34 Modem (Managed), TTY4 Firmware (Boot) Rev: 1.0(23) (1.0(5)) Modem config: Incoming and Outgoing Protocol: reliable/MNP, Compression: V42bis Management port config: Status polling and AT session Management port status: Status polling and AT session TX signals: -15 dBm, RX signals: -17 dBm Last clearing of "show modem" counters never 0 incoming completes, 0 incoming failures 0 outgoing completes, 0 outgoing failures Configuring and Managing Integrated Modems Managing Modems DC-99 Cisco IOS Dial Technologies Configuration Guide 0 failed dial attempts, 0 ring no answers, 1 busied outs 0 no dial tones, 0 dial timeouts, 0 watchdog timeouts 0 no carriers, 0 link failures, 0 resets, 0 recover oob 0 protocol timeouts, 0 protocol errors, 0 lost events Transmit Speed Counters: Connection Speeds 75 300 600 1200 2400 4800 # of connections 0 0 0 0 0 0 Connection Speeds 7200 9600 12000 14400 16800 19200 # of connections 0 0 0 0 0 0 Connection Speeds 21600 24000 26400 28800 31200 32000 # of connections 0 0 0 1 0 0 Connection Speeds 33600 34000 36000 38000 40000 42000 # of connections 0 0 0 0 0 0 Connection Speeds 44000 46000 48000 50000 52000 54000 # of connections 0 0 0 0 0 0 Connection Speeds 56000 # of connections 0 Clearing a Direct Connect Session on a Microcom Modem The examples in this section are for Microcom modems. The following example shows how to execute the modem at-mode command from a Telnet session: Router# modem at-mode 1/1 The following example shows how to execute the clear modem at-mode command from a second Telnet session while the first Telnet session is connected to the modem: Router# clear modem at-mode 1/1 clear "modem at-mode" for modem 1/1 [confirm] Router# The following output is displayed in the first Telnet session after the modem is cleared by the second Telnet session: Direct connect session cleared by vty0 (172.19.1.164) Displaying Local Disconnect Reasons To find out why a modem ended its connection or why a modem is not operating at peak performance, use the show modem call-stats [slot] EXEC command. Disconnect reasons are described using four hexadecimal digits. The three lower-order digits can be used to identify the disconnect reason. The high-order digit generally indicates the type of disconnect reason or the time at which the disconnect occurred. For detailed information on the meaning of hexadecimal values for MICA modem disconnects, refer to the TAC Tech Notes document, MICA Modem States and Disconnect Reasons, at the following URL: http://www.cisco.com/warp/public/76/mica-states-drs.html For detailed information on the meaning of hexadecimal values for NextPort modem disconnects, refer to the TAC Tech Notes document, Interpreting NextPort Disconnect Reason Codes, at the following URL: http://www.cisco.com/warp/public/471/np_disc_code.html . Configuring and Managing Integrated Modems Managing Modems DC-100 Cisco IOS Dial Technologies Configuration Guide Local disconnect reasons are listed across the top of the screen display (for example, wdogTimr, compress, retrain, inacTout, linkFail, moduFail, mnpProto, and lapmProt). In the body of the screen display, the number of times each modem disconnected is displayed (see the # column). For a particular disconnect reason, the % column indicates the percent that a modem was logged for the specified disconnect reason with respect to the entire modem pool for that given reason. For example, out of all the times the rmtLink error occurred on all the modems in the system, the rmtLink error occurred 10 percent of the time on modem 0/22. Malfunctioning modems are detected by an unusually high number of disconnect counters for a particular disconnect reason. For example, if modem 1/0 had a high number of compression errors compared to the remaining modems in system, modem 1/0 would likely be the inoperable modem. To reset the counters displayed by the show modem call-stats command, enter the clear modem counters command. Note For a complete description of each error field displayed by the commands on this page, refer to the Cisco IOS Dial Technologies Command Reference. Remote disconnect reasons are not described by the show modem command output. The following example displays output for the show modem call-stats command. Because of the screen size limitation of most terminal screen displays, not all possible disconnect reasons are displayed at one time. Only the top eight most frequently experienced disconnect reasons are displayed at one time. Router# show modem call-stats dial-in/dial-out call statistics lostCarr dtrDrop rmtLink wdogTimr compress retrain inacTout linkFail Mdm # % # % # % # % # % # % # % # % * 0/0 6 2 2 3 1 0 0 0 0 0 0 0 0 0 0 0 * 0/1 5 2 2 3 2 1 0 0 0 0 0 0 0 0 0 0 0/2 5 2 2 3 4 3 0 0 0 0 0 0 0 0 0 0 * 0/3 5 2 2 3 2 1 0 0 0 0 0 0 0 0 0 0 * 0/4 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0 * 0/5 5 2 2 3 2 1 0 0 0 0 0 0 0 0 0 0 * 0/6 4 1 2 3 2 1 0 0 0 0 0 0 0 0 0 0 * 0/7 4 1 2 3 4 3 0 0 0 0 0 0 0 0 0 0 * 0/8 6 2 1 1 3 2 0 0 0 0 0 0 0 0 0 0 * 0/9 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0 * 0/10 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0 * 0/11 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0 0/12 5 2 2 3 2 1 0 0 0 0 0 0 0 0 0 0 * 0/13 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0 * 0/14 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0 * 0/15 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0 * 0/16 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0 * 0/17 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0 * 0/18 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0 * 0/19 5 2 1 1 3 2 0 0 0 0 0 0 0 0 0 0 * 0/20 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0 * 0/21 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0 * 0/22 5 2 1 1 11 10 0 0 0 0 0 0 0 0 0 0 * 0/23 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0 * 2/0 4 1 2 3 2 1 0 0 0 0 0 0 0 0 0 0 * 2/1 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0 * 2/2 5 2 2 3 0 0 0 0 0 0 0 0 0 0 0 0 * 2/3 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0 * 2/4 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0 * 2/5 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0 * 2/6 4 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 Configuring and Managing Integrated Modems Managing Modems DC-101 Cisco IOS Dial Technologies Configuration Guide * 2/7 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0 * 2/8 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0 * 2/9 4 1 1 1 2 1 0 0 0 0 0 0 0 0 0 0 * 2/10 5 2 1 1 0 0 0 0 0 0 0 0 0 0 0 0 * 2/11 5 2 1 1 5 4 0 0 0 0 0 0 0 0 0 0 * 2/12 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0 * 2/13 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0 * 2/14 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0 * 2/15 4 1 1 1 3 2 0 0 0 0 0 0 0 0 0 0 * 2/16 4 1 1 1 3 2 0 0 0 0 0 0 0 0 0 0 * 2/17 5 2 2 3 9 8 0 0 0 0 0 0 0 0 0 0 * 2/18 4 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 * 2/19 3 1 1 1 2 1 0 0 0 0 0 0 0 0 0 0 * 2/20 7 3 1 1 8 7 0 0 0 0 0 0 0 0 0 0 * 2/21 5 2 1 1 1 0 0 0 0 0 0 0 0 0 0 0 * 2/22 4 1 1 1 2 1 0 0 0 0 0 0 0 0 0 0 * 2/23 5 2 1 1 2 1 0 0 0 0 0 0 0 0 0 0 Total 233 59 110 0 0 0 0 0 dial-out call statistics noCarr noDitone busy abort dialStrg autoLgon dialTout rmtHgup Mdm # % # % # % # % # % # % # % # % * 0/0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0/2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/3 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/4 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/6 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/7 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/9 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/11 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0/12 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/13 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/14 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/15 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/16 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/17 4 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/18 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/19 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/21 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/22 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 0/23 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/0 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/1 3 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/5 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/6 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/7 4 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/8 7 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/9 4 1 1 1 2 1 0 0 0 0 0 0 0 0 0 0 * 2/10 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/11 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/12 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/13 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/14 4 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/15 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/16 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Configuring and Managing Integrated Modems Managing Modems DC-102 Cisco IOS Dial Technologies Configuration Guide * 2/17 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/18 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/19 3 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/21 4 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/22 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 * 2/23 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Total 84 0 0 0 0 0 0 0 Removing Inoperable Modems To manually remove inoperable modems from dialup services, use the following commands in line configuration mode: If you use the modem bad command to remove an idle modem from dial services and mark it as inoperable, the letter B is used to identify the modem as bad. The letter B appears in the Status column in the output of show modem slot/port command and in the far left column in the output of the show modem command. Use the no modem bad command to unmark a modem as B and restore it for dialup connection services. If the letter B appears next to a modem number, it means the modem was removed from service with the modem shutdown command. Note Only idle modems can be marked “bad” by the modem bad command. If you want to mark a modem bad that is actively supporting a call, first enter the modem shutdown command, then enter the modem bad command. Use the modem hold-reset command if a router is experiencing extreme modem behavior (for example, if the modem is uncontrollably dialing in to the network). This command prevents the modem from establishing software relationships such as those created by the test modem back-to-back command. The modem is unusable while the modem hold-reset command is configured. The modem hold-reset command also resets a modem that is frozen in a suspended state. Disable the suspended modem with the modem hold-reset command, and then restart hardware initialization with the no modem hold-reset command. The following example disables a suspended modem and resets its hardware initialization: Router# configure terminal Router(config)# line 4 Router(config-line)# modem hold-reset Router(config-line)# no modem hold-reset Command Purpose Step 1 Router(config-line)# modem bad Removes and idles the modem from service and indicates it as suspected or proven to be inoperable. Step 2 Router(config-line)# modem hold-reset Resets and isolates the modem hardware for extensive troubleshooting. Step 3 Router(config-line)# modem shutdown Abruptly shuts down a modem from dial service. Step 4 Router(config-line)# modem recovery-time minutes Sets the maximum amount of time for which the call-switching module waits for a local modem to respond to a request before it is considered locked in a suspended state. The default is 5 minutes. Configuring and Managing Integrated Modems Managing Modems DC-103 Cisco IOS Dial Technologies Configuration Guide The following example gracefully disables the modem associated with line 1 from dialing and answering calls. The modem is disabled only after all active calls on the modem are dropped. Router# configure terminal Router(config)# line 1 Router(config)# modem busyout The following example abruptly shuts down the modem associated with line 2. All active calls on the modem are dropped immediately. Router# configure terminal Router(config)# line 2 Router(config)# modem shutdown In the following example, the modem using TTY line 3 is actively supporting a call (as indicated by the asterisk). However, we want to mark the modem bad because it has poor connection performance. First, abruptly shut down the modem and drop the call with the modem shutdown command, and then enter the modem bad command to take the modem out of service. Router# show modem Inc calls Out calls Busied Failed No Succ Mdm Usage Succ Fail Succ Fail Out Dial Answer Pct. 1/0 37% 98 4 0 0 0 0 0 96% 1/1 38% 98 2 0 0 0 0 0 98% * 1/2 2% 3 99 0 0 0 0 0 1% . . . Router# configure terminal Router(config)# line 3 Router(config)# modem shutdown Router(config)# modem bad Router(config)# exit Router# show modem Inc calls Out calls Busied Failed No Succ Mdm Usage Succ Fail Succ Fail Out Dial Answer Pct. 1/0 37% 98 4 0 0 0 0 0 96% 1/1 38% 98 2 0 0 0 0 0 98% B 1/2 2% 3 99 0 0 0 0 0 1% For more information about modem recovery procedures, refer to TAC Tech Notes Configuring MICA Modem Recovery at http://www.cisco.com/warp/public/76/modem-recovery.html and Configuring NextPort SPE Recovery at http://www.cisco.com/warp/public/76/spe-recovery.html. Configuring and Managing Integrated Modems Managing Modems DC-104 Cisco IOS Dial Technologies Configuration Guide Busying Out a Modem Card To busy out a modem card in a Cisco access server, use the following commands beginning in global configuration mode: The modem busyout command disables the modem associated with a specified line from dialing and answering calls. The modem busyout command can busy out and eventually terminate all 72 ports on the Cisco AS5800 modem card. Monitoring Resources on Cisco High-End Access Servers The following tasks enable you to monitor the network access server (NAS) health conditions at the DS0 level, PRI bearer channel level, and modem level. Performing these tasks will benefit network operation with improved visibility into the line status for the NAS for comprehensive health monitoring and notification capability, and improved troubleshooting and diagnostics for large-scale dial networks. Perform the following tasks to monitor resource availability on the Cisco high-end access servers: • Enabling DS0 Busyout Traps—DS0 busyout traps are generated when there is a request to busy out a DS0, when there is a request to take a DS0 out of busyout mode, or when busyout completes and the DS0 is out-of-service. DS0 busyout traps are generated at the DS0 level for both CAS and ISDN Command Purpose Step 1 Router(config)# line shelf/slot/port Specifies the line number, by specifying the shelf, slot, and port numbers; you must type in the slashes. This command also begins line configuration mode. Step 2 Router(config-line)# modem busyout Having specified the modem to be busied out with the line command, enter the modem busyout command to busy out the modem. The command disables the modem associated with line shelf/slot/port from dialing and answering calls.You need not specify a shelf/slot/port number again in this command. Step 3 Router(config-line)# modem shutdown Having specified the modem to be shut down with the line command, enter the modem shutdown command to shut down the modem, whether or not it has already been busied out. You need not specify a shelf/slot/port number again in this command because you have already done so with the line command. Step 4 Router(config-line)# exit Exits line configuration mode and returns to global configuration mode. Step 5 Router(config)# modem busyout-threshold number Specifies a threshold number using the modem busyout-threshold number command to balance the number of DS0s with the number of modem lines. For more information, refer to the Cisco IOS Dial Technologies Command Reference. Step 6 Router(config)# exit Exits global configuration mode and returns to privileged EXEC mode. Step 7 Router# show busyout From privileged EXEC mode, verifies that the line is busied out. If there are active calls, the software waits until the call terminates before the line is busied out. Configuring and Managing Integrated Modems Managing Modems DC-105 Cisco IOS Dial Technologies Configuration Guide configured lines. This feature is enabled and disabled through use of the CLI and MIBs. DS0 busyout traps are disabled by default and are supported on Cisco AS5300, Cisco AS5400, and Cisco AS5800 universal access servers. • Enabling ISDN PRI Requested Channel Not Available Traps—ISDN PRI channel not available traps are generated when a requested DS0 channel is not available, or when there is no modem available to take the incoming call. This feature is available only for ISDN PRI interfaces. This feature is enabled and disabled through use of CLI for ISDN traps and the CISCO-ISDN-MIB. ISDN PRI channel not available traps are disabled by default and are supported on the Cisco AS5300, Cisco AS5400, and Cisco AS5800. • Enabling Modem Health Traps—Modem health traps are generated when a modem port is bad, disabled, reflashed, or shut down, or when there is a request to busy out the modem. This feature is enabled and disabled through use of CLI and the CISCO-MODEM-MGMT-MIB. Modem health traps are disabled by default and are supported on the Cisco AS5300, Cisco AS5400, and Cisco AS5800. • Enabling DS1 Loopback Traps—DS1 loopback traps are generated when a DS1 line goes into loopback mode. This feature is enabled and disabled by CLI and the CISCO-POP-MGMT-MIB. DS1 loopback traps are disabled by default and are supported on the Cisco AS5300 and Cisco AS5400 only. The CISCO-POP-MGMT-MIB supplies the DS0 busyout traps and the DS1 loopback traps. The CISCO-MODEM-MGMT-MIB supplies additional modem health traps when the modem port becomes non-functional. The CISCO-ISDN-MIB supplies additional traps for ISDN PRI channel not available. To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. See the sections “Verifying Enabled Traps” and “Troubleshooting the Traps” to verify and troubleshoot configuration. The section “NAS Health Monitoring Example” provides output of a configuration with the NAS health monitoring features enabled. Enabling DS0 Busyout Traps Before you enable DS0 busyout traps, the SNMP manager must already have been installed on your workstation, and the SNMP agent must be configured on the NAS by entering the snmp-server community and snmp-server host commands. Refer to the Cisco IOS Configuration Fundamentals Configuration Guide for more information on these commands. To generate DS0 busyout traps, use the following command in global configuration mode: Command Purpose Router(config)# snmp-server enable traps ds0-busyout Generates a trap when there is a request to busy out a DS0 or to indicate when busyout finishes. Configuring and Managing Integrated Modems Managing Modems DC-106 Cisco IOS Dial Technologies Configuration Guide Enabling ISDN PRI Requested Channel Not Available Traps To generate ISDN PRI requested channel not available traps, use the following command in global configuration mode: Enabling Modem Health Traps To generate modem health traps, use the following command in global configuration mode: Enabling DS1 Loopback Traps To generate DS1 loopback traps, use the following command in global configuration mode: Verifying Enabled Traps To verify that the traps are enabled, use the show run command. The following output indicates that all the traps are enabled: Router(config)# show run snmp-server enable traps ds0-busyout snmp-server enable traps isdn chan-not-avail snmp-server enable traps modem-health snmp-server enable traps ds1-loopback Additionally, you can use the show controllers command with the timeslots keyword to display details about the channel state. This feature shows whether the DS0 channels of a particular controller are in idle, in-service, maintenance, or busyout state. This enhancement applies to both CAS and ISDN PRI interfaces and is supported on the Cisco AS5300 and Cisco AS5400 only. Command Purpose Router(config)# snmp-server enable traps isdn chan-not-avail Generates a trap when the NAS rejects an incoming call on an ISDN PRI interface because the channel is not available. Command Purpose Router(config)# snmp-server enable traps modem-health Generates a trap when a modem port is bad, disabled, or prepared for firmware download; when download fails; when placed in loopback mode for maintenance; or when there is a request to busy out the modem. Command Purpose Router(config)# snmp-server enable traps ds1-loopback Generates a trap when the DS1 line goes into loopback mode. Configuring and Managing Integrated Modems Managing Modems DC-107 Cisco IOS Dial Technologies Configuration Guide Troubleshooting the Traps To troubleshoot the traps, turn on the debug switch for SNMP packets by entering the following command in privileged EXEC mode: Router# debug snmp packets Check the resulting output to see that the SNMP trap information packet is being sent. The output will vary based on the kind of packet sent or received: SNMP: Packet received via UDP from 10.5.4.1 on Ethernet0 SNMP: Get-next request, reqid 23584, errstat 0, erridx 0 sysUpTime = NULL TYPE/VALUE system.1 = NULL TYPE/VALUE system.6 = NULL TYPE/VALUE SNMP: Response, reqid 23584, errstat 0, erridx 0 sysUpTime.0 = 2217027 system.1.0 = Cisco Internetwork Operating System Software system.6.0 = SNMP: Packet sent via UDP to 10.5.4.1 You can also use trap monitoring and logging tools like snmptrapd, with debugging flags turned on, to monitor output. NAS Health Monitoring Example The following is sample configuration output showing all NAS health monitoring traps turned on: Building configuration... Current configuration: ! Last configuration change at 12:27:30 pacific Thu May 25 2000 version xx.x service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname router ! aaa new-model aaa authentication ppp default group radius enable password ! spe 1/0 1/7 firmware location system:/ucode/mica_port_firmware spe 2/0 2/7 firmware location system:/ucode/mica_port_firmware ! resource-pool disable ! clock timezone PDT -8 clock calendar-valid no modem fast-answer modem country mica usa modem link-info poll time 60 modem buffer-size 300 ip subnet-zero ! isdn switch-type primary-5ess isdn voice-call-failure 0 ! Configuring and Managing Integrated Modems Managing Modems DC-108 Cisco IOS Dial Technologies Configuration Guide controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf linecode b8zs ds0-group 0 timeslots 1-24 type e&m-fgb cas-custom 0 ! controller T1 2 shutdown clock source line secondary 2 ! controller T1 3 shutdown clock source line secondary 3 ! controller T1 4 shutdown clock source line secondary 4 ! controller T1 5 shutdown clock source line secondary 5 ! controller T1 6 shutdown clock source line secondary 6 ! controller T1 7 shutdown clock source line secondary 7 ! interface Loopback0 ip address 10.5.4.1 ! interface Ethernet0 no ip address shutdown ! interface Serial0 no ip address shutdown ! interface Serial1 no ip address shutdown ! interface Serial2 no ip address shutdown ! interface Serial3 no ip address shutdown ! interface Serial0:23 no ip address ip mroute-cache isdn switch-type primary-5ess isdn incoming-voice modem Configuring and Managing Integrated Modems Managing Modems DC-109 Cisco IOS Dial Technologies Configuration Guide no cdp enable ! interface FastEthernet0 ip address 10.5.4.1 duplex full speed auto no cdp enable ! interface Group-Async1 ip unnumbered FastEthernet0 encapsulation ppp ip tcp header-compression passive no ip mroute-cache async mode interactive peer default ip address pool swattest no fair-queue ppp authentication chap ppp multilink group-range 1 192 ! interface Dialer1 ip unnumbered FastEthernet0 encapsulation ppp ip tcp header-compression passive dialer-group 1 peer default ip address pool swattest pulse-time 0 no cdp enable ! ip local pool swattest 10.5.4.1 ip default-gateway 10.5.4.1 ip classless ! dialer-list 1 protocol ip permit snmp-server engineID local 00000009020000D058890CF0 snmp-server community public RO snmp-server packetsize 2048 snmp-server enable traps ds0-busyout snmp-server enable traps isdn chan-not-avail snmp-server enable traps modem-health snmp-server enable traps ds1-loopback snmp-server host 10.5.4.1 public ! radius-server host 10.5.4.1 auth-port 1645 acct-port 1646 radius-server retransmit 3 radius-server key ! line con 0 transport input none line 1 192 autoselect ppp modem InOut transport preferred none transport input all transport output none line aux 0 line vty 0 4 end Configuring and Managing Integrated Modems Configuration Examples for Modem Management DC-110 Cisco IOS Dial Technologies Configuration Guide Configuration Examples for Modem Management This section provides the following examples: • NextPort Modem Log Example • Modem Performance Summary Example • Modem AT-Mode Example • Connection Speed Performance Verification Example For additional information and examples about the commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. NextPort Modem Log Example The following is partial sample output for the Cisco AS5400 with the NextPort Distributed forwarding Card (DFC). This example shows the port history event log for slot 5, port 47: Router# show port modem log 5/47 Port 5/47 Events Log Service type: DATA_FAX_MODEM Service mode: DATA_FAX_MODEM Session State: IDLE 00:02:23: incoming called number: 35160 Service type: DATA_FAX_MODEM Service mode: DATA_FAX_MODEM Session State: IDLE Service type: DATA_FAX_MODEM Service mode: DATA_FAX_MODEM Session State: ACTIVE 00:02:23: Modem State event: State: Connect 00:02:16: Modem State event: State: Link 00:02:13: Modem State event: State: Train Up 00:02:05: Modem State event: State: EC Negotiating 00:02:05: Modem State event: State: Steady 00:02:05: Modem Static event: Connect Protocol : LAP-M Compression : V.42bis Connected Standard : V.34+ TX,RX Symbol Rate : 3429, 3429 TX,RX Carrier Frequency : 1959, 1959 TX,RX Trellis Coding : 16/16 Frequency Offset : 0 Hz Round Trip Delay : 0 msecs TX,RX Bit Rate : 33600, 33600 Robbed Bit Signalling (RBS) pattern : 0 Digital Pad : None Digital Pad Compensation : None 4 bytes of link info not formatted : 0x00 0x00 0x00 0x00 0x00 00:02:06:Modem Dynamic event: Sq Value : 5 Signal Noise Ratio : 40 dB Receive Level : -12 dBm Phase Jitter Frequency : 0 Hz Configuring and Managing Integrated Modems Configuration Examples for Modem Management DC-111 Cisco IOS Dial Technologies Configuration Guide Phase Jitter Level : 2 degrees Far End Echo Level : -90 dBm Phase Roll : 0 degrees Total Retrains : 0 EC Retransmission Count : 0 Characters transmitted, received : 0, 0 Characters received BAD : 0 PPP/SLIP packets transmitted, received : 0, 0 PPP/SLIP packets received (BAD/ABORTED) : 0 EC packets transmitted, received OK : 0, 0 EC packets (Received BAD/ABORTED) : 0 Modem Performance Summary Example You can display a high level summary of the performance of a modem with the show modem summary command: Router# show modem summary Incoming calls Outgoing calls Busied Failed No Succ Usage Succ Fail Avail Succ Fail Avail Out Dial Ans Pct. 14% 2489 123 15 0 0 15 0 3 3 95% Modem AT-Mode Example The following example shows that modem 1/1 has one open AT directly connected session: Router# show modem at-mode Active AT-MODE management sessions: Modem User's Terminal 1/1 0 cty 0 Connection Speed Performance Verification Example Making sure that your modems are connecting at the correct connection speeds is an important aspect of managing modems. The show modem connect-speeds and show modem commands provide performance information that allow you to investigate possible inoperable or corrupt modems or T1/E1 lines. For example, suppose you have an access server that is fully populated with V.34 modems. If you notice that modem 1/0 is getting V.34 connections only 50 percent of the time, whereas all the other modems are getting V.34 connections 80 percent of the time, then modem 1/0 is probably malfunctioning. If you are reading low connection speeds across all the modems, you may have a faulty channelized T1 or ISDN PRI line connection. To display connection speed information for all modems that are running in your system, use the show modem connect-speeds max-speed EXEC command. Because most terminal screens are not wide enough to display the entire range of connection speeds at one time (for example, 75 to 56,000 bps), the max-speed argument is used. This argument specifies the contents of a shifting baud-rate window, which provides you with a snapshot of the modem connection speeds for your system. Replace the max-speed argument with the maximum connect speed that you want to display. You can specify from 12,000 to 56,000 bps. If you are interested in viewing a snapshot of lower baud rates, specify a lower connection speed. If you are interested in displaying a snapshot of higher rates, specify a higher connection speed. Configuring and Managing Integrated Modems Configuration Examples for Modem Management DC-112 Cisco IOS Dial Technologies Configuration Guide The following example displays connection speed information for modems running up to 33,600 bps: Router# show modem connect-speeds 33600 transmit connect speeds Mdm 14400 16800 19200 21600 24000 26400 28800 31200 33600 TotCnt * 0/0 0 0 0 0 0 0 4 4 1 9 * 0/1 2 0 0 0 0 0 3 3 1 9 0/2 2 0 0 0 0 1 2 4 1 10 * 0/3 0 0 0 1 0 0 3 4 1 9 * 0/4 1 0 0 0 0 2 2 1 1 7 * 0/5 0 0 0 0 0 0 4 4 1 9 * 0/6 0 0 0 0 0 1 3 3 1 8 * 0/7 0 0 0 2 0 0 4 3 1 10 * 0/8 2 0 0 0 0 0 3 4 1 10 * 0/9 0 0 0 0 0 0 4 3 0 7 * 0/10 1 0 0 0 0 1 3 2 1 8 * 0/11 0 0 0 0 0 0 4 3 1 8 0/12 1 0 0 0 0 0 4 2 1 8 * 0/13 0 0 0 0 0 0 4 2 1 7 * 0/14 1 0 0 0 0 1 2 2 1 7 * 0/15 0 0 0 0 0 0 4 2 1 7 * 0/16 0 0 0 1 0 0 3 2 1 7 * 0/17 1 0 0 0 0 0 4 2 1 8 * 0/18 1 0 0 0 0 0 3 3 1 8 * 0/19 0 0 0 0 0 0 5 3 1 9 * 0/20 0 0 0 0 0 0 4 2 1 7 * 0/21 1 0 0 0 0 0 4 2 0 7 * 0/22 0 0 0 0 0 0 7 9 1 17 * 0/23 0 0 0 0 0 2 2 3 1 8 * 2/0 0 0 0 1 0 0 3 3 1 8 * 2/1 0 0 0 0 0 0 5 2 1 8 * 2/2 0 0 0 1 0 0 4 1 1 7 * 2/3 1 0 0 0 0 0 4 2 1 8 * 2/4 0 0 0 0 0 0 5 2 1 8 * 2/5 0 0 0 0 0 0 4 3 1 8 * 2/6 0 0 0 0 0 0 3 2 1 6 * 2/7 1 0 0 0 0 1 3 2 0 7 * 2/8 1 0 0 0 0 0 3 2 1 7 * 2/9 0 0 0 0 0 1 3 2 1 7 * 2/10 2 0 0 0 0 2 1 0 1 6 * 2/11 0 0 0 1 0 1 3 5 1 11 * 2/12 0 0 0 0 0 0 5 2 1 8 * 2/13 1 0 0 0 0 0 5 0 1 7 * 2/14 1 0 0 0 0 0 3 3 1 8 * 2/15 1 0 0 0 0 1 2 3 1 8 * 2/16 0 0 0 0 0 0 4 3 1 8 * 2/17 0 0 0 0 0 0 5 11 0 16 * 2/18 0 0 0 1 0 1 1 2 1 6 * 2/19 0 0 0 0 0 0 2 3 1 6 * 2/20 1 0 0 0 0 2 3 9 1 16 * 2/21 1 0 0 0 0 0 4 1 1 7 * 2/22 0 0 0 1 0 0 2 3 1 7 * 2/23 0 0 0 0 0 1 3 3 1 8 Tot 23 0 0 9 0 18 165 141 44 400 Tot % 5 0 0 2 0 4 41 35 11 receive connect speeds Mdm 14400 16800 19200 21600 24000 26400 28800 31200 33600 TotCnt * 0/0 0 0 0 0 0 4 1 3 1 9 * 0/1 2 0 0 0 0 3 1 2 1 9 0/2 2 0 0 0 0 3 1 3 1 10 Configuring and Managing Integrated Modems Configuration Examples for Modem Management DC-113 Cisco IOS Dial Technologies Configuration Guide * 0/3 0 0 0 1 0 3 4 0 1 9 * 0/4 1 0 0 0 0 4 0 1 1 7 * 0/5 0 0 0 0 0 4 3 1 1 9 * 0/6 0 0 0 0 0 4 0 3 1 8 * 0/7 0 0 0 2 0 4 1 2 1 10 * 0/8 2 0 0 0 0 3 0 5 0 10 * 0/9 0 0 0 0 0 4 2 0 1 7 * 0/10 1 0 0 0 0 4 0 2 1 8 * 0/11 0 0 0 0 0 4 0 3 1 8 0/12 1 0 0 0 0 2 2 2 1 8 * 0/13 0 0 0 0 0 4 1 1 1 7 * 0/14 1 0 0 0 0 2 3 0 1 7 * 0/15 0 0 0 0 0 4 1 1 1 7 * 0/16 0 0 0 1 0 3 2 0 1 7 * 0/17 1 0 0 0 0 4 1 1 1 8 * 0/18 1 0 0 0 0 3 2 1 1 8 * 0/19 0 0 0 0 0 5 1 2 1 9 * 0/20 0 0 0 0 0 4 0 3 0 7 * 0/21 1 0 0 0 0 4 0 1 1 7 * 0/22 0 0 0 0 0 6 6 4 1 17 * 0/23 0 0 0 0 0 4 2 1 1 8 * 2/0 0 0 0 1 0 3 1 2 1 8 * 2/1 0 0 0 0 0 3 3 1 1 8 * 2/2 0 0 0 1 0 4 0 1 1 7 * 2/3 1 0 0 0 0 3 2 1 1 8 * 2/4 0 0 0 0 0 4 2 1 1 8 * 2/5 0 0 0 0 0 4 1 2 1 8 * 2/6 0 0 0 0 0 3 0 3 0 6 * 2/7 1 0 0 0 1 2 2 0 1 7 * 2/8 1 0 0 0 0 3 0 2 1 7 * 2/9 0 0 0 0 0 4 1 1 1 7 * 2/10 2 0 0 0 0 3 0 0 1 6 * 2/11 0 0 0 1 0 3 1 5 1 11 * 2/12 0 0 0 0 0 4 3 0 1 8 * 2/13 1 0 0 0 0 2 3 0 1 7 * 2/14 1 0 0 0 0 3 2 1 1 8 * 2/15 1 0 0 0 0 3 0 3 1 8 * 2/16 0 0 0 0 0 4 0 4 0 8 * 2/17 0 0 0 0 0 5 2 8 1 16 * 2/18 0 0 1 0 0 2 1 1 1 6 * 2/19 0 0 0 0 0 2 2 1 1 6 * 2/20 1 0 0 0 0 4 2 8 1 16 * 2/21 1 0 0 0 0 4 0 1 1 7 * 2/22 0 0 1 0 0 2 0 3 1 7 * 2/23 0 0 0 0 0 4 2 1 1 8 Tot 23 0 2 7 1 167 64 92 44 400 Tot % 5 0 0 1 0 41 16 23 11 Configuring and Managing Integrated Modems Configuration Examples for Modem Management DC-114 Cisco IOS Dial Technologies Configuration Guide DC-115 Cisco IOS Dial Technologies Configuration Guide Configuring and Managing Cisco Access Servers and Dial Shelves This chapter describes configuration and monitoring tasks for the Cisco AS5800 and AS5400 access servers, including dial shelves and dial shelf controllers on the Cisco AS5800 access servers in the following main sections: • Cisco AS5800 Dial Shelf Architecture and DSIP Overview • How to Configure Dial Shelves • Port Management Services on Cisco Access Servers • Upgrading and Configuring SPE Firmware For further information and configuration examples for the Cisco AS5400, refer to the Cisco AS5400 Universal Access Server Software Configuration Guide. For further information and configuration examples for the Cisco AS5800, refer to the Cisco AS5800 Universal Access Server Operations, Administration, Maintenance, and Provisioning Guide. For more information on the Cisco access servers, go to the Cisco Connection Documentation site on Cisco.com, or use the Cisco Documentation CD-ROM. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Cisco AS5800 Dial Shelf Architecture and DSIP Overview The Cisco AS5800 is a rack-mounted system consisting of a router shelf and a dial shelf. The dial shelf contains feature and controller cards (trunk cards), modem cards, and dial shelf controller (DSC) cards. Note For more information about split dial shelf configuration, refer to the hardware installation guides that accompanied your Cisco AS5800 Universal Access Server and the Cisco AS5800 Universal Access Server Software Installation and Configuration Guide. Configuring and Managing Cisco Access Servers and Dial Shelves How to Configure Dial Shelves DC-116 Cisco IOS Dial Technologies Configuration Guide The Dial Shelf Interconnect Protocol (DSIP) is used for communication between router shelf and dial shelf on an AS5800. Figure 22 diagrams the components of the architecture. The router shelf is the host for DSIP commands, which can be run remotely on the feature boards of the dial shelf using the command, execute-on. DSIP communicates over the packet backplane via the dial shelf interconnect (DSI) cable. Figure 22 DSIP Architecture in the Cisco AS5800 Split Dial Shelves Feature The split dial shelves feature provides for doubling the throughput of the Cisco AS5800 access server by splitting the dial shelf slots between two router shelves, each router connected to one Dial Shelf Controller (DSC), two of which must be installed in the system. Each router shelf is configured to control a certain set from the range of the dial shelf slots. Each router shelf will operate as though any other slots in the dial shelf contained no cards, even if there is a card in them, because they are controlled by the other router shelf. Thus the configuration on each router shelf would affect only the “owned” slots. Each router shelf should own modem cards and trunk cards. Calls received on a trunk card belonging to one router shelf cannot be serviced by a modem card belonging to the other router shelf. Each router shelf operates like a single Cisco AS5800 access server system, as if some slots are unavailable. Refer to the section “Configuring Dial Shelf Split Mode” for more information about configuring split dial shelves. How to Configure Dial Shelves To configure and maintain dial shelves, perform the tasks in the following sections: • Configuring the Shelf ID • Configuring Redundant DSC Cards • Synchronizing to the System Clocks • Configuring Dial Shelf Split Mode • Executing Commands Remotely • Verifying DSC Configuration Packet back plane Router shelf Feature board DSIP DSIP Feature board DSIP Feature board DSIP 15013 Configuring and Managing Cisco Access Servers and Dial Shelves How to Configure Dial Shelves DC-117 Cisco IOS Dial Technologies Configuration Guide • Monitoring and Maintaining the DSCs • Troubleshooting DSIP Configuring the Shelf ID The Cisco AS5800 consists of a router shelf and a dial shelf. To distinguish the slot/port number on the Cisco AS5800, you must specify the shelf number. The default shelf number is 0 for the router shelf and 1 for the dial shelf. Caution You must reload the Cisco AS5800 for the new shelf number to take effect. Because the shelf number is part of the interface names when you reload, all NVRAM interface configuration information is lost. Normally you do not need to change the shelf IDs; however, if you do, we recommend that you change the shelf number when you initially access the setup facility. For information on the setup facility, refer to the Cisco AS5800 Universal Access Server Software Installation and Configuration Guide. If you are booting the router shelf from the network (netbooting), you can change the shelf numbers using the shelf-id command. To configure the dial shelf, you save and verify the configuration in EXEC mode, and enter shelf-id commands in global configuration mode, as indicated in the following steps: Command Purpose Step 1 Router# copy startup-configure tftp Saves your current configuration. Changing the shelf number removes all interface configuration information when you reload the Cisco AS5800. Step 2 Router# configure terminal Begins global configuration mode. Step 3 Router(config)# shelf-id number router-shelf Specifies the router shelf ID. Step 4 Router(config)# shelf-id number dial-shelf Specifies the dial shelf ID. Step 5 Router(config)# exit Exits global configuration mode. Step 6 Router# copy running-config startup-config Saves your configuration. This step is optional. Step 7 Router# show version Verifies that the correct shelf number will be changed after the next reload. Step 8 Router# reload components all Instructs the DSC (or DSCs in a redundant configuration) be reloaded at the same time as a reload on the router shelf. Type “yes” to the “save config” prompt. Configure one interface so that its router shelf has connectivity to the server with the configuration. Step 9 Router# copy tftp startup-config Because changing the shelf number removes all interface configuration information when you reload the Cisco AS5800, edit the configuration file saved in step 1 and download it. Configuring and Managing Cisco Access Servers and Dial Shelves How to Configure Dial Shelves DC-118 Cisco IOS Dial Technologies Configuration Guide If you are booting the router shelf from Flash memory, use the following commands beginning in EXEC mode: Configuring Redundant DSC Cards The Redundant Dial Shelf Controller feature consists of two DSC cards on a Cisco AS5800 dial shelf. The DSC cards provide clock and power control to the dial shelf cards. Each DSC card provides the following: • Master clock for the dial shelf • Fast Ethernet link to the router shelf • Environmental monitoring of the feature boards • Bootstrap images on start-up for the feature boards The Redundant Dial Shelf Controller feature is automatically enabled when two DSC cards are installed. DSC redundancy is supported with Cisco AS5800 software at the Dial Shelf Interconnect Protocol (DSIP) level. This feature enables a Cisco AS5800 dial shelf to use dual DSCs for full redundancy. A redundant configuration allows for one DSC to act as backup to the active card, should the active card fail. This increases system availability by preventing loss of service. The redundant DSC functionality is robust under high loads and through DSC or software crashes and reloads. The redundant DSC functionality is driven by the following events: • User actions • Control messages • Timeouts Command Purpose Step 1 Router# copy running-config tftp or Router# copy startup-config tftp Saves your current (latest) configuration to a server. Step 2 Router# configure terminal Begins global configuration mode. Step 3 Router(config)# shelf-id number router-shelf Configures the router shelf ID. Step 4 Router(config)# shelf-id number dial-shelf Configures the dial shelf ID. Step 5 Router(config)# exit Exits global configuration mode. Step 6 Router> copy running-config startup-config Saves your configuration. This step is optional. If this step is skipped, type “No” at the “save configuration” prompt. Step 7 Router> show version Allows verification that the correct shelf number will be changed after the next reload. Edit the configuration file saved in Step 1. Step 8 Router> copy tftp startup-config Copies the edited configuration to NVRAM on the Cisco AS5800. Step 9 Router# reload components all Instructs the DSC (or DSCs in a redundant configuration) to be reloaded at the same time as a reload on the router shelf. Configuring and Managing Cisco Access Servers and Dial Shelves How to Configure Dial Shelves DC-119 Cisco IOS Dial Technologies Configuration Guide • Detection of component failures • Error and warning messages DSC redundancy provides maximum system availability by preventing loss of service if one of the DSCs fails. There is no load sharing between the Broadband Inter-Carrier Interfaces (BICI). One BIC is used as a backup, carrying only control traffic, such as keepalives, until there is a switchover. Before starting this configuration task: • Your Cisco AS5800 router shelf and dial shelf must be fully installed, with two DSC cards installed on the dial shelf. • Your Cisco AS5800 access server must be running Cisco IOS Release 12.1(2)T. • The external DSC clocking port must be configured identically on both router shelves and must be physically connected to both DSCs. This assures that if a DSC card needs replacing or if the backup DSC card becomes primary, clocking remains stable. Synchronizing to the System Clocks The time-division multiplexing (TDM) bus in the backplane on the dial shelf must be synchronized to the T1/E1 clocks on the trunk cards. The Dial Shelf Controller (DSC) card on the daily shelf provides hardware logic to accept multiple clock sources as input and use one of them as the primary source to generate a stable, PPL synchronized output clock. The input clock can be any of the following sources: • Trunk port in slots 0 through 5—up to 12 can be selected (2 per slot) • An external T1 or E1 clock source fed directly through a connector on the DSC card • A free-running clock from an oscillator in the clocking hardware on the DSC card For dual (redundant) DSC cards, the external DSC clocking port should be configured so that the clock signal fed into both DSCs is identical. To configure the external clocks, use the following commands from the router shelf login beginning in global configuration mode. One external clock is configured as the primary clock source, and the other is configured as the backup clock source. Command Purpose Step 1 Router(config)# dial-tdm-clock priority value Configures the trunk card clock priority. Priority range is a value between 1 and 50. Step 2 Router(config)# dial-tdm-clock priority X {trunk-slot Y port Z} external {t1 | e1} [120-ohm] Selects the T1/E1 trunk slot and port that is providing the clocking source. T1/E1 selection is based on the incoming signal. Select the impedance. The default impedance is 75-ohm. Step 3 Router(config)# dial-tdm-clock priority value external t1 or Router(config)# dial-tdm-clock priority value external e1 Configures the T1/E1 external clock on the dial shelf controller front panel. T1/E1 selection is based on the signal coming in. Priority range is a value between 1 and 50. Step 4 Router(config)# Ctrl-Z Router# Verifies your command registers when you press the return key. Enter Ctrl-Z to return to privileged EXEC mode. Step 5 Router# copy running-config startup-config Saves your changes. Configuring and Managing Cisco Access Servers and Dial Shelves How to Configure Dial Shelves DC-120 Cisco IOS Dial Technologies Configuration Guide Verifying External Clock Configuration To verify that the primary clock is running, enter the show dial-shelf clocks privileged EXEC command: Router# show dial-shelf 12 clocks Slot 12: System primary is 1/2/0 of priority 202 TDM Bus Master Clock Generator State = NORMAL Backup clocks: Source Slot Port Priority Status State ------------------------------------------------------- Trunk 2 1 208 Good Default Slot Type 11 10 9 8 7 6 5 4 3 2 1 0 2 T1 G G G G G G G G G G G G For more information on configuring external clocks, refer to the Cisco document Managing Dial Shelves. Configuring Dial Shelf Split Mode This section describes the procedure required to transition a router from normal mode to split mode and to change the set of slots a router owns while it is in split mode. Since the process of switching the ownership of a slot from one router to the other is potentially disruptive (when a feature board is restarted, all calls through that card are lost), a router shelf cannot take over a slot until ownership is relinquished by the router that currently claims ownership, either by reconfiguring the router or disconnecting that router or its associated DSC. The dial shelf is split by dividing the ownership of the feature boards between the two router shelves. You must configure the division of the dial shelf slots between the two router shelves so that each router controls an appropriate mix of trunk and modem cards. Each router shelf controls its set of feature boards as if those were the only boards present. There is no interaction between feature boards owned by one router and feature boards owned by the other router. Split mode is entered when the dial-shelf split slots command is parsed on the router shelf. This can occur when the router is starting up and parsing the stored configuration, or when the command is entered when the router is already up. Upon parsing the dial-shelf split slots command, the router frees any resources associated with cards in the slots that it no longer owns, as specified by exclusion of slot numbers from the slot-numbers argument. The router should be in the same state as if the card had been removed from the slot; all calls through that card will be terminated. The configured router then informs its connected DSC that it is in split mode, and which slots it claims to own. In split mode, a router shelf by default takes half of the 2048 available TDM timeslots. The TDM split mode is configured using the dial-shelf split backplane-ds0 command. (The dial-shelf split slot command must be defined for the dial-shelf split backplane-ds0 command to be active.) If the dial-shelf split slots command is entered when the total number of calls using timeslots exceeds the number that would normally be available to the router in split mode, the command is rejected. This should occur only when a change to split mode is attempted, in which the dial shelf has more than 896 calls in progress (more than half of the 1,792 available timeslots). Otherwise, a transition from normal mode to split mode can be made without disturbing the cards in the slots that remain owned, and calls going through those cards will stay up. Configuring and Managing Cisco Access Servers and Dial Shelves How to Configure Dial Shelves DC-121 Cisco IOS Dial Technologies Configuration Guide To configure a router for split dial shelf operation, perform the following steps: Step 1 Ensure that both DSCs and both router shelves are running the same Cisco IOS image. Note Having the same version of Cisco IOS running on both DSCs and both router shelves is not mandatory; however, it is a good idea. There is no automatic checking that the versions are the same. Step 2 Schedule a time when the Cisco AS5800 can be taken out of service without unnecessarily terminating calls in progress. The entire procedure for transitioning from normal mode to split mode should require approximately one hour if all the hardware is already installed. Step 3 Busy out all feature boards and wait for your customers to log off. Step 4 Reconfigure the existing router shelf to operate in split mode. Step 5 Enter the dial-shelf split slots command, specifying the slot numbers that are to be owned by the existing router shelf. Step 6 Configure the new router shelf to operate in split mode on other feature boards. Step 7 Enter the dial-shelf split slots command, specifying the slot numbers that are to be owned by the new router shelf. Do not specify any of the slot numbers that you specified in Step 6. The range of valid slot numbers is 0 through 11. To perform this step, enter the following command in global configuration mode: Step 8 Install the second DSC, if it has not already been installed. Step 9 Connect the DSIP cable from the second DSC to the new router shelf. Command Purpose Router(config)# dial-shelf split slots slot-numbers Enter list of slot numbers, for example: dial-shelf split slots 0 1 2 6 7 8 In this example, the other router shelf could be configured to own the other slots: 3 4 5 9 10 11. Normal mode: This command changes the router shelf to split mode with ownership of the slots listed. In case of conflicting slot assignments, the command is rejected and a warning message is issued. Issue a show dial-shelf split slots command to the other router shelf to display its list of owned dial shelf slots. Online insertion and removal (OIR) events on all slots are detected by both DSCs and added to the list of feature boards physically present in the dial shelf; however, OIR event processing is done only for assigned slots. Split mode: This command adds the dial shelf slots listed to the router shelf’s list of owned dial shelf slots. Configuring and Managing Cisco Access Servers and Dial Shelves How to Configure Dial Shelves DC-122 Cisco IOS Dial Technologies Configuration Guide Step 10 Ensure that split mode is operating properly. Enter the show dial-shelf command for each router. This command has been extended so that the response indicates that the router shelf is running in split mode and which slots the router shelf owns. The status of any cards in any owned slots is shown, just as they are in the present show dial-shelf command. When in split mode, the output will be extended as in the following example: System is in split dial shelf mode. Slots owned: 0 2 3 4 5 6 (connected to DSC in slot 13) Slot Board CPU DRAM I/O Memory State Elapsed Type Util Total (free) Total (free) Time 0 CE1 0%/0% 21341728( 87%) 8388608( 45%) Up 00:11:37 2 CE1 0%/0% 21341728( 87%) 8388608( 45%) Up 00:11:37 4 Modem(HMM) 20%/20% 6661664( 47%) 6291456( 33%) Up 00:11:37 5 Modem(DMM) 0%/0% 6661664( 31%) 6291456( 32%) Up 00:11:37 6 Modem(DMM) 0%/0% 6661664( 31%) 6291456( 32%) Up 00:11:37 13 DSC 0%/0% 20451808( 91%) 8388608( 66%) Up 00:16:31 Dial shelf set for auto boot Step 11 Enable all feature boards to accept calls once again. Changing Slot Sets You can change the sets of slots owned by the two router shelves while they are in split mode by first removing slots from the set owned by one router, and then adding them to the slot set of the other router. The changed slot set information is sent to the respective DSCs, and the DSCs determine which slots have been removed and which added from the new slot set information. It should be clear that moving a slot in this manner will disconnect all calls that were going through the card in that slot. To perform this task, enter the following commands as needed: When a Slot Is Removed The router shelf that is losing the slot frees any resources and clears any state associated with the card in the slot it is relinquishing. The DSC reconfigures its hub to ignore traffic from that slot, and if there is a card in the slot, it will be reset. This ensures that the card frees up any TDM resource it might be using and allows it to restart under control of the router shelf that is subsequently configured to own the slot. When a Slot Is Added If there are no configuration conflicts, and there is a card present in the added slot, a dial-shelf OIR insertion event is sent to the router shelf, which processes the event the same as it always does. The card in the added slot is reset by the DSC to ensure a clean state, and the card downloads its image from the router shelf that now owns it. Command Purpose Router (config)# dial-shelf split slots remove slot-numbers Removes the dial shelf slots listed from the router shelf’s list of owned dial shelf slots. The effect of multiple commands is cumulative. Router(config)# dial-shelf split slots slot-numbers Adds the dial shelf slots listed to the router shelf’s list of owned dial shelf slots. Configuring and Managing Cisco Access Servers and Dial Shelves How to Configure Dial Shelves DC-123 Cisco IOS Dial Technologies Configuration Guide If the other router shelf and the other DSC claim ownership of the same slot, the command adding the slot should be rejected. However, should a configuration conflict exist, error messages are sent to both routers and the card is not reset until one of the other router shelves and its DSC stop claiming ownership of the slot. Normally, this will not happen until you issue a dial-shelf split slots remove command surrendering the ownership claim on the slot by one of the routers. Leaving Split Mode Split mode is exited when the dial shelf configuration is changed by a no dial-shelf split slots command. When the split dial shelf line is removed, the router shelf will start using all of the TDM timeslots. Feature boards that were not owned in split mode and that are not owned by the other router will be reset. Cards in slots that are owned by the other router will be reset, but only after the other DSC has been removed or is no longer claiming the slots. The split dial shelf configuration should not be removed while the second router shelf is still connected to the dial shelf. When a router configured in split mode fails, all calls associated with the failed router are lost. Users cannot connect back in until the failed router recovers and is available to accept new incoming calls; however, the other split mode router shelf will continue to operate normally. Troubleshooting Split Dial Shelves The system will behave as configured as soon as the configuration is changed. The exception is when there is a misconfiguration, such as when one router is configured in split mode and the other router is configured in normal mode, or when both routers are configured in split mode and both claim ownership of the same slots. Problems can arise if one of the two routers connected to a dial shelf is not configured in split mode, or if both are configured in split mode and both claim ownership of the same slots. If the state of the second router is known when the dial-shelf split slots command is entered and the command would result in a conflict, the command is rejected. If a conflict in slot ownership does arise, both routers will receive warning messages until the conflict is resolved. Any card in a slot which is claimed by both routers remains under the control of the router that claimed it first, until you can resolve the conflict by correcting the configuration of one or both routers. It should be noted that there can also be slots that are not owned by either router (orphan slots). Cards in orphan slots cannot boot up until one of the two routers claims ownership of the slot because neither DSC will download bootstrap images to cards in unowned orphan slots. Managing a Split Dial Shelf If you are installing split dial shelf systems, a system controller is available that provides a single system view of multiple point of presences (POPs). The system controller for the Cisco AS5800 Universal Access Server includes the Cisco 3640 router running Cisco IOS software. The system controller can be installed at a remote facility so that you can access multiple systems through a console port or Web interface. There are no new MIBs or MIB variables required for the split dial shelf configuration. A split dial shelf appears to Simple Network Management Protocol (SNMP) management applications as two separate Cisco AS5800 systems. One console to manage the whole system is not supported—you must have a console session per router shelf (two console sessions) to configure each split of the Cisco AS5800. The system controller must manage a split dial shelf configuration as two separate Cisco AS5800 systems. Configuring and Managing Cisco Access Servers and Dial Shelves How to Configure Dial Shelves DC-124 Cisco IOS Dial Technologies Configuration Guide The normal mode configuration of the Cisco AS5800 requires the dial shelf and router shelf IDs to be different. In a split system, four unique shelf IDs are desirable, one for each router shelf and one for each of the slot sets; however, a split system will function satisfactorily if the router shelf IDs are the same. If a system controller is used to manage a split dial shelf configuration, the two routers must have distinct shelf IDs, just as they must when each router has its own dial shelf. You can download software configurations to any Cisco AS5800 using SNMP or a Telnet connection. The system controller also provides performance monitoring and accounting data collection and logging. In addition to the system controller, a network management system with a graphical user interface (GUI) runs on a UNIX SPARC station and includes a database management system, polling engine, trap management, and map integration. To manage a split dial shelf, enter the following commands in EXEC mode as needed: Executing Commands Remotely Although not recommended, it is possible to connect directly to the system console interface in the DSC to execute dial shelf configuration commands. All commands necessary for dial shelf configuration, and show, and debug command tasks can be executed remotely from the router console. A special command, execute-on, is provided for this purpose. This command enables a special set of EXEC mode commands to be executed on the router or the dial shelf. This command is a convenience that avoids connecting the console to the DSC. For a list of commands you can execute using execute-on, refer to the command description in the Cisco IOS Dial Technologies Command Reference. To enter a command that you wish to execute on a specific card installed in the dial shelf while logged onto the router shelf console, use the following commands in privileged EXEC mode as needed: Command Purpose Router# show dial-shelf split Displays the slots assigned to each of the router shelves and the corresponding feature boards in ‘orphan’ slots (slots not currently assigned to either router). Router# show dial-shelf Displays information about the dial shelf, including clocking information. Router# show context Displays information about the dial shelf, including clocking information, but works only for owned slots. Use show context all to display all the information available about any slot. This is intended to cover the case where ownership of a feature board is moved from one router shelf to the other after a crash. Command Purpose Router# execute-on slot slot command Executes a command from the router shelf on a specific slot in the dial shelf. Router# execute-on all command Executes a command from the router shelf on all cards in the dial shelf. Configuring and Managing Cisco Access Servers and Dial Shelves How to Configure Dial Shelves DC-125 Cisco IOS Dial Technologies Configuration Guide Verifying DSC Configuration To verify that you have started the redundant DSC feature, enter the show redundancy privileged EXEC command: Router# show redundancy DSC in slot 12: Hub is in 'active' state. Clock is in 'active' state. DSC in slot 13: Hub is in 'backup' state. Clock is in 'backup' state. Router# Monitoring and Maintaining the DSCs To monitor and maintain the DSC cards, use the following commands in privileged EXEC mode, as needed: Troubleshooting DSIP There are a number of show commands available to aid in troubleshooting dial shelves. Use the following EXEC mode commands to monitor DSI and DSIP activity as needed: Command Purpose Router# hw-module shelf/slot {start|stop} Stops the target DSC remotely from the router console. Restart the DSC if it has been stopped. Router# show redundancy [history] Displays the current or history status for redundant DSC. Router# debug redundancy {all|ui|clk|hub} Use this debug command if you need to collect events for troubleshooting, selecting the appropriate required key word. Router# show debugging Lists the debug commands that are turned on, including those for redundant DSC. Command Purpose Router# clear dsip tracing Clears tracing statistics for the DSIP. Router# show dsip Displays all information about the DSIP. Router# show dsip clients Displays information about DSIP clients. Router# show dsip nodes Displays information about the processors running the DSIP. Router# show dsip ports Displays information about local and remote ports. Router# show dsip queue Displays the number of messages in the retransmit queue waiting for acknowledgment. Router# show dsip tracing Displays DSIP tracing buffer information. Configuring and Managing Cisco Access Servers and Dial Shelves Port Management Services on Cisco Access Servers DC-126 Cisco IOS Dial Technologies Configuration Guide The privileged EXEC mode show dsi command can also be used to troubleshoot, as it displays the status of the DSI adapter, which is used to physically connect the router shelf and the dial shelf to enable DSIP communications. The following is an example troubleshooting scenario: Problem: The router shelf boots, but there is no communication between the router and dial shelves. Step 1 Run the show dsip transport command. Step 2 Check the “DSIP registered addresses” column. If there are zero entries there, there is some problem with the Dial Shelf Interconnect (DSI). Check if the DSI is installed in the router shelf. Step 3 If there is only one entry and it is our own local address, then first sanity check the physical layer. Make sure that there is a physical connection between the RS and DS. If everything is fine from cabling point of view, go to step 3. Step 4 Check the DSI health by issuing the show dsi command. This gives a consolidated output of DSI controller and interface. Check for any errors like runts, giants, throttles and other usual FE interface errors. Diagnosis: If an entry for a particular dial shelf slot is not found among the registered addresses, but most of other card entries are present, the problem is most likely with that dial shelf slot. The DSI hardware on that feature board is probably bad. Port Management Services on Cisco Access Servers Port Management Services on the Cisco AS5400 Access Server Port service management on the Cisco AS5400 access server implements service using the NextPort dial feature card (DFC). The NextPort DFC is a hardware card that processes digital service port technology for the Cisco AS5400 access server. A port is defined as an endpoint on a DFC card through which multiservice tones and data flow. The ports on the NextPort DFC support both modem and digital services. Ports can be addressed-aggregated at the slot level of the NextPort module, the Service Processing Element (SPE) level within the NextPort module, and the individual port level. Cisco IOS Release 12.1(3)T or higher is required for the NextPort DFC. Instead of the traditional line-modem one-to-one correspondence, lines are mapped to an SPE that resides on the Cisco AS5400 NextPort DFC. Each SPE provides modem services for six ports. Busyout and shutdown can be configured at the SPE or port level. The NextPort DFC introduces the slot and SPE software hierarchy. On the Cisco AS5400, the hierarchy designation is slot/SPE. The NextPort DFC slot is defined as a value between 1 and 7. Slot 0 is reserved for the motherboard. Each NextPort DFC provides 18 SPEs. The SPE value ranges from 0 to 17. Since each SPE has six ports, the NextPort DFC has a total of 108 ports. The port value ranges from 0 to 107. Router# show dsip transport Displays information about the DSIP transport statistics for the control/data and IPC packets and registered addresses. Router# show dsip version Displays DSIP version information. Command Purpose Configuring and Managing Cisco Access Servers and Dial Shelves Port Management Services on Cisco Access Servers DC-127 Cisco IOS Dial Technologies Configuration Guide The NextPort DFC performs the following functions: • Converts pulse code modulation (PCM) bitstreams to digital packet data. • Forwards converted and packetized data to the main processor, which examines the data and forwards it to the backhaul egress interface. • Supports all modem standards (such as V.34 and V.42bis) and features, including dial-in and dial-out. Port Management Services on the Cisco AS5800 Access Server Port service management on the Cisco AS5800 access server implements service on the Universal Port Card (UPC). A universal port carries a single channel at the speed of digital signal level 0 (DS0), or the equivalent of 64-kbps on a T1 facility. Network traffic can be a modem, voice, or fax connection. The 324 port UPC uses NextPort hardware and firmware to provide universal ports for the Cisco AS5800 access server. These ports are grouped into 54 service processing elements (SPEs). Each SPE supports six universal ports. To find the total number of ports supported by a UPC, multiply the 54 SPEs by the six ports supported on each SPE. The total number of universal ports supported by a single UPC is 324. Configuration, management, and troubleshooting of universal ports can be done at the UPC, SPE, and port level. Each UPC also has a SDRAM card with a minimum of a 128 MB of memory. The Cisco AS5800 access server can be equipped with a maximum of seven UPCs with upgradable firmware. The UPC supports data traffic, and depending on the software and platform is universal port capable. Each UPC plugs directly into the dial shelf backplane and does not need any external connections. Each UPC has three LEDs, which indicate card status. The Cisco AS5800 access server is capable of terminating up to 2,048 incoming modem connections (slightly more than an OC3) when equipped with seven UPCs and three CT3 trunk cards. A split shelf configuration with a second router shelf and second dial shelf controller are required to achieve full capacity. A single router with a standard configuration supports up to 1,344 port connections. Cisco IOS Release 12.1(3)T or higher is required for the UPC. Unless your system shipped with UPCs installed, you must upgrade the Cisco IOS image on the dial shelf and router shelf or shelves. Instead of the traditional line-modem one-to-one correspondence, lines are mapped to an SPE that resides on the Cisco AS5800 access server UPC. Each SPE provides modem services for six ports. Busyout and shutdown can be configured at the SPE or port level. The UPC introduces the shelf, slot, and SPE software hierarchy. On the Cisco AS5800 access server, the hierarchy designation is shelf/slot/SPE. A UPC can be installed in slots numbered 2 to 11 on the dial shelf backplane. If installed in slots 0 or 1, the UPC automatically powers down. Slots 0 and 1 only accept trunk cards; they do not accept mixes of cards. We recommend that you install mixes of T3 and T1 cards, or E1 trunk cards in slots 2 to 5. You can use double-density modem cards, UPCs, and VoIP cards simultaneously. Trunk cards can operate in slots 0 to 5 and are required for call termination. The UPC performs the following functions: • Converts pulse code modulation (PCM) bitstreams to digital packet data. • Forwards converted and packetized data to the dial shelf main processor, which examines the data and forwards it to the router shelf. From the router shelf, the data is routed to the external network. Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-128 Cisco IOS Dial Technologies Configuration Guide • Supports all modem standards (such as V.34 and V.42bis) and features, including dial-in and dial-out. • Supports online insertion and removal (OIR), a feature that allows you to remove and replace UPCs while the system is operating. A UPC can be removed without disrupting the operation of other cards and their associated calls. If a UPC is removed while the system is operating, connections or current calls on that card are dropped. Calls being handled by other cards are not affected. Note All six ports on an SPE run the same firmware. Upgrading and Configuring SPE Firmware SPE firmware is automatically downloaded in both the Cisco AS5400 and AS5800 access servers. AS5400 Access Server SPE firmware is automatically downloaded to a NextPort DFC from the Cisco AS5400 when you boot the system for the first time, or when you insert a NextPort DFC while the system is operating. When you insert DFCs while the system is operating, the Cisco IOS image recognizes the cards and downloads the required firmware to the cards. The SPE firmware image is bundled with the access server Cisco IOS image. The SPE firmware image uses an autodetect mechanism, which enables the NextPort DFC to service multiple call types. An SPE detects the call type and automatically configures itself for that operation. For further information on upgrading SPE firmware from the Cisco IOS image, refer to the section “Configuring SPEs to Use an Upgraded Firmware File.” The firmware is upgradeable independent of Cisco IOS upgrades, and different firmware versions can be configured to run on SPEs in the same NextPort DFC. You can download firmware from the Cisco System Cisco.com File Transfer Protocol (FTP) server. AS5800 Access Server SPE firmware is automatically downloaded to an AS5800 UPC from the router shelf Cisco IOS image when you boot the system for the first time or when you insert a UPC while the system is operating. The Cisco IOS image recognizes the card and the dial shelf downloads the required portware to the cards. Cisco IOS Release 12.1(3)T or higher is required for the UPC. The SPE firmware image (also known as portware) is bundled with the Cisco IOS UPC image. The SPE firmware image uses an autodetect mechanism, which enables the UPC to service multiple call types. An SPE detects the call type and automatically configures itself for that operation. For further information on upgrading SPE firmware from the Cisco IOS image, refer to the section “Configuring SPEs to Use an Upgraded Firmware File.” The firmware is upgradable independent of Cisco IOS upgrades, and different firmware versions can be configured to run on SPEs in the same UPC. You can download firmware from the Cisco.com File Transfer Protocol (FTP) server. Firmware Upgrade Task List Upgrading SPE firmware from the Cisco.com FTP server is done in two steps: • Downloading SPE Firmware from the Cisco.com FTP Server to a Local TFTP Server • Copying the SPE Firmware File from the Local TFTP Server to the SPEs Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-129 Cisco IOS Dial Technologies Configuration Guide Firmware Configuration Task List To complete firmware configuration once you have downloaded the SPE firmware, perform the tasks in the following sections: • Specifying a Country Name • Configuring Dial Split Shelves (AS5800 Only) • Configuring SPEs to Use an Upgraded Firmware File • Disabling SPEs • Rebooting SPEs • Configuring Lines • Configuring Ports • Verifying SPE Line and Port Configuration • Configuring SPE Performance Statistics • Clearing Log Events • Troubleshooting SPEs • Monitoring SPE Performance Statistics Note The following procedure can be used for either a Cisco AS5400 or AS5800 access server. Downloading SPE Firmware from the Cisco.com FTP Server to a Local TFTP Server Note You must be a registered Cisco user to log in to the Cisco Software Center. You can download software from the Cisco Systems Cisco.com FTP server using an Internet browser or using an FTP application. Both procedures are described. Using an Internet Browser Step 1 Launch an Internet browser. Step 2 Bring up the Cisco Software Center home page at the following URL (this is subject to change without notice): http://www.cisco.com/kobayashi/sw-center/ Step 3 Click Access Software (under Cisco Software Products) to open the Access Software window. Step 4 Click Cisco AS5400 Series or Cisco AS5800 Series software. Step 5 Click the SPE firmware you want and download it to your workstation or PC. For example, to download SPE firmware for the universal access server, click Download Universal Images. Step 6 Click the SPE firmware file you want to download, and then follow the remaining download instructions. If you are downloading the SPE firmware file to a PC, make sure that you download the file to the c:/tftpboot directory; otherwise, the download process does not work. Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-130 Cisco IOS Dial Technologies Configuration Guide Step 7 When the SPE firmware is downloaded to your workstation, transfer the file to a Trivial File Transfer Protocol (TFTP) server in your LAN using a terminal emulation software application. Step 8 When the SPE firmware is downloaded to your workstation, transfer the file to a TFTP server somewhere in your LAN using a terminal emulation software application. Using an FTP Application Note The directory path leading to the SPE firmware files on cco.cisco.com is subject to change without notice. If you cannot access the files using an FTP application, try the Cisco Systems URL http://www.cisco.com/cgi-bin/ibld/all.pl?i=support&c=3. Step 1 Log in to the Cisco.com FTP server called cco.cisco.com: terminal> ftp cco.cisco.com Connected to cio-sys.cisco.com. Step 2 Enter your registered username and password (for example, harry and letmein): Name (cco.cisco.com:harry): harry 331 Password required for harry. Password: letmein 230-############################################################# 230-# Welcome to the Cisco Systems CCO FTP server. 230-# This server has a number of restrictions. If you are not familiar 230-# with these, please first get and read the /README or /README.TXT file. 230-# http://www.cisco.com/acs/info/cioesd.html for more info. 230-############################################################# Step 3 Specify the directory path that holds the SPE firmware you want to download. For example, the directory path for the Cisco AS5400 SPE firmware is /cisco/access/5400: ftp> cd /cisco/access/5400 250-Please read the file README 250- it was last modified on Tue May 27 10:07:38 1997 - 48 days ago 250-Please read the file README.txt 250- it was last modified on Tue May 27 10:07:38 1997 - 48 days ago 250 CWD command successful. Step 4 Enter the ls command to view the contents of the directory: ftp> ls 227 Entering Passive Mode (192,31,7,130,218,128) 150 Opening ASCII mode data connection for /bin/ls. total 2688 drwxr-s--T 2 ftpadmin ftpcio 512 Jun 30 18:11 . drwxr-sr-t 19 ftpadmin ftpcio 512 Jun 23 10:26 .. lrwxrwxrwx 1 root 3 10 Aug 6 1996 README ->README.txt -rw-rw-r-- 1 root ftpcio 2304 May 27 10:07 README.txt -r--r--r-- 1 ftpadmin ftpint 377112 Jul 10 18:08 np-spe-upw-10.0.1.2.bin -r--r--r-- 1 ftpadmin ftpint 635 Jul 10 18:08 SPE-firmware.10.1.30.readme Step 5 Specify a binary image transfer: ftp> binary 200 Type set to I. Step 6 Copy the SPE firmware files from the access server to your local environment with the get command. Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-131 Cisco IOS Dial Technologies Configuration Guide Step 7 Quit your terminal session: ftp> quit Goodbye. Step 8 Enter the ls -al command to verify that you successfully transferred the files to your local directory: server% ls -al total 596 -r--r--r-- 1 280208 Jul 10 18:08 np-spe-upw-10.0.1.2.bin server% pwd /auto/tftpboot Step 9 Transfer these files to a local TFTP or remote copy protocol (RCP) server that your access server or router can access. Copying the SPE Firmware File from the Local TFTP Server to the SPEs The procedure for copying the SPE firmware file from your local TFTP server to the Cisco AS5400 NextPort DFCs or Cisco AS5800 UPCs is a two-step process. First, transfer the SPE firmware to the access server’s Flash memory. Then, configure the SPEs to use the upgrade firmware. The upgrade occurs automatically, either as you leave configuration mode, or as specified in the configuration. These two steps are performed only once. After you copy the SPE firmware file into Flash memory for the first time, you should not have to perform these steps again. Note Because the SPE firmware is configurable for individual SPEs or ranges of SPEs, the Cisco IOS software automatically copies the SPE firmware to each SPE each time the access server restarts. To transfer SPE Firmware to Flash memory, perform the following task to download the Universal SPE firmware to Flash memory: Step 1 Check the image in the access server Flash memory: Router# show flash System flash directory: File Length Name/status 1 4530624 c5400-js-mx [498776 bytes used, 16278440 available, 16777216 total] 16384K bytes of processor board System flash (Read/Write) Step 2 Enter the copy tftp flash command to download the code file from the TFTP server into the access server Flash memory. You are prompted for the download destination and the remote host name. Router# copy tftp flash Step 3 Enter the show flash command to verify that the file has been copied into the access server Flash memory: Router# show flash Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-132 Cisco IOS Dial Technologies Configuration Guide Specifying a Country Name To set the Cisco AS5400 NextPort DFCs or Cisco AS5800 UPCs to be operational for call set up, you must specify the country name. To specify the country name, use the following command in global configuration mode: Configuring Dial Split Shelves (AS5800 Only) The Cisco AS5800 access server requires a split dial shelf configuration using two router shelves to achieve the maximum capacity of 2048 port connections using the seven UPCs and three T3 + 1 T1 trunks. A new configuration command is available to define the split point: dial-shelf split backplane-ds0 option The options for this command come in pairs, and vary according to the desired configuration. You will need to log in to each router shelf and separately configure the routers for the intended load. In most circumstances it is recommended that the predefined options are selected. These options are designed to be matched pairs as seen below. Command Purpose Router(config)# spe country country name Specifies the country to set the UPC or DFC parameters (including country code and encoding). If you do not specify a country, the interface uses the default. If the access server is configured with T1 interfaces, the default is usa. If the access server is configured with E1 interfaces, the default is e1-default. Use the no form of this command to set the country code to the default of the domestic country. Note All sessions in all UPCs or DFCs in all slots must be in the idle state for this command to execute. Option Pair Router Shelf 1 Router Shelf 2 Total Option Maximum Calls Unused T1 Option Maximum Calls Unused T1 1 2ct3cas 1344 1ct3cas 672 2016 2 part2ct1ct3cas 1152 4 part1ct1ct3cas 888 3 2040 3 2ct3isdn 1288 part1ct1ct3isdn_b 644 7 1932 4 part2ct1ct3isdn 1150 2 part1ct1ct3isdn 897 1 2047 51 1. This option is used to revert to the default for an environment using 6 E1 lines. 3ce1 960 3ce1 960 1920 6 Default (no option entered) 1/2 of current input Default (no option entered) 1/2 of current input 7 no dial-shelf backplane-ds0 1024 no dial-shelf backplane-ds0 1024 2048 Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-133 Cisco IOS Dial Technologies Configuration Guide The dial-shelf split slot 0 3 4 5 command must be defined for the dial-shelf split backplane-ds0 option command to be active. You may also select the user defined option to define your own split. Even if your system is already using a split dial shelf configuration, configuring one router shelf to handle two T3 trunks and the other router to handle the third trunk requires you to take the entire access server out of service. Busyout all connections before attempting to reconfigure. The configuration must be changed to setup one pool of TDM resources that can be used by either DMM cards or UPCs, and a second pool of two streams that contains TDM resources that can only be used by UPCs. You may have more trunk capacity than 2048 calls. It is your decision how to provision the trunks so the backplane capacity is not exceeded. If more calls come in than backplane DS0 capacity for that half of the split, the call will be rejected and an error message printed for each call. This cannot be detected while a new configuration is being built because the router cannot tell which T1 trunks are provisioned and which are not. The user may want some trunks in hot standby. The DMM, HMM, and VoIP cards can only use 1792 DS0 of the available 2048 backplane DS0. The UPC and trunk cards can use the full 2048 backplane DS0. The show tdm splitbackplane command will show the resources in two groups, the first 1792 accessible to all cards, and the remaining 256 accessible only to UPC and trunk cards. For more information about split dial shelf configuration, refer to the Cisco AS5800 Universal Access Server Split Dial Shelf Installation and Configuration Guide and the hardware installation guides that accompanied your Cisco AS5800 Universal Access Server. Configuring SPEs to Use an Upgraded Firmware File To configure the SPEs to use the upgraded firmware file, use the following commands beginning in privileged EXEC mode to display the firmware version number: Command Purpose Step 1 Router# show spe version Displays SPE firmware versions to obtain the On-Flash firmware filename. Step 2 Router# configure terminal Enters global configuration mode. Step 3 AS5400: Router(config)# spe slot/spe or Router(config)# spe slot/spe slot/spe AS5800: Router(config)# spe shelf/slot/spe or Router(config)# spe shelf/slot/spe shelf/slot/spe Enters the SPE configuration mode. You can choose to configure a range of SPEs by specifying the first and last SPE in the range. Step 4 Router(config-spe)# firmware upgrade {busyout | download-maintenance | reboot} Specifies the upgrade method. Three methods of upgrade are available. The busyout keyword waits until all calls are terminated on an SPE before upgrading the SPE to the designated firmware. The download-maintenance keyword upgrades the firmware during the download maintenance time. The reboot keyword requests the access server to upgrade firmware at the next reboot. Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-134 Cisco IOS Dial Technologies Configuration Guide Note The copy ios-bundled command is not necessary with UPCs or NextPort DFCs. By default, the version of SPE firmware bundled with the Cisco IOS software release transfers to all SPEs not specifically configured for a different SPE firmware file. Disabling SPEs To disable specific SPEs in the Cisco AS5400 NextPort DFCs or Cisco AS5800 UPCs, use the following commands starting in global configuration mode: Step 5 Router(config-spe)# firmware location filename Specifies the SPE firmware file in Flash memory to use for the selected SPEs. Allows you to upgrade firmware for SPEs after the new SPE firmware image is copied to your Flash memory. Enter the no firmware location command to revert back to the default Cisco IOS bundled SPE firmware. Step 6 Router(config-spe)# exit Exits SPE configuration mode. Step 7 Router# exit Exits global configuration mode. Step 8 Router# copy running-config startup-config Saves your changes. Command Purpose Command Purpose Step 1 Cisco AS5400 Series Routers Router(config)# spe slot/spe or Router(config)# spe slot/spe slot/spe Cisco AS5800 Series Routers Router(config)# spe shelf/slot/spe or Router(config)# spe shelf/slot/spe shelf/slot/spe Enters SPE configuration mode. You can also configure SPEs specifying the first and last SPE in a range. Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-135 Cisco IOS Dial Technologies Configuration Guide Rebooting SPEs To reboot specified SPEs, use the following command in privileged EXEC mode: Step 2 Router(config-spe)# busyout Gracefully disables an SPE by waiting for all the active services on the specified SPE to terminate. You can perform auto-diagnostic tests and firmware upgrades when you put the SPEs in the Busy out state. Active ports on the specified SPE will change the state of the specified range of SPEs to the BusyoutPending state. The state changes from BusyoutPending to Busiedout when all calls end. Use the show spe command to see the state of the range of SPEs. Use the no form of this command to re-enable the SPEs. Step 3 Router(config-spe)# shutdown Clears active calls on all ports on the SPE. Calls can no longer be placed on the SPE because the SPE state is changed to Busiedout. Use the no form of this command to re-enable the ports on the SPE. Command Purpose Command Purpose Cisco AS5400 Series Routers Router# clear spe slot/spe Cisco AS5800 Series Routers Router# clear spe shelf/slot/spe Allows manual recovery of a port that is frozen in a suspended state. Reboots SPEs that are in suspended or Bad state. Downloads configured firmware to the specified SPE or range of SPEs and power-on self test (POST) is executed. Note Depending on the problem, sometimes downloading the SPE firmware may not help recover a bad port or an SPE. This command can be executed regardless of the state of SPEs. All active ports running on the SPE are prematurely terminated, and messages are logged into the appropriate log. Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-136 Cisco IOS Dial Technologies Configuration Guide Configuring Lines To configure the lines to dial in to your network, use the following commands beginning in global configuration mode: Command Purpose Step 1 Cisco AS5400 Series Routers Router(config)# line slot/port slot/port Cisco AS5800 Series Routers Router(config)# line shelf/slot/port shelf/slot/port Enters the line configuration mode. You can specify a range of slot and port numbers to configure. On the Cisco AS5400 access server, the NextPort DFC slot is defined as a value between 1 and 7. Slot 0 is reserved for the motherboard. Each NextPort DFC provides 18 SPEs. The SPE value ranges from 0 to 17. Since each SPE has six ports, the NextPort DFC has a total of 108 ports. The port value ranges from 0 to 107. To configure 108 ports on slot 3, you would enter line 3/00 3/107. If you wish to configure 324 ports on slots 3-5, you would enter line 3/00 5/107. On the Cisco AS5800 access server, the UPC slot is defined as a value between 2 and 11. Each UPC provides 54 SPEs. The SPE value ranges from 0 to 53. Because each SPE has six ports, the UPC has a total of 324 ports. The port value ranges from 0 to 323. To configure 324 ports on slot 3, you would enter line 1/3/00 1/3/323. If you want to configure 972 ports on slots 3-5, you would enter line 1/3/00 1/5/323. Step 2 Router(config-line)# transport input all Allows all protocols when connecting to the line. Step 3 Router(config-line)# autoselect ppp Enables remote IP users running a PPP application to dial in, bypass the EXEC facility, and connect directly to the network. Step 4 Router(config-line)# modem inout Enables incoming and outgoing calls. Step 5 Router(config-line)# modem autoconfigure type name Configures the attached modem using the entry for name. Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-137 Cisco IOS Dial Technologies Configuration Guide Configuring Ports This section describes how to configure Cisco AS5800 UPC or Cisco AS5400 NextPort DFC ports. You need to be in port configuration mode to configure these ports. The port configuration mode allows you to shut down or put individual ports or ranges of ports in busyout mode. To configure Cisco AS5800 UPC or Cisco AS5400 NextPort DFC ports, perform the following tasks beginning in global configuration mode: Command Purpose Step 1 Cisco AS5400 Series Routers Router(config)# port slot/spe or Router(config)# port slot/spe slot/spe Cisco AS5800 Series Routers Router(config)# port shelf/slot/spe or Router(config)# port shelf/slot/spe shelf/slot/spe Enters port configuration mode. You can choose to configure a single port or range of ports. Step 2 Router(config-port)# busyout (Optional) Gracefully disables a port by waiting for the active services on the specified port to terminate. Use the no form of this command to re-enable the ports. Maintenance activities, such as testing, can still be performed while the port is in busyout mode. Note When a port is in busyout mode, the state of the SPE is changed to the consolidated states of all the underlying ports on that SPE. Step 3 Router(config-port)# shutdown (Optional) Clears active calls on the port. No more calls can be placed on the port in the shutdown mode. Use the no form of this command to re-enable the ports. Note When a port is in shutdown mode, the state of the SPE is changed to the consolidated states of all the underlying ports on that SPE. Step 4 Router(config-port)# exit Exits port configuration mode. Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-138 Cisco IOS Dial Technologies Configuration Guide Verifying SPE Line and Port Configuration To verify your SPE line configuration, enter the show spe command to display a summary for all the lines and ports: Step 1 Enter the show spe command to display a summary for all the lines and ports: Router# show spe Step 2 Enter the show line command to display a summary for a single line. AS5400 Router# show line 1/1 AS5800 Router# show line 1/2/10 Note If you are having trouble, make sure that you have turned on the protocols for If you are having trouble, make sure that you have turned on the protocols for connecting to the lines (transport input all) and that your access server is configured for incoming and outgoing calls (modem inout). Configuring SPE Performance Statistics Depending on the configuration, call record is displayed on the console, or the syslog, or on both. The log contains raw data in binary form, which must be viewed using the show commands listed in the section “Monitoring SPE Performance Statistics.” You can configure some aspects of history events by using one of the following commands in global configuration mode: Command Purpose Router(config)# spe call-record modem max-userid Requests the access server to generate a modem call record after a call is terminated. To disable this function, use the no form of this command. Router(config)# spe log-size number Sets the maximum size of the history event queue log entry for each port. The default is 50 events per port. Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-139 Cisco IOS Dial Technologies Configuration Guide Clearing Log Events To clear some or all of the log events relating to the SPEs as needed, use the following privileged EXEC mode commands: Troubleshooting SPEs This section provides troubleshooting information for your SPEs regardless of service type mode. Note SPE ports that pass the diagnostic test are marked as Pass, Fail, and Unkn. Ports that fail the diagnostic test are marked as Bad. These ports cannot be used for call connections. Depending on how many ports are installed, the diagnostic tests may take from 5 to 10 minutes to complete. • Enter the port modem startup-test command to perform diagnostic testing for all modems during the system's initial startup or rebooting process. To disable the test, enter the no port modem startup-test command. • Enter the port modem autotest command to perform diagnostic testing for all ports during the system’s initial startup or rebooting process.To disable the test, enter the no port modem autotest command. You may additionally configure the following options: – Enter the port modem autotest minimum ports command to define the minimum number of free ports available for autotest to begin. – Enter the port modem autotest time hh:mm interval command to enable autotesting time and interval. – Enter the port modem autotest error threshold command to define the maximum number of errors detected for autotest to begin. • Enter the show port modem test command to displays results of the SPE port startup test and SPE port auto-test. When an SPE port is tested as Bad, you may perform additional testing by conducting a series of internal back-to-back connections and data transfers between two SPE ports. All port test connections occur inside the access server. For example, if mobile users cannot dial into port 2/5 (which is the sixth port on the NextPort DFC in the second chassis slot), attempt a back-to-back test with port 2/5 and a known-functioning port such as port 2/6. • Enter the test port modem back-to-back slot/port slot/port command to perform internal back-to-back port tests between two ports sending test packets of the specified size. Command Purpose Router# clear spe log Clears all event entries in the slot history event log. Router# clear spe counters Clears statistical counters for all types of services for the specified SPE, a specified range of SPEs, or all SPEs. If you do not specify the range of SPEs or an SPE, the statistics for all SPEs are cleared. Router# clear port log Clears all event entries in the port level history event log. You cannot remove individual service events from the port log. Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-140 Cisco IOS Dial Technologies Configuration Guide Note You might need to enable this command on several different combinations of ports to determine which one is not functioning properly. A pair of operable ports successfully connects and completes transmitting data in both directions. An operable port and an inoperable port do not successfully connect with each other. A sample back-to-back test might look like the following: Router# test port modem back-to-back 2/10 3/20 Repetitions (of 10-byte packets) [1]: *Mar 02 12:13:51.743:%PM_MODEM_MAINT-5-B2BCONNECT:Modems (2/10) and (3/20) connected in back-to-back test:CONNECT33600/V34/LAP *Mar 02 12:13:52.783:%PM_MODEM_MAINT-5-B2BMODEMS:Modems (3/20) and (2/10) completed back-to-back test:success/packets = 2/2 Tips You may reboot the port that has problems using the clear spe EXEC command. • Enter the spe recovery {port-action {disable | recover | none} | port-threshold num-failures} command to perform automatic recovery (removal from service and reloading of SPE firmware) of ports on an SPE at any available time. An SPE port failing to connect for a certain number of consecutive times indicates that a problem exists in a specific part or the whole of SPE firmware. Such SPEs have to be recovered by downloading firmware. Any port failing to connect num-failures times is moved to a state based on the port-action value, where you can choose to disable (mark the port as Bad) or recover the port when the SPE is in the idle state and has no active calls. The default for num-failures is 30 consecutive call failures. Tips You may also schedule recovery using the spe download maintenance command. • Enter the spe download maintenance time hh:mm | stop-time hh:mm | max-spes number | window time-period | expired-window {drop-call | reschedule} command to perform a scheduled recovery of SPEs. The download maintenance activity starts at the set start time and steps through all the SPEs that need recovery and the SPEs that need a firmware upgrade and starts maintenance on the maximum number of set SPEs for maintenance. The system waits for the window delay time for all the ports on the SPE to become inactive before moving the SPE to the Idle state. Immediately after the SPE moves to Idle state, the system starts to download firmware. If the ports are still in use by the end of window delay time, depending upon the expired-window setting, connections on the SPE ports are shutdown and the firmware is downloaded by choosing the drop-call option, or the firmware download is rescheduled to the next download maintenance time by choosing the reschedule option. This process continues until the number of SPEs under maintenance is below max-spes, or until stop-time (if set), or until all SPEs marked for recovery or upgrade have had their firmware reloaded. Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-141 Cisco IOS Dial Technologies Configuration Guide Monitoring SPE Performance Statistics This section documents various SPE performance statistics for the Cisco AS5400 NextPort DFCs or Cisco AS5800 UPCs: • SPE Events and Firmware Statistics • Port Statistics • Digital SPE Statistics • SPE Modem Statistics SPE Events and Firmware Statistics To view SPE events and firmware statistics for the Cisco AS5400 NextPort DFCs or Cisco AS5800 UPCs, use one or more of the following commands in privileged EXEC mode: Port Statistics To view port statistics for the Cisco AS5400 NextPort DFCs or Cisco AS5800 UPCs, use the following commands in privileged EXEC mode as needed: Command Purpose Cisco AS5400 series routers Router# show spe slot/spe Cisco AS5800 series routers Router# show spe shelf/slot/spe Displays the SPE status for the specified range of SPEs. Router# show spe log [reverse | slot] Displays the SPE system log. Router# show spe version Lists all SPEs and the SPE firmware files used. Note This list helps you decide if you need to update your SPE firmware files. Command Purpose Cisco AS5400 series routers Router# show port config {slot | slot/port} Cisco AS5800 series routers Router# show port config {slot | shelf/slot/port} Displays the configuration information for specified ports or the specified port range. The port should have an active session associated at the time the command is executed. Cisco AS5400 series routers Router# show port digital log [reverse slot/port] [slot | slot/port] Displays the digital data event log. Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-142 Cisco IOS Dial Technologies Configuration Guide Digital SPE Statistics To view digital SPE statistics for the Cisco AS5400 NextPort DFCs, use one or more of the following commands in privileged EXEC mode: Cisco AS5400 series routers Router# show port modem log [reverse slot/port] [slot | slot/port] Cisco AS5800 series routers Router# show port modem log [reverse shelf/slot/port] [shelf/slot | shelf/slot/port] Displays the port history event log. Cisco AS5400 series routers Router# show port modem test [slot | slot/port] Cisco AS5800 series routers Router# show port modem test [shelf/slot | shelf/slot/port] Displays the test log for the specified SPE port range or all the SPE ports. Cisco AS5400 series routers Router# show port operational-status [slot | slot/port] Cisco AS5800 series routers Router# show port operational-status [shelf/slot | shelf/slot/port] Displays the operational status of the specified ports or the specified port range. The port should have an active session associated at the time the command is executed. Command Purpose Command Purpose Router# show spe digital [slot | slot/spe] Displays history statistics of all digital SPEs. Router# show spe digital active [slot | slot/spe] Displays active digital statistics of a specified SPE, the specified range of SPEs, or all the SPEs. Router# show spe digital csr [summary | slot | slot/spe] Displays the digital call success rate statistics for a specific SPE, a range of SPEs, or all the SPEs. Router# show spe digital disconnect-reason [summary | slot | slot/spe] Displays the digital disconnect reasons for the specified SPE or range of SPEs. The disconnect reasons are displayed with Class boundaries. Router# show spe digital summary [slot | slot/spe] Displays digital history statistics of all SPEs, a specified SPE, or the specified range of SPEs for all service types. Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-143 Cisco IOS Dial Technologies Configuration Guide SPE Modem Statistics To view SPE modem statistics for the Cisco AS5400 NextPort DFCs or Cisco AS5800 UPCs, use one or more of the following commands in privileged EXEC mode: Command Purpose Cisco AS5400 series routers Router# show spe modem active {slot | slot/spe} Cisco AS5800 series router: Router# show spe modem active {shelf/slot | shelf/slot/spe} Displays the active statistics of a specified SPE, a specified range of SPEs, or all the SPEs serving modem traffic. Cisco AS5400 series routers Router# show spe modem csr {summary | slot | slot/spe} Cisco AS5800 series routers Router# show spe modem csr {summary | shelf/slot | shelf/slot/spe} Displays the call success rate statistics for a specific SPE, range of SPEs, or all the SPEs. Cisco AS5400 series routers Router# show spe modem disconnect-reason {summary | slot | slot/spe} Cisco AS5800 series routers Router# show spe modem disconnect-reason {summary | shelf/slot | shelf/slot/spe} Displays the disconnect reasons for the specified SPE or range of SPEs. The disconnect reasons are displayed with Class boundaries. Cisco AS5400 series routers Router# show spe modem high speed {summary | slot | slot/spe} Cisco AS5800 series routers Router# show spe modem high speed {summary | shelf/slot | shelf/slot/spe} Shows the connect-speeds negotiated within each high speed modulation or codecs for a specific range of SPEs or all the SPEs. Cisco AS5400 series routers Router# show spe modem low speed {summary | slot | slot/spe} Cisco AS5800 series routers Router# show spe modem low speed {summary | shelf/slot | shelf/slot/spe} Shows the connect-speeds negotiated within each low speed modulation or codecs for a specific range of SPEs or all the SPEs. Cisco AS5400 series routers Router# show spe modem high standard {summary | slot | slot/spe} Cisco AS5800 series routers Router# show spe modem high standard {summary | shelf/slot | shelf/slot/spe} Displays the total number of connections within each low modulation or codec for a specific range of SPEs. Configuring and Managing Cisco Access Servers and Dial Shelves Upgrading and Configuring SPE Firmware DC-144 Cisco IOS Dial Technologies Configuration Guide Cisco AS5400 series routers Router# show spe modem low standard {summary | slot | slot/spe} Cisco AS5800 series routers Router# show spe modem low standard {summary | shelf/slot | shelf/slot/spe} Displays the total number of connections within each high modulation or codec for a specific range of SPEs. Cisco AS5400 series routers Router# show spe modem summary {slot | slot/spe} Cisco AS5800 series routers Router# show spe modem summary {shelf/slot | shelf/slot/spe} Displays the history statistics of all SPEs, specified SPE or the specified range of SPEs. Command Purpose DC-145 Cisco IOS Dial Technologies Configuration Guide Configuring and Managing External Modems This chapter describes how to configure externally connected modems. These tasks are presented in the following main sections: • External Modems on Low-End Access Servers • Automatically Configuring an External Modem • Manually Configuring an External Modem • Supporting Dial-In Modems • Testing the Modem Connection • Managing Telnet Sessions • Modem Troubleshooting Tips • Checking Other Modem Settings To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the modem support commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. External Modems on Low-End Access Servers Some of the Cisco lower-end access servers, such as the Cisco AS2511-RJ shown in Figure 23, have cable connections to external modems. The asynchronous interfaces and lines are inside the access server. Configuring and Managing External Modems Automatically Configuring an External Modem DC-146 Cisco IOS Dial Technologies Configuration Guide Figure 23 Cisco AS2511-RJ Access Server When you configure modems to function with your access server, you must provide initialization strings and other settings on the modem to tell it how to function with the access server. This section assumes that you have already physically attached the modem to the access server. If not, refer to the user guide or installation and configuration guide for your access server for information about attaching modems. Automatically Configuring an External Modem The Cisco IOS software can issue initialization strings automatically, in a file called a modemcap, for most types of modems externally attached to the access server. A modemcap is a series of parameter settings that are sent to your modem to configure it to interact with the Cisco device in a specified way. The Cisco IOS software defines modemcaps that have been found to properly initialize most modems so that they function properly with Cisco routers and access servers. For Cisco IOS Release 12.2, these modemcaps have the following names: • default—Generic Hayes interface external modem • codex_3260—Motorola Codex 3260 external • usr_courier—U.S. Robotics Courier external • usr_sportster—U.S. Robotics Sportster external • hayes_optima—Hayes Optima external1 • global_village—Global Village Teleport external • viva—Viva (Rockwell ACF with MNP) external • telebit_t3000—Telebit T3000 external • nec_v34—NEC V.34 external • nec_v110—NEC V.110 TA external • nec_piafs—NEC PIAFS TA external 1 The hayes_optima modemcap is not recommended for use; instead, use the default modemcap. 14479 1 ASYNC 2 3 ASYNC 4 5 ASYNC 6 7 ASYNC 8 9 ASYNC 10 11 ASYNC 12 13 ASYNC 14 15 ASYNC 16 Cisco AS2511-RJ Modems are outside the chassis Modem Modem Configuring and Managing External Modems Automatically Configuring an External Modem DC-147 Cisco IOS Dial Technologies Configuration Guide Enter these modemcap names with the modemcap entry command. If your modem is not on this list and if you know what modem initialization string you need to use with it, you can create your own modemcap; see the following procedure “Using the Modem Autoconfigure Type Modemcap Feature.” To have the Cisco IOS software determine what type of modem you have, use the modem autoconfigure discovery command to configure it, as described in the procedure “Using the Modem Autoconfigure Discovery Feature.” Using the Modem Autoconfigure Type Modemcap Feature Step 1 Use the modemcap edit command to define your own modemcap entry. The following example defines modemcap MODEMCAPNAME: Router(config)# modemcap edit MODEMCAPNAME miscellaneous &FS0=1&D3 Step 2 Apply the modemcap to the modem lines as shown in the following example: Router# terminal monitor Router# debug confmodem Modem Configuration Database debugging is on Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# line 33 34 Router(config-line)# modem autoconfigure type MODEMCAPNAME Router(config-line)# Jan 16 18:12:59.643: TTY34: detection speed (115200) response ---OK--- Jan 16 18:12:59.643: TTY34: Modem command: --AT&FS0=1&D3-- Jan 16 18:12:59.659: TTY33: detection speed (115200) response ---OK--- Jan 16 18:12:59.659: TTY33: Modem command: --AT&FS0=1&D3-- Jan 16 18:13:00.227: TTY34: Modem configuration succeeded Jan 16 18:13:00.227: TTY34: Detected modem speed 115200 Jan 16 18:13:00.227: TTY34: Done with modem configuration Jan 16 18:13:00.259: TTY33: Modem configuration succeeded Jan 16 18:13:00.259: TTY33: Detected modem speed 115200 Jan 16 18:13:00.259: TTY33: Done with modem configuration Using the Modem Autoconfigure Discovery Feature If you prefer the modem software to use its autoconfigure mechanism to configure the modem, use the modem autoconfigure discovery command. The following example shows how to configure modem autoconfigure discovery mode: Router# terminal monitor Router# debug confmodem Modem Configuration Database debugging is on Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# line 33 34 Router(config-line)# modem autoconfigure discovery Jan 16 18:16:17.724: TTY33: detection speed (115200) response ---OK--- Jan 16 18:16:17.724: TTY33: Modem type is default Jan 16 18:16:17.724: TTY33: Modem command: --AT&F&C1&D2S0=1H0-- Jan 16 18:16:17.728: TTY34: detection speed (115200) response ---OK--- Jan 16 18:16:17.728: TTY34: Modem type is default Jan 16 18:16:17.728: TTY34: Modem command: --AT&F&C1&D2S0=1H0-- Jan 16 18:16:18.324: TTY33: Modem configuration succeeded Configuring and Managing External Modems Manually Configuring an External Modem DC-148 Cisco IOS Dial Technologies Configuration Guide Jan 16 18:16:18.324: TTY33: Detected modem speed 115200 Jan 16 18:16:18.324: TTY33: Done with modem configuration Jan 16 18:16:18.324: TTY34: Modem configuration succeeded Jan 16 18:16:18.324: TTY34: Detected modem speed 115200 Jan 16 18:16:18.324: TTY34: Done with modem configuration Manually Configuring an External Modem If you cannot configure your modem automatically, you must configure it manually. This section describes how to determine and issue the correct initialization string for your modem and how to configure your modem with it. Modem command sets vary widely. Although most modems use the Hayes command set (prefixing commands with at), Hayes-compatible modems do not use identical at command sets. Refer to the documentation that came with your modem to learn how to examine the current and stored configuration of the modem that you are using. Generally, you enter at commands such as &v, i4, or *o to view, inspect, or observe the settings. Timesaver You must first create a direct Telnet or connection session to the modem before you can send an initialization string. You can use AT&F as a basic modem initialization string in most cases. To establish a direct Telnet session to an external modem, determine the IP address of your LAN (Ethernet) interface, and then enter a Telnet command to port 2000 + n on the access server, where n is the line number to which the modem is connected. See the sections “Testing the Modem Connection” and “Managing Telnet Sessions” for more information about making Telnet connections. A sample modem initialization string for a US Robotics Courier modem is as follows: &b1&h1&r2&c1&d3&m4&k1s0=1 Modem initialization strings enable the following functions: • Locks the speed of the modem to the speed of the serial port on the access server • Sets hardware flow control (RTS/CTS or request to send/clear to send) • Ensures correct data carrier detect (DCD) operation • Ensures proper data terminal ready (DTR) interpretation • Answers calls on the first ring Note Make sure to turn off automatic baud rate detection because the modem speeds must be set to a fixed value. The port speed must not change when a session is negotiated with a remote modem. If the speed of the port on the access server is changed, you must establish a direct Telnet session to the modem and send an at command so that the modem can learn the new speed. Configuring and Managing External Modems Supporting Dial-In Modems DC-149 Cisco IOS Dial Technologies Configuration Guide Modems differ in the method that they use to lock the EIA/TIA-232 (serial) port speed. In the modem documentation, vendors use terms such as port-rate adjust, speed conversion, or buffered mode. Enabling error correction often puts the modem in the buffered mode. Refer to your modem documentation to learn how your modem locks speed (check the settings &b, \j, &q, \n, or s-register settings). RTS and CTS signals must be used between the modem and the access server to control the flow of data. Incorrectly configuring flow control for software or setting no flow control can result in hung sessions and loss of data. Modems differ in the method that they use to enable hardware flow control. Refer to your modem documentation to learn how to enable hardware flow control (check the settings &e, &k, &h, &r, or s-register). The modem must use the DCD wire to indicate to the access server when a session has been negotiated and is established with a remote modem. Most modems use the setting &c1. Refer to your modem documentation for the DCD settings used with your modem. The modem must interpret a toggle of the DTR signal as a command to drop any active call and return to the stored settings. Most modems use the settings &d2 or &d3. Refer to your modem documentation for the DTR settings used with your modem. If a modem is used to service incoming calls, it must be configured to answer a call after a specific number of rings. Most modems use the setting s0=1 to answer the call after one ring. Refer to your modem documentation for the settings used with your modem. Supporting Dial-In Modems The Cisco IOS software supports dial-in modems that use DTR to control the off-hook status of the telephone line. This feature is supported primarily on old-style modems, especially those in Europe. To configure the line to support this feature, use the following command in line configuration mode: Figure 24 illustrates the modem callin command. When a modem dialing line is idle, it has its DTR signal at a low state and waits for a transition to occur on the data set ready (DSR) input. This transition causes the line to raise the DTR signal and start watching the CTS signal from the modem. After the modem raises CTS, the Cisco IOS software creates an EXEC session on the line. If the timeout interval (set with the modem answer-timeout command) passes before the modem raises the CTS signal, the line lowers the DTR signal and returns to the idle state. Command Purpose Router(config-line)# modem callin Configures a line for a dial-in modem. Configuring and Managing External Modems Supporting Dial-In Modems DC-150 Cisco IOS Dial Technologies Configuration Guide Figure 24 EXEC Creation on a Line Configured for Modem Dial-In Note The modem callin and modem cts-required line configuration commands are useful for SLIP operation. These commands ensure that when the line is hung up or the CTS signal drops, the line reverts from Serial Line Internet Protocol (SLIP) mode to normal interactive mode. These commands do not work if you put the line in network mode permanently. Although you can use the modem callin line configuration command with newer modems, the modem dialin line configuration command described in this section is more appropriate. The modem dialin command frees up CTS input for hardware flow control. Modern modems do not require the assertion of DTR to answer a phone line (that is, to take the line off-hook). high, watching Lower DTR Ringing Idle state Ready and active Ring transition CTS raised DTR CTS Create EXEC Raise DTR Lower DTR close connection DTR high CTS lowered or exit Answer timeout Hang up DTR low S1001a DTR low, watching CTS Configuring and Managing External Modems Testing the Modem Connection DC-151 Cisco IOS Dial Technologies Configuration Guide Testing the Modem Connection To test the connection, send the modem the AT command to request its attention. The modem should respond with “OK.” For example: at OK If the modem does not reply to the at command, perform the following steps: Step 1 Enter the show users EXEC command and scan the display output. The output should not indicate that the line is in use. Also verify that the line is configured for modem inout. Step 2 Enter the show line EXEC command. The output should contain the following two lines: Modem state: Idle Modem hardware state: CTS noDSR DTR RTS If the output displays “no CTS” for the modem hardware state, the modem is not connected, is not powered up, is waiting for data, or might not be configured for hardware flow control. Step 3 Verify the line speed and modem transmission rate. Make sure that the line speed on the access server matches the transmission rate, as shown in Table 13. To verify the line speed, use the show run EXEC command. The line configuration fragment appears at the tail end of the output. The following example shows that lines 7 through 9 are transmitting at 115200 bits per second (bps). Sixteen 28800-kbps modems are connected to a Cisco AS2511-RJ access server via a modem cable. Router# show run Building configuration... Current configuration: . . . ! line 1 16 login local modem InOut speed 115200 transport input all flowcontrol hardware script callback callback autoselect ppp autoselect during-login Table 13 Matching Line Speed with Transmission Rate Modem Transmission Rate (in bits per second) Line Speed on the Access Server (in bits per second) 9600 38400 14400 57600 28800 115200 Configuring and Managing External Modems Managing Telnet Sessions DC-152 Cisco IOS Dial Technologies Configuration Guide Step 4 The speeds of the modem and the access server are likely to be different. If so, switch off the modem, and then switch it back on. This action should change the speed of the modem to match the speed of the access server. Step 5 Check your cabling and the modem configuration (echo or result codes might be off). Enter the appropriate at modem command to view the modem configuration, or use the at&f command to return to factory defaults. Refer to your modem documentation to learn the appropriate at command to view your modem configuration. Note See the section “Configuring Cisco Integrated Modems Using Modem Attention Commands” in the “Configuring and Managing Integrated Modems” chapter for information about modem attention commands for the Cisco internal modems. Managing Telnet Sessions You communicate with an external modem by establishing a direct Telnet session from the asynchronous line on the access server, which is connected to the modem. This process is also referred to as reverse Telnet. Performing a reverse Telnet means that you are initiating a Telnet session out the asynchronous line, instead of accepting a connection into the line (called a forward connection). Note Before attempting to allow inbound connections, make sure that you close all open connections to the modems attached to the access server. If you have a modem port in use, the modem will not accept a call properly. To establish a direct Telnet session to an external modem, determine the IP address of your LAN (Ethernet) interface, and then enter a Telnet command to port 2000 + n on the access server, where n is the line number to which the modem is connected. For example, to connect to the modem attached to line 1, enter the following command from an EXEC session on the access server: Router# telnet 172.16.1.10 2001 Trying 172.16.1.10, 2001 ... Open This example enables you to communicate with the modem on line 1 using the AT (attention) command set defined by the modem vendor. Timesaver Use the ip host configuration command to simplify direct Telnet sessions with modems. The ip host command maps an IP address of a port to a device name. For example, the modem1 2001 172.16.1.10 command enables you to enter modem1 to initiate a connection with the modem, instead of repeatedly entering telnet 172.16.1.10 2001 each time you want to communicate with the modem. You can also configure asynchronous rotary line queueing, which places Telnet login requests in a queue when lines are busy. See the section “Configuring Asynchronous Rotary Line Queueing” in the “Configuring Asynchronous Lines and Interfaces” chapter for more information. Configuring and Managing External Modems Managing Telnet Sessions DC-153 Cisco IOS Dial Technologies Configuration Guide Suspending Telnet Sessions: When you are connected to an external modem, the direct Telnet session must be terminated before the line can accept incoming calls. If you do not terminate the session, it will be indicated in the output of the show users command and will return a modem state of ready if the line is still in use. If the line is no longer in use, the output of the show line value command will return a state of idle. Terminating the Telnet session requires first suspending it, then disconnecting it. To suspend a Telnet session, perform the following steps: Step 1 Enter Ctrl-Shift-6 x to suspend the Telnet session: - suspend keystroke - Router# Note Ensure that you can reliably issue the escape sequence to suspend a Telnet session. Some terminal emulation packages have difficulty sending the Ctrl-Shift-6 x sequence. Refer to your terminal emulation documentation for more information about escape sequences. Step 2 Enter the where EXEC command to check the connection numbers of open sessions: Router# where Conn Host Address Byte Idle Conn Name * 1 172.16.1.10 172.16.1.10 0 0 172.16.1.10 2 172.16.1.11 172.16.1.11 0 12 modem2 Step 3 When you have suspended a session with one modem, you can connect to another modem and suspend it: Router# telnet modem2 Trying modem2 (172.16.1.11, 2002) ... Open - suspend keystroke - Router# Step 4 To disconnect (completely close) a Telnet session, enter the disconnect EXEC command: Router# disconnect line 1 Closing connection to 172.16.1.10 [confirm] y Router# disconnect line 2 Closing connection to 172.16.1.11 [confirm] y Router# Configuring and Managing External Modems Modem Troubleshooting Tips DC-154 Cisco IOS Dial Technologies Configuration Guide Modem Troubleshooting Tips Table 14 contains troubleshooting tips on modem access and control. Table 14 Modem Troubleshooting Tips Problem Likely Cause Connection refused. Someone already has a connection to that port. or an EXEC is running on that port. or The modem failed to lower the carrier detect (CD) signal after a call disconnected, resulting in an EXEC that remained active after disconnect. To force the line back into an idle state, clear the line from the console and try again. If it still fails, ensure that you have set modem inout command for that line. If you don't have modem control, either turn off EXEC on the line (by using the exec-timeout line configuration command) before making a reverse connection or configure the modem using an external terminal. As a last resort, disconnect the modem, clear the line, make the Telnet connection, and then attach the modem. The prevents a misconfigured modem from denying you line access. Connection appears to hang. Try entering “^U” (clear line), “^Q” (XON), and press Return a few times to try to establish terminal control. EXEC does not come up; autoselect is on. Press Return to enter EXEC. Modem does not hang up after entering quit. The modem is not receiving DTR information, or you have not set up modem control on the router. Interrupts another user session when you dial in. The modem is not dropping CD on disconnect, or you have not set up modem control on the router. Connection hangs after entering “+++” on the dialing modem, followed by an ATO. The answering modem saw and interpreted the “+++” when it was echoed to you. This is a bug in the answering modem, common to many modems. There may be a switch to work around this problem; check the modem’s documentation. Losing data. You may have Hardware Flow Control only on for either the router’s line (DTE) or the modem (DCE). Hardware Flow Control should be on for both or off for both, but not for only one. Using MDCE. Turn MDCE into an MMOD by moving pin 6 to pin 8 because most modems use CD and not DSR to indicate the presence of carrier. You can also program some modems to provide carrier info via DSR. Configuring and Managing External Modems Checking Other Modem Settings DC-155 Cisco IOS Dial Technologies Configuration Guide Checking Other Modem Settings This section defines other settings that might be needed or desirable, depending on your modem. Error correction can be negotiated between two modems to ensure a reliable data link. Error correction standards include Link Access Procedure for Modems (LAPM) and MNP4. V.42 error correction allows either LAPM or MNP4 error correction to be negotiated. Modems differ in the way they enable error correction. Refer to your modem documentation for the error correction methods used with your modem. Data compression can be negotiated between two modems to allow for greater data throughput. Data compression standards include V.42bis and MNP5. Modems differ in the way they enable data compression. Refer to your modem documentation for the data compression settings used with your modem. Configuring and Managing External Modems Checking Other Modem Settings DC-156 Cisco IOS Dial Technologies Configuration Guide DC-157 Cisco IOS Dial Technologies Configuration Guide Modem Signal and Line States This chapter describes modem states in the following section: • Signal and Line State Diagrams To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the modem support commands in this chapter, refer to the Cisco IOS Modem Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Signal and Line State Diagrams The following signal and line state diagrams accompany some of the tasks in the following sections to illustrate how the modem control works: • Configuring Automatic Dialing • Automatically Answering a Modem • Supporting Dial-In and Dial-Out Connections • Configuring a Line Timeout Interval • Closing Modem Connections • Configuring a Line to Disconnect Automatically • Supporting Reverse Modem Connections and Preventing Incoming Calls Modem Signal and Line States Signal and Line State Diagrams DC-158 Cisco IOS Dial Technologies Configuration Guide The diagrams show two processes: • The “create daemon” process creates a tty daemon that handles the incoming network connection. • The “create EXEC” process creates the process that interprets user commands. (See Figure 25 through Figure 29.) In the diagrams, the current signal state and the signal the line is watching are listed inside each box. The state of the line (as displayed by the show line EXEC command) is listed next to the box. Events that change that state appear in italics along the event path, and actions that the software performs are described within ovals. Figure 25 illustrates line states when no modem control is set. The DTR output is always high, and CTS and RING are completely ignored. The Cisco IOS software starts an EXEC session when the user types the activation character. Incoming TCP connections occur instantly if the line is not in use and can be closed only by the remote host. Figure 25 EXEC and Daemon Creation on a Line with No Modem Control Ringing Ready Exit Create daemon Network connection closed Incoming network connection Ready and active DTR high Ready and active User-typed activation character Create EXEC DTR high S1201a DTR high Modem Signal and Line States Signal and Line State Diagrams DC-159 Cisco IOS Dial Technologies Configuration Guide Configuring Automatic Dialing With the dialup capability, you can set a modem to dial the phone number of a remote router automatically. This feature offers cost savings because phone line connections are made only when they are needed—you pay for using the phone line only when there is data to be received or sent. To configure a line for automatic dialing, use the following command in line configuration mode: Using the modem dtr-active command causes a line to raise DTR signal only when there is an outgoing connection (such as reverse Telnet, NetWare Asynchronous Support Interface (NASI), or DDR), rather than leave DTR raised all the time. When raised, DTR potentially tells the modem that the router is ready to accept a call. Automatically Answering a Modem You can configure a line to answer a modem automatically. You also can configure the modem to answer the telephone on its own (as long as DTR is high), drop connections when DTR is low, and use its Carrier Detect (CD) signal to accurately reflect the presence of carrier. (Configuring the modem is a modem-dependent process.) First, wire the modem CD signal (generally pin-8) to the router RING input (pin-22), then use the following command in line configuration mode: You can turn on modem hardware flow control independently to respond to the status of router CTS input. Wire CTS to whatever signal the modem uses for hardware flow control. If the modem expects to control hardware flow in both directions, you might also need to wire modem flow control input to some other signal that the router always has high, such as the DTR signal. Figure 26 illustrates the modem dialin process with a high-speed dialup modem. When the Cisco IOS software detects a signal on the RING input of an idle line, it starts an EXEC or autobaud process on that line. If the RING signal disappears on an active line, the Cisco IOS software closes any open network connections and terminates the EXEC facility. If the user exits the EXEC or the software terminates because of no user input, the line makes the modem hang up by lowering the DTR signal for 5 seconds. After 5 seconds, the modem is ready to accept another call. Command Purpose Router(config-line)# modem dtr-active Configures a line to initiate automatic dialing. Command Purpose Router(config-line)# modem dialin Configures a line to automatically answer a modem. Modem Signal and Line States Signal and Line State Diagrams DC-160 Cisco IOS Dial Technologies Configuration Guide Figure 26 EXEC Creation on a Line Configured for a High-Speed Modem Supporting Dial-In and Dial-Out Connections To configure a line for both incoming and outgoing calls, use the following command in line configuration mode: Figure 27 illustrates the modem inout command. If the line is activated by raising the data set ready (DSR) signal, it functions exactly as a line configured with the modem dialin line configuration command described in the section “Automatically Answering a Modem” earlier in this chapter. If the line is activated by an incoming TCP connection, the line functions similarly to lines not used with modems. high, watching Lower DTR Ringing Idle state Ready and active Ring transition CTS raised DTR CTS Create EXEC Raise DTR Lower DTR close connection DTR high CTS lowered or exit Answer timeout Hang up DTR low S1001a DTR low, watching CTS Command Purpose Router(config-line)# modem inout Configures a line for both incoming and outgoing calls. Modem Signal and Line States Signal and Line State Diagrams DC-161 Cisco IOS Dial Technologies Configuration Guide Figure 27 EXEC and Daemon Creation for Incoming and Outgoing Calls Note If your system incorporates dial-out modems, consider using access lists to prevent unauthorized use. Configuring a Line Timeout Interval To change the interval that the Cisco IOS software waits for the CTS signal after raising the DTR signal in response to the DSR (the default is 15 seconds), use the following command in line configuration mode. The timeout applies to the modem callin command only. Note The DSR signal is called RING on older ASM-style chassis. Hang up Idle state CTS raised high, watching DTR CTS CTS lowered or network connection closed CTS lowered high, watching DTR CTS Close connection, DTR low for 5 seconds high, watching DTR CTS Incoming network connection DTR going low high, watching DTR CTS Create daemon User-typed activation character Create EXEC Ready Ready and active Ready and active CTS lowered or exit S1004a Command Purpose Router(config-line)# modem answer-timeout seconds Configures modem line timing. Modem Signal and Line States Signal and Line State Diagrams DC-162 Cisco IOS Dial Technologies Configuration Guide Closing Modem Connections Note The modem cts-required command was replaced by the modem printer command in Cisco IOS Release 12.2. To configure a line to close connections from a user’s terminal when the terminal is turned off and to prevent inbound connections to devices that are out of service, use the following command in line configuration mode: Figure 28 illustrates the modem cts-required command operating in the context of a continuous CTS signal. This form of modem control requires that the CTS signal be high for the entire session. If CTS is not high, the user input is ignored and incoming connections are refused (or sent to the next line in a rotary group). Figure 28 EXEC and Daemon Creation on a Line Configured for Continuous CTS Command Purpose Router(config-line)# modem cts-required Configures a line to close connections. Hang up Idle state CTS raised high, watching DTR CTS CTS lowered or network connection closed CTS lowered high, watching DTR CTS Close connection, DTR low for 5 seconds high, watching DTR CTS Incoming network connection DTR going low high, watching DTR CTS Create daemon User-typed activation character Create EXEC Ready Ready and active Ready and active CTS lowered or exit S1004a Modem Signal and Line States Signal and Line State Diagrams DC-163 Cisco IOS Dial Technologies Configuration Guide Configuring a Line to Disconnect Automatically To configure automatic line disconnect, use the following command in line configuration mode: The autohangup command causes the EXEC facility to issue the exit command when the last connection closes. This feature is useful for UNIX-to-UNIX copy program (UUCP) applications because UUCP scripts cannot issue a command to hang up the telephone. This feature is not used often. Supporting Reverse Modem Connections and Preventing Incoming Calls In addition to initiating connections, the Cisco IOS software can receive incoming connections. This capability allows you to attach serial and parallel printers, modems, and other shared peripherals to the router or access server and drive them remotely from other modem-connected systems. The Cisco IOS software supports reverse TCP, XRemote, and local-area transport (LAT) connections. The specific TCP port or socket to which you attach the device determines the type of service that the Cisco IOS software provides on a line. When you attach the serial lines of a computer system or a data terminal switch to the serial lines of the access server, the access server can act as a network front-end device for a host that does not support the TCP/IP protocols. This arrangement is sometimes called front-ending or reverse connection mode. The Cisco IOS software supports ports connected to computers that are connected to modems. To configure the Cisco IOS software to function somewhat like a modem, use the following command in line configuration mode. This command also prevents incoming calls. Figure 29 illustrates the modem callout process. When the Cisco IOS software receives an incoming connection, it raises the DTR signal and waits to see if the CTS signal is raised to indicate that the host has noticed the router DTR signal. If the host does not respond within the interval set by the modem answer-timeout line configuration command, the software lowers the DTR signal and drops the connection. Command Purpose Router(config-line)# autohangup Configures automatic line disconnect. Command Purpose Router(config-line)# modem callout Configures a line for reverse connections and prevents incoming calls. Modem Signal and Line States Signal and Line State Diagrams DC-164 Cisco IOS Dial Technologies Configuration Guide Figure 29 Daemon Creation on a Line Configured for Modem Dial-Out Lower DTR Ringing Idle state Ready and active Incoming network connection CTS raised Create daemon Raise DTR DTR high, watching CTS DTR high, watching CTS Network connection closed or CTS lowered Answer timeout S1930 Lower DTR Close connection DTR low DC-165 Cisco IOS Dial Technologies Configuration Guide Creating and Using Modem Chat Scripts This chapter describes how to create and use modem chat scripts. These tasks are presented in the following main sections: • Chat Script Overview • How To Configure Chat Scripts • Using Chat Scripts To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the modem support commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference publication. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Chat Script Overview Chat scripts are strings of text used to send commands for modem dialing, logging in to remote systems, and initializing asynchronous devices connected to an asynchronous line. Note On a router, chat scripts can be configured only on the auxiliary port. A chat script must be configured to dial out on asynchronous lines. You also can configure chat scripts so that they can be executed automatically for other specific events on a line, or so that they are executed manually. Each chat script is defined for a different event. These events can include the following: • Line activation • Incoming connection initiation • Asynchronous dial-on-demand routing (DDR) • Line resets • Startup Creating and Using Modem Chat Scripts How To Configure Chat Scripts DC-166 Cisco IOS Dial Technologies Configuration Guide Note Outbound chat scripts are not supported on lines where modem control is set for inbound activity only using the modem dialin command. How To Configure Chat Scripts The following tasks must be performed before a chat script can be used: • Define the chat script in global configuration mode using the chat-script command. • Configure the line so that a chat script is activated when a specific event occurs (using the script line configuration command), or start a chat script manually (using the start-chat privileged EXEC command). To configure a chat script, perform the tasks in the following sections: • Understanding Chat Script Naming Conventions (Required) • Creating a Chat Script (Required) • Configuring the Line to Activate Chat Scripts (Required) • Manually Testing a Chat Script on an Asynchronous Line (Optional) See the section “Using Chat Scripts” later in this chapter for examples of how to use chat scripts. Understanding Chat Script Naming Conventions When you create a script name, include the modem vendor, type, and modulation, separated by hyphens, as follows: vendor-type-modulation For example, if you have a Telebit t3000 modem that uses V.32bis modulation, your script name would be: telebit-t3000-v32bis Note Adhering to the recommended naming convention allows you to specify a range of chat scripts by using partial names in UNIX-style regular expressions. The regular expressions are used to match patterns and select chat scripts to use. This method is particularly useful for dialer rotary groups on an interface that dials multiple destinations. Regular expressions are described in the “Regular Expressions” appendix in the Cisco IOS Terminal Services Configuration Guide. Creating a Chat Script We recommend that one chat script (a “modem” chat script) be written for placing a call and that another chat script (a “system” or “login” chat script) be written to log in to remote systems, where required. Creating and Using Modem Chat Scripts How To Configure Chat Scripts DC-167 Cisco IOS Dial Technologies Configuration Guide To define a chat script, use the following command in global configuration mode: The Cisco IOS software waits for the string from the modem (defined by the expect portion of the script) and uses it to determine what to send back to the modem (defined by the send portion of the script). Chat String Escape Key Sequences Chat script send strings can include the special escape sequences listed in Table 15. Adding a Return Key Sequence After the connection is established and you press the Return key, you must often press Return a second time before the prompt appears. To create a chat script that enters this additional Return key for you, include the following string with the Return key escape sequence (see Table 15) as part of your chat script: ssword:-/r-ssword Command Purpose Router(config)# chat-script script-name expect send... Creates a script that will place a call on a modem, log in to a remote system, or initialize an asynchronous device on a line. Table 15 Chat Script Send String Escape Sequences Escape Sequence Description \ Sends the ASCII character with its octal value. \\ Sends a backslash (\) character. \” Sends a double-quote (“) character (does not work within double quotes). \c Suppresses a new line at the end of the send string. \d Delays for 2 seconds. \K Inserts a BREAK. \n Sends a newline or linefeed character. \N Sends a null character. \p Pauses for 0.25 second. \q Reserved, not yet used. \r Sends a return. \s Sends a space character. \t Sends a tab character. \T Replaced by phone number. “ ” Expects a null string. BREAK Causes a BREAK. This sequence is sometimes simulated with line speed changes and null characters. May not work on all systems. EOT Sends an end-of-transmission character. Creating and Using Modem Chat Scripts How To Configure Chat Scripts DC-168 Cisco IOS Dial Technologies Configuration Guide This part of the script specifies that, after the connection is established, you want ssword to be displayed. If it is not displayed, you must press Return again after the timeout passes. (For more information about expressing characters in chat scripts, see the “Regular Expressions” appendix in the Cisco IOS Terminal Services Configuration Guide.) Chat String Special-Case Script Modifiers Special-case script modifiers are also supported; refer to Table 16 for examples. For example, if a modem reports BUSY when the number dialed is busy, you can indicate that you want the attempt stopped at this point by including ABORT BUSY in your chat script. Note If you use the expect-send pair ABORT SINK instead of ABORT ERROR, the system terminates abnormally when it encounters SINK instead of ERROR. Configuring the Line to Activate Chat Scripts Chat scripts can be activated by any of five events, each corresponding to a different version of the script line configuration command. To start a chat script manually at any point, see the following section, “Manually Testing a Chat Script on an Asynchronous Line.” To define a chat script to start automatically when a specific event occurs, use one of the following commands in line configuration mode: Table 16 Special-Case Script Modifiers Special Case Function ABORT string Designates a string whose presence in the input indicates that the chat script has failed. (You can have as many active abort entries as you like.) TIMEOUT time Sets the time to wait for input, in seconds. The default is 5 seconds, and a timeout of 60 seconds is recommended for V.90 modems. Command Purpose Router(config-line)# script activation regexp1 1. The regexp argument is a regular expression that is matched to a script name that has already been defined using the chat-script command. Starts a chat script on a line when the line is activated (every time a command EXEC is started on the line). Router(config-line)# script connection regexp Starts a chat script on a line when a network connection is made to the line. Router(config-line)# script dialer regexp Specifies a modem script for DDR on a line. Router(config-line)# script reset regexp2 2. Do not use the script reset or script startup commands to configure a modem; instead use the modem autoconfigure command. Starts a chat script on a line whenever the line is reset. Router(config-line)# script startup regexp2 Starts a chat script on a line whenever the system is started up. Creating and Using Modem Chat Scripts Using Chat Scripts DC-169 Cisco IOS Dial Technologies Configuration Guide Note Outbound chat scripts are not supported on lines where modem control is set for inbound activity only (using the modem dialin command). Manually Testing a Chat Script on an Asynchronous Line To test a chat script on any line that is currently not active, use the following commands in privileged EXEC mode: If you do not specify the line number, the script runs on the current line. If the line specified is already in use, you cannot start the chat script. A message appears indicating that the line is already in use. Using Chat Scripts The following sections provide examples of how to use chat scripts: • Generic Chat Script Example • Traffic-Handling Chat Script Example • Modem-Specific Chat Script Examples • Dialer Mapping Example • System Login Scripts and Modem Script Examples Generic Chat Script Example The following example chat script includes a pair of empty quotation marks (“ ”), which means “expect anything,” and \r, which means “send a return”: " " \r "name:" "myname" "ord":" "mypassword" ">" "slip default" Traffic-Handling Chat Script Example The following example shows a configuration in which, when there is traffic, a random line will be used. The dialer code will try to find a script that matches either the modem script .*-v32 or the system script cisco. If there is no match for either the modem script or the system script, you will see a “no matching chat script found” message. interface dialer 1 ! v.32 rotaries are in rotary 1. dialer rotary-group 1 ! Use v.32 generic script. dialer map ip 10.0.0.1 modem-script .*-v32 system-script cisco 1234 Command Purpose Step 1 Router# debug chat line number Starts detailed debugging on the specified line. Step 2 Router# start-chat regexp [line-number [dialer-string]] Starts a chat script on any asynchronous line. Creating and Using Modem Chat Scripts Using Chat Scripts DC-170 Cisco IOS Dial Technologies Configuration Guide Modem-Specific Chat Script Examples The following example shows line chat scripts being specified for lines connected to Telebit and US Robotics modems: ! Some lines have Telebit modems. line 1 6 script dialer telebit.* ! Some lines have US Robotics modems. line 7 12 script dialer usr.* Dialer Mapping Example The following example shows a modem chat script called dial and a system login chat script called login: chat-script dial ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 60 CONNECT \c chat-script login ABORT invalid TIMEOUT 60 name: myname word: mypassword ">" "slip default" interface async 10 dialer in-band dialer map ip 10.55.0.1 modem-script dial system-script login 96837890 Figure 30 illustrates the configuration. Figure 30 Chat Script Configuration and Function • The configuration is on Router A. • The modem chat script dial is used to dial out to the modem at Router B. • The system login chat script login is used to log in to Router B. • The phone number is the number of the modem attached to Router B. • The IP address in the dialer map command is the address of Router B. In the sample script shown, the dialer in-band command enables DDR on asynchronous interface 10, and the dialer map command dials 96837890 after finding the specified dialing and the system login scripts. When a packet is received for 10.55.0.1, the first thing to happen is that the modem script is implemented. Table 17 lists the functions that are implemented with each expect-send pair in the modem script called dial. Router B Router A 10.55.0.1 96837890 S2313 Creating and Using Modem Chat Scripts Using Chat Scripts DC-171 Cisco IOS Dial Technologies Configuration Guide After the modem script is successfully executed, the system login script is executed. Table 18 lists the functions that are executed with each expect-send pair in the system script called login. System Login Scripts and Modem Script Examples The following example shows the use of chat scripts implemented with the system-script and modem-script options of the dialer map command. If there is traffic for IP address 10.2.3.4, the router will dial the 91800 number using the usrobotics-v32 script, matching the regular expression in the modem chat script. Then the router will run the unix-slip chat script as the system script to log in. If there is traffic for 10.3.2.1, the router will dial 8899 using usrobotics-v32, matching both the modem script and modem chat script regular expressions. The router will then log in using the cisco-compressed script. ! Script for dialing a usr v.32 modem: chat-script usrobotics-v32 ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 60 CONNECT \c ! ! Script for logging into a UNIX system and starting up SLIP: chat-script unix-slip ABORT invalid TIMEOUT 60 name: billw word: wewpass ">" "slip default" ! Table 17 Example Modem Script Execution Expect and Send Pair Implementation ABORT ERROR Ends the script execution if the text “ERROR” is found. (You can have as many active abort entries as you like.) “ ” “AT Z” Without expecting anything, sends an “AT Z” command to the modem. (Note the use of quotation marks to allow a space in the send string.) OK “ATDT \T Waits to see “OK.” Sends “ATDT 96837890.” TIMEOUT 60 Waits up to 60 seconds for next expect string. CONNECT \c Expects “connect,” but does not send anything. (Note that \c is effectively nothing; “ ” would have indicated nothing followed by a carriage return.) Table 18 Example System Script Execution Expect and Send Pair Implementation ABORT invalid Ends the script execution if the message “invalid username or password” is displayed. TIMEOUT 60 Waits up to 60 seconds. name: username Waits for “name:” and sends username. (Using just “name:” will help avoid any capitalization issues.) word: password Waits for “word:” and sends the password. “>” “slip default” Waits for the > prompt and places the line into Serial Line Internet Protocol (SLIP) mode with its default address. Creating and Using Modem Chat Scripts Using Chat Scripts DC-172 Cisco IOS Dial Technologies Configuration Guide ! Script for logging into a Cisco access server and starting up TCP header compression: chat-script cisco-compressed... ! line 15 script dialer usrobotics-* ! interface async 15 dialer map ip 10.2.3.4 system-script *-v32 system-script cisco-compressed 91800 dialer map ip 10.3.2.1 modem-script *-v32 modem-script cisco-compressed 91800 ISDN Configuration DC-175 Cisco IOS Dial Technologies Configuration Guide Configuring ISDN BRI This chapter describes tasks that are required to use an ISDN BRI line. It provides an overview of the ISDN technologies currently available and describes features that you can configure in an ISDN BRI circuit-switched internetworking environment. This information is included in the following main sections: • ISDN Overview • How to Configure ISDN BRI • Monitoring and Maintaining ISDN Interfaces • Troubleshooting ISDN Interfaces • Configuration Examples for ISDN BRI This chapter describes configuration of the ISDN BRI. See the chapter “Configuring ISDN PRI” for information about configuring the ISDN PRI. This chapter does not address routing issues, dialer configuration, and dial backup. For information about those topics, see the chapters in the “Dial-on-Demand Routing Configuration” part of this publication. For hardware technical descriptions and for information about installing the router interfaces, refer to the appropriate hardware installation and maintenance publication for your particular product. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the BRI commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. ISDN Overview Basic ISDN service is described in the section “ISDN Service” in the chapter “Overview of Dial Interfaces, Controllers, and Lines.” To summarize, Cisco IOS software supports both the ISDN BRI and the ISDN PRI. ISDN BRI provides two bearer (B) channels, each capable of transferring voice or data at 64 kbps, and one 16 kbps data (D) signaling channel, which is used by the telephone network to carry instructions about how to handle each of the B channels. ISDN BRI (also referred to as 2 B + D) provides a maximum transmission speed of 128 kbps, but many users use only half the available bandwidth. Configuring ISDN BRI ISDN Overview DC-176 Cisco IOS Dial Technologies Configuration Guide Figure 9 in the chapter “Overview of Dial Interfaces, Controllers, and Lines” illustrates the channel assignment for each ISDN type. Requesting BRI Line and Switch Configuration from a Telco Service Provider Before configuring ISDN BRI on your Cisco router, you must order a correctly configured ISDN line from your telecommunications service provider. This process varies from provider to provider on a national and international basis. However, some general guidelines follow: • Ask for two channels to be called by one number. • Ask for delivery of calling line identification. Providers sometimes call this CLI or automatic number identification (ANI). • If the router will be the only device attached to the BRI, ask for point-to-point service and a data-only line. • If the router will be attached to an ISDN bus (to which other ISDN devices might be attached), ask for point-to-multipoint service (subaddressing is required) and a voice-and-data line. When you order ISDN service for switches used in North America, request the BRI switch configuration attributes specified in Table 19. Table 19 North American ISDN BRI Switch Type Configuration Information Switch Type Configuration DMS-100 BRI Custom 2 B channels for voice and data. 2 directory numbers assigned by service provider. 2 service profile identifiers (SPIDs) required; assigned by service provider. Functional signaling. Dynamic terminal endpoint identifier (TEI) assignment. Maximum number of keys = 64. Release key = no, or key number = no. Ringing indicator = no. EKTS = no. PVC = 2. Request delivery of calling line ID on Centrex lines. Set speed for ISDN calls to 56 kbps outside local exchange. Directory number 1 can hunt to directory number 2. Configuring ISDN BRI ISDN Overview DC-177 Cisco IOS Dial Technologies Configuration Guide 5ESS Custom BRI For Data Only 2 B channels for data. Point to point. Terminal type = E. 1 directory number (DN) assigned by service provider. MTERM = 1. Request delivery of calling line ID on Centrex lines. Set speed for ISDN calls to 56 kbps outside local exchange. For Voice and Data (Use these values only if you have an ISDN telephone connected.) 2 B channels for voice or data. Multipoint. Terminal type = D. 2 directory numbers assigned by service provider. 2 SPIDs required; assigned by service provider. MTERM = 2. Number of call appearances = 1. Display = No. Ringing/idle call appearances = idle. Autohold = no. Onetouch = no. Request delivery of calling line ID on Centrex lines. Set speed for ISDN calls to 56 kbps outside local exchange. Directory number 1 can hunt to directory number 2. 5ESS National ISDN (NI) BRI Terminal type = A. 2 B channels for voice and data. 2 directory numbers assigned by service provider. 2 SPIDs required; assigned by service provider. Set speed for ISDN calls to 56 kbps outside local exchange. Directory number 1 can hunt to directory number 2. EZ-ISDN 1 For Voice and Data • ISDN Ordering Code for Cisco 766/776 Series = Capability S • ISDN Ordering Code for Cisco 1604 Series = Capability R 2 B channels featuring alternate voice and circuit-switched data. Non-EKTS voice features include the following: • Flexible Calling • Call Forwarding Variable • Additional Call Offering • Calling Number Identification (includes Redirecting Number Delivery) Table 19 North American ISDN BRI Switch Type Configuration Information (continued) Switch Type Configuration Configuring ISDN BRI ISDN Overview DC-178 Cisco IOS Dial Technologies Configuration Guide Interface Configuration The Cisco IOS software also provides custom features for configuring the ISDN BRI interface that provide such capability as call screening, called party number verification, ISDN default cause code override, and for European and Australian customers, Dialed Number Identification Service (DNIS)-plus-ISDN-subaddress binding to allow multiple binds between a dialer profile and an ISDN B channel. Dynamic Multiple Encapsulations Before Cisco IOS Release 12.1, encapsulation techniques such as Frame Relay, High-Level Data Link Control (HDLC), Link Access Procedure, Balanced- Terminal Adapter (LAPB-TA), and X.25 could support only one ISDN B-channel connection over the entire link. HDLC and PPP could support multiple B channels, but the entire ISDN link needed to use the same encapsulation. The Dynamic Multiple Encapsulations feature introduced in Cisco IOS Release 12.1 allows various encapsulation types and per-user configurations on the same ISDN B channel at different times according to the type of incoming call. With the Dynamic Multiple Encapsulations feature, once calling line identification (CLID) binding is completed, the topmost interface is always used for all configuration and data structures. The ISDN B channel becomes a forwarding device, and the configuration on the D channel is ignored, thereby allowing the different encapsulation types and per-user configurations. Dynamic multiple encapsulations provide support for packet assembler/disassembler (PAD) traffic and X.25 encapsulated and switched packets. For X.25 encapsulations, the configurations reside on the dialer profile. Dynamic multiple encapsulation is especially important in Europe, where ISDN is relatively expensive and maximum use of all 30 B channels on the same ISDN link is desirable. Further, the feature removes the need to statically dedicate channels to a particular encapsulation and configuration type, and improves channel usage. Figure 31 shows a typical configuration for an X.25 network in Europe. The Dynamic Multiple Encapsulations feature allows use of all 30 B channels, and supports calls that originate in diverse areas of the network and converge on the same ISDN PRI. Figure 31 European X.25 Network Interface Configuration Options You can also optionally configure snapshot routing for ISDN interfaces. Snapshot routing is a method of learning remote routes dynamically and keeping the routes available for a specified period of time, even though routing updates are not exchanged during that period. See the chapter “Configuring Snapshot Routing” later in this guide for detailed information about snapshot routing. X.25 X.25 TA ISDN BRI 2 B BRI 2 B X.25 Host E1-PRI 30 X.25 B channels BRI 2 B 22344 Configuring ISDN BRI ISDN Overview DC-179 Cisco IOS Dial Technologies Configuration Guide To place calls on an ISDN interface, you must configure it with dial-on-demand routing (DDR). For configuration information about ISDN using DDR, see the “Dial-on-Demand Routing Configuration” part of this publication. For command information, refer to the Cisco IOS Dial Technologies Command Reference. To configure bandwidth on demand, see the chapters “Configuring Legacy DDR Spokes” or “Configuring Legacy DDR Hubs” later in this publication. ISDN Cause Codes A cause code is an information element (IE) that indicates why an ISDN call failed or was otherwise disconnected. When the originating gateway receives a Release Complete message, it generates a tone corresponding to the cause code in the message. Table 20 lists the default cause codes that the VoIP (Voice over IP) gateway sends to the switch when a call fails at the gateway, and the corresponding tones that it generates. For a complete list of ISDN cause codes that are generated by the switch, refer to “Appendix B: ISDN Switch Types, Codes and Values” in the Cisco IOS Debug Command Reference. Although the VoIP gateway generates the cause codes listed in Table 20 by default, there are commands introduced in previous Cisco IOS releases that can override these defaults, allowing the gateway to send different cause codes to the switch. The following commands override the default cause codes: • isdn disconnect-cause—Sends the specified cause code to the switch when a call is disconnected. • isdn network-failure-cause—Sends the specified cause code to the switch when a call fails because of internal network failures. • isdn voice-call-failure—Sends the specified cause code to the switch when an inbound voice call fails with no specific cause code. Table 20 Cause Codes Generated by the Cisco VoIP Gateway Cause Code Description Explanation Tone 1 Unallocated (unassigned) number The ISDN number is not assigned to any destination equipment. Reorder 3 No route to destination The call was routed through an intermediate network that does not serve the destination address. Reorder 16 Normal call clearing Normal call clearing has occurred. Dial 17 User busy The called system acknowledged the connection request but was unable to accept the call because all B channels were in use. Busy 19 No answer from user (user alerted) The destination responded to the connection request but failed to complete the connection within the prescribed time. The problem is at the remote end of the connection. Reorder 28 Invalid number format The connection could not be established because the destination address was presented in an unrecognizable format or because the destination address was incomplete. Reorder 34 No circuit/channel available The connection could not be established because no appropriate channel was available to take the call. Reorder Configuring ISDN BRI How to Configure ISDN BRI DC-180 Cisco IOS Dial Technologies Configuration Guide When you implement these commands, the configured cause codes are sent to the switch; otherwise, the default cause codes of the voice application are sent. For a complete description of these commands, refer to the Cisco IOS Dial Technologies Command Reference. How to Configure ISDN BRI To configure ISDN lines and interfaces, perform the tasks in the following sections: • Configuring the ISDN BRI Switch (Required) • Specifying Interface Characteristics for an ISDN BRI (As required) • Configuring ISDN Semipermanent Connections (As required) • Configuring ISDN BRI for Leased-Line Service (As required) See the sections “Monitoring and Maintaining ISDN Interfaces” and “Troubleshooting ISDN Interfaces” later in this chapter for tips on maintaining your network. See the section “Configuration Examples for ISDN BRI” at the end of this chapter for configuration examples. To configure ISDN BRI for voice, video, and fax applications, refer to the Cisco IOS Voice, Video, and Fax Applications Configuration Guide. Configuring the ISDN BRI Switch To configure the ISDN switch type, perform the following tasks: • Configuring the Switch Type (Required) • Checking and Setting the Buffers (As required) Also see to the “Multiple ISDN Switch Types Feature” section for information about configuring multiple switch types. Configuring the Switch Type To configure the switch type, use the following command in global configuration mode: The section “Global ISDN and BRI Interface Switch Type Example” later in this chapter provides an example of configuring the ISDN BRI switch. Table 21 lists the ISDN BRI service provider switch types. Command Purpose Router(config)# isdn switch-type switch-type Selects the service provider switch type; see Table 19 for switch types. Configuring ISDN BRI How to Configure ISDN BRI DC-181 Cisco IOS Dial Technologies Configuration Guide Note The command parser will still accept the following switch type keywords: basic-nwnet3, vn2, and basic-net3; however, when viewing the NVRAM configuration, the basic-net3 or vn3 switch type keywords are displayed respectively. Checking and Setting the Buffers When configuring a BRI, after the system comes up, make sure enough buffers are in the free list of the buffer pool that matches the maximum transmission unit (MTU) of your BRI interface. If not, you must reconfigure buffers in order for the BRI interfaces to function properly. To check the MTU size and the buffers, use the following commands in EXEC mode as needed: Table 21 ISDN Service Provider BRI Switch Types Switch Type Keywords Description/Use Central Office (CO) Switch Type? Voice/PBX Systems basic-qsig PINX (PBX) switch with QSIG signaling per Q.931 Australia, Europe, and UK basic-1tr6 German 1TR6 ISDN switch Yes basic-net3 NET3 ISDN BRI for Norway NET3, Australia NET3, and New Zealand NET3 switches; covers ETSI-compliant Euro-ISDN E-DSS1 signaling system Yes vn3 French VN3 ISDN BRI switch Yes Japan ntt Japanese NTT ISDN BRI switch North America basic-5ess Lucent (AT&T) basic rate 5ESS switch Yes basic-dms100 Nortel basic rate DMS-100 switch Yes basic-ni National ISDN switch Yes All Users none No switch defined Command Purpose Router# show interfaces bri number Displays the MTU size. Router# show buffers Displays the free buffers. Configuring ISDN BRI How to Configure ISDN BRI DC-182 Cisco IOS Dial Technologies Configuration Guide To configure the buffers and the MTU size, use the following commands in global configuration mode as needed: Multiple ISDN Switch Types Feature The Cisco IOS software provides an enhanced Multiple ISDN Switch Types feature that allows you to apply an ISDN switch type to a specific ISDN interface and configure more than one ISDN switch type per router. This feature allows both ISDN BRI and ISDN PRI to run simultaneously on platforms that support both interface types. See the section “Configuring Multiple ISDN Switch Types” in the chapter “Configuring ISDN PRI” for information about configuring this feature. Specifying Interface Characteristics for an ISDN BRI Perform the tasks in the following sections to set interface characteristics for an ISDN BRI, whether it is the only BRI in a router or is one of many. Each of the BRIs can be configured separately. • Specifying the Interface and Its IP Address (Required) • Configuring CLI Screening (As Required) • Configuring Encapsulation on ISDN BRI (Required) • Configuring Network Addressing (Required) • Configuring TEI Negotiation Timing (Optional) • Configuring CLI Screening (Optional) • Configuring Called Party Number Verification (Optional) • Configuring ISDN Calling Number Identification (Optional) • Configuring the Line Speed for Calls Not ISDN End to End (Optional) • Configuring a Fast Rollover Delay (Optional) • Overriding ISDN Application Default Cause Codes (Optional) • Configuring Inclusion of the Sending Complete Information Element (Optional) • Configuring DNIS-plus-ISDN-Subaddress Binding (Optional) • Screening Incoming V.110 Modem Calls (Optional) • Disabling V.110 Padding (Optional) Command Purpose Router(config)# buffers big permanent number Router(config)# buffers big max-free number Router(config)# buffers big min-free number Router(config)# buffers big initial number Configures the buffers. Configuring ISDN BRI How to Configure ISDN BRI DC-183 Cisco IOS Dial Technologies Configuration Guide Specifying the Interface and Its IP Address To specify an ISDN BRI and enter interface configuration mode, use the following commands beginning in global configuration mode: Specifying ISDN SPIDs Some service providers use SPIDs to define the services subscribed to by the ISDN device that is accessing the ISDN service provider. The service provider assigns the ISDN device one or more SPIDs when you first subscribe to the service. If you are using a service provider that requires SPIDs, your ISDN device cannot place or receive calls until it sends a valid, assigned SPID to the service provider when accessing the switch to initialize the connection. Currently, only the DMS-100 and NI switch types require SPIDs. The AT&T 5ESS switch type may support a SPID, but we recommend that you set up that ISDN service without SPIDs. In addition, SPIDs have significance at the local access ISDN interface only. Remote routers never receive the SPID. A SPID is usually a seven-digit telephone number with some optional numbers. However, service providers may use different numbering schemes. For the DMS-100 switch type, two SPIDs are assigned, one for each B channel. To define the SPIDs and the local directory number (LDN) on the router, use the following commands in interface configuration mode as needed: The LDN is optional but might be necessary if the router is to answer calls made to the second directory number. Configuring Encapsulation on ISDN BRI Each ISDN B channel is treated as a synchronous serial line, and the default serial encapsulation is HDLC. The Dynamic Multiple Encapsulations feature allows incoming calls over ISDN to be assigned an encapsulation type such as Frame Relay, PPP, and X.25 based on CLID or DNIS. PPP encapsulation is configured for most ISDN communication. Command Purpose Step 1 Router(config)# interface bri number Cisco 7200 series router only Router(config)# interface bri slot/port Specifies the interface and begins interface configuration mode. Step 2 Router(config-if)# ip address address mask Specifies an IP address for the interface. Command Purpose Router(config-if)# isdn spid1 spid-number [ldn] Specifies a SPID and local directory number for the B1 channel. Router(config-if)# isdn spid2 spid-number [ldn] Specifies a SPID and local directory number for the B2 channel. Configuring ISDN BRI How to Configure ISDN BRI DC-184 Cisco IOS Dial Technologies Configuration Guide To configure encapsulation, use the following command in interface configuration mode: Verifying the Dynamic Multiple Encapsulations Feature To verify dialer interfaces configured for binding and see statistics on each physical interface bound to the dialer interface, use the show interfaces EXEC command. The following example shows that the output under the B channel keeps all hardware counts that are not displayed under any logical or virtual access interface. The line in the report that states “Interface is bound to Dialer0 (Encapsulation LAPB)” indicates that this B interface is bound to the dialer 0 interface and the encapsulation running over this connection is LAPB, not PPP, which is the encapsulation configured on the D interface and inherited by the B channel. Router# show interfaces bri0:1 BRI0:1 is up, line protocol is up Hardware is BRI MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255 Encapsulation PPP, loopback not set, keepalive not set Interface is bound to Dialer0 (Encapsulation LAPB) LCP Open, multilink Open Last input 00:00:31, output 00:00:03, output hang never Last clearing of “show interface” counters never Queueing strategy: fifo Output queue 0/40, 0 drops; input queue 0/75, 0 drops 5 minute input rate 0 bits/sec, 1 packets/sec 5 minute output rate 0 bits/sec, 1 packets/sec 110 packets input, 13994 bytes, 0 no buffer Received 91 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 135 packets output, 14175 bytes, 0 underruns 0 output errors, 0 collisions, 12 interface resets 0 output buffer failures, 0 output buffers swapped out 8 carrier transitions Any protocol configuration and states should be displayed from the dialer 0 interface. Encapsulation Configuration Notes The router might need to communicate with devices that require a different encapsulation protocol or the router might send traffic over a Frame Relay or X.25 network. The Dynamic Multiple Encapsulations feature provides bidirectional support of all serial encapsulations except Frame Relay. For more information, see the sections “Sending Traffic over Frame Relay, X.25, or LAPB Networks” in the chapters “Configuring Legacy DDR Spokes” and “Configuring Legacy DDR Hubs” later in this publication. To configure the router for automatic detection of encapsulation type on incoming calls, or to configure encapsulation for Cisco 700 and 800 series (formerly Combinet) router compatibility, see the section “Configuring Automatic Detection of Encapsulation Type” in the chapter “Configuring ISDN Special Signaling” later in this publication. Command Purpose Router(config-if)# encapsulation [ppp | lapb | frame-relay] Configures encapsulation type. Configuring ISDN BRI How to Configure ISDN BRI DC-185 Cisco IOS Dial Technologies Configuration Guide Configuring Network Addressing The steps in this section support the primary goals of network addressing: • Define which packets are interesting and will thus cause the router to make an outgoing call. • Define the remote host where the calls are going. • Specify whether broadcast messages will be sent. • Specify the dialing string to use in the call. Intermediate steps that use shared argument values tie the host identification and dial string to the interesting packets to be sent to that host. To configure network addressing, use the following commands beginning in interface configuration mode: German networks allow semipermanent connections between customer routers with BRIs and the 1TR6 basic rate switches in the exchange. Semipermanent connections are less expensive than leased lines. Note The access list reference in Step 5 of this task is an example of the access-list commands allowed by different protocols. Some protocols might require a different command form or might require multiple commands. Refer to the relevant protocol chapter in the network protocol configuration guide (the Cisco IOS Novell IPX Configuration Guide, for example) for more information about setting up access lists for a protocol. For more information about defining outgoing call numbers, see the chapters “Configuring Legacy DDR Hubs” and “Configuring Legacy DDR Spokes” later in this publication. Command Purpose Step 1 Router(config-if)# dialer map protocol next-hop-address name hostname speed [56 | 64] dial-string[:isdn-subaddress] or Router(config-if)# dialer map protocol next-hop-address name hostname spc [speed 56 | 64] [broadcast] dial-string[:isdn-subaddress] (Most locations) Configures a serial interface or ISDN interface to call one or multiple sites or to receive calls from multiple sites. (Germany) Uses the command keyword that enables ISDN semipermanent connections. Step 2 Router(config-if)# dialer-group group-number Assigns the interface to a dialer group to control access to the interface. Step 3 Router(config-if)# exit Exits to global configuration mode. Step 4 Router(config)# dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group} Defines a dial-on-demand routing (DDR) dialer list for dialing by protocol or by a combination of a protocol and an access list. Step 5 Router(config)# access-list access-list-number {deny | permit} protocol source address source-mask destination destination-mask Defines an access list permitting or denying access to specified protocols, sources, or destinations. Permitted packets cause the router to place a call to the destination protocol address. Configuring ISDN BRI How to Configure ISDN BRI DC-186 Cisco IOS Dial Technologies Configuration Guide Configuring TEI Negotiation Timing You can configure ISDN TEI negotiation on individual ISDN interfaces. TEI negotiation is useful for switches that may deactivate Layers 1 or 2 when there are no active calls. Typically, this setting is used for ISDN service offerings in Europe and connections to DMS-100 switches that are designed to initiate TEI negotiation. By default, TEI negotiation occurs when the router is powered up. The TEI negotiation value configured on an interface overrides the default or global TEI value. For example, if you configure isdn tei first-call globally and isdn tei powerup on BRI interface 0, then TEI negotiation powerup is the value applied to BRI interface 0. It is not necessary to configure TEI negotiation unless you wish to override the default value (isdn tei powerup). To apply TEI negotiation to a specific BRI interface, use the following command in interface configuration mode: Configuring CLI Screening CLI screening adds a level of security by allowing you to screen incoming calls. You can verify that the calling line ID is from an expected origin. CLI screening requires a local switch that is capable of delivering the CLI to the router. To configure CLI screening, use the following command in interface configuration mode: Note If caller ID screening is configured and the local switch does not deliver caller IDs, the router rejects all calls. Note In earlier releases of the Cisco IOS software, ISDN accepted all synchronous calls and performed some minimal CLI screening before accepting or rejecting a call. Beginning with Cisco IOS Release 12.1 software, DDR provides a separate process that screens for the profile of the caller. The new screening process also checks that enough resources are available to accept the call and that the call conforms to predetermined rules. When the call is found acceptable, the screening process searches for a matching profile for the caller. The call is accepted only when there is a matching profile. Configuring Called Party Number Verification When multiple devices are attached to an ISDN BRI, you can ensure that only a single device answers an incoming call by verifying the number or subaddress in the incoming call against the configured number or subaddress or both of the device. Command Purpose Router(config-if)# isdn tei [first-call | powerup] Determines when ISDN TEI negotiation occurs. Command Purpose Router(config-if)# isdn caller number Configures caller ID screening. Configuring ISDN BRI How to Configure ISDN BRI DC-187 Cisco IOS Dial Technologies Configuration Guide You can specify that the router verify a called-party number or subaddress number in the incoming setup message for ISDN BRI calls, if the number is delivered by the switch. You can do so by configuring the number that is allowed. To configure verification, use the following command in interface configuration mode: Verifying the called-party number ensures that only the desired router responds to an incoming call. If you want to allow an additional number for the router, you can configure it, too. To configure a second number to be allowed, use the following command in interface configuration mode: Configuring ISDN Calling Number Identification A router with an ISDN BRI interface might need to supply the ISDN network with a billing number for outgoing calls. Some networks offer better pricing on calls in which the number is presented. When configured, this information is included in the outgoing call Setup message. To configure the interface to identify the billing number, use the following command in interface configuration mode: This command can be used with all switch types except German 1TR6 ISDN BRI switches. Configuring the Line Speed for Calls Not ISDN End to End When calls are made at 56 kbps but delivered by the ISDN network at 64 kbps, the incoming data can be corrupted. However, on ISDN calls, if the receiving side is informed that the call is not an ISDN call from end to end, it can set the line speed for the incoming call. To set the speed for incoming calls recognized as not ISDN end to end, use the following command in interface configuration mode: Command Purpose Router(config-if)# isdn answer1 [called-party-number][:subaddress] Specifies that the router verify a called-party number or subaddress number in the incoming setup message. Command Purpose Router(config-if)# isdn answer2 [called-party-number][:subaddress] Specifies that the router verify a second called-party number or subaddress number in the incoming setup message. Command Purpose Router(config-if)# isdn calling-number calling-number Specifies the calling party number. Command Purpose Router(config-if)# isdn not-end-to-end {56 | 64} Sets the speed to be used for incoming calls recognized as not ISDN end to end. Configuring ISDN BRI How to Configure ISDN BRI DC-188 Cisco IOS Dial Technologies Configuration Guide Configuring a Fast Rollover Delay Sometimes a router attempts to dial a call on an ISDN B channel before a previous call is completely torn down. The fast rollover fails because the second call is made to a different number before the B channel is released from the unsuccessful call. This failure might occur in the following ISDN configurations: • The two B channels of the BRI are not configured as a hunt group, but have separate numbers defined. • The B channel is not released by the ISDN switch until after Release Complete signal is processed. You need to configure this delay if a BRI on a remote peer has two phone numbers configured one for each B channel you are dialing into this BRI, you have a dialer map for each phone number, and the first call succeeds but a second call fails with no channel available. To configure a fast rollover delay, use the following command in interface configuration mode: A delay of 5 seconds should cover most cases. Configure sufficient delay to make sure the ISDN RELEASE_COMPLETE message has been sent or received before making the fast rollover call. Use the debug isdn q931 command to display this information. This pattern of failed second calls is a rare occurrence. Overriding ISDN Application Default Cause Codes The ISDN Cause Code Override function is useful for overriding the default cause code of ISDN applications. When this feature is implemented, the configured cause code is sent to the switch; otherwise, default cause codes of the application are sent. To configure ISDN cause code overrides, use the following command in interface configuration mode: ISDN Cause Code Override Configuration Example The following example sends a BUSY cause code to the switch when an application fails to complete the call: interface serial 0:23 isdn disconnect-cause busy Verifying ISDN Cause Code Override To verify that the ISDN Cause Code Override feature is operating correctly, enter the debug q931 command. The debug q931 command displays a report of any configuration irregularities. Command Purpose Router(config-if)# isdn fast-rollover-delay seconds Defines a fast rollover delay. Command Purpose Router(config-if)# isdn disconnect-cause {cause-code-number | busy | not-available} Specifies the ISDN cause code to send to the switch. Configuring ISDN BRI How to Configure ISDN BRI DC-189 Cisco IOS Dial Technologies Configuration Guide Configuring Inclusion of the Sending Complete Information Element In some geographic locations, such as Hong Kong and Taiwan, ISDN switches require that the Sending Complete information element be included in the outgoing Setup message to indicate that the entire number is included. This information element is generally not required in other locations. To configure the interface to include the Sending Complete information element in the outgoing call Setup message, use the following command in interface configuration mode: Configuring DNIS-plus-ISDN-Subaddress Binding To configure DNIS-plus-ISDN-subaddress binding, use the following command in global configuration mode Note This command allows multiple binds between a dialer profile and an ISDN B channel. The configuration requires an ISDN subaddress, which is used in Europe and Australia. See the section “DNIS-plus-ISDN-Subaddress Binding Example” later in this chapter for a configuration example. Screening Incoming V.110 Modem Calls You can screen incomingV.110 modem calls and reject calls that do not have the communications settings configured as the network expects them to be. To selectively accept incoming V.110 modem calls based on data bit, parity, and stop bit modem communications, use the following command in interface configuration mode: Command Purpose Router(config-if)# isdn sending-complete Includes the Sending Complete information element in the outgoing call Setup message. Command Purpose Router(config)# dialer called DNIS:subaddress Binds a DNIS to an ISDN subaddress. Command Purpose Router(config-if)# isdn v110 only [databits {5 | 7 | 8}] [parity {even | mark | none | odd | space}] [stopbits {1 | 1.5 | 2}] Selectively accepts incoming V.110 calls based on data bit, parity, and stop bit modem communication settings. Configuring ISDN BRI How to Configure ISDN BRI DC-190 Cisco IOS Dial Technologies Configuration Guide Disabling V.110 Padding In networks with devices such as terminal adapters (TAs) and global system for mobile communication (GSM) handsets that do not fully conform to the V.110 modem standard, you will need to disable V.110 padding. To disable the padded V.110 modem speed report required by the V.110 modem standard, use the following command in interface configuration mode: Configuring ISDN Semipermanent Connections German networks allow semipermanent connections between customer routers with BRI interfaces and the 1TR6 basic rate switches in the exchange. Australian networks allow semipermanent connections between ISDN PRI interfaces and the TS-014 primary rate switches in the exchange. Semipermanent connections are offered at better pricing than leased lines. Configuring BRI interfaces for semipermanent connection requires only that you use a keyword that indicates semipermanent connections when you are setting up network addressing as described in the previous section of this chapter. To configure a BRI for semipermanent connections, follow this procedure: Step 1 Set up the ISDN lines and ports as described in the sections “Configuring the ISDN BRI Switch”and “Specifying Interface Characteristics for an ISDN BRI” or for ISDN PRI, see the section “How to Configure ISDN PRI” in the chapter “Configuring ISDN PRI” later in this manual. Step 2 Configure DDR on a selected interface, as described in the “Dial-on-Demand Routing Configuration” part of this publication. To begin DDR network addressing, use the following command in interface configuration mode : Configuring ISDN BRI for Leased-Line Service To configure ISDN BRI for leased line service, perform the tasks in one of the following sections as needed and available: • Configuring Leased-Line Service at Normal Speeds (Available in Japan and Germany) • Configuring Leased-Line Service at 128 Kbps (Available only in Japan) Command Purpose Router(config-if)# no isdn v110 padding Disables the padded modem speed report required by the V.110 modem standard. Command Purpose Router(config-if)# dialer map protocol next-hop-address name hostname spc [speed 56 | 64] [broadcast] dial-string[:isdn-subaddress] Defines the remote recipient’s protocol address, host name, and dialing string; indicates semipermanent connections; optionally, provides the ISDN subaddress; and sets the dialer speed to 56 or 64 kbps, as needed. Configuring ISDN BRI How to Configure ISDN BRI DC-191 Cisco IOS Dial Technologies Configuration Guide Note Once an ISDN BRI interface is configured for access over leased lines, it is no longer a dialer interface, and signaling over the D channel no longer applies. Although the interface is called interface bri n, it is configured as a synchronous serial interface having the default High-Level Data Link (HDLC) encapsulation. However, the Cisco IOS commands that set the physical characteristics of a serial interface (such as the pulse time) do not apply to this interface. Configuring Leased-Line Service at Normal Speeds This service is offered in Japan and Germany and no call setup or teardown is involved. Data is placed on the ISDN interface similar to the way data is placed on a leased line connected to a serial port. To configure the BRI to use the ISDN connection as a leased-line service, use the following commands in global configuration mode: To disable leased-line service if you no longer want to support it on a specified ISDN BRI, use the following command in global configuration mode: Configuring Leased-Line Service at 128 Kbps The Cisco IOS software supports leased-line service at 128 kbps via ISDN BR. This service combines two B channels into a single pipe. This feature requires one or more ISDN BRI hardware interfaces that support channel aggregation and service provider support for ISDN channel aggregation at 128 kbps. When this software first became available, service providers offered support for ISDN channel aggregation at 128 kbps only in Japan. Note This feature is not supported on the Cisco 2500 series router because its BRI hardware does not support channel aggregation. To enable leased-line service at 128 kbps on a specified ISDN BRI, use the following commands in global configuration mode: Command Purpose Step 1 Router(config)# isdn switch-type switch-type Configures the BRI switch type, as specified by the local service provider. Step 2 Router(config)# isdn leased-line bri number 128 Specifies the BRI interface number. Command Purpose Router(config)# no isdn leased-line bri number Removes leased line configuration from a specified ISDN BRI interface. Command Purpose Step 1 Router(config)# isdn switch-type switch-type Selects the service provider switch type. Step 2 Router(config)# isdn leased-line bri number 128 Configures a specified BRI for access over leased lines. Configuring ISDN BRI Monitoring and Maintaining ISDN Interfaces DC-192 Cisco IOS Dial Technologies Configuration Guide To complete the configuration of the interface, see the chapter “Configure a Synchronous Serial Ports” in this publication. To remove the leased-line service configuration from a specified ISDN BRI, use the following command in global configuration mode: Monitoring and Maintaining ISDN Interfaces To monitor and maintain ISDN interfaces, use the following commands in EXEC mode as needed: Troubleshooting ISDN Interfaces To test the ISDN configuration of the router, use the following commands in EXEC mode as needed: Refer to the Cisco IOS Debug Command Reference for more information about the debug commands. Command Purpose Router(config)# no isdn leased-line bri number Removes leased-line configuration from a specified ISDN BRI interface. Command Purpose Router> show interfaces bri number Cisco 7200 series routers only Router> show interfaces bri slot/port Displays information about the physical attributes of the ISDN BRI B and D channels. Router> show controllers bri number Cisco 7200 series routers only Router> show controllers bri slot/port Displays protocol information about the ISDN B and D channels. Router> show isdn {active | history | memory | status | timers} Displays information about calls, history, memory, status, and Layer 2 and Layer 3 timers. Router> show dialer interface bri number Obtains general diagnostic information about the specified interface. Command Purpose Router# show controllers bri number Checks Layer 1 (physical layer) of the BRI. Router# debug q921 Checks Layer 2 (data link layer). Router# debug isdn events Router# debug q931 Router# debug dialer Router# show dialer Checks Layer 3 (network layer). Configuring ISDN BRI Configuration Examples for ISDN BRI DC-193 Cisco IOS Dial Technologies Configuration Guide Configuration Examples for ISDN BRI This section provides the following ISDN BRI configuration examples: • Global ISDN and BRI Interface Switch Type Example • BRI Connected to a PBX Example • Multilink PPP on a BRI Interface Example • Dialer Rotary Groups Example • Compression Examples • Multilink PPP and Compression Example • Voice over ISDN Examples • DNIS-plus-ISDN-Subaddress Binding Example • Screening Incoming V.110 Modem Calls Example • ISDN BRI Leased-Line Configuration Example Global ISDN and BRI Interface Switch Type Example The following example shows a global National ISDN switch type (keyword basic-ni) and an interface-level NET3 ISDN switch type (keyword basic-net3). The basic-net3 keyword is applied to BRI interface 0 and overrides the global switch setting. isdn switch-type basic-ni ! interface BRI0 isdn switch-type basic-net3 BRI Connected to a PBX Example The following example provides a simple partial configuration of a BRI interface that is connected to a PBX. This interface is connected to a switch that uses SPID numbers. interface BRI0 description connected to pbx line 61885 ip address 10.1.1.3 255.255.255.0 encapsulation ppp isdn spid1 123 dialer map ip 10.1.1.1 name mutter 61886 dialer map ip 10.1.1.2 name rudder 61884 dialer map ip 10.1.1.4 name flutter 61888 dialer-group 1 no fair-queue ppp authentication chap Multilink PPP on a BRI Interface Example The following example enables Multilink PPP on BRI 0: interface BRI0 description Enables PPP Multilink on BRI 0 ip address 10.1.1.1 255.255.255.0 Configuring ISDN BRI Configuration Examples for ISDN BRI DC-194 Cisco IOS Dial Technologies Configuration Guide encapsulation ppp dialer map ip 10.1.1.2 name coaster 14195291357 dialer map ip 10.1.1.3 name roaster speed 56 14098759854 ppp authentication chap ppp multilink dialer-group 1 Dialer Rotary Groups Example The following example configures BRI interfaces to connect into a rotary group (using the dialer-group command) and then configures a dialer interface for that dialer group. This configuration permits IP packets to trigger calls. interface BRI 0 description connected into a rotary group encapsulation ppp dialer rotary-group 1 interface BRI 1 no ip address encapsulation ppp dialer rotary-group 1 interface BRI 2 encapsulation ppp dialer rotary-group 1 interface BRI 3 no ip address encapsulation ppp dialer rotary-group 1 interface BRI 4 encapsulation ppp dialer rotary-group 1 interface Dialer 0 description Dialer group controlling the BRIs ip address 10.1.1.1 255.255.255.0 encapsulation ppp dialer map ip 10.1.1.2 name angus 14802616900 dialer-group 1 ppp authentication chap dialer-list 1 protocol ip permit Compression Examples The following example enables predictor compression on BRI 0: interface BRI0 description Enables predictor compression on BRI 0 ip address 10.1.1.1 255.255.255.0 encapsulation ppp dialer map ip 10.1.1.2 name bon 14195291357 compress predictor ppp authentication chap dialer-group 1 The following example enables stacker compression on BRI 0: interface BRI0 Configuring ISDN BRI Configuration Examples for ISDN BRI DC-195 Cisco IOS Dial Technologies Configuration Guide description Enables stac compression on BRI 0 ip address 10.1.1.1 255.255.255.0 encapsulation ppp dialer map ip 10.1.1.2 name malcom 14195291357 compress stac ppp authentication chap dialer-group 1 Multilink PPP and Compression Example The following example enables Multilink PPP and stacker compression on BRI 0: interface BRI0 description Enables PPP Multilink and stac compression on BRI 0 ip address 10.1.1.1 255.255.255.0 encapsulation ppp dialer map ip 10.1.1.2 name rudd 14195291357 ppp authentication chap compress stac ppp multilink dialer-group 1 Voice over ISDN Examples The following example allows incoming voice calls to be answered on BRI 0: interface bri0 description Allows incoming voice calls to be answered on BRI 0 ip address 10.1.1.1 255.255.255.0 encapsulation ppp isdn incoming-voice data dialer map ip 10.1.1.2 name starstruck 14038182344 ppp authentication chap dialer-group 1 The following example allows outgoing voice calls on BRI 1: interface bri1 description Places an outgoing call as a voice call on BRI 1 ip address 10.1.1.1 255.255.255.0 encapsulation ppp dialer map ip 10.1.1.2 name angus class calltype 19091238877 ppp authentication chap dialer-group 1 map-class dialer calltype dialer voice-call For more configuration examples of voice calls over ISDN, refer to the Cisco IOS Voice, Video, and Fax Configuration Guide. Configuring ISDN BRI Configuration Examples for ISDN BRI DC-196 Cisco IOS Dial Technologies Configuration Guide DNIS-plus-ISDN-Subaddress Binding Example The following example configures a dialer profile for a receiver with DNIS 12345 and ISDN subaddress 6789: dialer called 12345:6789 For additional configuration examples, see the sections “Dynamic Multiple Encapsulations” and “Verifying the Dynamic Multiple Encapsulations Feature” in the chapter “Configuring Peer-to-Peer DDR with Dialer Profiles” in this publication. Screening Incoming V.110 Modem Calls Example The following example filters out all V.110 modem calls except those with communication settings of 8 data bits, no parity bit, and 1 stop bit: interface serial 0:23 isdn v110 only databits 8 parity none stopbits 1 ISDN BRI Leased-Line Configuration Example The following example configures the BRI 0 interface for leased-line access at 128 kbps. Because of the leased-line–not dialed–environment, configuration of ISDN called and calling numbers are not needed and not used. The BRI 0 interface is henceforth treated as a synchronous serial interface, with the default HDLC encapsulation. isdn leased-line bri 0 128 The following example configures the BRI 0 interface for PPP encapsulation: interface bri 0 ip address 10.1.1.2 255.255.255.0 encapsulation ppp bandwidth 128 DC-197 Cisco IOS Dial Technologies Configuration Guide Configuring Virtual Asynchronous Traffic over ISDN Cisco IOS software offers two solutions to send virtual asynchronous traffic over ISDN: • Using International Telecommunication Union Telecommunication Standardization Sector (ITU-T) Recommendation V.120, which allows for reliable transport of synchronous, asynchronous, or bit transparent data over ISDN bearer channels. • Using ITU-T Recommendation X.75, which allows a system with an ISDN terminal adapter supporting asynchronous traffic over Link Access Procedure, Balanced (LAPB) to call into a router and establish an asynchronous PPP session. This method of asynchronous traffic transmission is also called ISDN Link Access Procedure, Balanced-Terminal Adapter (LAPB-TA). A virtual asynchronous interface (also known as vty-async) is created on demand to support calls that enter the router through a nonphysical interface. For example, asynchronous character stream calls terminate or land on nonphysical interfaces. These types of calls include inbound Telnet, local-area transport (LAT), PPP over character-oriented protocols (such as V.120 or X.25), and LAPB-TA and packet assembler/disassembler (PAD) calls. Virtual asynchronous interfaces are not user configurable; rather, they are dynamically created and torn down on demand. A virtual asynchronous line is used to access a virtual asynchronous interface. Refer to the section “Virtual Asynchronous Interfaces” in the chapter “Overview of Dial Interfaces, Controllers, and Lines” in this publication for more overview information about virtual asynchronous interfaces. Refer to the section “Enabling Asynchronous Functions on Virtual Terminal Lines” in the chapter “Configuring Protocol Translation and Virtual Asynchronous Devices” in the Cisco IOS Terminal Services Configuration Guide, for additional virtual asynchronous interface configuration information. This chapter describes how to configure virtual asynchronous traffic over ISDN lines. It includes the following main sections: • Recommendation V.120 Overview • How to Configure V.120 Access • Configuration Example for V.120 • ISDN LAPB-TA Overview • How to Configure ISDN LAPB-TA • Configuration Example for ISDN LAPB-TA Configuring Virtual Asynchronous Traffic over ISDN Recommendation V.120 Overview DC-198 Cisco IOS Dial Technologies Configuration Guide To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Recommendation V.120 Overview The V-series recommendations are ITU-T standards dealing with data communications over telephone networks. V.120 allows for reliable transport of synchronous, asynchronous, or bit transparent data over ISDN bearer channels. Cisco provides three V.120 support features for terminal adapters that do not send the low-layer compatibility fields or bearer capability V.120 information: • Answer all incoming calls as V.120—Static configuration used when all remote users have asynchronous terminals and need to connect with a vty on the router. • Automatically detect V.120 encapsulation—Encapsulation dynamically detected and set. • Enable V.120 Support for Asynchronous Access over ISDN. For terminal adapters that send the low-layer compatibility or bearer capability V.120 information, mixed V.120 and ISDN calls are supported. No special configuration is required. How to Configure V.120 Access To configure V.120 access, perform the tasks in the following sections: • Configuring Answering of All Incoming Calls as V.120 (Required) • Configuring Automatic Detection of Encapsulation Type (Required) • Enabling V.120 Support for Asynchronous Access over ISDN (Required) See the section “Configuration Example for V.120” at the end of this chapter for an example of how to configure V.120 access. Configuring Answering of All Incoming Calls as V.120 This V.120 support feature allows users to connect using an asynchronous terminal over ISDN terminal adapters with V.120 support to a vty on the router, much like a direct asynchronous connection. Beginning with Cisco IOS Release 11.1, this feature supports incoming calls only. When all the remote users have asynchronous terminals and call in to a router through an ISDN terminal adapter that uses V.120 encapsulation but does not send the low-layer compatibility or bearer capability V.120 information, you can configure the interface to answer all calls as V.120. Such calls are connected with an available vty on the router. Configuring Virtual Asynchronous Traffic over ISDN How to Configure V.120 Access DC-199 Cisco IOS Dial Technologies Configuration Guide To configure an ISDN BRI or PRI interface to answer all incoming calls as V.120, use the following commands beginning in global configuration mode: Configuring Automatic Detection of Encapsulation Type If an ISDN call does not identify the call type in the lower-layer compatibility fields and is using an encapsulation that is different from the one configured on the interface, the interface can change its encapsulation type dynamically. This feature enables interoperation with ISDN terminal adapters that use V.120 encapsulation but do not signal V.120 in the call setup message. An ISDN interface that by default answers a call as synchronous serial with PPP encapsulation can change its encapsulation and answer such calls. Automatic detection is attempted for the first 10 seconds after the link is established or the first 5 packets exchanged over the link, whichever is first. To enable automatic detection of V.120 encapsulation, use the following command in interface configuration mode: You can specify one or more encapsulations to detect. Cisco IOS software currently supports automatic detection of PPP and V.120 encapsulations. Enabling V.120 Support for Asynchronous Access over ISDN You can optionally configure a router to support asynchronous access over ISDN by globally enabling PPP on vty lines. Asynchronous access is then supported over ISDN from the ISDN terminal to the vty session on the router. Command Purpose Step 1 Cisco 4000 series routers only Router(config)# interface bri number or Cisco 7200 series routers only Router(config)# interface bri slot/port Configures the ISDN BRI interface and begins interface configuration mode. Step 2 Router(config)# interface serial e1 controller-number:15 or Router(config)# interface serial t1 controller-number:23 Configures the ISDN PRI D channel and begins interface configuration mode. Step 3 Router(config-if)# isdn all-incoming-calls-v120 Configures the interface to answer all calls as V.120. Command Purpose Router(config-if)# autodetect encapsulation v120 Enables automatic detection of encapsulation type on the specified interface. Configuring Virtual Asynchronous Traffic over ISDN Configuration Example for V.120 DC-200 Cisco IOS Dial Technologies Configuration Guide To enable asynchronous protocol features on vty lines, use the following command in global configuration mode: This task enables PPP on vty lines on a global basis on the router. If you prefer instead to configure PPP on a per-vty basis, use the translate command, which is described in the Cisco IOS Dial Technologies Command Reference. Configuration Example for V.120 The following example configures BRI 0 to call and receive calls from two sites, to use PPP encapsulation on outgoing calls, and to use Challenge Handshake Authentication Protocol (CHAP) authentication on incoming calls. This example also enables BRI 0 to configure itself dynamically to answer calls that use V.120 but that do not signal V.120 in the call setup message. interface bri 0 encapsulation ppp autodetect encapsulation v120 no keepalive dialer map ip 172.18.36.10 name EB1 234 dialer map ip 172.18 36.9 name EB2 456 dialer-group 1 ppp authentication chap ISDN LAPB-TA Overview To carry asynchronous traffic over ISDN, your system must be able to convert that traffic and forward it over synchronous connections. This process can be implemented by the V.120 protocol, which carries asynchronous traffic over ISDN. However, several countries in Europe (Germany, Switzerland, and some Eastern European countries) use LAPB as the protocol to forward their asynchronous traffic over synchronous connections. Your system, therefore, must be able to recognize and accept calls from these asynchronous/synchronous conversion devices. LAPB-TA performs that function. (LAPB is sometimes referred to as “X.75,” because LAPB is the link layer specified in the ITU-T X.75 recommendation for carrying asynchronous traffic over ISDN.) LAPB-TA allows devices that use LAPB instead of the V.120 protocol to communicate with routers on the Cisco 3600 and 5300 series. LAPB supports both local CHAP authentication and external RADIUS authorization on the authentication, authorization, and accounting (AAA) server. Before configuring ISDN LAPB-TA in your network, observe these restrictions: • LAPB-TA does not currently support the ability to set a maximum frame size per user. • Outbound LAPB-TA calls are not supported. Command Purpose Router(config)# vty-async Configures all vty lines to support asynchronous protocol features. Configuring Virtual Asynchronous Traffic over ISDN How to Configure ISDN LAPB-TA DC-201 Cisco IOS Dial Technologies Configuration Guide • PPP over LAPB-TA (and V.120) connections impose a greater overhead on the router than synchronous PPP over ISDN. The number of simultaneous sessions can be limited by dedicating a pool of virtual terminals to these protocols and limiting the number of virtual terminals in the pool. • Multilink PPP compression is not supported. How to Configure ISDN LAPB-TA ISDN LAPB-TA is supported on the Cisco 3600 and Cisco 5300 series routers that meet the following additional requirements: • A virtual terminal must be configured for incoming LAPB-TA. If no appropriately configured virtual terminals are available, the incoming call will be cleared. • ISDN, LAPB, and PPP must be running to configure LAPB-TA. • The Cisco IOS software must include the vty-async global configuration command, which must be configured before you can run asynchronous PPP traffic over a LAPB-TA connection. If an interface is already configured for V.120, only the following two additional configuration commands are required on the interface because V.120 and LAPB-TA sessions are configured in a similar way: • Use the autodetect encapsulation command to enable autodetection of LAPB-TA connections. • Use the transport input command to list LAPB-TA as an acceptable transport on a specific router. Perform the following required task to configure LAPB-TA: To configure ISDN LAPB-TA, use the following commands beginning in global configuration command mode: (required). Procedures for verifying the configuration are found in the section “Verifying ISDN LAPB-TA” later in this chapter. The section “Configuration Example for ISDN LAPB-TA” at the end of this chapter provides configuration examples. To configure ISDN LAPB-TA, use the following commands beginning in global configuration command mode: Command Purpose Step 1 Router(config)# vty-async Creates a virtual asynchronous interface. Step 2 Router(config)# vty-async virtual-template 1 Applies virtual template to the virtual asynchronous interface. Step 3 Router(config)# interface virtual-template 1 Creates a virtual interface template and enters interface configuration mode. Step 4 Router(config-if)# ip unnumbered Ethernet0 Assigns an IP address to the virtual interface template. Step 5 Router(config-if)# encapsulation ppp Enables encapsulation on the virtual interface template. Step 6 Router(config-if)# no peer default ip address Disables an IP address from a pool to the device connecting to the virtual access interface Step 7 Router(config-if)# ppp authentication chap Enables the CHAP protocol for PPP authentication. Step 8 Router(config-if)# exit Exits to global configuration mode. Configuring Virtual Asynchronous Traffic over ISDN How to Configure ISDN LAPB-TA DC-202 Cisco IOS Dial Technologies Configuration Guide Verifying ISDN LAPB-TA Enter the show running configuration command to verify that LAPB-TA is configured. The following output shows LAPB-TA enabled for serial interface 0:23: Router# show running configuration Building configuration... Current configuration: ! version 12.0 service timestamps debug datetime msec localtime service timestamps log datetime msec localtime no service password-encryption service udp-small-servers service tcp-small-servers ! hostname Router ...(output omitted) interface Serial0:23 description ENG PBX BRI num.:81063 no ip address no ip directed-broadcast encapsulation ppp no ip route-cache dialer pool-member 1 autodetect encapsulation ppp lapb-ta isdn switch-type primary-5ess no peer default ip address no fair-queue no cdp enable ppp authentication chap ...(output omitted) ! end Step 9 Router(config)# username user1 password home Specifies CHAP password to be used to authenticate calls from caller “user1.” Step 10 Router(config)# interface Serial0:236 Enters interface configuration mode for a D-channel serial interface.1 Step 11 Router(config-if)# encapsulation ppp Configures PPP encapsulation as the default. Step 12 Router(config-if)# dialer-group 1 Specifies the dialer group belonging to the interface. Step 13 Router(config-if)# ppp authentication chap Enables the CHAP protocol for PPP authentication. Step 14 Router(config-if)# autodetect encapsulation lapb-ta Enables autodetect encapsulation for LAPB-TA protocols. Step 15 Router(config)# line vty 0 32 Configures a range of 32 vty lines starting with vty0. Step 16 Router(config-line)# transport input telnet lapb-ta Defines which protocol to use to connect to a specific line of the access server. 1. The D channel is the signaling channel. Command Purpose Configuring Virtual Asynchronous Traffic over ISDN Configuration Example for ISDN LAPB-TA DC-203 Cisco IOS Dial Technologies Configuration Guide Configuration Example for ISDN LAPB-TA The following example configures a virtual template LAPB-TA connection capable of running PPP. It assumes that you have already configured usernames and passwords for PPP authentication. vty-async vty-async virtual-template 1 interface virtual-template 1 ip unnumbered Ethernet0 encapsulation ppp no peer default ip address ppp authentication chap exit interface Serial0:23 autodetect encapsulation lapb-ta The following example treats the LAPB-TA and V.120 calls identically by immediately starting a PPP session without asking for username and password and relying on PPP authentication to identify the caller: vty-async vty-async virtual-template 1 interface Loopback0 ip address 10.2.2.1 255.255.255.0 exit interface BRI3/0 encapsulation ppp autodetect encapsulation ppp lapb-ta v120 exit interface Virtual-Template1 ip unnumbered Loopback0 ppp authentication chap exit ip local pool default 10.2.2.64 10.2.2.127 line vty 0 2 password login transport input telnet exit line vty 3 4 no login transport input lapb-ta v120 autocommand ppp neg exit end Configuring Virtual Asynchronous Traffic over ISDN Configuration Example for ISDN LAPB-TA DC-204 Cisco IOS Dial Technologies Configuration Guide DC-205 Cisco IOS Dial Technologies Configuration Guide Configuring Modem Use over ISDN BRI This chapter describes how to configure the Modem over ISDN BRI feature. It includes the following main sections: • Modem over ISDN BRI Overview • How to Configure Modem over ISDN BRI • Verifying ISDN BRI Interface Configuration • Configuration Examples for Modem over ISDN BRI Before beginning the tasks in this chapter, check your system for the following hardware and software: • At least one of the following digital modem network modules. The number in the model name indicates the number of digital modems that can be connected to the module. – NM-6DM – NM-12DM – NM-18DM – NM-24DM – NM-30DM These digital modem network modules do not have their own network connections, but instead handle analog calls passing through other router interfaces. BRI modules can provide their ISDN connectivity. Other modules, such as Ethernet, can provide connectivity to the LAN. The digital modem module acts as a pool of available modems that can be used for both incoming and outgoing calls. Digital modem network modules do not support BRI voice interface cards or wide-area network (WAN) interface cards. • At least one of the following Cisco BRI network modules: – NM-4B-S/T: 4-port ISDN BRI network module, minimum version 800-01236-03 – NM-4B-U: 4-port ISDN BRI with integrated network termination 1 (NT-1) network module, minimum version 800-01238-06 – NM-8B-S/T: 8-port ISDN BRI network module, minimum version 800-01237-03 – NM-8B-U: 8-port ISDN BRI with integrated NT-1 network module, minimum version 800-01239-06 The version level is available from the show diag command, which displays the version number as the part number. Configuring Modem Use over ISDN BRI Modem over ISDN BRI Overview DC-206 Cisco IOS Dial Technologies Configuration Guide If your BRI network module is a version lower than those cited or you need more details, refer to the Cisco.com Field Notice titled Using Digital Modems with the Cisco 3600 Basic Rate Interface (BRI) Network Module Upgrade in the Access Products index. If your existing Cisco BRI network module is one of those listed and does not support the Modem over ISDN BRI feature, Cisco will upgrade the module at no charge. • To support the Modem over ISDN BRI feature, V.90 modem portware—for instructions on downloading this software or obtaining it otherwise, refer to the Cisco 3600 Series Modem Portware Upgrade Configuration Note on Cisco.com. Before you can configure a Cisco 3640 router to provide Modem over ISDN BRI connectivity, you must also perform the following tasks: • Obtain BRI service from your telecommunications provider. The BRI line must be provisioned at the switch to support voice calls. • Install a 4-port or 8-port BRI network module into your Cisco router. Depending on the type of network module and your BRI service, you might also need to install an external NT-1 for S/T interfaces. • Install a supported digital modem network module into the Cisco 3640 router. • After the system comes up, make sure enough buffers are in the free list of the buffer pool that matches the maximum transmission unit (MTU) of your BRI interface. If not, you must reconfigure buffers so the BRI interfaces function properly. To check the MTU of your interfaces, use the show interfaces bri command. The show buffers command displays the free buffer space. Use the buffers global configuration command to make adjustments to initial buffer pool settings and to the limits at which temporary buffers are created and destroyed. For more information about the physical characteristics of the BRI network modules and their digital modem support, or instructions on how to install the network or modem modules, either refer to the Cisco 3600 series Network Module Hardware Installation Guide that came with your BRI network module or view the up-to-date information on CCO. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the Modem over ISDN BRI commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Modem over ISDN BRI Overview The Modem over ISDN BRI feature for the Cisco 3640 modular access router lowers the cost of remote access by offering high-speed modem and ISDN connectivity for mobile customers, offices, and other remote-access users. Branch offices and enterprises can support analog modem users who call over the Public Switched Telephone Network (PSTN) into BRI interfaces in Cisco 3640 routers. The digital modem in the router accepts the modem calls at connection speeds as fast as 56 kbps, adhering to the V.90 standard. As shown in Figure 32, the Cisco 3640 router in this way provides rapid access to E-mail and other network services. Configuring Modem Use over ISDN BRI How to Configure Modem over ISDN BRI DC-207 Cisco IOS Dial Technologies Configuration Guide Figure 32 Modem over ISDN BRI Feature The following are benefits of using the Modem over ISDN BRI feature: • Supports cost-effective and readily available BRI service. • Provides remote modem users with rapid Internet and LAN/WAN access. • Allows flexible remote access application support. How to Configure Modem over ISDN BRI The Modem over ISDN BRI feature is part of interface configuration for BRI. You configure the BRI interface after you have configured the ISDN global characteristics, which are switch type and TEI negotiation timing. These characteristics can also be defined for each BRI interface, as shown in the following task table. To set up the BRI interface characteristics, set the global parameters and then configure each interface separately by using the following commands beginning in global configuration mode: BRI Cisco 3640 router with 4- or 8-port module and internal digital modems POTS lines Optional WAN to headquarters Ethernet Home office Small business Mobile PSTN 17271 Command Purpose Step 1 Router(config)# isdn switch-type switch-type Configures the global ISDN switch type to match the service provider switch type. For a list of keywords, see Table 22. Step 2 Router(config)# isdn tei [first-call | powerup] Configures when the ISDN TEI negotiation occurs. If this command is not used, negotiation occurs when the router is powered up. The first-call option is primarily used in European ISDN switch types, such as NET3 networks. The powerup option should be used in most other locations. Configuring Modem Use over ISDN BRI How to Configure Modem over ISDN BRI DC-208 Cisco IOS Dial Technologies Configuration Guide Step 3 Router(config)# interface bri slot/port Begins interface configuration mode to configure parameters for the specified interface. slot is the location of the BRI module. Valid values are from 0 to 3. port is an interface number. Valid values are from 0 to 7 if the module is an 8-port BRI network module, or from 0 to 4 if the module is a 4-port BRI network module. Step 4 Router(config-if)# ip address ip-address mask Specifies an IP address and subnet for the interface. You can also specify that there is no IP address. For information about IP addressing, see the Release 12.2 Cisco IOS IP Configuration Guide publication. Step 5 Router(config-if)# encapsulation ppp Enables PPP encapsulation on the BRI interface. PPP encapsulation is configured for most ISDN communication. If the router needs to communicate with devices that require a different encapsulation protocol, needs to detect encapsulation on incoming calls automatically, or needs to send traffic over a Frame Relay or X.25 network, see the chapter “Configuring X.25 on ISDN” later in this part, and the chapters in the Dial-on-Demand Routing Configuration part of this publication for information. Step 6 Router(config-if)# dialer map protocol next-hop-address name hostname speed 56|64 dial-string[:isdn-subaddress] or Router(config-if)# dialer map protocol next-hop-address name hostname spc [speed 56 | 64] [broadcast] dial-string[:isdn-subaddress] (Most locations) Defines the remote protocol address of the recipient, host name, and dialing string; optionally, provide the ISDN subaddress; set the dialer speed to 56 or 64 kbps, as needed. (Germany) Use the spc keyword to enable ISDN semipermanent connections. Step 7 Router(config-if)# dialer-group group-number Assigns the interface to a dialer group to control access to the interface. Step 8 Router(config-if)# dialer-list dialer-group list access-list-number Associates the dialer group number with an access list number. Step 9 Router(config-if)# access-list access-list-number {deny | permit} protocol source address source-mask destination destination-mask Defines an access list permitting or denying access to specified protocols, sources, or destinations. Permitted packets cause the router to place a call to the destination protocol address. Step 10 Router(config-if)# no ip-directed broadcast (Optional) Disables the translation of directed broadcast to physical broadcasts. Step 11 Router(config-if)# isdn switch-type switch-type (Optional) Configures the interface ISDN switch type to match the service provider switch type. The interface ISDN switch type overrides the global ISDN switch type on the interface. For a list of keywords, refer to Table 22. Command Purpose Configuring Modem Use over ISDN BRI How to Configure Modem over ISDN BRI DC-209 Cisco IOS Dial Technologies Configuration Guide Step 12 Router(config-if)# isdn tei [first-call | powerup] (Optional) Determines when ISDN TEI negotiation occurs for an individual interface. This overrides the global configuration command. Step 13 Router(config-if)# isdn spid1 spid-number [ldn] Specifies a service profile identifier (SPID) and local directory number for the B1 channel. Currently, only the DMS-100 and NI-1 switch types require SPIDs. Although the Lucent 5ESS switch type might support a SPID, we recommend that you set up that ISDN service without SPIDs. Step 14 Router(config-if)# isdn spid2 spid-number [ldn] Specifies a SPID and local directory number for the B2 channel. Step 15 Router(config-if)# isdn caller number (Optional) Configure caller ID screening. Step 16 Router(config-if)# isdn answer1 [called-party-number][:subaddress] (Optional) Configures called-party number verification for a called-party number or subaddress number in the incoming setup message. Step 17 Router(config-if)# isdn calling-number calling-number (Optional) Specifies the calling-party number. Step 18 Router(config-if)# isdn not-end-to-end [56 | 64] (Optional) Configures the speed for incoming calls recognized as not ISDN end-to-end. Step 19 Router(config-if)# isdn incoming-voice modem Routes incoming voice calls to the modem and treats them as analog data. This step is required for the Modem over ISDN BRI feature. Step 20 Router(config-if)# isdn disconnect-cause {cause-code-number | busy | not available} Overrides specific cause codes such as modem availability and resource pooling that are sent to the switch by ISDN applications. When the isdn disconnect-cause command is implemented, the configured cause codes are sent to the switch; otherwise, the default cause codes of the application are sent. The cause-code-number argument sends a cause code number (submitted as integer 1 through 127) to the switch. The busy keyword sends the USER BUSY code to the switch. The not available keyword sends the CHANNEL NOT AVAILABLE code to the switch. Step 21 Router(config-if)# isdn fast-rollover-delay seconds (Optional) Configures a delay between fast rollover dials. Step 22 Router(config-if)# isdn sending-complete (Optional) Configures the BRI interface to include the Sending Complete information element in the outgoing call Setup message. Used in some geographic locations, such as Hong Kong and Taiwan, where the sending complete information element is required in the outgoing call setup message. Command Purpose Configuring Modem Use over ISDN BRI How to Configure Modem over ISDN BRI DC-210 Cisco IOS Dial Technologies Configuration Guide See the section “Configuration Examples for Modem over ISDN BRI” at the end of this chapter for configuration examples. Verifying ISDN BRI Interface Configuration Use the show running-config command in EXEC mode to verify the current configuration that is running on the terminal. Note The show startup-config shows the configuration stored in NVRAM or in a location specified by the CONFIG_FILE environment variable. The following example shows some of the command output that is relevant to BRI configuration tasks. The bold text in the example are the results of configuration steps such as those shown in the section “How to Configure Modem over ISDN BRI” earlier in this chapter. Building configuration... Current configuration: ! version 12.0 no service udp-small-servers service tcp-small-servers ! hostname Router ! enable secret 5 $1$c8xi$tObplXsIS.jDeo43yZgq50 enable password xxx ! username xxxx password x 11x5xx07 no ip domain-lookup ip host Labhost 172.17.12.1 ip host Labhost2 172.17.12.2 ip name-server 172.19.169.21 ! interface Ethernet0 ip address 172.17.12.100 255.255.255.192 no ip mroute-cache Table 22 ISDN Switch Types Country ISDN Switch Type Description Australia basic-ts013 Australian TS013 switches Europe basic-1tr6 German 1TR6 ISDN switches basic-net3 NET3 ISDN switches (United Kingdom and others) vn2 French VN2 ISDN switches vn3 French VN3 and VN4 ISDN switches Japan ntt Japanese NTT ISDN switches North America basic-5ess Lucent Technologies basic rate switches basic-dms100 NT DMS-100 basic rate switches basic-ni National ISDN-1 switches Configuring Modem Use over ISDN BRI How to Configure Modem over ISDN BRI DC-211 Cisco IOS Dial Technologies Configuration Guide no ip route-cache no mop enabled . . . interface BRI1/7 description (408) 555-3777 ip address 10.1.1.26 255.255.255.1 no ip directed-broadcast encapsulation ppp no ip route-cache no ip mroute-cache no keepalive shutdown dialer idle-timeout 180 dialer map ip 10.1.1.9 name MDial1 14085550715 dialer map ip 10.1.1.14 name MDial2 14085553775 dialer-group 1 isdn switch-type basic-5ess isdn incoming-voice modem isdn disconnect-cause busy no fair-queue no cdp enable ppp authentication chap ppp multilink . . . ! interface Group-Async1 ip unnumbered Loopback0 no ip directed-broadcast ip tcp header-compression passive async mode interactive peer default ip address pool default no fair-queue group-range 65 70 hold-queue 10 in ! router igrp 109 network 172.21.0.0 ! ip local pool local 172.21.50.85 172.21.50.89 ip local pool default 10.1.1.1 10.1.1.253 ip classless ip route 0.0.0.0 0.0.0.0 172.21.48.1 ! ! map-class dialer VOICE dialer voice-call ! map-class dialer DATA dialer-list 1 protocol ip list 101 tacacs-server host 172.19.2.74 tacacs-server host 192.168.15.197 snmp-server community isdn RW snmp-server enable traps isdn call-information snmp-server host 172.25.3.154 traps isdn Use the show interfaces bri number command to verify information about the physical attributes of the ISDN BRI B and D channels. The number argument is the slot location of the BRI module. Valid values are from 0 to 3. Configuring Modem Use over ISDN BRI Configuration Examples for Modem over ISDN BRI DC-212 Cisco IOS Dial Technologies Configuration Guide BRI0:1 is down, line protocol is down Hardware is BRI MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255 Internet address is 10.1.1.3/27 Encapsulation PPP, loopback not set, keepalive not set LCP Closed Closed: IPCP Last input never, output never, output hang never Last clearing of "show interface" counters never Queueing strategy: fifo Output queue 0/40, 0 drops; input queue 0/75, 0 drops 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 packets output, 0 bytes, 0 underruns 0 output errors, 0 collisions, 7 interface resets 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions Configuration Examples for Modem over ISDN BRI This section provides the following examples: • BRI Interface Configuration Example • Complete Configuration Examples These examples show configuration of just the Modem over ISDN BRI feature using the interface configuration commands for each interface and a complete configuration showing global configuration, BRI interfaces, and modem configuration. BRI Interface Configuration Example The following example shows how to configure each BRI interface on a Cisco 3640 router for the Modem over ISDN BRI feature: interface BRI0/0 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000101 9194440001 isdn spid2 0444001101 9194440011 isdn incoming-voice modem ! interface BRI0/1 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000201 9194440002 isdn spid2 0444001201 9194440012 isdn incoming-voice modem ! interface BRI0/2 no ip address no ip directed-broadcast Configuring Modem Use over ISDN BRI Configuration Examples for Modem over ISDN BRI DC-213 Cisco IOS Dial Technologies Configuration Guide encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000301 9194440003 isdn spid2 0444001301 9194440013 isdn incoming-voice modem ! interface BRI0/3 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000401 9194440004 isdn spid2 0444001401 9194440014 isdn incoming-voice modem ! interface BRI0/4 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000501 9194440005 isdn spid2 0444001501 9194440015 isdn incoming-voice modem ! interface BRI0/5 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000601 9194440006 isdn spid2 0444001601 9194440016 isdn incoming-voice modem ! interface BRI0/6 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000701 9194440007 isdn spid2 0444001701 9194440017 isdn incoming-voice modem ! interface BRI0/7 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000801 9194440008 isdn spid2 0444001801 9194440018 isdn incoming-voice modem ! interface BRI2/0 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0555000101 9195550001 isdn spid2 0555001101 9195550011 isdn incoming-voice modem ! interface BRI2/1 no ip address no ip directed-broadcast encapsulation ppp Configuring Modem Use over ISDN BRI Configuration Examples for Modem over ISDN BRI DC-214 Cisco IOS Dial Technologies Configuration Guide isdn switch-type basic-ni isdn spid1 0555000201 9195550002 isdn spid2 0555001201 9195550012 isdn incoming-voice modem ! interface BRI2/2 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0555000301 9195550003 isdn spid2 0555001301 9195550013 isdn incoming-voice modem ! interface BRI2/3 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0555000401 9195550004 isdn spid2 0555001401 9195550014 isdn incoming-voice modem ! interface BRI2/4 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0555000501 9195550005 isdn spid2 0555001501 9195550015 isdn incoming-voice modem ! interface BRI2/5 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0555000601 9195550006 isdn spid2 0555001601 9195550016 isdn incoming-voice modem ! interface BRI2/6 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0555000701 9195550007 isdn spid2 0555001701 9195550017 isdn incoming-voice modem ! interface BRI2/7 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0555000801 9195550008 isdn spid2 0555001801 9195550018 isdn incoming-voice modem ! Configuring Modem Use over ISDN BRI Configuration Examples for Modem over ISDN BRI DC-215 Cisco IOS Dial Technologies Configuration Guide Complete Configuration Examples The following example shows a complete configuration for a dial-in router, including a global command, BRI interface configuration, and modem configuration including group-async and dialer commands. version 12.0 service timestamps debug datetime localtime service timestamps log uptime no service password-encryption service udp-small-servers service tcp-small-servers ! hostname MBRI_IN ! no logging buffered enable password xxx The following lines are used for PPP CHAP authentication. Each username and password is associated with one dialer interface. username async1 password devtest username async2 password devtest username async3 password devtest username async4 password devtest username async5 password devtest username async6 password devtest username async7 password devtest username async8 password devtest username async9 password devtest username async10 password devtest username async11 password devtest username async12 password devtest username async13 password devtest username async14 password devtest username async15 password devtest username async16 password devtest username async17 password devtest username async18 password devtest username async19 password devtest username async20 password devtest username async21 password devtest username async22 password devtest username async23 password devtest username async24 password devtest username async25 password devtest username async26 password devtest username async27 password devtest username async28 password devtest username async29 password devtest username async30 password devtest username FLOYD password devtest username MBRI_OUT password devtest ip subnet-zero no ip domain-lookup ! isdn switch-type basic-5ess Configuring Modem Use over ISDN BRI Configuration Examples for Modem over ISDN BRI DC-216 Cisco IOS Dial Technologies Configuration Guide interface BRI0/0 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000101 9194440001 isdn spid2 0444001101 9194440011 isdn incoming-voice modem ! interface BRI0/1 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000201 9194440002 isdn spid2 0444001201 9194440012 isdn incoming-voice modem ! interface BRI0/2 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000301 9194440003 isdn spid2 0444001301 9194440013 isdn incoming-voice modem ! interface BRI0/3 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000401 9194440004 isdn spid2 0444001401 9194440014 isdn incoming-voice modem ! interface BRI0/4 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000501 9194440005 isdn spid2 0444001501 9194440015 isdn incoming-voice modem no shut ! interface BRI0/5 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000601 9194440006 isdn spid2 0444001601 9194440016 isdn incoming-voice modem ! interface BRI0/6 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000701 9194440007 isdn spid2 0444001701 9194440017 isdn incoming-voice modem ! Configuring Modem Use over ISDN BRI Configuration Examples for Modem over ISDN BRI DC-217 Cisco IOS Dial Technologies Configuration Guide interface BRI0/7 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0444000801 9194440008 isdn spid2 0444001801 9194440018 isdn incoming-voice modem ! interface BRI2/0 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0555000101 9195550001 isdn spid2 0555001101 9195550011 isdn incoming-voice modem ! interface BRI2/1 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0555000201 9195550002 isdn spid2 0555001201 9195550012 isdn incoming-voice modem ! interface BRI2/2 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0555000301 9195550003 isdn spid2 0555001301 9195550013 isdn incoming-voice modem ! interface BRI2/3 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0555000401 9195550004 isdn spid2 0555001401 9195550014 isdn incoming-voice modem ! interface BRI2/4 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0555000501 9195550005 isdn spid2 0555001501 9195550015 isdn incoming-voice modem ! interface BRI2/5 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0555000601 9195550006 isdn spid2 0555001601 9195550016 isdn incoming-voice modem ! Configuring Modem Use over ISDN BRI Configuration Examples for Modem over ISDN BRI DC-218 Cisco IOS Dial Technologies Configuration Guide interface BRI2/6 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0555000701 9195550007 isdn spid2 0555001701 9195550017 isdn incoming-voice modem ! interface BRI2/7 no ip address no ip directed-broadcast encapsulation ppp isdn switch-type basic-ni isdn spid1 0555000801 9195550008 isdn spid2 0555001801 9195550018 isdn incoming-voice modem ! interface Ethernet1/0 ip address 172.18.16.123 255.255.255.192 no ip directed-broadcast ! The following example defines a group-async interface for grouping all the digital modems and configuring them together. Group-async configuration is much easier than configuring all 30 digital modems individually. interface Group-Async1 ip unnumbered Ethernet3/1 no ip directed-broadcast encapsulation ppp load-interval 30 dialer in-band dialer pool-member 1 async default routing async mode dedicated no peer default ip address no cdp enable ppp authentication chap group-range 96 125 hold-queue 10 in The following example defines dialer interfaces, associates IP addresses, and sets all the authentication parameters required during the call establishment. interface Dialer1 ip address 10.1.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async1 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async1 ppp chap password devtest ! interface Dialer2 ip address 10.2.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async2 dialer pool 1 dialer-group 1 no cdp enable Configuring Modem Use over ISDN BRI Configuration Examples for Modem over ISDN BRI DC-219 Cisco IOS Dial Technologies Configuration Guide ppp authentication chap callin ppp chap hostname async2 ppp chap password devtest ! interface Dialer3 ip address 10.3.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async3 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async3 ppp chap password devtest ! interface Dialer4 ip address 10.4.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async4 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async4 ppp chap password devtest ! interface Dialer5 ip address 10.5.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async5 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async5 ppp chap password devtest ! interface Dialer6 ip address 10.6.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async6 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async6 ppp chap password devtest ! interface Dialer7 ip address 10.7.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async7 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async7 ppp chap password devtest ! Configuring Modem Use over ISDN BRI Configuration Examples for Modem over ISDN BRI DC-220 Cisco IOS Dial Technologies Configuration Guide interface Dialer8 ip address 10.8.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async8 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async8 ppp chap password devtest ! interface Dialer9 ip address 10.9.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async9 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async9 ppp chap password devtest ! interface Dialer10 ip address 10.10.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async10 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async10 ppp chap password devtest ! interface Dialer11 ip address 10.11.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async11 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async11 ppp chap password devtest ! interface Dialer12 ip address 10.12.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async12 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async12 ppp chap password devtest ! interface Dialer13 ip address 10.13.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp Configuring Modem Use over ISDN BRI Configuration Examples for Modem over ISDN BRI DC-221 Cisco IOS Dial Technologies Configuration Guide dialer remote-name async13 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async13 ppp chap password devtest ! interface Dialer14 ip address 10.14.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async14 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async14 ppp chap password devtest ! interface Dialer15 ip address 10.15.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async15 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async15 ppp chap password devtest ! interface Dialer16 ip address 10.16.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async16 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async16 ppp chap password devtest ! interface Dialer17 ip address 10.17.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async17 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async17 ppp chap password devtest ! interface Dialer18 ip address 10.18.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async18 dialer pool 1 dialer-group 1 no cdp enable Configuring Modem Use over ISDN BRI Configuration Examples for Modem over ISDN BRI DC-222 Cisco IOS Dial Technologies Configuration Guide ppp authentication chap callin ppp chap hostname async18 ppp chap password devtest ! interface Dialer19 ip address 10.19.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async19 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async19 ppp chap password devtest ! interface Dialer20 ip address 10.20.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async20 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async20 ppp chap password devtest ! interface Dialer21 ip address 10.21.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async21 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async21 ppp chap password devtest ! interface Dialer22 ip address 10.22.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async22 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async22 ppp chap password devtest ! interface Dialer23 ip address 10.23.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async23 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async23 ppp chap password devtest ! Configuring Modem Use over ISDN BRI Configuration Examples for Modem over ISDN BRI DC-223 Cisco IOS Dial Technologies Configuration Guide interface Dialer24 ip address 10.24.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async24 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async24 ppp chap password devtest ! interface Dialer25 ip address 10.25.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async25 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async25 ppp chap password devtest ! interface Dialer26 ip address 10.26.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async26 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async26 ppp chap password devtest ! interface Dialer27 ip address 10.27.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async27 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async27 ppp chap password devtest ! interface Dialer28 ip address 10.28.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async28 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async28 ppp chap password devtest ! interface Dialer29 ip address 10.29.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp Configuring Modem Use over ISDN BRI Configuration Examples for Modem over ISDN BRI DC-224 Cisco IOS Dial Technologies Configuration Guide dialer remote-name async29 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async29 ppp chap password devtest ! interface Dialer30 ip address 10.30.0.1 255.255.0.0 no ip directed-broadcast encapsulation ppp dialer remote-name async30 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname async30 ppp chap password devtest ! no ip classless The following lines define routes that send incoming packets out via specific interfaces: ip route 0.0.0.0 0.0.0.0 172.18.16.193 ip route 10.91.0.1 255.255.255.255 1.1.0.2 ip route 10.91.0.2 255.255.255.255 1.2.0.2 ip route 10.91.0.3 255.255.255.255 1.3.0.2 ip route 10.91.0.4 255.255.255.255 1.4.0.2 ip route 10.91.0.5 255.255.255.255 1.5.0.2 ip route 10.91.0.6 255.255.255.255 1.6.0.2 ip route 10.91.0.7 255.255.255.255 1.7.0.2 ip route 10.91.0.8 255.255.255.255 1.8.0.2 ip route 10.91.0.9 255.255.255.255 1.9.0.2 ip route 10.91.0.10 255.255.255.255 1.10.0.2 ip route 10.91.0.11 255.255.255.255 1.11.0.2 ip route 10.91.0.12 255.255.255.255 1.12.0.2 ip route 10.91.0.13 255.255.255.255 1.13.0.2 ip route 10.91.0.14 255.255.255.255 1.14.0.2 ip route 10.91.0.15 255.255.255.255 1.15.0.2 ip route 10.91.0.16 255.255.255.255 1.16.0.2 ip route 10.91.0.17 255.255.255.255 1.17.0.2 ip route 10.91.0.18 255.255.255.255 1.18.0.2 ip route 10.91.0.19 255.255.255.255 1.19.0.2 ip route 10.91.0.20 255.255.255.255 1.20.0.2 ip route 10.91.0.21 255.255.255.255 1.21.0.2 ip route 10.91.0.22 255.255.255.255 1.22.0.2 ip route 10.91.0.23 255.255.255.255 1.23.0.2 ip route 10.91.0.24 255.255.255.255 1.24.0.2 ip route 10.91.0.25 255.255.255.255 1.25.0.2 ip route 10.91.0.26 255.255.255.255 1.26.0.2 ip route 10.91.0.27 255.255.255.255 1.27.0.2 ip route 10.91.0.28 255.255.255.255 1.28.0.2 ip route 10.91.0.29 255.255.255.255 1.29.0.2 ip route 10.91.0.30 255.255.255.255 1.30.0.2 ip route 172.18.0.0 255.255.0.0 Ethernet3/1 ! dialer-list 1 protocol ip permit ! line con 0 exec-timeout 0 0 transport input none Configuring Modem Use over ISDN BRI Configuration Examples for Modem over ISDN BRI DC-225 Cisco IOS Dial Technologies Configuration Guide The following example configures the lines associated with the digital modems: line 96 125 exec-timeout 0 0 modem InOut transport input all stopbits 1 flowcontrol hardware line aux 0 exec-timeout 0 0 line vty 0 4 exec-timeout 0 0 password lab login line vty 5 60 exec-timeout 0 0 password lab login ! end Configuring Modem Use over ISDN BRI Configuration Examples for Modem over ISDN BRI DC-226 Cisco IOS Dial Technologies Configuration Guide DC-227 Cisco IOS Dial Technologies Configuration Guide Configuring X.25 on ISDN This chapter describes how to configure X.25 on ISDN. It includes the following main sections: • X.25 on ISDN Overview • How to Configure X.25 on ISDN • Configuration Examples for X.25 on ISDN To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. X.25 on ISDN Overview BRI is an ISDN interface, and it consists of two B channels (B1 and B2) and one D channel. The B channels are used to transfer data, voice, and video. The D channel controls the B channels. ISDN uses the D channel to carry signal information. ISDN can also use the D channel in a BRI to carry X.25 packets. The D channel has a capacity of 16 kbps, and the X.25 over D channel can utilize up to 9.6 kbps. X.25-over-D-Channel Logical Interface When X.25 on ISDN is configured, a separate X.25-over-D-channel logical interface is created. You can set its parameters without disrupting the original ISDN interface configuration. The original BRI interface will continue to represent the D, B1, and B2 channels. Because some end-user equipment uses static terminal endpoint identifiers (TEIs) to access this feature, static TEIs are supported. The dialer understands the X.25-over-D-channel calls and initiates them on a new interface. X.25 traffic over the D channel can be used as a primary interface where low-volume, sporadic interactive traffic is the normal mode of operation. Supported traffic includes the Internet Protocol Exchange (IPX), AppleTalk, transparent bridging, Xerox Network Systems (XNS), DECnet, and IP. This feature is not available on the ISDN PRI. Configuring X.25 on ISDN How to Configure X.25 on ISDN DC-228 Cisco IOS Dial Technologies Configuration Guide Note X.25 on ISDN is also supported using the ISDN Always On/Dynamic (AO/DI) feature. AO/DI uses the Multilink PPP (MLP) protocol signaling with standard Q.922 and X.25 encapsulations, and can additionally use the Bandwidth Allocation Control Protocol (BACP) to optimize bandwidth on demand. For information about how to configure AO/DI, see the chapter “Configuring X.25 on ISDN Using AO/DI” in this publication. Outbound Circuit-Switched X.25 Support over a Dialer Interface Current Cisco IOS software enablescircuit-switched X.25 clients—PAD, X.25 switching, and Qualified Logical Link Control (QLLC)—to initiate calls and dynamically bring the X.25 context (which runs the X.25 protocol) up or down as needed. This capability allows packet-switched traffic over ISDN. In earlier releases of the Cisco IOS software, X.25 circuit-switched clients were required to do an X.25 route lookup to forward a call. If the lookup resulted in a route to a dialer interface, the client would check the X.25 protocol state on the dialer interface. If the interface was not already bound to run the X.25 protocol, the software would reroute the call instead of bringing up a link and running the X.25 protocol. With this new feature, the X.25 context is dynamically created on demand and then removed when the X.25 session is cleared on the dialer interface. For dialer profile interfaces, the X.25 context is created on the dialer interface, because X.25 protocol functions run on the dialer interface itself. Member links act like forwarding devices, because their topmost interface runs the actual encapsulated protocol. But for legacy dialer interfaces, the X.25 context is created on the member links once they come up and bind to a dialer. There are no specific configuration tasks required to enable outbound circuit-switched X.25 support. See the “Outbound Circuit-Switched X.25 Example” example in the section “Configuration Examples for X.25 on ISDN” at the end of this chapter for an example of how to make use of this feature in your network. How to Configure X.25 on ISDN You can configure X.25 on ISDN in three ways: • If the ISDN traffic will cross an X.25 network, you configure the ISDN interface as described in the “Setting Up Basic ISDN Services” and “Configuring signaling on T1 and E1” chapters earlier in this publication. Make certain to configure that ISDN interface for X.25 addressing and encapsulation as described in the “Configuring X.25” chapter of the Cisco IOS Wide-Area Networking Configuration Guide. • Configure dynamic X.25 as illustrated in the section “Outbound Circuit-Switched X.25 Example” later in this chapter. • If the D channel of an ISDN BRI interface is to carry X.25 traffic, perform the task described in the next section, “Configuring X.25 on the ISDN D Channel.” Configuring X.25 on ISDN Configuration Examples for X.25 on ISDN DC-229 Cisco IOS Dial Technologies Configuration Guide Configuring X.25 on the ISDN D Channel To configure an ISDN BRI interface (and create a special ISDN interface) to carry X.25 traffic on the D channel, use the following commands beginning in global configuration mode: The last step is to configure the X.25-over-ISDN interface for X.25 traffic. See the chapter “Configuring LAPB and X.25” in the Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2, for the commands and tasks. The new X.25-over-ISDN interface is called interface bri number:0 in configuration displays. It must be configured as an individual X.25 interface. For information about configuring an interface for X.25 traffic, refer to the Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2. Note The encapsulation x25 command is neither required nor used on this new interface, but other X.25 commands can be used to configure this interface. If you want to remove the X.25-over-ISDN interface later, use the no isdn x25 dchannel command. See the section “X.25 on ISDN D-Channel Configuration Example” at the end of this chapter for a configuration example. Configuration Examples for X.25 on ISDN This section illustrates X.25 on ISDN with the following examples: • X.25 on ISDN D-Channel Configuration Example • Outbound Circuit-Switched X.25 Example X.25 on ISDN D-Channel Configuration Example The following example creates a BRI 0:0 interface for X.25 traffic over the D channel and then configures the new interface to carry X.25 traffic: interface bri0 isdn x25 dchannel isdn x25 static-tei 8 ! interface bri0:0 ip address 10.1.1.2 255.255.255.0 x25 address 31107000000100 x25 htc 1 x25 suppress-calling-address Command Purpose Step 1 Router(config)# interface bri number Specifies an ISDN BRI interface and begins interface configuration mode. Step 2 Router(config-if)# isdn x25 static-tei tei-number Specifies a static TEI, if required by the switch. Step 3 Router(config-if)# isdn x25 dchannel Creates a configurable interface for X.25 traffic over the ISDN D channel. Configuring X.25 on ISDN Configuration Examples for X.25 on ISDN DC-230 Cisco IOS Dial Technologies Configuration Guide x25 facility windowsize 2 2 x25 facility packetsize 256 256 x25 facility throughput 9600 9600 x25 map ip 10.1.1.3 31107000000200 Outbound Circuit-Switched X.25 Example The following example shows how to configure dynamic X.25 on an ISDN interface. Figure 33 illustrates the configuration. Figure 33 Dynamic X.25 over ISDN Configuration for Yen version 12.0(5)T service timestamps debug uptime service timestamps log uptime no service password-encryption service udp-small-servers service tcp-small-servers ! hostname yen ! enable secret 5 $1$K32j$4AZW2oMDivpUeuMa/Fdcd. enable password secret ! username peso password 0 cisco username dinar password 0 cisco ip subnet-zero no ip domain-lookup ip domain-name cicso.com ip name-server 172.18.1.148 ! isdn switch-type basic-5ess x25 routing ! interface Loopback0 no ip address no ip directed-broadcast no ip mroute-cache ! interface Ethernet0 ip address 172.21.75.2 255.255.255.0 no ip directed-broadcast no ip mroute-cache media-type 10BaseT ! Peso (as X.25 switch) X.25 Yen Dinar PRI BRI ISDN X.25 Host BRI 25087 Configuring X.25 on ISDN Configuration Examples for X.25 on ISDN DC-231 Cisco IOS Dial Technologies Configuration Guide interface BRI1 no ip address no ip directed-broadcast no ip mroute-cache dialer pool-member 1 isdn switch-type basic-5ess no fair-queue ! interface Dialer0 ip address 10.1.1.1 255.0.0.0 no ip directed-broadcast encapsulation x25 no ip mroute-cache dialer remote-name dinar dialer idle-timeout 180 dialer string 81060 dialer caller 81060 dialer max-call 1 dialer pool 1 dialer-group 1 x25 address 11111 x25 map ip 10.1.1.2 22222 ! ip default-gateway 172.21.75.1 no ip classless ip route 0.0.0.0 0.0.0.0 172.21.75.1 no ip http server ! access-list 101 permit ip any any dialer-list 1 protocol ip list 101 ! x25 route 22222 interface Dialer0 x25 route 33333 interface Dialer0 ! line con 0 exec-timeout 0 0 transport input none line aux 0 transport input all line vty 0 4 password cisco login line vty 5 100 password cisco login ! end Configuration for Peso Acting as X.25 Switch version 12.0(5)T service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname peso ! enable secret 5 $1$.Q00$h3vIhbOwO1fPvA2LYx2gE. enable password cisco ! ip subnet-zero ! isdn switch-type primary-5ess x25 routing Configuring X.25 on ISDN Configuration Examples for X.25 on ISDN DC-232 Cisco IOS Dial Technologies Configuration Guide ! controller T1 0 cablelength short cablelength short 133 ! controller T1 1 framing esf clock source line primary pri-group timeslots 1-24 ! controller T1 2 cablelength short cablelength short 133 ! controller T1 3 cablelength short cablelength short 133 ! interface Ethernet0 ip address 172.21.75.3 255.255.255.0 no ip directed-broadcast ! interface Serial1:23 no ip address no ip directed-broadcast encapsulation ppp dialer pool-member 1 isdn switch-type primary-5ess isdn incoming-voice modem no fair-queue no cdp enable ppp authentication chap ! interface Dialer0 no ip address no ip directed-broadcast encapsulation x25 dce no ip mroute-cache dialer remote-name yen dialer idle-timeout 180 dialer string 61401 dialer caller 61401 dialer max-call 1 dialer pool 1 x25 address 33333 ! interface Dialer1 no ip address no ip directed-broadcast encapsulation x25 dce no ip mroute-cache dialer remote-name dinar dialer idle-timeout 180 dialer string 61403 dialer caller 61403 dialer max-call 1 dialer pool 1 x25 address 44444 ! ip default-gateway 172.21.75.1 no ip classless ip route 0.0.0.0 0.0.0.0 172.21.75.1 no ip http server ! Configuring X.25 on ISDN Configuration Examples for X.25 on ISDN DC-233 Cisco IOS Dial Technologies Configuration Guide x25 route 11111 interface Dialer0 x25 route 22222 interface Dialer1 x25 route source 11111 interface Dialer1 x25 route input-interface Dialer0 interface Dialer1 ! line con 0 transport input none line 1 48 line aux 0 line vty 0 4 password cisco login line vty 5 100 password cisco login ! end Configuration for Dinar version 12.0(5)T service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname dinar ! logging buffered 16384 debugging enable secret 5 $1$8EjF$4.S0AoMOVa5OIAYEMrrFI/ enable password cisco ! username yen password 0 cisco username 7701 username drachma password 0 cisco username AODI password 0 cisco ip subnet-zero ip rcmd rcp-enable ip rcmd rsh-enable ip rcmd remote-username atirumal ! isdn switch-type basic-5ess x25 routing ! controller T1 0/0 ! interface BRI3/1 no ip address no ip directed-broadcast no ip mroute-cache dialer pool-member 1 isdn switch-type basic-5ess no fair-queue ! interface Dialer0 ip address 10.1.1.2 255.0.0.0 no ip directed-broadcast encapsulation x25 no ip mroute-cache dialer remote-name yen dialer idle-timeout 180 dialer string 81060 dialer caller 81060 dialer max-call 1 dialer pool 1 Configuring X.25 on ISDN Configuration Examples for X.25 on ISDN DC-234 Cisco IOS Dial Technologies Configuration Guide dialer-group 1 x25 address 22222 x25 map ip 10.1.1.1 11111 ! interface Dialer1 ip address 10.1.1.10 255.0.0.0 no ip directed-broadcast no ip mroute-cache dialer in-band dialer-group 1 no fair-queue ! ip default-gateway 172.21.75.1 no ip classless ip route 0.0.0.0 0.0.0.0 172.21.75.1 no ip http server ! access-list 101 permit ip any any dialer-list 1 protocol ip list 101 ! x25 route 11111 interface Dialer0 x25 route 44444 interface Dialer0 ! DC-235 Cisco IOS Dial Technologies Configuration Guide Configuring X.25 on ISDN Using AO/DI The chapter describes how to configure the X.25 on ISDN using the Always On/Dynamic ISDN (AO/DI) feature. It includes the following main sections: • AO/DI Overview • How to Configure an AO/DI Interface • How to Configure an AO/DI Client/Server • Configuration Examples for AO/DI AO/DI supports PPP encapsulation on switched X.25 virtual circuits (VCs) only. The X.25 encapsulation (per RFC 1356), PPP, Bandwidth Allocation Control Protocol (BACP), and Bandwidth Allocation Protocol (BAP) modules must be present in both the AO/DI client and server. AO/DI relies on features from X.25, PPP, and BACP modules and must be configured on both the AO/DI client and server. BAP, if negotiated, is a subset of BACP, which is responsible for bandwidth allocation for the Multilink PPP (MLP) peers. It is recommended you configure MLP with the BAP option due to the differences between the ISDN (E.164) and X.25 (X.121) numbering formats. To implement AO/DI, you must configure the AO/DI client and server for PPP, incorporating BAP and X.25 module commands. This task involves configuring the BRI or PRI interfaces with the appropriate X.25 commands and the dialer interfaces with the necessary PPP or BAP commands. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference, Release 12.2. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. AO/DI Overview AO/DI functionality is based on the technology modules described in the following sections: • PPP over X.25 Encapsulation • Multilink PPP Bundle • BACP/BAP Configuring X.25 on ISDN Using AO/DI AO/DI Overview DC-236 Cisco IOS Dial Technologies Configuration Guide AO/DI is an on-demand service that is designed to optimize the use of an existing ISDN signaling channel (D channel) to transport X.25 traffic. The X.25 D-channel call is placed from the subscriber to the packet data service provider. The use of PPP allows protocols to be encapsulated within the X.25 logical circuit carried by the D channel. The bearer channels (B channels) use the multilink protocol without the standard Q.922 and X.25 encapsulations, and invoke additional bandwidth as needed. Optionally, BACP and BAP can be used to negotiate bandwidth allocation as required. AO/DI takes full advantage of existing packet handlers at the central office by using an existing D channel to transport the X.25 traffic. The link associated with the X.25 D channel packet connection is used as the primary link of the multilink bundle. The D channel is a connectionless, packet-oriented link between the customer premise equipment (CPE) and the central office. Because the D channel is always available, it is possible to in turn offer “always available” services. On-demand functionality is achieved by using the B channels to temporarily boost data throughput and by disconnecting them after use. Figure 34 shows the AO/DI environment and how ISDN and X.25 resources are implemented. Note On the client side, the X.25 switched virtual circuit (SVC) can only be terminated on an ISDN D channel; however, on the server side, the SVC can be terminated on an ISDN BRI using a D channel, a PRI using specific time slots, or a high-speed serial link. Figure 34 AO/DI Environment AO/DI provides the following benefits: • ISDN telecommuting cost savings. Low-speed, D-channel services are typically more cost-efficient than the time-based tariffs applied to the B channels, which usually carry user data. • Reductions in the amount of data traffic from service provider voice networks. The D-channel X.25 packets are handled at the central office by the X.25 packet handler, thereby routing these packets bypassing the switch, which reduces impact on the telephony network. • Network access server cost reductions. AO/DI can reduce service provider network access server costs by increasing port efficiencies. Initial use of the “always on” D-channel connection lowers the contention ratio on standard circuit switched dial ports. (See Figure 35.) PH ISDN CPE ISP or corporate PPP over X.25 over the D channel X.25 link to NAS or corporate router X.25 B channel D channel 11520 Configuring X.25 on ISDN Using AO/DI AO/DI Overview DC-237 Cisco IOS Dial Technologies Configuration Guide Figure 35 Increasing Port Efficiency with AO/DI PPP over X.25 Encapsulation PPP over X.25 is accomplished through the following process: 1. The X.25 map statement on the client side creates a virtual access interface. A virtual access interface is dynamically created and configured by cloning the configuration from a dialer interface (dialer interface 1, for example). 2. The dialer interface goes into “spoofing” mode and stays in this mode until interesting traffic is seen. 3. When interesting traffic is seen, the dialer interface activates the virtual access interface, which creates the X.25 SVC. Once the SVC is established, PPP negotiation begins in order to bring up the line protocol. The client will initiate a call to the remote end server, per the x25 map ppp command. 4. When the AO/DI server receives a call intended for its X.25 map statement, the call is accepted and an event is queued to the X.25 encapsulation manager. The encapsulation manager is an X.25 process that authenticates incoming X.25 calls and AO/DI events, and creates a virtual access interface that clones the configuration from the dialer or BRI interface. Figure 36 shows the virtual interface creation process. Figure 36 Creating a Virtual Access Interface Traffic pointing a route to Dialer or BRI used for cloning MLP bundle Primary link Member link Member link 11522 Traffic pointing a route to Dialer or BRI used for cloning Virtual access interface 11521 Configuring X.25 on ISDN Using AO/DI AO/DI Overview DC-238 Cisco IOS Dial Technologies Configuration Guide Multilink PPP Bundle The multilink protocol offers load balancing, packet fragmentation, and the bandwidth allocation functionality that is key to AO/DI structure. The MLP bundle process is achieved through the following process: 1. The ppp multilink bap command initiates MLP and, subsequently, BAP. The virtual access interface that is created above the X.25 VC (over the D channel) becomes the first member link of the MLP bundle. 2. The ppp multilink idle-link command works in conjunction with the dialer load-threshold command in order to add B channels as needed to boost traffic throughput. When a B channel is added, the first member link enters “receive only” mode, allowing the link additions. When the higher throughput is no longer needed, the additional B channels are disconnected and the primary link is the only link in the bundle, the bundle disengages “receive only” mode. The X.25 SVC stays active. Figure 37 shows the MLP bundle sequence. Figure 37 MLP Bundle Creation Sequence MLP Encapsulation Enhancements In previous releases of the Cisco IOS software, when MLP was used in a dialer profile, a virtual access interface was always created as the bundle. It was bound to both the B channel and the dialer profile interfaces after creation and cloning. The dialer profile interface could act as the bundle without help from a virtual access interface. But with recent software enhancements, it is no longer the virtual access interface that is added into the connected group of the dialer profile, but the dialer profile itself. The dialer profile becomes a connected member of its own connected group. Traffic pointing a route to Dialer or BRI used for cloning MLP bundle Primary link Member link Member link 11522 Configuring X.25 on ISDN Using AO/DI How to Configure an AO/DI Interface DC-239 Cisco IOS Dial Technologies Configuration Guide BACP/BAP Bandwidth resources are provided by BACP, described in RFC 2125. Once the MLP peers have successfully negotiated BACP, BAP negotiates bandwidth resources in order to support traffic throughput. BAP is a subset of BACP, and it defines the methods and governing rules for adding and removing links from the bundle for MLP. BACP/BAP negotiations are achieved through the following process: 1. Once the MLP session is initiated and BACP is negotiated over the MLP bundle, the AO/DI client issues a BAP call request for additional bandwidth. 2. The AO/DI server responds with the BAP call response, which contains the phone number of the B channel to add. B channels are added, as needed, to support the demand for increased traffic throughput. 3. B channels are disconnected as the traffic load decreases. How to Configure an AO/DI Interface To configure X.25 on ISDN using AO/DI, perform the following tasks: • Configuring PPP and BAP on the Client (As required) • Configuring X.25 Parameters on the Client (As required) • Configuring PPP and BAP on the Server (As required) • Configuring X.25 Parameters on the Server (As required) For examples of how to configure X.25 on ISDN using AO/DI in your network, see the section “Configuration Examples for AO/DI” at the end of this chapter. Configuring PPP and BAP on the Client To configure PPP and BAP under the dialer interface on the AO/DI client, use the following commands in interface configuration mode as needed: Command Purpose Router(config-if)# ppp multilink bap Enables PPP BACP bandwidth allocation negotiation. Router(config-if)# encapsulation ppp Enables PPP on the interface. Router(config-if)# dialer in-band Enables dial-on-demand routing (DDR) on the interface. Router(config-if)# dialer load-threshold load Sets the dialer load threshold. Router(config-if)# dialer-group group-number Controls access to this interface by adding it to a dialer access group. Router(config-if)# ppp bap callback accept (Optional) Enables the interface to initiate additional links upon peer request. Configuring X.25 on ISDN Using AO/DI How to Configure an AO/DI Interface DC-240 Cisco IOS Dial Technologies Configuration Guide Configuring X.25 Parameters on the Client The AO/DI client interface must be configured to run PPP over X.25. To configure the interface for the X.25 parameters, use the following commands in interface configuration mode as needed: For details and usage guidelines for X.25 configuration parameters, refer to the Cisco IOS Wide-Area Networking Configuration Guide and Cisco IOS Wide-Area Networking Command Reference. Configuring PPP and BAP on the Server To configure PPP and BAP under the dialer interface on the AO/DI server, use the following commands in interface configuration mode as needed: Router(config-if)# ppp bap call request Enables the interface to initiate additional links. Router(config-if)# dialer map protocol next-hop-address [name hostname] [spc] [speed 56 | speed 64] [broadcast] [modem-script modem-regexp] system-script system-regexp] or Router(config-if)# dialer string dial-string [:isdn-subaddress] Router(config-if)# dialer string dial-string [class class-name] Enables a serial interface or an ISDN interface to initiate and receive calls to or from remote sites. Specifies the destination string (telephone number) for calling: • A single site (using legacy DDR) • Multiple sites (using dialer profiles) Command Purpose Command Purpose Router(config-if)# x25 address address Configures the X.25 address. Router(config-if)# x25 htc circuit-number Sets the highest two-way circuit number. For X.25 the default is 1024. Router(config-if)# x25 win packets Sets the default VC receive window size. The default is 2 packets.1 1. The default input and output window sizes are typically defined by your network administrator. Cisco IOS configured window sizes must be set to match the window size of the network. Router(config-if)# x25 wout packets Sets the default VC transmit window size. The default is 2 packets.1 Command Purpose Router(config-if)# ppp multilink bap Enables PPP BACP bandwidth allocation negotiation. Router(config-if)# encapsulation ppp Enables PPP on the interface. Router(config-if)# dialer in-band Enables DDR on the interface. Configuring X.25 on ISDN Using AO/DI How to Configure an AO/DI Client/Server DC-241 Cisco IOS Dial Technologies Configuration Guide BAP configuration commands are optional. For information on how to configure BACP/BAP see the chapter “Configuring BACP” later in this publication. Configuring X.25 Parameters on the Server The AO/DI server BRI, PRI, or serial interface must be configured for the X.25 parameters necessary to run PPP over X.25. To configure the interface for X.25 parameters, use the following commands in interface configuration mode as needed: For details and usage guidelines for X.25 configuration parameters, see the Cisco IOS Wide-Area Networking Configuration Guide and Cisco IOS Wide-Area Networking Command Reference. How to Configure an AO/DI Client/Server Once the AO/DI client and server are configured with the necessary PPP, BAP, and X.25 commands, configure the routers to perform AO/DI. Perform the tasks in the following sections: • Configuring the AO/DI Client (Required) • Configuring the AO/DI Server (Required) Router(config-if)# dialer load-threshold load Sets the dialer load threshold. Router(config-if)# dialer-group group-number Controls access to this interface by adding it to a dialer access group. Router(config-if)# ppp bap call accept Enables the interface to accept additional links upon peer request. Router(config-if)# ppp bap callback request Enables the interface to initiate additional links (optional). Command Purpose Command Purpose Router(config-if)# x25 address address Configures the X.25 address. Router(config-if)# x25 htc circuit-number Sets the highest two-way circuit number. For X.25 the default is 1024. Router(config-if)# x25 win packets Sets the default VC receive window size. The default is 2 packets.1 1. The default input and output window sizes are typically defined by your network administrator. Cisco IOS configured window sizes must be sets to match the window size of the network. Router(config-if)# x25 wout packets Sets the default VC transmit window size. The default is 2 packets.1 Configuring X.25 on ISDN Using AO/DI How to Configure an AO/DI Client/Server DC-242 Cisco IOS Dial Technologies Configuration Guide Configuring the AO/DI Client To configure AO/DI, you must complete the tasks in the following section. The last task, to define local number peer characteristics, is optional. • Enabling AO/DI on the Interface (Required) • Enabling the AO/DI Interface to Initiate Client Calls (Required) • Enabling the MLP Bundle to Add Multiple Links (Required) • Modifying BACP Default Settings (Optional) See the section “AO/DI Client Configuration Example” at the end of this chapter for an example of how to configure the AO/DI client. Enabling AO/DI on the Interface To enable an interface to run the AO/DI client, use the following command in interface configuration mode: Enabling the AO/DI Interface to Initiate Client Calls You must enable the interface to establish a PPP session over the X.25 protocol. The cloning interface will hold the PPP configuration, which will be cloned by the virtual access interface that is created and attached to the X.25 VC. The cloning interface must also hold the MLP configuration that is needed to run AO/DI. To add the X.25 map statement that will enable the PPP session over X.25, identify the cloning interface, and configure the interface to initiate AO/DI calls, use the following command in interface configuration mode: Enabling the MLP Bundle to Add Multiple Links Once MLP is enabled and the primary traffic load is reached (based on the dialer load-threshold value), the MLP bundle will add member links (B channels). The addition of another B channel places the first link member into “receive-only” mode and subsequent links are added, as needed. To configure the dialer interface or BRI interface used for cloning purposes and to place the first link member into receive only mode, use the following command in interface configuration mode: Command Purpose Router(config-if)# x25 aodi Enables the AO/DI client on an interface. Command Purpose Router(config-if)# x25 map ppp x121-address interface cloning-interface Enables the interface to initiate a PPP session over the X.25 protocol and remote end mapping. Command Purpose Router(config-if)# ppp multilink idle-link Configures the interface to enter “receive only” mode so that MLP links are added as needed. Configuring X.25 on ISDN Using AO/DI How to Configure an AO/DI Client/Server DC-243 Cisco IOS Dial Technologies Configuration Guide Modifying BACP Default Settings During BACP negotiation between peers, the called party indicates the number to call for BACP. This number may be in either a national or subscriber format. A national format indicates that the phone number returned from the server to the client should contain ten digits. A subscriber number format contains seven digits. To assign a prefix to the phone number that is to be returned, use the following optional command in interface configuration mode: Note The ppp bap number prefix command is not typically required on the server side, as the server usually does not initiate calls to the client. This command would only be used on the server in a scenario where both sides are configured to act as both client and server. Configuring the AO/DI Server The AO/DI server will receive calls from the remote end interface running AO/DI client and likewise, and must be configured to initiate a PPP session over X.25, allow interface cloning, and be capable of adding links to the MLP bundle. The interface configured for AO/DI server relies on the no-outgoing option for the x25 map command to ensure calls are not originated by the interface. Use the commands in the following sections to configure the AO/DI server: • Enabling the Interface to Receive AO/DI Client Calls (Required) • Enabling the MLP Bundle to Add Multiple Links (Required) • Modifying BACP Default Settings (Optional) See the section “AO/DI Server Configuration Example” at the end of this chapter for an example of how to configure the AO/DI server. Enabling the Interface to Receive AO/DI Client Calls Configure the x25 map command with the X.121 address of the calling client. This task enables the AO/DI server interface to run a PPP over X.25 session with the configured client. The no-outgoing option must be set in order to ensure that calls do not originate from this interface. To configure an interface for AO/DI server, use the following command in interface configuration mode: Command Purpose Router(config-if)# ppp bap number prefix prefix-number (Optional) specifies a primary telephone number prefix for a peer to call for PPP BACP negotiation. Command Purpose Router(config-if)# x25 map ppp x121-address interface cloning-interface no-outgoing Enables the interface to initiate a PPP session over the X.25 protocol and remote end mapping. Configuring X.25 on ISDN Using AO/DI How to Configure an AO/DI Client/Server DC-244 Cisco IOS Dial Technologies Configuration Guide Enabling the MLP Bundle to Add Multiple Links Once MLP is enabled and the primary traffic load is reached (based on the dialer load-threshold value), the MLP bundle will add member links (B channels). The addition of another B channel places the first link member into “receive-only” mode and subsequent links are added, as needed. To configure the dialer interface or BRI interface used for cloning purposes and to place the first link member into receive only mode, use the following command in interface configuration mode: Modifying BACP Default Settings During BACP negotiation between peers, the called party indicates the number to call for BACP. This number may be in either a national or subscriber format. A national format indicates that the phone number returned from the server to the client should contain 10 digits. A subscriber number format contains 7 digits. To assign a prefix to the phone number that is to be returned, use the following, optional command in interface configuration mode: Note The ppp bap number prefix command is not typically required on the server side, because the server usually does not initiate calls to the client. This command would only be used on the server in a scenario where both sides are configured to act as both client and server. Command Purpose Router(config-if)# ppp multilink idle-link Configures the interface to enter “receive only” mode so that MLP links are added as needed. Command Purpose Router(config-if)# ppp bap number {format national | subscriber} (Optional) Specifies that the primary telephone number for a peer to call is in either a national or subscriber number format. Configuring X.25 on ISDN Using AO/DI Configuration Examples for AO/DI DC-245 Cisco IOS Dial Technologies Configuration Guide Configuration Examples for AO/DI This section provides the following configuration examples: • AO/DI Client Configuration Example • AO/DI Server Configuration Example AO/DI Client Configuration Example The following example shows BRI interface 0 configured with the PPP, multilink, and X.25 commands necessary for the AO/DI client: hostname Router_client ! ip address-pool local isdn switch-type basic-5ess x25 routing ! interface Ethernet0 ip address 172.21.71.99 255.255.255.0 ! interface BRI0 isdn switch-type basic-5ess ip address 10.1.1.9 255.0.0.0 encap ppp dialer in-band dialer load-threshold 1 either dialer-group 1 no fair-queue ppp authentication chap ppp multilink bap ppp bap callback accept ppp bap call request ppp bap number prefix 91 ppp multilink idle-link isdn x25 static-tei 23 isdn x25 dchannel dialer rotary-group 1 ! interface BRI0:0 no ip address x25 address 12135551234 x25 aodi x25 htc 4 x25 win 3 x25 wout 3 x25 map ppp 12135556789 interface bri0 ! dialer-list 1 protocol ip permit Configuring X.25 on ISDN Using AO/DI Configuration Examples for AO/DI DC-246 Cisco IOS Dial Technologies Configuration Guide AO/DI Server Configuration Example The following example shows the configuration for the AO/DI server, which is configured to only receive calls from the AO/DI client. The configuration uses the x25 map ppp command with the no-outgoing option, and the ppp bap number format command, which implements the national format. hostname Router_server ! ip address-pool local isdn switch-type basic-5ess x25 routing ! interface Ethernet0 ip address 172.21.71.100 255.255.255.0 ! interface BRI0 isdn switch-type basic-5ess ip address 10.1.1.10 255.0.0.0 encap ppp dialer in-band no fair-queue dialer load-threshold 1 either dialer-group 1 ppp authentication pap ppp multilink bap ppp multilink idle-link ppp bap number default 2135550904 ppp bap number format national ppp bap call accept ppp bap timeout pending 20 isdn x25 static-tei 23 isdn x25 dchannel dialer rotary-group 1 ! interface BRI0:0 no ip address x25 address 12135556789 x25 htc 4 x25 win 3 x25 wout 3 x25 map ppp 12135551234 interface bri0 no-outgoing ! dialer-list 1 protocol ip permit DC-247 Cisco IOS Dial Technologies Configuration Guide Configuring ISDN on Cisco 800 Series Routers This chapter describes the Common Application Programming Interface (CAPI) and Remote Common Application Programming Interface (RCAPI) feature for the Cisco 800 series routers. This information is included in the following main sections: • CAPI and RCAPI Overview • How to Configure RCAPI • Configuration Examples for RCAPI The CAPI is an application programming interface standard used to access ISDN equipment connected to ISDN BRIs and ISDN PRIs. RCAPI is the CAPI feature configured remotely from a PC client. Before you can enable the RCAPI feature on the Cisco 800 series router, the following requirements must be met: • Cisco 800 series software with RCAPI support is installed on the router. • CAPI commands are properly configured on the router. • Both the CAPI local device console and RCAPI client devices on the LAN are correctly installed and configured with RVS-COM client driver software. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Configuring ISDN on Cisco 800 Series Routers CAPI and RCAPI Overview DC-248 Cisco IOS Dial Technologies Configuration Guide CAPI and RCAPI Overview Figure 38 shows how CAPI connects applications, drivers, and controllers. Figure 38 CAPI Connections Framing Protocols The framing protocols supported by CAPI include High-Level Data Link Control (HDLC), HDLC inverted, bit transparent (speech), and V.110 synchronous/asynchronous. Data Link and Network Layer Protocols CAPI integrates the following data link and network layer protocols: • Link Access Procedure on the D-channel (LAPD) in accordance with Q.921 for X.25 D-channel implementation • PPP • ISO 8208 (X.25 DTE-DTE) • X.25 DCE, T.90NL, and T.30 (fax group 3) CAPI Features CAPI supports the following features: • Basic call features, such as call setup and tear-down • Multiple B channels for data and voice connections • Multiple logical data link connections within a physical connection • Selection of different services and protocols during connection setup and on answering incoming calls Controller 1 Application Facsimile Controller 2 Controller 3 Controller 4 26485 Application Telephone Common ISDN API (CAPI) Application File Transfer Application Other Configuring ISDN on Cisco 800 Series Routers CAPI and RCAPI Overview DC-249 Cisco IOS Dial Technologies Configuration Guide • Transparent interface for protocols above Layer 3 • One or more BRIs as well as PRI on one or more Integrated Services Digital Network (ISDN) adapters • Multiple applications • Operating-systems-independent messages • Operating-system-dependent exchange mechanism for optimum operating system integration • Asynchronous event-driven mechanism, resulting in high throughput • Well-defined mechanism for manufacturer-specific extensions • Multiple supplementary services Figure 39 shows the components of the RCAPI implementation. Figure 39 Components of RCAPI CAPI provides a standardized interface through which application programs can use ISDN drivers and controllers. One application can use one or more controllers. Several applications can share one or more controllers. CAPI supplies a selection mechanism that supports applications that use protocols at different levels and standardized network access. An abstraction from different protocol variables is performed to provide this support. All connection-related data, such as connection state and display messages, is available to the applications at any time. Supported B-Channel Protocols The router provides two 64-kbps B channels to RCAPI clients. Each B channel can be configured separately to work in either HDLC mode or bit transparent mode. For CAPI support, layers B2 through B7 protocols are transparent to the applications using these B channels. WinFax (non-CAPI) Soft modem ISDN DCP client driver DCP messaging over TCP/IP ISDN DCP server driver ISDN stack Cisco IOS software - 800 series router Virtual com port G4 fax (CAPI) CAPI library RCAPI client 29145 Configuring ISDN on Cisco 800 Series Routers CAPI and RCAPI Overview DC-250 Cisco IOS Dial Technologies Configuration Guide The ISDN Core Engine of RVS-COM supports the following B-channel protocols: • CAPI layer B1 – 64-kbps with HDLC framing – 64-kbps bit transparent operation with byte framing from the network – T.30 modem for fax group 3 – Modem with full negotiation • CAPI layer B2 – V.120 – Transparent – T.30 modem for fax group 3 – Modem with full negotiation • CAPI layer B3 – Transparent – T.90NL with compatibility to T.70NL according to T.90 Appendix II – ISO 8208 (X.25 DTE-DTE) modulo 8 and windows size 2, no multiple logical connections – T.30 for fax group 3 – Modem with full negotiation • T.30 for fax group 3 (SFF file format [default], sending and receiving up to 14400 bit/s with ECM option, modulations V.17, V.21, V.27ter, V.29) • Analog modem (sending and receiving up to 14,400 bit/s, modulations V.21, V.22, V.22bis, V.23, V.32, V.32bis) Supported Switch Types CAPI and RCAPI support is available only for the ISDN switch type Net3. CAPI and RVS-COM The router supports the ISDN Device Control Protocol (ISDN-DCP) from RVS-COM. ISDN-DCP allows a workstation on the LAN or router to use legacy dial computer telephony integration (CTI) applications. These applications include placing and receiving telephone calls and transmitting and receiving faxes. Using ISDN-DCP, the router acts as a DCP server. By default, the router listens for DCP messages on TCP port number 2578 (the Internet-assigned number for RVS-COM DCP) on its LAN port. When the router receives a DCP message from a DCP client (connected to the LAN port of the router), the router processes the message and acts on it; it can send confirmations to the DCP clients and ISDN packets through the BRI port of the router. When the router receives packets destined for one of the DCP clients on its BRI port, the router formats the packet as a DCP message and sends it to the corresponding client. The router supports all the DCP messages specified in the ISDN-DCP specifications defined by RVS-COM. Configuring ISDN on Cisco 800 Series Routers How to Configure RCAPI DC-251 Cisco IOS Dial Technologies Configuration Guide Supported Applications ISDN-DCP supports CAPI and non-CAPI applications. Applications are supported that use one or two B channels for data transfer, different HDLC-based protocols, Euro File transfer, or G4 fax; also supported are applications that send bit-transparent data such as A/Mu law audio, G3 fax, analog modem, or analog telephones. Helpful Website The following Web link provides answers to frequently asked questions about installing and using RCAPI: http://www.cisco.com/warp/partner/synchronicd/cc/pd/rt/800/prodlit/rcapi_qa.htm How to Configure RCAPI To configure RCAPI, perform the tasks in the following sections: • Configuring RCAPI on the Cisco 800 Series Router (Required) • Monitoring and Maintaining RCAPI (Optional) • Troubleshooting RCAPI (Optional) Configuring RCAPI on the Cisco 800 Series Router To configure RCAPI on the Cisco 800 series router, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# isdn switch-type basic-net3 Sets the switch type. In this example, the switch type is set to NET3 ISDN, which covers the Euro-ISDN E-DSS1 signaling system and is ETSI-compliant. Step 2 Router(config)# rcapi number number Enters the RCAPI directory number assigned by the ISDN provider for the device. An example command: rcapi number 12345. Step 3 Router(config)# rcapi server port number The rcapi server command is mandatory for RCAPI to be enabled on the router. The parameter port is optional and is entered only when you need to specify a port number for RCAPI functions. Otherwise, the default port 2578 is used. An example command with default port 2578: rcapi server port An example command with port 2000: rcapi server port 2000 Configure the same number on both the router and the client PC. Configuring ISDN on Cisco 800 Series Routers Configuration Examples for RCAPI DC-252 Cisco IOS Dial Technologies Configuration Guide Note If required, at each remote device console change to global configuration mode, using the command configure terminal, and repeat Step 2 through Step 7 to configure that device. Monitoring and Maintaining RCAPI To monitor and maintain RCAPI, use the following command in privileged EXEC mode: Troubleshooting RCAPI To test the RCAPI operation, use the following command in privileged EXEC mode Configuration Examples for RCAPI The following configuration output example shows two Cisco 800 series routers configured for RCAPI: Router 1 Router1# show running-config Building configuration... Current configuration: ! version xx.x service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname local ! Step 4 Router(config)# interface bri0 Configures the ISDN BRI interface and begins interface configuration mode. Step 5 Router(config-if)# isdn switch-type basic-net3 Sets the switch type for the bri0 interface. In this example, the switch type is set to NET3 ISDN, which covers the Euro-ISDN E-DSS1 signaling system and is ETSI-compliant. Step 6 Router(config-if)# isdn incoming-voice modem Sets the modem as the default handler for incoming voice calls. Command Purpose Command Purpose Router# show rcapi status Displays RCAPI status. Command Purpose Router# debug rcapi events Starts a background debug program. Configuring ISDN on Cisco 800 Series Routers Configuration Examples for RCAPI DC-253 Cisco IOS Dial Technologies Configuration Guide ip subnet-zero ! isdn switch-type basic-net3 isdn voice-call-failure 0 ! interface Ethernet0 ip address 192.168.2.1 255.255.255.0 no ip directed-broadcast ! interface BRI0 no ip address no ip directed-broadcast isdn switch-type basic-net3 isdn incoming-voice modem ! no ip http server ip classless ! line con 0 transport input none stopbits 1 line vty 0 4 ! rcapi server port 2578 ! rcapi number 5551000 rcapi number 5553000 ! end Router1# Router 2 Router2# show running-config Building configuration... Current configuration: ! version 12.0 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname local ! ip subnet-zero ! isdn switch-type basic-net3 isdn voice-call-failure 0 ! interface Ethernet0 ip address 192.168.1.1 255.255.255.0 no ip directed-broadcast ! interface BRI0 no ip address no ip directed-broadcast isdn switch-type basic-net3 isdn incoming-voice modem ! Configuring ISDN on Cisco 800 Series Routers Configuration Examples for RCAPI DC-254 Cisco IOS Dial Technologies Configuration Guide no ip http server ip classless ! line con 0 transport input none stopbits 1 line vty 0 ! rcapi server port 2578 ! rcapi number 5552000 rcapi number 5554000 ! end Router2# Signaling Configuration DC-257 Cisco IOS Dial Technologies Configuration Guide Configuring ISDN PRI This chapter describes how to configure channelized E1 and channelized T1 for ISDN PRI and for two types of signaling to support analog calls over digital lines. This information is included in the following sections: • Signaling Overview • How to Configure ISDN PRI • Monitoring and Maintaining ISDN PRI Interfaces • How to Configure Robbed-Bit Signaling for Analog Calls over T1 Lines • How to Configure CAS • How to Configure Switched 56K Digital Dial-In over Channelized T1 and Robbed-Bit Signaling • How to Configure Switched 56K Services • How to Configure E1 R2 Signaling • Enabling R1 Modified Signaling in Taiwan • Configuration Examples for Channelized E1 and Channelized T1 In addition, this chapter describes how to run interface loopback diagnostics on channelized E1 and channelized T1 lines. For more information, see the “How to Configure Switched 56K Digital Dial-In over Channelized T1 and Robbed-Bit Signaling” section later in this chapter, and the Cisco IOS Interface Configuration Guide, Release 12.2. For hardware technical descriptions and for information about installing the controllers and interfaces, refer to the hardware installation and maintenance publication for your particular product. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the channelized E1/T1 commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference, Release 12.2. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Configuring ISDN PRI Signaling Overview DC-258 Cisco IOS Dial Technologies Configuration Guide Signaling Overview Channelized T1 and channelized E1 can be configured for ISDN PRI, synchronous serial, and asynchronous serial communications. Channelized T1 and channelized E1 are supported by corresponding controllers. Each T1 or E1 controller has one physical network termination, but it can have many virtual interfaces, depending on the configuration. In-Band and Out-of-Band Signaling The terms in-band and out-of-band indicate whether various signals—which are used to set up, control, and terminate calls—travel in the same channel (or band) with voice calls or data made by the user, or whether those signals travel in a separate channel (or band). ISDN, which uses the D channel for signaling and the B channels for user data, fits into the out-of-band signaling category. Robbed-bit signaling, which uses bits from specified frames in the user data channel for signaling, fits into the in-band signaling category. Channel-associated signaling (CAS), which uses E1 time slot 16 (the D channel) for signaling, fits into the out-of-band signaling category. Channelized E1 and T1 on Cisco Devices You can allocate the available channels for channelized E1 or T1 in the following ways: • All channels can be configured to support ISDN PRI. Channelized T1 ISDN PRI offers 23 B channels and 1 D channel. Channelized E1 ISDN PRI offers 30 B channels and 1 D channel. Channel 24 is the D channel for T1, and channel 16 is the D channel for E1. • If you are not running ISDN PRI, all channels can be configured to support robbed-bit signaling, which enables a Cisco modem to receive and send analog calls. • All channels can be configured in a single channel group. For configuration information about this leased line or nondial use, see the “Configuring Serial Interfaces” chapter in the Cisco IOS Interface Configuration Guide. • Mix and match channels supporting ISDN PRI and channel grouping. • Mix and match channels supporting ISDN PRI, robbed-bit signaling, and channel grouping across the same T1 line. For example, on the same channelized T1 line you can configure the pri-group timeslots 1-10 command, channel-group 11 timeslots 11-16 command, and cas-group 17 timeslots 17-23 type e&m-fgb command. This is a rare configuration because it requires you to align the correct range of time slots on both ends of the connection. See the sections “PRI Groups and Channel Groups on the Same Channelized T1 Controller Example,” “Robbed-Bit Signaling Examples,” and the “ISDN CAS Examples” at the end of this chapter. Configuring ISDN PRI How to Configure ISDN PRI DC-259 Cisco IOS Dial Technologies Configuration Guide How to Configure ISDN PRI This section describes tasks that are required to get ISDN PRI up and running. This section does not address routing issues, dialer configuration, and dial backup. For information about those topics, see the chapters in the “Dial-on-Demand Routing” part of this manual. To configure ISDN PRI, perform the tasks in the following sections: • Requesting PRI Line and Switch Configuration from a Telco Service Provider (Required) • Configuring Channelized E1 ISDN PRI (As required) • Configuring Channelized T1 ISDN PRI (As required) • Configuring the Serial Interface (Required) • Configuring NSF Call-by-Call Support (Primary-4ESS Only) • Configuring Multiple ISDN Switch Types (Optional) • Configuring B Channel Outgoing Call Order (Optional) • Performing Configuration Self-Tests (Optional) See the section “Monitoring and Maintaining ISDN PRI Interfaces” later in this chapter for tips on maintaining the ISDN PRI interface. See the end of this chapter for the “ISDN PRI Examples” section. Note After the ISDN PRI interface and lines are operational, configure the D-channel interface for dial-on-demand routing (DDR). The DDR configuration specifies the packets that can trigger outgoing calls, specifies whether to place or receive calls, and provides the protocol, address, and phone number to use. Requesting PRI Line and Switch Configuration from a Telco Service Provider Before configuring ISDN PRI on your Cisco router, you need to order a correctly provisioned ISDN PRI line from your telecommunications service provider. This process varies dramatically from provider to provider on a national and international basis. However, some general guidelines follow: • Verify if the outgoing B channel calls are made in ascending or descending order. Cisco IOS default is descending order however, if the switch from the service providers is configured for outgoing calls made in ascending order, the router can be configured to match the switch configuration of the service provider. • Ask for delivery of calling line identification. Providers sometimes call this CLI or automatic number identification (ANI). • If the router will be attached to an ISDN bus (to which other ISDN devices might be attached), ask for point-to-multipoint service (subaddressing is required) and a voice-and-data line. Table 23 provides a sample of the T1 configuration attributes you might request for a PRI switch used in North America. Configuring ISDN PRI How to Configure ISDN PRI DC-260 Cisco IOS Dial Technologies Configuration Guide Configuring Channelized E1 ISDN PRI To configure ISDN PRI on a channelized E1 controller, use the following commands beginning in global configuration mode: If you do not specify the time slots, the specified controller is configured for 30 B channels and 1 D channel. The B channel numbers range from 1 to 31; channel 16 is the D channel for E1. Corresponding serial interfaces numbers range from 0 to 30. In commands, the D channel is interface serial controller-number:15. For example, interface serial 0:15. Table 23 North American PRI Switch Configuration Attributes Attribute Value Line format Extended Superframe Format (ESF) Line coding Binary 8-zero substitution (B8ZS) Call type 23 incoming channels and 23 outgoing channels Speed 64 kbps Call-by-call capability Enabled Channels 23 B + D Trunk selection sequence Either ascending order (from 1 to 23) or descending order (from 23 to 1) B + D glare Yield Directory numbers Only 1 directory number assigned by service provider SPIDs required? None Command Purpose Step 1 Router(config)# isdn switch-type switch-type Selects a service provider switch type that accommodates PRI. (See Table 24 for a list of supported switch type keywords.) Step 2 Router(config)# controller e1 slot/port or Router(config)# controller e1 number Defines the controller location in the Cisco 7200 or Cisco 7500 series router by slot and port number. Defines the controller location in the Cisco 4000 series or the Cisco AS5200 universal access server by unit number.1 1. Controller numbers range from 0 to 2 on the Cisco 4000 series and from 1 to 2 on the Cisco AS5000 series access server. Step 3 Router(config-controller)# framing crc4 Defines the framing characteristics as cyclic redundancy check 4 (CRC4). Step 4 Router(config-controller)# linecode hdb3 Defines the line code as high-density bipolar 3 (HDB3). Step 5 Router(config-controller)# pri-group [timeslots range] Configures ISDN PRI. Configuring ISDN PRI How to Configure ISDN PRI DC-261 Cisco IOS Dial Technologies Configuration Guide Table 24 lists the keywords for the supported service provider switch types to be used in Step 1 above. Note For information and examples for configuring ISDN PRI for voice, video, and fax applications, refer to the Cisco IOS Voice, Video, and Fax Applications Configuration Guide. Configuring Channelized T1 ISDN PRI To configure ISDN PRI on a channelized T1 controller, use the following commands beginning in global configuration mode: Table 24 ISDN Service Provider PRI Switch Types Switch Type Keywords Description/Use Voice/PBX Systems primary-qsig Supports QSIG signaling per Q.931. Network side functionality is assigned with the isdn protocol-emulate command. Australia and Europe primary-net5 NET5 ISDN PRI switch types for Asia, Australia, and New Zealand; ETSI-compliant switches for Euro-ISDN E-DSS1 signaling system. Japan primary-ntt Japanese NTT ISDN PRI switches. North America primary-4ess Lucent (AT&T) 4ESS switch type for the United States. primary-5ess Lucent (AT&T) 5ESS switch type for the United States. primary-dms100 Nortel DMS-100 switch type for the United States. primary-ni National ISDN switch type. All Users none No switch defined. Command Purpose Step 1 Router(config)# isdn switch-type switch-type Selects a service provider switch type that accommodates PRI. (Refer to Table 24 for a list of supported PRI switch type keywords.) Step 2 Router(config)# controller t1 slot/port or Router(config)# controller t1 number Specifies a T1 controller on a Cisco 7500. Specifies a T1 controller on a Cisco 4000.1 Step 3 Router(config-controller)# framing esf Defines the framing characteristics as Extended Superframe Format (ESF). Configuring ISDN PRI How to Configure ISDN PRI DC-262 Cisco IOS Dial Technologies Configuration Guide If you do not specify the time slots, the specified controller is configured for 24 B channels and 1 D channel. The B channel numbers range from 1 to 24; channel 24 is the D channel for T1. Corresponding serial interfaces numbers range from 0 to 23. In commands, the D channel is interface serial controller-number:23. For example, interface serial 0:23. Configuring the Serial Interface When you configure ISDN PRI on the channelized E1 or channelized T1 controller, in effect you create a serial interface that corresponds to the PRI group time slots. This interface is a logical entity associated with the specific controller. After you create the serial interface by configuring the controller, you must configure the D channel serial interface. The configuration applies to all the PRI B channels (time slots). To configure the D channel serial interface, perform the tasks in the following sections: • Specifying an IP Address for the Interface (Required) • Configuring Encapsulation on ISDN PRI (Required) • Configuring Network Addressing (Required) • Configuring ISDN Calling Number Identification (As Required) • Overriding the Default TEI Value (As Required) • Configuring a Static TEI (As Required) • Configuring Incoming ISDN Modem Calls (As Required) • Filtering Incoming ISDN Calls (As Required) • Configuring the ISDN Guard Timer (Optional) • Configuring Inclusion of the Sending Complete Information Element (Optional) • Configuring ISDN PRI B-Channel Busyout (Optional) Step 4 Router(config-controller)# linecode b8zs Defines the line code as binary 8 zero substitution (B8ZS). Step 5 Router(config-controller)# pri-group [timeslots range]2 Configures ISDN PRI. If you do not specify the time slots, the controller is configured for 23 B channels and 1 D channel. 1. Controller numbers range from 0 to 2 on the Cisco 4000 series and from 1 to 2 on the Cisco AS5000 series. 2. On channelized T1, time slots range from 1 to 24. You can specify a range of time slots (for example, pri-group timeslots 12-24) if other time slots are used for non-PRI channel groups. Command Purpose Configuring ISDN PRI How to Configure ISDN PRI DC-263 Cisco IOS Dial Technologies Configuration Guide Specifying an IP Address for the Interface To configure the D channel serial interface created for ISDN PRI, use the following commands beginning in global configuration mode: When you configure the D channel, its configuration is applied to all the individual B channels. Configuring Encapsulation on ISDN PRI PPP encapsulation is configured for most ISDN communication. However, the router might require a different encapsulation for traffic sent over a Frame Relay or X.25 network, or the router might need to communicate with devices that require a different encapsulation protocol. Configure encapsulation as described in one of the following sections: • Configuring PPP Encapsulation • Configuring Encapsulation for Frame Relay or X.25 Networks • Configuring Encapsulation for Combinet Compatibility In addition, the router can be configured for automatic detection of encapsulation type on incoming calls. To configure this feature, complete the tasks in the “Configuring Automatic Detection of Encapsulation Type of Incoming Calls” section. Note See the sections “Dynamic Multiple Encapsulations” and “Configuring Encapsulation on ISDN BRI” in the chapter “Configuring ISDN BRI” for information about the Cisco Dynamic Multiple Encapsulations feature. Configuring PPP Encapsulation Each ISDN B channel is treated as a serial line and supports HDLC and PPP encapsulation. The default serial encapsulation is HDLC. To configure PPP encapsulation, use the following command in interface configuration mode: Command Purpose Step 1 Router(config)# interface serial slot/port:23 Router(config)# interface serial number:23 or Router(config)# interface serial slot/port:15 Router(config)# interface serial number:15 Specifies D channel on the serial interface for channelized T1 and begins interface configuration mode. Specifies D channel on the serial interface for channelized E1 and begins interface configuration mode. Step 2 Router(config-if)# ip address ip-address Specifies an IP address for the interface. Command Purpose Router(config-if)# encapsulation ppp Configures PPP encapsulation. Configuring ISDN PRI How to Configure ISDN PRI DC-264 Cisco IOS Dial Technologies Configuration Guide Configuring Encapsulation for Frame Relay or X.25 Networks If traffic from this ISDN interface crosses a Frame Relay or X.25 network, the appropriate addressing and encapsulation tasks must be completed as required for Frame Relay or X.25 networks. See the sections “Sending Traffic over Frame Relay, X.25, or LAPB Networks” in the chapter “Configuring Legacy DDR Spokes” for more information about addressing, encapsulation, and other tasks necessary to configure Frame Relay or X.25 networks. Configuring Encapsulation for Combinet Compatibility Historically, Combinet devices supported only the Combinet Proprietary Protocol (CPP) for negotiating connections over ISDN B channels. To enable Cisco routers to communicate with those Combinet bridges, the Cisco IOS software supports the CPP encapsulation type. To enable routers to communicate over ISDN interfaces with Combinet bridges that support only CPP, use the following commands in interface configuration mode: Most Combinet devices support PPP. Cisco routers can communicate over ISDN with these devices by using PPP encapsulation, which supports both routing and fast switching. Cisco 700 and 800 series routers and bridges (formerly Combinet devices) support only IP, IPX, and bridging. For AppleTalk, Cisco routers automatically perform half-bridging with Combinet devices. For more information about half-bridging, see the section “Configuring PPP Half-Bridging” in the “Configuring Media-Independent PPP and Multilink PPP” chapter in this publication. Cisco routers can also half-bridge IP and IPX with Combinet devices that support only CPP. To configure this feature, you only need to set up the addressing with the ISDN interface as part of the remote subnet; no additional commands are required. Configuring Automatic Detection of Encapsulation Type of Incoming Calls You can enable a serial or ISDN interface to accept calls and dynamically change the encapsulation in effect on the interface when the remote device does not signal the call type. For example, if an ISDN call does not identify the call type in the Lower Layer Compatibility fields and is using an encapsulation that is different from the one configured on the interface, the interface can change its encapsulation type at that time. This feature enables interoperation with ISDN terminal adapters that use V.120 encapsulation but do not signal V.120 in the call setup message. An ISDN interface that by default answers a call as synchronous serial with PPP encapsulation can change its encapsulation and answer such calls. Automatic detection is attempted for the first 10 seconds after the link is established or the first 5 packets exchanged over the link, whichever is first. Command Purpose Step 1 Router(config-if)# encapsulation cpp Specifies CPP encapsulation. Step 2 Router(config-if)# cpp callback accept Enables CPP callback acceptance. Step 3 Router(config-if)# cpp authentication Enables CPP authentication. Configuring ISDN PRI How to Configure ISDN PRI DC-265 Cisco IOS Dial Technologies Configuration Guide To enable automatic detection of encapsulation type, use the following command in interface configuration mode: You can specify one or more encapsulations to detect. Cisco IOS software currently supports automatic detection of PPP and V.120 encapsulations. Configuring Network Addressing When you configure networking, you specify how to reach the remote recipient. To configure network addressing, use the following commands in interface configuration mode: Australian networks allow semipermanent connections between customer routers with PRIs and the TS-014 ISDN PRI switches in the exchange. Semipermanent connections are offered at better pricing than leased lines. Packets that are permitted by the access list specified by the dialer-list command are considered interesting and cause the router to place a call to the identified destination protocol address. Note The access list reference in Step 4 of this task list is an example of the access list commands allowed by different protocols. Some protocols might require a different command form or might require multiple commands. See the relevant chapter in the appropriate network protocol configuration guide (for example, the Cisco IOS AppleTalk and Novell IPX Configuration Guide) for more information about setting up access lists for a protocol. For more information about defining outgoing call numbers, see the sections “Configuring Access Control for Outgoing Calls” in the chapters “Configuring Legacy DDR Spokes” or “Configuring Legacy DDR Hubs” later in this publication. Command Purpose Router(config-if)# autodetect encapsulation encapsulation-type Enables automatic detection of encapsulation type on the specified interface. Command Purpose Step 1 Router(config-if)# dialer map protocol next-hop-address name hostname speed 56|64 dial-string[:isdn-subaddress] or Defines the protocol address of the remote recipient, host name, and dialing string; optionally, provides the ISDN subaddress; sets the dialer speed to 56 or 64 kbps, as needed. Router(config-if)# dialer map protocol next-hop-address name hostname spc [speed 56 | 64] [broadcast] dial-string[:isdn-subaddress] (Australia) Uses the spc keyword that enables ISDN semipermanent connections. Step 2 Router(config-if)# dialer-group group-number Assigns the interface to a dialer group to control access to the interface. Step 3 Router(config-if)# dialer-list dialer-group list access-list-number Associates the dialer group number with an access list number. Step 4 Router(config-if)# access-list access-list-number {deny | permit} protocol source address source-mask destination destination-mask Defines an access list permitting or denying access to specified protocols, sources, or destinations. Configuring ISDN PRI How to Configure ISDN PRI DC-266 Cisco IOS Dial Technologies Configuration Guide Configuring ISDN Calling Number Identification A router might need to supply the ISDN network with a billing number for outgoing calls. Some networks offer better pricing on calls in which the number is presented. When configured, the calling number information is included in the outgoing Setup message. To configure the interface to identify the billing number, use the following command in interface configuration mode: This command can be used with all ISDN PRI switch types. Overriding the Default TEI Value You can configure ISDN terminal endpoint identifier (TEI) negotiation on individual ISDN interfaces. TEI negotiation is useful for switches that may deactivate Layers 1 or 2 when there are no active calls. Typically, this setting is used for ISDN service offerings in Europe and connections to DMS 100 switches that are designed to initiate TEI negotiation. By default, TEI negotiation occurs when the router is powered up. The TEI negotiation value configured on an interface overrides the default or global TEI value. On PRI interfaces connecting to DMS 100 switches, the router will change the default TEI setting to isdn tei first-call. To apply TEI negotiation to a specific PRI interface, use the following command in interface configuration mode: Configuring a Static TEI Depending on the telephone company you subscribe to, you may have a dynamically or statically assigned terminal endpoint identifier (TEI) for your ISDN service. By default, TEIs are dynamic in Cisco routers. To configure the TEI as a static configuration, use the following command in interface configuration mode: Configuring Incoming ISDN Modem Calls All incoming ISDN analog modem calls that come in on an ISDN PRI receive signaling information from the ISDN D channel. The D channel is used for circuit-switched data calls and analog modem calls. Command Purpose Router(config-if)# isdn calling-number calling-number Specifies the calling party number. Command Purpose Router(config-if)# isdn tei [first-call | powerup] Determines when ISDN TEI negotiation occurs. Command Purpose Router(config-if)# isdn static-tei tei-number Configures a static ISDN Layer 2 TEI over the D channel. Configuring ISDN PRI How to Configure ISDN PRI DC-267 Cisco IOS Dial Technologies Configuration Guide To enable all incoming ISDN voice calls to access the call switch module and integrated modems, use the following command in interface configuration mode: The settings for the isdn incoming-voice interface command determine how a call is handled based on bearer capability information, as follows: • isdn incoming-voice voice—Calls bypass the modem and are handled as a voice call. • isdn incoming-voice data—Calls bypass the modem and are handled as digital data. • isdn incoming-voice modem—Calls are passed to the modem and the call negotiates the appropriate connection with the far-end modem. Refer to the Cisco IOS Voice, Video, and Fax Configuration Guide and Cisco IOS Voice, Video, and Fax Command Reference, Release 12.2, for more information about using the isdn incoming-voice interface configuration command to configure incoming ISDN voice and data calls. Filtering Incoming ISDN Calls You may find it necessary to configure your network to reject an incoming call with some specific ISDN bearer capability such as nonspeech or nonaudio data. To filter out unwanted call types, use the following command in interface configuration mode: Note When the ISDN interface is configured for incoming voice with the isdn incoming-voice voice command (see the previous section “Configuring Incoming ISDN Modem Calls”), and bearer capability indicates the call as unrestricted digital data (i = 0x8890), the call is handled as voice over data (use vod keyword). Verifying the Call Reject Configuration To verify that calls are being rejected, perform the following steps: Step 1 Enable the following debug commands at the privileged EXEC prompt: • debug isdn event • debug isdn event detail • debug isdn q931 • debug isdn q931 l3trace Command Purpose Router(config-if)# isdn incoming-voice {modem [56 | 64]} Routes incoming ISDN modem calls to the call switch module. Command Purpose Router(config-if)# isdn reject {{cause cause-code} |{data [56 | 64]} | piafs | v110 | v120 | vod | voice {[3.1khz | 7khz | speech]}} Rejects an incoming ISDN BRI or PRI call based on type. Configuring ISDN PRI How to Configure ISDN PRI DC-268 Cisco IOS Dial Technologies Configuration Guide Step 2 Configure the appropriate isdn reject command. The following example configures the network to reject all incoming data calls on ISDN interfaces 4 through 23: Router(config)# interface serial 4:23 Router(config-if)# isdn reject data Router(config-if)# ^Z Step 3 Build the configuration and then monitor the debug command output for the following string, which indicates that the call was rejected: ISDN : Rejecting call id isdn calltype screening failed Step 4 Enter the show isdn status EXEC command to display a detailed report of the ISDN configuration, including status of Layers 1 through 3, the call type, and the call identifier. Step 5 Turn off the debugging messages by entering the no form of the debug command—no debug isdn event detail, for example— or by entering the undebug form of the command—undebug isdn q931, for example. Configuring the ISDN Guard Timer Beginning in Cisco IOS Release 12.2, the ISDN guard timer feature implements a new managed timer for ISDN calls. Because response times for authentication requests can vary, for instance when using DNIS authentication, the guard timer allows you to control the handling of calls. To configure the ISDN guard timer, use the following command in interface configuration mode: For more information about configuring RADIUS, and to see sample ISDN PRI guard timer configurations, refer to the Cisco IOS Security Configuration Guide. Configuring Inclusion of the Sending Complete Information Element In some geographic locations, such as Hong Kong and Taiwan, ISDN switches require that the Sending Complete information element be included in the outgoing Setup message to indicate that the entire number is included. This information element is generally not required in other locations. To configure the interface to include the Sending Complete information element in the outgoing call Setup message, use the following command in interface configuration mode: Command Purpose Router(config-if)# isdn guard-timer msecs Enables the guard timer and sets the number of milliseconds for which the access server waits for RADIUS to respond before rejecting or accepting (optional) a call. Command Purpose Router(config-if)# isdn sending-complete Includes the Sending Complete information element in the outgoing call Setup message. Configuring ISDN PRI How to Configure ISDN PRI DC-269 Cisco IOS Dial Technologies Configuration Guide Configuring ISDN PRI B-Channel Busyout To allow the busyout of individual ISDN PRI B channels, use the following commands beginning in global configuration mode: Configuring NSF Call-by-Call Support Network-Specific Facilities (NSF) are used to request a particular service from the network or to provide an indication of the service being provided. Call-by-call support means that a B channel can be used for any service; its use is not restricted to a certain preconfigured service, such as incoming 800 calls or an outgoing 800 calls. This specific NSF call-by-call service supports outgoing calls configured as voice calls. This NSF call-by-call support feature is vendor-specific; only routers connected to AT&T Primary-4ESS switches need to configure this feature. This feature is supported on channelized T1. To enable the router for NSF call-by-call support and, optionally, to place outgoing voice calls, complete the following steps: Step 1 Configure the controller for ISDN PRI. Step 2 Configure the D channel interface to place outgoing calls using the dialer map command with a dialing-plan keyword. You can enter a dialer map command for each dialing plan to be supported. Step 3 Define the dialer map class for that dialing plan. To define the dialer map class for the dialing plan, use the following commands beginning in global configuration mode: Note To set the called party type to international, the dialed number must be prefaced by 011. Table 25 lists the NSF dialing plans and supported services offered on AT&T Primary-4ESS switches. Command Purpose Step 1 Router(config)# interface serial controller:timeslot Enters interface configuration mode for a D-channel serial interface. Step 2 Router(config-if)# isdn snmp busyout b-channel Allows the busyout of individual PRI B channels via SNMP. Command Purpose Step 1 Router(config)# map-class dialer classname Specifies the dialer map class, using the dialing-plan keyword as the class name, and begins map class configuration mode. Step 2 Router(config-map-class)# dialer voice-call (Optional) Enables voice calls. Step 3 Router(config-map-class)# dialer outgoing classname Configures the specific dialer map class to make outgoing calls. Configuring ISDN PRI How to Configure ISDN PRI DC-270 Cisco IOS Dial Technologies Configuration Guide Configuring Multiple ISDN Switch Types You can apply an ISDN switch type on a per-interface basis, thus extending the existing global isdn switch-type command to the interface level. This allows PRI and BRI to run simultaneously on platforms that support both interface types. A global ISDN switch type is required and must be configured on the router before you can configure a switch type on an interface. To configure multiple ISDN switch types for a PRI interface using a channelized E1 or channelized T1 controller, use the following command in global configuration mode: You must ensure that the ISDN switch type is valid for the ISDN interfaces on the router. Table 24 lists valid ISDN switch types for BRI and PRI interfaces. Note When you configure an ISDN switch type on the channelized E1 or T1 controller, this switch type is applied to all time slots on that controller. For example, if you configure channelized T1 controller 1:23, which corresponds to serial interface 1, with the ISDN switch type keyword primary-net5, then all time slots on serial interface 1 (and T1 controller 1) will use the Primary-Net5 switch type. The following restrictions apply to the Multiple ISDN Switch Types feature: • You must configure a global ISDN switch type using the existing isdn switch-type global configuration command before you can configure the ISDN switch type on an interface. Because global commands are processed before interface level commands, the command parser will not accept the isdn switch-type command on an interface unless a switch type is first added globally. Using the isdn switch-type global command allows for backward compatibility. • If an ISDN switch type is configured globally, but not at the interface level, then the global switch type value is applied to all ISDN interfaces. • If an ISDN switch type is configured globally and on an interface, the interface level switch type supersedes the global switch type at initial configuration. For example, if the global BRI switch-type keyword basic-net3 is defined and the interface-level BRI switch-type keyword is basic-ni, the National ISDN switch type is the value applied to that BRI interface. Table 25 NSF Supported Services on AT&T Primary-4ESS Switches NSF Dialing Plan Data Voice International Software Defined Network (SDN)1 1. The dialing plan terminology in this table is defined and used by AT&T. Yes Yes Global SDN MEGACOMM No Yes Yes ACCUNET Yes Yes Yes Command Purpose Router(config)# isdn switch-type switch-type Applies a global ISDN switch type. Configuring ISDN PRI How to Configure ISDN PRI DC-271 Cisco IOS Dial Technologies Configuration Guide • The ISDN global switch type value is only propagated to the interface level on initial configuration or router reload. If you reconfigure the global ISDN switch type, the new value is not applied to subsequent interfaces. Therefore, if you require a new switch type for a specific interface, you must configure that interface with the desired ISDN switch type. • If an ISDN global switch type is not compatible with the interface type you are using or you change the global switch type and it is not propagated to the interface level, as a safety mechanism, the router will apply a default value to the interface level, as indicated in Table 26. If, for example, you reconfigure the router to use global switch type keyword basic-net3, the router will apply the primary-net5 ISDN switch type to PRI interfaces and the basic-net3 ISDN switch type to any BRI interfaces. You can override the default switch assignment by configuring a different ISDN switch type on the associated interface. Table 26 ISDN PRI and ISDN BRI Global Switch Type Keywords Global Switch Type PRI Interface BRI Interface primary-4ess primary-4ess basic-ni primary-5ess primary-5ess basic-ni primary-dms100 primary-dms100 basic-ni primary-net5 primary-net5 basic-net3 primary-ni primary-ni basic-ni primary-ntt primary-ntt basic-ntt primary-qsig primary-qsig basic-qsig primary-ts014 primary-ts014 basic-ts013 basic-1tr6 primary-net5 basic-1tr6 basic-5ess primary-ni basic-5ess basic-dms100 primary-ni basic-dms100 basic-net3 primary-net5 basic-net3 basic-ni primary-ni basic-ni basic-ntt primary-ntt basic-ntt basic-qsig primary-qsig basic-qsig basic-ts013 primary-ts014 basic-ts013 basic-vn3 primary-net5 basic-vn3 Configuring ISDN PRI How to Configure ISDN PRI DC-272 Cisco IOS Dial Technologies Configuration Guide Configuring B Channel Outgoing Call Order You can configure the router to select the first available B channel in ascending order (channel B1) or descending order (channel B23 for a T1 and channel B30 for an E1). To configure the optional task of selecting B channel order for outgoing calls for PRI interface types, use the following command in interface configuration mode: Before configuring the ISDN PRI on your router, check with your service vendor to determine if the ISDN trunk call selection is configured for ascending or descending order. If there is a mismatch between the router and switch with regard to channel availability, the switch will send back an error message stating the channel is not available. By default, the router will select outgoing calls in descending order. Performing Configuration Self-Tests To test the ISDN configuration, use the following EXEC commands as needed. Refer to the Cisco IOS Debug Command Reference for information about the debug commands. Command Purpose Router(config-if)# isdn bchan-number-order {ascending | descending} Enables B channel selection for outgoing calls on a PRI interface (optional). Command Purpose Router> show controllers t1 slot/port Checks Layer 1 (physical layer) of the PRI over T1. Router> show controllers e1 slot/port Checks Layer 1 (physical layer) of the PRI over E1. Router> show isdn status Checks the status of PRI channels. Router# debug q921 Checks Layer 2 (data link layer). Router# debug isdn events or Router# debug q931 or Router# debug dialer or Router> show dialer Checks Layer 3 (network layer). Configuring ISDN PRI Monitoring and Maintaining ISDN PRI Interfaces DC-273 Cisco IOS Dial Technologies Configuration Guide Monitoring and Maintaining ISDN PRI Interfaces To monitor and maintain ISDN interfaces, use the following EXEC commands as needed: How to Configure Robbed-Bit Signaling for Analog Calls over T1 Lines Some Cisco access servers support robbed-bit signaling for receiving and sending analog calls on T1 lines. Robbed-bit signaling emulates older analog trunk and line in-band signaling methods that are sent in many networks. Command Purpose Cisco 7500 series routers Router> show interfaces serial slot/port bchannel channel-number or Cisco 4000 series routers Router> show interfaces serial number bchannel channel-number Displays information about the physical attributes of the ISDN PRI over T1 B and D channels. Cisco 7500 series routers Router> show interfaces serial slot/port bchannel channel-number or Cisco 4000 series routers Router> show interfaces serial number bchannel channel-number Displays information about the physical attributes of the ISDN PRI over E1 B and D channels. Cisco 7500 series routers Router> show controllers t1 [slot/port] or Cisco 4000 series routers Router> show controllers t1 number Displays information about the T1 links supported on the ISDN PRI B and D channels. Cisco 7500 series routers Router> show controllers e1 [slot/port] or Cisco 4000 series routers Router> show controllers e1 number Displays information about the E1 links supported on the ISDN PRI B and D channels. Router> show isdn {active | history | memory | services | status [dsl | serial number] | timers} Displays information about current calls, history, memory, services, status of PRI channels, or Layer 2 or Layer 3 timers. (The service keyword is available for PRI only.) Router> show dialer [interface type number] Obtains general diagnostic information about the specified interface. Configuring ISDN PRI How to Configure Robbed-Bit Signaling for Analog Calls over T1 Lines DC-274 Cisco IOS Dial Technologies Configuration Guide In countries that support T1 framing (such as the United States and Canada), many networks send supervisory and signaling information to each other by removing the 8th bit of each time slot of the 6th and 12th frame for superframe (SF) framing. For networks supporting extended superframe (ESF) framing, the 6th, 12th, 18th, and 24th frames are affected. This additional signaling information is added to support channel banks in the network that convert various battery and ground operations on analog lines into signaling bits. Robbed-bit signaling configured on a Cisco access server enables integrated modems to answer and send analog calls. Robbed bits are forwarded over digital lines. To support analog signaling over T1 lines, robbed-bit signaling must be enabled. Note The signal type configured on the access server must match the signal type offered by your telco provider. Ask your telco provider which signal type to configure on each T1 controller. The Cisco access server has two controllers: controller T1 1 and controller T1 0, which must be configured individually. To configure robbed-bit signaling support for calls made and received, use the following commands beginning in global configuration mode: If you want to configure robbed-bit signaling on the other T1 controller, repeat Steps 1 through 7, making sure in Step 5 to select T1 controller line 1 as the secondary clock source. If you want to configure ISDN on the other controller, see the section “How to Configure ISDN PRI” in this chapter. If you want to configure channel groupings on the other controller, see the chapter “Configuring Synchronous Serial Ports” in this publication; specify the channel groupings when you specify the interface. See the section “Robbed-Bit Signaling Examples” at the end of this chapter for configuration examples. Command Purpose Step 1 Router(config)# controller t1 0 Enables the T1 0 controller and begins controller configuration mode. Step 2 Router(config-controller)# cablelength long dbgain-value dbloss-value If the channelized T1 line connects to a smart jack instead of a CSU, sets pulse equalization (use parameter values specified by your telco service provider). Step 3 Router(config-controller)# framing esf Sets the framing to match that of your telco service provider, which in most cases is esf. Step 4 Router(config-controller)# linecode b8zs Sets the line-code type to match that of your telco service provider, which in most cases is b8zs. Step 5 Router(config-controller)# clock source line primary Configures one T1 line to serve as the primary or most stable clock source line. Step 6 Router(config-controller)# cas-group channel-number timeslots range type signal Configures channels to accept voice calls. This step creates interfaces that you can configure. Step 7 Router(config-controller)# fdl {att | ansi} Sets the facilities data-link exchange standard for the CSU, as specified by your telco service provider. Configuring ISDN PRI How to Configure CAS DC-275 Cisco IOS Dial Technologies Configuration Guide How to Configure CAS The following sections describe how to configure channel-associated signaling in Cisco networking devices for both channelized E1 and T1 lines: • CAS on Channelized E1 • CAS on T1 Voice Channels CAS on Channelized E1 Cisco access servers and access routers support CAS for channelized E1 lines, which are commonly deployed in networks in Latin America, Asia, and Europe. CAS is configured to support channel banks in the network that convert various battery and ground operations on analog lines into signaling bits, which are forwarded over digital lines. CAS is call signaling that is configured on an E1 controller and enables the access server to send or receive analog calls. The signaling uses the16th channel (time slot); thus, CAS fits in the out-of-band signaling category. Once CAS is configured on a single E1 controller, remote users can simultaneously dial in to the Cisco device through networks running the R2 protocol (see specifications for your particular network device for the number of dialins supported). The R2 protocol is an international signaling standard for analog connections. Because R2 signaling is not supported in the Cisco access servers, an E1-to-E1 converter is required. Figure 40 illustrates that, because the Cisco access servers have more than one physical E1 port on the dual E1 PRI board, up to 60 simultaneous connections can be made through one dual E1 PRI board. Figure 40 Remote PC Accessing Network Resources Through the Cisco AS5000 Series Access Server Note For information on how to configure an Anadigicom E1-to-E1 converter, see to the documentation that came with the converter. Note The dual E1 PRI card must be installed in the Cisco access server before you can configure CAS. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information. S5960 Remote PC making an analog call Cisco AS5200 Modem EI-to-EI converter EI R2 EI E&M IP network Central office network using the R2 protocol Configuring ISDN PRI How to Configure CAS DC-276 Cisco IOS Dial Technologies Configuration Guide Configuring CAS for Analog Calls over E1 Lines To configure the E1 controllers in the Cisco access servers, use the following commands beginning in global configuration mode: If you do not specify the time slots, CAS is configured on all 30 B channels and one D channel on the specified controller. See the section “ISDN CAS Examples” for configuration examples. Configuring CAS on a Cisco Router Connected to a PBX or PSTN To define E1 channels for the CAS method by which the router connects to a PBX or PSTN, use the following commands beginning in global configuration mode: If you do not specify the time slots, channel-associated signaling is configured on all 30 B channels and one D channel on the specified controller. Command Purpose Step 1 Router(config)# controller e1 number Defines the controller location in the Cisco access server by unit number (choices for the number argument are 1 or 2) and begins controller configuration mode. Step 2 Router(config-controller)# cas-group channel-number timeslots range type signal Configures CAS and the R2 signaling protocol on a specified number of time slots. Step 3 Router(config-controller)# framing crc4 Defines the framing characteristics as CRC4. Step 4 Router(config-controller)# linecode hdb3 Defines the line code as HDB3. Step 5 Router(config-controller)# clock source line primary1 1. Specify the other E1 line as the secondary clock source using the clock source line secondary command. Specifies one E1 line to serve as the primary or most stable clock source line. Command Purpose Step 1 Router(config)# controller e1 slot/port Specifies the E1 controller that you want to configure with R2 signaling and begins controller configuration. Step 2 Router(config-controller)# ds0-group ds0-group-no timeslots timeslot-list type {e&m-immediate | e&m-delay | e&m-wink | fxs-ground-start | fxs-loop-start |fxo-ground-start | fxo-loop-start} Configures channel-associated signaling and the signaling protocol on a specified number of time slots. Step 3 Router(config-controller)# framing crc4 Defines the framing characteristics as cyclic redundancy check 4 (CRC4). Step 4 Router(config-controller)# linecode hdb3 Defines the line code as high-density bipolar 3 (HDB3). Step 5 Router(config-controller)# clock source line primary1 1. Specify the other E1 line as the secondary clock source using the clock source line secondary command. Specifies one E1 line to serve as the primary or most stable clock source line. Configuring ISDN PRI How to Configure CAS DC-277 Cisco IOS Dial Technologies Configuration Guide CAS on T1 Voice Channels Various types of CAS signaling are available in the T1 world. The most common forms of CAS signaling are loop-start, ground-start, and recEive and transMit (E&M). The biggest disadvantage of CAS signaling is its use of user bandwidth to perform signaling functions. CAS signaling is often referred to as robbed-bit-signaling because user bandwidth is being “robbed” by the network for other purposes. In addition to receiving and placing calls, CAS signaling also processes the receipt of DNIS and ANI information, which is used to support authentication and other functions. This configuration allows the Cisco access servers to provide the automatic number identification/dialed number identification service (ANI/DNIS) delimiter on incoming T1/CAS trunk lines. The digit collection logic in the call switching module (CSM) for incoming T1 CAS calls in dual tone multifrequency (DTMF) is modified to process the delimiters, the ANI digits, and the DNIS digits. As part of the configuration, a CAS signaling class with the template to process ANI/DNIS delimiters has to be defined. This creates a signaling class structure which can be referred to by its name. This feature is only functional in a T1 CAS configured for E&M-feature group b (wink start). E&M signaling is typically used for trunks. It is normally the only way that a central office (CO) switch can provide two-way dialing with direct inward dialing. In all the E&M protocols, off-hook is indicated by A=B=1, and on-hook is indicated by A=B=0. If dial pulse dialing is used, the A and B bits are pulsed to indicate the addressing digits. For this feature, here is an example of configuring for E&M-feature group b: ds0-group 1 timeslots 1-24 type e&m-fgb dtmf dnis In the original Wink Start protocol, the terminating side responds to an off-hook from the originating side with a short wink (transition from on-hook to off-hook and back again). This wink tells the originating side that the terminating side is ready to receive addressing digits. After receiving addressing digits, the terminating side then goes off-hook for the duration of the call. The originating endpoint maintains off-hook for the duration of the call. Configuring ANI/DNIS Delimiters for CAS Calls on CT1 To configure the signaling class and ANI/DNIS delimiters, use the following commands beginning in global configuration mode: To disable the delimiter, use the command no class under the cas-custom configuration. Command Purpose Step 1 Router(config)# signaling-class cas name Names the signaling class and begins interface configuration mode. Step 2 Router(config-if)# profile incoming template Defines the template to process the ANI/DNIS delimiter. Step 3 Router(config-if)# exit Return to global configuration mode. Step 4 Router(config)# controller t1 slot/port/number Enables this feature for a T1 controller and begins controller configuration mode. Step 5 Router(config-controller)# cas-custom channel Specifies a single channel group number. Step 6 Router(config-ctrl-cas)# class name Enables the ANI/DNIS delimiter feature by specifying the template. Configuring ISDN PRI How to Configure Switched 56K Digital Dial-In over Channelized T1 and Robbed-Bit Signaling DC-278 Cisco IOS Dial Technologies Configuration Guide To remove the signaling class, use the configuration command no signaling-class cas. When removing a signaling class, make sure the signaling class is no longer used by any controllers; otherwise, the following warning will be displayed: % Can’t delete, signaling class test is being used How to Configure Switched 56K Digital Dial-In over Channelized T1 and Robbed-Bit Signaling Internet service providers (ISPs) can provide switched 56-kbps access to their customers using a Cisco AS5000 series access server. Switched 56K digital dial-in enables many services for ISPs. When using traditional ISDN PRI, the access server uses the bearer capability to determine the type of service. However when providing switched 56K over a CT1 RBS connection, the digital signal level 0 (DS0s) in the access server can be configured to provide either modem or 56-kbps data service. The dial-in user can access a 56-kbps data connection using either an ISDN BRI connection or a 2- or 4-wire switched 56-kbps connection. The telco to which the access server connects must configure its switches to route 56-kbps data calls and voice (modem) calls to the appropriate DS0. Likewise, an enterprise can provide switched 56-kbps digital dial-in services to its full time telecommuters or small remote offices using ISDN PRI or a CT1 RBS connection. Switched 56K digital dial-in offers the following benefits: • Enables ISDN BRI clients to connect to a Cisco access server over switched 56K and T1 CAS. • Provides switched 56K dial-in services over T1 CAS to remote clients that do not have access to ISDN BRI, for example, a remote PC making digital calls over a 2- or 4-wire switched 56-kbps connection and a CSU. The following prerequisites apply to the Switched 56K Digital Dial-In feature: • The remote device could be an ISDN BRI end point such as a terminal adapter or BRI router. In this scenario, the CSU/DSU is irrelevant. For 2- or 4-wire switched 56K remote clients, the remote endpoint must be compatible with the service of the carrier. Different carriers may implement different versions of switched 56K end points. • A CSU/DSU must be present at the remote client side of the connection. Otherwise, switched 56K connections are not possible. The Cisco access servers have built-in CSU/DSUs. • The telco must configure its side of the T1 connection to deliver 56-kbps data calls to the correct range of DS0s. If you do not want to dedicate all the DS0s or time slots on a single T1 to switched 56K services, be sure to negotiate with the telco about which DS0s will support switched 56K and which DS0s will not. • Cisco IOS Release 11.3(2)T or later must be running on the access server. The following restrictions apply to Switched 56K digital dial-in: • A Cisco access server only supports incoming switched 56K calls. Dialing out with switched 56K is not supported at this time. • Switched 56K over E1 is not supported. Only switched 56K over T1 is supported. Configuring ISDN PRI How to Configure Switched 56K Digital Dial-In over Channelized T1 and Robbed-Bit Signaling DC-279 Cisco IOS Dial Technologies Configuration Guide • Analog modem calls are not supported over DS0s that are provisioned for switched 56K. For a configuration example, see the section “Switched 56K and Analog Modem Calls over Separate T1 CAS Lines Example” later in this chapter. • Certain types of T1 lines, such as loop start and ground start, might not support this service. Contact your telco vendor to determine if this feature is available. Switched 56K Scenarios The following scenarios are provided to show multiple applications for supporting switched 56K over T1 CAS: • Switched 56K and Analog Modem Calls into T1 CAS • Basic Call Processing Components • ISDN BRI Calls into T1 CAS Switched 56K and Analog Modem Calls into T1 CAS Figure 41 shows a sample network scenario using switched 56K. Two remote PCs are dialing in to the same Cisco access server to get access to the Internet. The desktop PC is making switched 56K digital calls through an external CSU/DSU. The laptop PC is making analog modem calls through a 28.8-kbps modem. The Cisco access server dynamically assigns IP addresses to each node and forwards data packets off to the switched 56K channels and onboard modems respectively. Figure 41 PCs Making Switched 56K and Analog Modem Calls into a Cisco AS5000 Series Access Server For the startup running configuration on the Cisco access server shown in Figure 41, see the section “Comprehensive Switched 56K Startup Configuration Example” later in this chapter. RADIUS security server ISP backbone providing 100BASE-T connections into the Internet PC running Windows 95 and making switched 56K digital calls into the Internet PC laptop making 28.8 modem calls into the Internet Switched 56K line External CSU/DSU 4 T1 lines 100BASE-T Cisco AS5300 Asynchronous modem line 10315 PSTN Internet Configuring ISDN PRI How to Configure Switched 56K Digital Dial-In over Channelized T1 and Robbed-Bit Signaling DC-280 Cisco IOS Dial Technologies Configuration Guide Basic Call Processing Components Figure 42 shows the basic components that process switched 56K calls and analog modem calls on board a Cisco access server. Switched 56K and modem calls are signaling using robbed-bit signaling. Digital switched 56K calls utilize logical serial interfaces just like in ISDN PRI. Modem calls utilize asynchronous interfaces, lines, and modems. Note The BRI terminal must originate its calls with a bearer capability of 56 kbps. Figure 42 Processing Components for Switched 56K Calls Versus Analog Modem Calls Note The Cisco IOS software does enable you to configure one T1 controller to support both switched 56K digital calls and analog modem calls. In this scenario, Figure 42 would show all calls coming into the access server through one T1 line and controller. However, you must negotiate with the telco which DS0s will support switched 56K services and which DS0s will not. On the access server, analog modem calls are not supported over DS0s that are provisioned for switched 56K. For an example software configuration, see the section “Mixture of Switched 56K and Modem Calls over CT1 CAS Example” at the end of this chapter. Serial interfaces SI:0-SI:23 Group-async Lines Modems Ethernet Laptop making analog modem calls to server PC making digital BRI calls with an internal terminal adapter BRI Access server at service provider POP, which is configured to support switched 56K calls and modem calls PC making switched 56K digital calls into access server T1 1 cas-group service data cas-group service voice Switched 56K over T1 CAS CSU/DSU WAN Analog modem over T1 CAS 10314 T1 0 Configuring ISDN PRI How to Configure Switched 56K Services DC-281 Cisco IOS Dial Technologies Configuration Guide ISDN BRI Calls into T1 CAS Figure 43 shows how switched 56K functionality can be used to forward ISDN BRI network traffic to a Cisco access server that is configured for switched 56K robbed-bit signaling over CT1. Note The BRI terminal must originate its calls with a bearer capability of 56 kbps. Figure 43 Remote PC Making BRI Digital Calls via Switched 56K to a Cisco AS5000 Series Access Server For a configuration example on the Cisco access server, see the section “Comprehensive Switched 56K Startup Configuration Example” at the end of this chapter. How to Configure Switched 56K Services This section describes how to configure switched 56K services on a Cisco access server. After the cas-group command is enabled for switched 56K services, a logical serial interface is automatically created for each 56K channel, which must also be configured. To configure an access server to support switched 56K digital calls, use the following commands beginning in global configuration mode: Enterprise LAN Windows NT server PC running Windows 95 and loaded with a BRI interface terminal adapter card PC telecommuter making analog modem calls into the enterprise BRI Switched 56K over CTI 100BASE-T Cisco AS5300 10316 PSTN Telco switch converting ISDN BRI and analog modem calls to robbed bit signaling UNIX mail server Command Purpose Step 1 Router(config)# controllers t1 number Specifies a T1 controller and begins controller configuration mode. Step 2 Router(config-controller)# framing {sf | esf} Sets the framing. Step 3 Router(config-controller)# linecode {ami | b8zs} Defines the line code. Configuring ISDN PRI How to Configure E1 R2 Signaling DC-282 Cisco IOS Dial Technologies Configuration Guide For configuration examples, see the section “Switched 56K Configuration Examples” later in this chapter. How to Configure E1 R2 Signaling R2 signaling is an international signaling standard that is common to channelized E1 networks. However, there is no single signaling standard for R2. The International Telecommunication Union Telecommunication Standardization Sector (ITU-T) Q.400-Q.490 recommendation defines R2, but a number of countries and geographic regions implement R2 in entirely different ways. Cisco addresses this challenge by supporting many localized implementations of R2 signaling in its Cisco IOS software. The following sections offer pertinent information about the E1 R2 signaling feature: • E1 R2 Signaling Overview • Configuring E1 R2 Signaling • Configuring E1 R2 Signaling for Voice • Monitoring E1 R2 Signaling • Verifying E1 R2 Signaling • Troubleshooting E1 R2 Signaling E1 R2 Signaling Overview R2 signaling is channelized E1 signaling used in Europe, Asia, and South America. It is equivalent to channelized T1 signaling in North America. There are two types of R2 signaling: line signaling and interregister signaling. R2 line signaling includes R2 digital, R2 analog, and R2 pulse. R2 interregister signaling includes R2 compelled, R2 noncompelled, and R2 semicompelled. These signaling types are configured using the cas-group command for Cisco access servers, and the ds0-group command for Cisco routers. Many countries and regions have their own E1 R2 variant specifications, which supplement the ITU-T Q.400-Q.490 recommendation for R2 signaling. Unique E1 R2 signaling parameters for specific countries and regions are set by entering the cas-custom channel command followed by the country name command. Step 4 Router(config-controller)# clock source {line {primary | secondary} | internal} Specifies the clocking. Step 5 Router(config-controller)# cas-group channel timeslots range type signal Configures robbed-bit signaling for a range of time slots. A logical serial interface is automatically created for each switched 56K channel. Step 6 Router(config-controller)# exit Exits controller configuration mode. Step 7 Router(config)# interface serial number:number Specifies logical serial interface, which was dynamically created when the cas-group command was issued, and configures the core protocol characteristics for the serial interface. Command Purpose Configuring ISDN PRI How to Configure E1 R2 Signaling DC-283 Cisco IOS Dial Technologies Configuration Guide The Cisco E1 R2 signaling default is ITU, which supports the following countries: Denmark, Finland, Germany, Russia (ITU variant), Hong Kong (ITU variant), and South Africa (ITU variant). The expression “ITU variant” means that there are multiple R2 signaling types in the specified country, but Cisco supports the ITU variant. Cisco also supports specific local variants of E1 R2 signaling in the following regions, countries, and corporations: Note Only MICA technologies modems support R2 functionality. Microcom modems do not support R2. The following are benefits of E1 R2 signaling: • R2 custom localization—R2 signaling is supported for a wide range of countries and geographical regions. Cisco is continually supporting new countries. • Broader deployment of dial access services—The flexibility of a high-density access server can be deployed in E1 networks. Cisco’s implementation of R2 signaling has DNIS support turned on by default. If you enable the ani option, the collection of DNIS information is still performed. Specifying the ani option does not disable DNIS collection. DNIS is the number being called. ANI is the number of the caller. For example, if you are configuring router A to call router B, then the DNIS number is assigned to router B, the ANI number is assigned to router A. ANI is similar to Caller ID. Figure 44 shows a sample network topology for using E1 R2 signaling with a Cisco AS5800. All four controllers on the access server are configured with R2 digital signaling. Additionally, localized R2 country settings are enabled on the access server. • Argentina • Laos1 • Australia • Malaysia • Bolivia1 • Malta1 • Brazil • New Zealand • Bulgaria1 • Paraguay • China • Peru • Colombia • Philippines • Costa Rica • Saudi Arabia • East Europe2 • Singapore • Ecuador ITU • South Africa (Panaftel variant) • Ecuador LME • Telmex corporation (Mexico) • Greece • Telnor corporation (Mexico) • Guatemala • Thailand • Hong Kong (uses the China variant) • Uruguay • Indonesia • Venezuela • Israel • Vietnam • Korea 1. Cisco 3620 and 3640 series routers only. 2. Includes Croatia, Russia, and Slovak Republic. Configuring ISDN PRI How to Configure E1 R2 Signaling DC-284 Cisco IOS Dial Technologies Configuration Guide Figure 44 Service Provider Using E1 R2 Signaling and a Cisco AS5800 Figure 45 shows a sample network topology for using E1 R2 signaling for voice transfers with a Cisco 2600, 3600, or 7200 series router. All the controllers on the router are configured with R2 digital signaling. Additionally, localized R2 country settings are enabled on the router. Figure 45 E1 R2 Connections for the Cisco 2600/3600/7200 Series Routers Configuration examples are supplied in the “Configuration Examples for Channelized E1 and Channelized T1” section at the end of this chapter. Service provider LAN PC running Windows 95 and making analog modem calls into the Cisco AS5800 4 CEI lines Fast Ethernet Cisco AS5800 loaded with 56k MICA modems 12950 PSTN 56k modem Telco switch Data network 42930 IP, ATM, or Frame Relay Network Router E1 R2 line PBX Configuring ISDN PRI How to Configure E1 R2 Signaling DC-285 Cisco IOS Dial Technologies Configuration Guide Configuring E1 R2 Signaling To configure support for E1 R2 signaling on the Cisco access servers, use the following commands beginning in global configuration mode: For an E1 R2 configuration example, see the section “E1 R2 Signaling Procedure.” Configuring E1 R2 Signaling for Voice To configure E1 R2 signaling on systems that will be configured for voice, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# controller e1 slot/port Specifies the E1 controller that you want to configure with R2 signaling and begins controller configuration mode. Step 2 Router(config-controller)# cas-group channel timeslots range type signal Replace the signal argument with any of the following choices under R2 analog, R2 digital, or R2 pulse: r2-analog [dtmf | r2-compelled [ani] | r2-non-compelled [ani] | r2-semi-compelled [ani]] or r2-digital [dtmf | r2-compelled [ani] | r2-non-compelled [ani] | r2-semi-compelled [ani]] or r2-pulse [dtmf | r2-compelled [ani] | r2-non-compelled [ani] | r2-semi-compelled [ani]] Configures R2 channel associated signaling on the E1 controller. For a complete description of the available R2 options, see the cas-group command. The R2 part of this command is defined by the signal argument in the cas-group command. Command Purpose Step 1 Router(config)# controller E1 slot/port Specifies the E1 controller that you want to configure with R2 signaling and begins controller configuration mode. Step 2 Router(config-controller)# ds0-group channel timeslots range type signal Replace the signal argument with any of the following choices under R2 analog, R2 digital, or R2 pulse: r2-analog [dtmf | r2-compelled [ani] | r2-non-compelled [ani] | r2-semi-compelled [ani]] or r2-digital [dtmf | r2-compelled [ani] | r2-non-compelled [ani] | r2-semi-compelled [ani]] or r2-pulse [dtmf | r2-compelled [ani] | r2-non-compelled [ani] | r2-semi-compelled [ani]] Configures R2 channel-associated signaling on the E1 controller. For a complete description of the available R2 options, see the ds0-group (controller e1) command reference page. Configuring ISDN PRI How to Configure E1 R2 Signaling DC-286 Cisco IOS Dial Technologies Configuration Guide Monitoring E1 R2 Signaling To monitor E1 R2 signaling, use the following commands in EXEC mode as needed: Step 3 Router(config-controller)# cas-custom channel Enters cas-custom mode. In this mode, you can localize E1 R2 signaling parameters, such as specific R2 country settings for Hong Kong. For the customization to take effect, the channel number used in the cas-custom command must match the channel number specified by the ds0-group command. Step 4 Router(config-ctrl-cas)# country name use-defaults Specifies the local country, region, or corporation specification to use with R2 signaling. Replaces the name variable with one of the supported country names. Cisco strongly recommends that you include the use-defaults option, which engages the default settings for a specific country. The default setting for all countries is ITU. See the cas-custom command reference page for the list of supported countries, regions, and corporation specifications. Step 5 • Router(config-ctrl-cas)# ani-digits • Router(config-ctrl-cas)# answer-signal • Router(config-ctrl-cas)# caller-digits • Router(config-ctrl-cas)# category • Router(config-ctrl-cas)# default • Router(config-ctrl-cas)# dnis-digits • Router(config-ctrl-cas)# invert-abcd • Router(config-ctrl-cas)# ka • Router(config-ctrl-cas)# kd • Router(config-ctrl-cas)# metering • Router(config-ctrl-cas)# nc-congestion • Router(config-ctrl-cas)# unused-abcd • Router(config-ctrl-cas)# request-category (Optional) Further customizes the R2 signaling parameters. Some switch types require you to fine tune your R2 settings. Do not tamper with these commands unless you fully understand your switch’s requirements. For nearly all network scenarios, the country name use-defaults command fully configures your country’s local settings. You should not need to perform Step 5. See the cas-custom command reference page for more information about each signaling command. Command Purpose Command Purpose Router> show controllers e1 or Router> show controllers e1 number Displays the status for all controllers or a specific controller. Be sure the status indicates the controller is up and there are no alarms or errors (lines 2, 4, 9, and 10, as shown immediately below in the “Monitoring E1 R2 Using the show controllers e1 Command” section). Router> show modem csm [slot/port| group number] Displays status for a specific modem, as shown below in the “Monitoring E1 R2 Signaling Using the show modem csm Command” section. Configuring ISDN PRI How to Configure E1 R2 Signaling DC-287 Cisco IOS Dial Technologies Configuration Guide Monitoring E1 R2 Using the show controllers e1 Command Router# show controllers e1 0 E1 0 is up. Applique type is Channelized E1 - balanced No alarms detected. Version info of Slot 0: HW: 2, Firmware: 4, PLD Rev: 2 Manufacture Cookie is not programmed. Framing is CRC4, Line Code is HDB3, Clock Source is Line Primary. Data in current interval (785 seconds elapsed): 0 Line Code Violations, 0 Path Code Violations 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs Total Data (last 13 15 minute intervals): 0 Line Code Violations, 0 Path Code Violations, 0 Slip Secs, 12 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins, 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 12 Unavail Secs Monitoring E1 R2 Signaling Using the show modem csm Command Router# show modem csm 1/0 MODEM_INFO: slot 1, port 0, unit 0, tone r2-compelled, modem_mask=0x0000, modem_port_offset=0 tty_hwidb=0x60E63E4C, modem_tty=0x60C16F04, oobp_info=0x00000000, modem_pool=0x60BC60CC modem_status(0x0002): VDEV_STATUS_ACTIVE_CALL. csm_state(0x0205)=CSM_IC5_CONNECTED, csm_event_proc=0x600CFF70, current call thru CAS line invalid_event_count=0, wdt_timeout_count=0 wdt_timestamp_started is not activated wait_for_dialing:False, wait_for_bchan:False pri_chnl=TDM_PRI_STREAM(s0, u3, c7), modem_chnl=TDM_MODEM_STREAM(s1, c0) dchan_idb_start_index=0, dchan_idb_index=0, call_id=0x0239, bchan_num=6 csm_event=CSM_EVENT_DSX0_CONNECTED, cause=0x0000 ring_no_answer=0, ic_failure=0, ic_complete=3 dial_failure=0, oc_failure=0, oc_complete=0 oc_busy=0, oc_no_dial_tone=0, oc_dial_timeout=0 remote_link_disc=2, stat_busyout=2, stat_modem_reset=0 oobp_failure=0 call_duration_started=00:04:56, call_duration_ended=00:00:00, total_call_duration=00:01:43 The calling party phone number = The called party phone number = 9993003 total_free_rbs_timeslot = 0, total_busy_rbs_timeslot = 0, total_dynamic_busy_rbs_timeslot = 0, total_static_busy_rbs_timeslot = 0, min_free_modem_threshold = 0 Verifying E1 R2 Signaling To verify the E1 R2 signaling configuration, enter the show controller e1 command to view the status for all controllers, or enter the show controller e1 slot/port command to view the status for a particular controller. Make sure that the status indicates that the controller is up (line 2 in the following example) and that no alarms (line 6 in the following example) or errors (lines 9, 10, and 11 in the following example) have been reported. Router# show controller E1 1/0 E1 1/0 is up. Applique type is Channelized E1 Cablelength is short 133 Configuring ISDN PRI How to Configure E1 R2 Signaling DC-288 Cisco IOS Dial Technologies Configuration Guide Description: E1 WIC card Alpha No alarms detected. Framing is CRC4, Line Code is HDB3, Clock Source is Line Primary. Data in current interval (1 seconds elapsed): 0 Line Code Violations, 0 Path Code Violations 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs Troubleshooting E1 R2 Signaling If a connection does not come up, check for the following: • Loose wires, splices, connectors, shorts, bridge taps, and grounds • Backward send and receive • Mismatched framing types (for example, CRC-4 versus no CRC-4) • Send and receive pair separation (crosstalk) • Faulty line cards or repeaters • Noisy lines (for example, power and crosstalk) If you see errors on the line or the line is going up and down, check the following: • Mismatched line codes (HDB3 versus AMI) • Receive level • Frame slips due to poor clocking plan If problems persist, enable the modem management Call Switching Module (CSM) debug mode, using the debug modem csm command, as shown immediately below in the “Debug E1 R1 Signaling Using the debug modem Command” section. Debug E1 R1 Signaling Using the debug modem Command Router# debug modem csm 1/0 *May 15 04:05:46.675: VDEV_ALLOCATE: slot 2 and port 39 is allocated. *May 15 04:05:46.675: CSM_RX_CAS_EVENT_FROM_NEAT:(04BF): EVENT_CALL_DIAL_IN at slot 2 and port 39 *May 15 04:05:46.675: CSM_PROC_IDLE: CSM_EVENT_DSX0_CALL at slot 2, port 39 *May 15 04:05:46.675: Mica Modem(2/39): Configure(0x0) *May 15 04:05:46.675: Mica Modem(2/39): Configure(0x3) *May 15 04:05:46.675: Mica Modem(2/39): Configure(0x6) *May 15 04:05:46.675: Mica Modem(2/39): Call Setup *May 15 04:05:46.891: Mica Modem(2/39): State Transition to Call Setup *May 15 04:05:46.891: Mica Modem(2/39): Went offhook *May 15 04:05:46.891: CSM_PROC_IC1_RING: CSM_EVENT_MODEM_OFFHOOK at slot 2, port 39 When the E1 controller comes up, you will see the following messages: %CONTROLLER-3-UPDOWN: Controller E1 0, changed state to up It also shows these messages for individual timeslots: %DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 1 is up %DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 2 is up %DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 3 is up %DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 4 is up %DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 5 is up Configuring ISDN PRI Enabling R1 Modified Signaling in Taiwan DC-289 Cisco IOS Dial Technologies Configuration Guide %DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 6 is up %DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 7 is up %DSX0-5-RBSLINEUP: RBS of controller 1 timeslot 8 is up Enabling R1 Modified Signaling in Taiwan Enabling R1 modified signaling allows a Cisco universal access server to communicate with central office trunks that also use R1 modified signaling. R1 modified signaling is an international signaling standard that is common to channelized T1/E1 networks. Cisco IOS Release 12.1 supports R1 modified signaling customized for Taiwan only. You can configure a channelized T1/E1 interface to support different types of R1 modified signaling, which is used in older analog telephone networks. This feature allows enterprises and service providers to fully interoperate with the installed Taiwanese telecommunications standards, providing interoperability in addition to the vast array of Cisco IOS troubleshooting and diagnostic capability. This feature will provide customers with a seamless, single-box solution for their Taiwan signaling requirements. Note This type of signaling is not the same as ITU R1 signaling; it is R1 signaling modified for Taiwan specifically. In the future, R1 modified signaling will be supported by the Cisco AS5800 access server, and will also be available in Turkey. The following restrictions are for the use of R1 modified signaling: • Because different line signaling uses different A/B/C/D bit definitions to represent the line state, you must understand the configuration of the T1/E1 trunk before configuring the CAS group. If the wrong type of provision is configured, the access server might interpret the wrong A/B/C/D bit definitions and behave erratically. • Cisco access servers (Cisco AS5300, and Cisco AS5800) with Microcom modems cannot support this feature. • You must know the configuration of the T1/E1 trunk before configuring the cas-group. If there is a trunk provisioning mismatch, performance problems may occur. R1 Modified Signaling Topology Figure 46 illustrates a service provider using R1 signaling with E1 and a Cisco AS5200 access server. The network topology would be the same for T1 or a Cisco AS5300 access server. Configuring ISDN PRI Enabling R1 Modified Signaling in Taiwan DC-290 Cisco IOS Dial Technologies Configuration Guide Figure 46 Service Provider Using E1 R1 Signaling with a Cisco AS5200 Access Server Figure 47 illustrates a service provider using R1 modified signaling with E1 and a Cisco AS5800 access server. Figure 47 Service Provider Using E1 R1 Modified Signaling with a Cisco AS5800 Access Server R1 Modified Signaling Configuration Task List This section describes how to enable R1 modified signaling on your Cisco access server on both a T1 and E1 interface. Before beginning the tasks in this section, check for the following hardware and software in your system: • Cisco AS 5200, Cisco AS5300, or Cisco AS5800 access server (without a Microcom modem) • Cisco IOS Release 12.1 or later software • MICA feature module • Portware Version 2.3.1.0 or later Service provider LAN PC running Windows 95 and making analog modem calls into the Cisco AS5200 2 CE1 lines 10BaseT Cisco AS5200 loaded with 56k MICA modems 10733 PSTN 56k modem Telco switch Data network Service provider LAN PC making analog modem calls into the Cisco AS5800 12 CEI lines 10BASE-T Cisco AS5800 72 modem MICA card per CE1 line 17692 PSTN 56K modem Telco switch Data network Configuring ISDN PRI Enabling R1 Modified Signaling in Taiwan DC-291 Cisco IOS Dial Technologies Configuration Guide For information on upgrading your Cisco IOS images, modem portware, or modem code, go to the following locations and then select your access server type (Cisco AS5200, Cisco AS5300, or Cisco AS5800) and port information: • On Cisco.com: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/ Or, follow this path: Cisco Product Documentation/Access Servers and Access Routers/Access Servers • On the Documentation CD-ROM: Cisco Product Documentation/Access Servers and Access Routers/Access Servers To configure R1 modified signaling, perform the tasks in the following sections, as required: • Configuring R1 Modified Signaling on a T1 Interface • Configuring R1 Modified Signaling on an E1 Interface Note The sample prompts and output are similar for the Cisco AS5200, Cisco AS5300 and Cisco AS5800 access servers. Configuring R1 Modified Signaling on a T1 Interface To configure R1 modified signaling on a T1 interface, use the following commands beginning global configuration mode: Command Purpose Step 1 Cisco AS5800 access server Router(config)# vty-async(config)# controller t1 shelf/slot/port Router(config)# vty-async(config-controller)# or Cisco AS5200 and AS5300 access servers Router(config)# vty-async(config)# controller t1 [0 | 1 | 2 | 3] Router(config)# vty-async(config-controller)# Specifies the T1 controller that you want to configure and begins controller configuration mode. Refer to the Cisco AS5800 Universal Access Server Software Installation and Configuration Guide for port details. The T1 controller ports are labeled 0 to 3 on the quad T1/PRI cards in the Cisco AS5200 and AS5300 access servers. Step 2 Router(config)# vty-async (config-controller)# framing {sf|esf} Entering framing sf configures framing to T1 with sf. Entering framing esf configures framing to T1 only. Step 3 Router(config)# vty-async (config-controller)# linecode {ami|b8zs} Entering linecode ami configures line code to AMI1 encoding. Entering linecode b8zs configures line code to b8zs encoding. Step 4 Router(config)# vty-async (config-controller)# clock source {internal | line [primary | secondary]} Entering clock source internal configures the clock source to the internal clock. Entering clock source line primary configures the clock source to the primary recovered clock. Entering clock source secondary configures the clock source to the secondary recovered clock. Configuring ISDN PRI Enabling R1 Modified Signaling in Taiwan DC-292 Cisco IOS Dial Technologies Configuration Guide Configuring R1 Modified Signaling on an E1 Interface To configure R1 modified signaling on an E1 interface, use the following commands beginning in global configuration mode: Step 5 Router(config)# vty-async(config-controller)# cas-group 1 timeslots 1-24 type {r1-modified {ani-dnis | dnis} | r1-itu {dnis}} Configures the time slots that belong to each E1 circuit for r1-modified or for r1-itu signaling.2 • The cas-group # ranges from 0 to 23 for CT1. • The timeslot # ranges from 1 to 24 for CT1. • For the type, each CAS group can be configured as one of the Robbed Bit Signaling provisions. • ani-dnis indicates R1 will collect ani and dnis information; dnis indicates R1 will collect only dnis information. Step 6 Router(config)# vty-async(config-if)# ^Z Router(config)# vty-async# %SYS-5-CONFIG_I: Configured from console by console Returns to enable mode by simultaneously pressing the Ctrl key and the z key. (This message returned is expected and does not indicate an error.) 1. AMI = alternate mark inversion. 2. For a more detailed description of the syntax and arguments of this command, refer to the Cisco IOS Dial Technologies Command Reference. Command Purpose Command Purpose Step 1 Cisco AS5800 access server Router(config)# controller e1 shelf/slot/port or Cisco AS5200 and AS5300 access servers Router(config)# controller e1 [0 | 1 | 2 | 3] Specifies the T1 controller that you want to configure and begins controller configuration mode. Refer to the Cisco AS5800 Universal Access Server Software Installation and Configuration Guide for port details. The T1 controller ports are labeled 0 to 3 on the quad T1/PRI cards in the Cisco AS5200 and AS5300 access servers. Step 2 Router (config-controller)# framing {crc4 | no-crc4} Entering framing crc4 configures framing to E1 with CRC.1 Entering framing no-crc4 configures framing to E1 only. Step 3 Router (config-controller)# linecode {ami | hdb3} Entering linecode ami configures line code to AMI2 encoding. Entering linecode hdb3 configures line code to HDB3 encoding. Step 4 Router (config-controller)# clock source {internal | line [primary | secondary]} Entering clock source internal configures the clock source to the internal clock. Entering clock source line primary configures the clock source to the primary recovered clock. Entering clock source secondary configures the clock source to the secondary recovered clock. Configuring ISDN PRI Enabling R1 Modified Signaling in Taiwan DC-293 Cisco IOS Dial Technologies Configuration Guide Troubleshooting Channelized E1 and T1 Channel Groups Each channelized T1 or channelized E1 channel group is treated as a separate serial interface. To troubleshoot channel groups, first verify configurations and check everything that is normally checked for serial interfaces. You can verify that the time slots and speed are correct for the channel group by checking for CRC errors and aborts on the incoming line. Note None of the Cisco channelized interfaces will react to any loop codes. To loop a channelized interface requires that the configuration command be entered manually. Two loopbacks are available for channel groups and are described in the following sections: • Interface Local Loopback • Interface Remote Loopback Interface Local Loopback Interface local loopback is a bidirectional loopback, which will loopback toward the router and toward the line. The entire set of time slots for the channel group is looped back. The service provider can use a BERT test set to test the link from the central office to your local router, or the remote router can test using pings to its local interface (which will go from the remote site, looped back at your local site, and return to the interface on the remote site). Step 5 Router(config-controller)# cas-group 1 timeslots 1-15, 17-31 type r1-modified {ani-dnis | dnis} Configures the time slots that belong to each E1 circuit for R1 modified signaling.4 • The cas-group number ranges from 0 to 30 for CE1. • The timeslot number ranges from 1 to 31 for CE1. • For the type, each CAS group can be configured as one of the robbed bit signaling provisions. • ani-dnis indicates R1 will collect ANI and DNIS information; dnis indicates R1 will collect only DNIS information. Step 6 Router(config-controller-cas)# cas-custom 1 (Optional) Enters the channel number to customize. Step 7 Router(config-controller-cas)# ^Z Router# %SYS-5-CONFIG_I: Configured from console by console Returns to enable mode by simultaneously pressing the Ctrl key and the Z key. This message is normal and does not indicate an error. 1. CRC = cyclic redundancy check. 2. AMI = alternate mark inversion. 3. HDB = high-density bipolar 3. 4. For a more detailed description of the syntax and arguments of this command, refer to the Cisco IOS Dial Technologies Command Reference. Command Purpose Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-294 Cisco IOS Dial Technologies Configuration Guide To place the serial interface (channel group) into local loopback, use the following command in interface configuration mode: Interface Remote Loopback Remote loopback is the ability to put the remote DDS CSU/DSU in loopback. It will work only with channel groups that have a single DS0 (1 time slot), and with equipment that works with a latched CSU loopback as specified in AT&T specification TR-TSY-000476, “OTGR Network Maintenance Access and Testing.” To place the serial interface (channel group) in remote loopback, use the following command in interface configuration mode: Using the loopback remote interface command sends a latched CSU loopback command to the remote CSU/DSU. The router must detect the response code, at which time the remote loopback is verified. Configuration Examples for Channelized E1 and Channelized T1 • ISDN PRI Examples • PRI Groups and Channel Groups on the Same Channelized T1 Controller Example • Robbed-Bit Signaling Examples • Switched 56K Configuration Examples • ISDN CAS Examples • E1 R2 Signaling Procedure • R1 Modified Signaling Using an E1 Interface Example • R1 Modified Signaling for Taiwan Configuration Example ISDN PRI Examples This section contains the following ISDN PRI examples: • Global ISDN, BRI, and PRI Switch Example • Global ISDN and Multiple BRI and PRI Switch Using TEI Negotiation Example • NSF Call-by-Call Support Example • PRI on a Cisco AS5000 Series Access Server Example • ISDN B-Channel Busyout Example • Multiple ISDN Switch Types Example • Outgoing B-Channel Ascending Call Order Example Command Purpose Router(config-if)# loopback local Places the serial interface (channel group) in local loopback. Command Purpose Router(config-if)# loopback remote interface Places the serial interface (channel group) in remote loopback. Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-295 Cisco IOS Dial Technologies Configuration Guide • Static TEI Configuration Example • Call Reject Configuration Examples • ISDN Cause Code Override and Guard Timer Example Global ISDN, BRI, and PRI Switch Example The following example shows BRI interface 0 configured for a NET3 ISDN switch type (basic-net3 keyword) that will override the National ISDN switch type configured globally. The PRI interface (channelized T1 controller) is configured for ISDN switch type Primary-Net5 and is applied only to the PRI. isdn switch-type basic-ni ! interface BRI0 isdn switch-type basic-net3 interface serial0:23 ! Apply the primary-net5 switch to this interface only. isdn switch-type primary-net5 Global ISDN and Multiple BRI and PRI Switch Using TEI Negotiation Example In the following example, the global ISDN switch type setting is NET3 ISDN (basic-net3 keyword) and the PRI interface (channelized T1 controller) is configured to use isdn switch-type primary-net5. BRI interface 0 is configured for isdn switch-type basic-ni and isdn tei first-call. TEI first-call negotiation configured on BRI interface 0 overrides the default value (isdn tei powerup). isdn switch-type basic-net ! interface serial0:23 isdn switch-type primary-net5 ip address 172.21.24.85 255.255.255.0 ! interface BRI0 isdn switch-type basic-ni isdn tei first-call NSF Call-by-Call Support Example The following example configures NSF, which is needed for an AT&T 4ESS switch when it is configured for call-by-call support. In call-by-call support, the PRI 4ESS switch expects some AT&T-specific information when placing outgoing ISDN PRI voice calls. The options are accunet, sdn, and megacom. This example shows both the controller and interface commands required to make the ISDN interface operational and the DDR commands, such as the dialer map, dialer-group, and map-class dialer commands, that are needed to configure the ISDN interface to make outgoing calls. ! The following lines configure the channelized T1 controller; all time slots are ! configured for ISDN PRI. ! controller t1 1/1 framing esf linecode b8zs pri-group timeslots 1-23 isdn switchtype primary-4ess ! Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-296 Cisco IOS Dial Technologies Configuration Guide ! The following lines configure the D channel for DDR. This configuration applies ! to all B channels on the ISDN PRI interface. interface serial 1/1:23 description Will mark outgoing calls from AT&T type calls. ip address 10.1.1.1 255.255.255.0 encapsulation ppp dialer map ip 10.1.1.2 name tommyjohn class sdnplan 14193460913 dialer map ip 10.1.1.3 name angus class megaplan 14182616900 dialer map ip 10.1.1.4 name angus class accuplan 14193453730 dialer-group 1 ppp authentication chap map-class dialer sdnplan dialer outgoing sdn map-class dialer megaplan dialer voice-call dialer outgoing mega map-class dialer accuplan dialer outgoing accu PRI on a Cisco AS5000 Series Access Server Example The following example configures ISDN PRI on the appropriate interfaces for IP dial-in on channelized T1: ! T1 PRI controller configuration controller T1 0 framing esf linecode b8zs clock source line primary pri-group timeslots 1-24 ! controller T1 1 framing esf linecode b8zs clock source line secondary pri-group timeslots 1-24 ! interface Serial0:23 isdn incoming-voice modem dialer rotary-group 1 ! interface Serial1:23 isdn incoming-voice modem dialer rotary-group 1 ! interface Loopback0 ip address 172.16.254.254 255.255.255.0 ! interface Ethernet0 ip address 172.16.1.1 255.255.255.0 ! interface Group-Async1 ip unnumbered Loopback0 ip tcp header-compression passive encapsulation ppp async mode interactive peer default ip address pool default Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-297 Cisco IOS Dial Technologies Configuration Guide dialer-group 1 ppp authentication chap pap default group-range 1 48 ! interface Dialer1 ip unnumbered Loopback0 encapsulation ppp peer default ip address pool default ip local pool default 172.16.254.1 172.16.254.48 dialer in-band dialer-group 1 dialer idle-timeout 3600 ppp multilink ppp authentication chap pap default The following example configures ISDN PRI on the appropriate interfaces for IP dial-in on channelized E1: ! E1 PRI controller configuration controller E1 0 framing crc4 linecode hdb3 clock source line primary pri-group timeslots 1-31 ! controller E1 1 framing crc4 linecode hdb3 clock source line secondary pri-group timeslots 1-31 interface serial0:15 isdn incoming-voice modem dialer rotary-group 1 ! interface serial1:15 isdn incoming-voice modem dialer rotary-group 1 ! interface loopback0 ip address 172.16.254.254 255.255.255.0 ! interface ethernet0 ip address 172.16.1.1 255.255.255.0 ! ! The following block of commands configures DDR for all the ISDN PRI interfaces ! configured above. The dialer-group and dialer rotary-group commands tie the ! interface configuration blocks to the DDR configuration. ! interface dialer1 ip unnumbered loopback0 encapsulation ppp peer default ip address pool default ip local pool default 172.16.254.1 172.16.254.60 dialer in-band dialer-group 1 dialer idle-timeout 3600 ppp multilink ppp authentication chap pap default Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-298 Cisco IOS Dial Technologies Configuration Guide ISDN B-Channel Busyout Example interface Serial0:23 ip address 172.16.0.0 192.168.0.0 no ip directed-broadcast encapsulation ppp no keepalive dialer idle-timeout 400 dialer load-threshold 1 either dialer-group 1 isdn switch-type primary-5ess isdn incoming-voice modem isdn snmp busyout b-channel no fair-queue no cdp enable Multiple ISDN Switch Types Example The following example configures ISDN switch type keyword primary-4ess on channelized T1 controller 0 and a switch type keyword primary-net5 for channelized T1 controller 1. controller t1 0 framing esf linecode b8zs isdn switchtype primary-4ess ! controller t1 1 framing esf linecode b8zs isdn switchtype primary-net5 The following example shows BRI interface 0 configured for switch type keyword basic-net3 (NET3 ISDN) that will override the global switch type keyword basic-ni (National ISDN). The PRI interface (channelized T1 controller), is configured for ISDN switch type keyword primary-net5 and is applied only to the PRI interface. isdn switch-type basic-ni ! interface BRI0 isdn switch-type basic-net3 interface serial0:23 ! Apply the primary-net5 switch to this interface only. isdn switch-type primary-net5 Outgoing B-Channel Ascending Call Order Example The following example configures the router to use global ISDN switch-type keyword primary-ni and configures the ISDN outgoing call channel selection to be made in ascending order: isdn switch-type primary-ni ! interface serial0:23 isdn bchan-number-order ascending Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-299 Cisco IOS Dial Technologies Configuration Guide Static TEI Configuration Example The following example shows a static TEI configuration: interface bri 0 isdn static-tei 1 Call Reject Configuration Examples The following example configures the network to accept incoming ISDN voice calls and reject data calls: interface Serial4:23 description Connected to V-Sys R2D2 no ip address isdn switch-type primary-5ess isdn incoming-voice modem isdn reject data no cdp enable end The following example sets cause code 21 to reject all incoming data calls: interface serial 2/0:23 isdn reject data isdn reject cause 21 ISDN Cause Code Override and Guard Timer Example The following example shows how to configure cause code override and the ISDN guard timer: interface Serial0:23 no ip address no ip directed-broadcast encapsulation ppp dialer rotary-group 0 isdn switch-type primary-5ess isdn incoming-voice modem isdn disconnect-cause 17 isdn guard-timer 3000 on-expiry accept isdn calling-number 8005551234 no fair-queue no cdp enable PRI Groups and Channel Groups on the Same Channelized T1 Controller Example The following example shows a channelized T1 controller configured for PRI groups and for channel groups. The pri-group command and the channel-group command cannot have overlapping time slots; note the correct time slot configuration in this example. controller t1 0 channel-group 0 timeslot 1-6 channel-group 1 timeslot 7 channel-group 2 timeslot 8 channel-group 3 timeslot 9-11 pri-group timeslot 12-24 The same type of configuration also applies to channelized E1. Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-300 Cisco IOS Dial Technologies Configuration Guide Robbed-Bit Signaling Examples This section provides sample configurations for the T1 controllers on the Cisco access server. You can configure the 24 channels of a channelized T1 to support ISDN PRI, robbed-bit signaling, channel grouping, or a combination of all three. The following samples are provided: • Allocating All Channels for Robbed-Bit Signaling Example • Mixing and Matching Channels—Robbed-Bit Signaling and Channel Grouping Allocating All Channels for Robbed-Bit Signaling Example The following example configures all 24 channels to support robbed-bit signaling feature group B on a Cisco access server: controller T1 0 cas-group 1 timeslots 1-24 type e&m-fgb Mixing and Matching Channels—Robbed-Bit Signaling and Channel Grouping The following example shows you how to configure all 24 channels to support a combination of ISDN PRI, robbed-bit signaling, and channel grouping. The range of time slots that you allocate must match the time slot allocations that your central office chooses to use. This is a rare configuration due to the complexity of aligning the correct range of time slots on both ends of the connection. The following configuration creates serial interfaces 0 to 9, which correspond to ISDN PRI time slots 1 to 10 (shown as serial 1:0 through serial 1:9). The serial line 1:23 is the D channel, which carries the analog signal bits that dial the phone number of the modem and determine if a modem is busy or available. The D channel is automatically created and assigned to time slot 24. controller T1 0 ! ISDN PRI is configured on time slots 1 through 10. pri-group timeslots 1-10 ! Channelized T1 data is transmitted over time slots 11 through 16. channel-group 11 timeslots 11-16 ! The channel-associated signal ear and mouth feature group B is configured on ! virtual signal group 17 for time slots 17 to 23, which are used for incoming ! and outgoing analog calls. cas-group 17 timeslots 17-23 type e&m-fgb There is no specific interface, such as the serial interface shown in the earlier examples, that corresponds to the time-slot range. Switched 56K Configuration Examples The following switched 56K configuration examples are provided: • Switched 56K T1 Controller Procedure • Mixture of Switched 56K and Modem Calls over CT1 CAS Example • Switched 56K and Analog Modem Calls over Separate T1 CAS Lines Example • Comprehensive Switched 56K Startup Configuration Example Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-301 Cisco IOS Dial Technologies Configuration Guide Switched 56K T1 Controller Procedure The following procedure shows how to configure one T1 controller on a Cisco access server to support switched 56K digital calls. The Cisco access server has four controllers, which are numbered 0 to 3. If you want all four T1 controllers to support switched 56K calls, then repeat this procedure on each controller. Step 1 Enter global configuration mode using the configure terminal command: Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Step 2 Specify a T1 controller with the controller t1 number command. Replace the number variable with a controller number from 0 to 3. Router(config)# controller t1 1 Step 3 Configure robbed-bit signaling on a range of time slots, then specify switched 56K digital services using the cas-group command. In this example, all calls coming into controller T1 1 are expected to be switched 56K data calls, not analog modem calls. Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb service data Note Be sure your signaling type matches the signaling type specified by the central office or telco on the other end. For a list of supported signaling types and how to collect DNIS, refer to the cas-group command description for the E1 controller card in the Cisco IOS Dial Technologies Command Reference, Release 12.2. Step 4 Set the framing for your network environment. You can choose ESF (enter framing esf) or SF (enter framing sf). Router(config-controller)# framing esf Step 5 Set the line-code type for your network environment. You can choose AMI encoding (enter linecode ami) or B8ZS encoding (enter linecode b8zs). Router(config-controller)# linecode b8zs Mixture of Switched 56K and Modem Calls over CT1 CAS Example The following example configures one T1 controller to accept incoming switched 56K digital calls and analog modem calls over the same T1 CAS line. Time slots 1 through 10 are provisioned by the telco to support switched 56K digital calls. Time slots 11 through 24 are provisioned to support analog modem calls. Due to the DS0s provisioning, it is impossible for analog modems calls to be sent over the DS0s that map to time slots 1 through 10. controller T1 0 cas-group 1 timeslots 1-10 type e&m-fgb service data cas-group 1 timeslots 11-24 type e&m-fgb service voice framing esf clock source line primary linecode b8zs exit Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-302 Cisco IOS Dial Technologies Configuration Guide Switched 56K and Analog Modem Calls over Separate T1 CAS Lines Example The following example configures one Cisco access server to accept 50 percent switched 56K digital calls and 50 percent analog modem calls. The controllers T1 0 and T1 1 are configured to support the switched 56K digital calls using the cas-group 1 timeslots 1-24 type e&m-fgb service digital command. Controllers T1 2 and T1 3 are configured to support analog modem calls. controller T1 0 cas-group 1 timeslots 1-24 type e&m-fgb service data framing esf clock source line primary linecode b8zs exit controller T1 1 cas-group 1 timeslots 1-24 type e&m-fgb service data framing esf clock source line secondary linecode b8zs exit controller T1 2 cas-group 1 timeslots 1-24 type e&m-fgb service voice framing esf clock source internal linecode b8zs exit controller T1 3 cas-group 1 timeslots 1-24 type e&m-fgb service voice framing esf clock source internal linecode b8zs exit copy running-config startup-config Comprehensive Switched 56K Startup Configuration Example The startup configuration in this section runs on the Cisco access server, as shown in Figure 41. This configuration is for an IP dial-in scenario with a mix of switched 56K calls and modem calls. Switched 56K digital calls come into controllers T1 0 and T1 1. Analog modem calls come into controllers T1 2 and T1 3. In this example, the switched 56K clients are single endpoints in a remote node configuration. If each switched 56K client were instead a router with a LAN behind it without port address translation (PAT) turned on, then a static address, subnet mask, and route must be configured for each remote endpoint. This configuration would best done through RADIUS. After a T1 time slot is configured with robbed-bit signaling using the cas-group command with the service data option, a logical serial interface is instantly created for each switched 56K channel. For example, signaling configured on all 24 time slots of controller T1 1 dynamically creates serial interfaces S0:0 through S0:23. You must then configure protocol support on each serial interface. No interface group command exists for serial interfaces, unlike asynchronous interfaces via the interface group-async command. Each serial interface must be individually configured. In most cases, the serial configurations will be identical. To streamline or shorten this configuration task, you might consider using a dialer interface, as shown in the following example. Note In the following example, only analog modem calls encounter the group asynchronous and line interfaces. Switched 56K calls encounter the logical serial interfaces and dialer interface. Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-303 Cisco IOS Dial Technologies Configuration Guide version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers ! hostname 5300 ! aaa new-model aaa authentication login default local aaa authentication login console enable aaa authentication login vty local aaa authentication login dialin radius aaa authentication ppp default local aaa authentication ppp dialin if-needed radius aaa authorization exec local radius aaa authorization network radius aaa accounting network start-stop radius aaa accounting exec start-stop radius ! enable secret cisco ! username admin password cisco async-bootp dns-server 10.1.3.1 10.1.3.2 ! ! ! Switched 56K calls come into controllers T1 0 and T1 1. Take note of the keywords ! ”service data” in the cas-group command. ! controller T1 0 framing esf clock source line primary linecode b8zs cas-group 0 timeslots 1-24 type e&m-fgb service data ! controller T1 1 framing esf clock source line secondary linecode b8zs cas-group 1 timeslots 1-24 type e&m-fgb service data ! ! Analog modem calls come into controllers T1 2 and T1 3. ! controller T1 2 framing esf clock source line internal linecode b8zs cas-group 2 timeslots 1-24 type e&m-fgb ! controller T1 3 framing esf clock source line internal linecode b8zs cas-group 3 timeslots 1-24 type e&m-fgb ! interface loopback0 ip address 10.1.2.62 255.255.255.192 ! interface Ethernet0 no ip address shutdown ! Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-304 Cisco IOS Dial Technologies Configuration Guide interface FastEthernet0 ip address 10.1.1.11 255.255.255.0 ip summary address eigrp 10.10.1.2.0 255.255.255.192 ! ! Interface serial0:0 maps to the first switched 56K channel. The dialer pool-member ! command connects this channel to dialer interface 1. ! interface Serial0:0 dialer rotary-group 1 ! interface Serial0:1 dialer rotary-group 1 ! interface Serial0:2 dialer rotary-group 1 ! interface Serial0:3 dialer rotary-group 1 ! interface Serial0:4 dialer rotary-group 1 ! interface Serial0:5 dialer rotary-group 1 ! interface Serial0:6 dialer rotary-group 1 ! interface Serial0:7 dialer rotary-group 1 ! interface Serial0:8 dialer rotary-group 1 ! interface Serial0:9 dialer rotary-group 1 ! interface Serial0:10 dialer rotary-group 1 ! interface Serial0:11 dialer rotary-group 1 ! interface Serial0:12 dialer rotary-group 1 ! interface Serial0:13 dialer rotary-group 1 ! interface Serial0:14 dialer rotary-group 1 ! interface Serial0:15 dialer rotary-group 1 ! interface Serial0:16 dialer rotary-group 1 ! interface Serial0:17 dialer rotary-group 1 ! interface Serial0:18 dialer rotary-group 1 ! Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-305 Cisco IOS Dial Technologies Configuration Guide interface Serial0:19 dialer rotary-group 1 ! interface Serial0:20 dialer rotary-group 1 ! interface Serial0:21 dialer rotary-group 1 ! interface Serial0:22 dialer rotary-group 1 ! ! Interface serial 0:23 is the last switched 56K channel for controller T1 0. ! interface Serial0:23 dialer rotary-group 1 ! ! The switched 56K channels for controller T1 1 begin with interface serial 1:0 and end ! with interface serial 1:23. ! interface Serial1:0 dialer rotary-group 1 ! interface Serial1:1 dialer rotary-group 1 ! interface Serial1:2 dialer rotary-group 1 ! interface Serial1:3 dialer rotary-group 1 ! interface Serial1:4 dialer rotary-group 1 ! interface Serial1:5 dialer rotary-group 1 ! interface Serial1:6 dialer rotary-group 1 ! interface Serial1:7 dialer rotary-group 1 ! interface Serial1:8 dialer rotary-group 1 ! interface Serial1:9 dialer rotary-group 1 ! interface Serial1:10 dialer rotary-group 1 ! interface Serial1:11 dialer rotary-group 1 ! interface Serial1:12 dialer rotary-group 1 ! interface Serial1:13 dialer rotary-group 1 ! interface Serial1:14 dialer rotary-group 1 Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-306 Cisco IOS Dial Technologies Configuration Guide ! interface Serial1:15 dialer rotary-group 1 ! interface Serial1:16 dialer rotary-group 1 ! interface Serial1:17 dialer rotary-group 1 ! interface Serial1:18 dialer rotary-group 1 ! interface Serial1:19 dialer rotary-group 1 ! interface Serial1:20 dialer rotary-group 1 ! interface Serial1:21 dialer rotary-group 1 ! interface Serial1:22 dialer rotary-group 1 ! interface Serial1:23 dialer rotary-group 1 ! interface Group-Async1 ip unnumbered Loopback0 encapsulation ppp async mode interactive peer default ip address pool dialin_pool no cdp enable ppp authentication chap pap dialin group-range 1 96 ! interface Dialer1 ip unnumbered Loopback0 no ip mroute-cache encapsulation ppp peer default ip address pool dialin_pool no fair-queue no cdp enable ppp authentication chap pap dialin ! router eigrp 10 network 10.0.0.0 passive-interface Dialer0 no auto-summary ! ip local pool dialin_pool 10.1.2.1 10.1.2.96 ip default-gateway 10.1.1.1 ip classless ! dialer-list 1 protocol ip permit radius-server host 10.1.1.23 auth-port 1645 acct-port 1646 radius-server host 10.1.1.24 auth-port 1645 acct-port 1646 radius-server key cisco ! line con 0 login authentication console line 1 96 autoselect ppp Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-307 Cisco IOS Dial Technologies Configuration Guide autoselect during-login login authentication dialin modem DialIn line aux 0 login authentication console line vty 0 4 login authentication vty transport input telnet rlogin ! end ISDN CAS Examples This section provides channelized E1 sample configurations for the Cisco access server. You can configure the 30 available channels with CAS, channel grouping, or a combination of the two. The following examples are provided: • Allocating All Channels for CAS Example • Mixing and Matching Channels—CAS and Channel Grouping Example Allocating All Channels for CAS Example The following interactive example configures channels (also known as time slots) 1 to 30 with ear and mouth channel signaling and feature group B support on a Cisco access server; it also shows that the router displays informative messages about each time slot. signaling messages are sent in the 16th time slot; therefore, that time slot is not brought up. Router# %SYS-5-CONFIG_I: Configured from console by console Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# controller e1 0 Router(config-controller)# cas-group 1 timeslots 1-31 type e&m-fgb Router(config-controller)# %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 1 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 2 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 3 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 4 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 5 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 6 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 7 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 8 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 9 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 10 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 11 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 12 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 13 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 14 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 15 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 17 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 18 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 19 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 20 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 21 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 22 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 23 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 24 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 25 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 26 is up Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-308 Cisco IOS Dial Technologies Configuration Guide %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 27 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 28 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 29 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 30 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 31 is up Mixing and Matching Channels—CAS and Channel Grouping Example The following interactive example shows you how to configure an E1 controller to support a combination of CAS and channel grouping. The range of time slots that you allocate must match the time slot allocations that your central office chooses to use. This configuration is rare because of the complexity of aligning the correct range of time slots on both ends of the connection. Time slots 1 through 15 are assigned to channel group 1. In turn, these time slots are assigned to serial interface 0 and virtual channel group 1 (shown as serial 0:1). Router(config)# controller e1 0 Router(config-controller)# channel-group 1 timeslots 1-15 Router(config-controller)# %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0:1, changed state to down %LINK-3-UPDOWN: Interface Serial0:1, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0:1, changed state to up Time slots 17 to 31 are configured with CAS: Router(config-controller)# cas-group 2 timeslots 17-31 type e&m-fgb %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0:1, changed state to down Router(config-controller)# %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 17 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 18 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 19 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 20 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 21 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 22 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 23 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 24 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 25 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 26 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 27 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 28 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 29 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 30 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 31 is up Router(config-controller)# E1 R2 Signaling Procedure The following procedure configures R2 signaling and customizes R2 parameters on controller E1 2 of a Cisco AS5300 access server. In most cases, the same R2 signaling type is configured on each E1 controller. Step 1 Enter global configuration mode using the configure terminal command: Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-309 Cisco IOS Dial Technologies Configuration Guide Step 2 Specify the E1 controller that you want to configure with R2 signaling using the controller e1 number global configuration command. A controller informs the access server how to distribute or provision individual time slots for a connected channelized E1 line. You must configure one E1 controller for each E1 line. Router(config)# controller e1 2 Step 3 Configure CAS with the cas-group channel timeslots range type signal command. The signaling type forwarded by the connecting telco switch must match the signaling configured on the Cisco AS5300 access server. The Cisco IOS configuration options are r2-analog, r2-digital, or r2-pulse. Router(config-controller)# cas-group 1 timeslots 1-31 type ? e&m-fgb E & M Type II FGB e&m-fgd E & M Type II FGD e&m-immediate-start E & M Immediate Start fxs-ground-start FXS Ground Start fxs-loop-start FXS Loop Start p7 P7 Switch r2-analog R2 ITU Q411 r2-digital R2 ITU Q421 r2-pulse R2 ITU Supplement 7 sas-ground-start SAS Ground Start sas-loop-start SAS Loop Start The following example specifies R2 ITU Q421 digital line signaling (r2-digital). This example also specifies R2 compelled register signaling and provisions the ANI ADDR option. Router(config-controller)# cas-group 1 timeslots 1-31 type r2-digital r2-compelled ani Router(config-controller)# %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 1 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 2 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 3 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 4 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 5 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 6 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 7 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 8 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 9 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 10 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 11 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 12 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 13 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 14 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 15 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 17 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 18 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 19 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 20 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 21 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 22 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 23 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 24 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 25 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 26 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 27 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 28 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 29 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 30 is up %DSX0-5-RBSLINEUP: RBS of controller 0 timeslot 31 is up Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-310 Cisco IOS Dial Technologies Configuration Guide Note The actual R2 CAS is configured on the 16th time slot, which is why the time slot does not come up in the example output. For a description of the supported R2 signaling options, refer to the cas-group command for the E1 controller in the Cisco IOS Dial Technologies Command Reference. Step 4 Customize some of the E1 R2 signaling parameters with the cas-custom channel controller configuration command. This example specifies the default R2 settings for Argentina. For custom options, refer to the cas-custom command in the Cisco IOS Dial Technologies Command Reference. Router(config-controller)# cas-custom 1 Router(config-ctrl-cas)# ? CAS custom commands: ani-digits Expected number of ANI digits answer-signal Answer signal to be used caller-digits Digits to be collected before requesting CallerID category Category signal country Country Name default Set a command to its defaults dnis-digits Expected number of DNIS digits exit Exit from cas custom mode invert-abcd invert the ABCD bits before tx and after rx ka KA Signal kd KD Signal metering R2 network is sending metering signal nc-congestion Non Compelled Congestion signal no Negate a command or set its defaults request-category DNIS digits to be collected before requesting category unused-abcd Unused ABCD bit values Router(config-ctrl-cas)# country ? argentina Argentina australia Australia brazil Brazil china China colombia Colombia . . . Router(config-ctrl-cas)# country argentina ? use-defaults Use Country defaults Router(config-ctrl-cas)# country argentina use-defaults Note We highly recommend that you specify the default settings of your country. To display a list of supported countries, enter the country? command. The default setting for all countries is ITU. Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-311 Cisco IOS Dial Technologies Configuration Guide R1 Modified Signaling Using an E1 Interface Example The following example shows a configuration sample for R1 modified signaling on a Cisco access sever, using an E1 interface: version xx.x service timestamps debug datetime msec no service password-encryption ! hostname router ! enable secret 5 $1$YAaG$L0jTcQ.nMH.gpFYXaOU5c. ! no modem fast-answer ip host dirt 10.255.254.254 ip multicast rpf-check-interval 0 isdn switch-type primary-dms100 ! ! controller E1 0 clock source line primary cas-group 1 timeslots 1-15,17-31 type r1-modified ani-dnis ! controller E1 1 clock source line secondary cas-group 1 timeslots 1-15,17-31 type r1-modified ani-dnis ! controller E1 2 clock source internal ! controller E1 3 clock source internal ! interface Ethernet0 ip address 10.19.36.7 255.255.0.0 no ip mroute-cache ! interface FastEthernet0 no ip address no ip route-cache no ip mroute-cache shutdown ! interface Group-Async1 ip unnumbered Ethernet0 encapsulation ppp dialer in-band dialer idle-timeout 480 dialer-group 1 async dynamic address async mode interactive peer default ip address pool DYNAMIC no fair-queue no cdp enable group-range 1 108 ! router igrp 200 network 10.0.0.0 network 192.168.254.0 ! no ip classless ip route 0.0.0.0 0.0.0.0 Ethernet0 logging source-interface Ethernet0 Configuring ISDN PRI Configuration Examples for Channelized E1 and Channelized T1 DC-312 Cisco IOS Dial Technologies Configuration Guide ! line con 0 exec-timeout 0 0 line 1 108 exec-timeout 0 0 modem InOut transport input all line aux 0 line vty 0 4 ! end R1 Modified Signaling for Taiwan Configuration Example The following example shows how to configure R1 modified signaling for Taiwan: service timestamps debug datetime msec no service password-encryption ! hostname router ! enable secret 5 $1$YAaG$L0jTcQ.nMH.gpFYXaOU5c. ! no modem fast-answer ip host dirt 192.168.254.254 ip multicast rpf-check-interval 0 isdn switch-type primary-dms100 ! ! controller T1 1/1/0 framing esf linecode b8zs cablelength short 133 pri-group timeslots 1-24 fdl att ! controller T1 1/1/1 framing esf linecode b8zs cablelength short 133 cas-group 1 timeslots 1-24 type r1-modified fdl att ! controller T1 1/1/2 framing esf linecode b8zs cablelength short 133 pri-group timeslots 1-24 fdl att ! controller T1 1/1/3 framing esf linecode b8zs cablelength short 133 pri-group timeslots 1-24 fdl att ! DC-313 Cisco IOS Dial Technologies Configuration Guide Configuring ISDN Special Signaling This chapter describes features that either depend on special signaling services offered by an ISDN network service provider or overcome an inability to deliver certain signals. It describes these features in the following main sections: • How to Configure ISDN Special Signaling • Troubleshooting ISDN Special Signaling • Configuration Examples for ISDN Special Signaling For an overview of ISDN PRI, see the section “ISDN Service” in the “Overview of Dial Interfaces, Controllers, and Lines” chapter, and the section “ISDN Overview” in the “Configuring ISDN BRI” chapter. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the ISDN signaling commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. How to Configure ISDN Special Signaling To configure special signaling features of ISDN, perform the tasks in the following sections; all tasks are optional: • Configuring ISDN AOC (Optional) • Configuring NFAS on PRI Groups (Optional) • Enabling an ISDN PRI to Take PIAFS Calls on MICA Modems (Optional) • Configuring Automatic Detection of Encapsulation Type (Optional) • Configuring Encapsulation for Combinet Compatibility (Optional) See the section “Configuration Examples for ISDN Special Signaling” at the end of this chapter for examples of these signaling features. See the “Troubleshooting ISDN Special Signaling” section later in this chapter for help in troubleshooting ISDN signaling features. Configuring ISDN Special Signaling How to Configure ISDN Special Signaling DC-314 Cisco IOS Dial Technologies Configuration Guide Configuring ISDN AOC ISDN Advice of Charge (AOC) allows users to obtain charging information for all calls during the call (AOC-D) or at the end of the call (AOC-E) or both. Users must have subscribed through their local ISDN network to receive the AOC information from the switch. No router configuration changes are required to retrieve this call charging information. The ISDN AOC feature also supports, for the AOC-D service, an optional configurable short-hold mode that provides a dynamic idle timeout by measuring the call charging period, based on the frequency of the AOC-D or the AOC-E message from the network. The short-hold mode allows users to track call costs and to control and possibly reduce tariff charges. The short-hold mode idle time will do the following: • Disconnect a call just before the beginning of a new charging period if the call has been idle for at least the configured minimum idle time. • Maintain the call to the end of the current charging period past the configured idle timeout if the time left in the charging period is longer. Incoming calls are disconnected using the static dialer idle timeout value. The AOC-D and AOC-E messages are part of the Facility Information Element (IE) message. Its contents can be verified with the debug q931 command. Call accounting information from AOC-D and AOC-E messages is stored in Simple Network Management Protocol (SNMP) MIB objects. ISDN AOC is provided for ISDN PRI NET5 and ISDN BRI NET3 switch types only. AOC information at call setup is not supported. Configuring Short-Hold Mode No configuration is required to enable ISDN AOC. However, you can configure the optional short-hold minimum idle timeout period for outgoing calls; the default minimum idle timeout is 120 seconds. If the short-hold option is not configured, the router default is to use the static dialer idle timeout. If the short-hold idle timeout has been configured but no charging information is available from the network, the static dialer idle timeout applies. To configure an ISDN interface and provide the AOC short-hold mode option on an ISDN interface, perform the following steps: Step 1 Configure the ISDN BRI or PRI interface, as described in the chapter “Configuring ISDN BRI” or the section “How to Configure ISDN PRI” in the chapter “Configuring ISDN PRI” later in this publication, using the relevant keyword in the isdn switch-type command: • BRI interface—basic-net3 • PRI interface—primary-net5 Step 2 Configure dialer profiles or legacy dial-on-demand routing (DDR) for outgoing calls, as described in the chapters in the “Dial-on-Demand Routing” part of this publication, making sure to do the following: • Configure the static line-idle timeout to be used for incoming calls. • For each destination, use the dialer map command with the class keyword (legacy DDR) or a dialer string class command (dialer profiles) to identify the dialer map class to be used for outgoing calls to the destination. Configuring ISDN Special Signaling How to Configure ISDN Special Signaling DC-315 Cisco IOS Dial Technologies Configuration Guide Step 3 Configure each specified dialer map class, providing a dialer idle timeout, or ISDN short-hold timeout, or both for outgoing calls, as described in this chapter. To configure a dialer map class with timers, use the following commands beginning in global configuration mode: Monitoring ISDN AOC Call Information To monitor ISDN AOC call information, use the following command in EXEC mode: Configuring NFAS on PRI Groups ISDN Non-Facility Associated Signaling (NFAS) allows a single D channel to control multiple PRI interfaces. A backup D channel can also be configured for use when the primary NFAS D channel fails. Use of a single D channel to control multiple PRI interfaces can free one B channel on each interface to carry other traffic. Any hard failure causes a switchover to the backup D channel and currently connected calls remain connected. Once the channelized T1 controllers are configured for ISDN PRI, only the NFAS primary D channel must be configured; its configuration is distributed to all the members of the associated NFAS group. Command Purpose Step 1 Router(config)# map-class dialer classname Specifies the dialer map class and begins map class configuration mode. Step 2 Router(config-map-class)# dialer idle-timeout seconds (Optional) Specifies a static idle timeout for the map class to override the static line-idle timeout configured on the BRI interface. Step 3 Router(config-map-class)# dialer isdn short-hold seconds Specifies a dialer ISDN short-hold timeout for the map class. Command Purpose Router> show isdn {active [dsl | serial-number] | history [dsl | serial-number ] | memory | nfas group group-number | service [dsl | serial-number] | status [dsl | serial-number] | timers [dsl | serial-number]} Displays information about active calls, call history, memory, nfas group, service or status of PRI channels, or Layer 2 or Layer 3 timers. The history keyword displays AOC charging time units used during the call and indicates whether the AOC information is provided during calls or at the end of calls. (The service keyword is available for PRI only.) Configuring ISDN Special Signaling How to Configure ISDN Special Signaling DC-316 Cisco IOS Dial Technologies Configuration Guide ISDN NFAS Prerequisites NFAS is only supported with a channelized T1 controller. Table 27 shows the Cisco IOS keywords for the ISDN switch types and lists whether NFAS is supported. Note On the Nortel (Northern Telecom) DMS-100 switch, when a single D channel is shared, multiple PRI interfaces may be configured in a single trunk group. The additional use of alternate route indexing, which is a feature of the DMS-100 switch, provides a rotary from one trunk group to another. This feature enables the capability of building large trunk groups in a public switched network. The ISDN switch must be provisioned for NFAS. The primary and backup D channels should be configured on separate T1 controllers. The primary, backup, and B-channel members on the respective controllers should be the same as that configured on the router and ISDN switch. The interface ID assigned to the controllers must match that of the ISDN switch. ISDN NFAS Configuration Task List To configure NFAS on channelized T1 controllers configured for ISDN, perform the tasks in the following section: Configuring NFAS on PRI Groups (required). You can also disable a channel or interface, if necessary, and monitor NFAS groups and ISDN service. To do so, perform the tasks in the following sections: • Configuring NTT PRI NFAS (Optional) • Disabling a Channel or Interface (Optional) • Monitoring NFAS Groups (Optional) • Monitoring ISDN Service (Optional) See the section “NFAS Primary and Backup D Channels” later in this chapter for ISDN, NFAS, and DDR configuration examples. Configuring NFAS on PRI Groups This section documents tasks used to configure NFAS with D channel backup. When configuring NFAS, you use an extended version of the ISDN pri-group command to specify the following values for the associated channelized T1 controllers configured for ISDN: • The range of PRI time slots to be under the control of the D channel (time slot 24). Table 27 ISDN Switch Types and NFAS Support Switch Type Keyword NFAS Support Lucent 4ESS Custom NFAS primary-4ess Yes Lucent 5ESS Custom NFAS primary-5ess No (use National) Nortel DMS Custom NFAS primary-dms Yes NTT Custom NFAS primary-ntt Yes National primary-ni Yes Other switch types — No (use National) Configuring ISDN Special Signaling How to Configure ISDN Special Signaling DC-317 Cisco IOS Dial Technologies Configuration Guide • The function to be performed by time slot 24 (primary D channel, backup, or none); the latter specifies its use as a B channel. • The group identifier number for the interface under control of the D channel. To configure ISDN NFAS, use the following commands in controller configuration mode: For an example of configuring three T1 controllers for the NFAS primary D channel, the backup D channel, and 24 B channels, along with the DDR configuration for the PRI interface, see the section “NFAS Primary and Backup D Channels” at the end of this chapter. When a backup NFAS D channel is configured and the primary NFAS D channel fails, rollover to the backup D channel is automatic and all connected calls stay connected. If the primary NFAS D channel recovers, the backup NFAS D channel remains active and does not switch over again unless the backup NFAS D channel fails. Configuring NTT PRI NFAS Addition of the NTT switch type to the NFAS feature allows its use in geographic areas where NTT switches are available. This feature provides use of a single D channel to control multiple PRI interfaces, and can free one B channel on each interface to carry other traffic. To configure NTT PRI NFAS, use the procedure described in the “Configuring NFAS on PRI Groups” section. Specify a primary-ntt switch type. Note You cannot configure a backup D channel for the NTT PRI NFAS feature; it does not support D channel backup. Verifying NTT PRI NFAS Step 1 Enter the show isdn status command to learn whether the ISDN PRI switch type was configured correctly: Router# show isdn status serial 0:23 Global ISDN Switchtype = primary-ntt ISDN Serial0:23 interface Step 2 Enter the show isdn nfas group command to display information about members of an NFAS group: Router# show isdn nfas group 1 ISDN NFAS GROUP 1 ENTRIES: Command Purpose Step 1 Router(config-controller)# pri-group timeslots 1-24 nfas_d primary nfas_interface number nfas_group number On one channelized T1 controller, configures the NFAS primary D channel. Step 2 Router(config-controller)# pri-group timeslots 1-24 nfas_d backup nfas_interface number nfas_group number On a different channelized T1 controller, configures the NFAS backup D channel to be used if the primary D channel fails. Step 3 Router(config-controller)# pri-group timeslots 1-24 nfas_d none nfas_interface number nfas_group number (Optional) On other channelized T1 controllers, configures a 24-B-channel interface, if desired. Configuring ISDN Special Signaling How to Configure ISDN Special Signaling DC-318 Cisco IOS Dial Technologies Configuration Guide The primary D is Serial1/0:23. The NFAS member is Serial2/0:23. There are 3 total nfas members. There are 93 total available B channels. The primary D-channel is DSL 0 in state INITIALIZED. The current active layer 2 DSL is 0. Step 3 Enter the show isdn service command to display information about ISDN channels and the service states: Router# show isdn service PRI Channel Statistics: ISDN Se1/0:23, Channel (1-24) Configured Isdn Interface (dsl) 0 State (0=Idle 1=Propose 2=Busy 3=Reserved 4=Restart 5=Maint) 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3 Channel (1-24) Service (0=Inservice 1=Maint 2=Outofservice) 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ISDN Se1/1:23, Channel (1-24) Configured Isdn Interface (dsl) 1 State (0=Idle 1=Propose 2=Busy 3=Reserved 4=Restart 5=Maint) 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Channel (1-24) Service (0=Inservice 1=Maint 2=Outofservice) 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ISDN Se2/0:23, Channel (1-24) Configured Isdn Interface (dsl) 2 State (0=Idle 1=Propose 2=Busy 3=Reserved 4=Restart 5=Maint) 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Channel (1-24) Service (0=Inservice 1=Maint 2=Outofservice) 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Disabling a Channel or Interface You can disable a specified channel or an entire PRI interface, thus taking it out of service or placing it into one of the other states that is passed in to the switch. To disable a specific channel or PRI interface, use one of the following commands in interface configuration mode as appropriate for your network: The supported state-values are as follows: • 0—In service • 1—Maintenance • 2—Out of service Command Purpose Router(config-if)# isdn service dsl number b_channel number state state-value Takes an individual B channel out of service or sets it to a different state. Router(config-if)# isdn service dsl number b_channel 0 state state-value Sets the entire PRI to the specified state. Configuring ISDN Special Signaling How to Configure ISDN Special Signaling DC-319 Cisco IOS Dial Technologies Configuration Guide When the T1 Controller Is Shut Down In the event that a controller belonging to an NFAS group is shut down, all active B-channel calls on the controller that is shut down will be cleared (regardless of whether the controller is set to be primary, backup, or none), and one of the following events will occur: • If the controller that is shut down is configured as the primary and no backup is configured, all active calls on the group are cleared. • If the controller that is shut down is configured as the primary, and the active (In service) D channel is the primary and a backup is configured, then the active D channel changes to the backup controller. • If the controller that is shut down is configured as the primary, and the active D channel is the backup, then the active D channel remains as backup controller. • If the controller that is shut down is configured as the backup, and the active D channel is the backup, then the active D channel changes to the primary controller. Note The active D channel changeover between primary and backup controllers happens only when one of the link fails and not when the link comes up. The T309 timer is triggered when the changeover takes place. Monitoring NFAS Groups To monitor NFAS groups, use the following command in EXEC mode: Monitoring ISDN Service To display information about ISDN channel service states, use the following command in EXEC mode: Enabling an ISDN PRI to Take PIAFS Calls on MICA Modems The Personal-Handyphone-System Internet Access Forum Standard (PIAFS) specifications describe a transmission system that uses the PHS 64000 bps/32000 bps unrestricted digital bearer on the Cisco AS5300 universal access server platform. The PIAFS TA (terminal adapter) module is like a modem or a V.110 module in the following ways: • Ports will be a pool of resources. • Calls will use the same call setup Q.931 message. • Module supports a subset of common AT commands. • Call setup and teardown are similar. Command Purpose Router> show isdn nfas group number Displays information about members of an NFAS group. Command Purpose Router> show isdn service Displays information about ISDN channels and the service states. Configuring ISDN Special Signaling How to Configure ISDN Special Signaling DC-320 Cisco IOS Dial Technologies Configuration Guide However, the rate negotiation information will be part of the bearer cap and not the lower-layer compatibility. PIAFS calls will have the user rate as 32000 and 64000; this will be used to distinguish a PIAFS call from a V.110 call. Also, PIAFS will use only up to octets 5a in a call setup message. The data format will default to 8N1 for PIAFS calls. To configure ISDN PRI to take PIAFS call on MICA modems, use the following commands beginning in global configuration mode: Verifying PIAFS Step 1 Enter the show modem operational-status slot/port command to view PIAFS call information. Router# show modem op 1/32 Mdm Typ Status Tx/Rx G Duration RTS CTS DCD DTR 1/32 ISDN Conn 64000/64000 0 1d01h x x x x Modem 1/32, Mica Hex Modem (Managed), Async33, tty33 Firmware Rev: 8.2.0.c Modem config: Incoming and Outgoing Protocol: PIAFS, Compression: V.42bis both Management config: Status polling RX signals: 0 dBm Last clearing of "show modem" counters never 2 incoming completes, 0 incoming failures 0 outgoing completes, 0 outgoing failures 0 failed dial attempts, 0 ring no answers, 0 busied outs 0 no dial tones, 0 dial timeouts, 0 watchdog timeouts 0 no carriers, 0 link failures, 0 resets, 0 recover oob 0 recover modem, 0 current fail count 0 protocol timeouts, 0 protocol errors, 0 lost events 0 ready poll timeouts Configuring Automatic Detection of Encapsulation Type You can enable a serial or ISDN interface to accept calls and dynamically change the encapsulation in effect on the interface when the remote device does not signal the call type. For example, if an ISDN call does not identify the call type in the lower-layer compatibility fields and is using an encapsulation that is different from the one configured on the interface, the interface can change its encapsulation type dynamically. This feature enables interoperation with ISDN terminal adapters that use V.120 encapsulation but do not signal V.120 in the call setup message. An ISDN interface that by default answers a call as synchronous serial with PPP encapsulation can change its encapsulation and answer such calls. Command Purpose Step 1 Router(config)# interface serial controller:channel Enters interface configuration mode for a D-channel serial interface. Step 2 Router(config-if)# isdn piafs-enabled Enables the PRI to take PIAFS calls on MICA modems. Step 3 Router(config-if)# exit Exits interface configuration mode. Configuring ISDN Special Signaling How to Configure ISDN Special Signaling DC-321 Cisco IOS Dial Technologies Configuration Guide Automatic detection is attempted for the first 10 seconds after the link is established or the first 5 packets exchanged over the link, whichever is first. To enable automatic detection of encapsulation type, use the following command in interface configuration mode: You can specify one or more encapsulations to detect. Cisco IOS software currently supports automatic detection of PPP and V.120 encapsulations. Configuring Encapsulation for Combinet Compatibility Historically, Combinet devices supported only the Combinet Proprietary Protocol (CPP) for negotiating connections over ISDN B channels. To enable Cisco routers to communicate with those Combinet bridges, the Cisco IOS supports a the CPP encapsulation type. To enable routers to communicate over ISDN interfaces with Combinet bridges that support only CPP, use the following commands in interface configuration mode: Most Combinet devices support PPP. Cisco routers can communicate over ISDN with these devices by using PPP encapsulation, which supports both routing and fast switching. Cisco 700 and 800 series routers and bridges (formerly Combinet devices) support only IP, Internet Protocol Exchange (IPX), and bridging. For AppleTalk, Cisco routers automatically perform half-bridging with Combinet devices. For more information about half-bridging, see the section “Configuring PPP Half-Bridging” in the chapter “Configuring Media-Independent PPP and Multilink PPP” later in this publication. Cisco routers can also half-bridge IP and IPX with Combinet devices that support only CPP. To configure this feature, you only need to set up the addressing with the ISDN interface as part of the remote subnet; no additional commands are required. Command Purpose Router(config-if)# autodetect encapsulation encapsulation-type Enables automatic detection of encapsulation type on the specified interface. Command Purpose Step 1 Router(config-if)# encapsulation cpp Specifies CPP encapsulation. Step 2 Router(config-if)# cpp callback accept Enables CPP callback acceptance. Step 3 Router(config-if)# cpp authentication Enables CPP authentication. Configuring ISDN Special Signaling Troubleshooting ISDN Special Signaling DC-322 Cisco IOS Dial Technologies Configuration Guide Troubleshooting ISDN Special Signaling To troubleshoot ISDN, use the following commands in EXEC mode as needed: Configuration Examples for ISDN Special Signaling This section provides the following configuration examples: • ISDN AOC Configuration Examples • ISDN NFAS Configuration Examples ISDN AOC Configuration Examples This section provides the following ISDN AOC configuration examples: • Using Legacy DDR for ISDN PRI AOC Configuration • Using Dialer Profiles for ISDN BRI AOC Configuration Using Legacy DDR for ISDN PRI AOC Configuration This example shows ISDN PRI configured on an E1 controller. Legacy DDR is configured on the ISDN D channel (serial interface 0:15) and propagates to all ISDN B channels. A static dialer idle-timeout is configured for all incoming calls on the B channels, but the map classes are configured independently of it. Map classes Kappa and Beta use AOC charging unit duration to calculate the timeout for the call. A short-hold idle timer is set so that if the line is idle for 10 or more seconds, the call is disconnected when the current charging period ends. Map class Iota uses a static idle timeout. version 11.2 service timestamps debug datetime msec service timestamps log datetime msec ! hostname A ! username c2503isdn password 7 1511021F0725 Command Purpose Router# debug dialer Displays the values of timers. Router# debug isdn q921 [interface bri number] or Router# debug isdn q921 interface serial slot/controller-number:23 Displays link layer information for all interfaces or, optionally, for a single BRI interface. Displays link layer information for a single PRI interface. Router# debug isdn q931 [interface bri number] or Router# debug isdn q931 interface serial slot/controller-number:23 Displays the content of call control messages and information elements, in particular the Facility IE message for all interfaces or, optionally, for a single BRI interface. Displays the content of call control messages and information elements, in particular the Facility IE message for a single PRI interface. Configuring ISDN Special Signaling Configuration Examples for ISDN Special Signaling DC-323 Cisco IOS Dial Technologies Configuration Guide username B password 7 110A1016141D29 username C password 7 1511021F072508 isdn switch-type primary-net5 ! controller E1 0 pri-group timeslots 1-31 ! interface Serial 0:15 ip address 10.0.0.35 255.0.0.0 encapsulation ppp dialer idle-timeout 150 dialer map ip 10.0.0.33 name c2503isdn class Iota 06966600050 dialer map ip 10.0.0.40 name B class Beta 778578 dialer map ip 10.0.0.45 name C class Kappa 778579 dialer-group 1 ppp authentication chap ! map-class dialer Kappa dialer idle-timeout 300 dialer isdn short-hold 120 ! map-class dialer Iota dialer idle-timeout 300 ! map-class dialer Beta dialer idle-timeout 300 dialer isdn short-hold 90 ! dialer-list 1 protocol ip permit Using Dialer Profiles for ISDN BRI AOC Configuration This example shows ISDN BRI configured as a member of two dialer pools for dialer profiles. version 11.2 service timestamps debug datetime msec service timestamps log datetime msec ! hostname delorean ! username spanky password 7 0705344245 username delorean password 7 1511021F0725 isdn switch-type basic-net3 ! interface BRI0 description Connected to NTT 81012345678901 no ip address dialer pool-member 1 max-link 1 dialer pool-member 2 max-link encapsulation ppp no fair-queue ! interface Dialer1 ip address 10.1.1.8 255.255.255.0 encapsulation ppp dialer remote-name spanky dialer string 81012345678902 class Omega dialer pool 1 dialer-group 1 ppp authentication chap ! Configuring ISDN Special Signaling Configuration Examples for ISDN Special Signaling DC-324 Cisco IOS Dial Technologies Configuration Guide interface Dialer2 ip address 10.1.1.8 255.255.255.0 encapsulation ppp dialer remote-name dmsisdn dialer string 81012345678902 class Omega dialer string 14153909503 class Gamma dialer pool 2 dialer-group 1 ppp authentication chap ! map-class dialer Omega dialer idle-timeout 60 dialer isdn short-hold 150 ! map-class dialer Gamma dialer isdn short-hold 60 ! dialer-list 1 protocol ip permit ISDN NFAS Configuration Examples This section provides the following configuration examples: • NFAS Primary and Backup D Channels • PRI Interface Service State • NTT PRI NFAS Primary D Channel Example NFAS Primary and Backup D Channels The following example configures ISDN PRI and NFAS on three T1 controllers of a Cisco 7500 series router. The NFAS primary D channel is configured on the 1/0 controller, and the NFAS backup D channel is configured on the 1/1 controller. No NFAS D channel is configured on the 2/0 controller; it is configured for 24 B channels. Once the NFAS primary D channel is configured, it is the only interface you see and need to configure; DDR configuration for the primary D channel—which is distributed to all B channels—is also included in this example. isdn switch-type primary-4ess ! ! NFAS primary D channel on the channelized T1 controller in 1/0. controller t1 1/0 framing esf linecode b8zs pri-group timeslots 1-24 nfas_d primary nfas_interface 0 nfas_group 1 ! ! NFAS backup D channel on the channelized T1 controller in 1/1. controller t1 1/1 framing esf linecode b8zs pri-group timeslots 1-24 nfas_d backup nfas_interface 1 nfas_group 1 ! ! NFAS 24 B channels on the channelized T1 controller in 2/0. controller t1 2/0 framing esf linecode b8zs pri-group timeslots 1-24 nfas_d none nfas_interface 2 nfas_group 1 ! Configuring ISDN Special Signaling Configuration Examples for ISDN Special Signaling DC-325 Cisco IOS Dial Technologies Configuration Guide ! NFAS primary D channel interface configuration for PPP and DDR. This ! configuration is distributed to all the B channels in NFAS group 1 on the ! three channelized T1 controllers. ! interface Serial 1/0:23 ip address 10.1.1.2 255.255.255.0 no ip mroute-cache encapsulation ppp dialer map ip 10.1.1.1 name flyboy 567898 dialer map ip 10.1.1.3 name flyboy 101112345678 dialer map ip 10.1.1.4 name flyboy 01112345678 dialer-group 1 no fair-queue no cdp enable ppp authentication chap PRI Interface Service State The following example puts the entire PRI interface back in service after it previously had been taken out of service: isdn service dsl 0 b-channel 0 state 0 NTT PRI NFAS Primary D Channel Example The following example configures ISDN PRI and NFAS on three T1 controllers of a Cisco 7500 series router. The NFAS primary D channel is configured on the 1/0 controller. No NFAS D channel is configured on the 1/1 and 2/0 controllers; they are configured for 24 B channels. Once the NFAS primary D channel is configured, it is the only interface you see and need to configure. DDR configuration for the primary D channel—which is distributed to all B channels—is also included in this example. isdn switch-type primary-ntt ! ! NFAS primary D channel on the channelized T1 controller in 1/0. controller t1 1/0 framing esf linecode b8zs pri-group timeslots 1-24 nfas_d primary nfas_interface 0 nfas_group 1 ! ! NFAS backup D channel on the channelized T1 controller in 1/1. controller t1 1/1 framing esf linecode b8zs pri-group timeslots 1-24 nfas_d none nfas_interface 1 nfas_group 1 ! ! NFAS 24 B channels on the channelized T1 controller in 2/0. controller t1 2/0 framing esf linecode b8zs pri-group timeslots 1-24 nfas_d none nfas_interface 2 nfas_group 1 ! ! NFAS primary D channel interface configuration for PPP and DDR. This ! configuration is distributed to all the B channels in NFAS group 1 on the ! three channelized T1 controllers. ! interface Serial 1/0:23 ip address 10.1.1.2 255.255.255.0 no ip mroute-cache encapsulation ppp dialer map ip 10.1.1.1 name flyboy 567898 dialer map ip 10.1.1.3 name flyboy 101112345678 Configuring ISDN Special Signaling Configuration Examples for ISDN Special Signaling DC-326 Cisco IOS Dial Technologies Configuration Guide dialer map ip 10.1.1.4 name flyboy 01112345678 dialer-group 1 no fair-queue no cdp enable ppp authentication chap DC-327 Cisco IOS Dial Technologies Configuration Guide Configuring Network Side ISDN PRI Signaling, Trunking, and Switching This chapter describes the Network Side ISDN PRI Signaling, Trunking, and Switching feature. The following main sections are provided: • Network Side ISDN PRI Signaling Overview • How to Configure Network Side ISDN PRI • Configuration Examples for Network Side ISDN PRI Signaling, Trunking, and Switching For hardware technical descriptions and for information about installing the controllers and interfaces, refer to the hardware installation and maintenance publication for your particular product. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the ISDN PRI commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Network Side ISDN PRI Signaling Overview The Network Side ISDN PRI Signaling, Trunking, and Switching feature enables Cisco IOS software to replicate the public switched network interface to a PBX that is compatible with the National ISDN (NI) switch types and European Telecommunications Standards Institute (ETSI) Net5 switch types. Routers and PBXs are both traditionally customer premises equipment (CPE) devices with respect to the public switched network interfaces. However, for Voice over IP (VoIP) applications, it is desirable to interface access servers to PBXs with the access server representing the public switched network. Enterprise organizations use the current VoIP features with Cisco products as a method to reduce costs for long distance phone calls within and outside their organizations. However, there are times that a call cannot go over VoIP and the call needs to be placed using the Public Switched Telephone Network (PSTN). The customer then must have two devices connected to a PBX to allow some calls to be placed using VoIP and some calls to be placed over the PSTN. In contrast, this feature allows Cisco access servers to connect directly to user-side CPE devices such as PBXs and allows voice calls and data calls to be placed without requiring two different devices to be connected to the PBXs. Configuring Network Side ISDN PRI Signaling, Trunking, and Switching Network Side ISDN PRI Signaling Overview DC-328 Cisco IOS Dial Technologies Configuration Guide The Network Side ISDN PRI Signaling, Trunking, and Switching feature provides the following benefits: • Allows you to bypass PSTN tariffed services such as trunking and administration, thus extending the cost savings of VoIP. • Allows your PBXs to be connected directly to a Cisco access server, so PBX station calls can be routed automatically to the IP network without the need for special IP telephones. • Provides flexibility in network design. • Enables you to block calls selectively based on the called number or the calling number. Call Switching Using Dial Peers Call switching using dial peers enables Cisco VoIP gateways to switch both voice and data calls between different interfaces based on the dial peer matching. An incoming call is matched against configured dial peers, and based on the configured called number, the outgoing interface is selected. Any call that arrives from an ISDN PRI network side on a supported platform is either terminated on the access server, switched to an IP network, or switched to the PSTN, depending on the configuration. Note An incoming call will be switched or processed as a voice call only if it matches a dial peer. A dial peer is an addressable call endpoint identified, for example, by a phone number or a port number. In VoIP, there are two kinds of dial peers: plain old telephone service (POTS) and VoIP. Dial peers are defined from the perspective of the access server and are used for both inbound and outbound call legs. An inbound call leg originates outside the access server. An outbound call leg originates from the access server. For inbound call legs, a dial peer might be associated with the calling number or the port designation. Outbound call legs always have a dial peer associated with them. The destination pattern (a defined initial part of a phone number) is used to identify the outbound dial peer. The call is associated with the outbound dial peer at setup time. POTS dial peers associate a telephone number with a particular voice port so that incoming calls for that telephone number can be received and outgoing calls can be placed. Additional information about dial peers can be found in the chapter “Configuring Dial Plans, Dial Peers, and Digit Manipulation” in the Cisco IOS Voice, Video, and Fax Configuration Guide, Release 12.2. Trunk Group Resource Manager The Trunk Group Resource Manager (TGRM) supports the logical grouping, configuration, and joint management of one or more PRI interfaces. The TGRM is used to store configuration information and to accept or select an interface from a trunk group when requested. A trunk group is provisioned as the target of a dial peer, and the TGRM transparently selects the specific PRI interface and channels to use for incoming or outgoing calls. Trunks are selected based on usage: The trunk that is least used is selected. Using trunk groups simplifies the task of configuring dial peers and PRI interfaces, and also enables the dynamic selection of PRI interfaces as needed in the access server. A trunk group can include any number of PRI interfaces, but all the interfaces in a trunk group must use the same type of signaling. Configuring Network Side ISDN PRI Signaling, Trunking, and Switching How to Configure Network Side ISDN PRI DC-329 Cisco IOS Dial Technologies Configuration Guide Class of Restrictions The class of restrictions (COR) functionality provides the ability to deny certain call attempts based on the incoming and outgoing class of restrictions provisioned on the dial peers. This functionality provides flexibility in network design, allows users to block calls (for example, to 900 numbers), and applies different restrictions to call attempts from different originators. COR is used to specify which incoming dial peer can use which outgoing dial peer to make a call. Each dial peer can be provisioned with an incoming and an outgoing COR list. The incoming COR list indicates the capability of the dial peer to initiate certain classes of calls. The outgoing COR list indicates the capability required for an incoming dial peer to deliver a call via this outgoing dial peer. If the capabilities of the incoming dial peer are not the same or a superset of the capabilities required by the outgoing dial peer, the call cannot be completed using this outgoing dial peer. ISDN Disconnect Timers A new disconnect timer, T306, has been added as part of the Internetworking Signaling Enhancements for H.323 and SIP VoIP feature. This timer allows in-band announcements and tones to be played before a call is disconnected. It is designed for routers that are configured as an ISDN network-side switch. The T306 timer starts when the gateway receives a Disconnect message with a progress indicator of 8. The voice path is cut-through in the backward direction, and the announcement or error tone is played until the timer expires. When the timer expires, the voice application disconnects the call. You can configure this timer by using the isdn t306 command. The T306 timer is supported only on routers that are configured for network-side ISDN. The following switches support network-side ISDN: • National ISDN • NET3 BRI • NET5 • QSIG The T310 timer sets a limit for a call in the Call Proceeding state. The timer starts when the router receives a Call Proceeding message and stops when the call moves to another phase, typically Alerting, Connect, or Progress. If the timer expires while the call is in the Call Proceeding state, the router releases the call. You can configure this timer by using the isdn t310 command. How to Configure Network Side ISDN PRI See the following sections for configuration tasks for the Network Side ISDN PRI Signaling, Trunking, and Switching feature. Each task is identified as required or optional. • Configuring ISDN Network Side (Required) • Configuring Global or Interface Trunk Groups (Optional) • Configuring Classes of Restrictions (Optional) • Configuring ISDN T306 and T310 Timers (Optional) • Verifying Network Side ISDN PRI Signaling, Trunking, and Switching (Optional) The sections “Monitoring Network Side ISDN PRI” and “Monitoring TGRM” list commands that you can use to monitor network side ISDN PRI signaling. Configuring Network Side ISDN PRI Signaling, Trunking, and Switching How to Configure Network Side ISDN PRI DC-330 Cisco IOS Dial Technologies Configuration Guide Configuring ISDN Network Side Before you begin to configure the Network Side ISDN PRI Signaling, Trunking, and Switching feature, ensure that the selected access server is in the following condition: • The T1 or E1 controllers are operational and configured for ISDN PRI. • The D-channel interfaces are operational and configured for ISDN PRI. • Each D-channel interface is configured with the isdn incoming-voice modem command. For example, the selected PRI interfaces might have a configuration similar to the following: interface Serial1/0/0:23 no ip address no ip directed-broadcast isdn switch-type primary-ni isdn protocol-emulate network isdn incoming-voice modem no cdp enable Also keep the following restrictions in mind as you configure network side ISDN PRI signaling, trunking, and switching: • You can configure Cisco access server and access routers for either Network Side ISDN PRI for NI or Net5 switches. • The trunking and COR parts of the Network Side ISDN PRI Signaling, Trunking, and Switching feature are available only on the Cisco AS5800 access server. In addition, call hairpinning without the need of a Voice Feature Card (and its digital signal processor) is available only on the Cisco AS5800 and Cisco AS5400. The remainder of the feature is platform-independent. • The Cisco AS5800 and Cisco AS5400 switch both voice and data calls. The Cisco As5300 switches only data calls. • On the Cisco AS5800, direct-inward-dial (DID) switched calls can work without a Voice Feature Card, if the appropriate modem is present. Refer to the AS5800 hardware and software installation manuals for more information. • On the Cisco AS5400, direct-inward-dial (DID) switched calls can work with only Trunk Feature Cards present. No Voice Feature Card or Modem Feature card are required. • An interface that is a member of a Non-Facility Associated Signaling (NFAS) group cannot belong to a trunk group. • The Cisco AS5400 supports Network Side ISDN PRI Signaling and Calling Switching Using Dial Peers. It does not support Trunk Group Resource Manager and Class of Restrictions. • The Network Side ISDN PRI part of this feature runs on any ISDN-capable platform with PRI interfaces. The trunking and class of restrictions parts of this feature require the Cisco AS5800. Note To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. Configuring Network Side ISDN PRI Signaling, Trunking, and Switching How to Configure Network Side ISDN PRI DC-331 Cisco IOS Dial Technologies Configuration Guide Configuring ISDN Network Side for the National ISDN Switch Type To configure Network Side ISDN PRI, use the following commands beginning in global configuration mode: If you choose to configure Network Side ISDN PRI on individual interfaces in Step 1, repeat the configuration on the additional PRI interfaces. Configuring ISDN Network Side for ETSI Net5 PRI To configure a Cisco access router for ISDN Network Side for ETSI Net5 PRI, you can configure the primary-net5 switch type globally or you can configure the primary-net5 switch type on selected PRI interfaces. To configure ISDN Network Side for Net5, use the following commands beginning in global configuration mode: Repeat the configuration steps on all the additional PRI D-channel interfaces you want to configure for ISDN Network Side for ETSI Net5 PRI. Command Purpose Step 1 Router(config)# isdn switch-type type or Router(config-if)# interface serial0/0/n and Router(config-if)# switch-type primary-ni Sets the global ISDN switch type. Two types are supported: • primary-ni for NI on a T1 line • primary-net5 for ETSI Net5 on an E1 line Specifies the D-channel interface. For n, the D-channel number, use: 0:23 on a T1 PRI 0:15 on an E1 PRI Sets the switch type on the interface. Step 2 Router(config-if)# isdn protocol-emulate network Enables network-side support on the PRI interface. Command Purpose Step 1 Router(config)# isdn switch-type primary-net5 or Router(config-if)# interface serial0/0/0:15 Router(config-if)# switch-type primary-net5 Sets the primary-net5 global ISDN switch type. or Specifies a D-channel interface to configure for ISDN Network Side for ETSI Net5 PRI. Sets the primary-net5 switch type on the interface. Step 2 Router(config-if)# isdn protocol-emulate network Enables network side support on the interface. Configuring Network Side ISDN PRI Signaling, Trunking, and Switching How to Configure Network Side ISDN PRI DC-332 Cisco IOS Dial Technologies Configuration Guide Configuring Global or Interface Trunk Groups You can create trunk groups globally (using the one-command version of Step 1) or on each interface (using the two-command version of Step 1). To configure trunk groups, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# trunk group group-number Defines the trunk group globally. or Router(config-if)# interface serial0/0/n and Specifies the PRI D-channel. For n, the D-channel number, use: • 0:23 on a T1 PRI • 0:15 on an E1 PRI Router(config-if)# trunk-group group-number Adds the interface to a trunk group. If the trunk group has not been defined globally, it will be created now. Step 2 Router(config-if)# max-calls {voice | data | any} number | [direction in | out] Applies a maximum number of calls restriction to the trunk group. This command can be repeated to apply a maximum number to different types of calls and, optionally, to specify whether the maximum applies to incoming or outgoing calls. Note Repeat Step 1 and Step 2 to create additional trunk groups and specify their restrictions, as needed for your traffic. Step 3 Router(config)# dial-peer voice tag pots Enters dial-peer configuration mode and defines a remote dial peer. Step 4 Router(config-dial-peer)# trunkgroup group-number Specifies the trunk group to be used for outgoing calls to the destination phone number. Configuring Network Side ISDN PRI Signaling, Trunking, and Switching How to Configure Network Side ISDN PRI DC-333 Cisco IOS Dial Technologies Configuration Guide Configuring Classes of Restrictions To configure COR for dial peers, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# dial-peer cor custom Specifies that named classes of restrictions apply to dial peers and changes the command mode to COR configuration. Step 2 Router(config-cor)# name class-name Provides a name for a custom class of restrictions. Note Repeat this step for additional class names, as needed. These class names are used in various combinations to define the lists in Step 3 and Step 4. Step 3 Router(config)# dial-peer cor list list-name Provides a name for a list of restrictions. Step 4 Router(config-cor)# member class-name Adds a COR class to this list of restrictions. The member is a class named in Step 2. Note Repeat Step 3 and Step 4 to define another list and its membership, as needed. Step 5 Router(config)# dial-peer voice tag pots Enters dial-peer configuration mode and defines a remote dial peer. Step 6 Router(config-dial-peer)# corlist incoming cor-list-name Specifies the COR list to be used when this is the incoming dial peer. Step 7 Router(config-dial-peer)# corlist outgoing cor-list-name Specifies the COR list to be used when this is the outgoing dial peer. Note Repeat Step 5 through Step 7 for additional dial peers, as needed. Configuring Network Side ISDN PRI Signaling, Trunking, and Switching How to Configure Network Side ISDN PRI DC-334 Cisco IOS Dial Technologies Configuration Guide Configuring ISDN T306 and T310 Timers To configure the T306 and T310 timers, use the following commands beginning in global configuration mode: To verify that the T306 timer is configured and operating correctly, perform the following steps: Step 1 Display the running configuration file with the show running-config privileged EXEC command. Verify that the configuration is accurate for the T306 timer. See the “T306/T310 Timer Configuration Example” section for a sample configuration. Step 2 Enable the debug isdn q931 privileged EXEC command to trace the ISDN messages. Step 3 Place a call to the gateway. Disconnect the call and allow the far end to play its error message until the T306 timer expires. When the timer expires, the gateway should disconnect the call. Verifying Network Side ISDN PRI Signaling, Trunking, and Switching To learn whether the Network Side ISDN PRI Signaling, Trunking, and Switching feature is configured successfully, perform the following steps: Step 1 Enter the show isdn status command to learn whether an appropriate switch type is specified either globally or on the D-channel interface: Router# show isdn status serial 0:15 Global ISDN Switchtype = primary-net5 ISDN Serial0:15 interface ******* Network side configuration ******* dsl 0, interface ISDN Switchtype = primary-net5 Command Purpose Step 1 Router(config)# interface serial controller:timeslot Enters interface configuration mode for a D-channel serial interface. Step 2 Router(config-if)# isdn t306 milliseconds Sets the number of milliseconds that the gateway waits before clearing a call after it receives a Disconnect message with a progress indicator of 8. Step 3 Router(config-if)# isdn t310 milliseconds Sets the number of milliseconds that the gateway waits before clearing a call after it receives a Call Proceeding message. Configuring Network Side ISDN PRI Signaling, Trunking, and Switching How to Configure Network Side ISDN PRI DC-335 Cisco IOS Dial Technologies Configuration Guide Step 2 Enter the show dial-peer voice command to learn whether the trunk group COR list and permission fields are set as desired on a dial peer: Router# show dial-peer voice VoiceEncapPeer210 information type = voice, tag = 210, destination-pattern = `221', answer-address = `', preference=0, numbering Type = `unknown' group = 210, Admin state is up, Operation state is up, incoming called-number = `221', connections/maximum = 4/unlimited, DTMF Relay = disabled, Modem = system passthrough , huntstop = disabled, application associated: permission :both incoming COR list:listA outgoing COR list:minimum requirement type = pots, prefix = `221', forward-digits default session-target = `', voice-port = `1/0/8:D', direct-inward-dial = enabled, digit_strip = enabled, Note The above output is for a dial peer configured with incoming COR list “listA” and without an outgoing COR list configured. When no outgoing COR list is configured, the show dial-peer voice command displays “minimum requirement” in the outgoing COR list output. When no incoming COR list is configured, the show dial-peer voice command displays “maximum capability” in the incoming COR list output. Step 3 Enter the show dial-peer cor command to display the COR names and lists you defined. For example, if you configured COR as shown in the following sample display, the show dial-peer cor command output reflects that configuration. Sample Configuration dial-peer cor custom name 900block name 800_call name Catchall ! dial-peer cor list list1 member 900block member 800_call ! dial-peer cor list list2 member 900block ! dial-peer cor list list3 member 900block member 800_call member Catchall Configuring Network Side ISDN PRI Signaling, Trunking, and Switching How to Configure Network Side ISDN PRI DC-336 Cisco IOS Dial Technologies Configuration Guide Verification Router# show dial-peer cor Class of Restriction name:900block name:800_call name:Catchall COR list member:900block member:800_call COR list member:900block COR list member:900block member:800_call member:Catchall Step 4 Enter the show tgrm command to verify the trunk group configuration. For example, if you configured trunk groups as shown in the following sample display, the show tgrm command output reflects that configuration. Sample Configuration interface Serial1/0/8:15 no ip address ip mroute-cache no keepalive isdn switch-type primary-net5 isdn protocol-emulate network isdn incoming-voice modem trunk-group 2 no cdp enable Verification Router# show tgrm Trunk Any in Vce in Data in Group # Any out Vce out Data out 2 65535 65535 65535 65535 65535 65535 0 Retries Interface Se1/0/1:15 Data = 0, Voice = 0, Free = 30 Interface Se1/0/8:15 Data = 2, Voice = 0, Free = 28 Total calls for trunk group:Data = 2, Voice = 0, Free = 58 Selected Voice Interface :Se1/0/1:15 Selected Data Interface :Se1/0/1:15 Configuring Network Side ISDN PRI Signaling, Trunking, and Switching How to Configure Network Side ISDN PRI DC-337 Cisco IOS Dial Technologies Configuration Guide Step 5 Enter the show isdn status command to display the status of both Network Side ISDN PRI and call switching: Router# show isdn status Global ISDN Switchtype = primary-net5 ISDN Serial1/0/0:15 interface ******* Network side configuration ******* dsl 0, interface ISDN Switchtype = primary-net5 Layer 1 Status: ACTIVE Layer 2 Status: TEI = 0, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED Layer 3 Status: 2 Active Layer 3 Call(s) Activated dsl 0 CCBs = 2 CCB:callid=3C71, sapi=0, ces=0, B-chan=31, calltype=data CCB:callid=3C72, sapi=0, ces=0, B-chan=30, calltype=data The Free Channel Mask: 0x9FFF7FFF ISDN Serial1/0/1:15 interface /1/0/8 filtering... ISDN Serial1/0/8:15 interface ******* Network side configuration ******* dsl 8, interface ISDN Switchtype = primary-net5 Layer 1 Status: ACTIVE Layer 2 Status: TEI = 0, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED Layer 3 Status: 2 Active Layer 3 Call(s) Activated dsl 8 CCBs = 2 CCB:callid=BB40, sapi=0, ces=0, B-chan=1, calltype=DATA CCB:callid=BB41, sapi=0, ces=0, B-chan=2, calltype=DATA The Free Channel Mask: 0xFFFF7FFC Monitoring Network Side ISDN PRI To monitor Network Side ISDN PRI, use the following commands in EXEC mode as needed: Command Purpose Router# show controllers e1 slot/port Checks Layer 1 (physical layer) of the PRI over E1. Router# show controllers e1 number call-counters Displays the number of calls and call durations on an E1 controller. Router# show interfaces serial slot/port bchannel channel-number Displays information about the physical attributes of the ISDN PRI over channelized E1 B and D channels. Router# show isdn {active | history | memory | services | status [dsl | interface-type number] | timers} Displays information about memory, Layer 2 and Layer 3 timers, and the status of PRI channels. Configuring Network Side ISDN PRI Signaling, Trunking, and Switching Configuration Examples for Network Side ISDN PRI Signaling, Trunking, and Switching DC-338 Cisco IOS Dial Technologies Configuration Guide Monitoring TGRM To monitor and maintain the Trunk Group Resource Manager, use the following command in EXEC mode: Configuration Examples for Network Side ISDN PRI Signaling, Trunking, and Switching This section provides the following configuration examples: • Call Switching and Dial Peers Configuration on T1/T3 Example • Trunk Group Configuration Example • COR for Dial Peer Configuration Example • COR Based on Outgoing Dial Peers Example • Dial Peers and Trunk Groups for Special Numbers Examples • ISDN Network Side for ETSI Net5 PRI Configuration on E1 Example • T306/T310 Timer Configuration Example Call Switching and Dial Peers Configuration on T1/T3 Example The following example enables Network Side ISDN PRI, call switching, and dial peers: isdn switch-type primary-ni ! controller T1 1/0/0 framing esf linecode b8zs pri-group timeslots 1-24 ! interface Serial1/0/0:23 no ip address no ip directed-broadcast isdn switch-type primary-ni isdn protocol-emulate network isdn incoming-voice modem no cdp enable ! dial-peer voice 11 pots incoming called-number 222 destination-pattern 222 direct-inward-dial port 1/0/0:D prefix 555 Command Purpose Router# show tgrm Displays TGRM information for debugging purposes. Configuring Network Side ISDN PRI Signaling, Trunking, and Switching Configuration Examples for Network Side ISDN PRI Signaling, Trunking, and Switching DC-339 Cisco IOS Dial Technologies Configuration Guide Trunk Group Configuration Example The following trunk group allows only voice calls: trunk group 1 max-calls data 0 ! The following trunk group allows a maximum of 20 outgoing voice calls: trunk group 2 max-calls voice 20 direction out ! The following trunk group allows a maximum of 50 incoming calls: trunk group 3 max-calls any 50 direction in ! The following trunk group allows a maximum of 100 calls, 30 of which can be voice (incoming or outgoing), and 60 of which can be incoming data (the remaining 10 will be unused): trunk group 4 max-calls any 100 max-calls voice 30 max-calls data 60 direction in COR for Dial Peer Configuration Example The following example defines trunk group 101, establishes Network Side ISDN PRI on two PRI interfaces, and assigns both interfaces to trunk group 101. In addition, it establishes three COR lists, and specifies which incoming dial peers can make calls to 800 and which can make calls to 900 area codes. This example adopts a useful mnemonic pattern: the dial-peer voice tags for incoming calls correspond to the answer address (the phone number being called) and the dial-peer voice tags for outgoing calls correspond to the destination pattern. trunk group 101 ! interface Serial1/0/0:23 no ip address no ip directed-broadcast isdn switch-type primary-ni isdn protocol-emulate network isdn incoming-voice modem no cdp enable trunk-group 101 ! interface Serial1/0/1:23 no ip address no ip directed-broadcast isdn switch-type primary-ni isdn protocol-emulate network isdn incoming-voice modem no cdp enable trunk-group 101 ! dial-peer cor custom name 900_call name 800_call ! dial-peer cor list list1 member 900_call ! Configuring Network Side ISDN PRI Signaling, Trunking, and Switching Configuration Examples for Network Side ISDN PRI Signaling, Trunking, and Switching DC-340 Cisco IOS Dial Technologies Configuration Guide dial-peer cor list list2 member 800_call ! dial-peer cor list list3 member 900_csll member 800_call ! dial-peer voice 525 pots answer-address 408525.... corlist incoming list3 direct-inward-dial ! dial-peer voice 526 pots answer-address 408526.... corlist incoming list2 direct-inward-dial ! dial-peer voice 900 pots destination-pattern 1900....... direct-inward-dial trunkgroup 101 prefix 333 corlist outgoing list1 ! dial-peer voice 12345 pots destination-pattern .T direct-inward-dial trunkgroup 202 ! COR Based on Outgoing Dial Peers Example A typical application of COR is to define a COR name for the number that an outgoing dial peer serves, then define a list that contains only that COR name, and assign that list as corlist outgoing for this outgoing dial peer. For example, dial peer with destination pattern 5x can have a corlist outgoing that contains COR 5x. The next step, in the typical application, is to determine how many call permission groups are needed, and define a COR list for each group. For example, group A is allowed to call 5x and 6x, and group B is allowed to call 5x, 6x, and 1900x. Then, for each incoming dial peer, we can assign a group for it, which defines what number an incoming dial peer can call. Assigning a group means assigning a corlist incoming to this incoming dial peer. config terminal dial-peer cor custom name 5x name 6x name 1900x ! dial-peer cor list listA member 5x member 6x ! dial-peer cor list listB member 5x member 6x member 1900x ! dial-peer cor list list5x member 5x ! Configuring Network Side ISDN PRI Signaling, Trunking, and Switching Configuration Examples for Network Side ISDN PRI Signaling, Trunking, and Switching DC-341 Cisco IOS Dial Technologies Configuration Guide dial-peer cor list list6x member 6x ! dial-peer cor list list1900x member 1900x ! outgoing dialpeer 100, 200, 300 dial-peer voice 100 pots destination-pattern 5T corlist outgoing list5x dial-peer voice 200 pots destination-pattern 6T corlist outgoing list6x dial-peer voice 300 pots destination-pattern 1900T corlist outgoing list1900x ! ! incoming dialpeer 400, 500 dial-peer voice 400 pots answer-address 525.... corlist incoming listA dial-peer voice 500 pots answer-address 526 corlist incoming listB In this example, calls from 525xxxx are not able to use dial peer 300, which means they will not be able to make 1900 calls (long distance calls to the 900 area code). But calls from 526xxxx can make 1900 calls. Dial Peers and Trunk Groups for Special Numbers Examples The following partial examples show setups for handling special numbers such as the 911 emergency number, the 0 local operator number, the 00 long-distance operator number, and so forth. “T” in these examples stands for the “interdigital timeout.” Calls to emergency numbers should not wait for this timeout, so 911 is used as the destination pattern, not 911T. This partial example sets up a trunk group to handle calls going to the operator (0): dial-peer voice 100 pots destination-pattern 0T trunkgroup 203 ! The following partial example sets up a trunk group to handle calls to the long distance operator (00): dial-peer voice 200 pots destination-pattern 00T trunkgroup 205 ! The following partial example sets up a trunk group to handle calls to the international direct dial (011): dial-peer voice 300 pots destination-pattern 011T trunkgroup 207 ! The following partial example sets up a trunk group to handle street line calls (calls that get a dial tone for an outside line): disl-peer voice 400 pots destination-pattern 9T trunkgroup 209 ! Configuring Network Side ISDN PRI Signaling, Trunking, and Switching Configuration Examples for Network Side ISDN PRI Signaling, Trunking, and Switching DC-342 Cisco IOS Dial Technologies Configuration Guide The following partial example sets up a trunk group to handle calls for directory assistance: dial-peer voice 500 pots destination-pattern 411 trunkgroup 211 ! The following partial example sets up a trunk group to handle calls to the 911 emergency number. Emergency calls will not require a wait for the interdigital timeout to expire. They will be completed immediately. dial-peer voice 600 pots destination pattern 911 trunkgroup 333 ISDN Network Side for ETSI Net5 PRI Configuration on E1 Example The following example enables the ISDN Network Side for ETSI Net5 PRI feature on an access server on which ISDN PRI is already configured and operational. In this example, the Net5 PRI switch type is set on the D-channel interface, and the global interface type is not shown. controller e1 0 pri-group timeslots 1-31 exit ! interface serial0:15 no ip address no ip directed-broadcast ip mroute-cache isdn switch-type primary-net5 isdn protocol-emulate networK T306/T310 Timer Configuration Example The following example configures the T306 and T310 disconnect timers: interface Serial0:23 no ip address no ip directed-broadcast encapsulation ppp dialer rotary-group 0 isdn switch-type primary-5ess isdn incoming-voice modem isdn t306 60000 isdn t310 40000 Dial-on-Demand Routing Configuration DC-345 Cisco IOS Dial Technologies Configuration Guide Preparing to Configure DDR This chapter presents the decisions and preparations leading to a dial-on-demand routing (DDR) configuration and shows where some advanced features fit into the DDR configuration steps. It distinguishes between the topology decisions and the implementation of the decisions. In the implementation phase, it distinguishes the DDR-independent decisions from the DDR-dependent decisions. This chapter provides the following information: • DDR Decision Flowchart—A flowchart of topology and implementation decisions that you will need to make before you configure DDR. • DDR Topology Decisions, DDR-Independent Implementation Decisions, and DDR-Dependent Implementation Decisions—References to sources of detailed information for the configuration steps associated with each decision. • Global and Interface Preparations for DDR—Brief description indicating which preparations are global and which are interface-specific. • Preparations for Routing or Bridging over DDR—A description of the steps required for bridging or routing over DDR. The section “Configuration Examples for Legacy DDR” at the end of this chapter provides examples of configuring DDR in your network, and includes line configuration and chat script samples. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the global dialer commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. DDR Decision Flowchart This section provides a flowchart of the decisions to be made before and while you configure DDR and also includes the flowchart. Figure 48 presents the entire decision flowchart. The decision phases are shown in separate boxes. Numbers in parentheses refer to notes, which follow the figure. Preparing to Configure DDR DDR Decision Flowchart DC-346 Cisco IOS Dial Technologies Configuration Guide Figure 48 Decisions and Implementation Flow to DDR Who places and who receives calls? Which routers? Which media? Topology decisions Topology implementation Async Sync Bridge DDR-independent implementation DDR-dependent implementation 1 Route Spoke S6669 Simple Complex Hub Bandwidth on demand MLP BACP MMP Dial backup DDR IPX AT IP Bridging configuration ISDN HDLC PPP LAPB X.25 FR Which encapsulation? Legacy DDR or dialer profiles? Simple or complex? Route or bridge? Which routed protocol? . . . 2 3 4 6 5 Preparing to Configure DDR DDR Topology Decisions DC-347 Cisco IOS Dial Technologies Configuration Guide Flowchart Notes The DDR chapters do not provide complete configuration information for most of the items in the following list. However, detailed information is available in other chapters and publications. The numbers in this list correspond to the circled numbers in the flowchart. 1. Configuration of the dial port and interface. The port, line, and interface are expected to be configured and operational before you configure DDR. See the relevant chapters in the “Preparing for Dial Access” part of this manual. 2. Encapsulation; including encapsulation for other WANs. See the “Configuring Media-Independent PPP and Multilink PPP” chapter of this publication for PPP encapsulation and refer to the Cisco IOS Wide-Area Networking Configuration Guide for sections on Frame Relay and X.25. 3. Bridging configurations. Refer to the Cisco IOS Bridging and IBM Networking Configuration Guide. 4. Routed protocols to be supported. See the protocol-specific chapters and publications. 5. Dialer profiles and legacy DDR are described in different chapters of the “Dial-on-Demand Routing” part of this publication. 6. Complex DDR configurations. Refer to the chapter “Configuring Media-Independent PPP and Multilink PPP” in this publication. The DDR chapters provide complete configuration information about the simple hub-and-spoke DDR configurations, about the dialer profiles implementation of DDR, and about preparations required for configuring asynchronous interfaces for DDR. DDR Topology Decisions Topology decisions determine which routers will use DDR, which media and interfaces each one will use for DDR, and how each interface will function when using DDR. For example, if you choose a hub-and-spoke topology, one router will communicate with multiple routers. You must decide whether that router will use one interface or multiple interfaces for DDR, and whether it will receive calls only (forcing the spokes to initiate and bear the cost of calls). If it will use multiple interfaces, you must decide whether they will be of different types or the same type. DDR-Independent Implementation Decisions DDR-independent implementation decisions include the following: • Using a specific interface or combination of interfaces for DDR. For complete configuration steps for the various media and interfaces, see the chapters in the “Dial-In Port Setup” part of this publication. • Using nondefault encapsulations. The default encapsulation is High-Level Data Link Control (HDLC). However, PPP is widely used for situations in which authentication is desired, especially situations in which an interface will receive calls from multiple sites. Detailed PPP encapsulation requirements are described in the “Configuring Media-Independent PPP and Multilink PPP” and “Configuring Asynchronous PPP and SLIP” chapters of this publication. Preparing to Configure DDR DDR-Dependent Implementation Decisions DC-348 Cisco IOS Dial Technologies Configuration Guide If you decide to send DDR traffic over Frame Relay, X.25, or Link Access Procedure, Balanced (LAPB) networks, the interface must be configured with the appropriate encapsulation. For configuration details, refer to the related chapters in the Cisco IOS Wide-Area Networking Configuration Guide. • Routing or bridging the DDR traffic. Legacy DDR supports bridging to only one destination, but the dialer profiles support bridging to multiple destinations. If you decide to bridge traffic over a dial-on-demand connection, configure the interface for transparent bridging. For detailed information, refer to the “Configuring Transparent Bridging” chapter of the Cisco IOS Bridging and IBM Networking Configuration Guide. • Supporting one or more specific routed protocols, if you decide to route traffic. Depending on the protocol, you do need to control access by entering access lists and to decide how to support network addressing on an interface to be configured for DDR. You might also need to spoof keepalive or other packets. For configuration details, refer to the related network protocol chapters in the appropriate network protocols configuration guide, such as the Cisco IOS AppleTalk and Novell IPX Configuration Guide. DDR-Dependent Implementation Decisions You must decide whether to implement legacy DDR or the newer dialer profiles; both are documented in the “Dial-on-Demand Routing” part of this publication. You must also decide whether a simple DDR configuration meets your business needs or whether to add other features. Dialer Profiles The dialer profiles implementation of DDR is based on a separation between logical and physical interface configuration. Dialer profiles also allow the logical and physical configurations to be bound together dynamically on a per-call basis. Dialer profiles are advantageous in the following situations: • When you want to share an interface (ISDN, asynchronous, or synchronous serial) to place or receive calls. • When you want to change any configuration on a per-user basis. • When you want to maximize ISDN channel usage using the Dynamic Multiple Encapsulations feature to configure various encapsulation types and per-user configurations on the same ISDN B channel at different times according to the type of call. • When you want to bridge to many destinations, and for avoiding split horizon problem. Most routed protocols are supported; however, International Organization for Standardization Connectionless Network Service (ISO CLNS) is not supported. If you decide to configure dialer profiles, you must disable validation of source addresses for the routed protocols you support. For detailed dialer profiles information, see the “Configuring Peer-to-Peer DDR with Dialer Profiles” chapter in this publication. For more information about Dynamic Multiple Encapsulations, see the “How to Configure Dialer Profiles” section in that chapter. Preparing to Configure DDR Global and Interface Preparations for DDR DC-349 Cisco IOS Dial Technologies Configuration Guide Legacy DDR Legacy DDR is powerful and comprehensive, but its limitations affect scaling and extensibility. Legacy DDR is based on a static binding between the per-destination call specification and the physical interface configuration. However, legacy DDR also has many strengths. It supports Frame Relay, ISO CLNS, LAPB, snapshot routing, and all routed protocols that are supported on Cisco routers. By default, legacy DDR supports fast switching. For information about simple legacy DDR spoke configurations, see the “Configuring Legacy DDR Spokes” chapter. For information about simple legacy DDR hub configurations, see the “Configuring Legacy DDR Hubs” chapter. Both chapters are in this publication. Simple or Complex DDR Configuration You must also decide whether to implement a simple DDR configuration—whether it is a simple point-to-point (spoke-to-spoke) layout or a simple hub-and-spoke layout—or to add on features that make the implementation more complex. Add-on features include dial backup, bandwidth on demand, application of the Bandwidth Allocation Control Protocol (BACP), Multilink PPP, and many others. Global and Interface Preparations for DDR Some preparations are global and some depend on the type of interface you will configure for DDR. After you have made the required global decision whether to bridge or to route a specified protocol over a dial-on-demand link, you can make the following preparations: • If you choose to bridge the protocol, decide whether to allow bridge packet access by Ethernet type codes or to permit all bridge packets across the link. Allowing access by Ethernet type codes requires you to define a bridging access list in global configuration mode. Allowing all bridge packets to trigger calls across a dial-on-demand link to a single destination is a DDR-dependent task addressed in the “Configure Dialer Access Lists to Trigger Outgoing Calls” section of both the “Configuring Legacy DDR Spokes” and “Configuring Legacy DDR Hubs” chapters in this publication. Bridging to multiple destinations requires dialer profiles. • If you choose to route the protocol: – Define one or more access lists for the selected routed protocol to determine which packets should be permitted or denied access to the dial-on-demand link. Allowing those packets to trigger calls across a dial-on-demand link is a DDR-dependent task addressed in the “Configure Dialer Access Lists to Trigger Outgoing Calls” section of both the “Configuring Legacy DDR Spokes” and “Configuring Legacy DDR Hubs” chapters in this publication. – Define an appropriate dialer list for the protocol. – Disable validation of source addresses, if you decide to configure dialer profiles. Preparing to Configure DDR Preparations for Routing or Bridging over DDR DC-350 Cisco IOS Dial Technologies Configuration Guide Preparations Depending on the Selected Interface Type The steps shown in this chapter assume that you have also completed the required preparatory steps for the type of interface you will configure for DDR: • The interface is installed, the cable is connected as needed, and operational. • Chat scripts are ready, as needed, for any asynchronous interfaces and modem scripts have been assigned to the relevant asynchronous lines. • Asynchronous lines and modems are configured and operational, as needed. • Any ISDN line that will be used for DDR is properly provisioned and running. • You have decided which interfaces and how many interfaces are to be configured for DDR, and what functions each interface will perform. Preparations for Routing or Bridging over DDR The following tasks are DDR-independent and can be completed before you configure DDR. Minimal tasks required for each item are presented in this chapter. For detailed information about bridging, routing, and wide-area networking configurations, refer to the appropriate chapters in other manuals of the Cisco IOS documentation set. Complete the following minimal tasks for the global decisions you have made: • Preparing for Transparent Bridging over DDR (As required) • Preparing for Routing over DDR (As required) Preparing for Transparent Bridging over DDR To prepare for transparent bridging over DDR, complete the tasks in the following sections: • Defining the Protocols to Bridge (As required) • Specifying the Bridging Protocol (As required) • Controlling Bridging Access (As required) Defining the Protocols to Bridge IP packets are routed by default unless they are explicitly bridged; all others are bridged by default unless they are explicitly routed. To bridge IP packets, use the following command in global configuration mode: If you choose not to bridge another protocol supported on your network, use the relevant command to enable routing of that protocol. For more information about tasks and commands, refer to the relevant protocol chapter in the appropriate network protocols configuration guide, such as the Cisco IOS AppleTalk and Novell IPX Configuration Guide or Cisco IOS IP Configuration Guide. Command Purpose Router(config)# no ip routing Disables IP routing. Preparing to Configure DDR Preparations for Routing or Bridging over DDR DC-351 Cisco IOS Dial Technologies Configuration Guide Specifying the Bridging Protocol You must specify the type of spanning-tree bridging protocol to use and also identify a bridge group. To specify the spanning-tree protocol and a bridge group number, use the following command in global configuration mode: The bridge-group number is used when you configure the interface and assign it to a bridge group. Packets are bridged only among members of the same bridge group. Controlling Bridging Access You can control access by defining any transparent bridge packet as interesting, or you can use the finer granularity of controlling access by Ethernet type codes. To control access by Ethernet type codes, use the following commands in global configuration mode: Packets with a specified Ethernet type code can trigger outgoing calls. Spanning tree bridge protocol data units (BPDUs) are always treated as uninteresting and cannot trigger calls. For a table of some common Ethernet types codes, refer to the “Ethernet Types Codes” appendix in the Cisco IOS Bridging and IBM Networking Command Reference. To identify all transparent bridge packets as interesting, use the following command in global configuration mode: Preparing for Routing over DDR DDR supports the following routed protocols: AppleTalk, Banyan VINES, DECnet, IP, Internet Protocol Exchange (IPX), ISO CLNS, and Xerox Network Systems (XNS). To prepare for routing a protocol over DDR, perform the tasks in the relevant section: • Configuring the Protocol for Routing and Access Control (As required) • Associating the Protocol Access List with a Dialer Group (As required) Command Purpose Router(config)# bridge bridge-group protocol {ieee | dec} Defines the type of spanning tree protocol and identifies a bridge group. Command Purpose Step 1 Router(config)# access-list access-list-number {permit | deny} type-code [mask] Identifies interesting packets by Ethernet type codes (access list numbers must be in the range 200–299). Step 2 Router(config)# dialer-list dialer-group protocol bridge list access-list-number Defines a dialer list for the specified access list. Command Purpose Router(config)# dialer-list dialer-group protocol bridge permit Defines a dialer list that treats all transparent bridge packets as interesting. Preparing to Configure DDR Preparations for Routing or Bridging over DDR DC-352 Cisco IOS Dial Technologies Configuration Guide Configuring the Protocol for Routing and Access Control This section specifies the minimal steps required to configure a protocol for routing over DDR. For more options and more detailed descriptions, refer to the relevant protocol chapter. Configuring IP Routing IP routing is enabled by default on Cisco routers; thus no preparation is required simply to enable it. You might, however, need to decide your addressing strategy and complete other global preparations for routing IP in your networks. To use dynamic routing where multiple remote sites communicate with each other through a central site, you might need to disable the IP split horizon feature. Refer to the “Configuring IP Addressing” chapter in the Cisco IOS IP Configuration Guide for more information. At a minimum, you must complete the following tasks: • Disable validation of source addresses. • Configure one or more IP access lists before you refer to the access lists in DDR dialer-list commands to specify which packets can trigger outgoing calls. To disable validation of source addresses, use the following commands in global configuration mode: For more information about IP routing protocols, refer to the Cisco IOS IP Configuration Guide. To configure IP access lists, use one of the following commands in global configuration mode: You can also use simplified IP access lists that use the any keyword instead of the numeric forms of source and destination addresses and masks. Other forms of IP access lists are also available. For more information, refer to the “IP Services Commands” chapter in the Cisco IOS IP Configuration Guide. For an example of configuring DDR for IP, see the chapters “Configuring a Legacy DDR Spoke” or “Configuring a Legacy DDR Hub” in this publication. You can configure IP routing on DDR asynchronous, synchronous serial, and ISDN interfaces, as well as dialer rotary groups. Command Purpose Router(config)# router rip Specifies the routing protocol; RIP, for example. Router(config)# no validate-update-source Disables validation of source addresses. Router(config)# network number Specifies the IP address. Command Purpose Router(config)# access-list access-list-number {deny | permit} source [source-mask] or Router(config)# access-list access-list-number {deny | permit} protocol source source-mask destination destination-mask [operator operand] Specifies an IP standard access list. Specifies an IP extended access list. Preparing to Configure DDR Preparations for Routing or Bridging over DDR DC-353 Cisco IOS Dial Technologies Configuration Guide Configuring Novell IPX Routing To configure routing of IPX over DDR, you must complete both global and interface-specific tasks: • Enable IPX routing globally. • Enable IPX watchdog spoofing, or enable Sequenced Packet Exchange (SPX) keepalive spoofing on the interface. To enable IPX routing, use the following command in global configuration mode: To enable IPX watchdog spoofing on the interface, use the following command in interface configuration mode: To enable SPX keepalive spoofing, use the following commands in interface configuration mode: You can configure IPX routing on DDR asynchronous, synchronous serial, and ISDN interfaces, as well as dialer rotary groups. For detailed DDR for IPX configuration examples, refer to the section “IPX over DDR Example” in the “Configuring Novell IPX” chapter of the Cisco IOS AppleTalk and Novell IPX Configuration Guide. Configuring AppleTalk Routing You must enable AppleTalk routing and then specify AppleTalk access lists. After you specify AppleTalk access lists, define dialer lists. Use the dialer-list protocol command to define permit or deny conditions for the entire protocol; for a finer granularity, use the dialer-list protocol command with the list keyword. You can configure AppleTalk routing on DDR asynchronous, synchronous serial, and ISDN interfaces, as well as dialer rotary groups. See the chapters “Configuring a Legacy DDR Spoke” or “Configuring a Legacy DDR Hub” for more information and examples. Command Purpose Router(config)# ipx routing [node] Enables IPX routing. Command Purpose Router(config-if)# ipx watchdog-spoof Enables IPX watchdog spoofing. Command Purpose Router(config-if)# ipx spx-spoof Enables SPX keepalive spoofing. Router(config-if)# ipx spx-idle-time delay-in-seconds Sets the idle time after which SPX spoofing begins. Preparing to Configure DDR Preparations for Routing or Bridging over DDR DC-354 Cisco IOS Dial Technologies Configuration Guide Configuring Banyan VINES Routing To configure DDR for Banyan VINES, use one of the following commands in global configuration mode: After you specify VINES standard or extended access lists, define DDR dialer lists. Use the dialer-list protocol command to define permit or deny conditions for the entire protocol; for a finer granularity, use the dialer-list protocol command with the list keyword. See the chapters “Configuring a Legacy DDR Spoke” or “Configuring a Legacy DDR Hub” for more information and examples. You can configure Banyan VINES on DDR asynchronous, synchronous serial, and ISDN interfaces, as well as dialer rotary groups. Note The Banyan VINES neighbor command is not supported for LAPB and X.25 encapsulations. Configuring DECnet Routing To configure DDR for DECnet, use one of the following commands in global configuration mode: After you specify DECnet standard or extended access lists, define DDR dialer lists. Use the dialer-list protocol command to define permit or deny conditions for the entire protocol; for a finer granularity, use the dialer-list protocol command with the list keyword. See the chapters “Configuring a Legacy DDR Spoke” or “Configuring a Legacy DDR Hub” in this publication for more information and examples. You classify DECnet control packets, including hello packets and routing updates, using one or more of the following commands: dialer-list protocol decnet_router-L1 permit, dialer-list protocol decnet_router-L2 permit, and dialer-list protocol decnet_node permit. You can configure DECnet on DDR asynchronous, synchronous serial, and ISDN interfaces, as well as dialer rotary groups. Command Purpose Router(config)# vines access-list access-list-number {permit | deny} source source-mask1 or Router(config)# vines access-list access-list-number {permit | deny} source source-mask [destination] [destination-mask] Specifies a VINES standard access list. Specifies a VINES extended access list. Command Purpose Router(config)# access-list access-list-number {permit | deny} source source-mask1 or Router(config)# access-list access-list-number {permit | deny} source source-mask [destination] [destination-mask] Specifies a DECnet standard access list. Specifies a DECnet extended access list. Preparing to Configure DDR Preparations for Routing or Bridging over DDR DC-355 Cisco IOS Dial Technologies Configuration Guide Configuring ISO CLNS Routing To configure ISO CLNS for DDR, use the following commands beginning in global configuration mode: After you complete these CLNS-specific steps, define a dialer list for CLNS. Use the dialer-list protocol command to define permit or deny conditions for the entire protocol; for a finer granularity, use the dialer-list protocol command with the list keyword. Use the access-group argument with this command, because ISO CLNS uses access groups but does not use access lists. See the chapters “Configuring a Legacy DDR Spoke” or “Configuring a Legacy DDR Hub” in this publication for more information and examples. You classify CLNS control packets, including hello packets and routing updates, using the dialer-list protocol clns_is permit and/or dialer-list protocol clns_es permit command. You can configure ISO CLNS on DDR asynchronous, synchronous serial, and ISDN interfaces, as well as dialer rotary groups. Configuring XNS Routing You must enable XNS routing and then define an access list. To define an XNS access list, use one of the following commands in global configuration mode: After you specify an XNS access list, define a DDR dialer list. Use the dialer-list protocol command to define permit or deny conditions for the entire protocol; for a finer granularity, use the dialer-list protocol command with the list keyword. See the chapters “Configuring a Legacy DDR Spoke” or “Configuring a Legacy DDR Hub” for more information and examples. Command Purpose Step 1 Router(config)# clns filter-set name [permit | deny] template Specifies one or more CLNS filters, repeating this command as needed to build the filter list associated with the filter name. Step 2 Router(config)# interface type number Specifies the interface to apply the filter to and begins interface configuration mode. Step 3 Router(config-if)# clns access-group name out Filters CLNS traffic going out of the interface, on the basis of the filter specified and named in Step 1. Command Purpose Router(config)# access-list access-list-number {deny | permit} source-network[.source-address [source-address-mask]] [destination-network[.destination-address [destination-address-mask]]] or Router(config)# access-list access-list-number {deny | permit} protocol [source-network[.source-host [source-network-mask.]source-host-mask] source-socket [destination-network [.destination-host [destination-network-mask.destination-host-mask] destination-socket[/pep]]] Specifies a standard XNS access list. Specifies an extended XNS access list. Preparing to Configure DDR Configuration Examples for Legacy DDR DC-356 Cisco IOS Dial Technologies Configuration Guide You can configure XNS on DDR asynchronous, synchronous serial, and ISDN interfaces, as well as dialer rotary groups. Associating the Protocol Access List with a Dialer Group DDR supports the following routed protocols: AppleTalk, Banyan VINES, DECnet, IP, Novell IPX, ISO CLNS, and XNS. You can permit or deny access by protocol, or you can specify an access list for more refined control. To associate a protocol or access list with a dialer group, use the following command in global configuration mode: Note For a given protocol and a given dialer group, only one access list can be specified in the dialer-list command. For the dialer-list protocol list command form, acceptable access list numbers are as follows: • Banyan VINES, DECnet, IP, and XNS standard and extended access list numbers • Novell IPX standard, extended, and SAP access list numbers • AppleTalk access lists numbers • Bridge type codes Configuration Examples for Legacy DDR The following sections provide DDR configuration examples: • Point-to-Point DDR Without Authentication Examples • Point-to-Point DDR with Authentication Examples Point-to-Point DDR Without Authentication Examples The following example sets up two-way reciprocal DDR without authentication; the client and server have dial-in access to each other. This configuration is demonstrated in the following two subsections. Remote Configuration The following sample configuration is performed on the remote side of the connection: interface ethernet 0 ip address 172.30.44.1 255.255.255.0 ! interface async 7 ip address 172.30.45.2 255.255.255.0 Command Purpose Router(config)# dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group} Associates a protocol access list number or access group name with the dialer group. Preparing to Configure DDR Configuration Examples for Legacy DDR DC-357 Cisco IOS Dial Technologies Configuration Guide async mode dedicated peer default ip address 172.30.45.1 encapsulation ppp dialer in-band dialer string 1234 dialer-group 1 ! ip route 172.30.43.0 255.255.255.0 async 7 ip default-network 172.30.0.0 chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT dialer-list 1 protocol ip permit ! line 7 no exec modem InOut speed 38400 flowcontrol hardware script dialer generic Local Configuration The following sample configuration is performed on the local side of the connection: interface ethernet 0 ip address 172.30.43.1 255.255.255.0 ! interface async 7 async mode dedicated peer default ip address 172.30.45.2 encapsulation ppp dialer in-band dialer string 1235 dialer rotary-group 1 ! interface async 8 async mode dedicated peer default ip address 172.30.45.2 dialer rotary-group 1 ! ip route 172.30.44.0 255.255.255.0 async 7 ip address 172.30.45.2 255.255.255.0 encapsulation ppp ppp authentication chap dialer in-band dialer map ip 172.30.45.2 name remote 4321 dialer load-threshold 80 ! ip route 172.30.44.0 255.255.255.0 128.150.45.2 chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT dialer-list 1 protocol ip permit ! route igrp 109 network 172.30.0.0 redistribute static passive-interface async 7 ! line 7 modem InOut speed 38400 flowcontrol hardware script dialer generic Preparing to Configure DDR Configuration Examples for Legacy DDR DC-358 Cisco IOS Dial Technologies Configuration Guide Point-to-Point DDR with Authentication Examples The following sample sets up two-way DDR with authentication; the client and server have dial-in access to each other. This configuration is demonstrated in the following two subsections. Remote Configuration The following example is performed on the remote side of the connection. It provides authentication by identifying a password that must be provided on each end of the connection. username local password secret1 username remote password secret2 interface ethernet 0 ip address 172.30.44.1 255.255.255.0 ! interface async 7 ip address 172.30.45.2 255.255.255.0 async mode dedicated peer default ip address 172.30.45.1 encapsulation ppp dialer in-band dialer string 1234 dialer-group 1 ! ip route 172.30.43.0 255.255.255.0 async 7 ip default-network 172.30.0.0 chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT dialer-list 1 protocol ip permit ! line 7 no exec modem InOut speed 38400 flowcontrol hardware script dialer generic Local Configuration The following example configuration is performed on the local side of the connection. As with the remote side configuration, it provides authentication by identifying a password for each end of the connection. username remote password secret1 username local password secret2 ! interface ethernet 0 ip address 172.30.43.1 255.255.255.0 ! interface async 7 async mode dedicated peer default ip address 172.30.45.2 dialer rotary-group 1 ! interface async 8 async mode dedicated peer default ip address 172.30.45.2 dialer rotary-group 1 ! interface dialer 1 ip address 172.30.45.2 255.255.255.0 encapsulation ppp Preparing to Configure DDR Configuration Examples for Legacy DDR DC-359 Cisco IOS Dial Technologies Configuration Guide ppp authentication chap dialer in-band dialer map ip 172.30.45.2 name remote 4321 dialer load-threshold 80 ! ip route 172.30.44.0 255.255.255.0 172.30.45.2 chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT ! route igrp 109 network 172.30.0.0 redistribute static passive-interface async 7 ! line 7 modem InOut speed 38400 flowcontrol hardware script dialer generic Preparing to Configure DDR Configuration Examples for Legacy DDR DC-360 Cisco IOS Dial Technologies Configuration Guide DC-361 Cisco IOS Dial Technologies Configuration Guide Configuring Legacy DDR Spokes This chapter describes how to configure legacy dial-on-demand routing (DDR) on interfaces that function as a spoke in a hub-and-spoke network topology. It includes the following main sections: • DDR Spokes Configuration Task Flow • How to Configure DDR • Monitoring DDR Connections • Configuration Examples for Legacy DDR Spoke This chapter considers a spoke interface to be any interface that calls or receives calls from exactly one other router, and considers a hub interface to be an interface that calls or receives calls from more than one router: all the spokes in the network. This chapter also describes the DDR-independent tasks required to bridge protocols or to route protocols over DDR. Most of these tasks are global in scope and can be completed before you begin to configure DDR. For configuration tasks for the central hub interface in a hub-and-spoke network topology, see the chapter “Configuring a Legacy DDR Hub” in this publication. For information about the Dialer Profiles implementation of DDR, see the chapter “Configuring Peer-to-Peer DDR with Dialer Profiles” in this publication. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the legacy DDR spoke commands mentioned in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. DDR Spokes Configuration Task Flow Before you configure DDR, make sure you have completed the preparations for bridging or routing as described in the chapter “Preparing to Configure DDR” in this publication. That chapter provides information about the minimal requirements. For detailed information about bridging, routing, and wide-area networking configurations, refer to the appropriate chapters in other volumes of this documentation set. Configuring Legacy DDR Spokes How to Configure DDR DC-362 Cisco IOS Dial Technologies Configuration Guide When you configure DDR on a spoke interface in a hub-and-spoke topology, you perform the following general steps: Step 1 Specify the interface that will place calls to or receive calls from a single site. (See the chapter “Configuring Legacy DDR Hubs” in this publication for information about configuring an interface to place calls to or receive calls from multiple sites.) Step 2 Enable DDR on the interface. This step is not required for some interfaces; for example, ISDN interfaces and passive interfaces that receive only from DTR-dialing interfaces. Step 3 Configure the interface to receive calls only, if applicable. Receiving calls from multiple sites requires each inbound call to be authenticated. Step 4 Configure the interface to place calls only, if applicable. Step 5 Configure the interface to place and receive calls, if applicable. Step 6 If the interface will place calls, specify access control for: • Transparent bridging—Assign the interface to a bridge group, and define dialer lists associated with the bridging access lists. The interface switches between members of the same bridge group, and dialer lists specify which packets can trigger calls. or • Routed protocols—Define dialer lists associated with the protocol access lists to specify which packets can trigger calls. Step 7 Customize the interface settings (timers, interface priority, hold queues, bandwidth on demand, and disabling fast switching) as needed. When you have configured the interface and it is operational, you can monitor its performance and its connections as described in the “Monitoring DDR Connections” section later in this chapter. You can also enhance DDR by configuring Multilink PPP and configuring PPP callback. The PPP configuration tasks are described in the chapter “Configuring Media-Independent PPP and Multilink PPP” in this publication. See the section “Configuration Examples for Legacy DDR Spoke” later in this chapter for examples of how to configure DDR on your network. How to Configure DDR To configure DDR on an interface, perform the tasks in the following sections. The first five bulleted items are required. The remaining tasks are not required, but might be necessary in your networking environment. • Specifying the Interface (Required) • Enabling DDR on the Interface (Required) • Configuring the Interface to Place Calls (Required) or Configuring the Interface to Receive Calls (Required) or Configuring the Interface to Place and Receive Calls (Required) • Defining the Traffic to Be Authenticated (As required) Configuring Legacy DDR Spokes How to Configure DDR DC-363 Cisco IOS Dial Technologies Configuration Guide • Configuring Access Control for Outgoing Calls (As required) • Configuring Access Control for Bridging (As required) • Configuring Access Control for Routing (As required) • Customizing the Interface Settings (As required) • Sending Traffic over Frame Relay, X.25, or LAPB Networks (As required) You can also monitor DDR connections. See the “Monitoring DDR Connections” section later in this chapter for commands and other information. For examples of legacy DDR on a point-to-point connection, see the “Configuration Examples for Legacy DDR Spoke” section later in this chapter. Specifying the Interface This section assumes that you have completed any preparatory steps required for the relevant interface. For example, if you intend to use an asynchronous interface, it assumes that you have completed the modem support and line configuration steps and the chat script creation steps. If you intend to use an ISDN interface, it assumes that you have the ISDN line properly provisioned and running. You can configure any asynchronous, synchronous serial, ISDN, or dialer interface for legacy DDR. Note When you specify an interface, make sure to use the interface numbering scheme supported on the network interface module or other port hardware on the router. On the Cisco 7200 series, for example, you specify an interface by indicating its type, slot number, and port number. To specify an interface to configure for DDR, use one of the following commands in global configuration mode: Dialer interfaces are logical or virtual entities, but they use physical interfaces to place or receive calls. Command Purpose Router(config)# interface async number Router(config)# interface serial number Router(config)# interface bri number or Router(config)# interface serial slot/port:23 Router(config)# interface serial slot/port:15 or Router(config)# interface dialer number Specifies an interface to configure for DDR. Specifies an ISDN PRI D channel (T1). Specifies an ISDN PRI D channel (E1). Specifies a logical interface to function as a dialer rotary group leader. Configuring Legacy DDR Spokes How to Configure DDR DC-364 Cisco IOS Dial Technologies Configuration Guide Enabling DDR on the Interface This task is required for asynchronous or synchronous serial interfaces but not for ISDN interfaces. The software automatically configures ISDN interfaces to be dialer type ISDN. This step is not required for ISDN interfaces (BRI interfaces and ISDN PRI D channels) and for purely passive interfaces that will receive calls only from interfaces that use DTR dialing. Enabling DDR on an interface usually requires you to specify the type of dialer to be used. This step is not required for ISDN interfaces because the software automatically configures ISDN interfaces to be dialer type ISDN. To enable DDR and specify the dialer type, use one of the following commands in global configuration mode: Note An interface configured with the dialer in-band command can both place and receive calls. A serial interface configured for DTR dialing can place calls only; it cannot accept them. You can optionally specify parity if the modem on this interface uses the V.25bis command set. The 1984 version of the V.25bis specification states that characters must have odd parity. However, the default for the dialer in-band command is no parity. For an example of configuring an interface to support DTR dialing, see the section “DTR Dialing Example” later in this chapter. To receive calls from an interface that is using DTR dialing, an interface can be configured for in-band dialing or not configured for anything but encapsulation, depending on the desired behavior. If you expect the receiving interface to terminate a call when no traffic is received for some time, you must configure in-band dialing (along with access lists and a dummy dialer string). If the receiving interface is purely passive, no additional configuration is necessary. Note You can configure an interface or dialer rotary group to both place and receive calls. If the interface is calling and being called by a single site, simply enable DDR and specify a dial string. Command Purpose Router(config)# dialer dtr or Router(config)# dialer in-band [no-parity | odd-parity] Enables DDR and configures the specified serial interface to use DTR dialing—for interfaces with non-V.25bis modems using EIA Data Terminal Ready (DTR) signaling. Enables DDR and configures the specified serial interface to use in-band dialing—for asynchronous interfaces or interfaces using V.25bis modems. Configuring Legacy DDR Spokes How to Configure DDR DC-365 Cisco IOS Dial Technologies Configuration Guide Configuring the Interface to Place Calls To configure an interface to place calls to one site only, perform the tasks in one of the following sections: • Specifying the Dial String for Synchronous Serial Interfaces (As required) • Specifying Chat Scripts and Dial Strings for Asynchronous Serial Interfaces (As required) Specifying the Dial String for Synchronous Serial Interfaces If you want to call only one remote system per synchronous serial interface, use the dialer string command. Dialers pass the string you have defined to the external DCE device. ISDN devices call the number specified in the string. To specify the telephone number call on a serial interface (asynchronous or synchronous), use the following command in interface configuration mode: Dialers pass the string (telephone number) to the external DCE device, which dials the number; ISDN devices themselves call the specified number. Specifying Chat Scripts and Dial Strings for Asynchronous Serial Interfaces The modem chat script becomes the default chat script for an interface, which means it becomes the default chat script for the dialer string and dialer map commands presented in this section. To place a call to a single site on an asynchronous line for which either a modem dialing script has not been assigned or a system script login must be specified, use the following command in interface configuration mode: Refer to the sections “How To Configure Chat Scripts” and “Dialer Mapping Example” in the chapter “Creating and Using Modem Chat Scripts” for more information about configuring chat scripts. Configuring the Interface to Receive Calls If you enable DDR on an interface by using the dialer in-band command, the interface can receive calls. No additional configuration steps are required simply to receive calls. Parity is not required for receiving calls only. An interface configured with the dialer in-band command can terminate calls when the line is idle for some configurable time. You cannot set up an ISDN interface only to receive calls from a single site, but you can set it up to receive and place calls to a single site. Command Purpose Router(config-if)# dialer string dial-string[:isdn-subaddress] Specifies the number to dial. Command Purpose Router(config-if)# dialer map protocol next-hop-address [modem-script modem-regexp] [system-script system-regexp] dial-string [:isdn-subaddress] Specifies chat scripts and a dial string. Configuring Legacy DDR Spokes How to Configure DDR DC-366 Cisco IOS Dial Technologies Configuration Guide To receive calls from an interface that is using DTR dialing, an interface can be configured for in-band dialing or not configured for anything but encapsulation, depending on the desired behavior. If you expect the receiving interface to terminate a call when no traffic is received for some time, you must configure in-band dialing (along with access lists and a dummy dialer string). If the receiving interface is purely passive, no additional configuration is necessary. Authentication is not required when traffic comes from only one site. However, you can configure authentication for security. See the “Defining the Traffic to Be Authenticated” section. If you want to receive calls only, do not provide a dial string in the dialer map command shown in that section. Configuring the Interface to Place and Receive Calls If you enable DDR on an interface by using the dialer in-band command, the interface can receive calls. To enable it to place calls to one site, you must define the dialing destination. To define the dialing destination, use the following command in interface configuration mode: Note Use the dialer map command instead of the dialer string command if you want to authenticate calls received. See the section “Defining the Traffic to Be Authenticated” later in this chapter for more information. When a dialer string is configured but PPP Challenge Handshake Authentication Protocol (CHAP) is not configured on the interface, the Cisco IOS software recognizes each incoming call as coming from the configured dialer string. That is, if your outgoing calls go to only one number and you do not authenticate incoming calls, it is assumed that all incoming calls come from that number. (If you received calls from multiple sites, you would need to authenticate the calls.) Authentication is not required when traffic comes from only one site. However, you can configure authentication for an extra measure of security. See the following section, “Defining the Traffic to Be Authenticated,” for more information. If you want to receive and place calls, use the dialer map command. Defining the Traffic to Be Authenticated Authentication can be done through CHAP or Password Authentication Protocol (PAP). In addition, the interface must be configured to map the protocol address of the host to the name to use for authenticating the remote host. Command Purpose Router(config-if)# dialer string dial-string[:isdn-subaddress] Specifies the number to dial one site. Configuring Legacy DDR Spokes How to Configure DDR DC-367 Cisco IOS Dial Technologies Configuration Guide To enable CHAP or PAP on an interface and authenticate sites that are calling in, use the following commands in interface configuration mode: If the dial string is not provided in the chat script, the interface will be able to receive calls from the host but will not be able to place calls to the host. Configuring Access Control for Outgoing Calls Protocol access lists and dialer access lists are central to the operation of DDR. In general, access lists are used as the screening criteria for determining when to initiate DDR calls. All packets are tested against the dialer access list. Packets that match a permit entry are deemed interesting. Packets that do not match a permit entry or that do match a deny entry are deemed uninteresting. When a packet is found to be interesting, either the dialer idle timer is reset (if the line is active) or a connection is attempted (if the line is available but not active). If a tested packet is deemed uninteresting, it will be forwarded if it is intended for a destination known to be on a specific interface and the link is active. However, such a packet will not initiate a DDR call and will not reset the idle timer. Configuring Access Control for Bridging You can control access by defining any transparent bridge packet as interesting, or you can use the finer granularity of controlling access by Ethernet type codes. To control access for DDR bridging, perform one of the following tasks in global configuration mode: • Controlling Bridging Access by Ethernet Type Codes (As required) • Permitting All Bridge Packets to Trigger Calls (As required) • Assigning the Interface to a Bridge Group (As required) Note Spanning-tree bridge protocol data units (BPDUs) are always treated as uninteresting. Command Purpose Step 1 Router(config-if)# encapsulation ppp Configures an interface for PPP encapsulation. Step 2 Router(config-if)# ppp authentication chap [if-needed] or Router(config-if)# ppp authentication pap [if-needed] Enables CHAP. Enables PAP. Step 3 Router(config-if)# dialer map protocol next-hop-address name hostname [modem-script modem-regexp] [system-script system-regexp] [dial-string[:isdn-subaddress]] Maps the protocol address to a host name. Configuring Legacy DDR Spokes How to Configure DDR DC-368 Cisco IOS Dial Technologies Configuration Guide Controlling Bridging Access by Ethernet Type Codes To control access by Ethernet type codes, use the following command in global configuration mode: To enable packets with a specified Ethernet type code to trigger outgoing calls, use the following command in interface configuration mode: For a table of some common Ethernet types codes, see the “Ethernet Types Codes” appendix in the Cisco IOS Bridging and IBM Networking Command Reference. Permitting All Bridge Packets to Trigger Calls To identify all transparent bridge packets as interesting, use the following command in interface configuration mode when you are configuring DDR: Assigning the Interface to a Bridge Group Packets are bridged only among interfaces that belong to the same bridge group. To assign an interface to a bridge group, use the following command in interface configuration mode: Configuring Access Control for Routing Before you perform the tasks outlined in this section, configure access lists for the protocols you intend to route over DDR as described briefly in the chapter “Preparing to Configure DDR” in this publication, and as described in greater detail in the appropriate network protocol configuration guide (for example, the Cisco IOS AppleTalk and Novell IPX Configuration Guide). Command Purpose Router(config)# access-list access-list-number {permit | deny} type-code [mask] Identifies interesting packets by Ethernet type codes (access list numbers must be in the range 200 to 299). Command Purpose Router(config-if)# dialer-list dialer-group protocol bridge list access-list-number Defines a dialer list for the specified access list. Command Purpose Router(config-if)# dialer-list dialer-group protocol bridge permit Defines a dialer list that treats all transparent bridge packets as interesting. Command Purpose Router(config-if)# bridge-group bridge-group Assigns the specified interface to a bridge group. Configuring Legacy DDR Spokes How to Configure DDR DC-369 Cisco IOS Dial Technologies Configuration Guide An interface can be associated only with a single dialer access group; multiple dialer access group assignments are not allowed. To specify the dialer access group to which you want to assign an access list, use the following command in interface configuration mode: Customizing the Interface Settings To customize DDR in your network, perform the tasks in the following sections as needed: • Configuring Timers on the DDR Interface (As required) • Setting Dialer Interface Priority (As required) • Configuring a Dialer Hold Queue (As required) • Configuring Bandwidth on Demand (As required) • Disabling and Reenabling DDR Fast Switching (As required) • Configuring Dialer Redial Options (As required) Configuring Timers on the DDR Interface To set the timers, perform the tasks in the following sections as needed: • Setting Line-Idle Time (As required) • Setting Idle Time for Busy Interfaces (As required) • Setting Line-Down Time (As required) • Setting Carrier-Wait Time (As required) Setting Line-Idle Time To specify the amount of time for which a line will stay idle before it is disconnected, use the following command in interface configuration mode: Note The dialer idle-timeout interface configuration command specifies the duration of time before an idle connection is disconnected. Previously, both inbound and outbound traffic would reset the dialer idle timer; now you can specify that only inbound traffic will reset the dialer idle timer. Command Purpose Router(config-if)# dialer-group group-number Specifies the number of the dialer access group to which the specific interface belongs. Command Purpose Router(config-if)# dialer idle-timeout seconds [inbound | either] Specifies the duration of idle time in seconds after which a line will be disconnected. By default, outbound traffic will reset the dialer idle timer. Adding the either keyword causes both inbound and outbound traffic to reset the timer; adding the inbound keyword causes only inbound traffic to reset the timer. Configuring Legacy DDR Spokes How to Configure DDR DC-370 Cisco IOS Dial Technologies Configuration Guide Setting Idle Time for Busy Interfaces The dialer fast idle timer is activated if there is contention for a line. Contention occurs when a line is in use, a packet for a different next hop address is received, and the busy line is required to send the competing packet. If the line has been idle for the configured amount of time, the current call is disconnected immediately and the new call is placed. If the line has not yet been idle as long as the fast idle timeout period, the packet is dropped because there is no way to get through to the destination. (After the packet is dropped, the fast idle timer remains active and the current call is disconnected as soon as it has been idle for as long as the fast idle timeout.) If, in the meantime, another packet is sent to the currently connected destination, and it is classified as interesting, the fast-idle timer is restarted. To specify the amount of time for which a line for which there is contention will stay idle before the line is disconnected and the competing call is placed, use the following command in interface configuration mode: This command applies to both inbound and outbound calls. Setting Line-Down Time To set the length of time for which the interface stays down before it is available to dial again after a line is disconnected or fails, use the following command in interface configuration mode: This command applies to both inbound and outbound calls. Setting Carrier-Wait Time To set the length of time for which an interface waits for the telephone service (carrier), use the following command in interface configuration mode: For asynchronous interfaces, this command sets the total time to wait for a call to connect. This time is set to allow for running the chat script. Setting Dialer Interface Priority Interface priority indicates which interface in a dialer rotary group will get used first for outgoing calls. You might give one interface a higher priority if it is attached to a faster, more reliable modem. In this way, the higher-priority interface will be used as often as possible. Command Purpose Router(config-if)# dialer fast-idle seconds Sets idle time for high traffic lines. Command Purpose Router(config-if)# dialer enable-timeout seconds Sets the interface downtime. Command Purpose Router(config-if)# dialer wait-for-carrier-time seconds Sets the length of time for which the interface waits for the carrier to come up when a call is placed. Configuring Legacy DDR Spokes How to Configure DDR DC-371 Cisco IOS Dial Technologies Configuration Guide To assign priority to an interface in a dialer rotary group, use the following command in interface configuration mode: The range of values for number is 0 through 255. Zero is the default value and lowest priority; 255 is the highest priority. This command applies to outgoing calls only. Configuring a Dialer Hold Queue Sometimes packets destined for a remote router are discarded because no connection exists. Establishing a connection using an analog modem can take time, during which packets are discarded. However, configuring a dialer hold queue will allow interesting outgoing packets to be queued and sent as soon as the modem connection is established. A dialer hold queue can be configured on any type of dialer, including in-band synchronous, asynchronous, DTR, and ISDN dialers. Also, hunt group leaders can be configured with a dialer hold queue. If a hunt group leader (of a rotary dialing group) is configured with a hold queue, all members of the group will be configured with a dialer hold queue and no hold queue of an individual member can be altered. To establish a dialer hold queue, use the following command in interface configuration mode: As many as 100 packets can be held in an outgoing dialer hold queue. Configuring Bandwidth on Demand You can configure a dialer rotary group to use additional bandwidth by placing additional calls to a single destination if the load for the interface exceeds a specified weighted value. Parallel communication links are established based on traffic load. The number of parallel links that can be established to one location is not limited. To set the dialer load threshold for bandwidth on demand, use the following command in interface configuration mode: Once multiple links are established, they are still governed by the load threshold. If the total load on all the links falls below the threshold, an idle link will be torn down. Command Purpose Router(config-if)# dialer priority number Sets the interface priority in the dialer rotary group. Command Purpose Router(config-if)# dialer hold-queue packets Creates a dialer hold queue and specifies the number of packets to be held in it. Command Purpose Router(config-if)# dialer load-threshold load Configures the dialer rotary group to place additional calls to a single destination, as indicated by interface load. Configuring Legacy DDR Spokes How to Configure DDR DC-372 Cisco IOS Dial Technologies Configuration Guide Disabling and Reenabling DDR Fast Switching Fast switching is enabled by default on all DDR interfaces. When fast switching is enabled or disabled on an ISDN D channel, it is enabled or disabled on all B channels. When fast switching is enabled or disabled on a dialer interface, it is enabled or disabled on all rotary group members but cannot be enabled or disabled on the serial interfaces individually. Fast switching can be disabled and re-enabled on a protocol-by-protocol basis. To disable fast switching and re-enable it, use one of the following protocol-specific commands in interface configuration mode: Configuring Dialer Redial Options By default, the Cisco IOS software generates a single dial attempt for each interesting packet. Dialer redial allows the dialer to be configured to make a maximum number of redial attempts if the first dial-out attempt fails, wait a specific interval between redial attempts, and disable the interface for a specified duration if all redial attempts fail. New dialout attempts will not be initiated if a redial is pending to the same destination. To configure redial options, use the following commands beginning in global configuration mode: Sending Traffic over Frame Relay, X.25, or LAPB Networks An interface configured for DDR can send traffic over networks that require Link Access Procedure, Balanced (LAPB), X.25, or Frame Relay encapsulation. Before Cisco IOS software Release 12.0(6)T, encapsulation techniques such as Frame Relay, HDLC, LAPB-TA, and X.25 could support only one ISDN B-channel connection over the entire link. HDLC and PPP could support multiple B channels, but the entire ISDN link needed to use the same encapsulation. The Dynamic Multiple Encapsulations feature allows incoming calls over ISDN to be assigned encapsulation type based on calling line identification (CLID) or DNIS. With the Dynamic Multiple Encapsulations feature, once CLID binding is completed, the topmost interface is always used for all Command Purpose Router(config-if)# no ip route-cache Router(config-if)# ip route cache Router(config-if)# no ip route-cache distributed Router(config-if)# ip route-cache distributed Disables IP fast switching over a DDR interface. Reenables IP fast switching over a DDR interface. Disables distributed IP fast switching over a DDR interface. This feature works in Cisco 7500 routers with a Versatile Interface Processor (VIP) card. Enables distributed IP fast switching over a DDR interface. This feature works in Cisco 7500 routers with a VIP card. Router(config-if)# no ipx route-cache Router(config-if)# ipx route-cache Disables IPX fast switching over a DDR interface. Reenables IPX fast switching over a DDR interface. Command Purpose Step 1 Router(config)# interface dialer Enters interface configuration mode. Step 2 Router(config-if)# dialer redial interval time attempts number re-enable disable-time Configures redial options on the router. Configuring Legacy DDR Spokes How to Configure DDR DC-373 Cisco IOS Dial Technologies Configuration Guide configuration and data structures. The ISDN B channel becomes a forwarding device, and the configuration on the D channel is ignored, thereby allowing the different encapsulation types and per-user configurations. To configure an interface for those networks, perform the tasks in the following sections: • Configuring the Interface for Sending Traffic over a Frame Relay Network (As required) • Configuring the Interface for Sending Traffic over an X.25 Network (As required) • Configuring the Interface for Sending Traffic over a LAPB Network (As required) Configuring the Interface for Sending Traffic over a Frame Relay Network Access to Frame Relay networks is now available through dialup connections as well as leased lines. Dialup connectivity allows Frame Relay networks to be extended to sites that do not generate enough traffic to justify leased lines, and also allows a Frame Relay network to back up another network or point-to-point line. DDR over Frame Relay is supported for synchronous serial and ISDN interfaces and for rotary groups, and is available for in-band, DTR, and ISDN dialers. Frame Relay supports multiple permanent virtual circuit (PVC) connections over the same serial interface or ISDN B channel, but only one physical interface can be used (dialed, connected, and active) in a rotary group or with ISDN. The Dynamic Multiple Encapsulations feature supports the following Frame Relay features: • Frame Relay RTP Header Compression (RFC 1889) • Frame Relay TCP/IP Header Compression • Legacy DDR over Frame Relay • Frame Relay Interface/Subinterface Backup Dynamic multiple encapsulations support at least four Frame Relay PVCs on either dialer interfaces or dialer subinterfaces. Note Frame Relay encapsulations in the Dynamic Multiple Encapsulations feature do not support IETF or Cisco Encapsulation for IBM Systems Network Architecture (SNA). Frame Relay for SNA support is not applicable. Configuration Restrictions The following restrictions apply to DDR used over Frame Relay: • Frame Relay is not available for asynchronous dialers. • The Frame Relay Dynamic Multiple Encapsulations feature does not provide bidirectional support. • With the Dynamic Multiple Encapsulations feature, there is no process switching for Frame Relay packets; these packets are always fast switched. • Like HDLC, LAPB, and X.25, Frame Relay does not provide authentication. However, ISDN dialers can offer some authentication through the caller ID feature. • Only one ISDN B channel can be dialed at any one time. When configuring a rotary group, you can use only one serial interface. Frame Relay subinterfaces work the same on dialup connections as they do on leased lines. Configuring Legacy DDR Spokes How to Configure DDR DC-374 Cisco IOS Dial Technologies Configuration Guide Configuration Overview No new commands are required to support DDR over Frame Relay. In general, you configure Frame Relay and configure DDR. In general, complete the following tasks to configure an interface for DDR over Frame Relay: • Specify the interface. • Specify the protocol identifiers for the interface. For example, enter the IP address and mask, the IPX network number, and the AppleTalk cable range and zone. • Configure Frame Relay. As a minimum, you must enable Frame Relay encapsulation and decide whether you need to do static or dynamic address mapping. If you decide to do dynamic mapping, you need not enter a command because Inverse Address Resolution Protocol is enabled by default. If you decide to do static mapping, you must enter Frame Relay mapping commands. You can then configure various options as needed for your Frame Relay network topology. • Configure DDR. At a minimum, you must decide and configure the interface for outgoing calls only, incoming calls only, or both outgoing and incoming calls. You can also configure DDR for your routed protocols (as specified in the section “Preparations for Routing or Bridging over DDR” in the chapter “Preparing to Configure DDR” in this publication) and for snapshot routing (as specified in the chapter “Configuring Snapshot Routing” later in this publication). You can also customize DDR interfaces on your router or access server (as described in the section “Customizing the Interface Settings” in this chapter). For examples of configuring various interfaces for DDR over Frame Relay, see the section “Frame Relay Support Example” later in this chapter. Configuring the Interface for Sending Traffic over an X.25 Network X.25 interfaces can now be configured to support DDR. Synchronous serial and ISDN interfaces on Cisco routers and access servers can be configured for X.25 addresses, X.25 encapsulation, and mapping of protocol addresses to the X.25 address of a remote host. In-band, DTR, and ISDN dialers can be configured to support X.25 encapsulation, but rotary groups cannot. Remember that for ISDN interfaces, once CLID binding is completed, the topmost interface is always used for all configuration and data structures. The ISDN B channel becomes a forwarding device, and the configuration on the D channel is ignored, thereby allowing the different encapsulation types and per-user configurations. For X.25 encapsulations, the configurations reside on the dialer profile. The Dynamic Multiple Encapsulations feature provides support for packet assembler/disassembler (PAD) traffic and X.25 encapsulated and switched packets. To configure an interface to support X.25 and DDR, use the following X.25-specific commands in interface configuration mode: Command Purpose Step 1 Router(config-if)# encapsulation x25 [dte | dce] [ietf] Configures the interface to use X.25 encapsulation. Configuring Legacy DDR Spokes Monitoring DDR Connections DC-375 Cisco IOS Dial Technologies Configuration Guide The order of DDR and X.25 configuration tasks is not critical; you can configure DDR before or after X.25, and you can even mix the DDR and X.25 commands. For an example of configuring an interface for X.25 encapsulation and then completing the DDR configuration, see the section “X.25 Support Example” later in this chapter. Configuring the Interface for Sending Traffic over a LAPB Network DDR over serial lines now supports LAPB encapsulation, in addition to the previously supported PPP, HDLC, and X.25 encapsulations. LAPB encapsulation is supported on synchronous serial, ISDN, and dialer rotary group interfaces, but not on asynchronous dialers. Because the default encapsulation is HDLC, you must explicitly configure LAPB encapsulation. To configure an interface to support LAPB encapsulation and DDR, use the following command in interface configuration mode: For more information about the serial connections on which LAPB encapsulation is appropriate, refer to the encapsulation lapb command in the chapter “X.25 and LAPB Commands” in the Cisco IOS Wide-Area Networking Command Reference. For an example of configuring an interface for DDR over LAPB, see the section “LAPB Support Example” later in this chapter. Monitoring DDR Connections To monitor DDR connections, use any of the following commands in privileged EXEC mode: Step 2 Router(config-if)# x25 address x.121-address Assigns an X.25 address to the interface. Step 3 Router(config-if)# x25 map protocol address [protocol2 address2 [...[protocol9 address9]]] x.121-address [option] Sets up the LAN protocols-to-remote host address mapping. Command Purpose Command Purpose Router(config-if)# encapsulation lapb [dte | dce] [multi | protocol] Specifies LAPB encapsulation. Command Purpose Router# show dialer [interface type number] Displays general diagnostics about the DDR interface. Router# show dialer map Displays current dialer maps, next-hop protocol addresses, user names, and the interfaces on which they are configured. Router# show interfaces bri 0 Displays information about the ISDN interface. Router# show ipx interface [type number] Displays status about the IPX interface. Router# show ipx traffic Displays information about the IPX packets sent by the router or access server, including watchdog counters. Configuring Legacy DDR Spokes Configuration Examples for Legacy DDR Spoke DC-376 Cisco IOS Dial Technologies Configuration Guide Configuration Examples for Legacy DDR Spoke The following section provides various DDR configurations examples: • Legacy Dial-on-Demand Routing Example • Transparent Bridging over DDR Examples • DDR Configuration in an IP Environment Example • Two-Way DDR for Novell IPX Example • AppleTalk Configuration Example • DECnet Configuration Example • ISO CLNS Configuration Example • XNS Configuration Example • Single Site Dialing Example • DTR Dialing Example • Hub-and-Spoke DDR for Asynchronous Interfaces and Authentication Example • Two-Way Reciprocal Client/Server DDR Without Authentication Example • Frame Relay Support Example • X.25 Support Example • LAPB Support Example Legacy Dial-on-Demand Routing Example The following example shows a Cisco 2600 series router that has enabled the dialer idle-timeout command with the inbound keyword. This command allows only inbound traffic that conforms to the dialer list to establish a connection and reset the dialer idle timer. interface BRI0/0 ip address 10.1.1.1 255.255.255.0 no ip directed-broadcast encapsulation ppp dialer idle-timeout 120 inbound dialer map ip 10.1.1.2 name 2611-7 0201 dialer-group 1 Router# show appletalk traffic Displays information about the AppleTalk packets sent by the router or access server. Router# show vines traffic Displays information about the Banyan VINES packets sent by the router or access server. Router# show decnet traffic Displays information about the DECnet packets sent by the router or access server. Router# show xns traffic Displays information about the XNS packets sent by the router or access server. Router# clear dialer Clears the values of the general diagnostic statistics. Command Purpose Configuring Legacy DDR Spokes Configuration Examples for Legacy DDR Spoke DC-377 Cisco IOS Dial Technologies Configuration Guide isdn switch-type basic-5ess no cdp enable ppp authentication chap ! ip classless ip route 10.2.1.1 255.255.255.255 10.1.1.2 ! access-list 101 permit icmp any any access-list 101 deny ip any any dialer-list 1 protocol ip list 101 tftp-server flash c2600-i-mz.jtong-CSCdm88145-120 Transparent Bridging over DDR Examples The following two examples differ only in the packets that cause calls to be placed. The first example specifies by protocol (any bridge packet is permitted to cause a call to be made); the second example allows a finer granularity by specifying the Ethernet type codes of bridge packets. The first example configures the serial 1 interface for DDR bridging. Any bridge packet is permitted to cause a call to be placed. no ip routing ! interface Serial1 no ip address encapsulation ppp dialer in-band dialer enable-timeout 3 dialer map bridge name urk broadcast 8985 dialer hold-queue 10 dialer-group 1 ppp authentication chap bridge-group 1 pulse-time 1 ! dialer-list 1 protocol bridge permit bridge 1 protocol ieee bridge 1 hello 10 The second example also configures the serial 1 interface for DDR bridging. However, this example includes an access-list command that specifies the Ethernet type codes that can cause calls to be placed and a dialer list protocol list command that refers to the specified access list. no ip routing ! interface Serial1 no ip address encapsulation ppp dialer in-band dialer enable-timeout 3 dialer map bridge name urk broadcast 8985 dialer hold-queue 10 dialer-group 1 ppp authentication chap bridge-group 1 pulse-time 1 ! access-list 200 permit 0x0800 0xFFF8 ! dialer-list 1 protocol bridge list 200 bridge 1 protocol ieee bridge 1 hello 10 Configuring Legacy DDR Spokes Configuration Examples for Legacy DDR Spoke DC-378 Cisco IOS Dial Technologies Configuration Guide DDR Configuration in an IP Environment Example The following example illustrates how to use DDR on an synchronous interface in an IP environment. You could use the same configuration on an asynchronous serial interface by changing interface serial 1 to specify an asynchronous interface (for example, interface async 0). interface serial 1 ip address 172.18.126.1 255.255.255.0 dialer in-band ! The next command sets the dialer idle time-out to 10 minutes. dialer idle-timeout 600 ! The next command inserts the phone number. dialer string 5551234 ! The next command gives the modem enough time to recognize that ! DTR has dropped so the modem disconnects the call. pulse-time 1 ! The next command adds this interface to the dialer access group defined with ! the dialer-list command. dialer-group 1 ! ! The first access list statement, below, specifies that IGRP updates are not ! interesting packets. The second access-list statement specifies that all ! other IP traffic such as Ping, Telnet, or any other IP packet are interesting ! packets. The dialer-list command then creates dialer access group 1 and states ! that access list 101 is to be used to classify packets as interesting or ! uninteresting. The ip route commands specify that there is a route to network ! 172.18.29.0 and to network 172.18.1.0 via 131.108.126.2. This means that several ! destination networks are available through a router that is dialed from interface ! async 1. ! access-list 101 deny igrp 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 dialer-list 1 list 101 ip route 172.18.29.0 172.18.126.2 ip route 172.18.1.0 172.18.126.2 ip local pool dialin 10.102.126.2 10.102.126.254 With many modems, the pulse-time command must be used so that DTR is dropped for enough time to allow the modem to disconnect. The redistribute static command can be used to advertise static route information for DDR applications. Refer to the redistribute static ip command, described in the chapter “IP Routing Commands” of the Cisco IOS IP Command Reference. Without this command, static routes to the hosts or network that the router can access with DDR will not be advertised to other routers with which the router is communicating. This behavior can block communication because some routes will not be known. Two-Way DDR for Novell IPX Example You can set DDR for Novell IPX so that both the client and server have dial-in access to each other. This configuration is demonstrated in the following two subsections. Remote Configuration Example The following example is performed on the remote side of the connection: username local password secret ipx routing ! Configuring Legacy DDR Spokes Configuration Examples for Legacy DDR Spoke DC-379 Cisco IOS Dial Technologies Configuration Guide interface ethernet 0 ipx network 40 ! interface async ip unnumbered e0 encapsulation ppp async mode dedicated async dynamic routing ipx network 45 ipx watchdog-spoof dialer in-band dialer map ipx 45.0000.0cff.d016 broadcast name local 1212 dialer-group 1 ppp authentication chap ! access-list 901 deny 0 FFFFFFFF 452 access-list 901 deny 0 FFFFFFFF 453 access-list 901 deny 0 FFFFFFFF 457 access-list 901 deny 0 FFFFFFFF 0 FFFFFFFF 452 access-list 901 deny 0 FFFFFFFF 0 FFFFFFFF 453 access-list 901 deny 0 FFFFFFFF 0 FFFFFFFF 457 access-list 901 permit 0 ipx route 41 45.0000.0cff.d016 ipx route 50 45.0000.0cff.d016 ipx sap 4 SERVER 50.0000.0000.0001 451 2 chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT ! dialer-list 1 list 901 ! line 7 modem InOut speed 38400 flowcontrol hardware modem chat-script generic Local Configuration Example The following example is performed on the local side of the connection: username remote password secret ipx routing ! interface ethernet 0 ipx network 41 ! interface async ip unnumbered e0 encapsulation ppp async mode dedicated async dynamic routing ipx network 45 ipx watchdog-spoof dialer in-band dialer map ipx 45.0000.0cff.d016 broadcast name remote 8888 dialer-group 1 ppp authentication chap ! access-list 901 deny 0 FFFFFFFF 452 access-list 901 deny 0 FFFFFFFF 453 access-list 901 deny 0 FFFFFFFF 457 access-list 901 deny 0 FFFFFFFF 0 FFFFFFFF 452 access-list 901 deny 0 FFFFFFFF 0 FFFFFFFF 453 access-list 901 deny 0 FFFFFFFF 0 FFFFFFFF 457 Configuring Legacy DDR Spokes Configuration Examples for Legacy DDR Spoke DC-380 Cisco IOS Dial Technologies Configuration Guide access-list 901 permit 0 ipx route 40 45.0000.0cff.d016 chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT ! dialer-list 1 list 901 ! line 7 modem InOut speed 38400 flowcontrol hardware modem chat-script generic AppleTalk Configuration Example The following example configures DDR for AppleTalk access using an ISDN BRI. Two access lists are defined: one for IP and Interior Gateway Routing Protocol (IGRP) and one for AppleTalk. AppleTalk packets from network 2141 only (except broadcast packets) can initiate calls. interface BRI0 ip address 172.17.20.107 255.255.255.0 encapsulation ppp appletalk cable-range 2141-2141 2141.65 appletalk zone SCruz-Eng no appletalk send-rtmps dialer map ip 172.17.20.106 broadcast 1879 dialer map appletalk 2141.66 broadcast 1879 dialer-group 1 ! access-list 101 deny igrp 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 access-list 601 permit cable-range 2141-2141 broadcast-deny access-list 601 deny other-access ! dialer-list 1 list 101 dialer-list 1 list 601 DECnet Configuration Example The following example configures DDR for DECnet: decnet routing 10.19 username RouterB password 7 030752180531 interface serial 0 no ip address decnet cost 10 encapsulation ppp dialer in-band dialer map decnet 10.151 name RouterB broadcast 4155551212 dialer-group 1 ppp authentication chap pulse-time 1 access-list 301 permit 10.0 0.1023 0.0 63.1023 dialer-list 1 protocol decnet list 301 Configuring Legacy DDR Spokes Configuration Examples for Legacy DDR Spoke DC-381 Cisco IOS Dial Technologies Configuration Guide ISO CLNS Configuration Example The following example configures a router for International Organization for Standardization Connectionless Network Service (ISO CLNS) DDR with in-band dialing: username RouterB password 7 111C140B0E clns net 47.0004.0001.0000.0c00.2222.00 clns routing clns filter-set ddrline permit 47.0004.0001.... ! interface serial 0 no ip address encapsulation ppp dialer in-band dialer map clns 47.0004.0001.0000.0c00.1111.00 name RouterB broadcast 1212 dialer-group 1 ppp authentication chap clns enable pulse-time 1 ! clns route default serial 0 dialer-list 1 protocol clns list ddrline XNS Configuration Example The following example configures DDR for XNS. The access lists deny broadcast traffic to any host on any network, but allow all other traffic. xns routing 0000.0c01.d8dd username RouterB password 7 111B210A0F interface serial 0 no ip address encapsulation ppp xns network 10 dialer in-band dialer map xns 10.0000.0c01.d877 name RouterB broadcast 4155551212 dialer-group 1 ppp authentication chap pulse-time 1 ! access-list 400 deny -1 -1.ffff.ffff.ffff 0000.0000.0000 access-list 400 permit -1 10 ! dialer-list 1 protocol xns list 400 Single Site Dialing Example The following example is based on the configuration shown in Figure 49; the router receives a packet with a next hop address of 10.1.1.1. Configuring Legacy DDR Spokes Configuration Examples for Legacy DDR Spoke DC-382 Cisco IOS Dial Technologies Configuration Guide Figure 49 Sample Dialer String or Dialer Map Configuration If the single site called by the DDR spoke interface on your router has the phone number 5555555, it will send the packet to that site, assuming that the next hop address 10.1.1.1 indicates the same remote device as phone number 5555555. The dialer string command is used to specify the string (telephone number) to be called. interface serial 1 dialer in-band dialer string 5555555 DTR Dialing Example The following example shows Router A and Router B connected to a Public Switched Telephone Network (PSTN). Router A is configured for DTR dialing. Remote Router B is configured for in-band dialing so it can disconnect an idle call. (See Figure 50.) Figure 50 DTR Dialing Through a PSTN Router A interface serial 0 ip address 172.18.170.19 255.255.255.0 dialer dtr dialer-group 1 ! access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 ! dialer-list 1 list 101 Remote Router B Remote Router A Local router 6666666 5555555 56951 Router A Router B PSTN E0 S0 S0 E0 S3036 Configuring Legacy DDR Spokes Configuration Examples for Legacy DDR Spoke DC-383 Cisco IOS Dial Technologies Configuration Guide Router B interface serial 0 ip address 172.18.170.20 255.255.255.0 dialer in-band dialer string 9876543 pulse-time 1 ! access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 ! dialer-list 1 list 101 Hub-and-Spoke DDR for Asynchronous Interfaces and Authentication Example The following example sets up DDR to provide service to multiple remote sites. In a hub-and-spoke configuration, you can use a generic configuration script to set up each remote connection. Figure 51 illustrates a typical hub-and-spoke configuration. Figure 51 Hub-and-Spoke DDR Configuration Commands in the following sections are used to create this configuration. Spoke Topology Configuration The following commands are executed on the spoke side of the connection. (A different “spoke” password must be specified for each remote client.) The configuration provides authentication by identifying a password that must be provided on each end of the connection. interface ethernet 0 ip address 172.30.44.1 255.255.255.0 ! interface async 7 async mode dedicated async default ip address 172.30.45.1 ip address 172.30.45.2 255.255.255.0 encapsulation ppp ppp authentication chap dialer in-band dialer map ip 172.30.45.1 name hub system-script hub 1234 dialer map ip 172.30.45.255 name hub system-script hub 1234 dialer-group 1 ! ip route 172.30.43.0 255.255.255.0 172.30.45.1 ip default-network 172.30.0.0 chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT S3366 Configuring Legacy DDR Spokes Configuration Examples for Legacy DDR Spoke DC-384 Cisco IOS Dial Technologies Configuration Guide chat-script hub ““ ““ name: spoke1 word: PPP dialer-list 1 protocol ip permit ! username hub password ! router igrp 109 network 172.30.0.0 passive-interface async 7 ! line 7 modem InOut speed 38400 flowcontrol hardware modem chat-script generic Hub Router Configuration The following commands are executed on the local side of the connection—the hub router. The commands configure the server for communication with three clients and provide authentication by identifying a unique password for each “spoke” in the hub-and-spoke configuration. interface ethernet 0 ip address 172.30.43.1 255.255.255.0 ! interface async 7 async mode interactive async dynamic address dialer rotary-group 1 ! interface async 8 async mode interactive async dynamic address dialer rotary-group 1 ! interface dialer 1 ip address 172.30.45.2 255.255.255.0 no ip split-horizon encapsulation ppp ppp authentication chap dialer in-band dialer map ip 172.30.45.2 name spoke1 3333 dialer map ip 172.30.45.2 name spoke2 4444 dialer map ip 172.30.45.2 name spoke3 5555 dialer map ip 172.30.45.255 name spoke1 3333 dialer map ip 172.30.45.255 name spoke2 4444 dialer map ip 172.30.45.255 name spoke3 5555 dialer-group 1 ! ip route 172.30.44.0 255.255.255.0 172.30.45.2 ip route 172.30.44.0 255.255.255.0 172.30.45.3 ip route 172.30.44.0 255.255.255.0 172.30.45.4 dialer-list 1 list 101 access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT ! username spoke1 password username spoke2 password username spoke3 password username spoke1 autocommand ppp 172.30.45.2 username spoke2 autocommand ppp 172.30.45.3 username spoke3 autocommand ppp 172.30.45.4 Configuring Legacy DDR Spokes Configuration Examples for Legacy DDR Spoke DC-385 Cisco IOS Dial Technologies Configuration Guide ! router igrp 109 network 172.30.0.0 redistribute static ! line 7 login tacacs modem InOut speed 38400 flowcontrol hardware modem chat-script generic Two-Way Reciprocal Client/Server DDR Without Authentication Example You can set up two-way reciprocal DDR without authentication in which both the client and server have dial-in access to each other. This configuration is demonstrated in the following two sections. Remote Configuration The following commands are executed on the remote side of the connection. This configuration provides authentication by identifying a password that must be provided on each end of the connection. interface ethernet 0 ip address 172.30.44.1 255.255.255.0 ! interface async 7 ip address 172.30.45.2 255.255.255.0 async mode dedicated async default ip address 172.30.45.1 encap ppp dialer in-band dialer string 1234 dialer-group 1 ! ip route 172.30.43.0 255.255.255.0 async 7 ip default-network 172.30.0.0 chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT dialer-list 1 protocol ip permit ! line 7 no exec modem InOut speed 38400 flowcontrol hardware modem chat-script generic Local Configuration The following commands are executed on the local side of the connection. As with the remote side configuration, this configuration provides authentication by identifying a password for each end of the connection. interface ethernet 0 ip address 172.30.43.1 255.255.255.0 ! interface async 7 async mode dedicated async default ip address 172.30.45.2 encapsulation ppp Configuring Legacy DDR Spokes Configuration Examples for Legacy DDR Spoke DC-386 Cisco IOS Dial Technologies Configuration Guide dialer in-band dialer string 1235 dialer rotary-group 1 ! interface async 8 async mode dedicated async default ip address 172.30.45.2 dialer rotary-group 1 ! ip route 172.30.44.0 255.255.255.0 async 7 ip address 172.30.45.2 255.255.255.0 encapsulation ppp ppp authentication chap dialer in-band dialer map ip 172.30.45.2 name remote 4321 dialer load-threshold 80 ! ip route 172.30.44.0 255.255.255.0 128.150.45.2 chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT dialer-list 1 protocol ip permit ! route igrp 109 network 172.30.0.0 redistribute static passive-interface async 7 ! line 7 modem InOut speed 38400 flowcontrol hardware modem chat-script generic Frame Relay Support Example The examples in this section present various combinations of interfaces, Frame Relay features, and DDR features. Frame Relay Access with In-Band Dialing (V.25bis) and Static Mapping Example The following example shows how to configure a router for IP over Frame Relay using in-band dialing. A Frame Relay static map is used to associate the next hop protocol address to the data-link connection identifier (DLCI). The dialer string allows dialing to only one destination. interface Serial0 ip address 10.1.1.1 255.255.255.0 encapsulation frame-relay frame-relay map ip 10.1.1.2 100 broadcast dialer in-band dialer string 4155551212 dialer-group 1 ! access-list 101 deny igrp any host 255.255.255.255 access-list 101 permit ip any any ! dialer-list 1 protocol ip list 101 Configuring Legacy DDR Spokes Configuration Examples for Legacy DDR Spoke DC-387 Cisco IOS Dial Technologies Configuration Guide Frame Relay Access with ISDN Dialing and DDR Dynamic Maps Example The following example shows a BRI interface configured for Frame Relay and for IP, IPX, and AppleTalk routing. No static maps are defined because this setup relies on Frame Relay Local Management Interface (LMI) signaling and Inverse ARP to determine the network addresses-to-DLCI mappings dynamically. (Because Frame Relay Inverse ARP is enabled by default, no command is required.) interface BRI0 ip address 10.1.1.1 255.255.255.0 ipx network 100 appletalk cable-range 100-100 100.1 appletalk zone ISDN no appletalk send-rtmps encapsulation frame-relay IETF dialer map ip 10.1.1.2 broadcast 4155551212 dialer map apple 100.2 broadcast 4155551212 dialer map ipx 100.0000.0c05.33ed broadcast 4085551234 dialer-group 1 ! access-list 101 deny igrp any host 255.255.255.255 access-list 101 permit ip any any access-list 901 deny -1 FFFFFFFF 452 access-list 901 deny -1 FFFFFFFF 453 access-list 901 deny -1 FFFFFFFF 457 access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 452 access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 453 access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 457 access-list 901 permit -1 access-list 601 permit cable-range 100-100 broadcast-deny access-list 601 deny other-access ! dialer-list 1 protocol ip list 101 dialer-list 1 protocol novell list 901 dialer-list 1 protocol apple list 601 X.25 Support Example The following example configures a router to support X.25 and DTR dialing: interface serial 0 ip address 172.18.170.19 255.255.255.0 encapsulation x25 x25 address 12345 x25 map ip 172.18.171.20 67890 broadcast dialer dtr dialer-group 1 ! access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 ! dialer-list 1 list 101 Configuring Legacy DDR Spokes Configuration Examples for Legacy DDR Spoke DC-388 Cisco IOS Dial Technologies Configuration Guide LAPB Support Example The following example configures a router for LAPB encapsulation and in-band dialing: interface serial 0 ip address 172.18.170.19 255.255.255.0 encapsulation lapb dialer in-band dialer string 4155551212 dialer-group 1 ! access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 ! dialer-list 1 protocol ip list 101 DC-389 Cisco IOS Dial Technologies Configuration Guide Configuring Legacy DDR Hubs This chapter describes how to configure legacy dial-on-demand routing (DDR) on interfaces functioning as the hub in a hub-and-spoke network topology. It includes the following main sections: • DDR Issues • DDR Hubs Configuration Task Flow • How to Configure DDR • Monitoring DDR Connections • Configuration Examples for Legacy DDR Hub This chapter considers a hub interface to be any interface that calls or receives calls from more than one other router and considers a spoke interface to be an interface that calls or receives calls from exactly one router. For configuration tasks for the spoke interfaces in a hub-and-spoke network topology, see the chapter “Configuring Legacy DDR Spokes” in this publication. For information about the dialer profiles implementation of DDR, see the chapter “Configuring Peer-to-Peer DDR with Dialer Profiles” in this publication. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the DDR commands in this chapter, see the Cisco IOS Dial Technologies Command Reference, Release 12.2. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. DDR Issues A DDR configuration applies to a specified router interface but serves to meet the communication needs of the network. The router configured for DDR has a function to serve in preserving communications and ensuring that routes are known to other routers at both ends of the dial link. Thus, these issues are important: • Types and number of router interfaces to be configured for DDR. • Function of each specific interface—to place calls, receive calls, or both—and the number of sites connecting to the interface. Configuring Legacy DDR Hubs DDR Hubs Configuration Task Flow DC-390 Cisco IOS Dial Technologies Configuration Guide • Identity and characteristics of the router at the other end of each connection—phone number, host name, next hop network protocol addresses, type of signaling used or required, ability to place or receive calls, other requirements. • Types of packets that will be allowed to trigger outgoing calls—if the interface places calls. • End of the connection that will control the communication: initiating calls and terminating calls when the line is idle. • Method for authenticating other routers—if the interface receives calls from multiple sites. • Passing routing information across the dial link. DDR Hubs Configuration Task Flow Before you configure DDR, make sure you have completed the preparations for bridging or routing as described in the chapter “Preparing to Configure DDR” in this publication. That chapter provides information about the minimal requirements. For detailed information about bridging, routing, and wide-area networking configurations, see the appropriate chapters in other volumes of this documentation set. When you configure DDR on a hub interface in a hub-and-spoke topology, you perform the following general steps: Step 1 Specify the interface that will place calls to or receive calls from multiple sites. (See the chapter “Configuring Legacy DDR Spokes” in this publication for information about configuring an interface to place calls to or receive calls from one site only.) Step 2 Enable DDR on the interface. This step is not required for some interfaces; for example, ISDN interfaces and passive interfaces that receive only from data terminal ready (DTR)-dialing interfaces. Step 3 Configure the interface to receive calls only, if applicable. Receiving calls from multiple sites requires each inbound call to be authenticated. Step 4 Configure the interface to place calls only, if applicable. Step 5 Configure the interface to place and receive calls, if applicable. Step 6 If the interface will place calls, specify access control for the following: • Transparent bridging—Assign the interface to a bridge group, and define dialer lists associated with the bridging access lists. The interface switches between members of the same bridge group, and dialer lists specify which packets can trigger calls. or • Routed protocols—Define dialer lists associated with the protocol access lists to specify which packets can trigger calls. Configuring Legacy DDR Hubs How to Configure DDR DC-391 Cisco IOS Dial Technologies Configuration Guide Step 7 Customize the interface settings (timers, interface priority, hold queues, bandwidth on demand, and disabling fast switching) as needed. When you have configured the interface and it is operational, you can monitor its performance and its connections as described in the “Monitoring DDR Connections” section later in this chapter. You can also enhance DDR by configuring Multilink PPP and configuring PPP callback. The PPP configuration tasks are described in the chapter “Configuring Media-Independent PPP and Multilink PPP” in this publication. See the section “Configuration Examples for Legacy DDR Hub” at the end of this chapter for examples of how to configure DDR on your network. How to Configure DDR To configure DDR on an interface, perform the tasks in the following sections. The first five bulleted items are required. The remaining tasks are not absolutely required, but might be necessary in your networking environment. • Specifying the Interface (Required) • Enabling DDR on the Interface (Required) • Configuring the Interface to Place Calls Only (Required) or Configuring the Interface to Receive Calls Only (Required) or Configuring the Interface to Place and Receive Calls (Required) • Configuring Access Control for Outgoing Calls (As required) • Customizing the Interface Settings (As required) • Sending Traffic over Frame Relay, X.25, or LAPB Networks (As required) See the section “Monitoring DDR Connections” later in this chapter for commands and other information about monitoring DDR connections. See the section “Configuration Examples for Legacy DDR Hub” at the end of this chapter for ideas about how to implement DDR in your network. Specifying the Interface You can configure any asynchronous, synchronous serial, ISDN, or dialer interface for legacy DDR. Note When you specify an interface, make sure to use the interface numbering scheme supported on the network interface module or other port hardware on the router. On the Cisco 7200 series router, for example, you specify an interface by indicating its type, slot number, and port number. Configuring Legacy DDR Hubs How to Configure DDR DC-392 Cisco IOS Dial Technologies Configuration Guide To specify an interface to configure for DDR, use one of the following commands in global configuration mode: Dialer interfaces are logical or virtual entities, but they use physical interfaces to place or receive calls. Enabling DDR on the Interface This task is required for asynchronous serial, synchronous serial, and logical dialer interfaces. This task is not required for ISDN interfaces (BRI interfaces and ISDN PRI D channels) and for purely passive interfaces that will receive calls only from interfaces that use DTR dialing. Enabling DDR on an interface usually requires you to specify the type of dialer to be used. This task is not required for ISDN interfaces because the software automatically configures ISDN interfaces to be dialer type ISDN. To enable DDR on the interface, use the following command in interface configuration mode: You can optionally specify parity if the modem on this interface uses the V.25bis command set. The 1984 version of the V.25bis specification states that characters must have odd parity. However, the default for the dialer in-band command is no parity. Configuring the Interface to Place Calls Only To configure an interface to place calls to multiple destinations, perform the following tasks. The first task is required for all interface types. The second task is required only if you specified a dialer interface. • Defining the Dialing Destination (Required) • Specifying a Physical Interface to Use and Assigning It to a Dialer Rotary Group (As required) Command Purpose Router(config)# interface async number Router(config)# interface serial number Router(config)# interface bri number or Router(config)# interface serial slot/port:23 Router(config)# interface serial slot/port:15 or Router(config)# interface dialer number Specifies an interface to configure for DDR. Specifies an ISDN PRI D channel (T1). Specifies an ISDN PRI D channel (E1). Specifies a logical interface to function as a dialer rotary group leader. Command Purpose Router(config-if)# dialer in-band [no-parity | odd-parity] Enables DDR on an asynchronous interface or a synchronous serial interface using V.25bis modems. Configuring Legacy DDR Hubs How to Configure DDR DC-393 Cisco IOS Dial Technologies Configuration Guide Defining the Dialing Destination For calling multiple sites, an interface or dialer rotary group must be configured to map each next hop protocol address to the dial string (some form of a telephone number) used to reach it. To define each dialing destination, use one of the following commands in interface configuration mode: Repeat this task as many times as needed to ensure that all dialing destinations are reachable via some next hop address and dialed number. If you intend to send traffic over other types of networks, see one of the following sections later in this chapter: “Configuring the Interface for Sending Traffic over a Frame Relay Network,” “Configuring the Interface for Sending Traffic over an X.25 Network,” or “Configuring the Interface for Sending Traffic over a LAPB Network.” Specifying a Physical Interface to Use and Assigning It to a Dialer Rotary Group This section applies only if you specified a dialer interface to configure for DDR. To assign a physical interface to a dialer rotary group, use the following commands beginning in global configuration mode: Repeat these two steps for each physical interface to be used by the dialer interface. An ISDN BRI is a rotary group of B channels. An ISDN interface can be part of a rotary group comprising other interfaces (synchronous, asynchronous, ISDN BRI, or ISDN PRI). However, Cisco supports at most one level of recursion; that is, a rotary of rotaries is acceptable, but a rotary of rotaries of rotaries is not supported. Interfaces in a dialer rotary group do not have individual addresses; when the interface is being used for dialing, it inherits the parameters configured for the dialer interface. However, if the individual interface is configured with an address and it is subsequently used to establish a connection from the user EXEC level, the individual interface address again applies. Command Purpose Router(config-if)# dialer map protocol next-hop-address dial-string[:isdn-subaddress] Defines a dialing destination for a synchronous serial interface or a dialer interface. Router(config-if)# dialer map protocol next-hop-address [spc] [speed 56 | 64] [broadcast] [dial-string[:isdn-subaddress]] Defines a dialing destination for an ISDN interface (including an ISDN PRI D channel). Router(config-if)# dialer map protocol next-hop-address [modem-script modem-regexp] [system-script system-regexp] dial-string[:isdn-subaddress] Defines a dialing destination for an asynchronous interface. If a modem dialing chat script has not been assigned to the line or a system login chat script must be specified, defines both a dialing destination and the chat scripts to use. Command Purpose Step 1 Router(config)# interface serial number or Router(config)# interface async number Specifies a physical interface to use and begins interface configuration mode. Step 2 Router(config-if)# dialer rotary-group number Assigns the specified physical interface to a dialer rotary group. Configuring Legacy DDR Hubs How to Configure DDR DC-394 Cisco IOS Dial Technologies Configuration Guide Note When you look at your configuration file, commands will not appear in the order in which you entered them. You will also see interface configuration commands that you did not enter, because each interface assigned to a dialer rotary group inherits the parameters of the dialer interface in the dialer rotary group. Figure 52 illustrates how dialer interfaces work. In this configuration, serial interfaces 1, 2, and 3 are assigned to dialer rotary group 1 and thereby take on the parameters configured for dialer interface 1. When it is used for dialing, the IP address of serial interface 2 is the same as the address of the dialer interface, 172.18.1.1. Figure 52 Sample Dialer Interface Configuration Configuring the Interface to Receive Calls Only Once DDR is enabled on an asynchronous serial, synchronous serial, and ISDN interface, the interface can receive calls from multiple sites using one line or multiple lines. However, interfaces that receive calls from multiple sites require authentication of the remote sites. In addition, dialer interfaces require at least one physical interface to be specified and added to the dialer rotary group. The tasks in the following sections describe how to configuration authentication: • Configuring the Interface for TACACS+ or • Configuring the Interface for PPP Authentication • Specifying Physical Interfaces and Assigning Them to the Dialer Rotary Group Serial interface 6 Serial interface 5 Serial interface 4 Serial interface 1 Serial interface 2 Serial interface 3 Dialer rotary group 2 172.18.1.1 172.25.1.1 Dialer interface 1 Dialer interface 2 Dialer rotary group 1 54733 Router Configuring Legacy DDR Hubs How to Configure DDR DC-395 Cisco IOS Dial Technologies Configuration Guide Configuring the Interface for TACACS+ To configure TACACS as an alternative to host authentication, use one of the following commands in interface configuration mode: Use the ppp use-tacacs command with TACACS and extended TACACS. Use the aaa authentication ppp command with authentication, authorization, and accounting (AAA)/TACACS+. Configuring the Interface for PPP Authentication This section specifies the minimum required configuration for PPP Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) authentication. For more detailed information, see the chapter “Configuring Media-Independent PPP and Multilink PPP” in this publication. To use CHAP or PAP authentication, perform the following steps beginning in interface configuration mode: Note After you have enabled one of these protocols, the local router or access server requires authentication of the remote devices that are calling. If the remote device does not support the enabled authentication protocol, no traffic will be passed to that device. 1. For CHAP, configure host name authentication and the secret or password for each remote system with which authentication is required. 2. Map the protocol address to the name of the host calling in. To enable PPP encapsulation, use the following commands beginning in interface configuration mode: Command Purpose Router(config-if)# ppp use-tacacs [single-line] or Router(config-if)# aaa authentication ppp Configures TACACS. Command Purpose Step 1 Router(config-if)# encapsulation ppp Enables PPP on an interface. Step 2 Router(config-if)# ppp authentication chap [if-needed] or Router(config-if)# ppp authentication pap Enables CHAP on an interface. Enables PAP on an interface. Step 3 Router(config-if)# dialer map protocol next-hop-address name hostname For any host calling in to the local router or access server, maps its host name (case-sensitive) to the next hop address used to reach it. Repeat this step for each host calling in to this interface. Configuring Legacy DDR Hubs How to Configure DDR DC-396 Cisco IOS Dial Technologies Configuration Guide Specifying Physical Interfaces and Assigning Them to the Dialer Rotary Group To assign a physical interface to a dialer rotary group, use the following commands beginning in global configuration mode: Repeat these two steps for each physical interface to be used by the dialer interface. Configuring the Interface to Place and Receive Calls You can configure an physical interface or dialer interface to both place and receive calls. For placing calls, the interface must be configured to map each next hop address to the telephone number to dial. For receiving calls from multiple sites, the interface must be configured to authenticate callers. Figure 53 shows a configuration in which the central site is calling and receiving calls from multiple sites. In this configuration, multiple sites are calling in to a central site, and the central site might be calling one or more of the remote sites. Step 4 Router(config-if)# exit Returns to global configuration mode. Step 5 Router(config)# username name [user-maxlinks link-number] password secret Specifies the password to be used in CHAP caller identification. Optionally, you can specify the maximum number of connections a user can establish. To use the user-maxlinks keyword, you must also use the aaa authorization network default local command, and PPP encapsulation and name authentication on all the interfaces the user will be accessing. Repeat this step to add a username entry for each remote system from which the local router or access server requires authentication. Command Purpose Command Purpose Step 1 Router(config)# interface serial number or Router(config)# interface async number Specifies a physical interface to use and begins interface configuration mode. Step 2 Router(config-if)# dialer rotary-group number Assigns the specified physical interface to a dialer rotary group. Configuring Legacy DDR Hubs How to Configure DDR DC-397 Cisco IOS Dial Technologies Configuration Guide Figure 53 Hub-and-Spoke Configuration Using DDR To configure a single line, multiple lines, or a dialer interface to place calls to and receive calls from multiple sites, perform the tasks in the following section: • Defining One or More Dialing Destinations • Defining the Traffic to Be Authenticated If you intend to send traffic over other types of networks, see one of the following sections later in this chapter: “Configuring the Interface for Sending Traffic over a Frame Relay Network,” “Configuring the Interface for Sending Traffic over an X.25 Network,” or “Configuring the Interface for Sending Traffic over a LAPB Network.” Defining One or More Dialing Destinations For calling multiple sites, an interface or dialer rotary group must be configured to map each next hop protocol address to the dial string (some form of a telephone number) used to reach it. To define each dialing destination, use one of the following commands in interface configuration mode: Repeat this task as many times as needed to ensure that all dialing destinations are reachable via some next hop address and dialed number. Central site S1159a Remote Router A Remote Router B Remote Router D Remote Router C Remote Router E Command Purpose Router(config-if)# dialer string dial-string[:isdn-subaddress] Defines only one dialing destination (used to configure one phone number on multiple lines only). Router(config-if)# dialer map protocol next-hop-address dial-string[:isdn-subaddress] Defines one of several dialing destinations for a synchronous serial interface or a dialer interface. Router(config-if)# dialer map protocol next-hop-address [spc] [speed 56 | 64][broadcast] [dial-string[:isdn-subaddress]] Defines one of several dialing destinations for an ISDN interface (including an ISDN PRI D channel). Router(config-if)# dialer map protocol next-hop-address [modem-script modem-regexp] [system-script system-regexp] dial-string[:isdn-subaddress] Defines one of several dialing destinations for an asynchronous interface. If a modem dialing chat script has not been assigned to the line or a system login chat script must be specified, define both a dialing destination and the chat scripts to use. Configuring Legacy DDR Hubs How to Configure DDR DC-398 Cisco IOS Dial Technologies Configuration Guide Defining the Traffic to Be Authenticated Calls from the multiple sites must be authenticated. Authentication can be done through CHAP or PAP. In addition, the interface must be configured to map the protocol address of a host to the name to use for authenticating the remote host. To enable CHAP or PAP on an interface and authenticate sites that are calling in, use the following commands in interface configuration mode: If the dial string is not used, the interface will be able to receive calls from the host, but will not be able to place calls to the host. Repeat this task for each site from which the router will receive calls. Configuring Access Control for Outgoing Calls Protocol access lists and dialer access lists are central to the operation of DDR. In general, access lists are used as the screening criteria for determining when to initiate DDR calls. All packets are tested against the dialer access list. Packets that match a permit entry are deemed interesting or packets of interest. Packets that do not match a permit entry or that do match a deny entry are deemed uninteresting. When a packet is found to be interesting, either the dialer idle timer is reset (if the line is active) or a connection is attempted (assuming the line is available but not active). If a tested packet is deemed uninteresting, it will be forwarded if it is intended for a destination known to be on a specific interface and the link is active. However, such a packet will not initiate a DDR call and will not reset the idle timer. Configuring Access Control for Bridging When you completed preparations for bridging over DDR, you entered global access lists to specify the protocol packets to be permitted or denied, and global dialer lists to specify which access list to use and which dialer group will place the outgoing calls. Now you must tie those global lists to an interface configured for DDR. You do this by assigning selected interfaces to a bridge group. Because packets are bridged only among interfaces that belong to the same bridge group, you need to assign this interface and others to the same bridge group. Command Purpose Step 1 Router(config-if)# encapsulation ppp Configures an interface for PPP encapsulation. Step 2 Router(config-if)# ppp authentication chap [if-needed] or Router(config-if)# ppp authentication pap [if-needed] Enables CHAP. Enables PAP. Step 3 Router(config-if)# dialer map protocol next-hop-address name hostname [modem-script modem-regexp] [system-script system-regexp] [dial-string[:isdn-subaddress]] Maps the protocol address to a host name. Configuring Legacy DDR Hubs How to Configure DDR DC-399 Cisco IOS Dial Technologies Configuration Guide To assign an interface to a bridge group, use the following command in interface configuration mode: For examples of bridging over DDR, see the “Transparent Bridging over DDR Examples” section later in this chapter. Configuring Access Control for Routing Before you perform the tasks outlined in this section, you should have completed the preparations for routing a protocol over DDR as described briefly in the chapter “Preparing to Configure DDR” in this publication and as described in greater detail in the appropriate network protocols configuration guide (for example, the Cisco IOS AppleTalk and Novell IPX Configuration Guide). An interface can be associated only with a single dialer access group; multiple dialer access group assignments are not allowed. To specify the dialer access group to which you want to assign an access list, use the following command in interface configuration mode: Customizing the Interface Settings To customize DDR in your network, perform the tasks in the following sections as needed: • Configuring Timers on the DDR Interface (As required) • Setting Dialer Interface Priority (As required) • Configuring a Dialer Hold Queue (As required) • Configuring Bandwidth on Demand (As required) • Disabling and Reenabling DDR Fast Switching (As required) • Configuring Dialer Redial Options (As required) Configuring Timers on the DDR Interface To configure DDR interface timers, perform the tasks in the following sections as needed: • Setting Line-Idle Time (As required) • Setting Idle Time for Busy Interfaces (As required) • Setting Line-Down Time (As required) • Setting Carrier-Wait Time (As required) Command Purpose Router(config-if)# bridge-group bridge-group Assigns the specified interface to a bridge group. Command Purpose Router(config-if)# dialer-group group-number Specifies the number of the dialer access group to which the specific interface belongs. Configuring Legacy DDR Hubs How to Configure DDR DC-400 Cisco IOS Dial Technologies Configuration Guide Setting Line-Idle Time To specify the amount of time for which a line will stay idle before it is disconnected, use the following command in interface configuration mode: Setting Idle Time for Busy Interfaces The dialer fast idle timer is activated if there is contention for a line. Contention occurs when a line is in use, a packet for a different next hop address is received, and the busy line is required to send the competing packet. If the line has been idle for the configured amount of time, the current call is disconnected immediately and the new call is placed. If the line has not yet been idle as long as the fast idle timeout period, the packet is dropped because the destination is unreachable. (After the packet is dropped, the fast idle timer remains active and the current call is disconnected as soon as it has been idle for as long as the fast idle timeout). If, in the meantime, another packet is sent to the currently connected destination, and it is classified as interesting, the fast-idle timer is restarted. To specify the amount of time for which a line for which there is contention will stay idle before the line is disconnected and the competing call is placed, use the following command in interface configuration mode: This command applies to both inbound and outbound calls. Setting Line-Down Time To set the length of time for which the interface stays down before it is available to dial again after a line is disconnected or fails, use the following command in interface configuration mode: This command applies to both inbound and outbound calls. Setting Carrier-Wait Time To set the length of time for which an interface waits for the telephone service (carrier), use the following command in interface configuration mode: Command Purpose Router(config-if)# dialer idle-timeout seconds Sets line-idle time. Command Purpose Router(config-if)# dialer fast-idle seconds Sets idle time for high traffic lines. Command Purpose Router(config-if)# dialer enable-timeout seconds Sets the interface downtime. Command Purpose Router(config-if)# dialer wait-for-carrier-time seconds Sets the length of for which time the interface waits for the carrier to come up when a call is placed. Configuring Legacy DDR Hubs How to Configure DDR DC-401 Cisco IOS Dial Technologies Configuration Guide For asynchronous interfaces, this command sets the total time to wait for a call to connect. This time is set to allow for running the chat script. Setting Dialer Interface Priority You can assign dialer priority to an interface. Priority indicates which interface in a dialer rotary group will get used first. To assign priority to a dialer interface, use the following command in interface configuration mode: For example, you might give one interface in a dialer rotary group higher priority than another if it is attached to a faster, more reliable modem. In this way, the higher-priority interface will be used as often as possible. The range of values for number is 0 through 255. Zero is the default value and lowest priority; 255 is the highest priority. This command applies to outgoing calls only. Configuring a Dialer Hold Queue Sometimes packets destined for a remote router are discarded because no connection exists. Establishing a connection using an analog modem can take time, during which packets are discarded. However, configuring a dialer hold queue will allow interesting outgoing packets to be queued and sent as soon as the modem connection is established. A dialer hold queue can be configured on any type of dialer, including in-band synchronous, asynchronous, DTR, and ISDN dialers. Also, hunt group leaders can be configured with a dialer hold queue. If a hunt group leader (of a rotary dialing group) is configured with a hold queue, all members of the group will be configured with a dialer hold queue and no hold queue for an individual member can be altered. To establish a dialer hold queue, use the following command in interface configuration mode: As many as 100 packets can be held in an outgoing dialer hold queue. Configuring Bandwidth on Demand You can configure a dialer rotary group to use additional bandwidth by placing additional calls to a single destination if the load for the interface exceeds a specified weighted value. Parallel communication links are established based on traffic load. The number of parallel links that can be established to one location is not limited. Command Purpose Router(config-if)# dialer priority number Specifies which dialer interfaces will be used first. Command Purpose Router(config-if)# dialer hold-queue packets Creates a dialer hold queue and specifies the number of packets to be held in it. Configuring Legacy DDR Hubs How to Configure DDR DC-402 Cisco IOS Dial Technologies Configuration Guide To set the dialer load threshold for bandwidth on demand, use the following command in interface configuration mode: Once multiple links are established, they are still governed by the load threshold. If the total load falls below the threshold, an idle link will be torn down. Disabling and Reenabling DDR Fast Switching Fast switching is enabled by default on all DDR interfaces. When fast switching is enabled or disabled on an ISDN D channel, it is enabled or disabled on all B channels. When fast switching is enabled or disabled on a dialer interface, it is enabled or disabled on all rotary group members but cannot be enabled or disabled on the serial interfaces individually. Fast switching can be disabled and re-enabled on a protocol-by-protocol basis. To disable fast switching and re-enable it, use one of the following protocol-specific commands in interface configuration mode: Configuring Dialer Redial Options By default, the Cisco IOS software generates a single dial attempt for each interesting packet. Dialer redial allows the dialer to be configured to make a maximum number of redial attempts if the first dial-out attempt fails, wait a specific interval between redial attempts, and disable the interface for a specified duration if all redial attempts fail. New dialout attempts will not be initiated if a redial is pending to the same destination. Command Purpose Router(config-if)# dialer load-threshold load Configures the dialer rotary group to place additional calls to a destination, as indicated by interface load. Command Purpose Router(config-if)# no ip route-cache Router(config-if)# ip route cache Router(config-if)# no ip route-cache distributed Router(config-if)# ip route-cache distributed Disables IP fast switching over a DDR interface. Reenables IP fast switching over a DDR interface. Disables distributed IP fast switching over a DDR interface. This feature works in Cisco 7500 routers with a Versatile Interface Processor (VIP) card. Enables distributed IP fast switching over a DDR interface. This feature works in Cisco 7500 routers with a VIP card. Router(config-if)# no ipx route-cache Router(config-if)# ipx route-cache Disables IPX fast switching over a DDR interface. Reenables IPX fast switching over a DDR interface. Configuring Legacy DDR Hubs How to Configure DDR DC-403 Cisco IOS Dial Technologies Configuration Guide To configure redial options, use the following commands beginning in global configuration mode: Sending Traffic over Frame Relay, X.25, or LAPB Networks An interface configured for DDR can send traffic over networks that require Link Access Procedure, Balanced (LAPB), X.25, or Frame Relay encapsulation. Before Cisco IOS software Release 12.0(6)T, encapsulation techniques such as Frame Relay, High-Level Data Link Control (HDLC), LAPB-TA, and X.25 could support only one ISDN B-channel connection over the entire link. HDLC and PPP could support multiple B channels, but the entire ISDN link needed to use the same encapsulation. Dynamic multiple encapsulations allow incoming calls over ISDN to be assigned encapsulation type based on calling line identification (CLID) or Dialed Number Identification Service (DNIS). With dynamic multiple encapsulations, once CLID binding is completed, the topmost interface is always used for all configuration and data structures. The ISDN B channel becomes a forwarding device, and the configuration on the D channel is ignored, thereby allowing the different encapsulation types and per-user configurations. To configure an interface for those networks, perform the tasks in the following sections: • Configuring the Interface for Sending Traffic over a Frame Relay Network (As Required) • Configuring the Interface for Sending Traffic over an X.25 Network (As Required) • Configuring the Interface for Sending Traffic over a LAPB Network (As Required) Configuring the Interface for Sending Traffic over a Frame Relay Network Access to Frame Relay networks is now available through dialup connections and leased lines. Dialup connectivity allows Frame Relay networks to be extended to sites that do not generate enough traffic to justify leased lines, and also allows a Frame Relay network to back up another network or point-to-point line. DDR over Frame Relay is supported for synchronous serial and ISDN interfaces and for rotary groups, and is available for in-band, DTR, and ISDN dialers. Frame Relay supports multiple permanent virtual circuit (PVC) connections over the same serial interface or ISDN B channel, but only one physical interface can be used (dialed, connected, and active) in a rotary group or with ISDN. Dynamic multiple encapsulations support the following Frame Relay features: • Frame Relay RTP Header Compression (RFC 1889) • Frame Relay TCP/IP Header Compression • Legacy DDR over Frame Relay • Frame Relay Interface/Subinterface Backup Dynamic multiple encapsulations support at least four Frame Relay PVCs on either dialer interfaces or dialer subinterfaces. Command Purpose Step 1 Router(config)# interface dialer Enters interface configuration mode. Step 2 Router(config-if)# dialer redial interval time attempts number re-enable disable-time Configures redial options on the router. Configuring Legacy DDR Hubs How to Configure DDR DC-404 Cisco IOS Dial Technologies Configuration Guide Note Frame Relay encapsulations in the dynamic multiple encapsulations feature do not support IETF or Cisco Encapsulation for IBM Systems Network Architecture (SNA). Frame Relay for SNA support is not applicable. Configuration Restrictions The following restrictions apply to DDR used over Frame Relay: • Frame Relay is not available for asynchronous dialers. • The Frame Relay dynamic multiple encapsulations does not provide bidirectional support. • With the dynamic multiple encapsulations, there is no process switching for Frame Relay packets; these packets are always fast switched. • Like HDLC, LAPB, X.25 and Frame Relay do not provide authentication. However, ISDN dialers can offer some authentication through the caller ID feature. • Only one ISDN B channel can be dialed at any one time. When configuring a rotary group, you can use only one serial interface. Note Frame Relay subinterfaces work the same on dialup connections as they do on leased lines. Configuration Overview No new commands are required to support DDR over Frame Relay. In general, you configure Frame Relay and configure DDR. In general, to configure an interface for DDR over Frame Relay, perform the following tasks: • Specify the interface. • Specify the protocol identifiers for the interface. For example, enter the IP address and mask, the IPX network number, and the AppleTalk cable range and zone. • Configure Frame Relay, as described in the chapter “Configuring Frame Relay” in the Cisco IOS Wide-Area Networking Configuration Guide. As a minimum, you must enable Frame Relay encapsulation and decide whether you need to do static or dynamic address mapping. If you decide to do dynamic mapping, you need not enter a command because Inverse ARP is enabled by default. If you decide to do static mapping, you must enter Frame Relay mapping commands. You can then configure various options as needed for your Frame Relay network topology. • Configure DDR. At a minimum, you must decide and configure the interface for outgoing calls only, incoming calls only, or both outgoing and incoming calls. You can also configure DDR for your routed protocols (as specified in the chapter “Preparing to Configure DDR”) and for snapshot routing (as specified in the chapter “Configuring Snapshot Routing” later in this publication). You can also customize DDR on your router or access server (as described in the “Customizing the Interface Settings” section later in this chapter). For examples of configuring various interfaces for DDR over Frame Relay, see the section “Frame Relay Support Examples” later in this chapter. Configuring Legacy DDR Hubs How to Configure DDR DC-405 Cisco IOS Dial Technologies Configuration Guide Configuring the Interface for Sending Traffic over an X.25 Network X.25 interfaces can now be configured to support DDR. Synchronous serial and ISDN interfaces on Cisco routers and access servers can be configured for X.25 addresses, X.25 encapsulation, and mapping of protocol addresses to the X.25 address of a remote host. In-band, DTR, and ISDN dialers can be configured to support X.25 encapsulation, but rotary groups cannot. Remember that for ISDN interfaces, once CLID binding is completed, the topmost interface is always used for all configuration and data structures. The ISDN B channel becomes a forwarding device, and the configuration on the D channel is ignored, thereby allowing the different encapsulation types and per-user configurations. For X.25 encapsulations, the configurations reside on the dialer profile. The Dynamic Multiple Encapsulations feature provides support for packet assembler/disassembler (PAD) traffic and X.25 encapsulated and switched packets. To configure an interface to support X.25 and DDR, use the following X.25-specific commands in interface configuration mode: The order of DDR and X.25 configuration tasks is not critical; you can configure DDR before or after X.25, and you can even mix the DDR and X.25 commands. For an example of configuring an interface for X.25 encapsulation and then completing the DDR configuration, see the section “X.25 Support Configuration Example” later in this chapter. Configuring the Interface for Sending Traffic over a LAPB Network DDR over serial lines now supports LAPB encapsulation, in addition to the previously supported PPP, HDLC, and X.25 encapsulations. LAPB encapsulation is supported on synchronous serial, ISDN, and dialer rotary group interfaces, but not on asynchronous dialers. Because the default encapsulation is HDLC, you must explicitly configure LAPB encapsulation. To configure an interface to support LAPB encapsulation and DDR, use the following command in interface configuration mode: For more information about the serial connections on which LAPB encapsulation is appropriate, see the encapsulation lapb command in the chapter “X.25 and LAPB Commands” in the Cisco IOS Wide-Area Networking Command Reference, Release 12.2. For an example of configuring an interface for DDR over LAPB, see the section “X.25 Support Configuration Example” later in this chapter. Command Purpose Step 1 Router(config-if)# encapsulation x25 [dte | dce] [ietf] Configures the interface to use X.25 encapsulation. Step 2 Router(config-if)# x25 address x.121-address Assigns an X.25 address to the interface. Step 3 Router(config-if)# x25 map protocol address [protocol2 address2 [...[protocol9 address9]]] x.121-address [option] Sets up the LAN protocols-to-remote host address mapping. Command Purpose Router(config-if)# encapsulation lapb [dte | dce] [multi | protocol] Specifies LAPB encapsulation. Configuring Legacy DDR Hubs Monitoring DDR Connections DC-406 Cisco IOS Dial Technologies Configuration Guide Monitoring DDR Connections To monitor DDR connections and snapshot routing, use the following commands in privileged EXEC mode: Configuration Examples for Legacy DDR Hub The following sections provide various DDR configuration examples: • Transparent Bridging over DDR Examples • DDR Configuration in an IP Environment Example • AppleTalk Configuration Example • Banyan VINES Configuration Example • DECnet Configuration Example • ISO CLNS Configuration Example • XNS Configuration Example • Hub-and-Spoke DDR for Asynchronous Interfaces and Authentication Example • Single Site or Multiple Sites Dialing Configuration Example • Multiple Destinations Configuration Example • Dialer Interfaces and Dialer Rotary Groups Example • DDR Configuration Using Dialer Interface and PPP Encapsulation Example • Two-Way DDR with Authentication Example Command Purpose Router# show dialer [interface type number] Displays general diagnostics about the DDR interface. Router# show dialer map Displays current dialer maps, next-hop protocol addresses, user names, and the interfaces on which they are configured. Router# show interfaces bri 0 Displays information about the ISDN interface. Router# show ipx interface [type number] Displays status about the IPX interface. Router# show ipx traffic Displays information about the IPX packets sent by the router or access server, including watchdog counters. Router# show appletalk traffic Displays information about the AppleTalk packets sent by the router or access server. Router# show vines traffic Displays information about the Banyan VINES packets sent by the router or access server. Router# show decnet traffic Displays information about the DECnet packets sent by the router or access server. Router# show xns traffic Displays information about the XNS packets sent by the router or access server. Router# clear dialer Clears the values of the general diagnostic statistics. Configuring Legacy DDR Hubs Configuration Examples for Legacy DDR Hub DC-407 Cisco IOS Dial Technologies Configuration Guide • Frame Relay Support Examples • X.25 Support Configuration Example • LAPB Support Configuration Example Transparent Bridging over DDR Examples The following two examples differ only in the packets that cause calls to be placed. The first example specifies by protocol (any bridge packet is permitted to cause a call to be made); the second example allows a finer granularity by specifying the Ethernet type codes of bridge packets. The first example configures serial interface 1 for DDR bridging. Any bridge packet is permitted to cause a call to be placed. no ip routing ! interface Serial1 no ip address encapsulation ppp dialer in-band dialer enable-timeout 3 dialer map bridge name urk broadcast 8985 dialer hold-queue 10 dialer-group 1 ppp authentication chap bridge-group 1 pulse-time 1 ! dialer-list 1 protocol bridge permit bridge 1 protocol ieee bridge 1 hello 10 The second example also configures the serial interface 1 for DDR bridging. However, this example includes an access-list command that specifies the Ethernet type codes that can cause calls to be placed and a dialer list protocol list command that refers to the specified access list. no ip routing ! interface Serial1 no ip address encapsulation ppp dialer in-band dialer enable-timeout 3 dialer map bridge name urk broadcast 8985 dialer hold-queue 10 dialer-group 1 ppp authentication chap bridge-group 1 pulse-time 1 ! access-list 200 permit 0x0800 0xFFF8 ! dialer-list 1 protocol bridge list 200 bridge 1 protocol ieee bridge 1 hello 10 Configuring Legacy DDR Hubs Configuration Examples for Legacy DDR Hub DC-408 Cisco IOS Dial Technologies Configuration Guide DDR Configuration in an IP Environment Example The following example shows how to configure DDR to call one site from a synchronous serial interface in an IP environment. You could use the same configuration on an asynchronous serial interface by changing the interface serial 1 command to specify an asynchronous interface (for example, interface async 0). interface serial 1 ip address 172.18.126.1 255.255.255.0 dialer in-band dialer idle-timeout 600 dialer string 5551234 pulse-time 1 ! The next command adds this interface to the dialer access group defined with ! the dialer-list command. dialer-group 1 ! ! The first access list statement, below, specifies that IGRP updates are not ! interesting packets. The second access-list statement specifies that all ! other IP traffic such as Ping, Telnet, or any other IP packet is interesting. ! The dialer-list command then creates dialer access group 1 and states that ! access list 101 is to be used to classify packets as interesting or ! uninteresting. The ip route commands specify that there is a route to network ! 172.18.29.0 and to network 172.18.1.0 via 172.18.126.2. This means that ! several destination networks are available through a router that is dialed ! from interface serial 1. ! access-list 101 deny igrp 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 dialer-list 1 list 101 ip route 172.18.29.0 172.18.126.2 ip route 172.18.1.0 172.18.126.2 ip local pool dialin 10.102.126.2 10.102.126.254 With many modems, the pulse-time command must be used so that DTR is dropped for enough time to allow the modem to disconnect. AppleTalk Configuration Example The following example configures DDR for AppleTalk access using an ISDN BRI. Two access lists are defined: one for IP and Interior Gateway Routing Protocol (IGRP) and one for AppleTalk. AppleTalk packets from network 2141 only (except broadcast packets) can initiate calls. interface BRI0 ip address 172.16.20.107 255.255.255.0 encapsulation ppp appletalk cable-range 2141-2141 2141.65 appletalk zone SCruz-Eng no appletalk send-rtmps dialer map ip 172.16.20.106 broadcast 1879 dialer map appletalk 2141.66 broadcast 1879 dialer-group 1 ! access-list 101 deny igrp 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 access-list 601 permit cable-range 2141-2141 broadcast-deny access-list 601 deny other-access ! dialer-list 1 list 101 dialer-list 1 list 601 Configuring Legacy DDR Hubs Configuration Examples for Legacy DDR Hub DC-409 Cisco IOS Dial Technologies Configuration Guide Banyan VINES Configuration Example The following example configures a router for VINES and IP DDR with in-band dialing. The VINES access list does not allow RTP routing updates to place a call, but any other data packet is interesting. vines routing BBBBBBBB:0001 ! hostname RouterA ! username RouterB password 7 030752180500 username RouterC password 7 00071A150754 ! interface serial 0 ip address 172.18.170.19 255.255.255.0 encapsulation ppp vines metrics 10 vines neighbor AAAAAAAA:0001 0 dialer in-band dialer map ip 172.18.170.151 name RouterB broadcast 4155551234 dialer map vines AAAAAAAA:0001 name RouterC broadcast 4155551212 dialer-group 1 ppp authentication chap pulse-time 1 ! access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 ! vines access-list 107 deny RTP 00000000:0000 FFFFFFFF:FFFF 00000000:0000 FFFFFFFF:FFFF vines access-list 107 permit IP 00000000:0000 FFFFFFFF:FFFF 00000000:0000 FFFFFFFF:FFFF ! dialer-list 1 protocol ip list 101 dialer-list 1 protocol vines list 107 DECnet Configuration Example The following example configures a router for DECnet DDR with in-band dialing: decnet routing 10.19 username RouterB password 7 030752180531 ! interface serial 0 no ip address decnet cost 10 encapsulation ppp dialer in-band dialer map decnet 10.151 name RouterB broadcast 4155551212 dialer-group 1 ppp authentication chap pulse-time 1 ! access-list 301 permit 10.0 0.1023 0.0 63.1023 dialer-list 1 protocol decnet list 301 Configuring Legacy DDR Hubs Configuration Examples for Legacy DDR Hub DC-410 Cisco IOS Dial Technologies Configuration Guide ISO CLNS Configuration Example The following example configures a router for International Organization for Standardization Connectionless Network Service (ISO CLNS) DDR with in-band dialing: username RouterB password 7 111C140B0E clns net 47.0004.0001.0000.0c00.2222.00 clns routing clns filter-set ddrline permit 47.0004.0001.... ! interface serial 0 no ip address encapsulation ppp dialer in-band dialer map clns 47.0004.0001.0000.0c00.1111.00 name RouterB broadcast 1212 dialer-group 1 ppp authentication chap clns enable pulse-time 1 ! clns route default serial 0 dialer-list 1 protocol clns list ddrline XNS Configuration Example The following example configures a router for XNS DDR with in-band dialing. The access lists deny broadcast traffic to any host on any network, but allow all other traffic. xns routing 0000.0c01.d8dd username RouterB password 7 111B210A0F interface serial 0 no ip address encapsulation ppp xns network 10 dialer in-band dialer map xns 10.0000.0c01.d877 name RouterB broadcast 4155551212 dialer-group 1 ppp authentication chap pulse-time 1 access-list 400 deny -1 -1.ffff.ffff.ffff 0000.0000.0000 access-list 400 permit -1 10 dialer-list 1 protocol xns list 400 Hub-and-Spoke DDR for Asynchronous Interfaces and Authentication Example You can set up DDR to provide service to multiple remote sites. In a hub-and-spoke configuration, you can use a generic configuration script to set up each remote connection. Figure 54 illustrates a typical hub-and-spoke configuration. Configuring Legacy DDR Hubs Configuration Examples for Legacy DDR Hub DC-411 Cisco IOS Dial Technologies Configuration Guide Figure 54 Hub-and-Spoke DDR Configuration The examples in the following sections show how to create this configuration. Spoke Topology Configuration The following commands are executed on the spoke side of the connection. (A different “spoke” password must be specified for each remote client.) The configuration provides authentication by identifying a password that must be provided on each end of the connection. interface ethernet 0 ip address 172.30.44.1 255.255.255.0 ! interface async 7 async mode dedicated async default ip address 172.19.45.1 ip address 172.30.45.2 255.255.255.0 encapsulation ppp ppp authentication chap dialer in-band dialer map ip 172.30.45.1 name hub system-script hub 1234 dialer map ip 172.30.45.255 name hub system-script hub 1234 dialer-group 1 ! ip route 172.30.43.0 255.255.255.0 172.30.45.1 ip default-network 172.30.0.0 chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT chat-script hub ““ ““ name: spoke1 word” PPP dialer-list 1 protocol ip permit ! username hub password ! router igrp 109 network 172.30.0.0 passive-interface async 7 ! line 7 modem InOut speed 38400 flowcontrol hardware modem chat-script generic Hub Router Configuration The following commands are executed on the local side of the connection—the hub router. The commands configure the server for communication with three clients and provide authentication by identifying a unique password for each “spoke” in the hub-and-spoke configuration. S3366 Configuring Legacy DDR Hubs Configuration Examples for Legacy DDR Hub DC-412 Cisco IOS Dial Technologies Configuration Guide interface ethernet 0 ip address 172.30.43.1 255.255.255.0 ! interface async 7 async mode interactive async dynamic address dialer rotary-group 1 ! interface async 8 async mode interactive async dynamic address dialer rotary-group 1 ! interface dialer 1 ip address 172.30.45.2 255.255.255.0 no ip split-horizon encapsulation ppp ppp authentication chap dialer in-band dialer map ip 172.30.45.2 name spoke1 3333 dialer map ip 172.30.45.2 name spoke2 4444 dialer map ip 172.30.45.2 name spoke3 5555 dialer map ip 172.30.45.255 name spoke1 3333 dialer map ip 172.30.45.255 name spoke2 4444 dialer map ip 172.30.45.255 name spoke3 5555 dialer-group 1 ! ip route 172.30.44.0 255.255.255.0 172.30.45.2 ip route 172.30.44.0 255.255.255.0 172.30.45.3 ip route 172.30.44.0 255.255.255.0 172.30.45.4 dialer-list 1 protocol ip list 101 access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT ! username spoke1 password username spoke2 password username spoke3 password username spoke1 autocommand ppp 172.30.45.2 username spoke2 autocommand ppp 172.30.45.3 username spoke3 autocommand ppp 172.30.45.4 ! router igrp 109 network 172.30.0.0 redistribute static ! line 7 login tacacs modem InOut speed 38400 flowcontrol hardware modem chat-script generic The redistribute static command can be used to advertise static route information for DDR applications. Without this command, static routes to the hosts or network that the router can access with DDR will not be advertised to other routers with which the router is communicating. This behavior can block communication because some routes will not be known. See the redistribute static ip command, described in the chapter “IP Routing Protocol-Independent Commands” in the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. Configuring Legacy DDR Hubs Configuration Examples for Legacy DDR Hub DC-413 Cisco IOS Dial Technologies Configuration Guide Single Site or Multiple Sites Dialing Configuration Example The following example is based on the configuration shown in Figure 55; the router receives a packet with a next hop address of 10.1.1.1. Figure 55 Sample Dialer String or Dialer Map Configuration If the interface on your router is configured to call a single site with phone number 5555555, it will send the packet to that site, assuming that the next hop address 10.1.1.1 indicates the same remote device as phone number 5555555. The dialer string command is used to specify the string (telephone number) to be called. interface serial 1 dialer in-band dialer string 5555555 If the interface is configured to dial multiple sites, the interface or dialer rotary group must be configured so that the correct phone number, 5555555, is mapped to the address 10.1.1.1. If this mapping is not configured, the interface or dialer rotary group does not know what phone number to call to deliver the packet to its correct destination, which is the address 10.1.1.1. In this way, a packet with a destination of 10.2.2.2 will not be sent to 5555555. The dialer map command is used to map next hop addresses to phone numbers. interface serial 1 dialer in-band dialer map ip 10.1.1.1 5555555 dialer map ip 10.2.2.2 6666666 Multiple Destinations Configuration Example The following example shows how to specify multiple destination numbers to dial for outgoing calls: interface serial 1 ip address 172.18.126.1 255.255.255.0 dialer in-band dialer wait-for-carrier-time 100 pulse-time 1 dialer-group 1 dialer map ip 172.18.126.10 5558899 Remote Router B Remote Router A Local router 6666666 5555555 56951 Configuring Legacy DDR Hubs Configuration Examples for Legacy DDR Hub DC-414 Cisco IOS Dial Technologies Configuration Guide dialer map ip 172.18.126.15 5555555 ! access-list 101 deny igrp 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 dialer-list 1 protocol ip list 101 As in the “DDR Configuration in an IP Environment Example” section, a pulse time is assigned and a dialer access group specified. The first dialer map command specifies that the number 555-8899 is to be dialed for IP packets with a next-hop-address value of 172.18.126.10. The second dialer map command then specifies that the number 5555555 will be called when an IP packet with a next-hop-address value of 172.18.126.15 is detected. Dialer Interfaces and Dialer Rotary Groups Example The following configuration places serial interfaces 1 and 2 into dialer rotary group 1, defined by the interface dialer 1 command: ! PPP encapsulation is enabled for interface dialer 1. interface dialer 1 encapsulation ppp dialer in-band ip address 172.18.2.1 255.255.255.0 ip address 172.18.2.1 255.255.255.0 secondary ! The first dialer map command allows remote site YYY and the central site to ! call each other. The second dialer map command, with no dialer string, allows ! remote site ZZZ to call the central site but the central site cannot call ! remote site ZZZ (no phone number). ! dialer map ip 172.18.2.5 name YYY 1415553434 dialer map ip 172.18.2.55 name ZZZ ! ! The DTR pulse signals for three seconds on the interfaces in dialer group 1. ! This holds the DTR low so the modem can recognize that DTR has been dropped. pulse-time 3 ! Serial interfaces 1 and 2 are placed in dialer rotary group 1. All the ! interface configuration commands (the encapsulation and dialer map commands ! shown earlier in this example) that applied to interface dialer 1 also apply ! to these interfaces. interface serial 1 dialer rotary-group 1 interface serial 2 dialer rotary-group 1 DDR Configuration Using Dialer Interface and PPP Encapsulation Example The following example shows a configuration for XXX, the local router shown in Figure 56. In this example, remote Routers YYY and ZZZ can call Router XXX. Router XXX has dialing information only for Router YYY and cannot call Router ZZZ. Configuring Legacy DDR Hubs Configuration Examples for Legacy DDR Hub DC-415 Cisco IOS Dial Technologies Configuration Guide Figure 56 DDR Configuration Router XXX Configuration username YYY password theirsystem username ZZZ password thatsystem ! Create a dialer interface with PPP encapsulation and CHAP authentication. interface dialer 1 ip address 172.18.2.1 255.255.255.0 ip address 172.24.4.1 255.255.255.0 secondary encapsulation ppp ppp authentication chap dialer in-band dialer group 1 ! The first dialer map command indicates that calls between the remote site ! YYY and the central site will be placed at either end. The second dialer ! map command, with no dialer string, indicates that remote site ZZZ will call ! the central site but the central site will not call out. dialer map ip 172.18.2.5 name YYY 1415553434 dialer map ip 172.24.4.5 name ZZZ ! The DTR pulse holds the DTR low for three seconds, so the modem can recognize ! that DTR has been dropped. pulse-time 3 ! ! Place asynchronous serial interfaces 1 and 2 in dialer group 1. The interface commands ! applied to dialer group 1 (for example, PPP encapsulation and CHAP) apply to these ! interfaces. ! interface async 1 dialer rotary-group 1 interface async 2 dialer rotary-group 1 Two-Way DDR with Authentication Example You can set up two-way DDR with authentication in which both the client and server have dial-in access to each other. This configuration is demonstrated in the following two subsections. Serial interface 6 Serial interface 5 Serial interface 4 Serial interface 1 Serial interface 2 Serial interface 3 Dialer rotary group 2 172.18.1.1 172.25.1.1 Dialer interface 1 Dialer interface 2 Dialer rotary group 1 54733 Router Configuring Legacy DDR Hubs Configuration Examples for Legacy DDR Hub DC-416 Cisco IOS Dial Technologies Configuration Guide Remote Configuration The following commands are executed on the remote side of the connection. This configuration provides authentication by identifying a password that must be provided on each end of the connection. username local password secret1 username remote password secret2 ! interface ethernet 0 ip address 172.30.44.1 255.255.255.0 ! interface async 7 ip address 172.30.45.2 255.255.255.0 async mode dedicated async default ip address 172.30.45.1 encapsulation ppp dialer in-band dialer string 1234 dialer-group 1 ! ip route 172.30.43.0 255.255.255.0 async 7 ip default-network 172.30.0.0 chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT dialer-list 1 protocol ip permit ! line 7 no exec modem InOut speed 38400 flowcontrol hardware modem chat-script generic Local Configuration The following commands are executed on the local side of the connection. As with the remote side configuration, this configuration provides authentication by identifying a password for each end of the connection. username remote password secret1 username local password secret2 ! interface ethernet 0 ip address 172.30.43.1 255.255.255.0 ! interface async 7 async mode dedicated async default ip address 172.30.45.2 dialer rotary-group 1 ! interface async 8 async mode dedicated async default ip address 172.30.45.2 dialer rotary-group 1 ! interface dialer 1 ip address 172.30.45.2 255.255.255.0 encapsulation ppp ppp authentication chap dialer in-band dialer map ip 172.30.45.2 name remote 4321 dialer load-threshold 80 ! Configuring Legacy DDR Hubs Configuration Examples for Legacy DDR Hub DC-417 Cisco IOS Dial Technologies Configuration Guide ip route 172.30.44.0 255.255.255.0 172.30.45.2 chat-script generic ABORT BUSY ABORT NO ## AT OK ATDT\T TIMEOUT 30 CONNECT ! router igrp 109 network 172.30.0.0 redistribute static passive-interface async 7 ! line 7 modem InOut speed 38400 flowcontrol hardware modem chat-script generic Frame Relay Support Examples The examples in this section present various combinations of interfaces, Frame Relay features, and DDR features. Frame Relay Access with In-Band Dialing and Static Mapping The following example configures a router for IP over Frame Relay using in-band dialing. A Frame Relay static map is used to associate the next hop protocol address to the DLCI. The dialer string allows dialing to only one destination. interface Serial0 ip address 10.1.1.1 255.255.255.0 encapsulation frame-relay frame-relay map ip 10.1.1.2 100 broadcast dialer in-band dialer string 4155551212 dialer-group 1 ! access-list 101 deny igrp any host 255.255.255.255 access-list 101 permit ip any any ! dialer-list 1 protocol ip list 101 Frame Relay Access with ISDN Dialing and DDR Dynamic Maps The following example shows a BRI interface configured for Frame Relay and for IP, Internet Protocol Exchange (IPX), and AppleTalk routing. No static maps are defined because this setup relies on Frame Relay Local Management Interface (LMI) signaling and Inverse ARP to determine the network addresses-to-DLCI mappings dynamically. (Because Frame Relay Inverse ARP is enabled by default, no command is required.) interface BRI0 ip address 10.1.1.1 255.255.255.0 ipx network 100 appletalk cable-range 100-100 100.1 appletalk zone ISDN no appletalk send-rtmps encapsulation frame-relay IETF dialer map ip 10.1.1.2 broadcast 4155551212 dialer map apple 100.2 broadcast 4155551212 dialer map ipx 100.0000.0c05.33ed broadcast 4085551234 dialer-group 1 ! Configuring Legacy DDR Hubs Configuration Examples for Legacy DDR Hub DC-418 Cisco IOS Dial Technologies Configuration Guide access-list 101 deny igrp any host 255.255.255.255 access-list 101 permit ip any any access-list 901 deny -1 FFFFFFFF 452 access-list 901 deny -1 FFFFFFFF 453 access-list 901 deny -1 FFFFFFFF 457 access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 452 access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 453 access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 457 access-list 901 permit -1 access-list 601 permit cable-range 100-100 broadcast-deny access-list 601 deny other-access ! dialer-list 1 protocol ip list 101 dialer-list 1 protocol novell list 901 dialer-list 1 protocol apple list 601 Frame Relay Access with ISDN Dialing and Subinterfaces The following example shows a BRI interface configured for Frame Relay and for IP, IPX, and AppleTalk routing. Two logical subnets are used; a point-to-point subinterface and a multipoint subinterface are configured. Frame Relay Annex A (LMI type Q933a) and Inverse ARP are used for dynamic routing. interface BRI0 no ip address encapsulation frame-relay dialer string 4155551212 dialer-group 1 frame-relay lmi-type q933a ! interface BRI0.1 multipoint ip address 10.1.100.1 255.255.255.0 ipx network 100 appletalk cable-range 100-100 100.1 appletalk zone ISDN no appletalk send-rtmps frame-relay interface-dlci 100 frame-relay interface-dlci 110 frame-relay interface-dlci 120 ! interface BRI0.2 point-to-point ip address 10.1.200.1 255.255.255.0 ipx network 200 appletalk cable-range 200-200 200.1 appletalk zone ISDN no appletalk send-rtmps frame-relay interface-dlci 200 broadcast IETF ! access-list 101 deny igrp any host 255.255.255.255 access-list 101 permit ip any any access-list 901 deny -1 FFFFFFFF 452 access-list 901 deny -1 FFFFFFFF 453 access-list 901 deny -1 FFFFFFFF 457 access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 452 access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 453 access-list 901 deny -1 FFFFFFFF 0 FFFFFFFF 457 access-list 901 permit -1 access-list 601 permit cable-range 100-100 broadcast-deny access-list 601 permit cable-range 200-200 broadcast-deny access-list 601 deny other-access Configuring Legacy DDR Hubs Configuration Examples for Legacy DDR Hub DC-419 Cisco IOS Dial Technologies Configuration Guide dialer-list 1 protocol ip list 101 dialer-list 1 protocol novell list 901 dialer-list 1 protocol apple list 601 X.25 Support Configuration Example The following example configures a router to support X.25 and DTR dialing: interface serial 0 ip address 172.18.170.19 255.255.255.0 encapsulation x25 x25 address 12345 x25 map ip 172.18.171.20 67890 broadcast dialer dtr dialer-group 1 ! access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 ! dialer-list 1 protocol ip list 101 LAPB Support Configuration Example The following example configures a router for LAPB encapsulation and in-band dialing: interface serial 0 ip address 172.18.170.19 255.255.255.0 encapsulation lapb dialer in-band dialer string 4155551212 dialer-group 1 ! access-list 101 deny igrp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 ! dialer-list 1 protocol ip list 101 Configuring Legacy DDR Hubs Configuration Examples for Legacy DDR Hub DC-420 Cisco IOS Dial Technologies Configuration Guide DC-421 Cisco IOS Dial Technologies Configuration Guide Configuring Peer-to-Peer DDR with Dialer Profiles This chapter describes how to configure the Cisco IOS software for the Dialer Profiles feature implementation of dial-on-demand routing (DDR). It includes the following main sections: • Dialer Profiles Overview • How to Configure Dialer Profiles • Monitoring and Maintaining Dialer Profile Connections • Configuration Examples Dialer Profiles For information about preparations for configuring dialer profiles, see the chapter “Preparing to Configure DDR” in this publication. The Dialer Profiles feature is contrasted with legacy DDR. For information about legacy DDR, see the other chapters in the “Dial-on-Demand Routing” part of this publication. For information about dial backup using dialer profiles, see the chapter “Configuring Dial Backup with Dialer Profiles” in this publication. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Dialer Profiles Overview Dialer profiles allow the configuration of physical interfaces to be separated from the logical configuration required for a call, and they also allow the logical and physical configurations to be bound together dynamically on a per-call basis. A dialer profile consists of the following elements: • A dialer interface (a logical entity) configuration including one or more dial strings (each of which is used to reach one destination subnetwork) • A dialer map class that defines all the characteristics for any call to the specified dial string • An ordered dialer pool of physical interfaces to be used by the dialer interface Configuring Peer-to-Peer DDR with Dialer Profiles Dialer Profiles Overview DC-422 Cisco IOS Dial Technologies Configuration Guide Note Dialer profiles support most routed protocols; however, International Organization for Standardization Connectionless Network Service (ISO CLNS) is not supported. New Dialer Profile Model In earlier releases of the Cisco IOS software, dialer profiles in the same dialer pool needed encapsulation-specific configuration information entered under both the dialer profile interface and the ISDN interface. If any conflict arose between the logical and the physical interfaces, the dialer profile failed to work. In the new dialer profile model introduced by the Dynamic Multiple Encapsulations feature in Cisco IOS Release 12.1, the configuration on the ISDN interface is ignored and only the configuration on the profile interface is used, unless PPP name binding is used. Before a successful bind by CLID occurs, no encapsulation type and configuration are assumed or taken from the physical interfaces. When PPP is used and a caller identification (CLID) bind fails, a dialer profile still can be matched by PPP name authentication. In the new dialer profile model, multiple attempts are made to find a matching profile. The dialer profile software binds an incoming call on a physical dialer interface according to the following events, and in the order listed: 1. There is only one dialer profile configured to use the pool of which the physical interface is a member; this condition is the default bind. The physical interface must be a member of only this one pool. A default bind is possible only to a dialer profile when there are no dialer caller or dialer called commands configured on that profile. 2. The CLID matches what is configured in a dialer caller command on a dialer profile using a pool of which the physical interface is a member. 3. The DNIS that is presented matches what is configured in a dialer called command on a dialer profile using a pool of which the physical interface is a member. 4. If a bind has not yet occurred but the physical interface is configured for PPP encapsulation and CHAP or PAP authentication, and the CHAP or PAP name presented matches a dialer remote-name command configuration on a dialer profile using a pool of which the physical interface is a member, then the dialer profile software binds to that dialer profile. If none of the above events are successful, the call is not answered. The call is also disconnected during any of the first three events when, after the bind occurs and the physical interface is configured for PPP encapsulation and CHAP or PAP authentication, the CHAP or PAP name presented does not match what is configured in a dialer remote-name command on the dialer profile that was bound to the call. PPP encapsulation on an ISDN link is different from other encapsulation types because it runs on the B channel rather than the dialer profile interface. There are two possible configuration sources in a profile bind: the D and the dialer profile interfaces. Hence, a configuration conflict between the sources is possible. If a successful bind is accomplished by name authentication, the configuration used to bring PPP up is the one on the D interface. This is the name used to locate a dialer profile for the bind. The configuration on an ISDN interface goes under the D rather than a B channel, although B channels inherit the configuration from their D interface. However, the configuration on this found dialer profile could be different from the one on the D interface. For example, the ppp multilink command is configured on the D interface, but not on the dialer profile interface. The actual per-user configuration is the one on the dialer profile interface. In this case, per-user configuration is not achieved unless link control protocol (LCP) and authentication are Configuring Peer-to-Peer DDR with Dialer Profiles Dialer Profiles Overview DC-423 Cisco IOS Dial Technologies Configuration Guide renegotiated. Because PPP client software often does not accept renegotiation, this workaround is not acceptable. Therefore, the D interface configuration takes precedence over the dialer profile interface configuration. This is the only case where the configuration of the dialer profile is overruled. Dialer Interface A dialer interface configuration includes all settings needed to reach a specific destination subnetwork (and any networks reached through it). Multiple dial strings can be specified for the same dialer interface, each dial string being associated with a different dialer map class. Dialer Map Class The dialer map class defines all the characteristics for any call to the specified dial string. For example, the map class for one destination might specify a 56-kbps ISDN speed; the map class for a different destination might specify a 64-kbps ISDN speed. Dialer Pool Each dialer interface uses a dialer pool, a pool of physical interfaces ordered on the basis of the priority assigned to each physical interface. A physical interface can belong to multiple dialer pools, contention being resolved by priority. ISDN BRI and PRI interfaces can set a limit on the minimum and maximum number of B channels reserved by any dialer pools. A channel reserved by a dialer pool remains idle until traffic is directed to the pool. When dialer profiles are used to configure DDR, a physical interface has no configuration settings except encapsulation and the dialer pools with which the interface belongs. Note The preceding paragraph has one exception: commands that apply before authentication is complete must be configured on the physical (or BRI or PRI) interface and not on the dialer profile. Dialer profiles do not copy PPP authentication commands (or LCP commands) to the physical interface. Figure 57 shows a typical application of dialer profiles. Router A has dialer interface 1 for DDR with subnetwork 10.1.1.0, and dialer interface 2 for DDR with subnetwork 10.2.2.0. The IP address for dialer interface 1 is its address as a node in network 10.1.1.0; at the same time, that IP address serves as the IP address of the physical interfaces used by the dialer interface 1. Similarly, the IP address for dialer interface 2 is its address as a node in network 10.2.2.0. Configuring Peer-to-Peer DDR with Dialer Profiles Dialer Profiles Overview DC-424 Cisco IOS Dial Technologies Configuration Guide Figure 57 Typical Dialer Profiles Application A dialer interface uses only one dialer pool. A physical interface, however, can be a member of one or many dialer pools, and a dialer pool can have several physical interfaces as members. Figure 58 illustrates the relations among the concepts of dialer interface, dialer pool, and physical interfaces. Dialer interface 0 uses dialer pool 2. Physical interface BRI 1 belongs to dialer pool 2 and has a specific priority in the pool. Physical interface BRI 2 also belongs to dialer pool 2. Because contention is resolved on the basis of priority levels of the physical interfaces in the pool, BRI 1 and BRI 2 must be assigned different priorities in the pool. Perhaps BRI 1 is assigned priority 50 and BRI 2 is assigned priority 100 in dialer pool 2 (a priority of 100 is higher than a priority of 50). BRI 2 has a higher priority in the pool, and its calls will be placed first. Figure 58 Relations Among Dialer Interfaces, Dialer Pools, and Physical Interfaces Router B is on subnetwork 10.1.1.0. Networks 3, 4, and 5 are reached through it. Network 3 Network 4 Network 5 Network 6 Network 7 Network 8 Dialer interface 1 for subnetwork 10.1.1.0 and all networks reached through it. Router C is on subnetwork 10.2.2.0. Networks 6, 7, and 8 are reached through it. Dialer interface 2 for subnetwork 10.2.2.0 and all networks reached through it. 56952 BRI 0 BRI 1 Dialer pool 1 Dialer interface 0 Dialer interface 1 Dialer interface 2 Dialer pool 2 S4786 BRI 2 BRI 3 Dialer pool 3 Configuring Peer-to-Peer DDR with Dialer Profiles How to Configure Dialer Profiles DC-425 Cisco IOS Dial Technologies Configuration Guide How to Configure Dialer Profiles To configure dialer profiles, perform the task in the following section: • Configuring a Dialer Profile (Required) The following tasks can be configured whether you use legacy DDR or dialer profiles. Perform these tasks as needed for your network: • Configuring Dialer Profiles for Routed Protocols (As required) • Configuring Dialer Profiles for Transparent Bridging (As required) See the “Verifying the Dynamic Multiple Encapsulations Feature” section later in this chapter for tips on verifying that the feature is running in your network. See the “Configuration Examples Dialer Profiles” section at the end of this chapter for comprehensive configuration examples. Configuring a Dialer Profile To configure a dialer profile, perform the tasks in the following sections as required: • Configuring a Dialer Interface (Required) • Fancy Queueing and Traffic Shaping on Dialer Profile Interfaces (Optional) • Configuring a Map Class (Optional) • Configuring the Physical Interfaces (Required) Configuring a Dialer Interface Any number of dialer interfaces can be created for a router. Each dialer interface is the complete configuration for a destination subnetwork and any networks reached through it. The router on the destination subnetwork sends traffic on to the appropriate shadowed networks. To configure a dialer interface, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# interface dialer number Creates a dialer interface and begins interface configuration mode. Step 2 Router(config-if)# ip address address mask Specifies the IP address and mask of the dialer interface as a node in the destination network to be called. Step 3 Router(config-if)# encapsulation type Specifies the encapsulation type. Step 4 Router(config-if)# dialer string dial-string class class-name Specifies the remote destination to call and the map class that defines characteristics for calls to this destination. Step 5 Router(config-if)# dialer pool number Specifies the dialing pool to use for calls to this destination. Step 6 Router(config-if)# dialer-group group-number Assigns the dialer interface to a dialer group. Step 7 Router(config-if)# dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number} Specifies an access list by list number or by protocol and list number to define the “interesting” packets that can trigger a call. Configuring Peer-to-Peer DDR with Dialer Profiles How to Configure Dialer Profiles DC-426 Cisco IOS Dial Technologies Configuration Guide Fancy Queueing and Traffic Shaping on Dialer Profile Interfaces In earlier releases of the Cisco IOS software, fancy queueing and traffic shaping were configured under the physical interfaces, therefore the same queueing or traffic shaping scheme needed to be applied to all users that were sharing the same ISDN link. Beginning in Cisco IOS Release 12.1, you need only configure the queueing and traffic shaping schemes you desire on the dialer profile interface and the interface will take precedence over those configured on the ISDN B-channel interface. All the per-user encapsulation configuration has been moved to the dialer profile interfaces, separating it from hardware interfaces to make it dynamic and also to make per-user queueing and traffic shaping configuration possible. Note Per-user fancy queueing and traffic shaping work with both process switching and fast switching in the new dialer profile model. However, Frame Relay Traffic Shaping (FRTS) is not supported on the new dialer profile model. See the chapter “Policing and Shaping Overview” in the Cisco IOS Quality of Service Solutions Configuration Guide for more information about FRTS. Configuring a Map Class Map-class configuration is optional but allows you to specify different characteristics for different types of calls on a per-call-destination basis. For example, you can specify higher priority and a lower wait-for-carrier time for an ISDN-calls map class than for a modem-calls map class. You can also specify a different speed for some ISDN calls than for other ISDN calls. A specific map class is tied to a specific call destination by the use of the map-class name in the dialer-string command with the class keyword. To specify a map class and define its characteristics, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# map-class dialer classname Specifies a map class and begins map-class configuration mode. Step 2 Router(config-map-class)# dialer fast-idle seconds Specifies the fast idle timer value. Step 3 Router(config-map-class)# dialer idle-timeout seconds [inbound | either] Specifies the duration of idle time in seconds after which a line will be disconnected. By default, outbound traffic will reset the dialer idle timer. Adding the either keyword causes both inbound and outbound traffic to reset the timer; adding the inbound keyword causes only inbound traffic to reset the timer. Step 4 Router(config-map-class)# dialer wait-for-carrier-time seconds Specifies the length of time to wait for a carrier when dialing out to the dial string associated with the map class. Step 5 Router(config-map-class)# dialer isdn [speed speed] [spc] For ISDN only, specifies the bit rate used on the B channel associated with a specified map class or specifies that an ISDN semipermanent connection is to be used for calls associated with this map. Configuring Peer-to-Peer DDR with Dialer Profiles How to Configure Dialer Profiles DC-427 Cisco IOS Dial Technologies Configuration Guide Note The dialer idle-timeout interface configuration command specifies the duration of time before an idle connection is disconnected. Previously, both inbound and outbound traffic would reset the dialer idle timer; now you can specify that only inbound traffic will reset the dialer idle timer. Configuring the Physical Interfaces To configure a physical interface, use the following commands beginning in global configuration mode: Repeat this procedure for additional physical interfaces that you want to use with dialer profiles. Configuring Dialer Profiles for Routed Protocols Both legacy DDR and dialer profiles support the following routed protocols: AppleTalk, Banyan VINES, DECnet, IP, Novell Internet Protocol Exchange (IPX), and Xerox Network System (XNS). To configure dialer profiles for a routed protocol, perform the tasks in the relevant section: • Configuring Dialer Profiles for AppleTalk (As required) • Configuring Dialer Profiles for Banyan VINES (As required) • Configuring Dialer Profiles for DECnet (As required) Command Purpose Step 1 Router(config)# interface type number Specifies the physical interface and begins interface configuration mode. Step 2 Router(config-if)# encapsulation ppp Enables PPP encapsulation. Step 3 Router(config-if)# ppp authentication chap Specifies PPP Challenge Handshake Authentication Protocol (CHAP) authentication, if you also want to receive calls on this interface. Step 4 dialer pool-member number [priority priority] dialer pool-member number [priority priority] [min-link minimum] [max-link maximum] Places the interface in a dialing pool and, optionally, assigns the interface a priority. For ISDN interfaces, you may also specify the minimum number of channels reserved and maximum number of channels used on this interface. The minimum value applies to outgoing calls only, and specifies the number of channels or interfaces reserved for dial out in that dialer pool; the channels remain idle when no calls are active. The maximum value applies to both incoming and outgoing calls and sets the total number of connections for a particular dialer pool member. Step 5 Router(config-if)# dialer pool-member number [priority priority] or Router(config-if)# dialer pool-member number [priority priority] [min-link minimum] [max-link maximum] (Optional) Repeat Step 4 if you want to put the interface in additional dialing pools. Configuring Peer-to-Peer DDR with Dialer Profiles How to Configure Dialer Profiles DC-428 Cisco IOS Dial Technologies Configuration Guide • Configuring Dialer Profiles for IP (As required) • Configuring Dialer Profiles for Novell IPX (As required) • Configuring XNS over DDR (As required) Configuring Dialer Profiles for AppleTalk To configure dialer profiles for AppleTalk, you specify AppleTalk access lists and then configure the dialer interface for dialer profiles, defining the dialer list to be used. Use the dialer-list protocol command to define permit or deny conditions for the entire protocol; for a finer granularity, use the dialer-list protocol command with the list keyword. See the section “Configuring a Dialer Interface” earlier in this chapter for more information about defining dialer lists. Configuring Dialer Profiles for Banyan VINES To configure DDR for Banyan VINES, use one of the following commands in global configuration mode: After you specify VINES standard or extended access lists, configure the dialer interface for dialer profiles, defining the dialer list to be used. Use the dialer-list protocol command to define permit or deny conditions for the entire protocol; for a finer granularity, use the dialer-list protocol command with the list keyword. See the section “Configuring a Dialer Interface” earlier in this chapter for more information about defining dialer lists. Note The Banyan VINES neighbor command is not supported for Link Access Procedure, Balanced (LAPB) and X.25 encapsulations. Configuring Dialer Profiles for DECnet To configure dial-on-demand routing (DDR) for DECnet, use one of the following commands in global configuration mode: Command Purpose Router(config)# vines access-list access-list-number {permit | deny} source source-mask1 or Router(config)# vines access-list access-list-number {permit | deny} source source-mask [destination] [destination-mask] Specifies a VINES standard access list. Specifies a VINES extended access list. Command Purpose Router(config)# access-list access-list-number {permit | deny} source source-mask1 or Router(config)# access-list access-list-number {permit | deny} source source-mask [destination] [destination-mask] Specifies a DECnet standard access list. Specifies a DECnet extended access list. Configuring Peer-to-Peer DDR with Dialer Profiles How to Configure Dialer Profiles DC-429 Cisco IOS Dial Technologies Configuration Guide After you specify DECnet standard or extended access lists, configure the dialer interface for dialer profiles, defining the dialer list to be used. Use the dialer-list protocol command to define permit or deny conditions for the entire protocol; for a finer granularity, use the dialer-list protocol command with the list keyword. See the section “Configuring a Dialer Interface” earlier in this chapter for more information about defining dialer lists. You classify DECnet control packets, including hello packets and routing updates, using one or more of the following commands: dialer-list protocol decnet_router-L1 permit, dialer-list protocol decnet_router-L2 permit, and dialer-list protocol decnet_node permit. Configuring Dialer Profiles for IP To configure DDR for IP, use one of the following commands in global configuration mode: You can now also use simplified IP access lists that use the any keyword instead of the numeric forms of source and destination addresses and masks. Other forms of IP access lists are also available. For more information, see the chapter “IP Services Commands” in the Cisco IOS IP Command Reference. To use dynamic routing where multiple remote sites communicate with each other through a central site, you might need to disable the IP split horizon feature. Split horizon applies to Routing Information Protocol (RIP), Interior Gateway Routing Protocol (IGRP), and Enhanced IGRP. Depending on which routing protocol is configured, see the chapter “Configuring RIP,” “Configuring IGRP,” or “Configuring Enhanced IGRP” in this publication. Refer to the chapter “Configuring IP Routing Protocols” in the Cisco IOS IP Configuration Guide for more information. Configuring Dialer Profiles for Novell IPX On DDR links for Novell IPX, the link may come up often even when all client sessions are idle because the server sends watchdog or keepalive packets to all the clients approximately every 5 minutes. You can configure a local router or access server to idle out the DDR link and respond to the watchdog packets on behalf of the clients. Command Purpose Router(config)# access-list access-list-number {deny | permit} source [source-mask] or Router(config)# access-list access-list-number {deny | permit} protocol source source-mask destination destination-mask [operator operand] Specifies an IP standard access list. Specifies an IP extended access list. Configuring Peer-to-Peer DDR with Dialer Profiles How to Configure Dialer Profiles DC-430 Cisco IOS Dial Technologies Configuration Guide To modify the dialer profiles dialer interface configuration for Novell IPX, use the following commands in interface configuration mode: Configuring XNS over DDR To configure XNS for DDR, use one of the following commands in global configuration mode: After you specify an XNS access list, configure the dialer interface for dialer profiles, defining the dialer list to be used. Use the dialer-list protocol command to define permit or deny conditions for the entire protocol; for a finer granularity, use the dialer-list protocol command with the list keyword. See the section “Configuring a Dialer Interface” earlier in this chapter for more information about defining dialer lists. Configuring Dialer Profiles for Transparent Bridging The Cisco IOS software supports transparent bridging over both legacy DDR and dialer profiles, and it provides you some flexibility in controlling access and configuring the interface. To configure dialer profiles for bridging, perform the tasks in the following sections: • Defining the Protocols to Bridge (Required) • Specifying the Bridging Protocol (Required) • Controlling Access for Bridging (Required) • Configuring an Interface for Bridging (Required) Command Purpose Step 1 Router(config-if)# no ipx route-cache Disables fast switching for IPX. Step 2 Router(config-if)# ipx watchdog-spoof or Router(config-if)# ipx spx-spoof Enables IPX watchdog spoofing. Enables Sequenced Packet Exchange (SPX) keepalive spoofing. Step 3 Router(config-if)# ipx spx-idle-time delay-in-seconds Sets the idle time after which SPX keepalive spoofing begins. Command Purpose Router(config)# access-list access-list-number {deny | permit} source-network[.source-address [source-address-mask]] [destination-network[.destination-address [destination-address-mask]]] or Router(config)# access-list access-list-number {deny | permit} protocol [source-network[.source-host [source-network-mask.]source-host-mask] source-socket [destination-network [.destination-host [destination-network-mask.destination-host-mask] destination-socket[/pep]]] Specifies a standard XNS access list. Specifies an extended XNS access list. Configuring Peer-to-Peer DDR with Dialer Profiles How to Configure Dialer Profiles DC-431 Cisco IOS Dial Technologies Configuration Guide Defining the Protocols to Bridge IP packets are routed by default unless they are explicitly bridged; all others are bridged by default unless they are explicitly routed. To bridge IP packets, use the following command in global configuration mode: If you choose not to bridge another protocol, use the relevant command to enable routing of that protocol. For more information about tasks and commands, refer to the relevant chapter in the appropriate network protocol configuration guide, such as the Cisco IOS AppleTalk and Novell IPX Configuration Guide. Specifying the Bridging Protocol You must specify the type of spanning-tree bridging protocol to use and also identify a bridge group. To specify the spanning-tree protocol and a bridge group number, use the following command in global configuration mode: The bridge-group number is used when you configure the interface and assign it to a bridge group. Packets are bridged only among members of the same bridge group. Controlling Access for Bridging You can control access by defining any transparent bridge packet as interesting, or you can use the finer granularity of controlling access by Ethernet type codes. To control access for DDR bridging, perform one of the following tasks: • Permitting All Bridge Packets • Controlling Bridging Access by Ethernet Type Codes Note Spanning-tree bridge protocol data units (BPDUs) are always treated as uninteresting. Permitting All Bridge Packets To identify all transparent bridge packets as interesting, use the following command in global configuration mode: Command Purpose Router(config)# no ip routing Disables IP routing. Command Purpose Router(config)# bridge bridge-group protocol {ieee | dec} Defines the type of spanning-tree protocol and identifies a bridge group. Command Purpose Router(config)# dialer-list dialer-group protocol bridge permit Defines a dialer list that treats all transparent bridge packets as interesting. Configuring Peer-to-Peer DDR with Dialer Profiles How to Configure Dialer Profiles DC-432 Cisco IOS Dial Technologies Configuration Guide Controlling Bridging Access by Ethernet Type Codes To control access by Ethernet type codes, use the following commands in global configuration mode: For a table of some common Ethernet type codes, see the “Ethernet Type Codes” appendix in the Cisco IOS Bridging and IBM Networking Command Reference. Configuring an Interface for Bridging You can perform serial interfaces or ISDN interfaces for DDR bridging. To configure an interface for DDR bridging, complete all the tasks in the following sections: • Specifying the Interface (Required) • Configuring the Destination (Required) • Assigning the Interface to a Bridge Group (Required) Specifying the Interface To specify the interface and enter interface configuration mode, use the following command in global configuration mode: Configuring the Destination You can configure the destination by specifying either of the following: • A dial string—for unauthenticated calls to a single site • A dialer bridge map—when you want to use authentication To configure the destination for bridging over a specified interface, use the following command in interface configuration mode: Note You can define only one dialer bridge map for the interface. If you enter a different bridge map, the previous one is replaced immediately. Command Purpose Step 1 Router(config)# access-list access-list-number {permit | deny} type-code [mask] Identifies interesting packets by Ethernet type codes (access list numbers must be in the range 200 to 299). Step 2 Router(config)# dialer-list dialer-group protocol bridge list access-list-number Defines a dialer list for the specified access list. Command Purpose Router(config)# interface type number Specifies the serial or ISDN interface and enters interface configuration mode. Command Purpose Router(config-if)# dialer string dial-string Configures the dial string to call. Configuring Peer-to-Peer DDR with Dialer Profiles Monitoring and Maintaining Dialer Profile Connections DC-433 Cisco IOS Dial Technologies Configuration Guide Assigning the Interface to a Bridge Group Packets are bridged only among interfaces that belong to the same bridge group. To assign an interface to a bridge group, use the following command in interface configuration mode: Monitoring and Maintaining Dialer Profile Connections To monitor DDR dialer profile connections, use any of the following commands in privileged EXEC mode: Configuration Examples Dialer Profiles The following sections provide three comprehensive configuration examples: • Dialer Profile with Inbound Traffic Filter Example • Dialer Profile for Central Site with Multiple Remote Sites Example • Dialer Profile for ISDN BRI Backing Up Two Leased Lines Example • Dynamic Multiple Encapsulations over ISDN Example Command Purpose Router(config-if)# bridge-group bridge-group Assigns the specified interface to a bridge group. Command Purpose Router# show dialer interface Displays information for the interfaces configured for DDR dialer profiles. Router# show interfaces type number Displays statistics for configured interfaces. The output varies, depending on the network for which an interface has been configured. Router# show ipx interface [type number] Displays status about the IPX interface. Router# show ipx traffic Displays information about the IPX packets sent by the router or access server, including watchdog counters. Router# show appletalk traffic Displays information about the AppleTalk packets sent by the router or access server. Router# show vines traffic Displays information about the Banyan VINES packets sent by the router or access server. Router# show decnet traffic Displays information about the DECnet packets sent by the router or access server. Router# show xns traffic Displays information about the XNS packets sent by the router or access server. Router# clear dialer Clears the values of the general diagnostic statistics. Configuring Peer-to-Peer DDR with Dialer Profiles Configuration Examples Dialer Profiles DC-434 Cisco IOS Dial Technologies Configuration Guide Dialer Profile with Inbound Traffic Filter Example The following example shows a Cisco 5200 series router that has enabled the dialer idle-timeout command with the inbound keyword. This command allows only inbound traffic that conforms to the dialer list to establish a connection and reset the dialer idle timer. interface Serial0:23 no ip address no ip directed-broadcast encapsulation ppp dialer pool-member 1 max-link 2 isdn switch-type primary-5ess no cdp enable ppp authentication chap ! interface Dialer0 ip address 10.1.1.2 255.255.255.0 no ip directed-broadcast encapsulation ppp dialer remote-name 2610-2 dialer idle-timeout 30 inbound dialer string 2481301 dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap ppp multilink ! access-list 101 permit icmp any any access-list 101 deny ip any any dialer-list 1 protocol ip list 101 Dialer Profile for Central Site with Multiple Remote Sites Example The following example shows a central site that can place or receive calls from three remote sites over four ISDN BRI lines. Each remote site is on a different IP subnet and has different bandwidth requirements; therefore, three dialer interfaces and three dialer pools are defined. ! This is a dialer profile for reaching remote subnetwork 10.1.1.1. interface Dialer1 ip address 10.1.1.1 255.255.255.0 encapsulation ppp dialer remote-name Smalluser dialer string 4540 dialer pool 3 dialer-group 1 ! This is a dialer profile for reaching remote subnetwork 10.2.2.2. interface Dialer2 ip address 10.2.2.2 255.255.255.0 encapsulation ppp dialer remote-name Mediumuser dialer string 5264540 class Eng dialer load-threshold 50 either dialer pool 1 dialer-group 2 ! This is a dialer profile for reaching remote subnetwork 10.3.3.3. interface Dialer3 ip address 10.3.3.3 255.255.255.0 Configuring Peer-to-Peer DDR with Dialer Profiles Configuration Examples Dialer Profiles DC-435 Cisco IOS Dial Technologies Configuration Guide encapsulation ppp dialer remote-name Poweruser dialer string 4156884540 class Eng dialer hold-queue 10 dialer load-threshold 80 dialer pool 2 dialer-group 2 ! This map class ensures that these calls use an ISDN speed of 56 kbps. map-class dialer Eng isdn speed 56 interface BRI0 encapsulation PPP ! BRI 0 has a higher priority than BRI 1 in dialer pool 1. dialer pool-member 1 priority 100 ppp authentication chap interface BRI1 encapsulation ppp dialer pool-member 1 priority 50 dialer pool-member 2 priority 50 ! BRI 1 has a reserved channel in dialer pool 3; the channel remains inactive ! until BRI 1 uses it to place calls. dialer pool-member 3 min-link 1 ppp authentication chap interface BRI2 encapsulation ppp ! BRI 2 has a higher priority than BRI 1 in dialer pool 2. dialer pool-member 2 priority 100 ppp authentication chap interface BRI3 encapsulation ppp ! BRI 3 has the highest priority in dialer pool 2. dialer pool-member 2 priority 150 ppp authentication chap Dialer Profile for ISDN BRI Backing Up Two Leased Lines Example The following example shows the configuration of a site that backs up two leased lines using one BRI. Two dialer interfaces are defined. Each serial (leased line) interface is configured to use one of the dialer interfaces as a backup. Both of the dialer interfaces use BRI 0, and BRI 0 is a member of the two dialer pools. Thus, BRI 0 can back up two different serial interfaces and can make calls to two different sites. interface dialer0 ip unnumbered loopback0 encapsulation ppp dialer remote-name Remote0 dialer pool 1 dialer string 5551212 dialer-group 1 interface dialer1 ip unnumbered loopback0 encapsulation ppp dialer remote-name Remote1 dialer pool 2 dialer string 5551234 dialer-group 1 Configuring Peer-to-Peer DDR with Dialer Profiles Configuration Examples Dialer Profiles DC-436 Cisco IOS Dial Technologies Configuration Guide interface bri 0 encapsulation PPP dialer pool-member 1 dialer pool-member 2 ppp authentication chap interface serial 0 ip unnumbered loopback0 backup interface dialer0 backup delay 5 10 interface serial 1 ip unnumbered loopback0 backup interface dialer1 backup delay 5 10 Dynamic Multiple Encapsulations over ISDN Example The following example shows a network access server named NAS1 with dialer profiles and LAPB, X.25, and PPP encapsulations configured. Although the BRI0 D interface uses X.25 encapsulation, the actual encapsulations running over the ISDN B channels are determined by the encapsulations configured on the profile interfaces bound to them. When an ISDN B channel connects to remote user RU2 using CLID 60043, Dialer1 is bound to this ISDN B channel by CLID binding. The protocol used is PPP; the X.25 configuration on the D interface has no effect. Because the ppp authentication chap command is configured, even though the binding is done by CLID, PPP authentication is still performed over the name RU2 before the protocol is allowed to proceed. The Dialer2 interface uses DNIS-plus-ISDN-subaddress binding and is bound to a B channel with an incoming call with DNIS 60045 and ISDN subaddress 12345. Also note that the High-Level Data Link Control (HDLC) encapsulation has no username associated. It is no longer necessary to configure the dialer remote-name command, as in the previous dialer profile model. When there is an ISDN B-channel connection to remote user RU1 using CLID 60036, LAPB encapsulation will run on this connection once CLID binding to Dialer0 takes place. This connection will operate as a standalone link independent of other activities over other ISDN B channels. version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption service udp-small-servers service tcp-small-servers ! virtual-profile virtual-template 1 virtual-profile aaa ! hostname NAS1 ! aaa new-model aaa authentication ppp default radius aaa authorization network radius enable secret 5 $1$0Ced$YYJJl2p8f94lc/.JSgw8n1 enable password 7 153D19270D2E ! username RU1 password 7 11260B2E1E16 username RU2 password 7 09635C221001 no ip domain-lookup Configuring Peer-to-Peer DDR with Dialer Profiles Configuration Examples Dialer Profiles DC-437 Cisco IOS Dial Technologies Configuration Guide ip domain-name cisco.com ip name-server 192.168.30.32 ip name-server 172.16.2.132 isdn switch-type basic-5ess ! interface Virtual-Template 1 encapsulation ppp ppp authentication chap ! interface Ethernet0 ip address 172.21.17.11 255.255.255.0 no ip mroute-cache no cdp enable ! interface Serial0 ip address 10.2.2.1 255.0.0.0 shutdown clock rate 56000 ppp authentication chap ! interface Serial1 ip address 10.0.0.1 255.0.0.0 shutdown ! interface BRI0 description PBX 60035 no ip address encapsulation x25 no ip mroute-cache no keepalive dialer pool-member 1 dialer pool-member 2 ! interface Dialer0 ip address 10.1.1.1 255.0.0.0 encapsulation lapb dce multi no ip route-cache no ip mroute-cache no keepalive dialer remote-name RU1 dialer idle-timeout 300 dialer string 60036 dialer caller 60036 dialer pool 1 dialer-group 1 no fair-queue ! interface Dialer1 ip address 10.1.1.1 255.0.0.0 encapsulation ppp no ip route-cache no ip mroute-cache dialer remote-name RU2 dialer string 60043 dialer caller 60043 dialer pool 2 dialer-group 1 no fair-queue no cdp enable ppp authentication chap ! interface Dialer2 ip address 10.1.1.1 255.0.0.0 encapsulation hdlc Configuring Peer-to-Peer DDR with Dialer Profiles Configuration Examples Dialer Profiles DC-438 Cisco IOS Dial Technologies Configuration Guide dialer called 60045:12345 dialer pool 1 dialer-group 1 fair-queue ! radius-server host 172.19.61.87 radius-server key foobar snmp-server community public RO ! line con 0 exec-timeout 0 0 line aux 0 transport input all line vty 0 4 password 7 10611B320C13 login ! end Verifying the Dynamic Multiple Encapsulations Feature To see statistics on each physical interface bound to the dialer interface, and to verify dialer interfaces configured for binding, use the show interfaces EXEC command. Look for the reports “Bound to:” and “Interface is bound to...” while remembering that this feature applies only to ISDN. Router# show interfaces dialer0 Dialer0 is up, line protocol is up Hardware is Unknown Internet address is 10.1.1.2/8 MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255 Encapsulation PPP, loopback not set DTR is pulsed for 1 seconds on reset Interface is bound to BRI0:1 Last input 00:00:38, output never, output hang never Last clearing of “show interface” counters 00:05:36 Queueing strategy: fifo Output queue 0/40, 0 drops; input queue 0/75, 0 drops 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 38 packets input, 4659 bytes 34 packets output, 9952 bytes Bound to: BRI0:1 is up, line protocol is up Hardware is BRI MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255 Encapsulation PPP, loopback not set, keepalive not set Interface is bound to Dialer0 (Encapsulation PPP) LCP Open, multilink Open Last input 00:00:39, output 00:00:11, output hang never Last clearing of “show interface” counters never Queueing strategy: fifo Output queue 0/40, 0 drops; input queue 0/75, 0 drops 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 78 packets input, 9317 bytes, 0 no buffer Received 65 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 93 packets output, 9864 bytes, 0 underruns 0 output errors, 0 collisions, 7 interface resets 0 output buffer failures, 0 output buffers swapped out 4 carrier transitions Configuring Peer-to-Peer DDR with Dialer Profiles Configuration Examples Dialer Profiles DC-439 Cisco IOS Dial Technologies Configuration Guide At the end of the Dialer0 display, the show interfaces command is executed on each physical interface bound to it. In the next example, the physical interface is the B1 channel of the BRI0 link. This example also illustrates that the output under the B channel keeps all hardware counts that are not displayed under any logical or virtual access interface. The line in the report that states “Interface is bound to Dialer0 (Encapsulation LAPB)” indicates that this B interface is bound to the dialer 0 interface and that the encapsulation running over this connection is LAPB, not PPP, which is the encapsulation configured on the D interface and inherited by the B channel. Router# show interfaces bri0:1 BRI0:1 is up, line protocol is up Hardware is BRI MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255 Encapsulation PPP, loopback not set, keepalive not set Interface is bound to Dialer0 (Encapsulation LAPB) LCP Open, multilink Open Last input 00:00:31, output 00:00:03, output hang never Last clearing of “show interface” counters never Queueing strategy: fifo Output queue 0/40, 0 drops; input queue 0/75, 0 drops 5 minute input rate 0 bits/sec, 1 packets/sec 5 minute output rate 0 bits/sec, 1 packets/sec 110 packets input, 13994 bytes, 0 no buffer Received 91 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 135 packets output, 14175 bytes, 0 underruns 0 output errors, 0 collisions, 12 interface resets 0 output buffer failures, 0 output buffers swapped out 8 carrier transitions Any protocol configuration and states should be displayed from the dialer 0 interface. Configuring Peer-to-Peer DDR with Dialer Profiles Configuration Examples Dialer Profiles DC-440 Cisco IOS Dial Technologies Configuration Guide DC-441 Cisco IOS Dial Technologies Configuration Guide Configuring Snapshot Routing This chapter describes how to configure snapshot routing. It includes the following main sections: • Snapshot Routing Overview • How to Configure Snapshot Routing • Monitoring and Maintaining DDR Connections and Snapshot Routing • Configuration Examples for Snapshot Routing To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the snapshot routing commands mentioned in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Snapshot Routing Overview Snapshot routing enables a single router interface to call other routers during periods when the line protocol for the interface is up (these are called “active periods”). The router dials in to all configured locations during such active periods to get routes from all the remote locations. The router can be configured to exchange routing updates each time the line protocol goes from “down” to “up” or from “dialer spoofing” to “fully up.” The router can also be configured to dial the server router in the absence of regular traffic if the active period time expires. Snapshot routing is useful in two command situations: • Configuring static routes for dial-on-demand routing (DDR) interfaces • Reducing the overhead of periodic updates sent by routing protocols to remote branch offices over a dedicated serial line When configuring snapshot routing, you choose one router on the interface to be the client router and one or more other routers to be server routers. The client router determines the frequency at which routing information is exchanged between routers. Routing information is exchanged during an active period. During the active period, a client router dials all the remote server routers for which it has a snapshot dialer map defined in order to get routes from all the remote locations. The server router provides information about routes to each client router that calls. Configuring Snapshot Routing How to Configure Snapshot Routing DC-442 Cisco IOS Dial Technologies Configuration Guide At the end of the active period, the router takes a snapshot of the entries in the routing table. These entries remain frozen during a quiet period. At the end of the quiet period, another active period starts during which routing information is again exchanged; see Figure 59. Figure 59 Active and Quiet Periods in Snapshot Routing When the router makes the transition from the quiet period to the active period, the line might not be available for a variety of reasons. For example, the line might be down or busy, or the permanent virtual circuit (PVC) might be down. If this happens, the router has to wait through another entire quiet period before it can update its routing table entries. This wait might be a problem if the quiet period is very long—for example, 12 hours. To avoid the need to wait through the quiet period, you can configure a retry period. If the line is not available when the quiet period ends, the router waits for the amount of time specified by the retry period and then makes the transition to an active period. See to Figure 60. Figure 60 Retry Period in Snapshot Routing The retry period is also useful in a dialup environment in which there are more remote sites than router interface lines that dial in to a PRI and want routing information from that interface. For example, a PRI has 23 DS0s available, but you might have 46 remote sites. In this situation, you would have more dialer map commands than available lines. The router will try the dialer map commands in order and will use the retry time for the lines that it cannot immediately access. The following routed protocols support snapshot routing. Note that these are all distance-vector protocols. • AppleTalk—Routing Table Maintenance Protocol (RTMP) • Banyan VINES—Routing Table Protocol (RTP) • IP—Routing Information Protocol (RIP), Interior Gateway Routing Protocol (IGRP) • Internet Protocol Exchange (IPX)—RIP, Service Advertisement Protocol (SAP) How to Configure Snapshot Routing To configure snapshot routing, perform the tasks in the following sections: • Configuring the Client Router (Required) • Configuring the Server Router (Required) Active period Active period Quiet period S3105 Time (minutes) Active period Active period Quiet period Time (minutes) S3106 Active period Retry period Configuring Snapshot Routing How to Configure Snapshot Routing DC-443 Cisco IOS Dial Technologies Configuration Guide You can also monitor and maintain interfaces configured for snapshot routing. For tips on maintaining your network with snapshot routing, see the section “Monitoring and Maintaining DDR Connections and Snapshot Routing” later in this chapter. For an example of configuring snapshot routing, see the section “Configuration Examples for Snapshot Routing” at the end of this chapter. Configuring the Client Router To configure snapshot routing on the client router that is connected to a dedicated serial line, use the following commands beginning in global configuration mode: To configure snapshot routing on the client router that is connected to an interface configured for DDR, use the following commands beginning in global configuration mode: Repeat these steps for each map you want to define. Maps must be provided for all the remote server routers that this client router is to call during each active period. Because ISDN BRI and PRI automatically have rotary groups, you need not define a rotary group when configuring snapshot routing. To configure snapshot routing on the client router over an interface configured for BRI or PRI, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# interface serial number Specifies a serial interface. Step 2 Router(config-if)# snapshot client active-time quiet-time [suppress-statechange-updates] [dialer] Configures the client router. Command Purpose Step 1 Router(config)# interface serial number Specifies a serial interface. Step 2 Router(config-if)# dialer rotary-group number Configures a dialer rotary group. Step 3 Router(config-if)# interface dialer number Specifies a dialer interface. Step 4 Router(config-if)# snapshot client active-time quiet-time [suppress-statechange-updates] [dialer] Configures the client router. Step 5 Router(config-if)# dialer map snapshot sequence-number dial-string Defines a dialer map. Command Purpose Step 1 Router(config)# interface bri number Specifies a BRI interface. Step 2 Router(config-if)# snapshot client active-time quiet-time [suppress-statechange-updates] [dialer] Configures the client router. Step 3 Router(config-if)# dialer map snapshot sequence-number dial-string Defines a dialer map. Configuring Snapshot Routing Monitoring and Maintaining DDR Connections and Snapshot Routing DC-444 Cisco IOS Dial Technologies Configuration Guide Configuring the Server Router To configure snapshot routing on the server router that is connected to a dedicated serial line, use the following commands beginning in global configuration mode: To configure snapshot routing on the associated server router that is connected to an interface configured for DDR, use the following commands beginning in global configuration mode: The active period for the client router and its associated server routers should be the same. Monitoring and Maintaining DDR Connections and Snapshot Routing To monitor DDR connections and snapshot routing, use any of the following commands in privileged EXEC mode: Configuration Examples for Snapshot Routing The following example configures snapshot routing on an interface configured for DDR on the client router. In this configuration, a single client router can call multiple server routers. The client router dials to all different locations during each active period to get routes from all those remote locations. Command Purpose Step 1 Router(config)# interface serial number Specifies a serial interface. Step 2 Router(config-if)# snapshot server active-time [dialer] Configures the server router. Command Purpose Step 1 Router(config)# interface serial number Specifies a serial interface. Step 2 Router(config-if)# interface dialer number Specifies a dialer interface. Step 3 Router(config-if)# snapshot server active-time [dialer] Configures the server router. Command Purpose Router# show dialer [interface type number] Displays general diagnostics about the DDR interface. Router# show interfaces bri 0 Displays information about the ISDN interface. Router# clear snapshot quiet-time interface Terminates the snapshot routing quiet period on the client router within 2 minutes. Router# show snapshot [type number] Displays information about snapshot routing parameters. Router# clear dialer Clears the values of the general diagnostic statistics. Configuring Snapshot Routing Configuration Examples for Snapshot Routing DC-445 Cisco IOS Dial Technologies Configuration Guide The absence of the suppress-statechange-updates keyword means that routing updates will be exchanged each time the line protocol goes from “down” to “up” or from “dialer spoofing” to “fully up.” The dialer keyword on the snapshot client command allows the client router to dial the server router in the absence of regular traffic if the active period time expires. interface serial 0 dialer rotary-group 3 ! interface dialer 3 dialer in-band snapshot client 5 360 dialer dialer map snapshot 2 4155556734 dialer map snapshot 3 7075558990 The following example configures the server router: interface serial 2 snapshot server 5 dialer Configuring Snapshot Routing Configuration Examples for Snapshot Routing DC-446 Cisco IOS Dial Technologies Configuration Guide Dial-Backup Configuration DC-449 Cisco IOS Dial Technologies Configuration Guide Configuring Dial Backup for Serial Lines This chapter describes how to configure the primary interface to use the dial backup interface. It includes the following main sections: • Backup Serial Interface Overview • How to Configure Dial Backup • Configuration Examples for Dial Backup for Serial Interfaces To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the dial backup commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Backup Serial Interface Overview For a backup serial interface, an external DCE device, such as a modem attached to a circuit-switched service, must be connected to the backup serial interface. The external device must be capable of responding to a data terminal ready (DTR) Active signal by automatically dialing the preconfigured telephone number of the remote site. A backup interface is an interface that stays idle until certain circumstances occur; then it is activated. A backup interface for a serial interface can be an ISDN interface or a different serial interface. A backup interface can be configured to be activated when any of the following three circumstances occurs: • The primary line goes down. • The load on the primary line reaches a certain threshold. • The load on the primary line exceeds a specified threshold. To configure a dial backup to a serial interface, you must configure the interface to use the dial backup interface, specify the conditions in which the backup interface will be activated, and then configure the dial-backup interface for dial-on-demand routing (DDR). The DDR configuration specifies the conditions and destinations for dial calls. The serial interface (often called the primary interface) might be configured for DDR or for Frame Relay or X.25 over a leased line, but the backup tasks are the same in all three cases. Configuring Dial Backup for Serial Lines How to Configure Dial Backup DC-450 Cisco IOS Dial Technologies Configuration Guide Note Dial backup is also available using the Dialer Watch feature. Dialer Watch is based on routing characteristics instead of relying exclusively on interesting traffic conditions. For information about Dialer Watch, see the chapter “Configuring Dial Backup Using Dialer Watch” in this publication. To configure a backup interface for a serial interface based on one of the conditions listed, complete the following general steps: • Specify the interface and configure it as needed (for DDR, Frame Relay, or X.25). You can also specify and configure a Frame Relay subinterface. Refer to the chapters “Configuring Frame Relay” or “Configuring X.25” in the Cisco IOS Wide-Area Networking Configuration Guide. In this publication, see the chapter “Configuring Synchronous Serial Ports” and related chapters in the “Dial-on-Demand Routing” part for details. • Configure the primary interface or subinterface by specifying the dial backup interface and the conditions for activating the backup interface, as described in this chapter. • Configure the backup interface for DDR, as described in the “Dial-on-Demand Routing” part of this publication. See the chapters “Configuring Legacy DDR Spokes” (for point-to-point legacy DDR connections) or “Configuring Legacy DDR Hubs” (for point-to-multipoint legacy DDR connections) in this publication. If you have configured dialer profiles instead of legacy DDR, see the chapter “Configuring Dial Backup with Dialer Profiles” in this publication for backup information. How to Configure Dial Backup You must decide whether to activate the backup interface when the primary line goes down, when the traffic load on the primary line exceeds the defined threshold, or both. The tasks you perform depend on your decision. Perform the tasks in the following sections to configure dial backup: • Specifying the Backup Interface (Optional) • Defining the Traffic Load Threshold (Optional) • Defining Backup Line Delays (Optional) Then configure the backup interface for DDR, so that calls are placed as needed. See the chapters in the “Dial-on-Demand Routing” part of this publication for more information. For simple configuration examples, see the section “Configuration Examples for Dial Backup for Serial Interfaces” at the end of this chapter. Configuring Dial Backup for Serial Lines How to Configure Dial Backup DC-451 Cisco IOS Dial Technologies Configuration Guide Specifying the Backup Interface To specify a backup interface for a primary serial interface or subinterface, use one the following commands in interface configuration mode: Note When you enter the backup interface command, the configured physical or logical interface will be forced to standby mode. When you use a BRI for a dial backup (with Legacy DDR), neither of the B channels can be used because the physical BRI interface is in standby mode. However, with dialer profiles, only the logical dialer interface is placed in standby mode and the physical interface (BRI) still can be used for other connections by making it a member of another pool. When configured for legacy DDR, the backup interface can back up only one interface. For examples of selecting a backup line, see the sections “Dial Backup Using an Asynchronous Interface Example” and “Dial Backup Using DDR and ISDN Example” later in this chapter. Defining the Traffic Load Threshold You can configure dial backup to activate the secondary line based on the traffic load on the primary line. The software monitors the traffic load and computes a 5-minute moving average. If this average exceeds the value you set for the line, the secondary line is activated and, depending upon how the line is configured, some or all of the traffic will flow onto the secondary dialup line. To define how much traffic should be handled at one time on an interface, use the following command in interface configuration mode: Command Purpose Router(config-if)# backup interface type number or Cisco 7500 series routers: Router(config-if)# backup interface type slot/port or Cisco 7200 series routers: Router(config-if)# backup interface type slot/port-adapter/port Selects a backup interface. Command Purpose Router(config-if)# backup load {enable-threshold | never} {disable-load | never} Defines the traffic load threshold as a percentage of the available bandwidth of the primary line. Configuring Dial Backup for Serial Lines Configuration Examples for Dial Backup for Serial Interfaces DC-452 Cisco IOS Dial Technologies Configuration Guide Defining Backup Line Delays You can configure a value that defines how much time should elapse before a secondary line status changes after a primary line status has changed. You can define two delays: • A delay that applies after the primary line goes down but before the secondary line is activated • A delay that applies after the primary line comes up but before the secondary line is deactivated To define these delays, use the following command in interface configuration mode: For examples of how to define backup line delays, see the sections “Dial Backup Using an Asynchronous Interface Example” and “Dial Backup Using DDR and ISDN Example” at the end of this chapter. Configuration Examples for Dial Backup for Serial Interfaces The following sections present examples of specifying the backup interface: • Dial Backup Using an Asynchronous Interface Example • Dial Backup Using DDR and ISDN Example The following sections present examples of backup interfaces configured to be activated in three different circumstances: • The load on the primary line reaches a certain threshold. • The load on the primary line exceeds a specified threshold. • The primary line goes down. Dial Backup Using an Asynchronous Interface Example The following is an example for dial backup using asynchronous interface 1, which is configured for DDR: interface serial 0 ip address 172.30.3.4 255.255.255.0 backup interface async1 backup delay 10 10 ! interface async 1 ip address 172.30.3.5 255.255.255.0 dialer in-band dialer string 5551212 dialer-group 1 async dynamic routing dialer-list 1 protocol ip permit chat-script sillyman "" “atdt 5551212” TIMEOUT 60 “CONNECT” line 1 modem chat-script sillyman modem inout speed 9600 Command Purpose Router(config-if)# backup delay {enable-delay | never} {disable-delay | never} Defines backup line delays. Configuring Dial Backup for Serial Lines Configuration Examples for Dial Backup for Serial Interfaces DC-453 Cisco IOS Dial Technologies Configuration Guide Dial Backup Using DDR and ISDN Example The following example shows how to use an ISDN interface to back up a serial interface. Note When you use a BRI interface for dial backup, neither of the B channels can be used while the interface is in standby mode. Interface BRI 0 is configured to make outgoing calls to one number. This is a legacy DDR spoke example. interface serial 1 backup delay 0 0 backup interface bri 0 ip address 10.2.3.4 255.255.255.0 ! interface bri 0 ip address 10.2.3.5 255.255.255.0 dialer string 5551212 dialer-group 1 ! dialer-list 1 protocol ip permit Note Dialing will occur only after a packet is received to be output on BRI 0. We recommend using the dialer-list command with the protocol and permit keywords specified to control access for dial backup. Using this form of access control specifies that all packets are interesting. Dial Backup Service When the Primary Line Reaches Threshold Example The following example configures the secondary line (serial 1) to be activated only when the load of the primary line reaches a certain threshold: interface serial 0 backup interface serial 1 backup load 75 5 In this case, the secondary line will not be activated when the primary goes down. The secondary line will be activated when the load on the primary line is greater than 75 percent of the bandwidth of the primary line. The secondary line will then be brought down when the aggregate load between the primary and secondary lines fits within 5 percent of the primary bandwidth. The same example on a Cisco 7500 series router would be as follows: interface serial 1/1 backup interface serial 2/2 backup load 75 5 Dial Backup Service When the Primary Line Exceeds Threshold Example The following example configures the secondary line (serial 1) to activate when the traffic threshold on the primary line exceeds 25 percent: interface serial 0 backup interface serial 1 backup load 25 5 backup delay 10 60 Configuring Dial Backup for Serial Lines Configuration Examples for Dial Backup for Serial Interfaces DC-454 Cisco IOS Dial Technologies Configuration Guide When the aggregate load of the primary and the secondary lines returns to within 5 percent of the primary bandwidth, the secondary line is deactivated. The secondary line waits 10 seconds after the primary goes down before activating and remains active for 60 seconds after the primary returns and becomes active again. The same example on a Cisco 7500 series router would be as follows: interface serial 1/0 backup interface serial 2/0 backup load 25 5 backup delay 10 60 Dial Backup Service When the Primary Line Goes Down Example The following example configures the secondary line (serial 1) as a backup line that becomes active only when the primary line (serial 0) goes down. The backup line will not be activated because of load on the primary line. interface serial 0 backup interface serial 1 backup delay 30 60 The backup line is configured to activate 30 seconds after the primary line goes down and to remain on for 60 seconds after the primary line is reactivated. The same example on a Cisco 7500 series router would be as follows: interface serial 1/1 backup interface serial 2/0 backup delay 30 60 DC-455 Cisco IOS Dial Technologies Configuration Guide Configuring Dial Backup with Dialer Profiles This chapter describes how to configure dialer interfaces, which can be configured as the logical intermediary between one or more physical interfaces and another physical interface that is to function as backup. It includes the following main sections: • Dial Backup with Dialer Profiles Overview • How to Configure Dial Backup with Dialer Profiles • Configuration Example of Dialer Profile for ISDN BRI Backing Up Two Leased Lines To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the dial backup commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Dial Backup with Dialer Profiles Overview A backup interface is an interface that stays idle until certain circumstances occur; then it is activated. Dialer interfaces can be configured to use a specific dialing pool; in turn, physical interfaces can be configured to belong to the same dialing pool. See the section “Configuration Example of Dialer Profile for ISDN BRI Backing Up Two Leased Lines” at the end of this chapter for a comprehensive example of a dial backup interface using dialer profiles. In the example, one BRI functions as backup to two serial lines and can make calls to two different destinations. How to Configure Dial Backup with Dialer Profiles To configure a dialer interface and a specific physical interface to function as backup to other physical interfaces, perform the tasks in the following sections: • Configuring a Dialer Interface (Required) • Configuring a Physical Interface to Function As Backup (Required) • Configuring Interfaces to Use a Backup Interface (Required) Configuring Dial Backup with Dialer Profiles How to Configure Dial Backup with Dialer Profiles DC-456 Cisco IOS Dial Technologies Configuration Guide Configuring a Dialer Interface To configure the dialer interface that will be used as an intermediary between a physical interface that will function as backup interface and the interfaces that will use the backup, use the following commands beginning in global configuration mode: Configuring a Physical Interface to Function As Backup To configure the physical interface that is to function as backup, use the following commands beginning in global configuration mode: Configuring Interfaces to Use a Backup Interface To configure one or more interfaces to use a backup interface, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# interface dialer number Creates a dialer interface and begins interface configuration mode. Step 2 Router(config-if)# ip unnumbered loopback0 Specifies IP unnumbered loopback. Step 3 Router(config-if)# encapsulation ppp Specifies PPP encapsulation. Step 4 Router(config-if)# dialer remote-name username Specifies the Challenge Handshake Authentication Protocol (CHAP) authentication name of the remote router. Step 5 Router(config-if)# dialer string dial-string Specifies the remote destination to call. Step 6 Router(config-if)# dialer pool number Specifies the dialing pool to use for calls to this destination. Step 7 Router(config-if)# dialer-group group-number Assigns the dialer interface to a dialer group. Command Purpose Step 1 Router(config)# interface type number Specifies the interface and begins interface configuration mode. Step 2 Router(config-if)# encapsulation ppp Specifies PPP encapsulation. Step 3 Router(config-if)# dialer pool-member number Makes the interface a member of the dialing pool that the dialer interface will use; make sure the number arguments have the same value. Step 4 Router(config-if)# ppp authentication chap Specifies CHAP authentication. Command Purpose Step 1 Router(config)# interface type number Specifies the interface to be backed up and begins interface configuration mode. Step 2 Router(config-if)# ip unnumbered loopback0 Specifies IP unnumbered loopback. Configuring Dial Backup with Dialer Profiles Configuration Example of Dialer Profile for ISDN BRI Backing Up Two Leased Lines DC-457 Cisco IOS Dial Technologies Configuration Guide Configuration Example of Dialer Profile for ISDN BRI Backing Up Two Leased Lines The following example shows the configuration of a site that backs up two leased lines using one BRI. Two dialer interfaces are defined. Each serial (leased line) interface is configured to use one of the dialer interfaces as a backup. Both of the dialer interfaces use dialer pool 1, which has physical interface BRI 0 as a member. Thus, physical interface BRI 0 can back up two different serial interfaces and can make calls to two different sites. interface dialer0 ip unnumbered loopback0 encapsulation ppp dialer remote-name Remote0 dialer pool 1 dialer string 5551212 dialer-group 1 interface dialer1 ip unnumbered loopback0 encapsulation ppp dialer remote-name Remote1 dialer pool 1 dialer string 5551234 dialer-group 1 interface bri 0 encapsulation PPP dialer pool-member 1 ppp authentication chap interface serial 0 ip unnumbered loopback0 backup interface dialer 0 backup delay 5 10 interface serial 1 ip unnumbered loopback0 backup interface dialer1 backup delay 5 10 Step 3 Router(config-if)# backup interface dialer number Specifies the backup interface and begins interface configuration mode. Step 4 Router(config-if)# backup delay enable-delay disable-delay Specifies delay between the physical interface going down and the backup being enabled, and between the physical interface coming back up and the backup being disabled. Command Purpose Configuring Dial Backup with Dialer Profiles Configuration Example of Dialer Profile for ISDN BRI Backing Up Two Leased Lines DC-458 Cisco IOS Dial Technologies Configuration Guide DC-459 Cisco IOS Dial Technologies Configuration Guide Configuring Dial Backup Using Dialer Watch This chapter describes how to configure dial backup using the Dialer Watch feature. It includes the following main sections: • Dialer Watch Overview • How to Configure Dialer Backup with Dialer Watch • Configuration Examples for Dialer Watch To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the dial backup commands used to configure Dialer Watch, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Dialer Watch Overview Dialer Watch is a backup feature that integrates dial backup with routing capabilities. Prior dial backup implementations used the following conditions to trigger backup: • Interesting packets were defined at central and remote routers using dial-on-demand routing (DDR). • Connection loss occurred on a primary interface using a back up interface with floating static routes. • Traffic thresholds were exceeded using a dialer load threshold. Prior backup implementations may not have supplied optimum performance on some networks, such as those using Frame Relay multipoint subinterfaces or Frame Relay connections that do not support end-to-end permanent virtual circuit (PVC) status updates. Dialer Watch provides reliable connectivity without relying solely on defining interesting traffic to trigger outgoing calls at the central router. Dialer Watch uses the convergence times and characteristics of dynamic routing protocols. Integrating backup and routing features enables Dialer Watch to monitor every deleted route. By configuring a set of watched routes that define the primary interface, you are able to monitor and track the status of the primary interface as watched routes are added and deleted. Monitoring the watched routes is done in the following sequence: 1. Whenever a watched route is deleted, Dialer Watch checks whether there is at least one valid route for any of the defined watched IP addresses. 2. If no valid route exists, the primary line is considered down and unusable. Configuring Dial Backup Using Dialer Watch How to Configure Dialer Backup with Dialer Watch DC-460 Cisco IOS Dial Technologies Configuration Guide 3. If a valid route exists for at least one of the defined IP addresses and if the route is pointing to an interface other than the backup interface configured for Dialer Watch, the primary link is considered up. 4. If the primary link goes down, Dialer Watch is immediately notified by the routing protocol and the secondary link is brought up. 5. Once the secondary link is up, at the expiration of each idle timeout, the primary link is rechecked. 6. If the primary link remains down, the idle timer is indefinitely reset. 7. If the primary link is up, the secondary backup link is disconnected. Additionally, you can set a disable timer to create a delay for the secondary link to disconnect, after the primary link is reestablished. Dialer Watch provides the following advantages: • Routing—Backup initialization is linked to the dynamic routing protocol, rather than a specific interface or static route entry. Therefore, both primary and backup interfaces can be any interface type, and can be used across multiple interfaces and multiple routers. Dialer Watch also relies on convergence, which is sometimes preferred over traditional DDR links. • Routing protocol independent—Static routes or dynamic routing protocols, such as Interior Gateway Routing Protocol (IGRP), Enhanced IGRP (EIGRP) or Open Shortest Path First (OSPF) can be used. • Nonpacket semantics—Dialer Watch does not exclusively rely on interesting packets to trigger dialing. The link is automatically brought up when the primary line goes down without postponing dialing. • Dial backup reliability—DDR redial functionality is extended to dial indefinitely in the event that secondary backup lines are not initiated. Typically, DDR redial attempts are affected by enable-timeouts and wait-for-carrier time values. Intermittent media difficulties or flapping interfaces can cause problems for traditional DDR links. However, Dialer Watch automatically reestablishes the secondary backup line on ISDN, synchronous, and asynchronous serial links. The following prerequisites apply to Dialer Watch: • The router is dial backup capable, meaning the router has a data communications equipment (DCE), terminal adapter, or network termination 1 device attached that supports V.25bis. • The router is configured for DDR. This configuration includes traditional commands such as dialer map and dialer in-band commands, and so on. • Dialer Watch is only supported for IP at this time. For information on how to configure traditional DDR for dial backup, see the other chapters in the “Dial Backup” part of this publication. How to Configure Dialer Backup with Dialer Watch To configure Dialer Watch, perform the following tasks. All tasks are required except the last one to set a disable timer. • Determining the Primary and Secondary Interfaces (Required) • Determining the Interface Addresses and Networks to Watch (Required) • Configuring the Interface to Perform DDR Backup (Required) Configuring Dial Backup Using Dialer Watch How to Configure Dialer Backup with Dialer Watch DC-461 Cisco IOS Dial Technologies Configuration Guide • Creating a Dialer List (Required) • Setting the Disable Timer on the Backup Interface (Optional) Determining the Primary and Secondary Interfaces Decide which interfaces on which routers will act as primary and secondary interfaces. Unlike traditional backup methods, you can define multiple interfaces on multiple routers instead of a singly defined interface on one router. Determining the Interface Addresses and Networks to Watch Determine which addresses and networks are to be monitored or watched. Typically, this will be the address of an interface on a remote router or a network advertised by a central or remote router. Configuring the Interface to Perform DDR Backup To initiate Dialer Watch, you must configure the interface to perform DDR and backup. Use traditional DDR configuration commands, such as dialer maps, for DDR capabilities. To enable Dialer Watch on the backup interface, use the following command in interface configuration mode: Creating a Dialer List To define the IP addresses that you want watched, use the following command in global configuration mode: The dialer watch-list command is the means to detect if the primary interface is up or down. The primary interface is determined to be up when there is an available route with a valid metric to any of the addresses defined in this list, and it points to an interface other than the interface on which the dialer watch-group command is defined. The primary interface is determined to be down when there is no available route to any of the addresses defined in the dialer watch-list command. Setting the Disable Timer on the Backup Interface This task is optional. Under some conditions, you may want to implement a delay before the backup interface is dropped once the primary interface recovers. This delay can ensure stability, especially for flapping interfaces or interfaces experiencing frequent route changes. Command Purpose Router(config-if)# dialer watch-group group-number Enables Dialer Watch on the backup interface. Command Purpose Router(config)# dialer watch-list group-number ip ip-address address-mask Defines all IP addresses to be watched. Configuring Dial Backup Using Dialer Watch Configuration Examples for Dialer Watch DC-462 Cisco IOS Dial Technologies Configuration Guide Note The dialer watch-disable command used in Dialer Watch configurations was Replaced in Cisco IOS Release 12.3(11)T by the dialer watch-list delay command. When using the dialer watch-list delay command in software later than Cisco IOS Release 12.3(11)T, you can specify both a connect and disconnect timer for the disable timer. The disconnect time specifies that the disconnect timer is started when the secondary link is up and after the idle timeout period has expired, and only when software has determined that the primary route has come up In Cisco IOS Software Releases Prior to 12.3(11)T To apply a disable time, use the following command in interface configuration mode: In Cisco IOS Software Releases After 12.3(11)T To apply a disable time, use the following command in global configuration mode: Configuration Examples for Dialer Watch The dialer watch-disable command used in Dialer Watch configurations was replaced in Cisco IOS Release 12.3(11)T by the dialer watch-list delay command. The following sections provide examples of how to configure Dialer Watch in software before and after the dialer watch-disable command was replaced. • Dialer Watch Configuration Example Prior to Cisco IOS Release 12.3(11)T, page 463 • Dialer Watch Configuration Example After Cisco IOS Release 12.3(11)T, page 467 Command Purpose Router(config-if)# dialer watch-disable seconds Applies a disable time to the interface. Command Purpose Router(config-if)# dialer watch-list group-number delay {connect connect-time | disconnect disconnect-time} Configures a disable time. • group-number—Group number assigned to the list. Valid group numbers are from 1 to 255. • delay—Specifies that the router will delay dialing the secondary link when the primary link becomes unavailable. • connect connect-time—Time, in seconds, after which the router rechecks for availability of the primary link. If the primary link is still unavailable, the secondary link is then dialed. Valid times range from 1 to 2147483 seconds. • disconnect disconnect-time—Time, in seconds, that specifies when to disconnect. Disconnect occurs when the secondary link is up and after the idle timeout period has expired, and only when software has determined that the primary route has come up. Valid times range from 1 to 2147483 seconds. Configuring Dial Backup Using Dialer Watch Configuration Examples for Dialer Watch DC-463 Cisco IOS Dial Technologies Configuration Guide Dialer Watch Configuration Example Prior to Cisco IOS Release 12.3(11)T In the following example, an ISDN BRI line is used to back up a serial leased line connection by configuring the Dialer Watch feature on a router named maui-soho-01. The Dialer Watch feature enables the router to monitor the existence of a specified route. If that route is not present, the backup interface is activated. Unlike other backup methods, the Dialer Watch feature does not require interesting traffic to activate the backup interface. The configuration shown in Figure 61 uses legacy dial-on-demand routing (DDR) and the Open Shortest Path First (OSPF) routing protocol. Dialer profiles can be used in place of DDR. Once the backup connection is activated, you must ensure that the routing table is updated to use the new backup route. Additional information about the Dialer Watch feature is available at the following website: http://www.cisco.com/warp/public/129/bri-backup-map-watch.html For additional information on configuring legacy DDR, dialer profiles, PPP, and traditional dial backup features, see the relevant chapters in this publication. Figure 61 Dialer Watch for Frame Relay Interfaces Note The following example uses commands supported in Cisco IOS software prior to Release 12.3(11)T. See the updated example for configuring Dialer Watch after Cisco IOS Release 12.3(11)T that follows this example. Configuration for maui-soho-01 maui-soho-01# show running-config Building configuration... Current configuration : 1546 bytes ! version 12.1 no service single-slot-reload-enable service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname maui-soho-01 ! logging rate-limit console 10 except errors aaa new-model aaa authentication login default local aaa authentication login NO_AUTHEN none aaa authentication ppp default local bri0 172.20.10.2 bri1/0 172.20.10.1 192.168.10.1 s2/0 192.168.10.2 172.22.53.0/24 maui-soho-01 maui-nas-05 60177 ISDN (backup link) Serial network s0 (primary link) e0/0 Configuring Dial Backup Using Dialer Watch Configuration Examples for Dialer Watch DC-464 Cisco IOS Dial Technologies Configuration Guide !This is basic AAA configuration for PPP calls. enable secret 5 ! username maui-nas-05 password 0 cisco !Username for remote router (maui-nas-05) and shared secret. !Shared secret(used for CHAP authentication) must be the same on both sides. ip subnet-zero no ip finger ! isdn switch-type basic-ni ! interface Loopback0 ip address 172.17.1.1 255.255.255.0 ! interface Ethernet0 ip address 172.16.1.1 255.255.255.0 ! interface Serial0 !Primary link. ip address 192.168.10.2 255.255.255.252 encapsulation ppp ppp authentication chap ! interface BRI0 ip address 172.20.10.2 255.255.255.0 !IP address for the BRI interface (backup link). encapsulation ppp dialer idle-timeout 30 !Idle timeout(in seconds)for this backup link. !Dialer watch checks the status of the primary link every time the !idle-timeout expires. dialer watch-disable 15 !Delays disconnecting the backup interface for 15 seconds after the !primary interface is found to be up. dialer map ip 172.20.10.1 name maui-nas-05 broadcast 5550111 !Dialer map for the BRI interface of the remote router. dialer map ip 172.22.53.0 name maui-nas-05 broadcast 5550111 !Map statement for the route/network being watched by the !dialer watch-list command. !This address must exactly match the network configured with the !dialer watch-list command. !When the watched route disappears, this dials the specified phone number. dialer watch-group 8 !Enable Dialer Watch on this backup interface. !Watch the route specified with dialer watch-list 8. dialer-group 1 !Apply interesting traffic defined in dialer-list 1. isdn switch-type basic-ni isdn spid1 51255522220101 5550112 isdn spid2 51255522230101 5550112 ppp authentication chap !Use chap authentication. ! router ospf 5 log-adjacency-changes network 172.16.1.0 0.0.0.255 area 0 network 172.17.1.0 0.0.0.255 area 0 network 172.20.10.0 0.0.0.255 area 0 network 192.168.10.0 0.0.0.3 area 0 ! ip classless no ip http server ! Configuring Dial Backup Using Dialer Watch Configuration Examples for Dialer Watch DC-465 Cisco IOS Dial Technologies Configuration Guide dialer watch-list 8 ip 172.22.53.0 255.255.255.0 !This defines the route(s) to be watched. !This exact route(including subnet mask) must exist in the routing table. !Use the dialer watch-group 8 command to apply this list to the backup interface. access-list 101 remark Define Interesting Traffic access-list 101 deny ospf any any !Mark OSPF as uninteresting. !This will prevent OSPF hellos from keeping the link up. Access-list 101 permit ip any any dialer-list 1 protocol ip list 101 !Interesting traffic is defined by access-list 101. !This is applied to BRI0 using dialer-group 1. ! line con 0 login authentication NO_AUTHEN transport input none line vty 0 4 ! end Configuration for maui-nas-05 maui-nas-05# show running-config Building configuration... Current configuration: ! version 12.1 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname maui-nas-05 ! aaa new-model aaa authentication login default local aaa authentication login NO_AUTHEN none aaa authentication ppp default local ! -- This is basic AAA configuration for PPP calls. Enable secret 5 ! username maui-soho-01 password 0 cisco !Username for remote router (maui-soho-01) and shared secret. !Shared secret(used for CHAP authentication) must be the same on both sides. ! ip subnet-zero ! isdn switch-type basic-ni ! interface Loopback0 ip address 172.22.1.1 255.255.255.0 ! interface Ethernet0/0 ip address 172.22.53.105 255.255.255.0 ! interface Ethernet0/1 no ip address shutdown ! interface BRI1/0 !Backup link. ip address 172.20.10.1 255.255.255.0 encapsulation ppp Configuring Dial Backup Using Dialer Watch Configuration Examples for Dialer Watch DC-466 Cisco IOS Dial Technologies Configuration Guide dialer map ip 172.20.10.2 name maui-soho-01 broadcast !Dialer map with IP address and authenticated username for remote destination. !The name should match the authentication username provided by the remote side. !The dialer map statement is used even though this router is not dialing out. Dialer-group 1 !Apply interesting traffic defined in dialer-list 1. isdn switch-type basic-ni isdn spid1 51255501110101 5550111 isdn spid2 51255501120101 5550112 ppp authentication chap ! . . . ! interface Serial2/0 ip address 192.168.10.1 255.255.255.252 encapsulation ppp clockrate 64000 ppp authentication chap ! . . . ! router ospf 5 network 172.20.10.0 0.0.0.255 area 0 network 172.22.1.0 0.0.0.255 area 0 network 172.22.53.0 0.0.0.255 area 0 network 192.168.10.0 0.0.0.3 area 0 default-information originate ! ip classless ip route 0.0.0.0 0.0.0.0 Ethernet0/0 no ip http server ! dialer-list 1 protocol ip permit !This defines all IP traffic as interesting. ! line con 0 login authentication NO_AUTHEN transport input none line 97 102 line aux 0 line vty 0 4 ! end Configuring Dial Backup Using Dialer Watch Configuration Examples for Dialer Watch DC-467 Cisco IOS Dial Technologies Configuration Guide Dialer Watch Configuration Example After Cisco IOS Release 12.3(11)T The following example shows how to configure Dialer Watch using the dialer watch-list delay command that replaced the dialer watch-disable command. Configuration for maui-soho-01 maui-soho-01# show running-config Building configuration... Current configuration : 1546 bytes ! version 12.4 no service single-slot-reload-enable service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname maui-soho-01 ! logging rate-limit console 10 except errors aaa new-model aaa authentication login default local aaa authentication login NO_AUTHEN none aaa authentication ppp default local !This is basic AAA configuration for PPP calls. enable secret 5 ! username maui-nas-05 password 0 cisco !Username for remote router (maui-nas-05) and shared secret. !Shared secret(used for CHAP authentication) must be the same on both sides. ip subnet-zero no ip finger ! isdn switch-type basic-ni ! interface Loopback0 ip address 172.17.1.1 255.255.255.0 ! interface Ethernet0 ip address 172.16.1.1 255.255.255.0 ! interface Serial0 !Primary link. ip address 192.168.10.2 255.255.255.252 encapsulation ppp ppp authentication chap ! interface BRI0 ip address 172.20.10.2 255.255.255.0 !IP address for the BRI interface (backup link). encapsulation ppp dialer idle-timeout 30 !Idle timeout(in seconds)for this backup link. !Dialer watch checks the status of the primary link every time the !idle-timeout expires. dialer map ip 172.20.10.1 name maui-nas-05 broadcast 5550111 !Dialer map for the BRI interface of the remote router. dialer map ip 172.22.53.0 name maui-nas-05 broadcast 5550111 !Map statement for the route/network being watched by the !dialer watch-list command. !This address must exactly match the network configured with the !dialer watch-list command. Configuring Dial Backup Using Dialer Watch Configuration Examples for Dialer Watch DC-468 Cisco IOS Dial Technologies Configuration Guide !When the watched route disappears, this dials the specified phone number. dialer watch-group 8 !Enable Dialer Watch on this backup interface. !Watch the route specified with dialer watch-list 8. dialer-group 1 !Apply interesting traffic defined in dialer-list 1. isdn switch-type basic-ni isdn spid1 51255522220101 5552222 isdn spid2 51255522230101 5552223 ppp authentication chap !Use chap authentication. dialer watch-list 8 delay disconnect 15 !Delays disconnecting the backup interface for 15 seconds after the !primary interface is found to be up. ! router ospf 5 log-adjacency-changes network 172.16.1.0 0.0.0.255 area 0 network 172.17.1.0 0.0.0.255 area 0 network 172.20.10.0 0.0.0.255 area 0 network 192.168.10.0 0.0.0.3 area 0 ! ip classless no ip http server ! dialer watch-list 8 ip 172.22.53.0 255.255.255.0 !This defines the route(s) to be watched. !This exact route(including subnet mask) must exist in the routing table. !Use the dialer watch-group 8 command to apply this list to the backup interface. access-list 101 remark Define Interesting Traffic access-list 101 deny ospf any any !Mark OSPF as uninteresting. !This will prevent OSPF hellos from keeping the link up. Access-list 101 permit ip any any dialer-list 1 protocol ip list 101 !Interesting traffic is defined by access-list 101. !This is applied to BRI0 using dialer-group 1. ! line con 0 login authentication NO_AUTHEN transport input none line vty 0 4 ! end Configuration for maui-nas-05 maui-nas-05# show running-config Building configuration... Current configuration: ! version 12.4 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname maui-nas-05 ! aaa new-model aaa authentication login default local aaa authentication login NO_AUTHEN none aaa authentication ppp default local Configuring Dial Backup Using Dialer Watch Configuration Examples for Dialer Watch DC-469 Cisco IOS Dial Technologies Configuration Guide ! -- This is basic AAA configuration for PPP calls. Enable secret 5 ! username maui-soho-01 password 0 cisco !Username for remote router (maui-soho-01) and shared secret. !Shared secret(used for CHAP authentication) must be the same on both sides. ! ip subnet-zero ! isdn switch-type basic-ni ! interface Loopback0 ip address 172.22.1.1 255.255.255.0 ! interface Ethernet0/0 ip address 172.22.53.105 255.255.255.0 ! interface Ethernet0/1 no ip address shutdown ! interface BRI1/0 !Backup link. ip address 172.20.10.1 255.255.255.0 encapsulation ppp dialer map ip 172.20.10.2 name maui-soho-01 broadcast !Dialer map with IP address and authenticated username for remote destination. !The name should match the authentication username provided by the remote side. !The dialer map statement is used even though this router is not dialing out. Dialer-group 1 !Apply interesting traffic defined in dialer-list 1. isdn switch-type basic-ni isdn spid1 51255501110101 5550111 isdn spid2 51255501120101 5550112 ppp authentication chap ! ! <<-- irrelevant output removed ! interface Serial2/0 ip address 192.168.10.1 255.255.255.252 encapsulation ppp clockrate 64000 ppp authentication chap ! ! <<-- irrelevant output removed ! router ospf 5 network 172.20.10.0 0.0.0.255 area 0 network 172.22.1.0 0.0.0.255 area 0 network 172.22.53.0 0.0.0.255 area 0 network 192.168.10.0 0.0.0.3 area 0 default-information originate ! ip classless ip route 0.0.0.0 0.0.0.0 Ethernet0/0 no ip http server ! dialer-list 1 protocol ip permit !This defines all IP traffic as interesting. ! line con 0 login authentication NO_AUTHEN transport input none line 97 102 Configuring Dial Backup Using Dialer Watch Configuration Examples for Dialer Watch DC-470 Cisco IOS Dial Technologies Configuration Guide line aux 0 line vty 0 4 ! end Dial-Related Addressing Services DC-473 Cisco IOS Dial Technologies Configuration Guide Configuring Cisco Easy IP This chapter describes how to configure the Cisco Easy IP feature. It includes the following main sections: • Cisco Easy IP Overview • How to Configure Cisco Easy IP • Configuration Examples for Cisco Easy IP To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the Cisco Easy IP commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Cisco Easy IP Overview Cisco Easy IP enables transparent and dynamic IP address allocation for hosts in remote environments using the following functionality: • Cisco Dynamic Host Configuration Protocol (DHCP) server • Port Address Translation (PAT), a subset of Network Address Translation (NAT) • Dynamic PPP/IP Control Protocol (PPP/IPCP) WAN interface IP address negotiation With the Cisco IOS Easy IP, a Cisco router automatically assigns local IP addresses to remote hosts (such as small office, home office or SOHO routers) using DHCP with the Cisco IOS DHCP server, automatically negotiates its own registered IP address from a central server via PPP/IPCP, and uses PAT functionality to enable all SOHO hosts to access the Internet using a single registered IP address. Because Cisco IOS Easy IP uses existing port-level multiplexed NAT functionality within Cisco IOS software, IP addresses on the remote LAN are invisible to the Internet, making the remote LAN more secure. Cisco Easy IP provides the following benefits: • Minimizes Internet access costs for remote offices • Minimizes configuration requirements on remote access routers • Enables transparent and dynamic IP address allocation for hosts in remote environments • Improves network security capabilities at each remote site Configuring Cisco Easy IP Cisco Easy IP Overview DC-474 Cisco IOS Dial Technologies Configuration Guide • Conserves registered IP addresses • Maximizes IP address manageability Figure 62 shows a typical scenario for using the Cisco Easy IP feature. Figure 62 Telecommuter and Branch Office LANs Using Cisco Easy IP Steps 1 through 4 show how Cisco Easy IP works: Step 1 When a SOHO host generates “interesting” traffic (as defined by Access Control Lists) for dialup (first time only), the Easy IP router requests a single registered IP address from the access server at the central site via PPP/IPCP. (See Figure 63.) Figure 63 Cisco Easy IP Router Requests a Dynamic Global IP Address Step 2 The central site router replies with a dynamic global address from a local DHCP IP address pool. (See Figure 64.) Internet Central site Telecommuter LAN using an Easy IP router Branch office LAN using an Easy IP router Telecommuter LAN using an Easy IP router Branch office LAN using an Easy IP router S6771 Host A 10.0.0.1 Host B DHCP server Easy IP router SOHO Central site S6774 WAN link IPCP IP-address negotiation Configuring Cisco Easy IP Cisco Easy IP Overview DC-475 Cisco IOS Dial Technologies Configuration Guide Figure 64 Dynamic Global IP Address Delivered to the Cisco Easy IP Router Step 3 The Cisco Easy IP router uses port-level NAT functionality to automatically create a translation that associates the registered IP address of the WAN interface with the private IP address of the client. (See Figure 65.) Figure 65 Port-Level NAT Functionality Used for IP Address Translation Step 4 The remote hosts contain multiple static IP addresses while the Cisco Easy IP router obtains a single registered IP address using PPP/IPCP. The Cisco Easy IP router then creates port-level multiplexed NAT translations between these addresses so that each remote host address (inside private address) is translated to a single external address assigned to the Cisco Easy IP router. This many-to-one address translation is also called port-level multiplexing or PAT. Note that the NAT port-level multiplexing function can be used to conserve global addresses by allowing the remote routers to use one global address for many local addresses. (See Figure 66.) Host A 10.0.0.1 Host B DHCP server Easy IP router SOHO Central site 54720 WAN link Your global IP address is 172.18.9.4 Host A 10.0.0.1 Host B DHCP server Easy IP router SOHO Central site 54720 WAN link Your global IP address is 172.18.9.4 Configuring Cisco Easy IP How to Configure Cisco Easy IP DC-476 Cisco IOS Dial Technologies Configuration Guide Figure 66 Multiple Private Internal IP Addresses Bound to a Single Global IP Address How to Configure Cisco Easy IP Before using Cisco Easy IP, perform the following tasks: • Configure the ISDN switch type and service provider identifier (SPID), if using ISDN. • Configure the static route from LAN to WAN interface. • Configure the Cisco IOS DHCP server. For information about configuring ISDN switch types, see the chapter “Setting Up ISDN Basic Rate Service” earlier in this publication. For information about configuring static routes, refer to the chapter “Configuring IP Services” in the Cisco IOS IP Configuration Guide. The Cisco IOS DHCP server supports both DHCP and BOOTP clients and supports finite and infinite address lease periods. DHCP address binding information is stored on a remote host via remote copy protocol (RCP), FTP, or TFTP. Refer to the Cisco IOS IP Configuration Guide for DHCP configuration instructions. In its most simple configuration, a Cisco Easy IP router or access server will have a single LAN interface and a single WAN interface. Based on this model, to use Cisco Easy IP you must perform the tasks in the following sections: • Defining the NAT Pool (Required) • Configuring the LAN Interface (Required) • Defining NAT for the LAN Interface (Required) • Configuring the WAN Interface (Required) • Enabling PPP/IPCP Negotiation (Required) • Defining NAT for the Dialer Interface (Required) • Configuring the Dialer Interface (Required) For configuration examples, see the section “Configuration Examples for Cisco Easy IP” at the end of this chapter. Host A 10.0.0.1 Host B 10.0.0.2 DHCP server Easy IP router 172.18.9.4 NAT Table Inside Outside 10.0.0.1 10.0.0.2 172.18.9.4 : 4880 172.18.9.4 : 4881 SOHO Central site 54718 Configuring Cisco Easy IP How to Configure Cisco Easy IP DC-477 Cisco IOS Dial Technologies Configuration Guide Defining the NAT Pool The first step in enabling Cisco Easy IP is to create a pool of internal IP addresses to be translated. To define the NAT pool, use the following commands in global configuration mode: For information about creating access lists, refer to the chapter “Configuring IP Services” in the Cisco IOS IP Configuration Guide. Configuring the LAN Interface To configure the LAN interface, use the following commands beginning in global configuration mode: For information about assigning IP addresses and subnet masks to network interfaces, refer to the chapter “Configuring IP Services” in the Cisco IOS IP Configuration Guide. Defining NAT for the LAN Interface To ensure that the LAN interface is connected to the inside network (and therefore subject to NAT), use the following command in interface configuration mode: Configuring the WAN Interface To configure the WAN interface, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# access-list access-list-number permit source [source-wildcard] Defines a standard access list permitting those addresses that are to be translated. Step 2 Router(config)# ip nat inside source list access-list-number interface dialer-name overload Establishes dynamic source translation, identifying the access list defined in the prior step. Command Purpose Step 1 Router(config)# interface type number Selects a specific LAN interface and begins interface configuration mode. Step 2 Router(config-if)# ip address address mask Defines the IP address and subnet mask for this interface. Command Purpose Router(config-if)# ip nat inside Defines the interface as internal for NAT. Command Purpose Step 1 Router(config)# interface type number Selects the WAN interface and begins interface configuration mode. Step 2 Router(config-if)# no ip address Removes any associated IP address from this interface. Configuring Cisco Easy IP How to Configure Cisco Easy IP DC-478 Cisco IOS Dial Technologies Configuration Guide Enabling PPP/IPCP Negotiation To enable PPP/IPCP negotiation on the dialer interface, use the following commands beginning in global configuration mode: Defining NAT for the Dialer Interface To define that the dialer interface is connected to the outside network, use the following commands beginning in global configuration mode: Configuring the Dialer Interface To configure the dialer interface information, use the following commands beginning in global configuration mode: Step 3 Router(config-if)# encapsulation ppp Selects PPP as the encapsulation method for this interface. Step 4 Router(config-if)# dialer pool-member number Binds the WAN interface to the dialer interface. Command Purpose Command Purpose Step 1 Router(config)# interface dialer-name Selects the dialer interface and begins interface configuration mode. Step 2 Router(config-if)# ip address negotiated Enables PPP/IPCP negotiation for this interface. Command Purpose Step 1 Router(config)# interface dialer-name Selects the dialer interface and begins interface configuration mode. Step 2 Router(config-if)# ip nat outside Defines the interface as external for network address translation. Command Purpose Step 1 Router(config)# interface dialer-name Selects the dialer interface and begins interface configuration mode. Step 2 Router(config-if)# dialer wait-for-carrier-time seconds Specifies for a dialer interface the length of time the interface waits for a carrier before timing out. Step 3 Router(config-if)# dialer hold-queue packets Creates a dialer hold queue and specifies the number of packets to be held in it. Step 4 Router(config-if)# dialer remote-name username Specifies the remote router Challenge Handshake Authentication Protocol (CHAP) authentication name. Configuring Cisco Easy IP Configuration Examples for Cisco Easy IP DC-479 Cisco IOS Dial Technologies Configuration Guide Timeout Considerations Dynamic NAT translations time out automatically after a predefined default period. Although configurable, with the port-level NAT functionality in Cisco Easy IP, Domain Name System (DNS) User Datagram Protocol (UDP) translations time out after 5 minutes, while DNS translations time out after 1 minute by default. TCP translations time out after 24 hours by default, unless a TCP Reset (RST) or TCP Finish (FIN) is seen in the TCP stream, in which case the translation times out after 1 minute. If the Cisco IOS Easy IP router exceeds the dialer idle-timeout period, it is expected that all active TCP sessions were previously closed via an RST or FIN. NAT times out all TCP translations before the Cisco Easy IP router exceeds the dialer idle-timeout period. The router then renegotiates another registered IP address the next time the WAN link is brought up, thereby creating new dynamic NAT translations that bind the IP addresses of the LAN host to the newly negotiated IP address. Configuration Examples for Cisco Easy IP The following example shows how to configure BRI interface 0 (shown as interface bri0) to obtain its IP address via PPP/IPCP address negotiation: ! The following command defines the NAT pool. ip nat inside source list 101 interface dialer1 overload ! ! The following commands define the ISDN switch type. isdn switch type vn3 isdn tei-negotiation first-call ! ! The following commands define the LAN address and subnet mask. interface ethernet0 ip address 10.0.0.4 255.0.0.0 ! The following command defines ethernet0 as internal for NAT. ip nat inside ! ! The following commands binds the physical interface to the dialer1 interface. interface bri0 no ip address encapsulation ppp dialer pool-member 1 ! interface dialer1 ! ! The following command enables PPP/IPCP negotiation for this interface. ip address negotiated encapsulation ppp Step 5 Router(config-if)# dialer idle-timeout seconds Specifies the amount of idle time that can pass before calls to the central access server are disconnected. See the next section “Timeout Considerations,” for more details on this setting. Step 6 Router(config-if)# dialer string dialer-string Specifies the telephone number required to reach the central access server. Step 7 Router(config-if)# dialer pool number Specifies the dialing pool to use. Step 8 Router(config-if)# dialer-group group-number Assigns the dialer interface to a dialer group. Command Purpose Configuring Cisco Easy IP Configuration Examples for Cisco Easy IP DC-480 Cisco IOS Dial Technologies Configuration Guide ! ! The following command defines interface dialer1 as external for NAT. ip nat outside dialer remote-name dallas dialer idle-timeout 180 ! ! The following command defines the dialer string for the central access server. dialer string 4159991234 dialer pool 1 dialer-group 1 ! ! The following commands define the static route to the WAN interface. ip route 0.0.0.0 0.0.0.0 dialer1 access-list 101 permit ip 10.0.0.0 0.255.255.255 any dialer-list 1 protocol ip list 101 The following example shows how to configure an asynchronous interface (interface async1) to obtain its IP address via PPP/IPCP address negotiation: ! This command defines the NAT pool. ip nat inside source list 101 interface dialer 1 overload ! ! The following commands define the LAN IP address and subnet mask. interface ethernet0 ip address 10.0.0.4 255.0.0.0 ! ! The following command defines ethernet0 as internal for NAT. ip nat inside ! ! The following commands bind the physical dialer1 interface. interface async1 no ip address encapsulation ppp async mode dedicated dialer pool-member 1 ! interface dialer1 ! ! The following command enables PPP/IPCP negotiation for this interface. ip address negotiated encapsulation ppp ! ! The following command defines interface dialer1 as external for NAT. ip nat outside dialer wait-for-carrier-time 30 dialer hold-queue 10 dialer remote-name dallas dialer idle-timeout 180 ! ! The following command defines the dialer string for the central access server. dialer string 4159991234 dialer pool 1 dialer-group 1 ! ! The following commands define the static route to the WAN interface. ip route 0.0.0.0 0.0.0.0 dialer1 access-list 101 permit ip 10.0.0.0 0.255.255.255 any dialer-list 1 protocol ip list 101 Virtual Templates, Profiles, and Networks DC-483 Cisco IOS Dial Technologies Configuration Guide Configuring Virtual Template Interfaces This chapter describes how to configure virtual template interfaces. It includes the following main sections: • Virtual Template Interface Service Overview • How to Configure a Virtual Template Interface • Monitoring and Maintaining a Virtual Access Interface • Configuration Examples for Virtual Template Interface The following template and virtual interface limitations apply: • Although a system can generally support many virtual template interfaces, one template for each virtual access application is a more realistic limit. • When in use, each virtual access interface cloned from a template requires the same amount of memory as a serial interface. Limits to the number of virtual access interfaces that can be configured are determined by the platform. • Virtual access interfaces are not directly configurable by users, except by configuring a virtual template interface or including the configuration information of the user (through virtual profiles or per-user configuration) on an authentication, authorization, and accounting (AAA) server. However, information about an in-use virtual access interface can be displayed, and the virtual access interface can be cleared. • Virtual interface templates provide no direct value to users; they must be applied to or associated with a virtual access feature using a command with the virtual-template keyword. For example, the interface virtual-template command creates the virtual template interface and the multilink virtual-template command applies the virtual template to a multilink stack group. The virtual-profile virtual-template command specifies that a virtual template interface will be used as a source of configuration information for virtual profiles. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the virtual template interface commands mentioned in this chapter, refer to the Cisco IOS Dial Technologies Command Reference, Release 12.2. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Configuring Virtual Template Interfaces Virtual Template Interface Service Overview DC-484 Cisco IOS Dial Technologies Configuration Guide Virtual Template Interface Service Overview The Virtual Template Interface Service feature provides a generic service that can be used to apply predefined interface configurations (virtual template interfaces) in creating and freeing virtual access interfaces dynamically, as needed. Virtual template interfaces can be configured independently of any physical interface and applied dynamically, as needed, to create virtual access interfaces. When a user dials in, a predefined configuration template is used to configure a virtual access interface; when the user is done, the virtual access interface goes down and the resources are freed for other dial-in uses. A virtual template interface is a logical entity—a configuration for a serial interface but not tied to a physical interface—that can be applied dynamically as needed. Virtual access interfaces are virtual interfaces that are created, configured dynamically (for example, by cloning a virtual template interface), used, and then freed when no longer needed. Virtual template interfaces are one possible source of configuration information for a virtual access interface. Each virtual access interface can clone from only one template. But some applications can take configuration information from multiple sources; for example, virtual profiles can take configuration information from a virtual template interface, or from interface-specific configuration information stored from a user on a AAA server, or from network protocol configuration from a user stored on a AAA server, or all three. The result of using template and AAA configuration sources is a virtual access interface uniquely configured for a specific dial-in user. Figure 67 illustrates that a router can create a virtual access interface by first using the information from a virtual template interface (if any is defined for the application) and then using the information in a per-user configuration (if AAA is configured on the router and virtual profiles or per-user configuration or both are defined for the specific user). Figure 67 Possible Configuration Sources for Virtual Access Interfaces The virtual template interface service is intended primarily for customers with large numbers of dial-in users and provides the following benefits: • For easier maintenance, allows customized configurations to be predefined and then applied dynamically when the specific need arises. • For scalability, allows interface configuration to be separated from physical interfaces. Virtual interfaces can share characteristics, no matter what specific type of interface the user called on. • For consistency and configuration ease, allows the same predefined template to be used for all users dialing in for a specific application. • For efficient router operation, frees the virtual access interface memory for another dial-in use when the call from the user ends. Dials in S5832 Virtual access interface for ssmith Clone from a virtual interface template, if any ssmith Clone from per-user configuration (AAA), if any is configured Configuring Virtual Template Interfaces Virtual Template Interface Service Overview DC-485 Cisco IOS Dial Technologies Configuration Guide Features that Apply Virtual Template Interfaces The following features apply virtual template interfaces to create virtual access interfaces dynamically: • Virtual profiles • Virtual Private Dialup Networks (VPDN) • Multilink PPP (MLP) • Multichassis Multilink PPP (MMP) • Virtual templates for protocol translation • PPP over ATM Virtual templates are supported on all platforms that support these features. To create and configure a virtual template interface, compete the tasks in this chapter. To apply a virtual template interface, refer to the specific feature that applies the virtual template interface. All prerequisites depend on the feature that is applying a virtual template interface to create a virtual access interface. Virtual template interfaces themselves have no other prerequisites. The order in which you create virtual template interfaces and virtual profiles and configure the features that use the templates and profiles is not important. They must exist, however, before someone calling in can use them. Selective Virtual Access Interface Creation Optionally, you can configure a router to automatically determine whether to create a virtual access interface for each inbound connection. In particular, a call that is received on a physical asynchronous interface that uses a AAA per-user configuration can now be processed without a virtual access interface being created by a router that is also configured for virtual profiles. The following three criteria determine whether a virtual access interface is created: • Is there a virtual profile AAA configuration? • Is there a AAA per-user configuration? • Does the link interface support direct per-user AAA? A virtual access interface will be created in the following scenarios: • If there is a virtual profile AAA configuration. • If there is not a virtual profile AAA configuration, but there is a AAA per-user configuration and the link interface does not support direct per-user AAA (such as ISDN). A virtual access interface will not be created in the following scenarios: • If there is neither a virtual profile AAA configuration nor a AAA per-user configuration. • If there is not a virtual profile AAA configuration, but there is a AAA per-user configuration and the link interface does support direct per-user AAA (such as asynchronous). Configuring Virtual Template Interfaces How to Configure a Virtual Template Interface DC-486 Cisco IOS Dial Technologies Configuration Guide How to Configure a Virtual Template Interface To create and configure a virtual template interface, use the following commands beginning in global configuration mode: Note Configuring the ip address command within a virtual template is not recommended. Configuring a specific IP address in a virtual template can result in the establishment of erroneous routes and the loss of IP packets. Optionally, other PPP configuration commands can be added to the virtual template configuration. For example, you can add the ppp authentication chap command. All configuration commands that apply to serial interfaces can also be applied to virtual template interfaces, except shutdown and dialer commands. For virtual template interface examples, see the “Configuration Examples for Virtual Template Interface” section later in this chapter. Monitoring and Maintaining a Virtual Access Interface When a virtual template interface or a configuration from a user on a AAA server or both are applied dynamically, a virtual access interface is created. Although a virtual access interface cannot be created and configured directly, it can be displayed and cleared. To display or clear a specific virtual access interface, use the following commands in EXEC mode: Configuration Examples for Virtual Template Interface The following sections provide virtual template interface configuration examples: • Basic PPP Virtual Template Interface • Virtual Template Interface Command Purpose Step 1 Router(config)# interface virtual-template number Creates a virtual template interface and enters interface configuration mode. Step 2 Router(config-if)# ip unnumbered ethernet 0 Enables IP without assigning a specific IP address on the LAN. Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation on the virtual template Interface. Step 4 Router(config-if)# virtual-profile if-needed (Optional) Creates virtual-access interfaces only if the inbound connection requires one. Command Purpose Router> show interfaces virtual-access number Displays the configuration of the virtual access interface. Router> clear interface virtual-access number Tears down the virtual access interface and frees the memory for other dial-in uses. Configuring Virtual Template Interfaces Configuration Examples for Virtual Template Interface DC-487 Cisco IOS Dial Technologies Configuration Guide • Selective Virtual Access Interface • RADIUS Per-User and Virtual Profiles • TACACS+ Per-User and Virtual Profiles Basic PPP Virtual Template Interface The following example enables virtual profiles (configured only by virtual template) on straightforward PPP (no MLP), and configures a virtual template interface that can be cloned on a virtual access interface for dial-in users: virtual-profile virtual-template 1 interface virtual-template 1 ip unnumbered ethernet 0 encapsulation ppp ppp authentication chap Virtual Template Interface The following two examples configure a virtual template interface and then display the configuration of a virtual access interface when the template interface has been applied. This example uses a named Internet Protocol Exchange (IPX) access list: Router(config)# interface virtual-template 1 ip unnumbered Ethernet0 ipx ppp-client Loopback2 no cdp enable ppp authentication chap This example displays the configuration of the active virtual access interface that was configured by virtual-template 1, defined in the preceding example: Router# show interfaces virtual-access 1 configuration Virtual-Access1 is a L2F link interface interface Virtual-Access1 configuration... ip unnumbered Ethernet0 ipx ppp-client Loopback2 no cdp enable ppp authentication chap Selective Virtual Access Interface The following example shows how to create a virtual access interface for incoming calls that require a virtual access interface: aaa new-model aaa authentication ppp default local radius tacacs aaa authorization network default local radius tacacs virtual-profile if-needed virtual-profile virtual-template 1 virtual-profile aaa ! interface Virtual-Template1 Configuring Virtual Template Interfaces Configuration Examples for Virtual Template Interface DC-488 Cisco IOS Dial Technologies Configuration Guide ip unnumbered Ethernet 0 no ip directed-broadcast no keepalive ppp authentication chap ppp multilink RADIUS Per-User and Virtual Profiles The following examples show RADIUS user profiles that could be used for selective virtual access interface creation. This example shows AAA per-user configuration for a RADIUS user profile: RADIUS user profile: foo Password = "test" User-Service-Type = Framed-User, Framed-Protocol = PPP, cisco-avpair = "ip:inacl#1=deny 10.10.10.10 0.0.0.0", cisco-avpair = "ip:inacl#1=permit any" This example shows a virtual profile AAA configuration for a RADIUS user profile: RADIUS user profile: foo Password = "test" User-Service-Type = Framed-User, Framed-Protocol = PPP, cisco-avpair = "lcp:interface-config=keepalive 30\nppp max-bad-auth 4" TACACS+ Per-User and Virtual Profiles The following examples show TACACS+ user profiles that could be used for selective virtual access interface creation. This example shows AAA per-user configuration for a TACACS+ user profile: user = foo { name = "foo" global = cleartext test service = PPP protocol= ip { inacl#1="deny 10.10.10.10 0.0.0.0" inacl#1="permit any" } } This example shows a virtual profile AAA configuration for a TACACS+ user profile: TACACS+ user profile: user = foo { name = "foo" global = cleartext test service = PPP protocol= lcp { interface-config="keepalive 30\nppp max-bad-auth 4" } service = ppp protocol = ip { } } DC-489 Cisco IOS Dial Technologies Configuration Guide Configuring Virtual Profiles This chapter describes how to configure virtual profiles for use with virtual access interfaces. It includes the following main sections: • Virtual Profiles Overview • How Virtual Profiles Work—Four Configuration Cases • How to Configure Virtual Profiles • Troubleshooting Virtual Profile Configurations • Configuration Examples for Virtual Profiles Virtual profiles run on all Cisco IOS platforms that support Multilink PPP (MLP). We recommend that unnumbered addresses be used in virtual template interfaces to ensure that duplicate network addresses are not created on virtual access interfaces. Virtual profiles interoperate with Cisco dial-on-demand routing (DDR), MLP, and dialers such as ISDN. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the virtual profile commands mentioned in this chapter, refer to the Cisco IOS Dial Technologies Command Reference, Release 12.2. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Virtual Profiles Overview A virtual profile is a unique application that can create and configure a virtual access interface dynamically when a dial-in call is received and that can tear down the interface dynamically when the call ends. Virtual profiles support these encapsulation methods: • PPP • MLP • High-Level Data Link Control (HDLC) • Link Access Procedure, Balanced (LAPB) • X.25 • Frame Relay Configuring Virtual Profiles Virtual Profiles Overview DC-490 Cisco IOS Dial Technologies Configuration Guide Any commands for these encapsulations that can be configured under a serial interface can be configured under a virtual profile stored in a user file on an authentication, authorization, and accounting (AAA) server and a virtual profile virtual template configured locally. The AAA server daemon downloads them as text to the network access server and is able to handle multiple download attempts. The configuration information for a virtual profiles virtual access interface can come from a virtual template interface or from user-specific configuration stored on a AAA server, or both. If a B interface is bound by the calling line identification (CLID) to a created virtual access interface cloned from a virtual profile or a virtual template interface, only the configuration from the virtual profile or the virtual template takes effect. The configuration on the D interface is ignored unless successful binding occurs by PPP name. Both the link and network protocols run on the virtual access interface instead of the B channel, unless the encapsulation is PPP. Moreover, in previous releases of Cisco IOS software, downloading a profile from an AAA server and creating and cloning a virtual access interface was always done after the PPP call answer and link control protocol (LCP) up processes. The AAA download is part of authorization. But in the current release, these operations must be performed before the call is answered and the link protocol goes up. This restriction is a new AAA nonauthenticated authorization step. The virtual profile code handles multiple download attempts and identifies whether a virtual access interface was cloned from a downloaded virtual profile. When a successful download is done through nonauthenticated authorization and the configuration on the virtual profile has encapsulation PPP and PPP authentication, authentication is negotiated as a separate step after LCP comes up. The per-user configuration feature also uses configuration information gained from a AAA server. However, per-user configuration uses network configurations (such as access lists and route filters) downloaded during Network Control Protocol (NCP) negotiations. Two rules govern virtual access interface configuration by virtual profiles, virtual template interfaces, and AAA configurations: • Each virtual access application can have at most one template to clone from but can have multiple AAA configurations to clone from (virtual profiles AAA information and AAA per-user configuration, which in turn might include configuration for multiple protocols). • When virtual profiles are configured by virtual template, its template has higher priority than any other virtual template. See the section “How Virtual Profiles Work—Four Configuration Cases” for a description of the possible configuration sequences for configuration by virtual template or AAA or both. See the section “Multilink PPP Effect on Virtual Access Interface Configuration” for a description of the possible configuration sequences that depend on the presence or absence by MLP or another virtual access feature that clones a virtual template interface. DDR Configuration of Physical Interfaces Virtual profiles fully interoperate with physical interfaces in the following DDR configuration states when no other virtual access interface application is configured: • Dialer profiles are configured for the interface—The dialer profile is used instead of the virtual profiles configuration. • DDR is not configured on the interface—Virtual profiles overrides the current configuration. • Legacy DDR is configured on the interface—Virtual profiles overrides the current configuration. Configuring Virtual Profiles Virtual Profiles Overview DC-491 Cisco IOS Dial Technologies Configuration Guide Note If a dialer interface is used (including any ISDN dialer), its configuration is used on the physical interface instead of the virtual profiles configuration. Multilink PPP Effect on Virtual Access Interface Configuration As shown in Table 28, exactly how a virtual access interface will be configured depends on the following three factors: • Whether virtual profiles are configured by a virtual template, by AAA, by both, or by neither. In the table, these states are shown as “VP VT only,” “VP AAA only,” “VP VT and VP AAA,” and “No VP at all,” respectively. • The presence or absence of a dialer interface. • The presence or absence of MLP. The column label “MLP” is a stand-in for any virtual access feature that supports MLP and clones from a virtual template interface. In Table 28, “(Multilink VT)” means that a virtual template interface is cloned if one is defined for MLP or a virtual access feature that uses MLP. The order of items in any cell of the table is important. Where VP VT is shown above VP AAA, it means that first the virtual profile virtual template is cloned on the interface, and then the AAA interface configuration for the user is applied to it. The user-specific AAA interface configuration adds to the configuration and overrides any conflicting physical interface or virtual template configuration commands. Interoperability with Other Features That Use Virtual Templates Virtual profiles also interoperate with virtual access applications that clone a virtual template interface. Each virtual access application can have at most one template to clone from but can clone from multiple AAA configurations. Table 28 Virtual Profiles Configuration Cloning Sequence Virtual Profiles Configuration MLP No Dialer MLP Dialer No MLP No Dialer No MLP Dialer VP VT only VP VT VP VT VP VT VP VT VP AAA only (Multilink VT) VP AAA (Multilink VT) VP AAA VP AAA VP AAA VP VT and VP AAA VP VT VP AAA VP VT VP AAA VP VT VP AAA VP VT VP AAA No VP at all (Multilink VT)1 1. The multilink bundle virtual access interface is created and uses the default settings for MLP or the relevant virtual access feature that uses MLP. Dialer2 2. The multilink bundle virtual access interface is created and cloned from the dialer interface configuration. No virtual access interface is created. No virtual access interface is created. Configuring Virtual Profiles How Virtual Profiles Work—Four Configuration Cases DC-492 Cisco IOS Dial Technologies Configuration Guide The interaction between virtual profiles and other virtual template applications is as follows: • If virtual profiles are enabled and a virtual template is defined for it, the virtual profile virtual template is used. • If virtual profiles are configured by AAA alone (no virtual template is defined for virtual profiles), the virtual template for another virtual access application (virtual private dialup networks or VPDNs, for example) can be cloned onto the virtual access interface. • A virtual template, if any, is cloned to a virtual access interface before the virtual profiles AAA configuration or AAA per-user configuration. AAA per-user configuration, if used, is applied last. How Virtual Profiles Work—Four Configuration Cases This section describes virtual profiles and the various ways that they can work with virtual template interfaces, user-specific AAA interface configuration, and MLP or another feature that requires MLP. Virtual profiles separate configuration information into two logical parts: • Generic—Common configuration for dial-in users plus other router-dependent configuration. This common and router-dependent information can define a virtual template interface stored locally on the router. The generic virtual template interface is independent of and can override the configuration of the physical interface on which a user dialed in. • User-specific interface information—Interface configuration stored in a user file on an AAA server; for example, the authentication requirements and specific interface settings for a specific user. The settings are sent to the router in the response to the request from the router to authenticate the user, and the settings can override the generic configuration. This process is explained more in the section “Virtual Profiles Configured by AAA” later in this chapter. These logical parts can be used separately or together. Four separate cases are possible: • Case 1: Virtual Profiles Configured by Virtual Template—Applies the virtual template. • Case 2: Virtual Profiles Configured by AAA—Applies the user-specific interface configuration received from the AAA server. • Case 3: Virtual Profiles Configured by Virtual Template and AAA Configuration—Applies the virtual template and the user-specific interface configuration received from the AAA server. • Case 4: Virtual Profiles Configured by AAA, and a Virtual Template Defined by Another Application—Applies the other application’s virtual template interface and then applies the user-specific interface configuration received from the AAA server. Note All cases assume that AAA is configured globally on the router, that the user has configuration information in the user file on the AAA server, that PPP authentication and authorization proceed as usual, and that the AAA server sends user-specific configuration information in the authorization approval response packet to the router. The cases also assume that AAA works as designed and that the AAA server sends configuration information for the dial-in user to the router, even when virtual profiles by virtual template are configured. See the sections “Virtual Profiles Configured by Virtual Templates,” “Virtual Profiles Configured by AAA Configuration,” “Virtual Profiles Configured by Virtual Templates and AAA Configuration,” and “Virtual Profiles Configured by AAA Plus a VPDN Virtual Template on a VPDN Home Gateway” later in this chapter for examples of how to configure these cases. Configuring Virtual Profiles How Virtual Profiles Work—Four Configuration Cases DC-493 Cisco IOS Dial Technologies Configuration Guide Case 1: Virtual Profiles Configured by Virtual Template In the case of virtual profiles configured by virtual template, the software functions as follows: • If the physical interface is configured for dialer profiles (a DDR feature), the router looks for a dialer profile for the specific user. • If a dialer profile is found, it is used instead of virtual profiles. • If a dialer profile is not found for the user, or legacy DDR is configured, or DDR is not configured at all, virtual profiles create a virtual access interface for the user. The router applies the configuration commands that are in the virtual template interface to create and configure the virtual profile. The template includes generic interface information and router-specific information, but no user-specific information. No matter whether a user dialed in on a synchronous serial, an asynchronous serial, or an ISDN interface, the dynamically created virtual profile for the user is configured as specified in the virtual template. Then the router interprets the lines in the AAA authorization approval response from the server as Cisco IOS commands to apply to the virtual profile for the user. Data flows through the virtual profile, and the higher layers treat it as the interface for the user. For example, if a virtual template included only the three commands ip unnumbered ethernet 0, encapsulation ppp, and ppp authentication chap, the virtual profile for any dial-in user would include those three commands. In Figure 68, the dotted box represents the virtual profile configured with the commands that are in the virtual template, no matter which interface the call arrives on. Figure 68 Virtual Profiles by Virtual Template See the section “Configuring Virtual Profiles by Virtual Template” later in this chapter for configuration tasks for this case. Case 2: Virtual Profiles Configured by AAA In this case, no dialer profile (a DDR feature) is defined for the specific user and no virtual template for virtual profiles is defined, but virtual profiles by AAA are enabled on the router. During the PPP authorization phase for the user, the AAA server responds as usual to the router. The authorization approval contains configuration information for the user. The router interprets each of the lines in the AAA response from the server as Cisco IOS commands to apply to the virtual profile for the user. S5833 ip unnumbered ethernet 0 encapsulation ppp ppp authentication chap ip unnumbered ethernet 0 encapsulation ppp ppp authentication chap ip unnumbered ethernet 0 encapsulation ppp ppp authentication chap Synchronous Serial Upper layers Asynchronous Upper layers B1 B2 ISDN Upper layers Configuring Virtual Profiles How Virtual Profiles Work—Four Configuration Cases DC-494 Cisco IOS Dial Technologies Configuration Guide Note If MLP is negotiated, the MLP virtual template is cloned first (this is the second row), and then interface-specific commands included in the AAA response from the server for the user are applied. The MLP virtual template overrides any conflicting interface configuration, and the AAA interface configuration overrides any conflicting configuration from both the physical interface and the MLP virtual template. The router applies all the user-specific interface commands received from the AAA server. Suppose, for example, that the router interpreted the response by the AAA server as including only the following two commands for this user: ip address 10.10.10.10 255.255.255.255 keepalive 30 In Figure 69, the dotted box represents the virtual profile configured only with the commands received from the AAA server, no matter which interface the incoming call arrived on. On the AAA RADIUS server, the attribute-value (AV) pair might have read as follows, where “\n” means to start a new command line: cisco-avpair = “lcp:interface-config=ip address 10.10.10.10 255.255.255.0\nkeepalive 30”, Figure 69 Virtual Profiles by AAA Configuration See the section “Configuring Virtual Profiles by AAA Configuration” later in this chapter for configuration tasks for this case. Case 3: Virtual Profiles Configured by Virtual Template and AAA Configuration In this case, no DDR dialer profile is defined for the specific user, a virtual template for virtual profiles is defined, virtual profiles by AAA is enabled on the router, the router is configured for AAA, and a user-specific interface configuration for the user is stored on the AAA server. The router performs the following tasks in order: 1. Dynamically creates a virtual access interface cloned from the virtual template defined for virtual profiles. 2. Applies the user-specific interface configuration received from the AAA server. If any command in the user’s configuration conflicts with a command on the original interface or a command applied by cloning the virtual template, the user-specific command overrides the other command. 56953 ip address 10.1.1.1 255.255.255.255 keepalive 30 Synchronous Serial User ssmith Upper layers ip address 10.1.1.1 255.255.255.255 keepalive 30 Asynchronous User ssmith Upper layers ip address 10.1.1.1 255.255.255.255 keepalive 30 Upper layers B1 User ssmith B2 ISDN Configuring Virtual Profiles How Virtual Profiles Work—Four Configuration Cases DC-495 Cisco IOS Dial Technologies Configuration Guide Suppose that the router had the virtual template as defined in Case 1 and the AAA user configuration as defined in Case 2. In Figure 70 the dotted box represents the virtual profile configured with configuration information from both sources, no matter which interface the incoming call arrived on. The ip address command has overridden the ip unnumbered command. Figure 70 Virtual Profiles by Both Virtual Template and AAA Configuration See the section “Configuring Virtual Profiles by Both Virtual Template and AAA Configuration” later in this chapter for configuration tasks for this case. Case 4: Virtual Profiles Configured by AAA, and a Virtual Template Defined by Another Application In this case, no DDR dialer profile is defined for the specific user, virtual profiles by AAA are configured on the router but no virtual template is defined for virtual profiles, and a user-specific interface configuration is stored on the AAA server. In addition, a virtual template is configured for some other virtual access application (a VPDN, for example). The router performs the following tasks in order: 1. Dynamically creates a virtual access interface and clones the virtual template from the other virtual access application onto it. 2. Applies the user-specific interface configuration received from the AAA server. If any command in the virtual template conflicts with a command on the original interface, the template overrides it. If any command in the AAA interface configuration for the user conflicts with a command in the virtual template, the user AAA interface configuration conflicts will override the virtual template. If per-user configuration is also configured on the AAA server, that network protocol configuration is applied to the virtual access interface last. The result is a virtual interface unique to that user. 56954 encapsulation ppp ppp authentication chap ip address 10.1.1.1 255.255.255.255 keepalive 30 encapsulation ppp ppp authentication chap ip address 10.1.1.1 255.255.255.255 keepalive 30 encapsulation ppp ppp authentication chap ip address 10.1.1.1 255.255.255.255 keepalive 30 Synchronous Serial User ssmith Upper layers Asynchronous User ssmith Upper layers Upper layers B1 User ssmith B2 ISDN Configuring Virtual Profiles How to Configure Virtual Profiles DC-496 Cisco IOS Dial Technologies Configuration Guide How to Configure Virtual Profiles To configure virtual profiles for dial-in users, perform the tasks in one of the first three sections and then troubleshoot the configuration by performing the tasks in the last section: • Configuring Virtual Profiles by Virtual Template (As required) • Configuring Virtual Profiles by AAA Configuration (As required) • Configuring Virtual Profiles by Both Virtual Template and AAA Configuration (As required) • Troubleshooting Virtual Profile Configurations (As required) Note Do not define a DDR dialer profile for a user if you intend to define virtual profiles for the user. See the section “Configuration Examples for Virtual Profiles” at the end of this chapter for examples of how to use virtual profiles in your network configuration. Configuring Virtual Profiles by Virtual Template To configure virtual profiles by virtual template, complete these two tasks: • Creating and Configuring a Virtual Template Interface • Specifying a Virtual Template Interface for Virtual Profiles Note The order in which these tasks is performed is not crucial. However, both tasks must be completed before virtual profiles are used. Creating and Configuring a Virtual Template Interface Because a virtual template interface is a serial interface, all the configuration commands that apply to serial interfaces can also be applied to virtual template interfaces, except shutdown and dialer commands. To create and configure a virtual template interface, use the following commands beginning in global configuration mode: Other optional PPP configuration commands can be added to the virtual template configuration. For example, you can add the ppp authentication chap command. Command Purpose Step 1 Router(config)# interface virtual-template number Creates a virtual template interface and enters interface configuration mode. Step 2 Router(config-if)# ip unnumbered ethernet 0 Enables IP without assigning a specific IP address on the LAN. Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation on the virtual template interface. Configuring Virtual Profiles How to Configure Virtual Profiles DC-497 Cisco IOS Dial Technologies Configuration Guide Specifying a Virtual Template Interface for Virtual Profiles To specify a virtual template interface as the source of information for virtual profiles, use the following command in global configuration mode: Virtual template numbers range from 1 to 25. Configuring Virtual Profiles by AAA Configuration To configure virtual profiles by AAA only, complete these three tasks in any order. All tasks must be completed before virtual profiles are used. • On the AAA server, create user-specific interface configurations for each of the specific users to use this method. See your AAA server documentation for more detailed configuration information about your AAA server. • Configure AAA on the router, as described in the Cisco IOS Security Configuration Guide, Release 12.2. • Specify AAA as the source of information for virtual profiles. To specify AAA as the source of information for virtual profiles, use the following command in global configuration mode: If you also want to use per-user configuration for network protocol access lists or route filters for individual users, see the chapter “Configuring Per-User Configuration” in this publication. In this case, no virtual template interface is defined for virtual profiles. Configuring Virtual Profiles by Both Virtual Template and AAA Configuration Use of user-specific AAA interface configuration information with virtual profiles requires the router to be configured for AAA and requires the AAA server to have user-specific interface configuration AV-pairs. The relevant AV-pairs (on a RADIUS server) begin as follows: cisco-avpair = “lcp:interface-config=...”, The information that follows the equal sign (=) could be any Cisco IOS interface configuration command. For example, the line might be the following: cisco-avpair = “lcp:interface-config=ip address 192.168.200.200 255.255.255.0”, Use of a virtual template interface with virtual profiles requires a virtual template to be defined specifically for virtual profiles. Command Purpose Router(config)# virtual-profile virtual-template number Specifies the virtual template interface as the source of information for virtual profiles. Command Purpose Router(config)# virtual-profile aaa Specifies AAA as the source of user-specific interface configuration. Configuring Virtual Profiles How to Configure Virtual Profiles DC-498 Cisco IOS Dial Technologies Configuration Guide To configure virtual profiles by both virtual template interface and AAA configuration, complete the following tasks in any order. All tasks must be completed before virtual profiles are used. • On the AAA server, create user-specific interface configurations for each of the specific users to use this method. See your AAA server documentation for more detailed configuration information about your AAA server. • Configure AAA on the router, as described in the Cisco IOS Security Configuration Guide publication. • Creating and Configuring a Virtual Template Interface, described later in this chapter. • Specifying Virtual Profiles by Both Virtual Templates and AAA, described later in this chapter. Creating and Configuring a Virtual Template Interface To create and configure a virtual template interface, use the following commands beginning in global configuration mode: Because the software treats a virtual template interface as a serial interface, all the configuration commands that apply to serial interfaces can also be applied to virtual template interfaces, except shutdown and dialer commands. Other optional PPP configuration commands can also be added to the virtual template configuration. For example, you can add the ppp authentication chap command. Specifying Virtual Profiles by Both Virtual Templates and AAA To specify both the virtual template interface and the AAA per-user configuration as sources of information for virtual profiles, use the following commands in global configuration mode: If you also want to use per-user configuration for network protocol access lists or route filters for individual users, see the chapter “Configuring Per-User Configuration” in this publication. Command Purpose Step 1 Router(config)# interface virtual-template number Creates a virtual template interface and enters interface configuration mode. Step 2 Router(config-if)# ip unnumbered ethernet 0 Enables IP without assigning a specific IP address on the LAN. Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation on the virtual template interface. Command Purpose Step 1 Router(config)# virtual-profile virtual-template number Defines the virtual template interface as the source of information for virtual profiles. Step 2 Router(config)# virtual-profile aaa Specifies AAA as the source of user-specific configuration for virtual profiles. Configuring Virtual Profiles Troubleshooting Virtual Profile Configurations DC-499 Cisco IOS Dial Technologies Configuration Guide Troubleshooting Virtual Profile Configurations To troubleshoot the virtual profiles configurations, use any of the following debug commands in EXEC mode: Configuration Examples for Virtual Profiles The following sections provide examples for the four cases described in this chapter: • Virtual Profiles Configured by Virtual Templates • Virtual Profiles Configured by AAA Configuration • Virtual Profiles Configured by Virtual Templates and AAA Configuration • Virtual Profiles Configured by AAA Plus a VPDN Virtual Template on a VPDN Home Gateway In these examples, BRI 0 is configured for legacy DDR, and interface BRI 1 is configured for dialer profiles. Note that interface dialer 0 is configured for legacy DDR. Interface dialer 1 is a dialer profile. The intention of the examples is to show how to configure virtual profiles. In addition, the examples show the interoperability of DDR and dialer profiles in the respective cases with various forms of virtual profiles. The same user names (John and Rick) occur in all these examples. Note the different configuration allowed to them in each of the four examples. John is a normal user and can dial in to BRI 0 only. Rick is a privileged user who can dial in to BRI 0 and BRI 1. If Rick dials into BRI 1, the dialer profile will be used. If Rick dials into BRI 0, virtual profiles will be used. Because John does not have a dialer profile, only virtual profiles can be applied to John. To see an example of a configuration using virtual profiles and the Dynamic Multiple Encapsulations feature, see the “Multiple Encapsulations over ISDN” example in the chapter “Configuring Peer-to-Peer DDR with Dialer Profiles.” Virtual Profiles Configured by Virtual Templates The following example shows a router configured for virtual profiles by virtual template. (Virtual profiles do not have any interface-specific AAA configuration.) Comments in the example draw attention to specific features or ignored lines. Command Purpose Router# debug dialer Displays information about dial calls and negotiations and virtual profile events. Router# debug aaa per-user Displays information about the per-user configuration downloaded from the AAA server. Router# debug vtemplate Displays cloning information for a virtual access interface from the time it is cloned from a virtual template to the time it comes down. Configuring Virtual Profiles Configuration Examples for Virtual Profiles DC-500 Cisco IOS Dial Technologies Configuration Guide In this example, the same virtual template interface applies to both users; they have the same interface configurations. Router Configuration ! Enable AAA on the router. aaa new-model aaa authentication ppp default radius ! The following command is required. aaa authorization network radius enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/ enable password lab ! ! Specify configuration of virtual profiles by virtual template. ! This is the key command for this example. virtual-profile virtual-template 1 ! ! Define the virtual template. interface Virtual-Template 1 ip unnumbered ethernet 0 encapsulation ppp ppp authentication chap ! switch-type basic-dms100 interface BRI 0 description Connected to 103 encapsulation ppp no ip route-cache dialer rotary-group 0 ppp authentication chap ! interface BRI 1 description Connected to 104 encapsulation ppp ! Disable fast switching. no ip route-cache dialer pool-member 1 ppp authentication chap ! ! Configure dialer interface 0 for DDR for John and Rick. interface dialer 0 ip address 10.1.1.1 255.255.255.0 encapsulation ppp ! Enable legacy DDR. dialer in-band ! Disable fast switching. no ip route-cache dialer map ip 10.1.1.2 name john 1111 dialer map ip 10.1.1.3 name rick 2222 dialer-group 1 ppp authentication chap ! ! Configure dialer interface 1 for DDR to dial out to Rick. interface dialer 1 ip address 10.2.2.2 255.255.255.0 encapsulation ppp dialer remote-name rick dialer string 3333 dialer pool 1 dialer-group 1 ! Disable fast switching. no ip route-cache ppp authentication chap dialer-list 1 protocol ip permit Configuring Virtual Profiles Configuration Examples for Virtual Profiles DC-501 Cisco IOS Dial Technologies Configuration Guide Virtual Profiles Configured by AAA Configuration The following example shows the router configuration for virtual profiles by AAA and the AAA server configuration for user-specific interface configurations. John and Rick have different IP addresses. In the AAA configuration cisco-avpair lines, “\n” is used to indicate the start of a new Cisco IOS command line. AAA Configuration for John and Rick john Password = "welcome" User-Service-Type = Framed-User, Framed-Protocol = PPP, cisco-avpair = "lcp:interface-config=keepalive 75\nip address 172.16.100.100 255.255.255.0", rick Password = "emoclew" User-Service-Type = Framed-User, Framed-Protocol = PPP, cisco-avpair = "lcp:interface-config=keepalive 100\nip address 192.168.200.200 255.255.255.0" Router Configuration ! Enable AAA on the router. aaa new-model aaa authentication ppp default radius ! This is a key command for this example. aaa authorization network radius enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/ enable password lab ! ! Specify configuration of virtual profiles by aaa. ! This is a key command for this example. virtual-profiles aaa ! ! Interface BRI 0 is configured for legacy DDR. interface BRI 0 description Connected to 103 encapsulation ppp no ip route-cache dialer rotary-group 0 ppp authentication chap ! ! Interface BRI 1 is configured for dialer profiles. interface BRI 1 description Connected to 104 encapsulation ppp ! Disable fast switching. no ip route-cache dialer pool-member 1 ppp authentication chap ! ! Configure dialer interface 0 for DDR for John and Rick. interface dialer 0 ip address 10.1.1.1 255.255.255.0 encapsulation ppp ! Enable legacy DDR. dialer in-band ! Disable fast switching. no ip route-cache dialer map ip 10.1.1.2 name john 1111 dialer map ip 10.1.1.3 name rick 2222 Configuring Virtual Profiles Configuration Examples for Virtual Profiles DC-502 Cisco IOS Dial Technologies Configuration Guide dialer-group 1 ppp authentication chap ! ! Configure dialer interface 1 for DDR to dial out to Rick. interface dialer 1 ip address 10.2.2.2 255.255.255.0 encapsulation ppp dialer remote-name rick dialer string 3333 dialer pool 1 dialer-group 1 ! Disable fast switching. no ip route-cache ppp authentication chap dialer-list 1 protocol ip permit Virtual Profiles Configured by Virtual Templates and AAA Configuration The following example shows how virtual profiles can be configured by both virtual templates and AAA configuration. John and Rick can dial in from anywhere and have their same keepalive settings and their own IP addresses. The remaining AV pair settings are not used by virtual profiles. They are the network protocol access lists and route filters used by AAA-based per-user configuration. In the AAA configuration cisco-avpair lines, “\n” is used to indicate the start of a new Cisco IOS command line. AAA Configuration for John and Rick john Password = “welcome” User-Service-Type = Framed-User, Framed-Protocol = PPP, cisco-avpair = “lcp:interface-config=keepalive 75\nip address 10.16.100.100 255.255.255.0”, cisco-avpair = “ip:rte-fltr-out#0=router igrp 60”, cisco-avpair = “ip:rte-fltr-out#3=deny 172.16.0.0 0.255.255.255”, cisco-avpair = “ip:rte-fltr-out#4=deny 172.17.0.0 0.255.255.255”, cisco-avpair = “ip:rte-fltr-out#5=permit any” rick Password = “emoclew” User-Service-Type = Framed-User, Framed-Protocol = PPP, cisco-avpair = “lcp:interface-config=keepalive 100\nip address 192.168.200.200 255.255.255.0”, cisco-avpair = “ip:inacl#3=permit ip any any precedence immediate”, cisco-avpair = “ip:inacl#4=deny igrp 10.0.1.2 255.255.0.0 any”, cisco-avpair = “ip:outacl#2=permit ip any any precedence immediate”, cisco-avpair = “ip:outacl#3=deny igrp 10.0.9.10 255.255.0.0 any” Router Configuration ! Enable AAA on the router. aaa new-model aaa authentication ppp default radius ! This is a key command for this example. aaa authorization network radius enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/ enable password lab ! Configuring Virtual Profiles Configuration Examples for Virtual Profiles DC-503 Cisco IOS Dial Technologies Configuration Guide ! Specify use of virtual profiles and a virtual template. ! The following two commands are key for this example. virtual-profile virtual-template 1 virtual-profile aaa ! ! Define the virtual template. interface Virtual-Template 1 ip unnumbered ethernet 0 encapsulation ppp ppp authentication chap ! ! Interface BRI 0 is configured for legacy DDR. interface BRI 0 description Connected to 103 encapsulation ppp no ip route-cache dialer rotary-group 0 ppp authentication chap ! ! Interface BRI 1 is configured for dialer profiles. interface BRI 1 description Connected to 104 encapsulation ppp ! Disable fast switching. no ip route-cache dialer pool-member 1 ppp authentication chap ! ! Configure dialer interface 0 for DDR to dial out to John and Rick. interface dialer 0 ip address 10.1.1.1 255.255.255.0 encapsulation ppp dialer in-band ! Disable fast switching. no ip route-cache dialer map ip 10.1.1.2 name john 1111 dialer map ip 10.1.1.3 name rick 2222 dialer-group 1 ppp authentication chap ! ! Configure dialer interface 0 for DDR to dial out to Rick. interface dialer 1 ip address 10.2.2.2 255.255.255.0 encapsulation ppp dialer remote-name rick dialer string 3333 dialer pool 1 dialer-group 1 ! Disable fast switching. no ip route-cache ppp authentication chap ! dialer-list 1 protocol ip permit Configuring Virtual Profiles Configuration Examples for Virtual Profiles DC-504 Cisco IOS Dial Technologies Configuration Guide Virtual Profiles Configured by AAA Plus a VPDN Virtual Template on a VPDN Home Gateway Like the virtual profiles configured by AAA example earlier in this section, the following example shows the router configuration for virtual profiles by AAA. The user file on the AAA server also includes interface configuration for John and Rick, the two users. Specifically, John and Rick each have their own IP addresses when they are in privileged mode. In this case, however, the router is also configured as the VPDN home gateway. It clones the VPDN virtual template interface first and then clones the virtual profiles AAA interface configuration. If per-user configuration were configured on this router and the user file on the AAA server had network protocol information for the two users, that information would be applied to the virtual access interface last. In the AAA configuration cisco-avpair lines, “\n” is used to indicate the start of a new Cisco IOS command line. AAA Configuration for John and Rick john Password = "welcome" User-Service-Type = Framed-User, Framed-Protocol = PPP, cisco-avpair = "lcp:interface-config=keepalive 75\nip address 10.100.100.100 255.255.255.0", rick Password = "emoclew" User-Service-Type = Framed-User, Framed-Protocol = PPP, cisco-avpair = "lcp:interface-config=keepalive 100\nip address 192.168.200.200 255.255.255.0" Router Configuration !Configure the router as the VPDN home gateway. ! !Enable VPDN and specify the VPDN virtual template to use on incoming calls from the !network access server. vpdn enable vpdn incoming dallas_wan go_blue virtual-template 6 ! !Configure the virtual template interface for VPDN. interface virtual template 6 ip unnumbered ethernet 0 encapsulation ppp ppp authentication chap ! !Enable AAA on the router. aaa new-model aaa authentication ppp default radius aaa authorization network radius enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/ enable password lab ! !Specify configuration of virtual profiles by aaa. virtual-profiles aaa ! !Configure the physical synchronous serial 0 interface. interface Serial 0 description Connected to 101 encapsulation ppp Configuring Virtual Profiles Configuration Examples for Virtual Profiles DC-505 Cisco IOS Dial Technologies Configuration Guide !Disable fast switching. no ip route-cache ppp authentication chap ! !Configure serial interface 1 for DDR. S1 uses dialer rotary group 0, which is !defined on BRI interface 0. interface serial 1 description Connected to 102 encapsulation ppp dialer in-band ! Disable fast switching. no ip route-cache dialer rotary-group 0 ppp authentication chap ! interface BRI 0 description Connected to 103 encapsulation ppp no ip route-cache dialer rotary-group 0 ppp authentication chap ! interface BRI 1 description Connected to 104 encapsulation ppp !Disable fast switching. no ip route-cache dialer pool-member 1 ppp authentication chap ! !Configure dialer interface 0 for DDR to call and receive calls from John and Rick. interface dialer 0 ip address 10.1.1.1 255.255.255.0 encapsulation ppp !Enable legacy DDR. dialer in-band !Disable fast switching. no ip route-cache dialer map ip 10.1.1.2 name john 1111 dialer map ip 10.1.1.3 name rick 2222 dialer-group 1 ppp authentication chap ! !Configure dialer interface 1 for DDR to dial out to Rick. interface dialer 1 ip address 10.2.2.2 255.255.255.0 encapsulation ppp dialer remote-name rick dialer string 3333 dialer pool 1 dialer-group 1 !Disable fast switching. no ip route-cache ppp authentication chap dialer-list 1 protocol ip permit Configuring Virtual Profiles Configuration Examples for Virtual Profiles DC-506 Cisco IOS Dial Technologies Configuration Guide DC-507 Cisco IOS Dial Technologies Configuration Guide Configuring Virtual Private Networks This chapter describes how to configure, verify, maintain, and troubleshoot a Virtual Private Network (VPN). It includes the following main sections: • VPN Technology Overview • Prerequisites for VPNs • How to Configure a VPN • Verifying VPN Sessions • Monitoring and Maintaining VPNs • Troubleshooting VPNs • Configuration Examples for VPN To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature, or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the commands mentioned in this chapter, refer to the Cisco IOS Dial Technologies Command Reference, Release 12.2. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. VPN Technology Overview A VPN carries private data over a public network and extends remote access to users over a shared infrastructure. VPNs maintain the same security and management policies as a private network. They are the most cost-effective method of establishing a point-to-point connection between remote users and a central network. A benefit of VPNs or, more appropriately, access VPNs, is the way they delegate responsibilities for the network. The customer outsources the responsibility for the information technology (IT) infrastructure to an Internet service provider (ISP) that maintains the modems that the remote users dial in to (called modem pools), the access servers, and the internetworking expertise. The customer is then only responsible for authenticating its users and maintaining its network. Instead of connecting directly to the network by using the expensive Public Switched Telephone Network (PSTN), access VPN users need only use the PSTN to connect to the ISP local point of presence (POP). The ISP then uses the Internet to forward users from the POP to the customer network. Forwarding a user call over the Internet provides dramatic cost savings for the customer. Access VPNs use Layer 2 tunneling technologies to create a virtual point-to-point connection between users and the Configuring Virtual Private Networks VPN Technology Overview DC-508 Cisco IOS Dial Technologies Configuration Guide customer network. These tunneling technologies provide the same direct connectivity as the expensive PSTN by using the Internet. This means that users anywhere in the world have the same connectivity as they would at the customer headquarters. VPNs allow separate and autonomous protocol domains to share common access infrastructure including modems, access servers, and ISDN routers. VPNs use the following tunneling protocols to tunnel link-level frames: • Layer 2 Forwarding (L2F) • Layer 2 Tunneling Protocol (L2TP) • Point-to-Point Tunneling Protocol (PPTP) Using one of these protocols, an ISP or other access service can create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In particular, a network access server (NAS) at the ISP POP exchanges PPP messages with the remote users and communicates by L2F, L2TP, or PPTP requests and responses with the customer tunnel server to set up tunnels. L2F, L2TP, and PPTP pass protocol-level packets through the virtual tunnel between endpoints of a point-to-point connection. Frames from the remote users are accepted by the ISP POP, stripped of any linked framing or transparency bytes, encapsulated in L2F, L2TP or PPTP, and forwarded over the appropriate tunnel. The customer tunnel server accepts these frames, strips the Layer 2 encapsulation, and processes the incoming frames for the appropriate interface. Cisco routers fast switch VPN traffic. In stack group environments in which some VPN traffic is offloaded to a powerful router, fast switching provides improved scalability. VPDN MIB The VPDN MIB offers a mechanism to track failures of user calls in a VPN system, allowing Simple Network Management Protocol (SNMP) retrieval of user call failure information, on a per-user basis. Refer to the Cisco VPDN Management MIB for a list of supported objects for the VPDN MIB. VPN Hardware Terminology As new tunneling protocols have been developed for VPNs, new terminology has been created to describe the hardware involved in VPNs. Fundamentally, two routers are needed for a VPN: • Network access server (NAS)—It receives incoming calls for dial-in VPNs and places outgoing calls for dial-out VPNs. Typically it is maintained by an ISP that wishes to provide VPN services to its customers. • Tunnel server—It terminates dial-in VPNs and initiates dial-out VPNs. Typically it is maintained by the ISP customer and is the contact point for the customer network. For the sake of clarity, we will use these generic terms, and not the technology-specific terms. Table 29 lists the generic terms ant the technology-specific terms that are often used for these devices. Configuring Virtual Private Networks VPN Technology Overview DC-509 Cisco IOS Dial Technologies Configuration Guide In dial-in scenarios, users dial in to the NAS, and the NAS forwards the call to the tunnel server using a VPN tunnel. In dial-out scenarios, the tunnel server initiates a VPN tunnel to the NAS, and the NAS dials out to the clients. VPN Architectures VPNs are designed on the basis of one of two architectural options: • Client-Initiated VPNs • NAS-Initiated VPNs Client-Initiated VPNs Users establish a tunnel across the ISP shared network to the customer network without an intermediate NAS participating in the tunnel negotiation and establishment. The customer manages the client software that initiates the tunnel. The main advantage of client-initiated VPNs is that they secure the connection between the client and the ISP. However, client-initiated VPNs are not as scalable and are more complex than NAS-initiated VPNs. Client-initiated VPNs are also referred to as voluntary tunneling. NAS-Initiated VPNs Users dial in to the ISP NAS, which establishes a tunnel to the private network. NAS-initiated VPNs are more robust than client-initiated VPNs and do not require the client to maintain the tunnel-creating software. NAS-initiated VPNs do not encrypt the connection between the client and the ISP, but this is not a concern for most customers because the PSTN is much more secure than the Internet. NAS-initiated VPNs are also referred to as compulsory tunneling. Note In Cisco’s VPN implementation, PPTP tunnels are client-initiated while L2F and L2TP tunnels are NAS-initiated. PPTP Dial-In with MPPE Encryption PPTP is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, virtual private networking over public networks, such as the Internet. Table 29 VPN Hardware Terminology Generic Term L2F Term L2TP Term PPTP Term Tunnel Server Home Gateway L2TP Network Server (LNS) PPTP Network Server (PNS) Network Access Server (NAS) NAS L2TP Access Concentrator (LAC) PPTP Access Concentrator (PAC) Configuring Virtual Private Networks VPN Technology Overview DC-510 Cisco IOS Dial Technologies Configuration Guide Cisco supports client-initiated VPNs using PPTP. Therefore only the client and the tunnel server need to be configured. The client first establishes basic connectivity by dialing in to an ISP. Once the client has established a PPP session, it initiates a PPTP tunnel to the tunnel server. The tunnel server is configured to terminate PPTP tunnels and clone virtual-access interfaces from virtual templates. Microsoft Point-to-Point Encryption (MPPE) is an outcropping technology that can be used to encrypt PPTP VPNs. It encrypts the entire session from the client to the tunnel server. This section describes the following aspects of PPTP and MPPE: • PPTP Tunnel Negotiation • Flow Control Alarm • MPPE Overview • MPPE Encryption Types PPTP Tunnel Negotiation The following describes the protocol negotiation events that establish a PPTP tunnel: 1. The client dials in to the ISP and establishes a PPP session. 2. The client establishes a TCP connection with the tunnel server. 3. The tunnel server accepts the TCP connection. 4. The client sends a PPTP SCCRQ message to the tunnel server. 5. The tunnel server establishes a new PPTP tunnel and replies with an SCCRP message. 6. The client initiates the session by sending an OCRQ message to the tunnel server. 7. The tunnel server creates a virtual-access interface. 8. The tunnel server replies with an OCRP message. Flow Control Alarm The flow control alarm is a new function that indicates if PPTP detects congestion or lost packets. When a flow control alarm goes off, PPTP reduces volatility and additional control traffic by establishing an accompanying stateful MPPE session. For more information, see the pptp flow-control static-rtt command and the output from the show vpdn session command in the “Verifying a Client-Initiated VPN” section. MPPE Overview MPPE is an encryption technology developed by Microsoft to encrypt point-to-point links. These PPP connections can be over a dialup line or over a VPN tunnel. MPPE works as a subfeature of Microsoft Point-to-Point Compression (MPPC). MPPC is a scheme used to compress PPP packets between Cisco and Microsoft client devices. The MPPC algorithm is designed to optimize bandwidth utilization in order to support multiple simultaneous connections. MPPE is negotiated using bits in the MPPC option within the Compression Control Protocol (CCP) MPPC configuration option (CCP configuration option number 18). Configuring Virtual Private Networks VPN Technology Overview DC-511 Cisco IOS Dial Technologies Configuration Guide MPPE uses the RC4 algorithm with either 40- or 128-bit keys. All keys are derived from the cleartext authentication password of the user. RC4 is stream cipher; therefore, the sizes of the encrypted and decrypted frames are the same size as the original frame. The Cisco implementation of MPPE is fully interoperable with that of Microsoft and uses all available options, including historyless mode. Historyless mode can increase throughput in lossy environments such as VPNs, because neither side needs to send CCP Resets Requests to synchronize encryption contexts when packets are lost. MPPE Encryption Types Two modes of MPPE encryption are offered: • Stateful MPPE Encryption • Stateless MPPE Encryption Stateful MPPE Encryption Stateful encryption provides the best performance but may be adversely affected by networks that experience substantial packet loss. If you choose stateful encryption, you should also configure flow control to minimize the detrimental effects of this lossiness. Because of the way that the RC4 tables are reinitialized during stateful synchronization, it is possible that two packets may be encrypted using the same key. For this reason, stateful encryption may not be appropriate for lossy network environments (such as Layer 2 tunnels on the Internet). Stateless MPPE Encryption Stateless encryption provides a lower level of performance, but will be more reliable in a lossy network environment. Caution If you choose stateless encryption, you should not configure flow control. L2F Dial-In VPNs use L2F or L2TP tunnels to tunnel the link layer of high-level protocols (for example, PPP frames or asynchronous High-Level Data Link Control (HDLC)). ISPs configure their NASs to receive calls from users and to forward the calls to the customer tunnel server. Usually, the ISP maintains only information about the tunnel server—the tunnel endpoint. The customer maintains the tunnel server users’ IP addresses, routing, and other user database functions. Administration between the ISP and the tunnel server is reduced to IP connectivity. Figure 71 shows the PPP link that runs between a client (the user hardware and software) and the tunnel server. The NAS and tunnel server establish an L2F tunnel that the NAS uses to forward the PPP link to the tunnel server. The VPN then extends from the client to the tunnel server. The L2F tunnel creates a virtual point-to-point connection between the client and the tunnel server. Configuring Virtual Private Networks VPN Technology Overview DC-512 Cisco IOS Dial Technologies Configuration Guide Figure 71 End-to-End Access VPN Protocol Flow: L2F, PPP, and IP The following sections give a functional description of the sequence of events that establish a VPN using L2F as the tunneling protocol: • Protocol Negotiation Sequence • L2F Tunnel Authentication Process The “Protocol Negotiation Sequence” section provides an overview of the negotiation events that take place as the VPN is established. The “L2F Tunnel Authentication Process” section provides a detailed description of how the NAS and tunnel server establish the L2F tunnel. Protocol Negotiation Sequence A user who wants to connect to the customer tunnel server first establishes a PPP connection to the ISP NAS. The NAS then establishes an L2F tunnel with the tunnel server. Finally, the tunnel server authenticates the client username and password and establishes the PPP connection with the client. Figure 72 shows the sequence of protocol negotiation events between the ISP NAS and the customer tunnel server. PSTN cloud Enterprise company intranet Internet cloud L2F Legend Client PPP IP 18987 Access VPN NAS Home gateway Configuring Virtual Private Networks VPN Technology Overview DC-513 Cisco IOS Dial Technologies Configuration Guide Figure 72 Protocol Negotiation Events Between Access VPN Devices The following explains the sequence of events shown in Figure 72: 1. The user client and the NAS conduct a standard PPP Link Control Protocol (LCP) negotiation. 2. The NAS begins PPP authentication by sending a Challenge Handshake Authentication Protocol (CHAP) challenge to the client. 3. The client replies with a CHAP response. 4. When the NAS receives the CHAP response, either the phone number that the user dialed in from (when using Dialed Number Information Service-based authentication) or the user domain name (when using authentication based on domain name) matches a configuration on either the NAS or its AAA server. This configuration instructs the NAS to create a VPN to forward the PPP session to the tunnel server by using an L2F tunnel. Because this is the first L2F session with the tunnel server, the NAS and the tunnel server exchange L2F_CONF packets, which prepare them to create the tunnel. Then they exchange L2F_OPEN packets, which open the L2F tunnel. 5. Once the L2F tunnel is open, the NAS and tunnel server exchange L2F session packets. The NAS sends an L2F_OPEN (Mid) packet to the tunnel server that includes the client information from the LCP negotiation, the CHAP challenge, and the CHAP response. The tunnel server forces this information on to a virtual access interface that it has created for the client and responds to the NAS with an L2F_OPEN (Mid) packet. 6. The tunnel server authenticates the CHAP challenge and response (using either local or remote AAA) and sends a CHAP Auth-OK packet to the client. This completes the three-way CHAP authentication. LCP Conf-Req LCP Conf-Ack LCP Conf-Req LCP Conf-Ack PPP authentication L2F or L2TP tunnel negotiation PPP authentication completed PPP packets 18989 L2F or L2TP session negotiation 1 2 3 4 5 6 7 Client NAS Home gateway Configuring Virtual Private Networks VPN Technology Overview DC-514 Cisco IOS Dial Technologies Configuration Guide 7. When the client receives the CHAP Auth-OK packet, it can send PPP encapsulated packets to the tunnel server. The client and the tunnel server can now exchange I/O PPP encapsulated packets. The NAS acts as a transparent PPP frame forwarder. Subsequent PPP incoming sessions (designated for the same tunnel server) do not repeat the L2F tunnel negotiation because the L2F tunnel is already open. L2F Tunnel Authentication Process When the NAS receives a call from a client that is to be tunneled to a tunnel server, it first sends a challenge to the tunnel server. The tunnel server then sends a combined challenge and response to the NAS. Finally, the NAS responds to the tunnel server challenge, and the two devices open the L2F tunnel. Before the NAS and tunnel server can authenticate the tunnel, they must have a common “tunnel secret.” A tunnel secret is a common shared secret that is configured on both the NAS and the tunnel server. For more information on tunnel secrets, see the “Configuring VPN Tunnel Authentication Using the L2TP Tunnel Password” section later in this chapter. By combining the tunnel secret with random value algorithms, which are used to encrypt the tunnel secret, the NAS and tunnel server authenticate each other and establish the L2F tunnel. Figure 73 shows the tunnel authentication process. Figure 73 L2F Tunnel Authentication Process L2F_CONF name = ISP_NAS challenge = A 1 2 3 4 5 6 L2F_CONF name = ENT_HGW challenge = B key=A'=MD5 {A+ ISP_NAS secret} L2F_OPEN key = B' = MD5 {B + ENT_HGW secret} L2F_OPEN key = A' All subsequent messages have key = B' All subsequent messages have key = A' 18988 NAS Home gateway Configuring Virtual Private Networks VPN Technology Overview DC-515 Cisco IOS Dial Technologies Configuration Guide The following explains the sequence of events shown in Figure 73: 1. Before the NAS and tunnel server open an L2F tunnel, both devices must have a common tunnel secret in their configurations. 2. The NAS sends an L2F_CONF packet that contains the NAS name and a random challenge value, A. 3. After the tunnel server receives the L2F_CONF packet, it sends an L2F_CONF packet back to the NAS with the tunnel server name and a random challenge value, B. This message also includes a key containing A' (the MD5 of the NAS secret and the value A). 4. When the NAS receives the L2F_CONF packet, it compares the key A' with the MD5 of the NAS secret and the value A. If the key and value match, the NAS sends an L2F_OPEN packet to the tunnel server with a key containing B' (the Message Digest 5 (MD5) of the tunnel server secret and the value B). 5. When the tunnel server receives the L2F_OPEN packet, it compares the key B' with the MD5 of the tunnel server secret and the value B. If the key and value match, the tunnel server sends an L2F_OPEN packet to the NAS with the key A'. 6. All subsequent messages from the NAS include key = B'; all subsequent messages from the tunnel server include key = A'. Once the tunnel server authenticates the client, the access VPN is established. The L2F tunnel creates a virtual point-to-point connection between the client and the tunnel server. The NAS acts as a transparent packet forwarder. When subsequent clients dial in to the NAS, the NAS and tunnel server need not repeat the L2F tunnel negotiation because the L2F tunnel is already open. L2TP Dial-In L2TP is an emerging Internet Engineering Task Force (IETF) standard that combines the best features of two existing tunneling protocols: Cisco L2F (L2F) and Microsoft Point-to-Point Tunneling Protocol (PPTP). L2TP offers the same full-range spectrum of features as L2F, but offers additional functionality. An L2TP-capable tunnel server will work with an existing L2F network access server and will concurrently support upgraded components running L2TP. Tunnel servers do not require reconfiguration each time an individual NAS is upgraded from L2F to L2TP. Table 30 offers a comparison of L2F and L2TP feature components. Table 30 L2F and L2TP Feature Comparison Function L2F L2TP Flow Control No Yes AVP hiding No Yes Tunnel server load sharing Yes Yes Tunnel server stacking/multihop support Yes Yes Tunnel server primary and secondary backup Yes Yes DNS name support Yes Yes Domain name flexibility Yes Yes Configuring Virtual Private Networks VPN Technology Overview DC-516 Cisco IOS Dial Technologies Configuration Guide Traditional dialup networking services support only registered IP addresses, which limits the types of applications that are implemented over VPNs. L2TP supports multiple protocols and unregistered and privately administered IP addresses over the Internet. This allows the existing access infrastructure, such as the Internet, modems, access servers, and ISDN terminal adapters (TAs), to be used. It also allows customers to outsource dial-out support, thus reducing overhead for hardware maintenance costs and 800 number fees, and allows them to concentrate corporate gateway resources. Figure 74 shows the L2TP architecture in a typical dialup environment. Figure 74 L2TP Architecture The following sections supply additional detail about the interworkings and Cisco implementation of L2TP. Using L2TP tunneling, an Internet service provider (ISP) or other access service can create a virtual tunnel to link customer remote sites or remote users with corporate home networks. The NAS located at the POP of the ISP exchanges PPP messages with remote users and communicates by way of L2TP requests and responses with the customer tunnel server to set up tunnels. L2TP passes protocol-level packets through the virtual tunnel between endpoints of a point-to-point connection. Frames from remote users are accepted by the POP of the ISP, stripped of any linked framing or transparency bytes, encapsulated in L2TP and forwarded over the appropriate tunnel. The customer tunnel server accepts these L2TP frames, strips the L2TP encapsulation, and processes the incoming frames for the appropriate interface. Figure 75 shows the L2TP tunnel detail and how user “lsmith” connects to the tunnel server to access the designated corporate intranet. Idle and absolute timeout Yes Yes Multilink PPP support Yes Yes Multichassis Multilink PPP support Yes Yes Security • All security benefits of PPP, including multiple per-user authentication options (CHAP, MS-CHAP, PAP). • Tunnel authentication mandatory. • All security benefits of PPP, including multiple per-user authentication options (CHAP, MS-CHAP, PAP). • Tunnel authentication optional. Table 30 L2F and L2TP Feature Comparison (continued) Function L2F L2TP PSTN or ISDN Corporate network ISP or public network L2TP tunnel LAC 16521 Dial client (PPP peer) LNS AAA server AAA server (RADIUS/TACACS+) (RADIUS/TACACS+) Configuring Virtual Private Networks VPN Technology Overview DC-517 Cisco IOS Dial Technologies Configuration Guide Figure 75 L2TP Tunnel Structure Incoming Call Sequence The following describes the events required to establish a VPN connection between a remote user, a NAS at the ISP POP, and the tunnel server at the home LAN using an L2TP tunnel: 1. The remote user initiates a PPP connection to the ISP, using the analog telephone system or ISDN. 2. The ISP network NAS accepts the connection at the POP, and the PPP link is established. 3. After the end user and NAS negotiate LCP, the NAS partially authenticates the end user with CHAP or PAP. The username, domain name, or Dialed Number Information Service (DNIS) is used to determine whether the user is a VPN client. If the user is not a VPN client, authentication continues, and the client will access the Internet or other contacted service. If the username is a VPN client, the mapping will name a specific endpoint (the tunnel server). 4. The tunnel endpoints, the NAS, and the tunnel server authenticate each other before any sessions are attempted within a tunnel. Alternatively, the tunnel server can accept tunnel creation without any tunnel authentication of the NAS. 5. Once the tunnel exists, an L2TP session is created for the end user. 6. The NAS will propagate the LCP negotiated options and the partially authenticated CHAP/PAP information to the tunnel server. The tunnel server will funnel the negotiated options and authentication information directly to the virtual access interface. If the options configured on the virtual template interface do not match the negotiated options with the NAS, the connection will fail, and a disconnect will be sent to the NAS. The result is that the exchange process appears to be between the dialup client and the remote tunnel server exclusively, as if no intermediary device (the NAS) is involved. Figure 76 offers a pictorial account of the L2TP incoming call sequence with its own corresponding sequence numbers. Note that the sequence numbers in Figure 76 are not related to the sequence numbers described in the previous table. LAC LNS ISP PSTN cloud Internet cloud Client: lsmith Corporate network = LT2P = PPP = IP 22110 Configuring Virtual Private Networks VPN Technology Overview DC-518 Cisco IOS Dial Technologies Configuration Guide Figure 76 L2TP Incoming Call Flow VPN Tunnel Authentication Search Order When a call to a NAS is to be tunneled to a tunnel server, the NAS must identify the tunnel server to which the call is to be forwarded. You can configure the router to authenticate users and also to select the outgoing tunnel on the basis of the following criteria: • The user domain name • The DNIS information in the incoming calls • Both the domain name and the DNIS information LAC LNS PSTN/ISDN WAN LAC RADIUS server LNS RADIUS server (6) Tunnel info in AV Pairs Local name (LAC) Tunnel password Tunnel type LNS IP address Request tunnel info (5) user = domain password = cisco (15) (20) (16) (21) Access request (15) (20) Access response (16) (21) Tunnel setup (7) Tunnel authentication CHAP challenge (8) Call setup (1) PPP LCP setup (2) User CHAP response (4) Pass (10) Pass (13) LAC CHAP response (12) CHAP response (19) PASS (22) User CHAP response + response indentifier + PPP negotiated parameters (14) User CHAP challenge (3) LNS CHAP response (9) Pass (17) Optional second CHAP challenge (18) CHAP challenge (11) 22106 Configuring Virtual Private Networks VPN Technology Overview DC-519 Cisco IOS Dial Technologies Configuration Guide VPN Tunnel Lookup Based on Domain Name When a NAS is configured to forward VPN calls on the basis of the user domain name, the user must use a username of the form username@domain. The NAS then compares the user domain name to the domain names it is configured to search for. When the NAS finds a match, it forwards the user call to the proper tunnel server. VPN Tunnel Lookup Based on DNIS Information When a NAS is configured to forward VPN calls on the basis of the user DNIS information, the NAS identifies the user DNIS information, which is provided on ISDN lines, and then forwards the call to the proper tunnel server. The ability to select a tunnel on the basis of DNIS information provides additional flexibility to network service providers that offer VPN services and to the corporations that use the services. Instead of having to use only the domain name for tunnel selection, tunnel selection can be based on the dialed number. With this feature, a corporation—which might have only one domain name—can provide multiple specific phone numbers for users to dial in to the NAS at the service provider POP. The service provider can select the tunnel to the appropriate services or portion of the corporate network on the basis of the dialed number. VPN Tunnel Lookup Based on Both Domain Name and DNIS Information When a service provider has multiple AAA servers configured, VPN tunnel authorization searches based on domain name can be time consuming and might cause the client session to time out. To provide more flexibility, service providers can now configure the NAS to perform tunnel authorization searches by domain name only, by DNIS only, or by both in a specified order. NAS AAA Tunnel Definition Lookup Authentication, authorization, and accounting (AAA) tunnel definition lookup allows the NAS to look up tunnel definitions using keywords. Two new Cisco AV pairs are added to support NAS tunnel definition lookup: tunnel type and l2tp-tunnel-password. These AV pairs are configured on the RADIUS server. Descriptions of the values are as follows: • tunnel type—Indicates that the tunnel type is either L2F or L2TP. This is an optional AV pair and if not defined, reverts to L2F, the default value. If you want to configure an L2TP tunnel, you must use the L2TP AV pair value. This command is case sensitive. • l2tp-tunnel-password—This value is the secret (password) used for L2TP tunnel authentication and L2TP AV pair hiding. This is an optional AV pair value; however, if it is not defined, the secret will default to the password associated with the local name on the NAS local username-password database. This AV pair is analogous to the l2tp local secret command. For example: request dialin l2tp ip 172.21.9.13 domain hoser.com l2tp local name dustie l2tp local secret partner Configuring Virtual Private Networks VPN Technology Overview DC-520 Cisco IOS Dial Technologies Configuration Guide is equivalent to the following RADIUS server configuration: acme.com Password = “cisco” cisco-avpair = “vpdn: tunnel-id=dustie”, cisco-avpair = “vpdn: tunnel-type=l2tp”, cisco-avpair = “vpdn: l2tp-tunnel-password=partner’, cisco-avpair = “vpdn: ip-addresses=172.21.9.13” Note The password for the domain must be “cisco.” This is hard-coded in Cisco IOS software. L2TP Dial-Out The L2TP dial-out feature enables tunnel servers to tunnel dial-out VPN calls using L2TP as the tunneling protocol. This feature enables a centralized network to efficiently and inexpensively establish a virtual point-to-point connection with any number of remote offices. Note Cisco routers can carry both dial-in and dial-out calls in the same L2TP tunnels. L2TP dial-out involves two devices: a tunnel server and a NAS. When the tunnel server wants to perform L2TP dial-out, it negotiates an L2TP tunnel with the NAS. The NAS then places a PPP call to the client(s) that the tunnel server wants to dial out to. Figure 77 shows a typical L2TP dial-out scenario. Figure 77 L2TP Dial-Out Process SCCRD SCCN OCRQ OCRP LAC calls PPP client PPP packets 26311 SCCRQ OCCN 2 1 4 5 6 7 3 LNS LAC PC VPDN session created VPDN session created Configuring Virtual Private Networks VPN Technology Overview DC-521 Cisco IOS Dial Technologies Configuration Guide The following explains the sequence of events described in Figure 77: 1. The tunnel server receives Layer 3 packets, which are to be dialed out, and forwards them to its dialer interface (either a dialer profile or dial-on-demand routing [DDR]). The dialer issues a dial call request to the VPN group, and the tunnel server creates a virtual access interface. If the dialer is a dialer profile, this interface becomes a member of the dial pool. If the dialer is DDR, the interface becomes a member of the rotary group. The VPN group creates a VPN session for this connection and sets it in the pending state. 2. The tunnel server and NAS establish an L2TP tunnel (unless a tunnel is already open). 3. The tunnel server sends an Outgoing Call ReQuest (OCRQ) packet to the NAS, which checks if it has a dial resource available. If the resource is available, the NAS responds to the tunnel server with an Outgoing Call RePly (OCRP) packet. If the resource is not available, the NAS responds with a Call Disconnect Notification (CDN) packet, and the session is terminated. 4. If the NAS has an available resource, it creates a VPN session and sets it in the pending state. 5. The NAS then initiates a call to the PPP client. When the NAS call connects to the PPP client, the NAS binds the call interface to the appropriate VPN session. 6. The NAS sends an Outgoing Call CoNnected (OCCN) packet to the tunnel server. The tunnel server binds the call to the appropriate VPN session and then brings the virtual access interface up. 7. The dialer on the tunnel server and the PPP client can now exchange PPP packets. The NAS acts as a transparent packet forwarder. If the dialer interface is a DDR and a virtual profile is configured, the PPP endpoint is the tunnel server virtual-access interface, not the dialer. All Layer 3 routes point to this interface instead of the dialer. Note Large-scale dial-out, Bandwidth Allocation Protocol (BAP), and Dialer Watch are not supported. All configuration must be local on the router. VPN Configuration Modes Overview Cisco VPN is configured using the VPN group configuration mode. VPN groups can now support the following: • One or both of the following tunnel server VPN subgroup configuration modes – Accept-dialin – Request-dialout • One or both of the following NAS VPN subgroup configuration modes – Request-dialin – Accept-dialout • One of the four VPN subgroup configuration modes A VPN group can act as either a tunnel server or a NAS, but not both. But individual routers can have both tunnel server VPN groups and NAS VPN groups. Table 31 list four VPDN group configuration commands that correspond to the configuration modes listed above. These command modes are accessed from VPN group mode; therefore, they are generically referred to as VPN subgroups. Configuring Virtual Private Networks VPN Technology Overview DC-522 Cisco IOS Dial Technologies Configuration Guide The keywords and arguments for the previous accept-dialin and request-dialin VPDN group configuration commands are now independent commands. The previous syntax is still supported, but when you display the configuration, the commands will appear in the new format. For example, to configure a NAS to request dial-in, you could use the old command, as follows: request-dialin l2tp ip 10.1.2.3 domain jgb.com However when you view the configuration, the keywords and arguments are displayed in the new format with individual commands: request dialin protocol l2tp domain jgb.com initiate-to ip 10.1.2.3 Similarly, the accept-dialout and request-dialout commands have subgroup commands that are used to specify information such as the tunneling protocol and dialer resource. Table 32 lists the new VPN subgroup commands and which command modes they apply to: The other VPN group commands are dependent on which VPN subgroups exist on the VPN group. Table 33 lists the VPN group commands and which subgroups you need to enable in order for them to be configurable. Table 31 New VPN Group Command Modes Command Command Mode Prompt Type of Service accept-dialin router(config-vpdn-acc-in)# tunnel server request-dialout router(config-vpdn-req-ou)# tunnel server request-dialin router(config-vpdn-req-in)# NAS accept-dialout router(config-vpdn-acc-ou)# NAS Table 32 VPN Subgroup Commands Command VPN Subgroups default all subgroups dialer accept-dialout dnis request-dialin domain request-dialin pool-member request-dialout protocol all subgroups rotary-group request-dialout virtual-template accept-dialin Configuring Virtual Private Networks VPN Technology Overview DC-523 Cisco IOS Dial Technologies Configuration Guide Prerequisites for VPNs Before configuring a VPN, you must complete the prerequisites described in Table 34. These prerequisites are discussed in the sections that follow. Table 33 VPN Group Commands Command VPN Subgroups accept-dialin tunnel server VPN group1 1. Tunnel server VPN groups can be configured for accept-dialin and/or request-dialout. accept-dialout NAS VPN group2 2. NAS VPN groups can be configured for accept-dialout and/or request-dialin. authen before-forward request-dialin default any subgroup force-local-chap accept-dialin initiate-to request-dialin or request-dialout lcp renegotiation accept-dialin local name any subgroup multilink request-dialin request-dialin NAS VPN Group2 request-dialout tunnel server VPN Group1 source-ip any subgroup terminate-from accept-dialin or accept-dialout Table 34 VPN Prerequisites Prerequisite Client-Initiated Dial-In NAS-Initiated Dial-In Dial-Out Configuring the LAN Interface Required Required Required Configuring AAA Optional Required Required Specifying the IP Address Pool and BOOTP Servers on the Tunnel Server Required Required N/A Commissioning the T1 Controllers on the NAS N/A Required N/A Configuring the Serial Channels for Modem Calls on the NAS N/A Required N/A Configuring the Modems and Asynchronous Lines on the NAS N/A Required N/A Configuring the Group-Asynchronous Interface on the NAS N/A Required N/A Configuring Virtual Private Networks VPN Technology Overview DC-524 Cisco IOS Dial Technologies Configuration Guide Configuring the LAN Interface To assign an IP address to the interface that will be carrying the VPN traffic and that brings up the interface, use the following commands on both the NAS and the tunnel server beginning in global configuration mode: Configuring AAA To enable AAA, use the following commands on both the NAS and the tunnel server in global configuration mode. If you use RADIUS or TACACS+ for AAA, you also need to point the router to the AAA server using either the radius-server host or the tacacs-server host command. Refer to the Cisco IOS Security Configuration Guide, Release 12.2, for a complete list of commands and configurable options for security and AAA implementation. For information on configuring remote AAA servers, refer to the CiscoSecure ACS documentation at: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/index.htm. Configuring the Dialer on a NAS N/A N/A Required Configuring the Dialer on a Tunnel Server N/A N/A Required Table 34 VPN Prerequisites Prerequisite Client-Initiated Dial-In NAS-Initiated Dial-In Dial-Out Command Purpose Step 1 Router(config)# interface interface-type number Enters interface configuration mode. Step 2 Router(config-if)# ip address ip-address subnet-mask Configures the IP address and subnet mask on the interface. Step 3 Router(config-if)# no shutdown Changes the state of the interface from administratively down to up. Command Purpose Step 1 Router(config)# aaa new-model Enables the AAA access control system. Step 2 Router(config)# aaa authentication login default {local | radius | tacacs} Enables AAA authentication at login and uses the local username database for authentication.1 Step 3 Router(config)# aaa authentication ppp default {local | radius | tacacs} Configures the AAA authentication method that is used for PPP and VPN connections.1 Step 4 Router(config)# aaa authorization network default {local | radius | tacacs} Configures the AAA authorization method that is used for network-related service requests.1 Step 5 Router(config)# aaa accounting network default start-stop {radius | tacacs} (Optional) Enables AAA accounting that sends a stop accounting notice at the end of the requested user process.1 Configuring Virtual Private Networks VPN Technology Overview DC-525 Cisco IOS Dial Technologies Configuration Guide Step 6 Router(config)# vpdn aaa override-server {aaa-server-ip-address | aaa-server-name} (Optional) Specifies the AAA servers to be used for VPDN tunnel authorization. If this command is not configured, the default AAA server configured for network authorization is used for VPDN authorization. Step 7 Router(config)# vpdn aaa attribute [{nas-ip-address vpdn-nas}| (nas-port vpdn-nas}] (Optional) Enables the reporting of AAA attributes from the HGW to the configured RADIUS or TACACS+ AAA server. This command is applicable only on the tunnel server and is disabled by default. Step 8 Router(config)# vpdn aaa untagged (Optional) Enables the application of untagged attribute values to all attribute sets for VPDN tunnels, unless a value for that attribute is already specified in the attribute set. This command is enabled by default, therefore configuration of this command is required only if the command has been previously disabled. Step 9 Router(config)# radius-server host ip-address [auth-port number] [acct-port number] Router(config)# radius-server key cisco or Router(config)# tacacs-server host ip-address [port integer] [key string] Specifies the RADIUS server IP address and optionally the ports to be used for authentication and accounting requests. Sets the authentication key and encryption key for all RADIUS communication. Note The RADIUS key must be “cisco.” This is hard-coded in Cisco IOS software. Specifies the TACACS+ server IP address and optionally the port to be used, and an authentication and encryption key. 1. If you specify more than one method, AAA will query the servers or databases in the order that they are entered. Command Purpose Configuring Virtual Private Networks VPN Technology Overview DC-526 Cisco IOS Dial Technologies Configuration Guide Specifying the IP Address Pool and BOOTP Servers on the Tunnel Server To specify the IP addresses and the BOOTP servers that will be assigned to VPN clients, use the following commands on the tunnel server in global configuration mode. The IP address pool is the addresses that the tunnel server assigns to clients. You must configure an IP address pool. You can also provide BOOTP servers. Domain Name System (DNS) servers translate host names to IP addresses. WINS servers, which are specified using the async-bootp nbns-server command, provide dynamic NetBIOS names that Windows devices use to communicate without IP addresses. Commissioning the T1 Controllers on the NAS To define the ISDN switch type and commission the T1 controllers to allow modem calls to come into the NAS, use the following commands beginning in global configuration mode: Command Purpose Step 1 HGW(config)# ip local pool default first-ip-address last-ip-address Configures the default local pool of IP address that will be used by clients. Step 2 HGW(config)# async-bootp dns-server ip-address1 [additional-ip-address] (Optional) Returns the configured addresses of DNS in response to BOOTP requests. Step 3 HGW(config)# async-bootp nbns-server ip-address1 [additional-ip-address] (Optional) Returns the configured addresses of Windows NT servers in response to BOOTP requests. Command Purpose Step 1 NAS(config)# isdn switch-type switch-type Enters the telco switch type. An ISDN switch type that is specified in global configuration mode is automatically propagated into the individual serial interfaces (for example, serial interface 0:23, 1:23, 2:23, and 3:23). Step 2 NAS(config)# controller t1 0 Accesses controller configuration mode for the first T1 controller, which is number 0. The controller ports are numbered 0 through 3 on the quad T1/PRI card. Step 3 NAS(config-controller)# framing framing-type Enters the T1 framing type. Step 4 NAS(config-controller)# linecode linecode Enters the T1 line-code type. Configuring Virtual Private Networks VPN Technology Overview DC-527 Cisco IOS Dial Technologies Configuration Guide Configuring the Serial Channels for Modem Calls on the NAS To configure the D channels (the signaling channels) to allow incoming voice calls to be routed to the integrated MICA technologies modems and to control the behavior of the individual B channels, use the following commands on the NAS beginning in global configuration mode: Step 5 NAS(config-controller)# clock source line primary Configures the access server to get its primary clocking from the T1 line assigned to controller 0. Line clocking comes from the remote switch. Step 6 NAS(config-controller)# pri-group timeslots range Assigns the T1 time slots as ISDN PRI channels. After you enter this command, a D-channel serial interface is instantly created (for example, S0:23), along with individual B-channel serial interfaces (S0:0, S0:1, and so on). The D-channel interface functions like a dialer for the B channels using the controller. If this was an E1 interface, the PRI group range would be 1 to 31. The D-channel serial interfaces would be S0:15, S1:15, S2:15, and S3:15. Command Purpose Command Purpose Step 1 NAS(config)# interface serial 0:23 Accesses configuration mode for the D-channel serial interface that corresponds to controller T1 0. The behavior of serial 0:0 through serial 0:22 is controlled by the configuration instructions provided for serial 0:23. This concept is also true for the other remaining D-channel configurations. Step 2 NAS(config-if)# isdn incoming-voice modem Enables analog modem voice calls that come in through the B channels to be connected to the integrated modems. Step 3 NAS(config-if)# exit Returns to global configuration mode. Step 4 NAS(config)# interface serial 1:23 NAS(config-if)# isdn incoming-voice modem NAS(config-if)# exit NAS(config)# interface serial 2:23 NAS(config-if)# isdn incoming-voice modem NAS(config-if)# exit NAS(config)# interface serial 3:23 NAS(config-if)# isdn incoming-voice modem NAS(config-if)# exit Configures the three remaining D channels with the same ISDN incoming-voice modem setting. Configuring Virtual Private Networks VPN Technology Overview DC-528 Cisco IOS Dial Technologies Configuration Guide Configuring the Modems and Asynchronous Lines on the NAS To define a range of modem lines and to enable PPP clients to dial in, bypass the EXEC facility, and automatically start PPP, use the following commands on the NAS beginning in global configuration mode. Configure the modems and lines after the ISDN channels are operational. Each modem corresponds with a dedicated asynchronous line inside the NAS. The modem speed of 115200 bps and hardware flow control are default values for integrated modems. Configuring the Group-Asynchronous Interface on the NAS To create a group-asynchronous interface and project protocol characteristics to the asynchronous interfaces, use the following commands on the NAS beginning in global configuration mode. The group-async interface is a template that controls the configuration of the specified asynchronous interfaces inside the NAS. Asynchronous interfaces are lines running in PPP mode. An asynchronous interface uses the same number as its corresponding line. Configuring all the asynchronous interfaces as an asynchronous group saves you time by reducing the number of configuration steps. Command Purpose Step 1 NAS(config)# line line-number [ending-line-number] Enters the modem line or range of modem lines (by entering an ending-line-number) that you want to configure. Step 2 NAS(config-line)# autoselect ppp Enables PPP clients to dial in, bypass the EXEC facility, and automatically start PPP on the lines. Step 3 NAS(config-line)# autoselect during-login Displays the username:password prompt as the modems connect. Note These two autoselect commands enable EXEC (shell) and PPP services on the same lines. Step 4 NAS(config-line)# modem inout Supports incoming and outgoing modem calls. Command Purpose Step 1 NAS(config)# interface group-async number Creates the group-asynchronous interface. Step 2 NAS(config-if)# ip unnumbered interface-type number Uses the IP address defined on the specified interface. Step 3 NAS(config-if)# encapsulation ppp Enables PPP. Step 4 NAS(config-if)# async mode interactive Configures interactive mode on the asynchronous interfaces. Interactive mode means that clients can dial in to the NAS and get a router prompt or PPP session. Dedicated mode means that only PPP sessions can be established on the NAS. Clients cannot dial in and get an EXEC (shell) session. Configuring Virtual Private Networks VPN Technology Overview DC-529 Cisco IOS Dial Technologies Configuration Guide Configuring the Dialer on a NAS To configure the dialer on a NAS for L2TP dial-out, use the following commands beginning in global configuration mode: Configuring the Dialer on a Tunnel Server To configure the dialer on an a tunnel server for L2TP dial-out, use the following commands beginning in global configuration mode: Step 5 NAS(config-if)# ppp authentication {chap | pap | chap pap | pap chap} Configures the authentication to be used on the interface during LCP negotiation. When both authentication methods are specified, the NAS first authenticates with the first method entered. If the first method is rejected by the client, the second authentication method is used. Step 6 NAS(config-if)# group-range range Specifies the range of asynchronous interfaces to include in the group, which is usually equal to the number of modems in the access server. Command Purpose Command Purpose Step 1 NAS(config)# interface dialer number Defines a dialer rotary group. Step 2 NAS(config-if)# ip unnumbered interface-type number Configures the dialer to use the interface IP address. Step 3 NAS(config-if)# encapsulation ppp Enables PPP encapsulation. Step 4 NAS(config-if)# dialer in-band Enables DDR on the dialer. Step 5 NAS(config-if)# dialer aaa Enables the dialer to use the AAA server to locate profiles for dialing information. Step 6 NAS(config-if)# dialer-group group-number Assigns the dialer to the specified dialer group. Step 7 NAS(config-if)# ppp authentication chap Specifies that CHAP authentication will be used. Command Purpose Step 1 LNS(config)# interface dialer number Defines a dialer rotary group. Step 2 LNS(config-if)# ip address ip-address subnet-mask Specifies an IP address for the group. Step 3 LNS(config-if)# encapsulation ppp Enables PPP encapsulation. Step 4 LNS(config-if)# dialer remote-name peer-name Specifies the name used to authenticate the remote router that is being dialed. Step 5 LNS(config-if)# dialer string dialer-number Specifies the number that is dialed. Step 6 LNS(config-if)# dialer vpdn Enables dial-out. Step 7 LNS(config-if)# dialer pool pool-number Specifies the dialer pool. Configuring Virtual Private Networks How to Configure a VPN DC-530 Cisco IOS Dial Technologies Configuration Guide How to Configure a VPN Configuration for both dial-in and dial-out VPNs is described in the following sections: • Enabling a VPN • Configuring VPN Tunnel Authentication Using the Host Name or Local Name • Configuring VPN Tunnel Authentication Using the L2TP Tunnel Password • Configuring Client-Initiated Dial-In VPN • Configuring NAS-Initiated Dial-In VPN • Configuring Dial-Out VPN • Configuring Advanced VPN Features See the section “Configuration Examples for VPN” later in this chapter for examples of how you can implement VPN in your network. Enabling a VPN To enable a VPN tunnel, use the following command in global configuration mode: To disable a VPN tunnel, use the clear vpdn tunnel command in EXEC mode. The no vpdn enable command does not automatically disable a VPN tunnel. Configuring VPN Tunnel Authentication Configuration VPN tunnel authentication enables routers to authenticate the other tunnel endpoint before establishing a VPN tunnel. It is required for L2F tunnels and optional for L2TP tunnels. Step 8 LNS(config-if)# dialer-group group-number Assigns the dialer to the specified dialer group. Step 9 LNS(config-if)# ppp authentication chap Specifies that CHAP authentication will be used. Command Purpose Command Purpose Router(config)# vpdn1 enable 1. The Cisco IOS command syntax uses the more specific term VPDN (virtual private dialup network) instead of VPN. Enables VPN. Configuring Virtual Private Networks How to Configure a VPN DC-531 Cisco IOS Dial Technologies Configuration Guide Disabling VPN Tunnel Authentication for L2TP Tunnels To disable VPN tunnel authentication for L2TP tunnels, use the following commands beginning in global configuration mode: Note Before you can configure any l2tp VPN group command, you must specify L2TP as the protocol for a VPN subgroup within the VPN group. For more information, see the “Configuring NAS-Initiated Dial-In VPN” and “Configuring Dial-Out VPN” sections later in this chapter. VPN tunnel authentication can be performed in the following ways: • Using local AAA on both the NAS and the tunnel server • Using RADIUS on the NAS and local AAA on the tunnel server • Using TACACS+ on the NAS and local AAA on the tunnel server This section discusses local tunnel authentication. For information on RADIUS and TACACS+, refer to the “NAS AAA Tunnel Definition Lookup” section earlier in this chapter and the Cisco IOS Security Configuration Guide, Release 12.2. VPN tunnel authentication requires that a single shared secret—called the tunnel secret—be configured on both the NAS and tunnel server. There are two methods for configuring the tunnel secret: • Configuring VPN Tunnel Authentication Using the Host Name or Local Name The tunnel secret is configured as a password by using the username command. • Configuring VPN Tunnel Authentication Using the L2TP Tunnel Password The tunnel secret is configured by using the l2tp tunnel password command. Command Purpose ISP_NAS(config)# vpdn-group group ISP_NAS(config-vpdn)# no l2tp tunnel authentication Disables VPN tunnel authentication for the specified VPN group. The VPN group will not challenge any router that attempts to open an L2TP tunnel. Configuring Virtual Private Networks How to Configure a VPN DC-532 Cisco IOS Dial Technologies Configuration Guide Configuring VPN Tunnel Authentication Using the Host Name or Local Name To configure VPN tunnel authentication using the hostname or local name commands, use the following commands beginning in global configuration mode: Configuring VPN Tunnel Authentication Using the L2TP Tunnel Password To configure VPN tunnel authentication using the l2tp tunnel password command, use the following commands beginning in global configuration: For sample VPN tunnel authentication configurations, see the “VPN Tunnel Authentication Examples” section later in this chapter. Command Purpose Step 1 ISP_NAS(config)# hostname host-name or ISP_NAS(config)# vpdn-group group ISP_NAS(config-vpdn)# local name tunnel-name Configures the router host name. By default, the router uses the host name as the tunnel name in VPN tunnel authentication. or (Optional) Configures the local name for the VPN group. When negotiating VPN tunnel authentication for this VPN group, the router will use the local name as the tunnel name. Step 2 ISP_NAS(config)# username tunnel-name password tunnel-secret Configures the other router’s tunnel name and the tunnel secret as a user name and password combination. Note The tunnel secret must be the same on both routers. Each router must have the other router’s tunnel name (specified by either the hostname or local name command) configured as a username with the tunnel secret as the password. Command Purpose Step 1 ISP_NAS(config)# vpdn-group group ISP_NAS(config-vpdn)# l2tp tunnel password tunnel-secret Configures the tunnel secret that will be used for VPN tunnel authentication for this VPN group and enters VPDN configuration mode. Step 2 ISP_NAS(config-vpdn)# local name tunnel-name ISP_NAS(config-vpdn)# exit ISP_NAS(config)# username tunnel-name password tunnel-secret (Optional) Configures the tunnel name of the router. (Optional) Configures the other router’s tunnel name and the tunnel secret as a user name. If the other router uses the l2tp tunnel password command to configure the tunnel secret, these commands are not necessary. Note The tunnel secret must be the same on both routers. Configuring Virtual Private Networks How to Configure a VPN DC-533 Cisco IOS Dial Technologies Configuration Guide Configuring Client-Initiated Dial-In VPN For client-initiated dial-in VPNs, complete the following tasks: • Configuring a Tunnel Server to Accept Dial-In (Required) • Configuring MPPE on the ISA Card (Optional) • Tuning PPTP (Optional) When configuring PPTP and MPPE, you should consider the following restrictions: • Only Cisco Express Forwarding (CEF) and process switching are supported. Regular fast switching is not supported. • PPTP does not support multilink. • VPDN multihop is not supported. • Because all PPTP signaling is over TCP, TCP configurations will affect PPTP performance in large-scale environments. • MPPE is not supported with TACACS. • MPPE is supported with RADIUS in Cisco IOS Releases 12.0(7)XE1 and later releases. • Windows clients must use MS-CHAP authentication in order for MPPE to work. • If you are performing mutual authentication with MS-CHAP and MPPE, both sides of the tunnel must use the same password. • To use MPPE with AAA, you must use a RADIUS server that supports the Microsoft Vendor specific attribute for MPPE-KEYS. CiscoSecure NT supports MPPE beginning with release 2.6. CiscoSecure UNIX does not support MPPE. Configuring a Tunnel Server to Accept PPTP Tunnels To configure a tunnel to accept tunneled PPP connections from a client, use the following commands beginning in global configuration mode: Command Purpose Step 1 PNS(config)# vpdn-group 1 Creates vpdn group 1. Step 2 PNS(config-vpdn)# accept-dialin Enables the tunnel server to accept dial-in requests. Step 3 PNS(config-vpdn-acc-in)# protocol pptp Specifies that the tunneling protocol will be PPTP. Step 4 PNS(config-vpdn-acc-in)# virtual-template template-number Specifies the number of the virtual template that will be used to clone the virtual-access interface. Step 5 PNS(config-vpdn-acc-in)# exit Exit to higher command mode. Step 6 PNS(config-vpdn)# local name localname (Optional) Specifies that the tunnel server will identify itself with this local name. If no local name is specified, the tunnel server will identify itself with its host name. Configuring Virtual Private Networks How to Configure a VPN DC-534 Cisco IOS Dial Technologies Configuration Guide Configuring MPPE on the ISA Card To offload MPPE encryption from the tunnel server processor to the ISA card, use the following commands beginning in global configuration mode: Tuning PPTP To tune PPTP, use one or more of the following commands in VPDN configuration mode: Configuring NAS-Initiated Dial-In VPN The following tasks must be completed for NAS-initiated dial-in VPNs: • Configuring a NAS to Request Dial-In (Required) • Configuring a Tunnel Server to Accept Dial-In (Required) • Creating the Virtual Template on the Network Server (Required) Configuring a NAS to Request Dial-In The NAS is a device that is typically (although not always) located at a service provider POP; initial configuration and ongoing management are done by the service provider. To configure a NAS to accept PPP calls and tunnel them to a tunnel server, use the following commands beginning in global configuration mode: Command Purpose Step 1 PNS(config)# controller isa slot/port Enters controller configuration mode on the ISA card. Step 2 PNS(config-controller)# encryption mppe Enables MPPE encryption Command Purpose PNS(config-vpdn)# pptp flow-control receive-window packets Specifies how many packets the client can send before it must wait for the acknowledgment from the tunnel server. PNS(config-vpdn)# pptp flow-control static-rtt milliseconds Specifies the timeout interval of the tunnel server between sending a packet to the client and receiving a response. PNS(config-vpdn)# pptp tunnel echo seconds Specifies the period of idle time on the tunnel that will trigger an echo message from the tunnel server to the client. Command Purpose Step 1 NAS(config)# vpdn-group 1 Creates VPN group 1. Step 2 NAS(config-vpdn)# request-dialin Enables the NAS to request L2F or L2TP dial-in requests. Step 3 NAS(config-vpdn-req-in)# protocol [l2f | l2tp | any] Specifies which tunneling protocol is to be used. Configuring Virtual Private Networks How to Configure a VPN DC-535 Cisco IOS Dial Technologies Configuration Guide Configuring a Tunnel Server to Accept Dial-In To configure a tunnel server to accept tunneled PPP connections from a NAS, use the following commands beginning in global configuration mode. The tunnel server is the termination point for a VPN tunnel. The tunnel server initiates outgoing calls to and receives incoming calls from the NAS. See the section “Tunnel Server Comprehensive Dial-in Configuration Example” later in this chapter for a configuration example. Creating the Virtual Template on the Network Server At this point, you can configure the virtual template interface with configuration parameters you want applied to virtual access interfaces. A virtual template interface is a logical entity configured for a serial interface. The virtual template interface is not tied to any physical interface and is applied dynamically, as needed. Virtual access interfaces are cloned from a virtual template interface, used on demand, and then freed when no longer needed. Step 4 NAS(config-vpdn-req-in)# domain domain-name or NAS(config-vpdn-req-in)# dnis dnis-number Specifies the domain name of the users that are to be tunneled. Specifies the DNIS number of users that are to be tunneled. You can configure multiple domain names and/or DNIS numbers for an individual request-dialin subgroup. Step 5 NAS(config-vpdn-req-in)# exit NAS(config-vpdn)# initiate-to ip ip-address Specifies the IP address that the NAS will establish the tunnel with. This is the IP address of the tunnel server. Step 6 NAS(config-vpdn)# vpdn search-order {domain | dnis | domain dnis | dnis domain} (Optional) Specifies the method that is used to determine if a dial-in call should be tunneled. If both keywords are entered, the NAS will search the criteria in the order they are entered. Command Purpose Command Purpose Step 1 LNS(config)# vpdn-group 1 Creates VPN group 1. Step 2 LNS(config-vpdn)# accept-dialin Enables the tunnel server to accept dial-in requests. Step 3 LNS(config-vpdn-acc-in)# protocol [l2f | l2tp | any] Specifies which tunneling protocol is to be used. Step 4 LNS(config-vpdn-acc-in)# virtual-template number Specifies the number of the virtual template that will be used to clone the virtual access interface. Step 5 LNS(config-vpdn-acc-in)# exit LNS(config-vpdn)# terminate-from hostname hostname Accepts tunnels that have this host name configured as a local name. Configuring Virtual Private Networks How to Configure a VPN DC-536 Cisco IOS Dial Technologies Configuration Guide To create and configure a virtual template interface, use the following commands beginning in global configuration mode: Optionally, you can configure other commands for the virtual template interface. For more information about configuring virtual template interfaces, refer to the “Configuring Virtual Template Interfaces” chapter in this publication. Configuring Dial-Out VPN The following tasks must be completed for dial-out VPNs: • Configuring a Tunnel Server to Request Dial-Out (Required) • Configuring a NAS to Accept Dial-Out (Required) Configuring a Tunnel Server to Request Dial-Out To configure a tunnel server to request dial-out tunneled PPP connections to a NAS, use the following commands beginning in global configuration mode: Command Purpose Step 1 HGW(config)# interface virtual-template number Create the virtual template that is used to clone virtual access interfaces. Step 2 HGW(config-if)# ip unnumbered interface-type number Specifies that the virtual access interfaces use the specified interface IP address. Step 3 HGW(config-if)# ppp authentication {chap | pap | chap pap | pap chap} Enables CHAP authentication using the local username database. Step 4 HGW(config-if)# peer default ip address pool pool Returns an IP address from the default pool to the client. Step 5 HGW(config-if)# encapsulation ppp Enables PPP encapsulation. Command Purpose Step 1 LNS(config)# vpdn-group 1 Creates VPN group 1. Step 2 LNS(config-vpdn)# request-dialout Enables the tunnel server to send L2TP dial-out requests. Step 3 LNS(config-vpdn-req-ou)# protocol l2tp Specifies L2TP as the tunneling protocol. Note L2TP is the only protocol that supports dial-out. Step 4 LNS(config-vpdn-req-ou)# pool-member pool-number or LNS(config-vpdn-req-ou)# rotary-group group-number Specifies the dialer profile pool that will be used to dial out. Specifies the dialer rotary group that will be used to dial out. You can configure only one dialer profile pool or dialer rotary group. Attempting to configure a second dialer resource will remove the first from the configuration. Configuring Virtual Private Networks How to Configure a VPN DC-537 Cisco IOS Dial Technologies Configuration Guide Configuring a NAS to Accept Dial-Out To configure a NAS to accept tunneled dial-out connections from a tunnel server, use the following commands beginning in global configuration mode: Configuring Advanced VPN Features The following optional tasks provide advanced VPN features: • Configuring Advanced Remote AAA Features • Configuring Per-User VPN • Configuring Preservation of IP ToS Field • Shutting Down a VPN Tunnel • Limiting the Number of Allowed Simultaneous VPN Sessions • Enabling Soft Shutdown of VPN Tunnels • Configuring Event Logging • Setting the History Table Size Configuring Advanced Remote AAA Features This section describes the following two advanced remote AAA features for VPNs: • Tunnel Server Load Balancing on the NAS AAA Server • DNS Name Support Step 5 LNS(config-vpdn-req-ou)# exit LNS(config-vpdn)# initiate-to ip ip-address Specifies the IP address that will be dialed out. This is the IP address of the NAS. Step 6 LNS(config-vpdn)# local name hostname Specifies that the L2TP tunnel will identify itself with this host name. Command Purpose Command Purpose Step 1 NAS(config)# vpdn-group 1 Creates VPN group 1. Step 2 NAS(config-vpdn)# accept-dialout Enables the NAS to accept L2TP dial-out requests. Step 3 NAS(config-vpdn-acc-ou)# protocol l2tp Specifies L2TP as the tunneling protocol. Note L2TP is the only protocol that supports dial-out. Step 4 NAS(config-vpdn-acc-ou)# dialer dialer-interface Specifies the dialer that is used to dial out to the client. Step 5 NAS(config-vpdn-acc-ou)# exit NAS(config-vpdn)# terminate-from hostname hostname Accepts L2TP tunnels that have this host name configured as a local name. Configuring Virtual Private Networks How to Configure a VPN DC-538 Cisco IOS Dial Technologies Configuration Guide Tunnel Server Load Balancing on the NAS AAA Server NAS AAA servers can forward users of the same domain name or DNIS to more than one tunnel server. The NAS AAA server can be configured to balance the load of calls equally among the tunnel servers, or it can designate different priority levels to the tunnel servers. To configure load balancing on a NAS RADIUS server, configure multiple IP addresses in the vpdn:ip-addresses attribute value (AV) pair. The IP addresses can be separated by either spaces or by commas. The following example shows a profile that will equally balance the load between three tunnel servers. user = terrapin.com{ profile_id = 29 profile_cycle = 7 radius=Cisco { check_items= { 2=cisco } reply_attributes= { 9,1="vpdn:l2tp-tunnel-password=cisco123" 9,1="vpdn:tunnel-type=l2tp" 9,1="vpdn:ip-addresses=172.16.171.11 172.16.171.12 172.16.171.13" 9,1="vpdn:tunnel-id=tunnel" } } } To specify different priorities for the tunnel servers, separate the IP addresses with a slash. The following AV pair instructs the RADIUS server to equally balance calls between 172.16.171.11 and 172.16.171.12. If both of those tunnel servers are unavailable, the RADIUS server will tunnel calls to 172.16.171.13. 9,1="vpdn:ip-addresses=172.16.171.11 172.16.171.12/172.16.171.13" DNS Name Support NAS AAA servers can resolve DNS names and translate them into IP addresses. The server will first look up the name in its name cache. If the name is not in the name cache, the server will resolve the name by using a DNS server. The following AV pair instructs the RADIUS server to resolve the DNS name "terrapin" and tunnel calls to the appropriate IP addresses: 9,1="vpdn:ip-addresses=terrapin" For detailed information about remote AAA configuration, refer to the CiscoSecure ACS documentation at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/index.htm. Configuring Per-User VPN In a VPN that uses remote AAA, when a user dials in, the access server that receives the call forwards information about the user to its remote AAA server. With basic VPN, the access server sends only the user domain name (when performing authentication based on domain name) or the telephone number the user dialed in from (when performing authentication based on DNIS). Per-user VPN configuration sends the entire structured username to the AAA server the first time the router contacts the AAA server. This enables Cisco IOS software to customize tunnel attributes for individual users who use a common domain name or DNIS. Without VPN per-user configuration, Cisco IOS software sends only the domain name or DNIS to determine VPN tunnel attribute information. Then, if no VPN tunnel attributes are returned, Cisco IOS software sends the entire username string. Configuring Virtual Private Networks How to Configure a VPN DC-539 Cisco IOS Dial Technologies Configuration Guide Note Per-user VPN configuration supports only RADIUS as the AAA protocol. To configure per-user VPN, use the following commands beginning in global configuration mode: Configuring Preservation of IP ToS Field When L2TP data packets are created, they have a type of service (ToS) field of zero, which indicates normal service. This ignores the ToS field of the encapsulated IP packets that are being tunneled. To preserve quality of service (QoS) for tunneled packets by copying the ToS field of the IP packets’ onto the L2TP data packets when they are created at the tunnel server virtual access interface, use the following commands beginning in global configuration mode: Note The tunneled link must carry IP for the ToS field to be preserved. The encapsulated payload of Multilink PPP (MLP) connections is not IP, therefore this task has no effect when MLP is tunneled. Note Proxy PPP dial-in is not supported. Command Purpose Step 1 Router(config)# vpdn-group group-number Enters VPN group configuration mode. Step 2 Router(config-vpdn)# authen before-forward Specifies that the entire structured username be sent to the AAA server the first time the router contacts the AAA server. Command Purpose Step 1 LNS(config)# vpdn-group 1 Creates VPN group 1. Step 2 LNS(config-vpdn)# accept-dialin or LNS(config-vpdn)# request-dialout Enables the tunnel server to accept dial-in requests. Enables the tunnel server to send L2TP dial-out requests. Step 3 LNS(config-vpdn-acc-in)# protocol l2tp or LNS(config-vpdn-req-ou)# protocol l2tp Specifies L2TP as the tunneling protocol. Note L2TP is the only protocol that supports dial-out and IP ToS preservation. Step 4 LNS(config-vpdn-req-ou)# exit Returns to VPDN group configuration mode. Step 5 LNS(config-vpdn)# ip tos reflect Preserves the ToS field of the encapsulated IP packets. Configuring Virtual Private Networks How to Configure a VPN DC-540 Cisco IOS Dial Technologies Configuration Guide Shutting Down a VPN Tunnel To shut down a VPN tunnel, use the following command in privileged EXEC mode: Limiting the Number of Allowed Simultaneous VPN Sessions To set a limit for the maximum number of allowed simultaneous VPN sessions, use the following command in global configuration mode: To verify that the vpdn session-limit command is working properly, perform the following steps: Note If you use a Telnet session to connect to the NAS, enable the terminal monitor command, which ensures that your EXEC session is receiving the logging and debug output from the NAS. Step 1 Enter the vpdn session-limit 1 global configuration command on either the NAS or tunnel server. Step 2 Establish a VPN session by dialing in to the NAS using an allowed username and password. Step 3 Attempt to establish another VPN session by dialing in to the NAS using another allowed username and password. Step 4 A Syslog message similar to the following should appear on the console of the router: 00:11:17:%VPDN-6-MAX_SESS_EXCD:L2F HGW great_went has exceeded configured local session-limit and rejected user wilson@soam.com Step 5 Enter the show vpdn history failure command on the router. If you see output similar to the following, the session limit was successful: User:wilson@soam.com NAS:cliford_ball, IP address = 172.25.52.8, CLID = 2 Gateway:great_went, IP address = 172.25.52.7, CLID = 13 Log time:00:04:21, Error repeat count:1 Failure type:Exceeded configured VPDN maximum session limit. Failure reason: Command Purpose Router# clear vpdn tunnel {l2f nas-name hgw-name | l2tp [remote-name] [local-name]} Shuts down a specific tunnel and all the sessions within the tunnel. Command Purpose Router(config)# vpdn session-limit sessions Limits the number of simultaneous VPN sessions on the router to the number specified with the sessions argument. Configuring Virtual Private Networks How to Configure a VPN DC-541 Cisco IOS Dial Technologies Configuration Guide Enabling Soft Shutdown of VPN Tunnels To prevent new sessions from being established on a VPN tunnel without disturbing the service of existing sessions, use the following command in global configuration mode: When the vpdn softshut command is enabled on a NAS, the potential session will be authorized before it is refused. This authorization ensures that accurate accounting records can be kept. When the vpdn softshut command is enabled on a tunnel server, the reason for the session refusal will be returned to the NAS. This information is recorded in the VPN history failure table. To verify that the vpdn softshut command is working properly, perform the following steps: Step 1 Establish a VPN session by dialing in to the NAS using an allowed username and password. Step 2 Enter the vpdn softshut global configuration command on either the NAS or the tunnel server. Step 3 Verify that the original session is still active by entering the show vpdn command: ENT_HGW# show vpdn % No active L2TP tunnels L2F Tunnel and Session NAS CLID HGW CLID NAS Name HGW Name State 36 1 cliford_ball great_went open 172.25.52.8 172.25.52.7 CLID MID Username Intf State 36 1 mockingbird@gamehendge.com Vi1 open Step 4 Attempt to establish another VPN session by dialing in to the NAS using another allowed username and password. Step 5 A Syslog message similar to the following should appear on the console of the soft shutdown router: 00:11:17:%VPDN-6-SOFTSHUT:L2F HGW great_went has turned on softshut and rejected user wilson@soam.com Step 6 Enter the show vpdn history failure command on the soft shutdown router. If you see output similar to the following, the soft shutdown was successful: User:wilson@soam.com NAS:cliford_ball, IP address = 172.25.52.8, CLID = 2 Gateway:great_went, IP address = 172.25.52.7, CLID = 13 Log time:00:04:21, Error repeat count:1 Failure type:VPDN softshut has been activated. Failure reason: Command Purpose Router(config)# vpdn softshut1 1. When the vpdn softshut command is enabled, Multichassis Multilink PPP (MMP) L2F tunnels can still be created and established. Prevents new sessions from being established on a VPN tunnel without disturbing existing sessions. Configuring Virtual Private Networks Verifying VPN Sessions DC-542 Cisco IOS Dial Technologies Configuration Guide Configuring Event Logging The Syslog mechanism provides generic and failure event logging. Generic logging is a mixture of type error, warning, notification, and information logging for VPN. Logging can be done locally or at a remote tunnel destination. Both generic and failure event logging is enabled by default; therefore, if you wish to disable VPN failure events you must specifically configure the router or access server to do so. In order to disable the router to log VPN generic or history events, use the following commands in global configuration mode: Setting the History Table Size You may set the failure history table to a specific number of entries based on the amount of data you wish to track. To set the failure history table, use the following commands in global configuration mode: Verifying VPN Sessions The following sections detail the procedures used for verifying VPN sessions: • Verifying a Client-Initiated VPN • Verifying a NAS-Initiated VPN Verifying a Client-Initiated VPN To verify that a PPTP network functions properly, complete the following verification steps: Step 1 From the client, dial in to the ISP and establish a PPP session. Step 2 From the client, dial in to the tunnel server. Step 3 From the client, ping the tunnel server. From the client desktop: a. Click Start. b. Select Run. c. Enter ping tunnel-server-ip-address. d. Click OK. Command Purpose Router(config)# vpdn logging [local | remote] Enables generic event logging, locally or at a remote endpoint. Router(config)# vpdn history failure Enables the logging of failure events to the failure history table. Note By default, VPN failure history logging is enabled. Command Purpose Router(config)# vpdn history failure table-size entries (Optional) Sets the failure history table depth. Configuring Virtual Private Networks Verifying VPN Sessions DC-543 Cisco IOS Dial Technologies Configuration Guide e. Look at the terminal screen and verify that the tunnel server is sending ping reply packets to the client. Step 4 From the tunnel server, enter the show vpdn command and verify that the client has established a PPTP session. PNS# show vpdn % No active L2TP tunnels % No active L2F tunnels PPTP Tunnel and Session Information (Total tunnels=1 sessions=1) LocID RemID Remote Name State Remote Address Port Sessions 13 13 10.1.2.41 estabd 10.1.2.41 1136 1 LocID RemID TunID Intf Username State Last Chg 13 0 13 Vi3 estabd 000030 Step 5 For more detailed information, enter the show vpdn session all or show vpdn session window commands. The last line of output from the show vpdn session all command indicates the current status of the flow control alarm. PNS# show vpdn session all % No active L2TP tunnels % No active L2F tunnels PPTP Session Information (Total tunnels=1 sessions=1) Call id 13 is up on tunnel id 13 Remote tunnel name is 10.1.2.41 Internet Address is 10.1.2.41 Session username is unknown, state is estabd Time since change 000106, interface Vi3 Remote call id is 0 10 packets sent, 10 received, 332 bytes sent, 448 received Ss 11, Sr 10, Remote Nr 10, peer RWS 16 0 out of order packets Flow alarm is clear. The last line of output from the show vpdn session window command indicates the current status of the flow control alarm (under the heading “Congestion”) and the number of flow control alarms that have gone off during the session (under the heading “Alarms”). PNS# show vpdn session window % No active L2TP tunnels % No active L2F tunnels PPTP Session Information (Total tunnels=1 sessions=1) LocID RemID TunID ZLB-tx ZLB-rx Congestion Alarms Peer-RWS 13 0 13 0 1 clear 0 16 Step 6 For information on the virtual-access interface, enter the show ppp mppe virtual-access number command: PNS# show ppp mppe virtual-access3 Interface Virtual-Access3 (current connection) Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode packets encrypted = 0 packets decrypted = 1 Configuring Virtual Private Networks Verifying VPN Sessions DC-544 Cisco IOS Dial Technologies Configuration Guide sent CCP resets = 0 receive CCP resets = 0 next tx coherency = 0 next rx coherency = 0 tx key changes = 0 rx key changes = 0 rx pkt dropped = 0 rx out of order pkt= 0 rx missed packets = 0 To update the key change information, reissue the show ppp mppe virtual-access3 command. PNS# show ppp mppe virtual-access3 Interface Virtual-Access3 (current connection) Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode packets encrypted = 0 packets decrypted = 1 sent CCP resets = 0 receive CCP resets = 0 next tx coherency = 0 next rx coherency = 0 tx key changes = 0 rx key changes = 1 rx pkt dropped = 0 rx out of order pkt= 0 rx missed packets = 0 Verifying a NAS-Initiated VPN This section describes how to verify that an L2F dial-in scenario functions as shown in Figure 78. To verify connectivity, complete the following verification steps: • Step 1: Dialing In to the NAS • Step 2: Pinging the Tunnel Server • Step 3: Displaying Active Call Statistics on the Tunnel Server • Step 4: Pinging the Client • Step 5: Verifying That the Virtual-Access Interface Is Up and That LCP Is Open • Step 6: Viewing Active L2F Tunnel Statistics Configuring Virtual Private Networks Verifying VPN Sessions DC-545 Cisco IOS Dial Technologies Configuration Guide Figure 78 L2F Dial-In Topology Using Remote AAA Step 1 From the client, dial in to the NAS by using the PRI telephone number assigned to the NAS T1 trunks. Sometimes this telephone number is called the hunt group number. As the call comes in to the NAS, a LINK-3-UPDOWN message automatically appears on the NAS terminal screen. In the following example, the call comes in to the NAS on asynchronous interface 14. The asynchronous interface is up. *Jan 1 21:22:18.410: %LINK-3-UPDOWN: Interface Async14, changed state to up Note No debug commands are turned on to display this log message. Start troubleshooting the NAS if you do not see this message 30 seconds after the client first sends the call. Step 2 From the client, ping the tunnel server. From the client Windows 95 desktop, perform the following steps: a. Click Start. b. Select Run. c. Enter the ping ip-address command, where the IP address is the tunnel server address. d. Click OK. e. Look at the terminal screen and verify that the tunnel server is sending ping reply packets to the client. POTS lines Cisco AS5300 NAS CiscoSecure ACS UNIX server CiscoSecure ACS NT server 18024 Clients using modems Cisco 7206 home gateway ISP network Enterprise customer network Ethernet 172.22.66.23 172.22.66.18 172.22.66.18 L2F tunnel Ethernet Cisco 7500 edge router Frame Relay data network 4 TI PRI lines PSTN ISDN 172.22.66.13 Configuring Virtual Private Networks Verifying VPN Sessions DC-546 Cisco IOS Dial Technologies Configuration Guide Step 3 From the tunnel server, enter the show caller command and the show caller user name command to verify that the client received an IP address. The following example shows that Jeremy is using interface virtual-access 1 and IP address 172.30.2.1. The network administrator jane-admin is using console 0. ENT_HGW# show caller Line User Service Active con 0 jane-admin TTY 00:00:25 Vi1 jeremy@hgw.com PPP L2F 00:01:28 ENT_HGW# show caller user jeremy@hgw.com User: jeremy@hgw.com, line Vi1, service PPP L2F, active 00:01:35 PPP: LCP Open, CHAP (<- AAA), IPCP IP: Local 172.22.66.25, remote 172.30.2.1 VPDN: NAS ISP_NAS, MID 1, MID open HGW ENT_HGW, NAS CLID 36, HGW CLID 1, tunnel open Counts: 105 packets input, 8979 bytes, 0 no buffer 0 input errors, 0 CRC, 0 frame, 0 overrun 18 packets output, 295 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets Step 4 From the tunnel server, ping Jeremy’s PC at IP address 172.30.2.1: ENT_HGW# ping 172.30.2.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.30.2.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 128/132/152 ms Step 5 From the tunnel server, enter the show interface virtual-access 1 command to verify that the interface is up, that LCP is open, and that no errors are reported: ENT_HGW# show interface virtual-access 1 Virtual-Access1 is up, line protocol is up Hardware is Virtual Access interface Interface is unnumbered. Using address of FastEthernet0/0 (172.22.66.25) MTU 1500 bytes, BW 115 Kbit, DLY 100000 usec, reliablility 255/255, txload 1/255, rxload 1/255 Encapsulation PPP, loopback not set, keepalive set (10 sec) DTR is pulsed for 5 seconds on reset LCP Open Open: IPCP Last input 00:00:02, output never, output hang never Last clearing of "show interface" counters 3d00h Queueing strategy: fifo Output queue 1/40, 0 drops; input queue 0/75, 0 drops 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 114 packets input, 9563 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 27 packets output, 864 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions Configuring Virtual Private Networks Monitoring and Maintaining VPNs DC-547 Cisco IOS Dial Technologies Configuration Guide Step 6 From the tunnel server, display active tunnel statistics by entering the show vpdn command and the show vpdn tunnel all command: ENT_HGW# show vpdn % No active L2TP tunnels L2F Tunnel and Session NAS CLID HGW CLID NAS Name HGW Name State 36 1 ISP_NAS ENT_HGW open 172.22.66.23 172.22.66.25 CLID MID Username Intf State 36 1 jeremy@hgw.com Vi1 open ENT_HGW# show vpdn tunnel all % No active L2TP tunnels L2F Tunnel NAS name: ISP_NAS NAS CLID: 36 NAS IP address 172.22.66.23 Gateway name: ENT_HGW Gateway CLID: 1 Gateway IP address 172.22.66.25 State: open Packets out: 52 Bytes out: 1799 Packets in: 100 Bytes in: 7143 Monitoring and Maintaining VPNs To display useful information for monitoring and maintaining VPN sessions, use the following commands in privileged EXEC mode: Command Purpose Router# clear vpdn tunnel [pptp | l2f | l2tp] network-access-server gateway-name Shuts down a specific tunnel and all the sessions within the tunnel. Router# show interface virtual access number Displays information about the virtual access interface, LCP, protocol states, and interface statistics. The status of the virtual access interface should be: Virtual-Access3 is up, line protocol is up Router# show vpdn Displays a summary of all active VPN tunnels. Router# show vpdn domain Displays all VPN domains and DNIS groups configured on the NAS. Configuring Virtual Private Networks Troubleshooting VPNs DC-548 Cisco IOS Dial Technologies Configuration Guide Troubleshooting VPNs Troubleshooting components in VPN is not always straightforward because there are multiple technologies and OSI layers involved. To display detailed messages about VPN and VPN-related events, use the following commands in EXEC mode: Router# show vpdn group [name | name domain | name endpoint] Displays a summary of the relationships among VPDN groups and customer/VPDN profiles. When you include the name of the VPDN group, the output displays information on domain/DNIS, tunnel endpoint, session limits, group priority, active sessions, group status, and reserved sessions. Router# show vpdn history failure Displays information about VPN user failures. Router# show vpdn multilink Displays VPN multilink information. Router# show vpdn session [all | packets | sequence | state | timers | window] [interface | tunnel | username] Displays VPN session information including interface, tunnel, username, packets, status, and window statistics. Router# show vpdn tunnel [all | packets | state | summary | transport] [id | local-name | remote-name] Displays VPN tunnel information including tunnel protocol, ID, local and remote tunnel names, packets sent and received, tunnel, and transport status. Command Purpose Command Purpose Router# debug aaa authentication Displays information on AAA authentication. Router# debug aaa authorization Displays information on AAA authorization. Router# debug ppp chap Displays CHAP packet exchanges. Router# debug ppp mppe Displays debug messages for MPPE events. Router# debug ppp negotiation Displays information about packets sent during PPP startup and detailed PPP negotiation options. Router# debug vpdn error Displays errors that prevent a tunnel from being established or errors that cause an established tunnel to be closed. Router# debug vpdn event Displays messages about events that are part of normal tunnel establishment or shutdown. Router# debug vpdn l2tp-sequencing Displays message about L2TP tunnel sequencing. Router# debug vpdn l2x-data Display messages about L2F and L2TP data information. Router# debug vpdn l2x-errors Displays L2F and L2TP protocol errors that prevent L2F and L2TP establishment or prevent normal operation. Router# debug vpdn l2x-events Displays messages about events that are part of normal tunnel establishment or shutdown for L2F and L2TP. Router# debug vpdn l2x-packets or Router# debug vpdn packet Displays each protocol packet exchanged. This option may result in a large number of debug messages and should generally be used only on a debug chassis with a single active session. Configuring Virtual Private Networks Troubleshooting VPNs DC-549 Cisco IOS Dial Technologies Configuration Guide Successful Debug Examples The following sections provide examples of debug output from successful VPN sessions: • L2TP Dial-In Debug Output on NAS Example • L2TP Dial-In Debug Output on a Tunnel Server Example • L2TP Dial-Out Debug Output on a NAS Example • L2TP Dial-Out Debug Output on a Tunnel Server Example Figure 79 shows the topology used for the L2TP dial-in debug examples. Figure 79 Topology Diagram for L2TP Dial-In Debug Example L2TP Dial-In Debug Output on NAS Example The following is debug output from a successful L2TP dial-in session on a NAS for the topology shown in Figure 79: DJ# debug vpdn event VPDN events debugging is on DJ# debug vpdn l2x-events L2X protocol events debugging is on DJ# show debugging VPN: L2X protocol events debugging is on VPDN events debugging is on DJ# 20:47:33: %LINK-3-UPDOWN: Interface Async7, changed state to up 20:47:35: As7 VPDN: Looking for tunnel -- hoser.com -- 20:47:35: As7 VPDN: Get tunnel info for hoser.com with NAS DJ, IP 172.21.9.13 20:47:35: As7 VPDN: Forward to address 172.21.9.13 20:47:35: As7 VPDN: Forwarding... 20:47:35: As7 VPDN: Bind interface direction=1 20:47:35: Tnl/Cl 8/1 L2TP: Session FS enabled 20:47:35: Tnl/Cl 8/1 L2TP: Session state change from idle to wait-for-tunnel Dial client ISP or PSTN Corporate network LT2P tunnel LAC = DJ LNS = partner 22109 aaa new-model aaa authentication ppp default local username DJ password 7464756565656B vpdn enable vpdn group 1 request dialin 12 tp ip 172.21.9.13 domain cisco.com aaa new-model aaa authentication ppp default local username DJ password 7464756565656B interfacr virtual-template 1 ip unnumbered ethernet0 no ip mroute-cache ppp authentication chap vpdn enable vpdn group 1 accept dialin 12 tp virtual template 1 remote DJ Configuring Virtual Private Networks Troubleshooting VPNs DC-550 Cisco IOS Dial Technologies Configuration Guide 20:47:35: As7 8/1 L2TP: Create session 20:47:35: Tnl 8 L2TP: SM State idle 20:47:35: Tnl 8 L2TP: Tunnel state change from idle to wait-ctl-reply 20:47:35: Tnl 8 L2TP: SM State wait-ctl-reply 20:47:35: As7 VPDN: kath@hoser.com is forwarded 20:47:35: Tnl 8 L2TP: Got a challenge from remote peer, DJ 20:47:35: Tnl 8 L2TP: Got a response from remote peer, DJ 20:47:35: Tnl 8 L2TP: Tunnel Authentication success 20:47:35: Tnl 8 L2TP: Tunnel state change from wait-ctl-reply to established 20:47:35: Tnl 8 L2TP: SM State established 20:47:35: As7 8/1 L2TP: Session state change from wait-for-tunnel to wait-reply 20:47:35: As7 8/1 L2TP: Session state change from wait-reply to established 20:47:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async7, changed state to up L2TP Dial-In Debug Output on a Tunnel Server Example The following is debug output from a successful L2TP dial-in session on a tunnel server for the topology shown in Figure 79: tunnel# debug vpdn l2x-events L2X protocol events debugging is on 20:19:17: L2TP: I SCCRQ from DJ tnl 8 20:19:17: L2X: Never heard of DJ 20:19:17: Tnl 7 L2TP: New tunnel created for remote DJ, address 172.21.9.4 20:19:17: Tnl 7 L2TP: Got a challenge in SCCRQ, DJ 20:19:17: Tnl 7 L2TP: Tunnel state change from idle to wait-ctl-reply 20:19:17: Tnl 7 L2TP: Got a Challenge Response in SCCCN from DJ 20:19:17: Tnl 7 L2TP: Tunnel Authentication success 20:19:17: Tnl 7 L2TP: Tunnel state change from wait-ctl-reply to established 20:19:17: Tnl 7 L2TP: SM State established 20:19:17: Tnl/Cl 7/1 L2TP: Session FS enabled 20:19:17: Tnl/Cl 7/1 L2TP: Session state change from idle to wait-for-tunnel 20:19:17: Tnl/Cl 7/1 L2TP: New session created 20:19:17: Tnl/Cl 7/1 L2TP: O ICRP to DJ 8/1 20:19:17: Tnl/Cl 7/1 L2TP: Session state change from wait-for-tunnel to wait-connect 20:19:17: Tnl/Cl 7/1 L2TP: Session state change from wait-connect to established 20:19:17: Vi1 VPDN: Virtual interface created for kath@hoser.com 20:19:17: Vi1 VPDN: Set to Async interface 20:19:17: Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking 20:19:18: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up 20:19:18: Vi1 VPDN: Bind interface direction=2 20:19:18: Vi1 VPDN: PPP LCP accepting rcv CONFACK 20:19:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up L2TP Dial-Out Debug Output on a NAS Example The following is sample output from the debug dialer events and show debugging EXEC commands for a successful dial-out session on a NAS: NAS# debug dialer events Dial on demand events debugging is on NAS# show debugging Dial on demand: Dial on demand events debugging is on VPN: Configuring Virtual Private Networks Troubleshooting VPNs DC-551 Cisco IOS Dial Technologies Configuration Guide L2X protocol events debugging is on VPDN events debugging is on NAS# *Mar 1 00:05:26.155:%SYS-5-CONFIG_I:Configured from console by console *Mar 1 00:05:26.899:%SYS-5-CONFIG_I:Configured from console by console *Mar 1 00:05:36.195:L2TP:I SCCRQ from lns_l2x0 tnl 1 *Mar 1 00:05:36.199:Tnl 1 L2TP:New tunnel created for remote lns_l2x0, address 10.40.1.150 *Mar 1 00:05:36.203:Tnl 1 L2TP:Got a challenge in SCCRQ, lns_l2x0 *Mar 1 00:05:36.207:Tnl 1 L2TP:O SCCRP to lns_l2x0 tnlid 1 *Mar 1 00:05:36.215:Tnl 1 L2TP:Tunnel state change from idle to wait-ctl-reply *Mar 1 00:05:36.231:Tnl 1 L2TP:I SCCCN from lns_l2x0 tnl 1 *Mar 1 00:05:36.235:Tnl 1 L2TP:Got a Challenge Response in SCCCN from lns_l2x0 *Mar 1 00:05:36.239:Tnl 1 L2TP:Tunnel Authentication success *Mar 1 00:05:36.239:Tnl 1 L2TP:Tunnel state change from wait-ctl-reply to established *Mar 1 00:05:36.243:Tnl 1 L2TP:SM State established *Mar 1 00:05:36.251:Tnl 1 L2TP:I OCRQ from lns_l2x0 tnl 1 *Mar 1 00:05:36.255:Tnl/Cl 1/1 L2TP:Session sequencing disabled *Mar 1 00:05:36.259:Tnl/Cl 1/1 L2TP:Session FS enabled *Mar 1 00:05:36.259:Tnl/Cl 1/1 L2TP:New session created *Mar 1 00:05:36.263:12C:Same state, 0 *Mar 1 00:05:36.267:DSES 12C:Session create *Mar 1 00:05:36.271:L2TP:Send OCRP *Mar 1 00:05:36.275:Tnl/Cl 1/1 L2TP:Session state change from idle to wait-cs-answer *Mar 1 00:05:36.279:DSES 0x12C:Building dialer map *Mar 1 00:05:36.283:Dialout 0x12C:Next hop name is 71014 *Mar 1 00:05:36.287:Serial0:23 DDR:rotor dialout [priority] *Mar 1 00:05:36.291:Serial0:23 DDR:Dialing cause dialer session 0x12C *Mar 1 00:05:36.291:Serial0:23 DDR:Attempting to dial 71014 *Mar 1 00:05:36.479:%LINK-3-UPDOWN:Interface Serial0:22, changed state to up *Mar 1 00:05:36.519:isdn_call_connect:Calling lineaction of Serial0:22 *Mar 1 00:05:36.519:Dialer0:Session free, 12C *Mar 1 00:05:36.523::0 packets unqueued and discarded *Mar 1 00:05:36.527:Se0:22 VPDN:Bind interface direction=1 *Mar 1 00:05:36.531:Se0:22 1/1 L2TP:Session state change from wait-cs-answer to established *Mar 1 00:05:36.531:L2TP:Send OCCN *Mar 1 00:05:36.539:Se0:22 VPDN:bound to vpdn session *Mar 1 00:05:36.555:Se0:22 1/1 L2TP:O FS failed *Mar 1 00:05:36.555:Se0:22 1/1 L2TP:O FS failed *Mar 1 00:05:42.515:%ISDN-6-CONNECT:Interface Serial0:22 is now connected to 71014 L2TP Dial-Out Debug Output on a Tunnel Server Example The following is sample debug output from the debug vpdn event, debug vpdn error, debug ppp chap, debug ppp negotiation, and debug dialer events commands for a successful dial-out session on a tunnel server: LNS# debug dialer events Dial on demand events debugging is on LNS# debug ppp negotiation PPP protocol negotiation debugging is on LNS# debug ppp chap PPP authentication debugging is on LNS# show debugging Configuring Virtual Private Networks Troubleshooting VPNs DC-552 Cisco IOS Dial Technologies Configuration Guide Dial on demand: Dial on demand events debugging is on PPP: PPP authentication debugging is on PPP protocol negotiation debugging is on VPN: VPDN events debugging is on VPDN errors debugging is on LNS# *Apr 22 19:48:32.419:%SYS-5-CONFIG_I:Configured from console by console *Apr 22 19:48:32.743:%SYS-5-CONFIG_I:Configured from console by console *Apr 22 19:48:33.243:Di0 DDR:dialer_fsm_idle() *Apr 22 19:48:33.271:Vi1 PPP:Phase is DOWN, Setup *Apr 22 19:48:33.279:Vi1 PPP:Phase is DOWN, Setup *Apr 22 19:48:33.279:Virtual-Access1 DDR:Dialing cause ip (s=10.60.1.160, d=10.10.1.110) *Apr 22 19:48:33.279:Virtual-Access1 DDR:Attempting to dial 71014 *Apr 22 19:48:33.279:Tnl/Cl 1/1 L2TP:Session sequencing disabled *Apr 22 19:48:33.279:Tnl/Cl 1/1 L2TP:Session FS enabled *Apr 22 19:48:33.283:Tnl/Cl 1/1 L2TP:Session state change from idle to wait-for-tunnel *Apr 22 19:48:33.283:Tnl/Cl 1/1 L2TP:Create dialout session *Apr 22 19:48:33.283:Tnl 1 L2TP:SM State idle *Apr 22 19:48:33.283:Tnl 1 L2TP:O SCCRQ *Apr 22 19:48:33.283:Tnl 1 L2TP:Tunnel state change from idle to wait-ctl-reply *Apr 22 19:48:33.283:Tnl 1 L2TP:SM State wait-ctl-reply *Apr 22 19:48:33.283:Vi1 VPDN:Bind interface direction=2 *Apr 22 19:48:33.307:Tnl 1 L2TP:I SCCRP from lac_l2x0 *Apr 22 19:48:33.307:Tnl 1 L2TP:Got a challenge from remote peer, lac_l2x0 *Apr 22 19:48:33.307:Tnl 1 L2TP:Got a response from remote peer, lac_l2x0 *Apr 22 19:48:33.311:Tnl 1 L2TP:Tunnel Authentication success *Apr 22 19:48:33.311:Tnl 1 L2TP:Tunnel state change from wait-ctl-reply to established *Apr 22 19:48:33.311:Tnl 1 L2TP:O SCCCN to lac_l2x0 tnlid 1 *Apr 22 19:48:33.311:Tnl 1 L2TP:SM State established *Apr 22 19:48:33.311:L2TP:O OCRQ *Apr 22 19:48:33.311:Vi1 1/1 L2TP:Session state change from wait-for-tunnel to wait-reply *Apr 22 19:48:33.367:Vi1 1/1 L2TP:I OCRP from lac_l2x0 tnl 1, cl 0 *Apr 22 19:48:33.367:Vi1 1/1 L2TP:Session state change from wait-reply to wait-connect *Apr 22 19:48:33.631:Vi1 1/1 L2TP:I OCCN from lac_l2x0 tnl 1, cl 1 *Apr 22 19:48:33.631:Vi1 1/1 L2TP:Session state change from wait-connect to established *Apr 22 19:48:33.631:Vi1 VPDN:Connection is up, start LCP negotiation now *Apr 22 19:48:33.631:%LINK-3-UPDOWN:Interface Virtual-Access1, changed state to up *Apr 22 19:48:33.631:Vi1 DDR:dialer_statechange(), state=4Dialer statechange to up Virtual-Access1 *Apr 22 19:48:33.631:Vi1 DDR:dialer_out_call_connected() *Apr 22 19:48:33.631:Vi1 DDR:dialer_bind_profile() to Di0 *Apr 22 19:48:33.631:%DIALER-6-BIND:Interface Virtual-Access1 bound to profile Dialer0Dialer call has been placed Virtual-Access1 *Apr 22 19:48:33.635:Vi1 PPP:Treating connection as a callout *Apr 22 19:48:33.635:Vi1 PPP:Phase is ESTABLISHING, Active Open *Apr 22 19:48:33.635:Vi1 LCP:O CONFREQ [Closed] id 1 len 15 *Apr 22 19:48:33.635:Vi1 LCP: AuthProto CHAP (0x0305C22305) *Apr 22 19:48:33.635:Vi1 LCP: MagicNumber 0x50E7EC2A (0x050650E7EC2A) *Apr 22 19:48:33.663:Vi1 LCP:I CONFREQ [REQsent] id 1 len 15 *Apr 22 19:48:33.663:Vi1 LCP: AuthProto CHAP (0x0305C22305) *Apr 22 19:48:33.663:Vi1 LCP: MagicNumber 0x10820474 (0x050610820474) *Apr 22 19:48:33.663:Vi1 LCP:O CONFACK [REQsent] id 1 len 15 *Apr 22 19:48:33.663:Vi1 LCP: AuthProto CHAP (0x0305C22305) *Apr 22 19:48:33.663:Vi1 LCP: MagicNumber 0x10820474 (0x050610820474) *Apr 22 19:48:33.663:Vi1 LCP:I CONFACK [ACKsent] id 1 len 15 *Apr 22 19:48:33.663:Vi1 LCP: AuthProto CHAP (0x0305C22305) *Apr 22 19:48:33.663:Vi1 LCP: MagicNumber 0x50E7EC2A (0x050650E7EC2A) *Apr 22 19:48:33.663:Vi1 LCP:State is Open *Apr 22 19:48:33.663:Vi1 PPP:Phase is AUTHENTICATING, by both *Apr 22 19:48:33.663:Vi1 CHAP:Using alternate hostname lns0 *Apr 22 19:48:33.663:Vi1 CHAP:O CHALLENGE id 1 len 25 from "lns0" Configuring Virtual Private Networks Troubleshooting VPNs DC-553 Cisco IOS Dial Technologies Configuration Guide *Apr 22 19:48:33.679:Vi1 CHAP:I CHALLENGE id 1 len 35 from "user0@foo.com0" *Apr 22 19:48:33.679:Vi1 AUTH:Started process 0 pid 92 *Apr 22 19:48:33.679:Vi1 CHAP:Using alternate hostname lns0 *Apr 22 19:48:33.683:Vi1 CHAP:O RESPONSE id 1 len 25 from "lns0" *Apr 22 19:48:33.695:Vi1 CHAP:I SUCCESS id 1 len 4 *Apr 22 19:48:33.699:Vi1 CHAP:I RESPONSE id 1 len 35 from "user0@foo.com0" *Apr 22 19:48:33.699:Vi1 CHAP:O SUCCESS id 1 len 4 *Apr 22 19:48:33.699:Vi1 DDR:dialer_remote_name() for user0@foo.com0 *Apr 22 19:48:33.699:Vi1 PPP:Phase is UP *Apr 22 19:48:33.703:Vi1 IPCP:O CONFREQ [Closed] id 1 len 10 *Apr 22 19:48:33.703:Vi1 IPCP: Address 10.20.1.150 (0x030614140196) *Apr 22 19:48:33.703:Vi1 CCP:O CONFREQ [Closed] id 1 len 10 *Apr 22 19:48:33.703:Vi1 CCP: LZSDCP history 1 check mode SEQ process UNCOMPRESSSED (0x170600010201) *Apr 22 19:48:33.711:Vi1 IPCP:I CONFREQ [REQsent] id 1 len 10 *Apr 22 19:48:33.715:Vi1 IPCP: Address 10.20.1.120 (0x030614140178) *Apr 22 19:48:33.715:Vi1 IPCP:O CONFACK [REQsent] id 1 len 10 *Apr 22 19:48:33.715:Vi1 IPCP: Address 10.20.1.120 (0x030614140178) *Apr 22 19:48:33.715:Vi1 CCP:I CONFREQ [REQsent] id 1 len 10 *Apr 22 19:48:33.715:Vi1 CCP: LZSDCP history 1 check mode SEQ process UNCOMPRESSSED (0x170600010201) *Apr 22 19:48:33.715:Vi1 CCP:O CONFACK [REQsent] id 1 len 10 *Apr 22 19:48:33.715:Vi1 CCP: LZSDCP history 1 check mode SEQ process UNCOMPRESSSED (0x170600010201) *Apr 22 19:48:33.719:Vi1 IPCP:I CONFACK [ACKsent] id 1 len 10 *Apr 22 19:48:33.719:Vi1 IPCP: Address 10.20.1.150 (0x030614140196) *Apr 22 19:48:33.719:Vi1 IPCP:State is Open *Apr 22 19:48:33.719:Vi1 DDR:Dialer protocol up *Apr 22 19:48:33.719:Dialer0:dialer_ckt_swt_client_connect:incoming circuit switched call *Apr 22 19:48:33.719:Di0 IPCP:Install route to 10.20.1.120 *Apr 22 19:48:33.719:Vi1 CCP:I CONFACK [ACKsent] id 1 len 10 *Apr 22 19:48:33.719:Vi1 CCP: LZSDCP history 1 check mode SEQ process UNCOMPRESSSED (0x170600010201) *Apr 22 19:48:33.719:Vi1 CCP:State is Open *Apr 22 19:48:34.699:%LINEPROTO-5-UPDOWN:Line protocol on Interface Virtual-Access1, changed state to up VPN Troubleshooting Methodology This section describes a methodology for troubleshooting the VPN shown in Figure 80. First, view the debug output from a successful call. If your debug output does not match the successful output, follow the remaining steps to begin troubleshooting the network. The bolded lines of debug output indicate important information. The following sections detail the steps involved in VPN troubleshooting: • Comparing Your Debug Output to the Successful Debug Output • Troubleshooting VPN Negotiation • Troubleshooting PPP Negotiation • Troubleshooting AAA Negotiation Configuring Virtual Private Networks Troubleshooting VPNs DC-554 Cisco IOS Dial Technologies Configuration Guide Figure 80 Troubleshooting Flow Diagram for Access VPN with Remote AAA If you are accessing the NAS and tunnel server through a Telnet connection, you need to enable the terminal monitor command. This command ensures that your EXEC session is receiving the logging and debug output from the devices. When you finish troubleshooting, use the undebug all command to turn off all debug commands. Isolating debug output helps you efficiently build a network. Is PPP negotiation successful? Access VPN functions properly No No No No Yes, and client can ping home gateway Yes, and client can ping home gateway Yes, and client can ping home gateway Yes, but client cannot ping home gateway Yes, but client cannot ping home gateway Yes, but client cannot ping home gateway Yes, but client cannot ping home gateway Yes, and client can ping home gateway Contact support personnel Does your output match successful output? Contact support personnel Access VPN functions properly Is AAA negotiation successful? Contact support personnel Access VPN functions properly Access VPN functions properly Contact support personnel Is L2F negotiation successful? 23834 View successful VPDN-event debug output Troubleshoot L2F negotiation Troubleshoot PPP negotiation Troubleshoot AAA negotiation Configuring Virtual Private Networks Troubleshooting VPNs DC-555 Cisco IOS Dial Technologies Configuration Guide Comparing Your Debug Output to the Successful Debug Output Enable the debug vpdn-event command on both the NAS and the tunnel server and dial in to the NAS. The following debug output shows successful VPN negotiation on the NAS and tunnel server: NAS# Jan 7 00:19:35.900: %LINK-3-UPDOWN: Interface Async9, changed state to up Jan 7 00:19:39.532: sVPDN: Got DNIS string As9 Jan 7 00:19:39.532: As9 VPDN: Looking for tunnel -- hgw.com -- Jan 7 00:19:39.540: As9 VPDN: Get tunnel info for hgw.com with NAS ISP_NAS, IP172.22.66.25 Jan 7 00:19:39.540: As9 VPDN: Forward to address 172.22.66.25 Jan 7 00:19:39.540: As9 VPDN: Forwarding... Jan 7 00:19:39.540: As9 VPDN: Bind interface direction=1 Jan 7 00:19:39.540: As9 VPDN: jeremy@hgw.com is forwarded Jan 7 00:19:40.540: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async9, changed state to up ENT_HGW# Jan 7 00:19:39.967: VPDN: Chap authentication succeeded for ISP_NAS Jan 7 00:19:39.967: Vi1 VPDN: Virtual interface created for jeremy@hgw.com Jan 7 00:19:39.967: Vi1 VPDN: Set to Async interface Jan 7 00:19:39.971: Vi1 VPDN: Clone from Vtemplate 1 filterPPP=0 blocking 6w5d: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up Jan 7 00:19:40.051: Vi1 VPDN: Bind interface direction=2 Jan 7 00:19:40.051: Vi1 VPDN: PPP LCP accepted rcv CONFACK Jan 7 00:19:40.051: Vi1 VPDN: PPP LCP accepted sent CONFACK 6w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up If you see the debug output shown but cannot ping the tunnel server, go to the next section, “Troubleshooting PPP Negotiation.” If you do not see the above debug output, go to the section “Troubleshooting VPN Negotiation” later in this chapter. Troubleshooting VPN Negotiation The following sections describe several common misconfigurations that prevent successful VPN (either L2F or L2TP) negotiation: • Misconfigured NAS Tunnel Secret • Misconfigured Tunnel Server Tunnel Secret • Misconfigured Tunnel Name • Control Packet Problem on the NAS Misconfigured NAS Tunnel Secret The NAS and the tunnel server must both have the same usernames with the same password to authenticate the L2F tunnel. These usernames are called the tunnel secret. In this scenario, these usernames are ISP_NAS and ENT_HGW. The password is cisco for both usernames on both systems. If one of the tunnel secrets on the NAS is incorrect, you will see the following debug output when you dial in to the NAS and the debug vpdn l2x-errors command is enabled on the NAS and tunnel server: NAS# Jan 1 00:26:49.899: %LINK-3-UPDOWN: Interface Async3, changed state to up Jan 1 00:26:54.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async3, cha nged state to up Jan 1 00:27:00.559: L2F: Resending L2F_OPEN, time #1 Configuring Virtual Private Networks Troubleshooting VPNs DC-556 Cisco IOS Dial Technologies Configuration Guide Jan 1 00:27:05.559: L2F: Resending L2F_ECHO, time #1 Jan 1 00:27:05.559: L2F: Resending L2F_OPEN, time #2 Jan 1 00:27:10.559: L2F: Resending L2F_ECHO, time #2 Jan 1 00:27:10.559: L2F: Resending L2F_OPEN, time #3 Jan 1 00:27:15.559: L2F: Resending L2F_ECHO, time #3 Jan 1 00:27:15.559: L2F: Resending L2F_OPEN, time #4 Jan 1 00:27:20.559: L2F: Resending L2F_ECHO, time #4 Jan 1 00:27:20.559: L2F: Resending L2F_OPEN, time #5 Jan 1 00:27:25.559: L2F: Resending L2F_ECHO, time #5 Jan 1 00:27:25.559: L2F: Resend packet (type 2) around too long, time to kill off the tunnel NAS# ENT_HGW# Jan 1 00:26:53.645: L2F: Packet has bogus2 key C8353FAB B6369121 5w6d: %VPDN-6-AUTHENFAIL: L2F HGW , authentication failure for tunnel ISP_NAS; Invalid key 5w6d: %VPDN-5-UNREACH: L2F NAS 172.22.66.23 is unreachable Jan 1 00:27:00.557: L2F: Gateway received tunnel OPEN while in state closed ENT_HGW# The phrase “time to kill off the tunnel” in the NAS debug output indicates that the tunnel was not opened. The phrase “Packet has bogus2 key” in the tunnel server debug output indicates that the NAS has an incorrect tunnel secret. To avoid this problem, make sure that you configure both the NAS and tunnel server for the same two tunnel secret usernames with the same password. Misconfigured Tunnel Server Tunnel Secret If one of the tunnel secret usernames on the tunnel server is incorrect, the following debug output appears when you dial in to the NAS and the debug vpdn l2x-errors command is enabled on the NAS and tunnel server: NAS# Jan 1 00:45:27.123: %LINK-3-UPDOWN: Interface Async7, changed state to up Jan 1 00:45:30.939: L2F: Packet has bogus1 key B6C656EE 5FAC6B3 Jan 1 00:45:30.939: %VPDN-6-AUTHENFAIL: L2F NAS ISP_NAS, authentication failure for tunnel ENT_HGW; Invalid key Jan 1 00:45:31.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async7, cha nged state to up Jan 1 00:45:35.559: L2F: Resending L2F_OPEN, time #1 Jan 1 00:45:35.559: L2F: Packet has bogus1 key B6C656EE 5FAC6B3 ENT_HGW# Jan 1 00:45:30.939: L2F: Tunnel authentication succeeded for ISP_NAS Jan 1 00:45:35.559: L2F: Gateway received tunnel OPEN while in state open Jan 1 00:45:40.559: L2F: Gateway received tunnel OPEN while in state open Jan 1 00:45:45.559: L2F: Gateway received tunnel OPEN while in state open Jan 1 00:45:50.559: L2F: Gateway received tunnel OPEN while in state open Notice how this output is similar to the debug output you see when the NAS has a misconfigured tunnel secret username. This time you see the phrase “Packet has bogus1 key” on the NAS instead of the tunnel server. This phrase tells you that the tunnel server has an incorrect tunnel secret username. To avoid this problem, make sure that you configure both the NAS and tunnel server for the same two tunnel secret usernames with the same password. Configuring Virtual Private Networks Troubleshooting VPNs DC-557 Cisco IOS Dial Technologies Configuration Guide Misconfigured Tunnel Name If the NAS and tunnel server do not have matching tunnel names, they cannot establish an L2F tunnel. On the tunnel server, these tunnel names are configured under the vpdn-group 1 command by using the local name command. On the NAS, these names are configured on the RADIUS server. The tunnel server must be configured to accept tunnels from the name that the NAS sends it. This is done using the accept-dialin l2f virtual-template 1 remote ISP_NAS command, where ISP_NAS is the name. The name it returns to the NAS is configured using the local name ENT_HGW command, where ENT_HGW is the name. These commands appear in the following running configuration: vpdn-group 1 accept-dialin l2f virtual-template 1 remote ISP_NAS local name ENT_HGW On the RADIUS server, the tunnel names are configured by adding profiles to the NAS_Group group with the names ISP_NAS and ENT_HGW. In the following debug output, the NAS attempted to open a tunnel using the name isp. Because the tunnel server did not know this name, it did not open the tunnel. To see the following debug output, enable the debug vpdn l2x-events and debug vpdn l2x-errors commands on the tunnel server: ENT_HGW# Jan 1 01:28:54.207: L2F: L2F_CONF received Jan 1 01:28:54.207: L2X: Never heard of isp Jan 1 01:28:54.207: L2F: Couldn't find tunnel named isp To avoid the problem described, make sure that the tunnel names match on the tunnel server and on the RADIUS server. Control Packet Problem on the NAS The following example assumes that you suspect an error in parsing control packets. You can use the debug vpdn packet command with the control keyword to verify control packet information. ISP_NAS# debug vpdn packet control 20:50:27: %LINK-3-UPDOWN: Interface Async7, changed state to up 20:50:29: Tnl 9 L2TP: O SCCRQ 20:50:29: Tnl 9 L2TP: O SCCRQ, flg TLF, ver 2, len 131, tnl 0, cl 0, ns 0, nr 0 20:50:29: contiguous buffer, size 131 C8 02 00 83 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00 00 03 80 0A 00 00 00 04 00 00 00 ... 20:50:29: Tnl 9 L2TP: Parse AVP 0, len 8, flag 0x0x8000 (M) 20:50:29: Tnl 9 L2TP: Parse SCCRP 20:50:29: Tnl 9 L2TP: Parse AVP 2, len 8, flag 0x0x8000 (M) 20:50:29: Tnl 9 L2TP: Protocol Ver 256 20:50:29: Tnl 9 L2TP: Parse AVP 3, len 10, flag 0x0x8000 (M) 20:50:29: Tnl 9 L2TP: Framing Cap 0x0x3 20:50:29: Tnl 9 L2TP: Parse AVP 4, len 10, flag 0x0x8000 (M) 20:50:29: Tnl 9 L2TP: Bearer Cap 0x0x3 20:50:29: Tnl 9 L2TP: Parse AVP 6, len 8, flag 0x0x0 20:50:29: Tnl 9 L2TP: Firmware Ver 0x0x1120 20:50:29: Tnl 9 L2TP: Parse AVP 7, len 12, flag 0x0x8000 (M) 20:50:29: Tnl 9 L2TP: Hostname DJ 20:50:29: Tnl 9 L2TP: Parse AVP 8, len 25, flag 0x0x0 20:50:29: Tnl 9 L2TP: Vendor Name Cisco Systems, Inc. 20:50:29: Tnl 9 L2TP: Parse AVP 9, len 8, flag 0x0x8000 (M) 20:50:29: Tnl 9 L2TP: Assigned Tunnel ID 8 20:50:29: Tnl 9 L2TP: Parse AVP 10, len 8, flag 0x0x8000 (M) 20:50:29: Tnl 9 L2TP: Rx Window Size 4 Configuring Virtual Private Networks Troubleshooting VPNs DC-558 Cisco IOS Dial Technologies Configuration Guide 20:50:29: Tnl 9 L2TP: Parse AVP 11, len 22, flag 0x0x8000 (M) 20:50:29: Tnl 9 L2TP: Chlng D807308D106259C5933C6162ED3A1689 20:50:29: Tnl 9 L2TP: Parse AVP 13, len 22, flag 0x0x8000 (M) 20:50:29: Tnl 9 L2TP: Chlng Resp 9F6A3C70512BD3E2D44DF183C3FFF2D1 20:50:29: Tnl 9 L2TP: No missing AVPs in SCCRP 20:50:29: Tnl 9 L2TP: Clean Queue packet 0 20:50:29: Tnl 9 L2TP: I SCCRP, flg TLF, ver 2, len 153, tnl 9, cl 0, ns 0, nr 1 contiguous pak, size 153 C8 02 00 99 00 09 00 00 00 00 00 01 80 08 00 00 00 00 00 02 80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00 00 03 80 0A 00 00 00 04 00 00 00 ... 20:50:29: Tnl 9 L2TP: I SCCRP from DJ 20:50:29: Tnl 9 L2TP: O SCCCN to DJ tnlid 8 20:50:29: Tnl 9 L2TP: O SCCCN, flg TLF, ver 2, len 42, tnl 8, cl 0, ns 1, nr 1 20:50:29: contiguous buffer, size 42 C8 02 00 2A 00 08 00 00 00 01 00 01 80 08 00 00 00 00 00 03 80 16 00 00 00 0D 4B 2F A2 50 30 13 E3 46 58 D5 35 8B 56 7A E9 85 20:50:29: As7 9/1 L2TP: O ICRQ to DJ 8/0 20:50:29: As7 9/1 L2TP: O ICRQ, flg TLF, ver 2, len 48, tnl 8, cl 0, ns 2, nr 1 20:50:29: contiguous buffer, size 48 C8 02 00 30 00 08 00 00 00 02 00 01 80 08 00 00 00 00 00 0A 80 08 00 00 00 0E 00 01 80 0A 00 00 00 0F 00 00 00 04 80 0A 00 00 00 12 00 00 00 ... 20:50:29: Tnl 9 L2TP: Clean Queue packet 1 20:50:29: Tnl 9 L2TP: Clean Queue packet 2 20:50:29: Tnl 9 L2TP: I ZLB ctrl ack, flg TLF, ver 2, len 12, tnl 9, cl 0, ns 1, nr 2 contiguous pak, size 12 C8 02 00 0C 00 09 00 00 00 01 00 02 20:50:30: As7 9/1 L2TP: Parse AVP 0, len 8, flag 0x0x8000 (M) 20:50:30: As7 9/1 L2TP: Parse ICRP 20:50:30: As7 9/1 L2TP: Parse AVP 14, len 8, flag 0x0x8000 (M) 20:50:30: As7 9/1 L2TP: Assigned Call ID 1 20:50:30: As7 9/1 L2TP: No missing AVPs in ICRP 20:50:30: Tnl 9 L2TP: Clean Queue packet 2 20:50:30: As7 9/1 L2TP: I ICRP, flg TLF, ver 2, len 28, tnl 9, cl 1, ns 1, nr 3 contiguous pak, size 28 C8 02 00 1C 00 09 00 01 00 01 00 03 80 08 00 00 00 00 00 0B 80 08 00 00 00 0E 00 01 20:50:30: As7 9/1 L2TP: O ICCN to DJ 8/1 20:50:30: As7 9/1 L2TP: O ICCN, flg TLF, ver 2, len 203, tnl 8, cl 1, ns 3, nr 2 20:50:30: contiguous buffer, size 203 C8 02 00 CB 00 08 00 01 00 03 00 02 80 08 00 00 00 00 00 0C 80 0A 00 00 00 18 00 00 DA C0 80 0A 00 00 00 13 00 00 00 02 00 28 00 00 00 1B 02 ... 20:50:30: Tnl 9 L2TP: Clean Queue packet 3 20:50:30: As7 9/1 L2TP: I ZLB ctrl ack, flg TLF, ver 2, len 12, tnl 9, cl 1, ns 2, nr 4 contiguous pak, size 12 C8 02 00 0C 00 09 00 01 00 02 00 04 20:50:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async7, changed state to up If you fixed the problem in your configuration, return to the section “Verifying VPN Sessions” earlier in this chapter. If your call still cannot successfully complete L2F negotiation, contact your support personnel. Configuring Virtual Private Networks Troubleshooting VPNs DC-559 Cisco IOS Dial Technologies Configuration Guide Troubleshooting PPP Negotiation This section first shows debug output of successful PPP negotiation. The subsequent sections explain several common problems that prevent successful PPP negotiation: • Successful PPP Negotiation Debug Output • Non-Cisco Device Connectivity Problem • Mismatched Username Example Enable the debug ppp negotiation command on the tunnel server and dial in to the NAS. Successful PPP Negotiation Debug Output The following debug output shows successful PPP negotiation on the tunnel server: 1d02h: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up *Feb 4 14:14:40.505: Vi1 PPP: Treating connection as a dedicated line *Feb 4 14:14:40.505: Vi1 PPP: Phase is ESTABLISHING, Active Open *Feb 4 14:14:40.505: Vi1 PPP: Treating connection as a dedicated line *Feb 4 14:14:40.505: Vi1 PPP: Phase is AUTHENTICATING, by this end *Feb 4 14:14:40.509: Vi1 PPP: Phase is UP If your call successfully completed PPP negotiation, but you still cannot ping the tunnel server, go to the section “Troubleshooting AAA Negotiation” later in this chapter. Non-Cisco Device Connectivity Problem The debug ppp authentication and debug ppp negotiation commands are enabled to decipher a CHAP negotiation problem. This is due to a connectivity problem between a Cisco and non-Cisco device. Also note that the service-timestamps command is enabled on the router. The service-timestamps command is helpful to decipher timing and keepalive issues, and we recommend that you always enable this command. Router# debug ppp authentication PPP authentication debugging is on Router# debug ppp negotiation PPP protocol negotiation debugging is on 3:22:53: ppp: sending CONFREQ, type = 3 (CI_AUTHTYPE), value = C223/5 3:22:53: ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = C6091F. 3:22:55: ppp: sending CONFREQ, type = 3 (CI_AUTHTYPE), value = C223/5 3:22:55: ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = C6091F 3:22:55: PPP BRI0: B-Channel 1: received config for type = 0x0 (??) 3:22:55: PPP BRI0: B-Channel 1: rcvd unknown option 0x0 rejected 3:22:55: PPP BRI0: B-Channel 1: received config for type = 0x1 (MRU) value = 0x5 F4 rejected 3:22:55: PPP BRI0: B-Channel 1: received config for type = 0x3 (AUTHTYPE) value = 0xC223 value = 0x5 acked 3:22:55: PPP BRI0: B-Channel 1: received config for type = 0x11 (MULTILINK_MRRU) rejected 3:22:55: PPP BRI0: B-Channel 1: received config for type = 0x13 (UNKNOWN) 3:22:55: PPP BRI0: B-Channel 1: rcvd unknown option 0x13 rejected 3:22:55: ppp: config REJ received, type = 3 (CI_AUTHTYPE), value = C223/5 3:22:55: ppp: sending CONFREQ, type = 3 (CI_AUTHTYPE), value = C223/5 3:22:55: ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = C6091F 3:22:55: PPP BRI0: B-Channel 1: received config for type = 0x3 (AUTHTYPE) value= 0xC2. Success rate is 0 percent (0/5) moog#23 value = 0x5 acked Configuring Virtual Private Networks Troubleshooting VPNs DC-560 Cisco IOS Dial Technologies Configuration Guide 3:22:55: ppp: config REJ received, type = 3 (CI_AUTHTYPE), value = C223/5 3:22:55: ppp: BRI0: B-Channel 1 closing connection because remote won't authenticate 3:22:55: ppp: sending CONFREQ, type = 3 (CI_AUTHTYPE), value = C223/5 3:22:55: ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = C6091F 3:22:55: %ISDN-6-DISCONNECT: Interface BRI0: B-Channel 1 disconnected from 0123 5820040 , call lasted 2 seconds 3:22:56: %LINK-3-UPDOWN: Interface BRI0: B-Channel 1, changed state to down Indication: Mismatched Username Example The following debug ppp chap sample output excerpt shows a CHAP authentication failure caused by a configuration mismatch between devices. Verifying and correcting any username and password mismatch should remedy this problem. Router# debug ppp chap ppp: received conf.ig for type = 5 (MAGICNUMBER) value = 1E24718 acked PPP BRI0: B-Channel 1: state = ACKSENT fsm_rconfack(C021): rcvd id E6 ppp: config ACK received, type = 3 (CI_AUTHTYPE), value = C223 ppp: config ACK received, type = 5 (CI_MAGICNUMBER), value = 28CEF76C BRI0: B-Channel 1: PPP AUTH CHAP input code = 1 id = 83 len = 16 BRI0: B-Channel 1: PPP AUTH CHAP input code = 2 id = 96 len = 28 BRI0: B-Channel 1: PPP AUTH CHAP input code = 4 id = 83 len = 21 BRI0: B-Channel 1: Failed CHAP authentication with remote. Remote message is: MD compare failed If your call cannot successfully complete PPP negotiation, contact your support personnel. Troubleshooting AAA Negotiation This section first shows debug output of successful AAA negotiation. The subsequent sections explain several common misconfigurations that prevent successful AAA negotiation: • Successful AAA Negotiation • Incorrect User Password • Error Contacting RADIUS Server • Misconfigured AAA Authentication Successful AAA Negotiation Enable the debug aaa authentication and debug aaa authorization commands on the tunnel server and dial in to the NAS. The following debug output shows successful AAA negotiation on the tunnel server. This output has been edited to exclude repetitive lines. ENT_HGW# Jan 7 19:29:44.132: AAA/AUTHEN: create_user (0x612D550C) user='ENT_HGW' ruser=' ' port='' rem_addr='' authen_type=CHAP service=PPP priv=1 Jan 7 19:29:44.132: AAA/AUTHEN/START (384300079): port='' list='default' action =SENDAUTH service=PPP Jan 7 19:29:44.132: AAA/AUTHEN/START (384300079): found list default Jan 7 19:29:44.132: AAA/AUTHEN/START (384300079): Method=LOCAL Jan 7 19:29:44.132: AAA/AUTHEN (384300079): status = PASS Jan 7 19:29:44.132: AAA/AUTHEN: create_user (0x612D550C) user='ISP_NAS' ruser=' ' port='' rem_addr='' authen_type=CHAP service=PPP priv=1 Configuring Virtual Private Networks Troubleshooting VPNs DC-561 Cisco IOS Dial Technologies Configuration Guide Jan 7 19:29:44.132: AAA/AUTHEN/START (2545876944): port='' list='default' actio n=SENDAUTH service=PPP Jan 7 19:29:44.132: AAA/AUTHEN/START (2545876944): found list default Jan 7 19:29:44.132: AAA/AUTHEN/START (2545876944): Method=LOCAL Jan 7 19:29:44.132: AAA/AUTHEN (2545876944): status = PASS Jan 7 19:29:44.228: AAA/AUTHEN: create_user (0x612F1F78) user='jeremy@hgw.com' ruser='' port='Virtual-Access1' rem_addr='408/5550945' authen_type=CHAP service= PPP priv=1 Jan 7 19:29:44.228: AAA/AUTHEN/START (101773535): port='Virtual-Access1' list='' action=LOGIN service=PPP Jan 7 19:29:44.228: AAA/AUTHEN/START (101773535): using "default" list Jan 7 19:29:44.228: AAA/AUTHEN/START (101773535): Method=LOCAL Jan 7 19:29:44.228: AAA/AUTHEN (101773535): status = ERROR Jan 7 19:29:44.228: AAA/AUTHEN/START (101773535): Method=RADIUS Jan 7 19:29:44.692: AAA/AUTHEN (101773535): status = PASS Jan 7 19:29:44.692: Vi1 AAA/AUTHOR/LCP: Authorize LCP Jan 7 19:29:44.692: AAA/AUTHOR/LCP Vi1 (3630870259): Port='Virtual-Access1' list='' service=NET Jan 7 19:29:44.692: AAA/AUTHOR/LCP: Vi1 (3630870259) user='jeremy@hgw.com' Jan 7 19:29:44.692: AAA/AUTHOR/LCP: Vi1 (3630870259) send AV service=ppp Jan 7 19:29:44.692: AAA/AUTHOR/LCP: Vi1 (3630870259) send AV protocol=lcp Jan 7 19:29:44.692: AAA/AUTHOR/LCP (3630870259) found list "default" Jan 7 19:29:44.692: AAA/AUTHOR/LCP: Vi1 (3630870259) Method=RADIUS Jan 7 19:29:44.692: AAA/AUTHOR (3630870259): Post authorization status = PASS_REPL Jan 7 19:29:44.696: Vi1 AAA/AUTHOR/FSM: We can start IPCP 6w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up Jan 7 19:29:47.792: Vi1 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 172.30.2.1 If the above debug output appears, but you still cannot ping the tunnel server, contact your support personnel and troubleshoot your network backbone. If you did not see the debug output above, you need to troubleshoot AAA negotiation. Incorrect User Password If the user password is incorrect (or it is incorrectly configured), the tunnel will be established, but the tunnel server will not authenticate the user. If the user password is incorrect, the following debug output appears on the NAS and tunnel server when you dial in to the NAS and the debug vpdn l2x-errors and debug vpdn l2x-events commands are enabled: ISP_NAS# Jan 1 01:00:01.555: %LINK-3-UPDOWN: Interface Async12, changed state to up Jan 1 01:00:05.299: L2F: Tunnel state closed Jan 1 01:00:05.299: L2F: MID state closed Jan 1 01:00:05.299: L2F: Open UDP socket to 172.22.66.25 Jan 1 01:00:05.299: L2F: Tunnel state opening Jan 1 01:00:05.299: As12 L2F: MID jeremy@hgw.com state waiting_for_tunnel Jan 1 01:00:05.303: L2F: L2F_CONF received Jan 1 01:00:05.303: L2F: Removing resend packet (L2F_CONF) Jan 1 01:00:05.303: ENT_HGW L2F: Tunnel state open Jan 1 01:00:05.307: L2F: L2F_OPEN received Jan 1 01:00:05.307: L2F: Removing resend packet (L2F_OPEN) Jan 1 01:00:05.307: L2F: Building nas2gw_mid0 Jan 1 01:00:05.307: L2F: L2F_CLIENT_INFO: CLID/DNIS 4089548021/5550945 Jan 1 01:00:05.307: L2F: L2F_CLIENT_INFO: NAS-Port Async12 Jan 1 01:00:05.307: L2F: L2F_CLIENT_INFO: Client-Bandwidth-Kbps 115 Jan 1 01:00:05.307: L2F: L2F_CLIENT_INFO: NAS-Rate L2F/26400/28800 Jan 1 01:00:05.307: As12 L2F: MID jeremy@hgw.com state opening Jan 1 01:00:05.307: L2F: Tunnel authentication succeeded for ENT_HGW Jan 1 01:00:05.391: L2F: L2F_OPEN received Jan 1 01:00:05.391: L2F: Got a MID management packet Jan 1 01:00:05.391: L2F: Removing resend packet (L2F_OPEN) Jan 1 01:00:05.391: As12 L2F: MID jeremy@hgw.com state open Configuring Virtual Private Networks Troubleshooting VPNs DC-562 Cisco IOS Dial Technologies Configuration Guide Jan 1 01:00:05.391: As12 L2F: MID synced NAS/HG Clid=47/12 Mid=1 Jan 1 01:00:05.523: L2F: L2F_CLOSE received Jan 1 01:00:05.523: %VPDN-6-AUTHENERR: L2F HGW ENT_HGW cannot locate a AAA server for As12 user jeremy@hgw.com; Authentication failure ENT_HGW# Jan 1 01:00:05.302: L2F: L2F_CONF received Jan 1 01:00:05.302: L2F: Creating new tunnel for ISP_NAS Jan 1 01:00:05.302: L2F: Tunnel state closed Jan 1 01:00:05.302: L2F: Got a tunnel named ISP_NAS, responding Jan 1 01:00:05.302: L2F: Open UDP socket to 172.22.66.23 Jan 1 01:00:05.302: ISP_NAS L2F: Tunnel state opening Jan 1 01:00:05.306: L2F: L2F_OPEN received Jan 1 01:00:05.306: L2F: Removing resend packet (L2F_CONF) Jan 1 01:00:05.306: ISP_NAS L2F: Tunnel state open Jan 1 01:00:05.306: L2F: Tunnel authentication succeeded for ISP_NAS Jan 1 01:00:05.310: L2F: L2F_OPEN received Jan 1 01:00:05.310: L2F: L2F_CLIENT_INFO: CLID/DNIS 4089548021/5550945 Jan 1 01:00:05.310: L2F: L2F_CLIENT_INFO: NAS-Port Async12 Jan 1 01:00:05.310: L2F: L2F_CLIENT_INFO: Client-Bandwidth-Kbps 115 Jan 1 01:00:05.310: L2F: L2F_CLIENT_INFO: NAS-Rate L2F/26400/28800 Jan 1 01:00:05.310: L2F: Got a MID management packet Jan 1 01:00:05.310: L2F: MID state closed Jan 1 01:00:05.310: L2F: Start create mid intf process for jeremy@hgw.com 5w6d: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up Jan 1 01:00:05.390: Vi1 L2X: Discarding packet because of no mid/session Jan 1 01:00:05.390: Vi1 L2F: Transfer NAS-Rate L2F/26400/28800 to LCP Jan 1 01:00:05.390: Vi1 L2F: Finish create mid intf for jeremy@hgw.com Jan 1 01:00:05.390: Vi1 L2F: MID jeremy@hgw.com state open 5w6d: %VPDN-6-AUTHENERR: L2F HGW ENT_HGW cannot locate a AAA server for Vi1 user jeremy@hgw.com; Authentication failure Error Contacting RADIUS Server If the aaa authorization command on the tunnel server is configured with the default radius none keywords, the tunnel server may allow unauthorized access to your network. This command is an instruction to first use RADIUS for authorization. The tunnel server first contacts the RADIUS server (because of the radius keyword). If an error occurs when the tunnel server contacts the RADIUS server, the tunnel server does not authorize the user (because of the none keyword). To see the following debug output, enable the debug aaa authorization command on the tunnel server and dial in to the NAS: ENT_HGW# *Feb 5 17:27:36.166: Vi1 AAA/AUTHOR/LCP: Authorize LCP *Feb 5 17:27:36.166: AAA/AUTHOR/LCP Vi1 (3192359105): Port='Virtual-Access1' list='' service=NET *Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) user='jeremy@hgw.com' *Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) send AV service=ppp *Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) send AV protocol=lcp *Feb 5 17:27:36.166: AAA/AUTHOR/LCP (3192359105) found list "default" *Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) Method=RADIUS *Feb 5 17:27:36.166: AAA/AUTHOR (3192359105): Post authorization status = ERROR *Feb 5 17:27:36.166: AAA/AUTHOR/LCP: Vi1 (3192359105) Method=NONE *Feb 5 17:27:36.166: AAA/AUTHOR (3192359105): Post authorization status = PASS_ADD *Feb 5 17:27:36.166: Vi1 CHAP: O SUCCESS id 1 len 4 Caution Using the none keyword can allow unauthorized access to your network. Because of the risk of such errors occurring, we strongly recommend that you do not use the none keyword in your aaa commands. Configuring Virtual Private Networks Configuration Examples for VPN DC-563 Cisco IOS Dial Technologies Configuration Guide Misconfigured AAA Authentication If you reverse the order of the local and radius keywords in the aaa authentication ppp command on the tunnel server, the L2F tunnel cannot be established. The command should be configured as aaa authentication ppp default local radius. If you configure the command as aaa authentication ppp default radius local, the tunnel server first tries to authenticate the L2F tunnel using RADIUS. The RADIUS server sends the following message to the tunnel server. To see this message, enable the debug radius command. ENT_HGW# Jan 1 01:34:47.827: RADIUS: SENDPASS not supported (action=4) The RADIUS protocol does not support inbound challenges. This means that RADIUS is designed to authenticate user information, but it is not designed to be authenticated by others. When the tunnel server requests the tunnel secret from the RADIUS server, it responds with the “SENDPASS not supported” message. To avoid this problem, use the aaa authentication ppp default local radius command on the tunnel server. If your call still cannot successfully complete AAA negotiation, contact your support personnel. Configuration Examples for VPN This section provides the following configuration examples: • Client-Initiated Dial-In Configuration Example • VPN Tunnel Authentication Examples • NAS Comprehensive Dial-In Configuration Example • Tunnel Server Comprehensive Dial-in Configuration Example • NAS Configured for Both Dial-In and Dial-Out Example • Tunnel Server Configured for Both Dial-In and Dial-Out Example • RADIUS Profile Examples • TACACS+ Profile Examples Client-Initiated Dial-In Configuration Example The following example shows the running configuration of a tunnel server configured for PPTP using an ISA card to perform 40-bit MPPE encryption. It does not have an AAA configuration. Current configuration ! version 12.0 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname PNS ! no logging console guaranteed enable password lab ! Configuring Virtual Private Networks Configuration Examples for VPN DC-564 Cisco IOS Dial Technologies Configuration Guide username tester41 password 0 lab41 ! ip subnet-zero no ip domain-lookup ! vpdn enable ! vpdn-group 1 ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 1 local name cisco_pns ! memory check-interval 1 ! controller ISA 5/0 encryption mppe ! process-max-time 200 ! interface FastEthernet0/0 ip address 10.1.1.12 255.255.255.0 no ip directed-broadcast duplex auto speed auto ! interface FastEthernet0/1 ip address 10.1.2.12 255.255.255.0 no ip directed-broadcast duplex auto speed auto ! interface Serial1/0 no ip address no ip directed-broadcast shutdown framing c-bit cablelength 10 dsu bandwidth 44210 ! interface Serial1/1 no ip address no ip directed-broadcast shutdown framing c-bit cablelength 10 dsu bandwidth 44210 ! interface FastEthernet4/0 no ip address no ip directed-broadcast shutdown duplex half ! interface Virtual-Template1 ip unnumbered FastEthernet0/0 no ip directed-broadcast ip mroute-cache no keepalive ppp encrypt mppe 40 ppp authentication ms-chap ! Configuring Virtual Private Networks Configuration Examples for VPN DC-565 Cisco IOS Dial Technologies Configuration Guide ip classless ip route 172.29.1.129 255.255.255.255 1.1.1.1 ip route 172.29.63.9 255.255.255.255 1.1.1.1 no ip http server ! line con 0 exec-timeout 0 0 transport input none line aux 0 line vty 0 4 login ! end VPN Tunnel Authentication Examples The following examples shows several possibilities for performing local tunnel authentication. These examples only show the information relevant to tunnel authentication. Tunnel Secret Configured Using the Local Name Command The following examples are for a NAS and tunnel server that configure the tunnel names by using local name VPN group commands. The NAS tunnel name is ISP_NAS, the tunnel server tunnel name is ENT_HGW, and the tunnel secret is tunnelme. NAS Configuration The NAS tunnel name is specified by the local name command. The tunnel server tunnel name and tunnel secret are specified by the username command. username ENT_HGW password 7 tunnelme . . . vpdn-group 1 local name ISP_NAS Tunnel Server Configuration The tunnel server tunnel name is specified by the local name command. The NAS tunnel name and tunnel secret are specified by the username command. username ISP_NAS password 7 tunnelme . . . vpdn-group 1 local name ENT_HGW Tunnel Secret Configured Using the L2TP Tunnel Password Command The following example is for a NAS and tunnel server that both configure the tunnel secret using the l2tp tunnel password command. Because both routers use this command, they do not need to use either username or local name commands for tunnel authentication. The tunnel secret is tunnelme. NAS Configuration vpdn-group 1 request-dialin protocol l2tp l2tp tunnel password tunnelme Configuring Virtual Private Networks Configuration Examples for VPN DC-566 Cisco IOS Dial Technologies Configuration Guide Tunnel Server Configuration vpdn-group 1 accept-dialin protocol l2tp l2tp tunnel password tunnelme Tunnel Secret Configuration Using Different Tunnel Authentication Methods The follow example is for a NAS that uses the username command to specify the tunnel secret and a tunnel server that uses the l2tp tunnel password command to specify the tunnel secret. NAS Configuration username adrian password garf1eld . . . vpdn-group 1 local name stella Tunnel Server Configuration vpdn-group 1 accept--dialin protocol l2tp local name adrian l2tp tunnel password garf1eld NAS Comprehensive Dial-In Configuration Example The following example shows a NAS configured to tunnel PPP calls to a tunnel server using L2TP and local authentication and authorization: ! Enable AAA authentication and authorization with RADIUS as the default method aaa new-model aaa authentication ppp default radius aaa authorization network default radius ! username ISP_NAS password 7 tunnelme username ENT_HGW password 7 tunnelme ! vpdn enable ! ! Configure VPN to first search on the client domain name and then on the DNIS vpdn search-order domain dnis ! Allow a maximum of 10 simultaneous VPN sessions vpdn session-limit 10 ! ! Configure VPN to initiate VPN dial-in sessions vpdn-group 1 request-dialin ! Specify L2TP as the tunneling protocol protocol l2TP ! Tunnel clients with the domain name “hgw.com” domain hgw.com ! Establish a tunnel with IP address 172.22.66.25 initiate-to ip 172.22.66.25 ! Identify the tunnel using the name “ISP_NAS” local name ISP_NAS ! Configuring Virtual Private Networks Configuration Examples for VPN DC-567 Cisco IOS Dial Technologies Configuration Guide ! Defines the ISDN switch type as primary-5ess isdn switch-type primary-5ess ! ! Commissions the T1 controller to allow modem calls in to the NAS controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! interface Ethernet0 ip address 172.22.66.23 255.255.255.192 ! ! Configure the Serial channel to allow modem calls in to the NAS interface Serial0:23 no ip address isdn switch-type primary-5ess isdn incoming-voice modem no cdp enable ! ! interface Group-Async1 ip unnumbered Ethernet0 encapsulation ppp async mode interactive no peer default ip address ppp authentication chap pap group-range 1 96 ! ip classless ip route 0.0.0.0 0.0.0.0 172.22.66.1 ! ! Specifies the RADIUS server IP address, authorization port, and accounting port radius-server host 172.22.66.16 auth-port 1645 acct-port 1646 ! Specifies the authentication key to be used with the RADIUS server radius-server key cisco ! line con 0 transport input none ! Configures the modems line 1 96 autoselect during-login autoselect ppp modem InOut line aux 0 line vty 0 4 ! end Tunnel Server Comprehensive Dial-in Configuration Example The following example show a tunnel server configured to accept L2TP tunnels from a NAS using local authentication and authorization: aaa new-model ! Configure AAA to first use the local database and then contact the RADIUS server for ! PPP authentication aaa authentication ppp default local radius ! Configure AAA network authorization and accounting by using the RADIUS server aaa authorization network default radius aaa accounting network default start-stop radius ! Configuring Virtual Private Networks Configuration Examples for VPN DC-568 Cisco IOS Dial Technologies Configuration Guide username ISP_NAS password 7 tunnelme username ENT_HGW password 7 tunnelme ! vpdn enable ! Prevent any new VPN sessions from being established without disturbing existing ! sessions vpdn softshut ! ! Configure VPN to accept dial-in sessions vpdn-group 1 accept-dialin ! Specify L2TP as the tunneling protocol protocol l2tp ! Specify that virtual-access interfaces be cloned from virtual template 1 virtual-template 1 ! Accept dial-in requests from a router using the tunnel name “ISP_NAS” terminate-from hostname ISP_NAS ! Identify the tunnel using the tunnel name “ENT_HGW” local name ENT_HGW ! interface Ethernet0/0 ip address 172.22.66.25 255.255.255.192 no ip directed-broadcast ! interface Virtual-Template1 ! Use the IP address of interface Ethernet 0 ip unnumbered Ethernet0 ! Returns an IP address from the default pool to the VPN client peer default ip address pool default ! Use CHAP to authenticate PPP ppp authentication chap ! ip local pool default 172.30.2.1 172.30.2.96 ip classless ip route 0.0.0.0 0.0.0.0 172.22.66.1 ! ! Specifies the RADIUS server IP address, authorization port, and accounting port radius-server host 172.22.66.13 auth-port 1645 acct-port 1646 ! Specifies the authentication key to be used with the RADIUS server radius-server key cisco NAS Configured for Both Dial-In and Dial-Out Example You can configure a NAS to simultaneously initiate L2TP or L2F dial-in tunnels to a tunnel server and also accept L2TP dial-out tunnels from a tunnel server. In the following example, the VPN group of a NAS is configured to dial in using L2F and to dial out using L2TP as the tunneling protocol and dialer interface 2. The example only shows the VPN group and dialer configuration: vpdn-group 1 request-dialin protocol l2f domain jgb.com accept-dialout protocol l2tp dialer 2 local name cerise terminate-from hostname reuben initiate-to ip 172.1.2.3 ! Configuring Virtual Private Networks Configuration Examples for VPN DC-569 Cisco IOS Dial Technologies Configuration Guide interface Dialer2 ip unnumbered Ethernet0 encapsulation ppp dialer in-band dialer aaa dialer-group 1 ppp authentication chap Tunnel Server Configured for Both Dial-In and Dial-Out Example You can configure a tunnel server to simultaneously receive L2TP or L2F dial-in tunnels from a NAS and also initiate L2TP dial-out tunnels to a NAS. In the following example, a tunnel server VPN group is configured to dial in using virtual template 1 to clone the virtual access interface and to dial out using dialer pool 1. The example only shows the VPN group and dialer configuration: vpdn-group 1 accept-dialin protocol l2tp virtual-template 1 request-dialout protocol l2tp pool-member 1 local name reuben terminate-from hostname cerise initiate-to ip 10.3.2.1 ! interface Dialer2 ip address 172.19.2.3 255.255.128 encapsulation ppp dialer remote-name reuben dialer string 5551234 dialer vpdn dialer pool 1 dialer-group 1 ppp authentication chap RADIUS Profile Examples The following sections show VPN RADIUS profiles configured using CiscoSecure version 2.3.1: • RADIUS Domain Profile • RADIUS User Profile RADIUS Domain Profile The following example show a profile that is configured on the NAS RADIUS server to tunnel calls from users who dial-in with the domain name terrapin.com. The NAS will balance calls between the tunnel servers at 172.16.171.11 and 172.16.171.12. If both of those tunnel servers are unavailable, the NAS will tunnel calls to 172.16.171.13. user = terrapin.com{ profile_id = 29 set server current-failed-logins = 0 profile_cycle = 7 radius=Cisco { Configuring Virtual Private Networks Configuration Examples for VPN DC-570 Cisco IOS Dial Technologies Configuration Guide check_items= { 2=cisco } reply_attributes= { 9,1="vpdn:l2tp-tunnel-password=cisco123" 9,1="vpdn:tunnel-type=l2tp" 9,1="vpdn:ip-addresses=172.16.171.11 172.16.171.12/172.16.171.13" 9,1="vpdn:tunnel-id=tunnel" } } } Note check_items={2=cisco} is a hard-coded password. This password must be "cisco." RADIUS User Profile The following example shows a profile that is configured on the tunnel server RADIUS server to authorize and authenticate user sailor@terrapin.com: user = sailor@terrapin.com{ profile_id = 28 profile_cycle = 2 radius=Cisco { check_items= { 2=cisco } reply_attributes= { 6=2 7=1 } } } Note check_items={2=cisco} is a hard-coded password. This password must be "cisco." TACACS+ Profile Examples The following sections show VPN TACACS+ profiles configured using CiscoSecure version 2.2.2: • TACACS+ Domain Profile • TACACS+ User Profile • TACACS+ Tunnel Profiles TACACS+ Domain Profile The following example shows a profile that is configured on the NAS TACACS+ server to tunnel users who dial in with the domain name guava.com: user = guava.com{ profile_id = 83 profile_cycle = 1 service=ppp { protocol=vpdn { set tunnel-id=isp set ip-addresses="10.31.1.50" Configuring Virtual Private Networks Configuration Examples for VPN DC-571 Cisco IOS Dial Technologies Configuration Guide set nas-password="little" set gw-password="birdies" } protocol=lcp { } } } TACACS+ User Profile The following example shows a profile that is configured on the tunnel server TACACS+ to authorize and authenticate user geaner@guava.com: user = geaner@guava.com{ profile_id = 85 profile_cycle = 1 password = chap "daisies" service=ppp { protocol=ip { default attribute=permit } protocol=lcp { } } } TACACS+ Tunnel Profiles The following examples show a profile that is configured on the tunnel server TACACS+ server to authenticate the tunnel. See the “Configuring VPN Tunnel Authentication Using the Host Name or Local Name” and “Configuring VPN Tunnel Authentication Using the L2TP Tunnel Password” sections earlier in this chapter for more information on tunnel authentication. Note Only the tunnel server AAA server can perform tunnel authentication. Tunnel authentication must be performed locally by the NAS. user = tunnel-server { profile_id = 82 profile_cycle = 1 password = chap "3stone" service=ppp { protocol=ip { default attribute=permit } protocol=lcp { } } } Configuring Virtual Private Networks Configuration Examples for VPN DC-572 Cisco IOS Dial Technologies Configuration Guide PPP Configuration DC-575 Cisco IOS Dial Technologies Configuration Guide Configuring Asynchronous SLIP and PPP This chapter describes how to configure asynchronous Serial Line Internet Protocol (SLIP) and PPP. It includes the following main sections: • Asynchronous SLIP and PPP Overview • How to Configure Asynchronous SLIP and PPP • Configuration Examples for Asynchronous SLIP and PPP To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Asynchronous SLIP and PPP Overview PPP and SLIP define methods of sending IP packets over standard asynchronous serial lines with minimum line speeds of 1200 baud. Using SLIP or PPP encapsulation over asynchronous lines is an inexpensive way to connect personal computers (PCs) to a network. PPP and SLIP over asynchronous dialup modems allow a home computer to be connected to a network without the cost of a leased line. Dialup PPP and SLIP links can also be used for remote sites that need only occasional remote node or backup connectivity. Both public-domain and vendor-supported PPP and SLIP implementations are available for a variety of computer applications. The Cisco IOS software concentrates a large number of SLIP or PPP PC or workstation client hosts onto a network interface that allows the PCs to communicate with any host on the network. The Cisco IOS software can support any combination of SLIP or PPP lines and lines dedicated to normal asynchronous devices such as terminals and modems. Refer to RFC 1055 for more information about SLIP, and RFCs 1331 and 1332 for more information about PPP. SLIP is an older protocol. PPP is a newer, more robust protocol than SLIP, and it contains functions that can detect or prevent misconfiguration. PPP also provides greater built-in security mechanisms. Configuring Asynchronous SLIP and PPP Asynchronous SLIP and PPP Overview DC-576 Cisco IOS Dial Technologies Configuration Guide Note Most asynchronous serial links have very low bandwidth. Take care to configure your system so the links will not be overloaded. Consider using default routes and filtering routing updates to prevent them from being sent on these asynchronous lines. Figure 81 illustrates a typical asynchronous SLIP or PPP remote-node configuration. Figure 81 Sample SLIP or PPP Remote-Node Configuration Responding to BOOTP Requests The BOOTP protocol allows a client machine to discover its own IP address, the address of the router, and the name of a file to be loaded in to memory and executed. There are typically two phases to using BOOTP: first, the client’s address is determined and the boot file is selected; then the file is transferred, typically using the TFTP. PPP and SLIP clients can send BOOTP requests to the Cisco IOS software, and the Cisco IOS software responds with information about the network. For example, the client can send a BOOTP request to learn its IP address and where the boot file is located, and the Cisco IOS software responds with the information. BOOTP supports the extended BOOTP requests specified in RFC 1084 and works for both PPP and SLIP encapsulation. BOOTP compares to Reverse Address Resolution Protocol (RARP) as follows: RARP is an older protocol that allows a client to determine its IP address if it knows its hardware address. (Refer to the Cisco IOS IP Configuration Guide for more information about RARP.) However, RARP is a hardware link protocol, so it can be implemented only on hosts that have special kernel or driver modifications that allow access to these raw packets. BOOTP does not require kernel modifications. Asynchronous Network Connections and Routing Line configuration commands configure a connection to a terminal or a modem. Interface configuration (async) commands, described in this chapter, configure a line as an asynchronous network interface over which networking functions are performed. The Cisco IOS software also supports IP routing connections for communication that requires connecting one network to another. UNIX host S1470a Access server Remote PC Remote Macintosh AppleShare file server PC server UNIX server Configuring Asynchronous SLIP and PPP How to Configure Asynchronous SLIP and PPP DC-577 Cisco IOS Dial Technologies Configuration Guide The Cisco IOS software supports protocol translation for PPP and SLIP between other network devices running Telnet, local-area transport (LAT), or X.25. For example, you can send IP packets across a public X.25 packet assembler/disassembler (PAD) network using SLIP or PPP encapsulation when SLIP or PPP protocol translation is enabled. For more information, see the chapter “Configuring Protocol Translation and Virtual Asynchronous Devices” in this publication. If asynchronous dynamic routing is enabled, you can enable routing at the user level by using the routing keyword with the slip or ppp EXEC command. Asynchronous interfaces offer both dedicated and dynamic address assignment, configurable hold queues and IP packet sizes, extended BOOTP requests, and permit and deny conditions for controlling access to lines. Figure 82 shows a sample asynchronous routing configuration. Figure 82 Sample Asynchronous Routing Configuration Asynchronous Interfaces and Broadcasts The Cisco IOS software recognizes a variety of IP broadcast addresses. When a router receives an IP packet from an asynchronous client, it rebroadcasts the packet onto the network without changing the IP header. The Cisco IOS software receives the SLIP or PPP client broadcasts and responds to BOOTP requests with the current IP address assigned to the asynchronous interface from which the request was received. This facility allows the asynchronous client software to automatically learn its own IP address. How to Configure Asynchronous SLIP and PPP To configure SLIP and PPP, perform the tasks in the following sections; all tasks are optional: • Configuring Network-Layer Protocols over PPP and SLIP (Optional) • Configuring Asynchronous Host Mobility (Optional) • Making Additional Remote Node Connections (Optional) UNIX host S1658 TCP/IP routing Asynchronous serial line Configuring Asynchronous SLIP and PPP How to Configure Asynchronous SLIP and PPP DC-578 Cisco IOS Dial Technologies Configuration Guide • Configuring Remote Access to NetBEUI Services (Optional) • Configuring Performance Parameters (Optional) Configuring Network-Layer Protocols over PPP and SLIP You can configure network-layer protocols, such as AppleTalk, IP, and Internet Protocol Exchange (IPX), over PPP and SLIP. SLIP supports only IP, but PPP supports each of these protocols. See the sections that follow to configure these protocols over PPP and SLIP. Configuring IP and PPP To enable IP-PPP (IPCP) on a synchronous or asynchronous interface, use the following commands in interface configuration mode: Configuring IPX and PPP You can configure IPX over PPP (IPXCP) on synchronous serial and asynchronous serial interfaces using one of two methods. The first method associates an asynchronous interface with a loopback interface configured to run IPX. It permits you to configure IPX-PPP on asynchronous interfaces only. The second method permits you to configure IPX-PPP on asynchronous and synchronous serial interfaces. However, it requires that you specify a dedicated IPX network number for each interface, which can require a substantial number of network numbers for a large number of interfaces. You can also configure IPX to run on virtual terminal lines configured for PPP. See the section “Enabling IPX and PPP over X.25 to an IPX Network on Virtual Terminal Lines” later in this chapter. Note If you are configuring IPX-PPP on asynchronous interfaces, you should filter routing updates on the interface. Most asynchronous serial links have very low bandwidth, and routing updates take up a great deal of bandwidth. The previous task table uses the ipx update interval command to filter SAP updates. For more information about filtering routing updates, see the section about creating filters for updating the routing table in the chapter “Configuring Novell IPX” in the Cisco IOS AppleTalk and Novell IPX Configuration Guide. Command Purpose Step 1 Router(config-if)# ip address ip-address mask [secondary] or Router(config-if)# ip unnumbered type number Configures IP routing on the interface. Configures IP unnumbered routing on a serial interface. Step 2 Router(config-if)# encapsulation ppp Enables PPP encapsulation on the serial interface. Step 3 Router(config-if)# async mode interactive Enables interactive mode on an asynchronous interface. Configuring Asynchronous SLIP and PPP How to Configure Asynchronous SLIP and PPP DC-579 Cisco IOS Dial Technologies Configuration Guide IPX and PPP and Associating Asynchronous Interfaces with Loopback Interfaces To permit IPX client connections to an asynchronous interface, the interface must be associated with a loopback interface configured to run IPX. To permit such connections, use the following commands beginning in global configuration mode: IPX and PPP Using Dedicated IPX Network Numbers for Each Interface To enable IPX and PPP, use the following commands beginning in global configuration mode. The first five steps are required. The last step is optional. Enabling IPX and PPP over X.25 to an IPX Network on Virtual Terminal Lines You can enable IPX-PPP on virtual terminal lines, which permits clients to log in to a virtual terminal on a router, invoke a PPP session at the EXEC prompt to a host, and run IPX to the host. Command Purpose Step 1 Router(config)# ipx routing [node] Enables IPX routing. Step 2 Router(config)# interface loopback number Creates a loopback interface, which is a virtual interface existing only inside the router, and begins interface configuration mode. Step 3 Router(config-if)# ipx network network1 1. Every interface must have a unique IPX network number. Enables IPX routing on the loopback interface. Step 4 Router(config-if)# exit Exits to global configuration mode. Step 5 Router(config)# interface async number Enters interface configuration mode for the asynchronous interface. Step 6 Router(config-if)# ip unnumbered type number Configures IP unnumbered routing on the interface. Step 7 Router(config-if)# encapsulation ppp Enables PPP encapsulation on the interface. Step 8 Router(config-if)# async mode interactive Enables interactive mode on an asynchronous interface. Step 9 Router(config-if)# ipx ppp-client loopback number Assigns the asynchronous interface to the loopback interface configured for IPX. Step 10 Router(config-if)# ipx update interval Turns off Service Advertising Protocol (SAP) updates to optimize bandwidth on asynchronous interfaces. Command Purpose Step 1 Router(config)# ipx routing [node] Enables IPX routing. Step 2 Router(config)# interface loopback number Creates a loopback interface, which is a virtual interface existing only inside the router, and begins interface configuration mode. Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation on the interface. Step 4 Router(config-if)# async mode interactive Enables interactive mode on an asynchronous interface. Step 5 Router(config-if)# ipx network network1 1. Every interface must have a unique IPX network number. Enables IPX routing on the interface. Step 6 Router(config-if)# ipx update interval (Optional) Turns off SAP updates to optimize bandwidth on asynchronous interfaces. Configuring Asynchronous SLIP and PPP How to Configure Asynchronous SLIP and PPP DC-580 Cisco IOS Dial Technologies Configuration Guide For example, in Figure 83, the client terminal on the X.25 network logs in to the access server via a virtual terminal line, which is configured for IPX-PPP. When the user connects to the access server and the EXEC prompt appears, enter the PPP command to connect to the IPX host. The virtual terminal is configured to run IPX, so when the PPP session is established from the access server, the terminal can access the IPX host using an IPX application. Figure 83 IPX-PPP on a Virtual Asynchronous Interface To enable IPX to run over your PPP sessions on virtual terminal lines, use the following commands beginning in global configuration mode: Configuring AppleTalk and PPP You can configure an asynchronous interface so that users can access AppleTalk zones by dialing in to the router via PPP through this interface. Users accessing the network can run AppleTalk and IP natively on a remote Macintosh, access any available AppleTalk zones from Chooser, use networked peripherals, and share files with other Macintosh users. This feature is referred to as AppleTalk Control Protocol (ATCP). You create a virtual network that exists only for accessing an AppleTalk internet through the server. To create a new AppleTalk zone, enter the appletalk virtual-net command and use a new zone name; this network number is then the only one associated with this zone. To add network numbers to an existing AppleTalk zone, use this existing zone name in the command; this network number is then added to the existing zone. Routing is not supported on these interfaces. To enable ATCP for PPP, use the following commands in interface configuration (asynchronous) mode: Access server X.25 WAN Terminal running IPX-PPP Running protocol translation IPX host S3752 Command Purpose Step 1 Router(config)# ipx routing [node] Enables IPX routing. Step 2 Router(config)# interface loopback number Creates a loopback interface and begins interface configuration mode. Step 3 Router(config-if)# ipx network network1 1. Every loopback interface must have a unique IPX network number. Enables a virtual IPX network on the loopback interface. Step 4 Router(config-if)# vty-async ipx ppp-client loopback number Enables IPX-PPP on virtual terminal lines by assigning it to the loopback interface configured for IPX. Command Purpose Step 1 Router(config-if)# encapsulation ppp Defines encapsulation as PPP on this interface. Step 2 Router(config-if)# appletalk virtual-net network-number zone-name Creates an internal network on the server. Step 3 Router(config-if)# appletalk client-mode Enables client-mode on this interface. Configuring Asynchronous SLIP and PPP How to Configure Asynchronous SLIP and PPP DC-581 Cisco IOS Dial Technologies Configuration Guide Configuring IP and SLIP To enable IP-SLIP on a synchronous or asynchronous interface, use the following commands in interface configuration mode: Configuring Asynchronous Host Mobility The access server supports a packet tunneling strategy that extends the internetwork—in effect creating a virtual private link for the mobile user. When a user activates asynchronous host mobility, the access server on which the remote user dials in becomes a remote point of presence (POP) for the home network of the user. Once logged in, users experience a server environment identical to the one that they experience when they connect directly to the “home” access server. Once the network-layer connection is made, data packets are tunneled at the physical or data link layer instead of at the protocol layer. In this way, raw data bytes from dial-in users are transported directly to the “home” access server, which processes the protocols. Figure 84 illustrates the implementation of asynchronous host mobility on an extended internetwork. A mobile user connects to an access server on the internetwork and, by activating asynchronous host mobility, is connected to a “home” access server configured with the appropriate username. The user sees an authentication dialog or prompt from the “home” system and can proceed as if he or she were connected directly to that device. Figure 84 Asynchronous Host Mobility Asynchronous host mobility is enabled with the tunnel EXEC command and the ip tcp async-mobility server global configuration command. The ip tcp async-mobility server command establishes asynchronous listening on TCP tunnel port 57. The tunnel command sets up a network-layer connection to the specified destination. Both commands must be used. The access server accepts the connection, attaches it to a virtual terminal line, and runs a command parser capable of running the normal dial-in services. After the connection is established, data is transferred between the modem and network connection with a minimum of interpretations. When communications are complete, the network connection can be closed and terminated from either end. Command Purpose Step 1 Router(config-if)# ip address ip-address mask or Router(config-if)# ip unnumbered type number Configures IP routing on the interface. Configures IP unnumbered routing on a serial interface. Step 2 Router(config-if)# encapsulation slip Enables SLIP encapsulation on the serial interface. Step 3 Router(config-if)# async mode interactive Enables interactive mode on an asynchronous interface. Access server (home) Telecommuting user Internet Company network Data packets are encapsulated and "tunneled" to the home communications server where the protocols are translated S3244 Configuring Asynchronous SLIP and PPP How to Configure Asynchronous SLIP and PPP DC-582 Cisco IOS Dial Technologies Configuration Guide To enable asynchronous host mobility, use the following commands beginning in global configuration mode: To connect from a router other than a Cisco router, you must use Telnet. After a connection is established, you receive an authentication dialog or prompt from your home router, and can proceed as if you are connected directly to that router. When communications are complete, the network connection can be closed and terminated from either end of the connection. Making Additional Remote Node Connections This section describes how to connect devices across telephone lines by using PPP and SLIP. It includes the following sections: • Creating PPP Connections • Making SLIP Connections Creating PPP Connections When you connect from a remote node computer through an asynchronous port on an access server to the EXEC facility to connect from the access server to a device on the network, use the following command in EXEC mode: If you specify an address for the TACACS server using /default or tacacs-server, the address must be the first parameter in the command after you type ppp. If you do not specify an address or enter /default, you are prompted for an IP address or host name. You can enter /default at this point. For example, if you are working at home on the device named ntpc in Figure 85 and want to connect to Server 1 using PPP, you could dial in to the access server. When you connect to the EXEC prompt on the access server, enter the ppp command to connect with the device. Command Purpose Step 1 Router(config)# ip tcp async-mobility server Enables asynchronous listening on TCP tunnel port 57. Step 2 Router(config)# exit Returns to user EXEC mode. Step 3 Router# tunnel host Sets up a network-layer connection to a router by specifying its Internet name or address. Replace the host argument with the name or address of the device that you want to connect to. Command Purpose Router> ppp {/default | {remote-ip-address | remote-name} [@tacacs-server]} [/routing] Creates a PPP connection. Configuring Asynchronous SLIP and PPP How to Configure Asynchronous SLIP and PPP DC-583 Cisco IOS Dial Technologies Configuration Guide Figure 85 Using the ppp Command To terminate a session, disconnect from the device on the network using the command specific to that device. Then, exit from EXEC mode by using the exit command. Making SLIP Connections To make a serial connection to a remote host by using SLIP, use the following command in EXEC mode: Your system administrator can configure SLIP to expect a specific address or to provide one for you. It is also possible to set up SLIP in a mode that compresses packets for more efficient use of bandwidth on the line. If you specify an address for the TACACS server using /default or tacacs-server, the address must be the first parameter in the command after you type slip. If you do not specify an address or enter /default, you are prompted for an IP address or host name. You can enter /default at this point. If you do not use the tacacs-server argument to specify a TACACS server for SLIP address authentication, the TACACS server specified at login (if any) is used for the SLIP address query. To optimize bandwidth on a line, SLIP enables compression of the SLIP packets using Van Jacobson TCP header compression as defined in RFC 1144. To terminate a session, disconnect from the device on the network using the command specific to that device. Then, exit from EXEC mode by using the exit command. Configuring Remote Access to NetBEUI Services NetBIOS Extended User Interface (NetBEUI) is a simple networking protocol developed by IBM for use by PCs in a LAN environment. It is an extension of the original Network Basic Input/Output System (NetBIOS) from IBM. NetBEUI uses a broadcast-based name to 802.x address translation mechanism. Because NetBEUI has no network layer, it is a nonroutable protocol. The NetBIOS Frames Control Protocol (NBFCP) enables packets from a NetBEUI application to be transferred via a PPP connection. NetBEUI/PPP is supported in the access server and Cisco enterprise images only. Using the Cisco IOS implementation, remote NetBEUI users can have access to LAN-based NetBEUI services. The PPP link becomes the ramp for the remote node to access NetBIOS services on the LAN. (See Figure 86.) An Logical Link Control, type 2 (LLC2) connection is set up between the remote access client and router, and a second LLC2 connection is set up between the router and the remote access (NetBEUI) server. Server 1 S1472a ntpc Command Purpose Router> slip [/default] {remote-ip-address | remote-name} [@tacacs-server] [/routing]} [/compressed] Creates a SLIP connection. Configuring Asynchronous SLIP and PPP How to Configure Asynchronous SLIP and PPP DC-584 Cisco IOS Dial Technologies Configuration Guide Figure 86 NetBEUI Connection By supporting NetBEUI remote clients over PPP, Cisco routers function as a native NetBEUI dial-in router for remote NetBEUI clients. Thus, you can offer remote access to a NetBEUI network through asynchronous or ISDN connections. To enable a remote access client using a NetBEUI application to connect with the remote router providing NetBEUI services, configure interfaces on the remote access client side and the remote router side by using the following command in interface configuration mode: To view NetBEUI connection information, use the following command in EXEC mode: Configuring Performance Parameters To tune IP performance, complete the tasks in the following sections: • Compressing TCP Packet Headers (As required) • Setting the TCP Connection Attempt Time (As required) • Compressing IPX Packet Headers over PPP (As required) • Enabling Fast Switching (As required) • Controlling Route Cache Invalidation (As required) • Customizing SLIP and PPP Banner Messages (As required) Compressing TCP Packet Headers You can compress the headers of your TCP/IP packets to reduce their size and thereby increase performance. Header compression is particularly useful on networks with a large percentage of small packets, such as those supporting many Telnet connections. This feature compresses only the TCP Router Remote access client Modem LLC2 PPP Modem LLC2 NetBEUI server NetBEUI connection S3910 Command Purpose Router(config-if)# netbios nbf Enables NBFCP on each side of a NetBEUI connection. Command Purpose Router> show nbf sessions Views NetBEUI connection information. Configuring Asynchronous SLIP and PPP How to Configure Asynchronous SLIP and PPP DC-585 Cisco IOS Dial Technologies Configuration Guide header, so it has no effect on UDP packets or other protocol headers. The TCP header compression technique, described fully in RFC 1144, is supported on serial lines using High-Level Data Link Control (HDLC) or PPP encapsulation. You must enable compression on both ends of a serial connection. You can optionally specify outgoing packets to be compressed only when TCP incoming packets on the same interface are compressed. If you do not specify this option, the Cisco IOS software will compress all traffic. The default is no compression. You can also specify the total number of header compression connections that can exist on an interface. You should configure one connection for each TCP connection through the specified interface. To enable compression, use the following commands in interface configuration mode: Note When compression is enabled, fast switching is disabled. Fast processors can handle several fast interfaces, such as T1 lines, that are running header compression. However, you should think carefully about traffic characteristics in your network before compressing TCP headers. You might want to use the monitoring commands to help compare network utilization before and after enabling header compression. Setting the TCP Connection Attempt Time You can set the amount of time that the Cisco IOS software will wait to attempt to establish a TCP connection. In previous versions of the Cisco IOS software, the system would wait a fixed 30 seconds when attempting to make the connection. This amount of time is not enough in networks that have dialup asynchronous connections, such as a network consisting of dial-on-demand links that are implemented over modems, because it will affect your ability to use Telnet over the link (from the router) if the link must be brought up. Because the connection attempt time is a host parameter, it does not pertain to traffic going through the router, just to traffic originated at it. To set the TCP connection attempt time, use the following command in global configuration mode: Compressing IPX Packet Headers over PPP The Cisco IOS software permits compression of IPX packet headers over various WAN media. There are two protocols for IPX compression on point-to-point links: • CIPX, also known as Telebit style compression • Shiva compression, which is proprietary Command Purpose Step 1 Router(config-if)# ip tcp header-compression [passive] Enables TCP header compression. Step 2 Router(config-if)# ip tcp compression-connections number Specifies the total number of header compression connections that can exist on an interface. Command Purpose Router(config)# ip tcp synwait-time seconds Sets the amount of time for which the Cisco IOS software will wait to attempt to establish a TCP connection. Configuring Asynchronous SLIP and PPP How to Configure Asynchronous SLIP and PPP DC-586 Cisco IOS Dial Technologies Configuration Guide Cisco routers support IPX Header Compression (CIPX) on all point-to-point Novell interfaces over various WAN media. CIPX is described in RFC 1553, Compressing IPX Headers Over WAN Media. The CIPX algorithm is based on the same concepts as Van Jacobson TCP/IP header compression algorithm. CIPX operates over PPP WAN links using either the IPXCP or IPXWAN communications protocols. CIPX compresses all IPX headers and IPX/NCP headers for Novell packets with the following Network Control Program (NCP) packet types: • 0x2222—NCP request from workstation • 0x3333—NCP replies from file server In this version of software, CIPX is configurable only for PPP links. CIPX header compression can reduce header information from 30 bytes down to as little as 1 byte. This reduction can save bandwidth and reduce costs associated with IPX routing over WAN links that are configured to use IPXCP or IPXWAN. Consider the following issues before implementing CIPX: • CIPX is supported on all point-to-point IPX interfaces using PPP or IPXWAN processing (or both). • CIPX needs to be negotiated for both directions of the link, because it uses the reverse direction of the link for communicating decompression problems back to the originating peer. In other words, all peer routers must have CIPX enabled. To configure CIPX, use the following command in global configuration mode: Note We recommend that you keep a slot value of 16. Because slots are maintained in the router buffer, a larger number can impact buffer space for other operations. Enabling Fast Switching Fast switching involves the use of a high-speed switching cache for IP routing. With fast switching, destination IP addresses are stored in the high-speed cache so that some time-consuming table lookups can be avoided. The Cisco IOS software generally offers better packet transfer performance when fast switching is enabled. To enable or disable fast switching, use the following commands in interface configuration mode: Command Purpose Router(config)# ipx compression cipx number-of-slots Compresses IPX packet headers in a PPP session. Command Purpose Step 1 Router(config-if)# ip route-cache Enables fast-switching (use of a high-speed route cache for IP routing). Step 2 Router(config-if)# no ip route-cache Disables fast switching and enables load balancing on a per-packet basis. Configuring Asynchronous SLIP and PPP How to Configure Asynchronous SLIP and PPP DC-587 Cisco IOS Dial Technologies Configuration Guide Controlling Route Cache Invalidation The high-speed route cache used by IP fast switching is invalidated when the IP routing table changes. By default, the invalidation of the cache is delayed slightly to avoid excessive CPU load while the routing table is changing. To control route cache invalidation, use the following commands in global configuration mode as needed for your network: Note This task normally should not be necessary. It should be performed only under the guidance of technical staff. Incorrect configuration can seriously degrade the performance of your router. Customizing SLIP and PPP Banner Messages This feature enables you to customize the banner that is displayed when making a SLIP or PPP connection to avoid connectivity problems the default banner message causes in some non-Cisco SLIP and PPP dialup software. This feature is particularly useful when legacy client applications require a specialized connection string. To configure the SLIP-PPP banner message, use the following command in global configuration mode: You can also use tokens in the banner message to display current IOS configuration variables. Tokens are keywords of the form $(token). When you include tokens in a banner command, Cisco IOS will replace $(token) with the corresponding configuration variable. Table 35 lists the tokens that you can use in the banner slip-ppp command. Command Purpose Step 1 Router(config)# no ip cache-invalidate-delay Allows immediate invalidation of the cache. Step 2 Router(config)# ip cache-invalidate-delay [minimum maximum quiet-threshold] Delays invalidation of the cache. Command Purpose Router(config)# banner slip-ppp d message d Configures the SLIP-PPP banner to display a customized message. Table 35 SLIP Banner Tokens Tokens Information Displayed in Banner Global $(hostname) Hostname of the router $(domain) Domain name of the router Slip/PPP Banner-Specific $(peer-ip) IP address of the peer machine $(gate-ip) IP address of the gateway machine $(encap) Encapsulation type (SLIP, PPP, and so on) Configuring Asynchronous SLIP and PPP Configuration Examples for Asynchronous SLIP and PPP DC-588 Cisco IOS Dial Technologies Configuration Guide Configuration Examples for Asynchronous SLIP and PPP This section provides the following examples: • Basic PPP Configurations Examples • Remote Node NetBEUI Examples • Remote Network Access Using PPP Basic Configuration Example • Remote Network Access Using PPP and Routing IP Example • Remote Network Access Using a Leased Line with Dial-Backup and PPP Example • Multilink PPP Using Multiple Asynchronous Interfaces Example Basic PPP Configurations Examples The following example illustrates how to make a connection when the system administrator defines a default IP address by including the peer default ip address command in interface configuration mode. Note The peer default ip address command replaces the async default ip address command. Once a correct password is entered, you are placed in SLIP mode, and the IP address appears: Router> slip Password: Entering SLIP mode. Your IP address is 192.168.7.28, MTU is 1524 bytes The following example shows the prompts displayed and the response required when dynamic addressing is used to assign the SLIP address: Router> slip IP address or hostname? 192.168.6.15 Password: Entering SLIP mode Your IP address is 192.168.6.15, MTU is 1524 bytes In the previous example, the address 192.168.6.15 had been assigned as the default. Password verification is still required before SLIP mode can be enabled, as follows: Router> slip default Password: Entering SLIP mode Your IP address is 192.168.6.15, MTU is 1524 bytes The following example illustrates the implementation of header compression on the interface with the IP address 172.16.2.1: Router> slip 172.16.2.1 /compressed Password: $(encap-alt) Encapsulation type displayed as SL/IP instead of SLIP $(mtu) MTU size Table 35 SLIP Banner Tokens (continued) Configuring Asynchronous SLIP and PPP Configuration Examples for Asynchronous SLIP and PPP DC-589 Cisco IOS Dial Technologies Configuration Guide Entering SLIP mode. Interface IP address is 172.16.2.1, MTU is 1500 bytes. Header compression will match your system. In the preceding example, the interface is configured for ip tcp header-compression passive, which permitted the user to enter the /compressed keyword at the EXEC mode prompt. The message “Header compression will match your system” indicates that the user has specified compression. If the line was configured for ip tcp header-compression on, this line would read “Header compression is On.” The following example specifies a TACACS server named parlance for address authentication: Router> slip 10.0.0.1@parlance Password: Entering SLIP mode. Interface IP address is 10.0.0.1, MTU is 1500 bytes Header compression will match your system. The following example sets the SLIP-PPP banner using several tokens and the percent sign (%) as the delimiting character: Router(config)# banner slip-ppp % Enter TEXT message. End with the character '%'. Starting $(encap) connection from $(gate-ip) to $(peer-ip) using a maximum packet size of $(mtu) bytes... % When you enter the slip command, you will see the following banner. Notice that the $(token) syntax is replaced by the corresponding configuration variables. Starting SLIP connection from 192.168.69.96 to 172.16.80.8 using a maximum packet size of 1500 bytes... Remote Node NetBEUI Examples In the following example, asynchronous interface 7 and Ethernet interface 0 are configured to enable NetBEUI connectivity between the corporate telecommuter client and the remote access (NetBEUI) server. The PC client is running the Chat legacy application in Windows NT to connect with the remote server. (See Figure 87.) Figure 87 Connecting a Remote NetBEUI Client to a Server Through a Router The configuration for the router is as follows: interface async 7 netbios nbf encapsulation ppp Router Telecommuter corporate traveler Modem Modem LLC2 NetBEUI server NetBEUI connection S3911 Remote access client Interface async 7 Interface Ethernet 0 Configuring Asynchronous SLIP and PPP Configuration Examples for Asynchronous SLIP and PPP DC-590 Cisco IOS Dial Technologies Configuration Guide You would also need to configure security, such as TACACS+, RADIUS, or another form of login authentication on the router. Remote Network Access Using PPP Basic Configuration Example Figure 88 illustrates a simple network configuration that includes remote PCs with modems connected via modem to a router. The cloud is a Public Switched Telephone Network (PSTN). The modems are connected via asynchronous lines, and the access server is connected to a local network. In this example, the following is configured: • An asynchronous line on the access server configured to use PPP encapsulation. • An interface on the access server for the modem connection; this interface also needs to be configured to accept incoming modem calls. • A default IP address for each incoming line. Figure 88 Remote Network Access Using PPP This default address indicates the address of the remote PC to the server, unless the user explicitly specifies another when starting the PPP session. The server is configured for interactive mode with autoselect enabled, which allows the user to automatically begin a PPP session upon detection of a PPP packet from the remote PC; or, the remote PC can explicitly begin a PPP session by entering the ppp EXEC command at the prompt. The configuration is as follows: ip routing ! interface ethernet 0 ip address 192.168.32.12 255.255.255.0 ! interface async 1 encapsulation ppp async mode interactive async default ip address 192.168.32.51 async dynamic address ip unnumbered ethernet 0 line 1 autoselect ppp modem callin speed 19200 Logical network S3290 Configuring Asynchronous SLIP and PPP Configuration Examples for Asynchronous SLIP and PPP DC-591 Cisco IOS Dial Technologies Configuration Guide Remote Network Access Using PPP and Routing IP Example Figure 89 illustrates a network configuration that provides routing functionality, allowing routing updates to be passed across the asynchronous lines. This network is composed of remote and local PCs connected via modem and network connections to an access server. This access server is connected to a second access server via an asynchronous line running TCP/IP. The second access server is connected to a local network via modem. For this scenario, you will need to configure the following: • An asynchronous line on both access servers configured to use PPP encapsulation • An interface on both access servers for the modem connection and for this interface to be configured to accept incoming modem calls • A default IP address for each incoming line • IP routing on all configured interfaces Figure 89 Routing on an Asynchronous Line Using PPP The configuration is as follows: interface async 1 encapsulation ppp async mode interactive async default ip address 192.168.32.10 async dynamic address ip unnumbered ethernet 0 async dynamic routing If you want to pass IP routing updates across the asynchronous link, enter the following commands: line 1 autoselect ppp modem callin speed 19200 Next, enter the following commands to configure the asynchronous lines between the access servers beginning in global configuration mode: interface async 2 async default ip address 192.168.32.55 ip tcp header compression passive Logical network S3291 TCP/IP (async) Configuring Asynchronous SLIP and PPP Configuration Examples for Asynchronous SLIP and PPP DC-592 Cisco IOS Dial Technologies Configuration Guide Finally, configure routing as described in the Cisco IOS IP Configuration Guide using one of the following methods. The server can route packets three different ways. • Use ARP, which is the default behavior. • Use a default-gateway by entering the command ip default-gateway x.x.x.x, where x.x.x.x is the IP address of a locally attached router. • Run an IP routing protocol such as Routing Information Protocol (RIP), Interior Gateway Routing Protocol (IGRP), Enhanced IGRP (EIGRP), or Open Shortest Path First (OSPF). Remote Network Access Using a Leased Line with Dial-Backup and PPP Example Figure 90 illustrates a scenario where two networks are connected via access servers on a leased line. Redundancy is provided by a dial-backup line over the PSTN so that if the primary leased line goes down, the dial-backup line will be automatically brought up to restore the connection. This configuration would be useful for using an auxiliary port as the backup port for a synchronous port. For this scenario, you would need to configure the following: • Two asynchronous interfaces on each access server • Two modem interfaces • A default IP address for each interface • Dial-backup on one modem interface per access server • An interface connecting to the related network of an access server Figure 90 Asynchronous Leased Line with Backup The configuration for this scenario follows: hostname routerA ! username routerB password cisco chat-script backup "" "AT" TIMEOUT 30 OK atdt\T TIMEOUT 30 CONNECT \c ! ! interface Serial0 backup interface Async1 ip address 192.168.222.12 255.255.255.0 ! interface Async1 ip address 172.16.199.1 255.255.255.0 encapsulation ppp Leased line Dial-backup line Network A Network B Access server 1 Access server 2 S3292 Configuring Asynchronous SLIP and PPP Configuration Examples for Asynchronous SLIP and PPP DC-593 Cisco IOS Dial Technologies Configuration Guide async default ip address 172.16.199.2 async dynamic address async dynamic routing async mode dedicated dialer in-band dialer map IP 172.16.199.2 name routerB modem-script backup broadcast 3241129 dialer-group 1 ppp authentication chap ! dialer-list 1 protocol ip permit ! line aux 0 modem InOut rxspeed 38400 txspeed 38400 Multilink PPP Using Multiple Asynchronous Interfaces Example The following example shows how to configure MLP using multiple asynchronous interfaces: chat-script backup "" "AT" TIMEOUT 30 OK atdt\T TIMEOUT 30 CONNECT \c ! ip address-pool local ip pool foo 10.0.1.5 10.0.1.15 ! int as 1 (2, 3) no ip address dialer in-band encapsulation ppp ppp multilink dialer-rotary 1 ! interface dialer 1 encaps ppp ip unnumbered ethernet 0 peer default ip addr pool foo ppp authentication chap ppp multilink dialer in-band dialer map ip 10.200.100.9 name WAN-R3 modem-script backup broadcast 2322036 dialer load-threshold 5 either dialer-group 1 ! dialer-list 1 protocol ip permit ! line line 1 3 modem InOut speed 115000 Configuring Asynchronous SLIP and PPP Configuration Examples for Asynchronous SLIP and PPP DC-594 Cisco IOS Dial Technologies Configuration Guide DC-595 Cisco IOS Dial Technologies Configuration Guide Configuring Media-Independent PPP and Multilink PPP This chapter describes how to configure the PPP and Multilink PPP (MLP) features that can be configured on any interface. It includes the following main sections: • PPP Encapsulation Overview • Configuring PPP and MLP • Configuring MLP Interleaving and Queueing • Configuring MLP Inverse Multiplexer and Distributed MLP • Monitoring and Maintaining PPP and MLP Interfaces • Configuration Examples for PPP and MLP This chapter also describes address pooling for point-to-point links, which is available on all asynchronous serial, synchronous serial, and ISDN interfaces. See the chapter “Configuring Asynchronous SLIP and PPP” in this publication for information about PPP features and requirements that apply only to asynchronous lines and interfaces. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the PPP commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. PPP Encapsulation Overview PPP, described in RFC 1661, encapsulates network layer protocol information over point-to-point links. You can configure PPP on the following types of physical interfaces: • Asynchronous serial • High-Speed Serial Interface (HSSI) • ISDN • Synchronous serial By enabling PPP encapsulation on physical interfaces, PPP can also be in effect on calls placed by the dialer interfaces that use the physical interfaces. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-596 Cisco IOS Dial Technologies Configuration Guide The current implementation of PPP supports option 3, authentication using Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP), option 4, Link Quality Monitoring (LQM), and option 5, Magic Number configuration options. The software always sends option 5 and negotiates for options 3 and 4 if so configured. All other options are rejected. Magic Number support is available on all serial interfaces. PPP always attempts to negotiate for Magic Numbers, which are used to detect looped-back lines. Depending on how the down-when-looped command is configured, the router might shut down a link if it detects a loop. The software provides the CHAP and PAP on serial interfaces running PPP encapsulation. For detailed information about authentication, refer to the Cisco IOS Security Configuration Guide. Beginning with Cisco IOS Release 11.2 F, Cisco supported fast switching of incoming and outgoing DECnet and CLNS packets over PPP. Configuring PPP and MLP To configure PPP on a serial interface (including ISDN), perform the following task in interface configuration mode. This task is required for PPP encapsulation. • Enabling PPP Encapsulation You can also complete the tasks in the following sections; these tasks are optional but offer a variety of uses and enhancements for PPP on your systems and networks: • Enabling CHAP or PAP Authentication • Enabling Link Quality Monitoring • Configuring Compression of PPP Data • Configuring Microsoft Point-to-Point Compression • Configuring IP Address Pooling • Configuring PPP Reliable Link • Disabling or Reenabling Peer Neighbor Routes • Configuring PPP Half-Bridging • Configuring Multilink PPP • Configuring MLP Interleaving • Enabling Distributed CEF Switching • Creating a Multilink Bundle • Assigning an Interface to a Multilink Bundle • Disabling PPP Multilink Fragmentation • Verifying the MLP Inverse Multiplexer Configuration See the section “Monitoring and Maintaining PPP and MLP Interfaces” later in this chapter for tips on maintaining PPP. See the “Configuration Examples for PPP and MLP” at the end of this chapter for ideas on how to implement PPP and MLP in your network. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-597 Cisco IOS Dial Technologies Configuration Guide Enabling PPP Encapsulation To enable PPP on serial lines to encapsulate IP and other network protocol datagrams, use the following command in interface configuration mode: PPP echo requests are used as keepalives to minimize disruptions to the end users of your network. The no keepalive command can be used to disable echo requests. Enabling CHAP or PAP Authentication PPP with CHAP or PAP authentication is often used to inform the central site about which remote routers are connected to it. With this authentication information, if the router or access server receives another packet for a destination to which it is already connected, it does not place an additional call. However, if the router or access server is using rotaries, it sends the packet out the correct port. CHAP and PAP were originally specified in RFC 1334, and CHAP is updated in RFC 1994. These protocols are supported on synchronous and asynchronous serial interfaces. When using CHAP or PAP authentication, each router or access server identifies itself by a name. This identification process prevents a router from placing another call to a router to which it is already connected, and also prevents unauthorized access. Access control using CHAP or PAP is available on all serial interfaces that use PPP encapsulation. The authentication feature reduces the risk of security violations on your router or access server. You can configure either CHAP or PAP for the interface. Note To use CHAP or PAP, you must be running PPP encapsulation. When CHAP is enabled on an interface and a remote device attempts to connect to it, the local router or access server sends a CHAP packet to the remote device. The CHAP packet requests or “challenges” the remote device to respond. The challenge packet consists of an ID, a random number, and the host name of the local router. The required response has two parts: • An encrypted version of the ID, a secret password, and the random number • Either the host name of the remote device or the name of the user on the remote device When the local router or access server receives the response, it verifies the secret password by performing the same encryption operation as indicated in the response and looking up the required host name or username. The secret passwords must be identical on the remote device and the local router. Because this response is sent, the password is never sent in clear text, preventing other devices from stealing it and gaining illegal access to the system. Without the proper response, the remote device cannot connect to the local router. CHAP transactions occur only when a link is established. The local router or access server does not request a password during the rest of the call. (The local device can, however, respond to such requests from other devices during a call.) Command Purpose Router(config-if)# encapsulation ppp Enables PPP encapsulation. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-598 Cisco IOS Dial Technologies Configuration Guide When PAP is enabled, the remote router attempting to connect to the local router or access server is required to send an authentication request. If the username and password specified in the authentication request are accepted, the Cisco IOS software sends an authentication acknowledgment. After you have enabled CHAP or PAP, the local router or access server requires authentication from remote devices. If the remote device does not support the enabled protocol, no traffic will be passed to that device. To use CHAP or PAP, you must perform the following tasks: • Enable PPP encapsulation. • Enable CHAP or PAP on the interface. • For CHAP, configure host name authentication and the secret or password for each remote system with which authentication is required. To enable PPP encapsulation, use the following command in interface configuration mode: To enable CHAP or PAP authentication on an interface configured for PPP encapsulation, use the following command in interface configuration mode: The ppp authentication chap optional keyword if-needed can be used only with Terminal Access Controller Access Control System (TACACS) or extended TACACS. With authentication, authorization, and accounting (AAA) configured on the router and list names defined for AAA, the list-name optional keyword can be used with AAA/TACACS+. Caution If you use a list-name that has not been configured with the aaa authentication ppp command, you disable PPP on the line. Add a username entry for each remote system from which the local router or access server requires authentication. Command Purpose Router(config-if)# encapsulation ppp Enables PPP encapsulation on an interface. Command Purpose Router(config-if)# ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default] [callin] Defines the authentication methods supported and the order in which they are used. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-599 Cisco IOS Dial Technologies Configuration Guide To specify the password to be used in CHAP or PAP caller identification, use the following command in global configuration mode: Make sure this password does not include spaces or underscores. To configure TACACS on a specific interface as an alternative to global host authentication, use one of the following commands in interface configuration mode: Use the ppp use-tacacs command with TACACS and Extended TACACS. Use the aaa authentication ppp command with AAA/TACACS+. For an example of CHAP, see the section “CHAP with an Encrypted Password Examples” at the end of this chapter. CHAP is specified in RFC 1994, PPP Challenge Handshake Authentication Protocol (CHAP). Enabling Link Quality Monitoring Link Quality Monitoring (LQM) is available on all serial interfaces running PPP. LQM will monitor the link quality, and if the quality drops below a configured percentage, the router will shut down the link. The percentages are calculated for both the incoming and outgoing directions. The outgoing quality is calculated by comparing the total number of packets and bytes sent with the total number of packets and bytes received by the destination node. The incoming quality is calculated by comparing the total number of packets and bytes received with the total number of packets and bytes sent by the destination peer. Note LQM is not compatible with Multilink PPP. When LQM is enabled, Link Quality Reports (LQRs) are sent, in place of keepalives, every keepalive period. All incoming keepalives are responded to properly. If LQM is not configured, keepalives are sent every keepalive period and all incoming LQRs are responded to with an LQR. LQR is specified in RFC 1989, PPP Link Quality Monitoring. Command Purpose Router(config)# username name [user-maxlinks link-number] password secret Configures identification. Optionally, you can specify the maximum number of connections a user can establish. To use the user-maxlinks keyword, you must also use the aaa authorization network default local command and PPP encapsulation and name authentication on all the interfaces the user will be accessing. Command Purpose Router(config-if)# ppp use-tacacs [single-line] or Router(config-if)# aaa authentication ppp Configures TACACS. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-600 Cisco IOS Dial Technologies Configuration Guide To enable LQM on the interface, use the following command in interface configuration mode: The percentage argument specifies the link quality threshold. That percentage must be maintained, or the link is deemed to be of poor quality and is taken down. Configuring Compression of PPP Data You can configure point-to-point software compression on serial interfaces that use PPP encapsulation. Compression reduces the size of a PPP frame via lossless data compression. PPP encapsulations support both predictor and Stacker compression algorithms. If most of your traffic is already compressed files, do not use compression. Most routers support software compression only, but in the Cisco 7000 series routers, hardware compression and distributed compression are also available, depending on the interface processor and compression service adapter hardware installed in the router. To configure compression, complete the tasks in one of the following sections: • Software Compression • Hardware-Dependent Compression Software Compression Software compression is available in all router platforms. Software compression is performed by the main processor in the router. Compression is performed in software and might significantly affect system performance. We recommend that you disable compression if the router CPU load exceeds 65 percent. To display the CPU load, use the show process cpu EXEC command. To configure compression over PPP, use the following commands in interface configuration mode: Hardware-Dependent Compression When you configure Stacker compression on Cisco 7000 series routers with a 7000 Series Route Switch Processor (RSP7000), on Cisco 7200 series routers, and on Cisco 7500 series routers, there are three methods of compression: hardware compression, distributed compression, and software compression. Command Purpose Router(config-if)# ppp quality percentage Enables LQM on the interface. Command Purpose Step 1 Router(config-if)# encapsulation ppp Enables encapsulation of a single protocol on the serial line. Step 2 Router(config-if)# compress [predictor | stac | mppc [ignore-pfc]] Enables compression. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-601 Cisco IOS Dial Technologies Configuration Guide Hardware and distributed compression are available on routers that have the SA-Comp/1 and SA-Comp/4 data compression service adapters (CSAs). CSAs are available on Cisco 7200 series routers, on Cisco 7500 series routers with second-generation Versatile Interface Processors (VIP2s), and on Cisco 7000 series routers with the RSP7000 and 7000 Series Chassis Interface (RSP7000CI). (CSAs require VIP2 model VIP2-40.) To configure hardware or distributed compression over PPP, use the following commands in interface configuration mode: Specifying the compress stac command with no options causes the router to use the fastest available compression method: • If the router contains a CSA, compression is performed in the CSA hardware (hardware compression). • If the CSA is not available, compression is performed in the software installed on the VIP2 (distributed compression). • If the VIP2 is not available, compression is performed in the main processor of the router (software compression). Using hardware compression in the CSA frees the main processor of the router for other tasks. You can also configure the router to use the VIP2 to perform compression by using the distributed option, or to use the main processor of the router by using the software option. If the VIP2 is not available, compression is performed in the main processor of the router. When compression is performed in software installed in the main processor of the router, it might substantially affect system performance. We recommend that you disable compression in the main processor of the router if the router CPU load exceeds 40 percent. To display the CPU load, use the show process cpu EXEC command. Specifying the compress stac command with no options causes the router to use the fastest available compression method. Configuring Microsoft Point-to-Point Compression Microsoft Point-to-Point Compression (MPPC) is a scheme used to compress PPP packets between Cisco and Microsoft client devices. The MPPC algorithm is designed to optimize bandwidth utilization in order to support multiple simultaneous connections. The MPPC algorithm uses a Lempel-Ziv (LZ)-based algorithm with a continuous history buffer called a dictionary. The Compression Control Protocol (CCP) configuration option for MPPC is 18. Command Purpose Step 1 Router(config-if)# encapsulation ppp Enables encapsulation of a single protocol on the serial line. Step 2 Cisco 7000 series with RSP7000 and Cisco 7500 series routers Router(config-if)# compress stac [distributed | software] Cisco 7200 series routers Router(config-if)# compress stac [csa slot | software] Enables compression. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-602 Cisco IOS Dial Technologies Configuration Guide Exactly one MPPC datagram is encapsulated in the PPP information field. The PPP protocol field indicates the hexadecimal type of 00FD for all compressed datagrams. The maximum length of the MPPC datagram sent over PPP is the same as the MTU of the PPP interface; however, this length cannot be greater than 8192 bytes because the history buffer is limited to 8192 bytes. If compressing the data results in data expansion, the original data is sent as an uncompressed MPPC packet. The history buffers between compressor and decompressor are synchronized by maintaining a 12-bit coherency count. If the decompressor detects that the coherency count is out of sequence, the following error recovery process is performed: 1. Reset Request (RR) packet is sent from the decompressor. 2. The compressor then flushes the history buffer and sets the flushed bit in the next packet it sends. 3. Upon receiving the flushed bit set packet, the decompressor flushes the history buffer. Synchronization is achieved without CCP using the Reset Acknowledge (RA) packet, which can consume additional time. Compression negotiation between a router and a Windows 95 client occurs through the following process: 1. Windows 95 sends a request for both STAC (option 17) and MPPC (option 18) compression. 2. The router sends a negative acknowledgment (NAK) requesting only MPPC. 3. Windows 95 resends the request for MPPC. 4. The router sends an acknowledgment (ACK) confirming MPPC compression negotiation. MPPC Restrictions The following restrictions apply to the MPPC feature: • MPPC is supported only with PPP encapsulation. • Compression can be processor intensive because it requires a reserved block of memory to maintain the history buffer. Do not enable modem or hardware compression because it may cause performance degradation, compression failure, or data expansion. • Both ends of the point-to-point link must be using the same compression method (STAC, Predictor, or MPPC, for example). Configuring MPPC PPP encapsulation must be enabled before you can configure MPPC. For information on how to configure PPP encapsulation, see the section “Enabling PPP Encapsulation” earlier in this chapter. There is only one command required to configure MPPC. The existing compress command supports the mppc keyword, which prepares the interface to initiate CCP and negotiates MPPC with the Microsoft client. To set MPPC once PPP encapsulation is configured on the router, use the following command in interface configuration mode: Command Purpose Router(config-if)# compress [mppc [ignore-pfc]] Enables MPPC on the interface. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-603 Cisco IOS Dial Technologies Configuration Guide The ignore-pfc keyword instructs the router to ignore the protocol field compression flag negotiated by LCP. For example, the uncompressed standard protocol field value for IP is 0x0021 and 0x21 when compression is enabled. When the ignore-pfc option is enabled, the router will continue to use the uncompressed value (0x0021). Using the ignore-pfc option is helpful for some asynchronous driver devices that use an uncompressed protocol field (0x0021), even though the protocol field compression is negotiated between peers. displays protocol rejections when the debug ppp negotiation command is enabled. These errors can be remedied by setting the ignore-pfc option. Sample debug ppp negotiation Command Output Showing Protocol Reject PPP Async2: protocol reject received for protocol = 0x2145 PPP Async2: protocol reject received for protocol = 0x2145 PPP Async2: protocol reject received for protocol = 0x2145 Configuring IP Address Pooling A point-to-point interface must be able to provide a remote node with its IP address through the IP Control Protocol (IPCP) address negotiation process. The IP address can be obtained from a variety of sources. The address can be configured through the command line, entered with an EXEC-level command, provided by TACACS+ or the Dynamic Host Configuration Protocol (DHCP), or from a locally administered pool. IP address pooling uses a pool of IP addresses from which an incoming interface can provide an IP address to a remote node through IPCP address negotiation process. IP address pooling also enhances configuration flexibility by allowing multiple types of pooling to be active simultaneously. See the chapter “Configuring Asynchronous SLIP and PPP” in this publication for additional information about address pooling on asynchronous interfaces and about the Serial Line Internet Protocol (SLIP). Peer Address Allocation A peer IP address can be allocated to an interface through several methods: • Dialer map lookup—This method is used only if the peer requests an IP address, no other peer IP address has been assigned, and the interface is a member of a dialer group. • PPP or SLIP EXEC command—An asynchronous dialup user can enter a peer IP address or host name when PPP or SLIP is invoked from the command line. The address is used for the current session and then discarded. • IPCP negotiation—If the peer presents a peer IP address during IPCP address negotiation and no other peer address is assigned, the presented address is acknowledged and used in the current session. • Default IP address—The peer default ip address command and the member peer default ip address command can be used to define default peer IP addresses. • TACACS+ assigned IP address—During the authorization phase of IPCP address negotiation, TACACS+ can return an IP address that the user being authenticated on a dialup interface can use. This address overrides any default IP address and prevents pooling from taking place. • DHCP retrieved IP address—If configured, the routers acts as a proxy client for the dialup user and retrieves an IP address from a DHCP server. That address is returned to the DHCP server when the timer expires or when the interface goes down. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-604 Cisco IOS Dial Technologies Configuration Guide • Local address pool—The local address pool contains a set of contiguous IP addresses (a maximum of 1024 addresses) stored in two queues. The free queue contains addresses available to be assigned and the used queue contains addresses that are in use. Addresses are stored to the free queue in first-in, first-out (FIFO) order to minimize the chance the address will be reused, and to allow a peer to reconnect using the same address that it used in the last connection. If the address is available, it is assigned; if not, another address from the free queue is assigned. • Chat script (asynchronous serial interfaces only)—The IP address in the dialer map command entry that started the script is assigned to the interface and overrides any previously assigned peer IP address. • Virtual terminal/protocol translation—The translate command can define the peer IP address for a virtual terminal (pseudo asynchronous interface). • The pool configured for the interface is used, unless TACACS+ returns a pool name as part of AAA. If no pool is associated with a given interface, the global pool named default is used. Precedence Rules The following precedence rules of peer IP address support determine which address is used. Precedence is listed from most likely to least likely: 1. AAA/TACACS+ provided address or addresses from the pool named by AAA/TACACS+ 2. An address from a local IP address pool or DHCP (typically not allocated unless no other address exists) 3. Dialer map lookup address (not done unless no other address exists) 4. Address from an EXEC-level PPP or SLIP command, or from a chat script 5. Configured address from the peer default ip address command or address from the protocol translate command 6. Peer provided address from IPCP negotiation (not accepted unless no other address exists) Interfaces Affected Address pooling is available on all asynchronous serial, synchronous serial, ISDN BRI, and ISDN PRI interfaces that are running PPP. Choosing the IP Address Assignment Method The IP address pooling feature now allows configuration of a global default address pooling mechanism, per-interface configuration of the address pooling mechanism, and per-interface configuration of a specific address or pool name. You can define the type of IP address pooling mechanism used on router interfaces in one or both of the ways described in the following sections: • Defining the Global Default Address Pooling Mechanism • Configuring IP Address Assignment Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-605 Cisco IOS Dial Technologies Configuration Guide Defining the Global Default Address Pooling Mechanism The global default mechanism applies to all point-to-point interfaces that support PPP encapsulation and that have not otherwise been configured for IP address pooling. You can define the global default mechanism to be either DHCP or local address pooling. To configure the global default mechanism for IP address pooling, perform the tasks in one of following sections: • Defining DHCP as the Global Default Mechanism • Defining Local Address Pooling as the Global Default Mechanism After you have defined a global default mechanism, you can disable it on a specific interface by configuring the interface for some other pooling mechanism. You can define a local pool other than the default pool for the interface or you can configure the interface with a specific IP address to be used for dial-in peers. You can also control the DHCP network discovery mechanism; see the following section for more information: • Controlling DHCP Network Discovery Defining DHCP as the Global Default Mechanism DHCP specifies the following components: • A DHCP server—A host-based DHCP server configured to accept and process requests for temporary IP addresses. • A DHCP proxy-client—A Cisco access server configured to arbitrate DHCP calls between the DHCP server and the DHCP client. The DHCP client-proxy feature manages a pool of IP addresses available to dial-in clients without a known IP address. To enable DHCP as the global default mechanism, use the following commands in global configuration mode: In Step 2, you can provide as few as one or as many as ten DHCP servers for the proxy-client (the Cisco router or access server) to use. DHCP servers provide temporary IP addresses. Command Purpose Step 1 Router(config)# ip address-pool dhcp-proxy-client Specifies DHCP client-proxy as the global default mechanism. Step 2 Router(config)# ip dhcp-server [ip-address | name] (Optional) Specifies the IP address of a DHCP server for the proxy client to use. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-606 Cisco IOS Dial Technologies Configuration Guide Defining Local Address Pooling as the Global Default Mechanism To specify that the global default mechanism to use is local pooling, use the following commands in global configuration mode: If no other pool is defined, a local pool called “default” is used. Optionally, you can associate an address pool with a named pool group. Controlling DHCP Network Discovery To allow peer routers to dynamically discover Domain Name System (DNS) and NetBIOS name server information configured on a DHCP server using PPP IP Control Protocol (IPCP) extensions, use the following command in global configuration mode: The ip dhcp-client network-discovery global configuration command provides a way to control the DHCP network discovery mechanism. The number of DHCP Inform or Discovery messages can be set to 1 or 2, which determines how many times the system sends the DHCP Inform or Discover messages before stopping network discovery. You can set a time-out period from 3 to 15 seconds, or leave the default time-out period at 15 seconds. Default for the informs and discovers keywords is 0, which disables the transmission of these messages. Configuring IP Address Assignment After you have defined a global default mechanism for assigning IP addresses to dial-in peers, you can configure the few interfaces for which it is important to have a nondefault configuration. You can do any of the following; • Define a nondefault address pool for use by a specific interface. • Define DHCP on an interface even if you have defined local pooling as the global default mechanism. • Specify one IP address to be assigned to all dial-in peers on an interface. • Make temporary IP addresses available on a per-interface basis to asynchronous clients using SLIP or PPP. Command Purpose Step 1 Router(config)# ip address-pool local Specifies local pooling as the global default mechanism. Step 2 Router(config)# ip local pool {named-address-pool | default} {first-IP-address [last-IP-address]} [group group-name] [cache-size size]} Creates one or more local IP address pools. Command Purpose Router(config)# ip dhcp-client network-discovery informs number-of-messages discovers number-of-messages period seconds Provides control of the DHCP network discovery mechanism by allowing the number of DHCP Inform and Discover messages to be sent, and a time-out period for retransmission, to be configured. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-607 Cisco IOS Dial Technologies Configuration Guide To define a nondefault address pool for use on an interface, use the following commands beginning in global configuration mode: To define DHCP as the IP address mechanism for an interface, use the following commands beginning in global configuration mode: To define a specific IP address to be assigned to all dial-in peers on an interface, use the following commands beginning in global configuration mode: Configuring PPP Reliable Link PPP reliable link is Cisco’s implementation of RFC 1663, PPP Reliable Transmission, which defines a method of negotiating and using Numbered Mode Link Access Procedure, Balanced (LAPB) to provide a reliable serial link. Numbered Mode LAPB provides retransmission of error packets across the serial link. Although LAPB protocol overhead consumes some bandwidth, you can offset that consumption by the use of PPP compression over the reliable link. PPP compression is separately configurable and is not required for use of a reliable link. Note PPP reliable link is available only on synchronous serial interfaces, including ISDN BRI and ISDN PRI interfaces. PPP reliable link cannot be used over V.120, and does not work with Multilink PPP. Command Purpose Step 1 Router(config)# ip local pool {named-address-pool | default} {first-IP-address [last-IP-address]} [group group-name] [cache-size size]} Creates one or more local IP address pools. Step 2 Router(config)# interface type number Specifies the interface and begins interface configuration mode. Step 3 Router(config-if)# peer default ip address pool pool-name-list Specifies the pool or pools for the interface to use. Command Purpose Step 1 Router(config)# interface type number Specifies the interface and begins interface configuration mode. Step 2 Router(config-if)# peer default ip address pool dhcp Specifies DHCP as the IP address mechanism on this interface. Command Purpose Step 1 Router(config)# interface type number Specifies the interface and begins interface configuration mode. Step 2 Router(config-if)# peer default ip address ip-address Specifies the IP address to assign. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-608 Cisco IOS Dial Technologies Configuration Guide To configure PPP reliable link on a specified interface, use the following command in interface configuration mode: Having reliable links enabled does not guarantee that all connections through the specified interface will in fact use reliable link. It only guarantees that the router will attempt to negotiate reliable link on this interface. Troubleshooting PPP You can troubleshoot PPP reliable link by using the debug lapb command and the debug ppp negotiations, debug ppp errors, and debug ppp packets commands. You can determine whether LAPB has been established on a connection by using the show interface command. Disabling or Reenabling Peer Neighbor Routes The Cisco IOS software automatically creates neighbor routes by default; that is, it automatically sets up a route to the peer address on a point-to-point interface when the PPP IPCP negotiation is completed. To disable this default behavior or to reenable it once it has been disabled, use the following commands in interface configuration mode: Note If entered on a dialer or asynchronous group interface, this command affects all member interfaces. Configuring PPP Half-Bridging For situations in which a routed network needs connectivity to a remote bridged Ethernet network, a serial or ISDN interface can be configured to function as a PPP half-bridge. The line to the remote bridge functions as a virtual Ethernet interface, and the serial or ISDN interface on the router functions as a node on the same Ethernet subnetwork as the remote network. The bridge sends bridge packets to the PPP half-bridge, which converts them to routed packets and forwards them to other router processes. Likewise, the PPP half-bridge converts routed packets to Ethernet bridge packets and sends them to the bridge on the same Ethernet subnetwork. Note An interface cannot function as both a half-bridge and a bridge. Command Purpose Router(config-if)# ppp reliable-link Enables PPP reliable link. Command Purpose Step 1 Router(config-if)# no peer neighbor-route Disables creation of neighbor routes. Step 2 Router(config-if)# peer neighbor-route Reenables creation of neighbor routes. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-609 Cisco IOS Dial Technologies Configuration Guide Figure 91 shows a router with a serial interface configured as a PPP half-bridge. The interface functions as a node on the Ethernet subnetwork with the bridge. Note that the serial interface has an IP address on the same Ethernet subnetwork as the bridge. Figure 91 Router Serial Interface Configured as a Half-Bridge Note The Cisco IOS software supports no more than one PPP half-bridge per Ethernet subnetwork. To configure a serial interface to function as a half-bridge, use the following commands beginning in global configuration mode as appropriate for your network: Note You must enter the ppp bridge command either when the interface is shut down or before you provide a protocol address for the interface. For more information about AppleTalk addressing, refer to the “Configuring AppleTalk” chapter of the Cisco IOS AppleTalk and Novell IPX Configuration Guide. For more information about IPX addresses and encapsulations, refer to the “Configuring Novell IPX” chapter of the Cisco IOS AppleTalk and Novell IPX Configuration Guide. S4763 ATM 4/0.100 172.31.5.9 Ethernet subnet 172.31.5.0 Command Purpose Step 1 Router(config)# interface serial number Specifies the interface and begins interface configuration mode. Step 2 Router(config-if)# ppp bridge appletalk Router(config-if)# ppp bridge ip Router(config-if)# ppp bridge ipx [novell-ether | arpa | sap | snap] Enables PPP half-bridging for one or more routed protocols: AppleTalk, IP, or Internet Protocol Exchange (IPX). Step 3 Router(config-if)# ip address n.n.n.n Router(config-if)# appletalk address network.node Router(config-if)# appletalk cable-range cable-range network.node Router(config-if)# ipx network network Provides a protocol address on the same subnetwork as the remote network. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-610 Cisco IOS Dial Technologies Configuration Guide Configuring Multilink PPP The Multilink PPP feature provides load balancing functionality over multiple WAN links, while providing multivendor interoperability, packet fragmentation and proper sequencing, and load calculation on both inbound and outbound traffic. The Cisco implementation of MLP supports the fragmentation and packet sequencing specifications in RFC 1990. Additionally, you can change the default endpoint discriminator value that is supplied as part of user authentication. Refer to RFC 1990 for more information about the endpoint discriminator. MLP allows packets to be fragmented and the fragments to be sent at the same time over multiple point-to-point links to the same remote address. The multiple links come up in response to a defined dialer load threshold. The load can be calculated on inbound traffic, outbound traffic, or on either, as needed for the traffic between the specific sites. MLP provides bandwidth on demand and reduces transmission latency across WAN links. MLP is designed to work over synchronous and asynchronous serial and BRI and PRI types of single or multiple interfaces that have been configured to support both dial-on-demand rotary groups and PPP encapsulation. Perform the tasks in the following sections, as required for your network, to configure MLP: • Configuring MLP on Synchronous Interfaces • Configuring MLP on Asynchronous Interfaces • Configuring MLP on a Single ISDN BRI Interface • Configuring MLP on Multiple ISDN BRI Interfaces • Configuring MLP Using Multilink Group Interfaces • Changing the Default Endpoint Discriminator Configuring MLP on Synchronous Interfaces To configure Multilink PPP on synchronous interfaces, you configure the synchronous interfaces to support PPP encapsulation and Multilink PPP. To configure a synchronous interface, use the following commands beginning in global configuration mode: Repeat these steps for additional synchronous interfaces, as needed. Command Purpose Step 1 Router(config)# interface serial number Specifies an asynchronous interface. Step 2 Router(config-if)# no ip address Specifies no IP address for the interface. Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation. Step 4 Router(config-if)# no fair-queue Disables WFQ on the interface. Step 5 Router(config-if)# ppp multilink Enables Multilink PPP. Step 6 Router(config-if)# pulse-time seconds Enables pulsing DTR signal intervals on the interface. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-611 Cisco IOS Dial Technologies Configuration Guide Configuring MLP on Asynchronous Interfaces To configure MLP on asynchronous interfaces, configure the asynchronous interfaces to support dial-on-demand routing (DDR) and PPP encapsulation, and then configure a dialer interface to support PPP encapsulation, bandwidth on demand, and Multilink PPP. To configure an asynchronous interface to support DDR and PPP encapsulation, use the following commands beginning in global configuration mode: Repeat these steps for additional asynchronous interfaces, as needed. At some point, adding more asynchronous interfaces does not improve performance, With the default maximum transmission unit (MTU) size, MLP should support three asynchronous interfaces using V.34 modems. However, packets might be dropped occasionally if the maximum transmission unit (MTU) size is small or large bursts of short frames occur. To configure a dialer interface to support PPP encapsulation and Multilink PPP, use the following commands beginning in global configuration mode: Configuring MLP on a Single ISDN BRI Interface To enable MLP on a single ISDN BRI interface, you are not required to define a dialer rotary group separately because ISDN interfaces are dialer rotary groups by default. Command Purpose Step 1 Router(config)# interface async number Specifies an asynchronous interface and begins interface configuration mode. Step 2 Router(config-if)# no ip address Specifies no IP address for the interface. Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation. Step 4 Router(config-if)# dialer in-band Enables DDR on the interface. Step 5 Router(config-if)# dialer rotary-group number Includes the interface in a specific dialer rotary group. Command Purpose Step 1 Router(config)# interface dialer number Defines a dialer rotary group. Step 2 Router(config-if)# no ip address Specifies no IP address for the interface. Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation. Step 4 Router(config-if)# dialer in-band Enables DDR on the interface. Step 5 Router(config-if)# dialer load-threshold load [inbound | outbound | either] Configures bandwidth on demand by specifying the maximum load before the dialer places another call to a destination. Step 6 Router(config-if)# ppp multilink Enables Multilink PPP. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-612 Cisco IOS Dial Technologies Configuration Guide To enable PPP on an ISDN BRI interface, use the following commands beginning in global configuration mode: If you do not use PPP authentication procedures (Step 8), your telephone service must pass caller ID information. The load threshold number is required. For an example of configuring MLP on a single ISDN BRI interface, see the section “MLP on One ISDN BRI Interface Example” at the end of this chapter. When MLP is configured and you want a multilink bundle to be connected indefinitely, use the dialer idle-timeout command to set a very high idle timer. (The dialer-load threshold 1 command no longer keeps a multilink bundle of n links connected indefinitely, and the dialer-load threshold 2 command no longer keeps a multilink bundle of two links connected indefinitely.) Configuring MLP on Multiple ISDN BRI Interfaces To enable MLP on multiple ISDN BRI interfaces, set up a dialer rotary interface and configure it for Multilink PPP, and then configure the BRI interfaces separately and add them to the same rotary group. To set up the dialer rotary interface for the BRI interfaces, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# interface bri number Specifies an interface and begins interface configuration mode. Step 2 Router(config-if)# ip address ip-address mask [secondary] Provides an appropriate protocol address for the interface. Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation. Step 4 Router(config-if)# dialer idle-timeout seconds [inbound | either] Specifies the duration of idle time in seconds after which a line will be disconnected. By default, outbound traffic will reset the dialer idle timer. Adding the either keyword causes both inbound and outbound traffic to reset the timer; adding the inbound keyword causes only inbound traffic to reset the timer. Step 5 Router(config-if)# dialer load-threshold load Specifies the dialer load threshold for bringing up additional WAN links. Step 6 Router(config-if)# dialer map protocol next-hop-address [name hostname] [spc] [speed 56 | 64] [broadcast] [dial-string[:isdn-subaddress]] Configures the ISDN interface to call the remote site. Step 7 Router(config-if)# dialer-group group-number Controls access to this interface by adding it to a dialer access group. Step 8 Router(config-if)# ppp authentication pap (Optional) Enables PPP authentication. Step 9 Router(config-if)# ppp multilink Enables MLP on the dialer rotary group. Command Purpose Step 1 Router(config)# interface dialer number Specifies the dialer rotary interface and begins interface configuration mode. Step 2 Router(config-if)# ip address address mask Specifies the protocol address for the dialer rotary interface. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-613 Cisco IOS Dial Technologies Configuration Guide If you do not use PPP authentication procedures (Step 10), your telephone service must pass caller ID information. To configure each of the BRI interfaces to belong to the same rotary group, use the following commands beginning in global configuration mode: Repeat Steps 1 through 6 for each BRI that you want to belong to the same dialer rotary group. When MLP is configured and you want a multilink bundle to be connected indefinitely, use the dialer idle-timeout command to set a very high idle timer. (The dialer load-threshold 1 command no longer keeps a multilink bundle of n links connected indefinitely and the dialer load-threshold 2 command no longer keeps a multilink bundle of two links connected indefinitely.) Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation. Step 4 Router(config-if)# dialer in-band Specifies in-band dialing. Step 5 Router(config-if)# dialer idle-timeout seconds [inbound | either] Specifies the duration of idle time in seconds after which a line will be disconnected. By default, both inbound and outbound traffic will reset the dialer idle timer. Including the inbound keyword will cause only inbound traffic to reset the timer. Step 6 Router(config-if)# dialer map protocol next-hop-address [name hostname] [spc] [speed 56 | 64] [broadcast] [dial-string[:isdn-subaddress]] Maps the next hop protocol address and name to the dial string needed to reach it. Step 7 Router(config-if)# dialer load-threshold load Specifies the dialer load threshold, using the same threshold as the individual BRI interfaces. Step 8 Router(config-if)# dialer-group number Controls access to this interface by adding it to a dialer access group. Step 9 Router(config-if)# ppp authentication chap (Optional) Enables PPP CHAP authentication. Step 10 Router(config-if)# ppp multilink Enables Multilink PPP. Command Purpose Command Purpose Step 1 Router(config)# interface bri number Specifies one of the BRI interfaces. Step 2 Router(config-if)# no ip address Specifies that it does not have an individual protocol address. Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation. Step 4 Router(config-if)# dialer idle-timeout seconds [inbound | either] Specifies the duration of idle time in seconds after which a line will be disconnected. By default, outbound traffic will reset the dialer idle timer. Adding the either keyword causes both inbound and outbound traffic to reset the timer; adding the inbound keyword causes only inbound traffic to reset the timer. Step 5 Router(config-if)# dialer rotary-group number Adds the interface to the rotary group. Step 6 Router(config-if)# dialer load-threshold load Specifies the dialer load threshold for bringing up additional WAN links. Configuring Media-Independent PPP and Multilink PPP Configuring PPP and MLP DC-614 Cisco IOS Dial Technologies Configuration Guide Note Previously, when MLP was used in a dialer profile, a virtual access interface was always created as the bundle. It was bound to both the B channel and the dialer profile interfaces after creation and cloning. The dialer profile interface could act as the bundle without help from a virtual access interface. But with the Dynamic Multiple Encapsulations feature available in Cisco IOS Release 12.1, it is no longer the virtual access interface that is added into the connected group of the dialer profile, but the dialer profile itself. The dialer profile becomes a connected member of its own connected group. See the “Dynamic Multiple Encapsulations over ISDN Example” in the chapter “Configuring Peer-to-Peer DDR with Dialer Profiles” in this publication, for more information about dynamic multiple encapsulations and its relation to Multilink PPP. For an example of configuring MLP on multiple ISDN BRI interfaces, see the section “MLP on Multiple ISDN BRI Interfaces Example” at the end of this chapter. Configuring MLP Using Multilink Group Interfaces MLP can be configured by assigning a multilink group to a virtual template configuration. Virtual templates allow a virtual access interface to dynamically clone interface parameters from the specified virtual template. If a multilink group is assigned to a virtual template, and then the virtual template is assigned to a physical interface, all links that pass through the physical interface will belong to the same multilink bundle. A multilink group interface configuration will override a global multilink virtual template configured with the multilink virtual template command. Multilink group interfaces can be used with ATM, PPP over Frame Relay, and serial interfaces. To configure MLP using a multilink group interface, perform the following tasks: • Configure the multilink group. • Assign the multilink group to a virtual template. • Configure the physical interface to use the virtual template. To configure the multilink group, use the following commands beginning in global configuration mode: To assign the multilink group to a virtual template, perform the following task beginning in global configuration mode: Command Purpose Router(config)# interface multilink group-number Creates a multilink bundle and enters multilink interface configuration mode to configure the bundle. Router(config-if)# ip address address mask Sets a primary IP address for an interface. Router(config-if)# encapsulation ppp Enables PPP encapsulation. Router(config-if)# ppp multilink Enables MLP on an interface. Router(config)# interface virtual template number Creates a virtual template interface that can be configured and applied dynamically in creating virtual access interfaces. Router(config-if)# ppp multilink group group-number Restricts a physical link to joining only a designated multilink-group interface. Configuring Media-Independent PPP and Multilink PPP Configuring MLP Interleaving and Queueing DC-615 Cisco IOS Dial Technologies Configuration Guide To configure the physical interface and assign the virtual template to it, perform the following task beginning in global configuration mode. This example is for an ATM interface. However, multilink group interfaces can also be used with PPP over Frame Relay interfaces and serial interfaces. To see an example of how to configure MLP over an ATM PVC using a multilink group, see the section “MLP Using Multilink Group Interfaces over ATM Example” at the end of this chapter. Changing the Default Endpoint Discriminator By default, when the system negotiates use of MLP with the peer, the value that is supplied for the endpoint discriminator is the same as the username used for authentication. That username is configured for the interface by the Cisco IOS ppp chap hostname or ppp pap sent-username command, or defaults to the globally configured host name (or stack group name, if this interface is a Stack Group Bidding Protocol, or SGBP, group member). To override or change the default endpoint discriminator, use the following command in interface configuration mode: To see an example of how to change the default endpoint discriminator, see the section “Changing the Default Endpoint Discriminator Example” at the end of this chapter. Configuring MLP Interleaving and Queueing Interleaving on MLP allows large packets to be multilink encapsulated and fragmented into a small enough size to satisfy the delay requirements of real-time traffic; small real-time packets are not multilink encapsulated and are sent between fragments of the large packets. The interleaving feature also provides a special transmit queue for the smaller, delay-sensitive packets, enabling them to be sent earlier than other flows. Weighted fair queueing on MLP works on the packet level, not at the level of multilink fragments. Thus, if a small real-time packet gets queued behind a larger best-effort packet and no special queue has been reserved for real-time packets, the small packet will be scheduled for transmission only after all the fragments of the larger packet are scheduled for transmission. Weighted fair queueing is now supported on all interfaces that support Multilink PPP, including MLP virtual access interfaces and virtual interface templates. Weighted fair-queueing is enabled by default. Router(config)# interface atm interface-number.subinterface-number point-to-point Configures an ATM interface and enters interface configuration mode. Router(config-if)# pvc vpi/vci Creates or assigns a name to an ATM permanent virtual circuit (PVC), specifies the encapsulation type on an ATM PVC, and enters ATM virtual circuit configuration mode. Router(config-if-atm-vc)# protocol ppp virtual-template name Configures VC multiplexed encapsulation on a PVC. Command Purpose Router(config-if)# ppp multilink endpoint {hostname | ip IP-address | mac LAN-interface | none | phone telephone-number | string char-string} Overrides or changes the default endpoint discriminator the system uses when negotiating the use of MLP with the peer. Configuring Media-Independent PPP and Multilink PPP Configuring MLP Interleaving and Queueing DC-616 Cisco IOS Dial Technologies Configuration Guide Fair queueing on MLP overcomes a prior restriction. Previously, fair queueing was not allowed on virtual access interfaces and virtual interface templates. Interleaving provides the delay bounds for delay-sensitive voice packets on a slow link that is used for other best-effort traffic. Interleaving applies only to interfaces that can configure a multilink bundle interface. These restrictions include virtual templates, dialer interfaces, and ISDN BRI or PRI interfaces. Multilink and fair queueing are not supported when a multilink bundle is off-loaded to a different system using Multichassis Multilink PPP (MMP). Thus, interleaving is not supported in MMP networking designs. MLP support for interleaving can be configured on virtual templates, dialer interfaces, and ISDN BRI or PRI interfaces. To configure interleaving, complete the following tasks: • Configure the dialer interface, BRI interface, PRI interface, or virtual template, as defined in the relevant chapters of this manual. • Configure MLP and interleaving on the interface or template. Note Fair queueing, which is enabled by default, must remain enabled on the interface. Configuring MLP Interleaving To configure MLP and interleaving on a configured and operational interface or virtual interface template, use the following commands beginning in interface configuration mode: Interleaving statistics can be displayed by using the show interfaces command, specifying the particular interface on which interleaving is enabled. Interleaving data is displayed only if there are interleaves. For example, the following line shows interleaves: Output queue: 315/64/164974/31191 (size/threshold/drops/interleaves) Command Purpose Step 1 Router(config-if)# ppp multilink Enables Multilink PPP. Step 2 Router(config-if)# ppp multilink interleave Enables interleaving of packets among the fragments of larger packets on an MLP bundle. Step 3 Router(config-if)# ppp multilink fragment delay milliseconds Specifies a maximum size, in units of time, for packet fragments on an MLP bundle. Step 4 Router(config-if)# ip rtp reserve lowest-udp-port range-of-ports [maximum-bandwidth] Reserves a special queue for real-time packet flows to specified destination UDP ports, allowing real-time traffic to have higher priority than other flows. Step 5 Router(config-if)# exit Exits interface configuration mode. Step 6 Router(config)# multilink virtual-template 1 For virtual templates only, applies the virtual template to the multilink bundle.1 1. This step is not used for ISDN or dialer interfaces. Configuring Media-Independent PPP and Multilink PPP Configuring MLP Inverse Multiplexer and Distributed MLP DC-617 Cisco IOS Dial Technologies Configuration Guide Configuring MLP Inverse Multiplexer and Distributed MLP The distributed MLP feature combines T1/E1 lines in a VIP on a Cisco 7500 series router into a bundle that has the combined bandwidth of the multiple T1/E1 lines. This is done using a VIP MLP link. You choose the number of bundles and the number of T1/E1 lines in each bundle, which allows you to increase the bandwidth of your network links beyond that of a single T1/E1 line without having to purchase a T3 line. Nondistributed MLP can only perform limited links, with CPU usage quickly reaching 90% with only a few T1/E1 lines running MLP. With distributed MLP, you can increase the router’s total capacity. The MLP Inverse Multiplexer feature was designed for Internet service providers (ISPs) that want to have the bandwidth of multiple T1 lines with performance comparable to that of an inverse multiplexer without the need of buying standalone inverse-multiplexing equipment. A Cisco router supporting VIPs can bundle multiple T1 lines in a CT3 or CE3 interface. Bundling is more economical than purchasing an inverse multiplexer, and eliminates the need to configure another piece of equipment. This feature supports the CT3 CE3 data rates without taxing the RSP and CPU by moving the data path to the VIP. This feature also allows remote sites to purchase multiple T1 lines instead of a T3 line, which is especially useful when the remote site does not need the bandwidth of an entire T3 line. This feature allows multilink fragmentation to be disabled, so multilink packets are sent using Cisco Express Forwarding (CEF) on all platforms, if fragmentation is disabled. CEF is now supported with fragmentation enabled or disabled. Figure 92 shows a typical network using a VIP MLP link. The Cisco 7500 series router is connected to the network with a CT3 line that has been configured with VIP MLP to carry two bundles of four T1 lines each. One of these bundles goes out to a Cisco 2500 series router and the other goes out to a Cisco 3800 series router. Figure 92 Diagram of a Typical VIP MLP Topology Before beginning the MLP Inverse Multiplexer configuration tasks, make note of the following prerequisites and restrictions. Prerequisites • Distributed CEF switching must be enabled for distributed MLP. • One of the following port adapters is required: – CT3IP – PA-MC-T3 Cisco 7200 Cisco 7500 PSTN Cisco 7200 Cisco 2500 Cisco 3800 T1s T1s CT3 CT3 Channelized T3 with two bundles of four T1 Channelized T3 with two bundles of two T1s each 32378 Configuring Media-Independent PPP and Multilink PPP Configuring MLP Inverse Multiplexer and Distributed MLP DC-618 Cisco IOS Dial Technologies Configuration Guide – PA-MC-2T3+ – PA-MC-E3 – PA-MC-8T1 – PA-MC-4T1 – PA-MC-8E1 • All 16 E1s can be bundled from a PA-MC-E3 in a VIP4-80. Restrictions • The Multilink Inverse Multiplexer feature is supported only on the Cisco 7500 series routers. • For bundles using IP, all lines in the bundle must have the same IP access list. • Only one port adapter can be installed in a VIP. • T1 and E1 lines cannot be mixed in a bundle. • T1 lines in a bundle must have the same bandwidth. • All lines in a bundle must have identical configurations. • T1 lines can be combined in one bundle or up to 16 bundles per VIP. • E1 lines can be combined in one bundle or up to 12 bundles per VIP. • A maximum of eight T1 lines can be bundled on the VIP2-50 with two MB of SRAM. • A maximum of 16 T1 lines can be bundled on the VIP2-50 with four or eight MB of SRAM. • A maximum of 12 E1 lines can be bundled on the VIP2-50 with four or eight MB of SRAM. • A maximum of 40 T1 lines can be bundled on the VIP4-80. • Hardware compression is not supported. • Encryption is not supported. • Fancy/custom queueing is supported. • MLP fragmentation is supported. • Software compression is not recommended because CPU usage would negate performance gains. • The maximum differential delay supported is 50 milliseconds. • VIP CEF is limited to IP only; all other protocols are sent to the RSP. Enabling fragmentation reduces the delay latency among bundle links, but adds some load to the CPU. Disabling fragmentation may result in better throughput. If your data traffic is consistently of a similar size, we recommend disabling fragmentation. In this case, the benefits of fragmentation may be outweighed by the added load on the CPU. To configure a multilink bundle, perform the tasks in the following sections: • Enabling Distributed CEF Switching (Required for Distributed MLP) • Creating a Multilink Bundle (Required) • Assigning an Interface to a Multilink Bundle (Required) • Disabling PPP Multilink Fragmentation (Optional) • Verifying the MLP Inverse Multiplexer Configuration (Optional) Configuring Media-Independent PPP and Multilink PPP Configuring MLP Inverse Multiplexer and Distributed MLP DC-619 Cisco IOS Dial Technologies Configuration Guide Enabling Distributed CEF Switching To enable distributed MLP, first enable distributed CEF (dCEF) switching using the following command in global configuration mode: Creating a Multilink Bundle To create a multilink bundle, use the following commands beginning in global configuration mode: Assigning an Interface to a Multilink Bundle To assign an interface to a multilink bundle, use the following commands in interface configuration mode: Command Purpose Router(config)# ip cef distributed Enables dCEF switching. Command Purpose Step 1 Router(config)# interface multilink group-number Assigns a multilink group number and begins interface configuration mode. Step 2 Router(config-if)# ip address address mask Assigns an IP address to the multilink interface. Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation. Step 4 Router(config-if)# ppp multilink Enables Multilink PPP. Command Purpose Step 1 Router(config-if)# no ip address Removes any specified IP address. Step 2 Router(config-if)# keepalive Sets the frequency of keepalive packets. Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation. Step 4 Router(config-if)# ppp multilink group group-number Restricts a physical link to joining only the designated multilink-group interface. Step 5 Router(config-if)# ppp multilink Enables Multilink PPP. Step 6 Router(config-if)# ppp authentication chap (Optional) Enables CHAP authentication. Step 7 Router(config-if)# pulse-time seconds (Optional) Configures DTR signal pulsing. Configuring Media-Independent PPP and Multilink PPP Monitoring and Maintaining PPP and MLP Interfaces DC-620 Cisco IOS Dial Technologies Configuration Guide Disabling PPP Multilink Fragmentation By default, PPP multilink fragmentation is enabled. To disable PPP multilink fragmentation, use the following command in interface configuration mode: Verifying the MLP Inverse Multiplexer Configuration To display information about the newly created multilink bundle, use the show ppp multilink command in EXEC mode: Router# show ppp multilink Multilink1, bundle name is group1 Bundle is Distributed 0 lost fragments, 0 reordered, 0 unassigned, sequence 0x0/0x0 rcvd/sent 0 discarded, 0 lost received, 1/255 load Member links:4 active, 0 inactive (max not set, min not set) Serial1/0/0:1 Serial1/0/0/:2 Serial1/0/0/:3 Serial1/0/0/:4 Monitoring and Maintaining PPP and MLP Interfaces To monitor and maintain virtual interfaces, use the following command in EXEC mode: Configuration Examples for PPP and MLP The following sections provide various PPP configuration examples: • CHAP with an Encrypted Password Examples • User Maximum Links Configuration Example • MPPC Interface Configuration Examples • IP Address Pooling Example • DHCP Network Control Example • PPP Reliable Link Examples • MLP Examples • MLP Interleaving and Queueing for Real-Time Traffic Example Command Purpose Router(config-if)# ppp multilink fragment disable (Optional) Disables PPP multilink fragmentation. Command Purpose Router> show ppp multilink Displays MLP and MMP bundle information. Configuring Media-Independent PPP and Multilink PPP Configuration Examples for PPP and MLP DC-621 Cisco IOS Dial Technologies Configuration Guide • T3 Controller Configuration for an MLP Multilink Inverse Multiplexer Example • Multilink Interface Configuration for Distributed MLP Example CHAP with an Encrypted Password Examples The following examples show how to enable CHAP on serial interface 0 of three devices: Configuration of Router yyy hostname yyy interface serial 0 encapsulation ppp ppp authentication chap username xxx password secretxy username zzz password secretzy Configuration of Router xxx hostname xxx interface serial 0 encapsulation ppp ppp authentication chap username yyy password secretxy username zzz password secretxz Configuration of Router zzz hostname zzz interface serial 0 encapsulation ppp ppp authentication chap username xxx password secretxz username yyy password secretzy When you look at the configuration file, the passwords will be encrypted and the display will look similar to the following: hostname xxx interface serial 0 encapsulation ppp ppp authentication chap username yyy password 7 121F0A18 username zzz password 7 1329A055 User Maximum Links Configuration Example The following example shows how to configure the username sTephen and establish a maximum of five connections. sTephen can connect through serial interface 1/0, which has a dialer map configured for it, or through PRI interface 0/0:23, which has dialer profile interface 0 dedicated to it. The aaa authorization network default local command must be configured. PPP encapsulation and authentication must be enabled on all the interfaces that sTephen can connect to. aaa new-model aaa authorization network default local enable secret saintstephen enable password witharose ! username sTephen user-maxlinks 5 password gardenhegoes Configuring Media-Independent PPP and Multilink PPP Configuration Examples for PPP and MLP DC-622 Cisco IOS Dial Technologies Configuration Guide ! interface Serial0/0:23 no ip address encapsulation ppp dialer pool-member 1 ppp authentication chap ppp multilink ! interface Serial1/0 ip address 10.2.2.4 255.255.255.0 encapsulation ppp dialer in-band dialer map ip 10.2.2.13 name sTephen 12345 dialer-group 1 ppp authentication chap ! interface Dialer0 ip address 10.1.1.4 255.255.255.0 encapsulation ppp dialer remote-name sTephen dialer string 23456 dialer pool 1 dialer-group 1 ppp authentication chap ppp multilink ! dialer-list 1 protocol ip permit MPPC Interface Configuration Examples The following example configures asynchronous interface 1 to implement MPPC and ignore the protocol field compression flag negotiated by LCP: interface async1 ip unnumbered ethernet0 encapsulation ppp async default routing async dynamic routing async mode interactive peer default ip address 172.21.71.74 compress mppc ignore-pfc The following example creates a virtual access interface (virtual-template interface 1) and serial interface 0, which is configured for X.25 encapsulation. MPPC values are configured on the virtual-template interface and will ignore the negotiated protocol field compression flag. interface ethernet0 ip address 172.20.30.102 255.255.255.0 ! interface virtual-template1 ip unnumbered ethernet0 peer default ip address pool vtemp1 compress mppc ignore-pfc ! interface serial0 no ipaddress no ip mroute-cache encapsulation x25 x25 win 7 x25 winout 7 x25 ips 512 x25 ops 512 Configuring Media-Independent PPP and Multilink PPP Configuration Examples for PPP and MLP DC-623 Cisco IOS Dial Technologies Configuration Guide clock rate 50000 ! ip local pool vtemp1 172.20.30.103 172.20.30.104 ip route 0.0.0.0 0.0.0.0 172.20.30.1 ! translate x25 31320000000000 virtual-template 1 IP Address Pooling Example The following example configures a modem to dial in to a Cisco access server and obtain an IP address from the DHCP server. This configuration allows the user to log in and browse an NT network. Notice that the dialer 1 and group-async 1 interfaces are configured with the ip unnumbered loopback command, so that the broadcast can find the dialup clients and the client can see the NT network. ! hostname secret ! aaa new-model aaa authentication login default local aaa authentication ppp default if-needed local aaa authentication ppp chap local enable secret 5 encrypted-secret enable password EPassWd1 ! username User1 password 0 PassWd2 username User2 password 0 PassWd3 username User3 password 0 PassWd4 no ip domain-lookup ip dhcp-server 10.47.0.131 async-bootp gateway 10.47.0.1 async-bootp nbns-server 10.47.0.131 isdn switch-type primary-4ess ! ! controller t1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller t1 1 framing esf clock source line secondary linecode b8zs ! interface loopback 0 ip address 10.47.252.254 255.255.252.0 ! interface ethernet 0 ip address 10.47.0.5 255.255.252.0 ip helper-address 10.47.0.131 ip helper-address 10.47.0.255 no ip route-cache no ip mroute-cache ! interface serial 0 no ip address no ip mroute-cache shutdown ! Configuring Media-Independent PPP and Multilink PPP Configuration Examples for PPP and MLP DC-624 Cisco IOS Dial Technologies Configuration Guide interface serial 1 no ip address shutdown ! interface serial 0:23 no ip address encapsulation ppp no ip mroute-cache dialer rotary-group 1 dialer-group 1 isdn incoming-voice modem no fair-queue no cdp enable ! interface group-async 1 ip unnumbered loopback 0 ip helper-address 10.47.0.131 ip tcp header-compression passive encapsulation ppp no ip route-cache no ip mroute-cache async mode interactive peer default ip address dhcp no fair-queue no cdp enable ppp authentication chap group-range 1 24 ! interface dialer 1 ip unnumbered loopback 0 encapsulation ppp dialer in-band dialer-group 1 no peer default ip address no fair-queue no cdp enable ppp authentication chap ppp multilink ! router ospf 172 redistribute connected subnets redistribute static network 10.47.0.0 0.0.3.255 area 0 network 10.47.156.0 0.0.3.255 area 0 network 10.47.168.0 0.0.3.255 area 0 network 10.47.252.0 0.0.3.255 area 0 ! ip local pool RemotePool 10.47.252.1 10.47.252.24 ip classless ip route 10.0.140.0 255.255.255.0 10.59.254.254 ip route 10.2.140.0 255.255.255.0 10.59.254.254 ip route 10.40.0.0 255.255.0.0 10.59.254.254 ip route 10.59.254.0 255.255.255.0 10.59.254.254 ip route 172.23.0.0 255.255.0.0 10.59.254.254 ip route 192.168.0.0 255.255.0.0 10.59.254.254 ip ospf name-lookup no logging buffered access-list 101 deny ip any host 255.255.255.255 access-list 101 deny ospf any any access-list 101 permit ip any any dialer-list 1 protocol ip list 101 snmp-server community public RO ! Configuring Media-Independent PPP and Multilink PPP Configuration Examples for PPP and MLP DC-625 Cisco IOS Dial Technologies Configuration Guide line con 0 line 1 24 autoselect during-login autoselect ppp modem InOut transport input all line aux 0 line vty 0 4 password PassWd5 ! scheduler interval 100 end DHCP Network Control Example The following partial example adds the ip dhcp-client network-discovery command to the previous “IP Address Pooling Example” to allow peer routers to more dynamically discover DNS and NetBIOS name servers. If the ip dhcp-client network-discovery command is disabled, the system falls back to the static configurations made using the async-bootp dns-server and async-bootp nb-server global configuration commands. ! hostname secret ! aaa new-model aaa authentication login default local aaa authentication ppp default if-needed local aaa authentication ppp chap local enable secret 5 encrypted-secret enable password EPassWd1 ! username User1 password 0 PassWd2 username User2 password 0 PassWd3 username User3 password 0 PassWd4 no ip domain-lookup ip dhcp-server 10.47.0.131 ip dhcp-client network-discovery informs 2 discovers 2 period 12 async-bootp gateway 10.47.0.1 async-bootp nbns-server 10.47.0.131 isdn switch-type primary-4ess . . . PPP Reliable Link Examples The following example enables PPP reliable link and STAC compression on BRI 0: interface BRI0 description Enables stac compression on BRI 0 ip address 172.1.1.1 255.255.255.0 encapsulation ppp dialer map ip 172.1.1.2 name baseball 14195386368 compress stac ppp authentication chap dialer-group 1 ppp reliable-link Configuring Media-Independent PPP and Multilink PPP Configuration Examples for PPP and MLP DC-626 Cisco IOS Dial Technologies Configuration Guide The following example shows output of the show interfaces command when PPP reliable link is enabled. The LAPB output lines indicate that PPP reliable link is provided over LAPB. Router# show interfaces serial 0 Serial0 is up, line protocol is up Hardware is HD64570 Description: connects to enkidu s 0 Internet address is 172.21.10.10/8 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255 Encapsulation PPP, loopback not set LCP Open Open: IPCP, CDP LAPB DTE, state CONNECT, modulo 8, k 7, N1 12048, N2 20 T1 3000, T2 0, interface outage (partial T3) 0, T4 0, PPP over LAPB VS 1, VR 1, tx NR 1, Remote VR 1, Retransmissions 0 Queues: U/S frames 0, I frames 0, unack. 0, reTx 0 IFRAMEs 1017/1017 RNRs 0/0 REJs 0/0 SABM/Es 1/1 FRMRs 0/0 DISCs 0/0 Last input 00:00:18, output 00:00:08, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0 (size/max/drops); Total output drops: 0 Queueing strategy: weighted fair Output queue: 0/64/0 (size/threshold/drops) Conversations 0/1 (active/max active) Reserved Conversations 0/0 (allocated/max allocated) 5 minute input rate 3000 bits/sec, 4 packets/sec 5 minute output rate 3000 bits/sec, 7 packets/sec 1365 packets input, 107665 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 2064 packets output, 109207 bytes, 0 underruns 0 output errors, 0 collisions, 4 interface resets 0 output buffer failures, 0 output buffers swapped out 4 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up MLP Examples This section contains the following MLP examples: • MLP on Synchronous Serial Interfaces Example • MLP on One ISDN BRI Interface Example • MLP on Multiple ISDN BRI Interfaces Example • MLP Using Multilink Group Interfaces over ATM Example • Changing the Default Endpoint Discriminator Example MLP on Synchronous Serial Interfaces Example MLP provides characteristics most similar to hardware inverse multiplexers, with good manageability and Layer 3 services support. Figure 93 shows a typical inverse multiplexing application using two Cisco routers and Multilink PPP over four T1 lines. Configuring Media-Independent PPP and Multilink PPP Configuration Examples for PPP and MLP DC-627 Cisco IOS Dial Technologies Configuration Guide Figure 93 Inverse Multiplexing Application Using Multilink PPP The following example shows the configuration commands used to create the inverse multiplexing application: Router A Configuration hostname RouterA ! ! username RouterB password your_password ip subnet-zero multilink virtual-template 1 ! interface Virtual-Template1 ip unnumbered Ethernet0 ppp authentication chap ppp multilink ! interface Serial0 no ip address encapsulation ppp no fair-queue ppp multilink pulse-time 3 ! interface Serial1 no ip address encapsulation ppp no fair-queue ppp multilink pulse-time 3 ! interface Serial2 no ip address encapsulation ppp no fair-queue ppp multilink pulse-time 3 ! interface Serial3 no ip address encapsulation ppp no fair-queue ppp multilink pulse-time 3 ! interface Ethernet0 ip address 10.17.1.254 255.255.255.0 ! router rip network 10.0.0.0 ! end Router A Ethernet Ethernet Router B T1 connection 60144 Configuring Media-Independent PPP and Multilink PPP Configuration Examples for PPP and MLP DC-628 Cisco IOS Dial Technologies Configuration Guide Router B Configuration hostname RouterB ! ! username RouterB password your_password ip subnet-zero multilink virtual-template 1 ! interface Virtual-Template1 ip unnumbered Ethernet0 ppp authentication chap ppp multilink ! interface Serial0 no ip address encapsulation ppp no fair-queue ppp multilink pulse-time 3 ! interface Serial1 no ip address encapsulation ppp no fair-queue ppp multilink pulse-time 3 ! interface Serial2 no ip address encapsulation ppp no fair-queue ppp multilink pulse-time 3 ! interface Serial3 no ip address encapsulation ppp no fair-queue ppp multilink pulse-time 3 ! interface Ethernet0 ip address 10.17.2.254 255.255.255.0 ! router rip network 10.0.0.0 ! end MLP on One ISDN BRI Interface Example The following example enables MLP on BRI interface 0. Because an ISDN interface is a rotary group by default, when one BRI is configured, no dialer rotary group configuration is required. interface bri 0 description connected to ntt 81012345678902 ip address 172.31.1.7 255.255.255.0 encapsulation ppp dialer idle-timeout 30 dialer load-threshold 40 either dialer map ip 172.31.1.8 name atlanta 81012345678901 Configuring Media-Independent PPP and Multilink PPP Configuration Examples for PPP and MLP DC-629 Cisco IOS Dial Technologies Configuration Guide dialer-group 1 ppp authentication pap ppp multilink MLP on Multiple ISDN BRI Interfaces Example The following example configures multiple ISDN BRI interfaces to belong to the same dialer rotary group for Multilink PPP. The dialer rotary-group command is used to assign each of the ISDN BRI interfaces to that dialer rotary group. interface BRI0 no ip address encapsulation ppp dialer idle-timeout 500 dialer rotary-group 0 dialer load-threshold 30 either ! interface BRI1 no ip address encapsulation ppp dialer idle-timeout 500 dialer rotary-group 0 dialer load-threshold 30 either ! interface BRI2 no ip address encapsulation ppp dialer idle-timeout 500 dialer rotary-group 0 dialer load-threshold 30 either ! interface Dialer0 ip address 10.0.0.2 255.0.0.0 encapsulation ppp dialer in-band dialer idle-timeout 500 dialer map ip 10.0.0.1 name atlanta broadcast 81012345678901 dialer load-threshold 30 either dialer-group 1 ppp authentication chap ppp multilink MLP Using Multilink Group Interfaces over ATM Example The following example configures MLP over an ATM PVC using a multilink group: interface multilink 1 ip address 10.200.83.106 255.255.255.252 ip tcp header-compression iphc-format delay 20000 service policy output xyz encapsulation ppp ppp multilink ppp multilink fragment delay 10 ppp multilink interleave ppp timeout multilink link remove 10 ip rtp header-compression iphc-format interface virtual-template 3 bandwidth 128 ppp multilink group 1 Configuring Media-Independent PPP and Multilink PPP Configuration Examples for PPP and MLP DC-630 Cisco IOS Dial Technologies Configuration Guide interface atm 4/0.1 point-to-point pvc 0/32 abr 100 80 protocol ppp virtual-template 3 Changing the Default Endpoint Discriminator Example The following partial example changes the MLP endpoint discriminator from the default CHAP host name C-host1 to the E.164-compliant telephone number 1 603 555-1212: . . . interface dialer 0 ip address 10.1.1.4 255.255.255.0 encapsulation ppp dialer remote-name R-host1 dialer string 23456 dialer pool 1 dialer-group 1 ppp chap hostname C-host1 ppp multilink endpoint phone 16035551212 . . . MLP Interleaving and Queueing for Real-Time Traffic Example The following example defines a virtual interface template that enables MLP interleaving and a maximum real-time traffic delay of 20 milliseconds, and then applies that virtual template to the MLP bundle: interface virtual-template 1 ip unnumbered ethernet 0 ppp multilink ppp multilink interleave ppp multilink fragment delay 20 ip rtp interleave 32768 20 1000 multilink virtual-template 1 The following example enables MLP interleaving on a dialer interface that controls a rotary group of BRI interfaces. This configuration permits IP packets to trigger calls. interface BRI 0 description connected into a rotary group encapsulation ppp dialer rotary-group 1 ! interface BRI 1 no ip address encapsulation ppp dialer rotary-group 1 ! interface BRI 2 encapsulation ppp dialer rotary-group 1 ! interface BRI 3 no ip address encapsulation ppp dialer rotary-group 1 ! Configuring Media-Independent PPP and Multilink PPP Configuration Examples for PPP and MLP DC-631 Cisco IOS Dial Technologies Configuration Guide interface BRI 4 encapsulation ppp dialer rotary-group 1 ! interface Dialer 0 description Dialer group controlling the BRIs ip address 10.1.1.1 255.255.255.0 encapsulation ppp dialer map ip 10.1.1.2 name angus 14802616900 dialer-group 1 ppp authentication chap ! Enables Multilink PPP interleaving on the dialer interface and reserves ! a special queue. ppp multilink ppp multilink interleave ip rtp reserve 32768 20 1000 ! Keeps fragments of large packets small enough to ensure delay of 20 ms or less. ppp multilink fragment delay 20 dialer-list 1 protocol ip permit T3 Controller Configuration for an MLP Multilink Inverse Multiplexer Example In the following example, the T3 controller is configured and four channelized interfaces are created: controller T3 1/0/0 framing m23 cablelength 10 t1 1 timeslots 1-24 t1 2 timeslots 1-24 t1 3 timeslots 1-24 t1 4 timeslots 1-24 Multilink Interface Configuration for Distributed MLP Example In the following example, four multilink interfaces are created with distributed CEF switching and MLP enabled. Each of the newly created interfaces is added to a multilink bundle. interface multilink1 ip address 10.0.0.0 10.255.255.255 ppp chap hosstname group 1 ppp multilink ppp multilink group 1 interface serial 1/0/0/:1 no ip address encapsulation ppp ip route-cache distributed no keepalive ppp multilink ppp multilink group 1 interface serial 1/0/0/:2 no ip address encapsulation ppp ip route-cache distributed no keepalive ppp chap hostname group 1 ppp multilink ppp multilink group 1 Configuring Media-Independent PPP and Multilink PPP Configuration Examples for PPP and MLP DC-632 Cisco IOS Dial Technologies Configuration Guide interface serial 1/0/0/:3 no ip address encapsulation ppp ip route-cache distributed no keepalive ppp chap hostname group 1 ppp multilink ppp multilink group 1 interface serial 1/0/0/:4 no ip address encapsulation ppp ip route-cache distributed no keepalive ppp chap hostname group 1 ppp multilink ppp multilink group 1 DC-633 Cisco IOS Dial Technologies Configuration Guide Configuring Multichassis Multilink PPP This chapter describes how to configure Multichassis Multilink PPP (MLP). It includes the following main sections: • Multichassis Multilink PPP Overview • How to Configure MMP • Monitoring and Maintaining MMP Virtual Interfaces • Configuration Examples for MMP To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the MMP commands mentioned in this chapter, refer to the Cisco IOS Dial Technologies Command Reference, Release 12. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Multichassis Multilink PPP Overview Prior to Release 11.2, Cisco IOS supported Multilink PPP (MLP). Beginning with Release 11.2, Cisco IOS software also supports Multichassis Multilink PPP (MMP). MLP provides the capability of splitting and recombining packets to a single end system across a logical pipe (also called a bundle) formed by multiple links. MMP provides bandwidth on demand and reduces transmission latency across WAN links. MMP, however, provides the additional capability for links to terminate at multiple routers with different remote addresses. MMP can also handle both analog and digital traffic. MLP is intended for situations with large pools of dial-in users, in which a single chassis cannot provide enough dial ports. This feature allows companies to provide a single dialup number to its users and to apply the same solution to analog and digital calls. This feature allows Internet service providers (ISPs), for example, to allocate a single ISDN rotary number to several ISDN PRIs across several routers. This capability allows for easy expansion and scalability and for assured fault tolerance and redundancy. MMP allows network access servers to be stacked together and to appear as a single network access server chassis so that if one network access server fails, another network access server in the stack can accept calls. With large-scale dial-out, these features are available for both outgoing and incoming calls. Configuring Multichassis Multilink PPP Multichassis Multilink PPP Overview DC-634 Cisco IOS Dial Technologies Configuration Guide Stack Groups Routers or access servers are configured to belong to groups of peers called stack groups. All members of the stack group are peers; stack groups do not need a permanent lead router. Any stack group member can answer calls coming from a single access number, which is usually an ISDN PRI hunt group. Calls can come in from remote user devices, such as routers, modems, ISDN terminal adapters, and PC cards. Once a connection is established with one member of a stack group, that member owns the call. If a second call comes in from the same client and a different router answers the call, the router establishes a tunnel and forwards all packets that belong to the call to the router that owns the call. Establishing a tunnel and forwarding calls through it to the router that owns the call is sometimes called projecting the PPP link to the call master. If a more powerful router is available, it can be configured as a member of the stack group and the other stack group members can establish tunnels and forward all calls to it. In such a case, the other stack group members are just answering calls and forwarding traffic to the more powerful offload router. Note High-latency WAN lines between stack group members can make stack group operation inefficient. Call Handling and Bidding MMP call handling, bidding, and Layer 2 forwarding operations in the stack group proceed as follows: 1. When the first call comes in to the stack group, router A answers. 2. In the bidding, router A wins because it already has the call. Router A becomes the call-master for that session with the remote device. (Router A might also be called the host to the master bundle interface.) 3. When the remote device that initiated the call needs more bandwidth, it makes a second MLP call to the group. 4. When the second call comes in, router D answers it and informs the stack group. Router A wins the bidding because it already is handling the session with that remote device. 5. Router D establishes a tunnel to router A and forwards the raw PPP data to router A. 6. Router A reassembles and resequences the packets. 7. If more calls come in to router D and they too belong to router A, the tunnel between routers A and D enlarges to handle the added traffic. Router D does not establish an additional tunnel to router A. 8. If more calls come in and are answered by any other router, that router also establishes a tunnel to router A and forwards the raw PPP data. 9. The reassembled data is passed on the corporate network as if it had all come through one physical link. Figure 94 shows the call handling an bidding process in a typical MLP scenario. Configuring Multichassis Multilink PPP Multichassis Multilink PPP Overview DC-635 Cisco IOS Dial Technologies Configuration Guide Figure 94 Typical MLP Scenario In contrast to Figure 94, Figure 95 features an offload router. Access servers that belong to a stack group answer calls, establish tunnels, and forward calls to a Cisco 4700 router that wins the bidding and is the call master for all the calls. The Cisco 4700 reassembles and resequences all the packets that come in through the stack group. Figure 95 MLP with an Offload Router as a Stack Group Member Note You can build stack groups using different access-server, switching, and router platforms. However, universal access servers such as the Cisco AS5200 should not be combined with ISDN-only access servers such as the Cisco 4000 series platform. Because calls from the central office are allocated in an arbitrary way, this combination could result in an analog call being delivered to a digital-only access server, which would not be able to handle the call. MMP support on a group of routers requires that each router be configured to support the following: • Multilink PPP • Stack Group Bidding Protocol (SGBP) • Virtual template used for cloning interface configuration to support MMP S4788 Router ISDN PRI access Digital Stack group on a corporate network Remote user Internal service provider A B C D E Analog S4789 Router ISDN PRI access Digital Stack group on a corporate network Remote user Internal service provider A B Cisco 4700 C D E Analog Configuring Multichassis Multilink PPP How to Configure MMP DC-636 Cisco IOS Dial Technologies Configuration Guide MMP is supported on the Cisco 2500, 4500, and 7500 series platforms and on synchronous serial, asynchronous serial, ISDN BRI, ISDN PRI, and dialer interfaces. MMP does not require reconfiguration of telephone company switches. Dialer profiles are not supported for SGBP (Stack Group Bidding Protocol). How to Configure MMP To configure MMP, perform the tasks in the following sections, in the order listed: • Configuring the Stack Group and Identifying Members (Required) • Configuring a Virtual Template and Creating a Virtual Template Interface (Required) See the section “Monitoring and Maintaining MMP Virtual Interfaces” later in this chapter for tips on maintaining MMP. See the examples in the section “Configuration Examples for MMP” later in this chapter for ideas on how to configure MMP in your network. Configuring the Stack Group and Identifying Members To configure the stack group on the router, use the following commands in global configuration mode: Repeat these steps for each additional stack group peer. Note Only one stack group can be configured per access server or router. Configuring a Virtual Template and Creating a Virtual Template Interface You need to configure a virtual template for MMP when asynchronous or synchronous serial interfaces are used, but dialers are not defined. When dialers are configured on the physical interfaces, do not specify a virtual template interface. Command Purpose Step 1 Router(config)# username name password password Creates authentication credentials for the stack group. Step 2 Router(config)# sgbp group name Creates the stack group and assign this router to it. Step 3 Router(config)# sgbp member peer-name [peer-ip-address] Specifies a peer member of the stack group. Configuring Multichassis Multilink PPP Monitoring and Maintaining MMP Virtual Interfaces DC-637 Cisco IOS Dial Technologies Configuration Guide To configure a virtual template for any nondialer interfaces, use the following commands beginning in global configuration mode: If dialers are or will be configured on the physical interfaces, the ip unnumbered command, mentioned in Step 4, will be used in configuring the dialer interface. For examples that show MMP configured with and without dialers, see the “Configuration Examples for MMP” at the end of this chapter. Note Never define a specific IP address on the virtual template because projected virtual access interfaces are always cloned from the virtual template interface. If a subsequent PPP link also gets projected to a stack member with a virtual access interface already cloned and active, we will have identical IP addresses will be on the two virtual interfaces. IP will erroneously route between them. For more information about address pooling, see the “Configuring Media-Independent PPP and Multilink PPP” chapter. Monitoring and Maintaining MMP Virtual Interfaces To monitor and maintain virtual interfaces, use any of the following commands in EXEC mode: Command Purpose Step 1 Router(config)# multilink virtual-template number Defines a virtual template for the stack group. This step is not required if ISDN interfaces or other dialers are configured and used by the physical interfaces. Step 2 Router(config)# ip local pool default ip-address Specifies an IP address pool by using any pooling mechanism—for example, IP local pooling or Dynamic Host Configuration Protocol (DHCP) pooling. Step 3 Router(config)# interface virtual-template number Creates a virtual template interface and enters interface configuration mode. This step is not required if ISDN interfaces or other dialers are configured and used by the physical interfaces. Step 4 Router(config-if)# ip unnumbered ethernet 0 Specifies unnumbered IP. Step 5 Router(config-if)# no ip route-cache Disables fast switching, which enables per-packet load sharing and enhances performance on slower serial links. Step 6 Router(config-if)# encapsulation ppp Enables PPP encapsulation on the virtual template interface. Step 7 Router(config-if)# ppp multilink Enables Multilink PPP on the virtual template interface. Step 8 Router(config-if)# ppp authentication chap Enables PPP authentication on the virtual template interface. Command Purpose Router> show ppp multilink Displays MLP and MMP bundle information. Router> show sgbp Displays the status of the stack group members. Router> show sgbp queries Displays the current seed bid value. Configuring Multichassis Multilink PPP Configuration Examples for MMP DC-638 Cisco IOS Dial Technologies Configuration Guide Configuration Examples for MMP The following sections provide w MMP configuration examples without and with dialers: • MMP Using PRI But No Dialers • MMP with Dialers • MMP with Offload Server MMP Using PRI But No Dialers The following example shows the configuration of MMP when no dialers are involved. Comments in the configuration discuss the commands. Variations are shown for a Cisco AS5200 access server or Cisco 4000 series router and for an E1 or T1 controller. sgbp group stackq sgbp member systemb 10.1.1.2 sgbp member systemc 10.1.1.3 username stackq password therock ! First make sure the multilink virtual template number is defined globally on ¡ each router that is a member of the stack group. multilink virtual-template 1 ! If you have not configured any dialer interfaces for the physical interfaces in ! question (PRI, BRI, async, sync serial), you can define a virtual template. interface virtual-template 1 ip unnumbered e0 no ip route-cache ppp authentication chap ppp multilink ! Never define a specific IP address on the virtual template because projected ! virtual access interfaces are always cloned from the virtual template interface. ! If a subsequent PPP link also gets projected to a stack member with a virtual ! access interface already cloned and active, identical IP addresses will be on ! on the two virtual interfaces. IP will erroneously route between them. ! On an AS5200 or 4XXX platform. ! On a TI controller. ! controller T1 0 framing esf linecode b8zs pri-group timeslots 1-24 ! interface serial 0:23 no ip address encapsulation ppp no ip route-cache ppp authentication chap ppp multilink ! ! On an E1 controller. ! controller E1 0 framing crc4 linecode hdb3 pri-group timeslots 1-31 Configuring Multichassis Multilink PPP Configuration Examples for MMP DC-639 Cisco IOS Dial Technologies Configuration Guide interface serial 0:15 no ip address encapsulation ppp no ip route-cache ppp authentication chap ppp multilink MMP with Dialers When dialers are configured on the physical interfaces and when the interface itself is a dialer, do not specify a virtual template interface. For dialers, you only need to define the stack group name, common password, and its members across all the stack members. No virtual template interface is defined at all. Only the PPP commands in dialer interface configuration are applied to the bundle interface. Subsequent projected PPP links are also cloned with the PPP commands from the dialer interface. Dialer profiles are not supported for SGBP (Stack Group Bidding Protocol). This section includes the following examples: • MMP with Explicitly Defined Dialer • MMP with ISDN PRI but No Explicitly Defined Dialer MMP with Explicitly Defined Dialer The following example includes a dialer that is explicitly specified by the interface dialer command and configured by the commands that immediately follow: sgbp group stackq sgbp member systemb 10.1.1.2 sgbp member systemc 10.1.1.3 username stackq password therock interface dialer 1 ip unnumbered e0 dialer map ..... encapsulation ppp ppp authentication chap dialer-group 1 ppp multilink ! ! On a T1 controller controller T1 0 framing esf linecode b8zs pri-group timeslots 1-24 interface Serial0:23 no ip address encapsulation ppp dialer in-band dialer rotary 1 dialer-group 1 ! ! Or on an E1 Controller controller E1 0 framing crc4 linecode hdb3 Configuring Multichassis Multilink PPP Configuration Examples for MMP DC-640 Cisco IOS Dial Technologies Configuration Guide pri-group timeslots 1-31 interface serial 0:15 no ip address encapsulation ppp no ip route-cache ppp authentication chap ppp multilink MMP with ISDN PRI but No Explicitly Defined Dialer ISDN PRIs and BRIs by default are dialer interfaces. That is, a PRI configured without an explicit interface dialer command is still a dialer interface. The following example configures ISDN PRI. The D-channel configuration on serial interface 0:23 is applied to all the B channels. MMP is enabled, but no virtual interface template needs to be defined. sgbp group stackq sgbp member systemb 10.1.1.2 sgbp member systemc 10.1.1.3 username stackq password therock isdn switch-type primary-4ess controller t1 0 framing esf linecode b8zs pri-group timeslots 1-23 isdn switch-type basic-net3 interface Serial0:23 ip unnumbered e0 dialer map ..... encap ppp ppp authentication chap dialer-group 1 dialer rot 1 ! ppp multilink MMP with Offload Server The following example shows a virtual template interface for a system that is being configured as an offload server (via the sgbp seed-bid offload command). All other stack group members must be defined with the sgbp seed-bid default command (or if you do not enter any sgbp seed-bid command, it defaults to this command). multilink virtual-template 1 sgbp group stackq sgbp member systemb 10.1.1.2 sgbp member systemc 10.1.1.3 sgbp seed-bid offload username stackq password therock interface virtual-template 1 ip unnumbered e0 no ip route-cache ppp authentication chap ppp multilink Callback and Bandwidth Allocation Configuration DC-643 Cisco IOS Dial Technologies Configuration Guide Configuring Asynchronous Callback This chapter describes how to configure Cisco IOS software to call back an asynchronous device that dials in, requests a callback from the router, and then disconnects. It includes the following main sections: • Asynchronous Callback Overview • How to Configure Asynchronous Callback • Configuration Examples for Asynchronous Callback To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the commands mentioned in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Asynchronous Callback Overview Asynchronous callback is supported for the PPP and AppleTalk Remote Access (ARA) protocols. Callback is also supported on other interface types for PPP, including ISDN and any device that calls in and connects to the router at the EXEC level. All callback sessions are returned on TTY lines. ARA is supported on virtual terminal lines, but also is supported on TTY lines if the vty-arap command is used. PPP, however, is supported on interfaces. Therefore, to enable PPP callback, you must enter the autoselect ppp command on the callback lines. All current security mechanisms supported in Cisco IOS software are supported by the callback facility, including the following: • TACACS+ • Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP) for PPP • Per-user authentication for EXEC callback and ARA callback The call originator must have the appropriate permissions set on the router before it can initiate a callback session. Configuring Asynchronous Callback How to Configure Asynchronous Callback DC-644 Cisco IOS Dial Technologies Configuration Guide Callback is useful for two purposes: • Cost savings on toll calls For example, suppose it costs more to call from clients in Zone A to devices in Zone D than to call from Zone D to Zone A—costs are lower when devices in Zone D call back clients in Zone A. • Consolidation and centralization of phone billing For example, if a corporation has 64 dial-in clients, enabling its routers to call back these clients consolidates billing. Instead of 64 phone bills, the corporation receives one bill. How to Configure Asynchronous Callback To configure asynchronous callback, perform the tasks in the following sections: • Configuring Callback PPP Clients (Required) • Enabling PPP Callback on Outgoing Lines (Required) • Enabling Callback Clients That Dial In and Connect to the EXEC Prompt (Required) • Configuring Callback ARA Clients (Required) See the section “Configuration Examples for Asynchronous Callback” at the end of this chapter for ideas on how to implement asynchronous callback. Configuring Callback PPP Clients You can call back PPP clients that dial in to asynchronous interfaces. You can enable callback to the following two types of PPP clients: • Clients that implement PPP callback per RFC 1570 (as an link control protocol, or LCP, negotiated extension). • Clients that do not negotiate callback but can put themselves in answer-mode, whereby a callback from the router is accepted. This section describes how to enable callback to each of these types of PPP clients. Accepting Callback Requests from RFC-Compliant PPP Clients To accept a callback request from an RFC 1570 PPP-compliant client, use the following command in interface (asynchronous) configuration mode: To configure Cisco IOS software to call back the originating PPP client, see the section “Enabling PPP Callback on Outgoing Lines” later in this chapter. Command Purpose Router(config-if)# ppp callback accept Enables callback requests from RFC 1570 PPP-compliant clients on an asynchronous interface. Configuring Asynchronous Callback How to Configure Asynchronous Callback DC-645 Cisco IOS Dial Technologies Configuration Guide Accepting Callback Requests from Non-RFC-Compliant PPP Clients Placing Themselves in Answer Mode A PPP client can put itself in answer-mode and can still be called back by the router, even though it cannot specifically request callback. To enable callback on the router to this type of client, use the following command in interface (asynchronous) configuration mode: To configure Cisco IOS software to call back the originating PPP client, see the next section, “Enabling PPP Callback on Outgoing Lines.” Enabling PPP Callback on Outgoing Lines After enabling PPP clients to connect to an asynchronous interface and wait for a callback, you must place one or more TTY lines in PPP mode. Although calls from PPP clients enter through an asynchronous interface, the calls exit the client on a line placed in PPP mode. To enable PPP client callback on outgoing TTY lines, use the following commands beginning in global configuration mode: A client can issue a callback dial string; that dial string is used only if the dial string on the router is specified as NULL or is not defined. The recommended PPP chat script follows: chat-script name ABORT ERROR ABORT BUSY ““ “ATZ” OK “ATDT \T” TIMEOUT 30 CONNECT \c See the section “Callback to a PPP Client Example” at the end of this chapter for a configuration example. Command Purpose Router(config-if)# ppp callback initiate Initiates callback requests from non-RFC 1570 PPP-compliant clients on an asynchronous interface. Command Purpose Step 1 Router(config)# chat-script script-name expect-send Defines a chat script to be applied when a PPP client requests callback. Step 2 Router(config)# username name [callback-dialstring telephone-number] Specifies a per-username callback dial string. Step 3 Router(config)# username name [callback-rotary rotary-group-number] Specifies a per-username rotary group for callback. Step 4 Router(config)# username name [callback-line [tty] line-number [ending-line-number]] Specifies a per-username line or set of lines for callback. Step 5 Router(config)# line [tty] line-number [ending-line-number] Enters line configuration mode. Step 6 Router(config-line)# autoselect ppp Configures automatic PPP startup on a line or set of lines. Step 7 Router(config-line)# login {authentication | local} Enables authentication on the line. Step 8 Router(config-line)# script callback regexp Applies a chat script to a line or set of lines. Step 9 Router(config-line)# callback forced-wait number-of-seconds Delays the callback for client modems that require a rest period before receiving a callback. Configuring Asynchronous Callback How to Configure Asynchronous Callback DC-646 Cisco IOS Dial Technologies Configuration Guide Note Normally a router avoids line and modem noise by clearing the initial data received within the first one or two seconds. However, when the autoselect PPP feature is configured, the router flushes characters initially received and then waits for more traffic. This flush causes time out problems with applications that send only one carriage return. To ensure that the input data sent by a modem or other asynchronous device is not lost after line activation, enter the no flush-at-activation line configuration command. Enabling Callback Clients That Dial In and Connect to the EXEC Prompt You can call back clients that dial in to a TTY line and connect to the EXEC prompt. To enable callback, use the following commands beginning in global configuration mode: The recommended EXEC chat script follows: chat-script name ABORT ERROR ABORT BUSY ““ “ATZ” OK “ATDT \T” TIMEOUT 30 CONNECT \c See the section “Callback Clients That Connect to the EXEC Prompt Example” at the end of this chapter for a configuration example. Command Purpose Step 1 Router(config)# service exec-callback Enables EXEC callback. Step 2 Router(config)# chat-script script-name expect-send Defines a chat script to be applied when clients dial in to the EXEC prompt. Step 3 Router(config)# username name [callback-dialstring telephone-number] Specifies a per-username callback dial string. Step 4 Router(config)# username name [callback-rotary rotary-group-number] Specifies a per-username rotary group for callback. Step 5 Router(config)# username name [callback-line [aux | tty] line-number [ending-line-number]] Specifies a per-username line or set of lines for callback. Step 6 Router(config)# username name [nocallback-verify] Does not require authentication on EXEC callback. Step 7 Router(config)# line [tty] line-number [ending-line-number] Enters line configuration mode. Step 8 Router(config-line)# script callback regexp Applies a chat script to the line or a set of lines. Step 9 Router(config-line)# callback forced-wait number-of-seconds Delays the callback for client modems that require a rest period before receiving a callback. Configuring Asynchronous Callback Configuration Examples for Asynchronous Callback DC-647 Cisco IOS Dial Technologies Configuration Guide Configuring Callback ARA Clients To configure callback of ARA clients, use the following commands beginning in global configuration mode. These steps assume that you have already enabled AppleTalk routing and ARA. The recommended ARA chat script follows and includes vendor-specific extensions on the Telebit 3000 modem to disable error control. Refer to the manual for your modem for the specific commands to disable error correction for ARA. chat-script name ABORT ERROR ABORT BUSY ““ “ATZ” OK “ATS180=0” OK “ATS181=1” OK “ATDT \T” TIMEOUT 60 CONNECT \c See the section “Callback to an ARA Client Example” at the end of this chapter for an example of calling back a PPP client. Configuration Examples for Asynchronous Callback The following sections provide asynchronous callback configuration examples: • Callback to a PPP Client Example • Callback Clients That Connect to the EXEC Prompt Example • Callback to an ARA Client Example Command Purpose Step 1 Router(config)# arap callback Enables callback to an ARA client. Step 2 Router(config)# chat-script script-name expect-send Defines a chat script to be applied when an ARA client connects to a TTY line and requests callback. Step 3 Router(config)# line [tty] line-number [ending-line-number] Enters line configuration mode. Step 4 Router(config-line)# arap enable Enables ARA on the line. Step 5 Router(config-line)# autoselect arap Configures automatic protocol startup on the line. Step 6 Router(config-line)# login {authentication | local} Enables authentication on the line. Step 7 Router(config-line)# script arap-callback regexp Applies an ARA-specific chat script to a line or set of lines. Step 8 Router(config-line)# callback forced-wait number-of-seconds Delays the callback for client modems that require a rest period before receiving a callback. Step 9 Router(config-line)# exit Returns to global configuration mode. Step 10 Router(config)# username name [callback-dialstring telephone-number] Specifies a per-username callback dial string. Step 11 Router(config)# username name [callback-rotary rotary-group-number] Specifies a per-username rotary group for callback. Step 12 Router(config)# username name [callback-line [tty] line-number [ending-line-number]] Specifies a per-username line or set of lines for callback. Configuring Asynchronous Callback Configuration Examples for Asynchronous Callback DC-648 Cisco IOS Dial Technologies Configuration Guide Callback to a PPP Client Example The following example shows the process of configuring callback to a PPP client on rotary 77. PAP authentication is enabled for PPP on the asynchronous interfaces. The login local command enables local username authentication on lines 7, 8, and 9. The remote PPP client host name is Ted, and the callback number is fixed at 1234567. username Ted callback-dialstring “1234567“ callback-rotary 77 password Rhoda interface async 7 ip unnumbered ethernet 0 encapsulation ppp no keepalive async default ip address 10.1.1.1 async mode interactive ppp callback accept ppp authentication pap interface async 8 ip unnumbered ethernet 0 encapsulation ppp no keepalive async default ip address 10.1.1.2 async mode interactive ppp callback accept ppp authentication pap interface async 9 ip unnumbered ethernet 0 encapsulation ppp no keepalive async default ip address 10.1.1.3 async mode interactive ppp callback accept ppp authentication pap line 7 login local modem InOut rotary 77 autoselect ppp line 8 login local modem InOut rotary 77 autoselect ppp line 9 login local modem InOut rotary 77 autoselect ppp Configuring Asynchronous Callback Configuration Examples for Asynchronous Callback DC-649 Cisco IOS Dial Technologies Configuration Guide Callback Clients That Connect to the EXEC Prompt Example The following example shows the process to configure an outgoing callback on the same line as the incoming request. The login local command enables local username authentication on lines 4 and 7. Reauthentication is required upon reconnection. service exec-callback username milarepa callback-dialstring ““ password letmein line 4 login local line 7 login local Callback to an ARA Client Example The following example shows the process of configuring callback to an ARA client on line 7. The login local command enables local username authentication on lines 4 and 7. Line 7 will always be used for ARA callback, whether the incoming call enters line 4, 7, or 8. appletalk routing arap callback arap network 422 router test username excalibur callback-dialstring “123456“ callback-line 7 password guenivere line 4 login local modem InOut autoselect arap arap enable line 7 login local modem InOut autoselect arap arap enable line 8 login local modem InOut autoselect arap arap enable Configuring Asynchronous Callback Configuration Examples for Asynchronous Callback DC-650 Cisco IOS Dial Technologies Configuration Guide DC-651 Cisco IOS Dial Technologies Configuration Guide Configuring PPP Callback This chapter describes how to configure PPP callback for dial-on-demand routing (DDR). It includes the following main sections: • PPP Callback for DDR Overview • How to Configure PPP Callback for DDR • MS Callback Overview • How to Configure MS Callback • Configuration Examples for PPP Callback This feature implements the following callback specifications of RFC 1570: • For the client—Option 0, location is determined by user authentication. • For the server—Option 0, location is determined by user authentication; Option 1, dialing string; and Option 3, E.164 number. Return calls are made through the same dialer rotary group but not necessarily the same line as the initial call. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the PPP callback commands mentioned in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. PPP Callback for DDR Overview PPP callback provides a client/server relationship between the endpoints of a point-to-point connection. PPP callback allows a router to request that a dialup peer router call back. The callback feature can be used to control access and toll costs between the routers. When PPP callback is configured on the participating routers, the calling router (the callback client) passes authentication information to the remote router (the callback server), which uses the host name and dial string authentication information to determine whether to place a return call. If the authentication is successful, the callback server disconnects and then places a return call. The remote username of the return call is used to associate it with the initial call so that packets can be sent. Configuring PPP Callback How to Configure PPP Callback for DDR DC-652 Cisco IOS Dial Technologies Configuration Guide Both routers on a point-to-point link must be configured for PPP callback; one must function as a callback client and one must be configured as a callback server. The callback client must be configured to initiate PPP callback requests, and the callback server must be configured to accept PPP callback requests and place return calls. See the section “MS Callback Overview” later in this chapter if you are using PPP callback between a Cisco router or access server and client devices configured for Windows 95 and Windows NT. Note If the return call fails (because the line is not answered or the line is busy), no retry occurs. If the callback server has no interface available when attempting the return call, it does not retry. How to Configure PPP Callback for DDR To configure PPP callback for DDR, perform the following tasks: • Configuring a Router as a Callback Client (Required) • Configuring a Router as a Callback Server (Required) For an example of configuring PPP callback, see the section “Configuration Examples for PPP Callback” at the end of this chapter. Configuring a Router as a Callback Client To configure a router interface as a callback client, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# interface type number Specifies the interface and enters interface configuration mode. Step 2 Router(config-if)# dialer in-band [no-parity | odd-parity] Enables DDR. Specifies parity, if needed, on synchronous or asynchronous serial interfaces. Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation. Step 4 Router(config-if)# ppp authentication {chap | pap} Enables CHAP or PAP authentication. Step 5 Router(config-if)# dialer map protocol next-hop-address name hostname dial-string Maps the next hop address to the host name and phone number. Step 6 Router(config-if)# ppp callback request Enables the interface to request PPP callback for this callback map class. Step 7 Router(config-if)# dialer hold-queue packets timeout seconds (Optional) Configures a dialer hold queue to store packets for this callback map class. Configuring PPP Callback MS Callback Overview DC-653 Cisco IOS Dial Technologies Configuration Guide Configuring a Router as a Callback Server To configure a router as a callback server, use the following commands beginning in global configuration mode: Note On the PPP callback server, the dialer enable-timeout command functions as the timer for returning calls to the callback client. MS Callback Overview MS Callback provides client/server callback services for Microsoft Windows 95 and Microsoft Windows NT clients. MS Callback supports the Microsoft Callback Control Protocol (MSCB). MSCB is a Microsoft proprietary protocol that is used by Windows 95 and Windows NT clients. MS Callback supports negotiated PPP Link Control Protocol (LCP) extensions initiated and agreed upon by the Microsoft client. The MS Callback feature is added to existing PPP Callback functionality. Therefore, if you configure your Cisco access server to perform PPP Callback using Cisco IOS Release 11.3(2)T or later, MS Callback is automatically available. Command Purpose Step 1 Router(config)# interface type number Specifies the interface and enters interface configuration mode. Step 2 Router(config-if)# dialer in-band [no-parity | odd-parity] Enables DDR. Specifies parity, if needed, on synchronous or asynchronous serial interfaces. Step 3 Router(config-if)# encapsulation ppp Enables PPP encapsulation. Step 4 Router(config-if)# ppp authentication {chap | pap} Enables CHAP or PAP authentication. Step 5 Router(config-if)# dialer map protocol next-hop-address name hostname class classname dial-string Maps the next hop address to the host name and phone number, using the name of the map class established for PPP callback on this interface. Step 6 Router(config-if)# dialer hold-queue number timeout seconds (Optional) Configures a dialer hold queue to store packets to be transferred when the callback connection is established. Step 7 Router(config-if)# dialer enable-timeout seconds (Optional) Configures a timeout period between calls. Step 8 Router(config-if)# ppp callback accept Configures the interface to accept PPP callback. Step 9 Router(config-if)# isdn fast-rollover-delay seconds (ISDN only) Configures the time to wait before another call is placed on a B channel to allow the prior call to be torn down completely. Step 10 Router(config-if)# dialer callback-secure (Optional) Enables callback security, if desired. Step 11 Router(config-if)# exit Returns to global configuration mode. Step 12 Router(config-map-class)# map-class dialer classname Configures a dialer map class for PPP callback. Step 13 Router(config-map-class)# dialer callback-server [username] Configures a dialer map class as a callback server. Configuring PPP Callback How to Configure MS Callback DC-654 Cisco IOS Dial Technologies Configuration Guide MS Callback supports authentication, authorization, and accounting (AAA) security models using a local database or AAA server. MSCB uses LCP callback options with suboption type 6. The Cisco MS Callback feature supports clients with a user-specified callback number and server specified (preconfigured) callback number. MS Callback does not affect non-Microsoft machines that implement standard PPP LCP extensions as described in RFC 1570. In this scenario, MS Callback is transparent. The following are restrictions of the MS Callback feature: • The Cisco access server and client must be configured for PPP and PPP callback. • The router or access server must be configured to use CHAP or PAP authorization. • MS Callback is only supported on the Public Switched Telephone Network (PSTN) and ISDN links. • MS Callback is only supported for IP. How to Configure MS Callback If you configure the Cisco access server for PPP callback, MS Callback is enabled by default. You need not configure additional parameters on the Cisco access server. If an interface is configured to accept PPP callbacks, and a client attempts to cancel the callback, Cisco IOS software will refuse the request and disconnect the client. If a client is allowed to cancel callbacks, the ppp callback permit command must be configured on the interface. To debug PPP connections using MS Callback, see the debug ppp cbcp command in the Cisco IOS Debug Command Reference publication. For more information on configuring MS Callback, see the following URL. http://www.cisco.com/en/US/customer/tech/tk801/tk36/ technologies_configuration_example09186a0080094338.shtml Configuration Examples for PPP Callback The following example configures a PPP callback server and client to call each other. The PPP callback server is configured on an ISDN BRI interface in a router in Atlanta. The callback server requires an enable timeout and a map class to be defined. The PPP callback client is configured on an ISDN BRI interface in a router in Dallas. The callback client does not require an enable timeout and a map class to be defined. The dialer map command is not required on the Cisco access server when MS Callback is enabled. PPP Callback Server interface bri 0 ip address 10.1.1.7 255.255.255.0 encapsulation ppp dialer callback-secure dialer enable-timeout 2 dialer map ip 10.1.1.8 name class1 class dial1 81012345678901 dialer-group 1 ppp callback accept ppp authentication chap ! map-class dialer dial1 dialer callback-server user1 Configuring PPP Callback Configuration Examples for PPP Callback DC-655 Cisco IOS Dial Technologies Configuration Guide PPP Callback Client interface bri 0 ip address 10.1.1.8 255.255.255.0 encapsulation ppp dialer map ip 10.1.1.7 name class2 81012345678902 dialer-group 1 ppp callback request ppp authentication chap Configuring PPP Callback Configuration Examples for PPP Callback DC-656 Cisco IOS Dial Technologies Configuration Guide DC-657 Cisco IOS Dial Technologies Configuration Guide Configuring ISDN Caller ID Callback This chapter describes how to configure the ISDN Caller ID Callback feature. It includes the following main sections: • ISDN Caller ID Callback Overview • How to Configure ISDN Caller ID Callback • Monitoring and Troubleshooting ISDN Caller ID Callback • Configuration Examples for ISDN Caller ID Callback The ISDN Caller ID Callback feature conflicts with dialer callback security inherent in the dialer profiles feature for dial-on-demand routing (DDR). If dialer callback security is configured, it takes precedence; ISDN caller ID callback is ignored. Caller ID screening requires a local switch that is capable of delivering the caller ID to the router or access server. If you enable caller ID screening but do not have such a switch, no calls will be allowed in. ISDN caller ID callback requires DDR to be configured and bidirectional dialing to be working between the calling and callback routers. Detailed DDR prerequisites depend on whether you have configured legacy DDR or dialer profiles. For a legacy DDR configuration, ISDN caller ID callback has the following prerequisite: • A dialer map command is configured for the dial string that is used in the incoming call setup message. The dial string is used in the callback. For a dialer profiles configuration, ISDN caller ID callback has the following prerequisites: • A dialer caller command is configured to screen for the dial-in number. • A dialer string command is configured with the number to use in the callback. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the ISDN caller ID callback commands mentioned in this chapter, refer to the Cisco IOS Dial Technologies Command Reference, Release 12.2. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Configuring ISDN Caller ID Callback ISDN Caller ID Callback Overview DC-658 Cisco IOS Dial Technologies Configuration Guide ISDN Caller ID Callback Overview ISDN caller ID callback allows the initial incoming call from the client to the server to be rejected on the basis of the caller ID message contained in the ISDN setup message, and it allows a callback to be initiated to the calling destination. Before Cisco IOS Release 11.2 F, ISDN callback functionality required PPP or Combinet Packet Protocol (CPP) client authentication and client/server callback negotiation to proceed. If authentication and callback negotiation were successful, the callback server had to disconnect the call and then place a return call. Both the initial call and the return call were subject to tolls, and when service providers charge by the minute, even brief calls could be expensive. This feature is independent of the encapsulation in effect and can be used with various encapsulations, such as PPP, High-Level Data Link Control (HDLC), Frame Relay, and X.25. The ISDN Caller ID Callback feature allows users to control costs because charges do not apply to the initial, rejected call. ISDN caller ID callback allows great flexibility for you to define which calls to accept, which to deny, and which calls to reject initially but for which the router should initiate callback. The feature works by using existing ISDN caller ID screening, which matches the number in the incoming call against numbers configured on the router, determining the best match for the number in the incoming call, and then, if configured, initiating callback to the number configured on the router. When a call is received, the entire list of configured numbers is checked and the configuration of the best match number determines the action: • If the incoming number is best matched by a number that is configured for callback, the incoming call is rejected and callback is initiated. • If the incoming number is best matched by another entry in the list of configured numbers, the call is accepted. • If the incoming number does not match any entry in the configured list, the call is rejected and no callback is started. “Don’t care” characters are allowed in the caller ID screening configuration on the router and are used to determine the best match. For more information and examples, see the “Best Match System Examples” section later in this document. Callback After the Best Match Is Determined The details of router activities after the router finds a best match with callback depend on the DDR feature that is configured. The ISDN Caller ID Callback feature works with the following DDR features: • Legacy DDR • Dialer Profiles Legacy DDR If legacy DDR is configured for the host or user that is identified in the incoming call message, the router performs the following actions: 1. Checks the table of configured numbers for caller ID callback. 2. Searches the dialer map entries for a number that “best matches” the incoming call string. Configuring ISDN Caller ID Callback How to Configure ISDN Caller ID Callback DC-659 Cisco IOS Dial Technologies Configuration Guide 3. Waits for a configured length of time to expire. 4. Initiates callback to the number provided in the dialer map command. Dialer Profiles If the dialer profiles are configured for the host or user identified in the incoming call message, the router performs the following actions: 1. Searches through all the dialer pool members to match the incoming call number to a dialer caller number. 2. Initiates a callback to the dialer profile. 3. Waits for a configured length of time to expire. 4. Calls the number identified in the dialer string command associated with the dialer profile. Timing and Coordinating Callback on Both Sides When an incoming call arrives and the router finds a best match configured for callback, the router uses the value configured by the dialer enable-timeout command to determine the length of time to wait before making the callback. The minimum value of the timer is 1 second; the default value of the timer is 15 seconds. The interval set for this feature on the router must be much less than that set for DDR fast call rerouting for ISDN (that interval is set by the dialer wait-for-carrier-time command) on the calling (remote) side. We recommend setting the dialer wait-for-carrier timer on the calling side to twice the length of the dialer enable-timeout timer on the callback side. Note The remote site cannot be configured for multiple dial-in numbers because a busy callback number or a rejected call causes the second number to be tried. That number might be located at a different site, defeating the purpose of the callback. How to Configure ISDN Caller ID Callback To configure ISDN caller ID callback, perform the tasks in the following sections. The required configuration tasks depend whether you have configured legacy DDR or dialer profiles. • Configuring ISDN Caller ID Callback for Legacy DDR (As required) • Configuring ISDN Caller ID Callback for Dialer Profiles (As required) For configuration examples, see the section “Configuration Examples for ISDN Caller ID Callback” at the end of this chapter. Configuring ISDN Caller ID Callback for Legacy DDR This section provides configuration tasks for the local (server, callback) side and the remote (client, calling) side. Configuring ISDN Caller ID Callback How to Configure ISDN Caller ID Callback DC-660 Cisco IOS Dial Technologies Configuration Guide On the callback (local) side, to configure ISDN caller ID callback when legacy DDR is configured, use the following commands in interface configuration mode: On the calling (remote) side, to set the timer for fast call rerouting, use the following command in interface configuration mode: Configuring ISDN Caller ID Callback for Dialer Profiles This section provides configuration tasks for the local side and the remote side. On the callback (local) side, to configure ISDN caller ID callback when the dialer profiles are configured, use the following commands in interface configuration mode: On the calling (remote) side, to set the timer for fast call rerouting, use the following command in interface configuration mode: Command Purpose Step 1 Router(config-if)# isdn caller remote-number callback or Router(config-if)# dialer caller number callback Configures caller ID screening and callback when a dialer rotary is not configured. Configures caller ID screening and callback when a dialer rotary (dialer interface) is configured. Step 2 Router(config-if)# dialer enable-timeout seconds Configures the time to wait before initiating callback. Command Purpose Router(config-if)# dialer wait-for-carrier-time seconds Changes the ISDN fast call rerouting timer to double the length of the enable timeout timer. Command Purpose Step 1 Router(config-if)# dialer caller number callback Configures caller ID screening and callback. Step 2 Router(config-if)# dialer enable-timeout seconds Configures the time to wait before initiating callback. Command Purpose Router(config-if)# dialer wait-for-carrier-time seconds Changes the ISDN fast call rerouting timer to double the length of the enable timeout timer. Configuring ISDN Caller ID Callback Monitoring and Troubleshooting ISDN Caller ID Callback DC-661 Cisco IOS Dial Technologies Configuration Guide Monitoring and Troubleshooting ISDN Caller ID Callback To monitor and troubleshoot ISDN caller ID callback, use the following commands in EXEC mode as needed: Configuration Examples for ISDN Caller ID Callback The following sections provide ISDN caller ID callback configuration examples: • Best Match System Examples • Simple Callback Configuration Examples • ISDN Caller ID Callback with Dialer Profiles Examples • ISDN Caller ID Callback with Legacy DDR Example Best Match System Examples The best match is determined by matching the incoming number against the numbers in the configured callback commands, starting with the right-most character in the numbers and using the letter X for any “don’t care” characters in the configured commands. If multiple configured numbers match an incoming number, the best match is the one with the fewest “don’t care” characters. The reason for using a system based on right-most matching is that a given number can be represented in many different ways. For example, all the following items might be used to represent the same number, depending on the circumstances (international call, long-distance domestic call, call through a PBX, and so forth): 011 1 408 555 7654 1 408 555 7654 408 555 7654 555 7654 5 7654 Command Purpose Router# show dialer Displays information about the status and configuration of the ISDN interface on the router. Router# debug isdn event Displays ISDN events occurring on the user side (on the router) of the ISDN interface. The ISDN events that can be displayed are Q.931 events (call setup and tear down of ISDN network connections). Router# debug isdn q931 Displays Layer 3 signaling messages, protocol transitions and processes, the line protocol state, and the channel IDs for each ISDN interface. Configuring ISDN Caller ID Callback Configuration Examples for ISDN Caller ID Callback DC-662 Cisco IOS Dial Technologies Configuration Guide Best Match Based on the Number of “Don’t Care” Characters Example The following example assumes that you have an incoming call from one of the numbers from the previous example entered (4085557654), and that you configured the following numbers for callback on the router (disregarding for the moment the commands that can be used to configure callback): 555xxxx callback 5552xxx callback 555865x 5554654 callback xxxxx The first number listed is the best match for the incoming number (in the configured number, the three numbers and four Xs all match the incoming number); the line indicates that callback is to be initiated. The last line has five Xs; it is not the best match for the calling number. Note The last number in the list shown allows calls from any other number to be accepted without callback. When you use such a line, you must make sure that the number of Xs in the line exceeds the number of Xs in any other line. In the last line, five Xs are used; the other lines use at most four Xs. The order of configured numbers is not important; the router searches the entire list and then determines the best match. Best Match with No Callback Configured Example The following example assumes that a call comes from the same number (4085557654) and that only the following numbers are configured: 5552xxx callback 555865x 5554654 callback xxxxx In this case, the best match is in the final line listed, so the incoming call is accepted but callback is not initiated. No Match Configured Example The following example assumes that a call comes from the same number (4085557654) and that only the following numbers are configured: 5552xxx callback 555865x 5554654 callback In this case, there is no match at all, and the call is just rejected. Simple Callback Configuration Examples The following example assumes that callback calls will be made only to numbers in the 555 and 556 exchanges but that any other number can call in: isdn caller 408555xxxx callback isdn caller 408556xxxx callback isdn caller xxxxx Configuring ISDN Caller ID Callback Configuration Examples for ISDN Caller ID Callback DC-663 Cisco IOS Dial Technologies Configuration Guide The following example configures the router to accept a call with a delivered caller ID equal to 4155551234: isdn caller 4155551234 The following example configures the router to accept a call with a delivered caller ID equal to 41555512 with any digits in the last two positions: isdn caller 41555512xx The following example configures the router to make a callback to a delivered caller ID equal to 41555512 with any digits in the last two positions. (The router rejects the call initially, and then makes the callback.) The router accepts calls from any other numbers. isdn caller 41555512xx callback isdn caller xxx ISDN Caller ID Callback with Dialer Profiles Examples The following example shows the configuration of a central site that can place or receive calls from three remote sites over four ISDN BRI lines. Each remote site is on a different IP subnet and has different bandwidth requirements. Therefore, three dialer interfaces and three dialer pools are defined. ! This is a dialer profile for reaching remote subnetwork 10.1.1.1. interface dialer 1 ip address 10.1.1.1 255.255.255.0 encapsulation ppp dialer remote-name Smalluser dialer string 4540 dialer pool 3 dialer-group 1 dialer caller 14802616900 callback dialer caller 1480262xxxx callback ! ! This is a dialer profile for reaching remote subnetwork 10.2.2.2. interface dialer 2 ip address 10.2.2.2 255.255.255.0 encapsulation ppp dialer remote-name Mediumuser dialer string 5264540 class Eng dialer load-threshold 50 either dialer pool 1 dialer-group 2 dialer caller 14805364540 callback dialer caller 1480267xxxx callback dialer enable-timeout 2 ! ! This is a dialer profile for reaching remote subnetwork 10.3.3.3. interface dialer 3 ip address 10.3.3.3 255.255.255.0 encapsulation ppp dialer remote-name Poweruser dialer string 4156884540 class Eng dialer hold-queue 10 dialer load-threshold 80 dialer pool 2 dialer-group 2 ! ! This map class ensures that these calls use an ISDN speed of 56 kbps. map-class dialer Eng isdn speed 56 Configuring ISDN Caller ID Callback Configuration Examples for ISDN Caller ID Callback DC-664 Cisco IOS Dial Technologies Configuration Guide ! interface bri 0 encapsulation PPP ! BRI 0 has a higher priority than BRI 1 in dialer pool 1. dialer pool-member 1 priority 100 ppp authentication chap ! interface bri 1 encapsulation ppp dialer pool-member 1 priority 50 dialer pool-member 2 priority 50 ! BRI 1 has a reserved channel in dialer pool 3; the channel remains inactive ! until BRI 1 uses it to place calls. dialer pool-member 3 min-link 1 ppp authentication chap ! interface bri 2 encapsulation ppp ! BRI 2 has a higher priority than BRI 1 in dialer pool 2. dialer pool-member 2 priority 100 ppp authentication chap ! interface bri 3 encapsulation ppp ! BRI 3 has the highest priority in dialer pool 2. dialer pool-member 2 priority 150 ppp authentication chap ISDN Caller ID Callback with Legacy DDR Example This section provides two examples of caller ID callback with legacy DDR: • Individual Interface Example • Dialer Rotary Group Example Individual Interface Example The following example configures a BRI interface for legacy DDR and ISDN caller ID callback: interface bri 0 description Connected to NTT 81012345678901 ip address 10.1.1.7 255.255.255.0 no ip mroute-cache encapsulation ppp isdn caller 81012345678902 callback dialer enable-timeout 2 dialer map ip 10.1.1.8 name spanky 81012345678902 dialer-group 1 ppp authentication chap Configuring ISDN Caller ID Callback Configuration Examples for ISDN Caller ID Callback DC-665 Cisco IOS Dial Technologies Configuration Guide Dialer Rotary Group Example The following example configures BRI interfaces to connect into a rotary group (dialer group) and then configures a dialer interface for that dialer group. This configuration permits IP packets to trigger calls. The dialer interface is configured to initiate callback to any number in the 1-480-261 exchange and to accept calls from two other specific numbers. interface bri 0 description connected into a rotary group encapsulation ppp dialer rotary-group 1 ! interface bri 1 no ip address encapsulation ppp dialer rotary-group 1 ! interface bri 2 encapsulation ppp dialer rotary-group 1 ! interface bri 3 no ip address encapsulation ppp dialer rotary-group 1 ! interface bri 4 encapsulation ppp dialer rotary-group 1 ! interface dialer 1 description Dialer group controlling the BRIs ip address 10.1.1.1 255.255.255.0 encapsulation ppp dialer map ip 10.1.1.2 name angus 14802616900 dialer map ip 10.1.1.3 name shamus 14802616901 dialer map ip 10.1.1.4 name larry 14807362060 dialer map ip 10.1.1.5 name wally 19165561424 dialer map ip 10.1.1.6 name shemp 12129767448 dialer-group 1 ppp authentication chap ! dialer caller 1480261xxxx callback dialer caller 19165561424 dialer caller 12129767448 ! dialer-list 1 protocol ip permit Configuring ISDN Caller ID Callback Configuration Examples for ISDN Caller ID Callback DC-666 Cisco IOS Dial Technologies Configuration Guide DC-667 Cisco IOS Dial Technologies Configuration Guide Configuring BACP This chapter describes how to configure the Bandwidth Allocation Control Protocol (BACP), described in RFC 2125. It includes the following main sections: • BACP Overview • How to Configure BACP • Monitoring and Maintaining Interfaces Configured for BACP • Troubleshooting BACP • Configuration Examples for BACP BACP requires a system only to have the knowledge of its own phone numbers and link types. A system must be able to provide the phone numbers and link type to its peer to satisfy the call control mechanism. (Certain situations might not be able to satisfy this requirement; numbers might not be present because of security considerations.) BACP is designed to operate in both the virtual interface environment and the dialer interface environment. It can operate over any physical interface that is Multilink PPP-capable and has a dial capability; at initial release, BACP supports ISDN and asynchronous serial interfaces. The addition of any link to an existing multilink bundle is controlled by a Bandwidth Allocation Protocol (BAP) call or callback request message, and the removal of a link can be controlled by a link drop message. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the PPP BACP commands in this chapter, refer to the Cisco IOS Dial Technologies Command Reference, Release 12.2. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Configuring BACP BACP Overview DC-668 Cisco IOS Dial Technologies Configuration Guide BACP Overview The BACP provides Multilink PPP (MLP) peers with the ability to govern link utilization. Once peers have successfully negotiated BACP, they can use the BAP, which is a subset of BACP, to negotiate bandwidth allocation. BAP provides a set of rules governing dynamic bandwidth allocation through call control; a defined method for adding and removing links from a multilink bundle for Multilink PPP is used. BACP provides the following benefits: • Allows multilink implementations to interoperate by providing call control through the use of link types, speeds, and telephone numbers. • Controls thrashing caused by links being brought up and removed in a short period of time. • Ensures that both ends of the link are informed when links are added or removed from a multilink bundle. For simplicity, the remaining text of this chapter makes no distinction between BACP and BAP; only BACP is mentioned. BACP Configuration Options PPP BACP can be configured to operate in the following ways: • Passive mode (default)—The system accepts incoming calls; the calls might request callback, addition of a link, or removal of a link from a multilink bundle. The system also monitors the multilink load by default. Passive mode is for virtual template interfaces or for dialer interfaces. • Active mode—The system initiates outbound calls, sets the parameters for outbound calls, and determines whether links should be added to or removed from a multilink bundle. The system also monitors the multilink load by default. Active mode is for dialer interfaces, but not for virtual template interfaces. (If you attempt to configure active mode on a virtual template interface, no calls will be made.) A virtual or dialer interface must be configured either to make call requests or to make callback requests, but it cannot be configured to do both. Support of BACP on virtual interfaces in an Multichassis Multilink PPP (MMP) environment is restricted to incoming calls on the multilink group. Support of BACP for outgoing calls is provided by dialer interface configuration only. BACP supports only ISDN and asynchronous serial interfaces. Dialer support is provided only for legacy dial-on-demand routing (DDR) dialer configurations; BACP cannot be used in conjunction with the DDR dialer profiles feature. BACP is configured on virtual template interfaces and physical interfaces that are multilink capable. For both the virtual template interfaces and the dialer interfaces, BACP requires MMP and bidirectional dialing to be working between the routers that will negotiate control and allocation of bandwidth for the multilink bundle. Configuring BACP How to Configure BACP DC-669 Cisco IOS Dial Technologies Configuration Guide How to Configure BACP Before you configure BACP on an interface, determine the following important information. The router might be unable to connect to a peer if this information is incorrect. • Type of link (ISDN or analog) to be used. Link types must match on the local and remote ends of the link. • Line speed needed to reach the remote peer. The speed configured for the local physical interface must be at least that of the link. The bandwidth command or the dialer map command with the speed keyword can be used. • Local telephone number to be used for incoming PPP BACP calls, if it is different from a rotary group base number or if incoming PPP BACP calls should be directed to a specific number. During negotiations with a peer, PPP BACP might respond with a telephone number delta, indicating that the peer should modify certain digits of the dialed phone number and dial again to reach the PPP BACP interface or to set up another link. BACP can be configured on a virtual template interface or on a dialer interface (including dialer rotary groups and ISDN interfaces). To configure BACP on a selected interface or interface template, perform the following tasks in the order listed: • Enabling BACP (Required) Passive mode is in effect and the values of several parameters are set by default when PPP BACP is enabled. If you can accept all the passive mode parameters, do not continue with the tasks. • Modifying BACP Passive Mode Default Settings (As required) or • Configuring Active Mode BACP (As required) Note You can configure one interface in passive mode and another in active mode so that one interface accepts incoming call requests and makes callback requests (passive mode), and the other interface makes call requests and accepts callback requests (active mode). A dialer or virtual template interface should be configured to reflect the required dial capability of the interface. A dial-in pool (in passive mode) might have no requirement to dial out but might want remote users to add multiple links, with the remote user incurring the cost of the call. Similarly, a dial-out configuration (active mode) suggests that the router is a client, rather than a server, on that link. The active-mode user incurs the cost of additional links. You might need to configure a base telephone number, if it is applicable to your dial-in environment. This number is one that remote users can dial to establish a connection. Otherwise, individual PPP BACP links might need numbers. Information is provided in the task lists for configuring passive mode or active mode PPP BACP. See the ppp bap number command options in the task lists. You can also troubleshoot BACP configuration and operations and monitor interfaces configured for PPP BACP. For details, see the “Troubleshooting BACP” and “Monitoring and Maintaining Interfaces Configured for BACP” sections later in this chapter. See the section “Configuration Examples for BACP” at the end of this chapter for examples of PPP BACP configuration. Configuring BACP How to Configure BACP DC-670 Cisco IOS Dial Technologies Configuration Guide Enabling BACP To enable PPP bandwidth allocation control and dynamic allocation of bandwidth, use one of the following commands in interface configuration mode: When PPP BACP is enabled, it is in passive mode by default and the following settings are in effect: • Allows a peer to initiate link addition. • Allows a peer to initiate link removal. • Requests that a peer initiate link addition. • Waits 20 seconds before timing out on pending actions. • Waits 3 seconds before timing out on not receiving a response from a peer. • Makes only one attempt to call a number. • Makes up to three retries for sending a request. • Searches for and logs up to five free dialers. • Makes three attempts to send a call status indication. • Adds only ISDN links to a multilink bundle. • Monitors load. The default settings will be in effect in the environment for which the ppp multilink bap command is entered: • Virtual template interface, if that is where the command is entered. When the command is entered in a virtual template interface, configuration applies to any virtual access interface that is created dynamically under Multilink PPP, the application that defines the template. • Dialer interface, if that is where the command is entered. See the section “Basic BACP Configurations” at the end of this chapter for an example of how to configure BACP. Command Purpose Router(config-if)# ppp multilink bap or Router(config-if)# ppp multilink bap required Enables PPP BACP bandwidth allocation negotiation. Enables PPP BACP bandwidth allocation negotiation and enforces mandatory negotiation of BACP for the multilink bundle. Configuring BACP How to Configure BACP DC-671 Cisco IOS Dial Technologies Configuration Guide Modifying BACP Passive Mode Default Settings To modify the default parameter values or to configure additional parameters in passive mode, use the following commands, as needed, in interface configuration mode for the interface or virtual template interface that is configured for PPP BACP: See the section “Passive Mode Dialer Rotary Group Members with One Dial-In Number” later in this chapter for an example of how to configure passive mode parameters. Configuring Active Mode BACP To configure active mode BACP, use the following commands in interface configuration mode for the dialer interface on which BACP was enabled. For your convenience, the commands that make BACP function in active mode are presented before the commands that change default parameters or add parameters. Command Purpose Router(config-if)# ppp bap timeout pending seconds Modifies the timeout on pending actions. Router(config-if)# ppp bap timeout response seconds Modifies the timeout on not receiving a response from a peer. Router(config-if)# ppp bap max dial-attempts number Modifies the number of attempts to call a number. Router(config-if)# ppp bap max ind-retries number Modifies the number of times to send a call status indication. Router(config-if)# ppp bap max req-retries number Modifies the number of retries of a particular request. Router(config-if)# ppp bap max dialers number Modifies the maximum number of free dialers logged. Router(config-if)# ppp bap link types analog or Router(config-if)# ppp bap link types isdn analog Specifies that only analog links can be added to a multilink bundle. Allows both ISDN and analog links to be added. Router(config-if)# ppp bap number default phone-number For all DDR-capable interfaces in the group, specifies a primary telephone number for the peer to call for PPP BACP negotiation, if different from any base number defined on the dialer interface or virtual template interface. Router(config-if)# ppp bap number secondary phone-number For BRI interfaces on which a different number is provided for each B channel, specifies the secondary telephone number. Router(config-if)# ppp bap drop timer seconds Specifies a time to wait between outgoing link drop requests. Router(config-if)# no ppp bap monitor load Disables the default monitoring of load and the validation of peer requests against load thresholds. Command Purpose Router(config-if)# ppp bap call request Enables the interface to initiate the addition of links to the multilink bundle. Router(config-if)# ppp bap callback accept Enables the interface to initiate the addition of links upon peer request. Configuring BACP Monitoring and Maintaining Interfaces Configured for BACP DC-672 Cisco IOS Dial Technologies Configuration Guide When BACP is enabled, multiple dialer maps to one destination are not needed when they differ only by number. That is, once the initial call has been made to create the bundle, further dialing attempts are realized through the BACP phone number negotiation. Outgoing calls are supported through the use of dialer maps. However, when an initial incoming call creates a dynamic dialer map, the router can dial out if the peer supplies a phone number. This capability is achieved by the dynamic creation of static dialer maps for BACP. These temporary dialer maps can be displayed by using the show dialer map command. These temporary dialer maps last only as long as the BACP group lasts and are removed when the BACP group or the associated map is removed. Monitoring and Maintaining Interfaces Configured for BACP To monitor interfaces configured for PPP BACP, use any of the following commands in EXEC mode: Router(config-if)# ppp bap drop after-retries Enables the interface to drop a link without negotiation after receiving no response to retries to send a drop request. Router(config-if)# ppp bap call timer seconds Sets the time to wait between outgoing call requests. Router(config-if)# ppp bap timeout pending seconds Modifies the timeout on pending actions. Router(config-if)# ppp bap timeout response seconds Modifies the timeout on not receiving a response from a peer. Router(config-if)# ppp bap max dial-attempts number Modifies the number of attempts to call a number. Router(config-if)# ppp bap max ind-retries number Modifies the number of times to send a call status indication. Router(config-if)# ppp bap max req-retries number Modifies the number of retries of a particular request. Router(config-if)# ppp bap max dialers number Modifies the maximum number of free dialers logged. Router(config-if)# ppp bap link types analog or Router(config-if)# ppp bap link types isdn analog Specifies that only analog links can be added to a multilink bundle. Allows both ISDN and analog links to be added. Router(config-if)# ppp bap number default phone-number For all DDR-capable interfaces in the group, specifies a primary telephone number for the peer to call for PPP BACP negotiation, if different from any base number defined on the dialer interface or virtual template interface. Router(config-if)# ppp bap number secondary phone-number For BRI interfaces on which a different number is provided for each B channel, specifies the secondary telephone number. Command Purpose Command Purpose Router> show ppp bap group [name] Displays information about all PPP BACP multilink bundle groups or a specific, named multilink bundle group. Router> show ppp bap queues Displays information about the BACP queues. Router> show ppp multilink Displays information about the dialer interface, the multilink bundle, and the group members. Router> show dialer Displays BACP numbers dialed and the reasons for the calls. Router> show dialer map Displays configured dynamic and static dialer maps and dynamically created BACP temporary static dialer maps. Configuring BACP Troubleshooting BACP DC-673 Cisco IOS Dial Technologies Configuration Guide Troubleshooting BACP To troubleshoot the BACP configuration and operation, use the following debug commands: Configuration Examples for BACP The following sections provide BACP configuration examples: • Basic BACP Configurations • Dialer Rotary Group with Different Dial-In Numbers • Passive Mode Dialer Rotary Group Members with One Dial-In Number • PRI Interface with No Defined PPP BACP Number • BRI Interface with No Defined BACP Number Basic BACP Configurations The following example configures an ISDN BRI interface for BACP to make outgoing calls and prevent the peer from negotiating link drops: interface bri 0 ip unnumbered ethernet 0 dialer load-threshold 10 either dialer map ip 172.21.13.101 name bap-peer 12345668899 encapsulation ppp ppp multilink bap ppp bap call request ppp bap callback accept no ppp bap call accept no ppp bap drop accept ppp bap pending timeout 30 ppp bap number default 5664567 ppp bap number secondary 5664568 The following example configures a dialer rotary group to accept incoming calls: interface async 1 no ip address encapsulation ppp dialer rotary-group 1 ppp bap number default 5663456 ! ! Set the bandwidth to suit the modem/line speed on the remote side. interface bri 0 no ip address bandwidth 38400 encapsulation ppp Command Purpose Router> debug ppp bap [error | event | negotiation] Displays BACP errors, protocol actions, and negotiation events and transitions. Router> debug ppp multilink events Displays information about events affecting multilink bundles established for BACP. Configuring BACP Configuration Examples for BACP DC-674 Cisco IOS Dial Technologies Configuration Guide dialer rotary-group 1 ppp bap number default 5663457 ! interface bri 1 no ip address encapsulation ppp dialer rotary-group 1 ppp bap number default 5663458 ! interface dialer1 ip unnumbered ethernet 0 encapsulation ppp ppp multilink bap ppp bap call accept ppp bap link types isdn analog dialer load threshold 30 ppp bap timeout pending 60 The following example configures a virtual template interface to use BACP in passive mode: multilink virtual-template 1 ! interface virtual-template 1 ip unnumbered ethernet 0 encapsulation ppp ppp multilink bap ppp authentication chap callin The bundle is created from any MMP-capable interface. The following example creates a bundle on a BRI interface: interface bri 0 no ip address encapsulation ppp ppp multilink ppp bap number default 4000 ppp bap number secondary 4001 Dialer Rotary Group with Different Dial-In Numbers The following example configures a dialer rotary group that has four members, each with a different number, and that accepts incoming dial attempts. The dialer interface does not have a base phone number; the interface used to establish the first link in the multilink bundle will provide the appropriate number from its configuration. interface bri 0 no ip address encapsulation ppp dialer rotary-group 1 no fair-queue no cdp enable ppp bap number default 6666666 ! interface bri 1 no ip address encapsulation ppp dialer rotary-group 1 no fair-queue no cdp enable ppp bap number default 6666667 ! Configuring BACP Configuration Examples for BACP DC-675 Cisco IOS Dial Technologies Configuration Guide interface bri 2 no ip address encapsulation ppp dialer rotary-group 1 no fair-queue no cdp enable ppp bap number default 6666668 ! interface bri 3 no ip address encapsulation ppp dialer rotary-group 1 no fair-queue no cdp enable ppp bap number default 6666669 ! interface dialer 1 ip unnumbered Ethernet0 encapsulation ppp dialer in-band dialer idle-timeout 300 dialer-group 1 no fair-queue no cdp enable ppp authentication chap ppp multilink bap ppp bap call accept ppp bap callback request ppp bap timeout pending 20 ppp bap timeout response 2 ppp bap max dial-attempts 2 ppp bap monitor load Passive Mode Dialer Rotary Group Members with One Dial-In Number The following example, a dialer rotary group with two members each with the same number, accepts incoming dial attempts. The dialer interface has a base phone number because each of its member interfaces is in a hunt group and the same number can be used to access each individual interface. interface bri 0 no ip address encapsulation ppp dialer rotary-group 1 no fair-queue no cdp enable ! interface bri 1 no ip address encapsulation ppp dialer rotary-group 1 no fair-queue no cdp enable ! interface dialer 1 ip unnumbered Ethernet0 encapsulation ppp dialer in-band dialer idle-timeout 300 dialer-group 1 no fair-queue no cdp enable Configuring BACP Configuration Examples for BACP DC-676 Cisco IOS Dial Technologies Configuration Guide ppp authentication chap ppp multilink bap ppp bap call accept ppp bap callback request ppp bap timeout pending 20 ppp bap timeout response 2 ppp bap max dial-attempts 2 ppp bap monitor load ppp bap number default 6666666 PRI Interface with No Defined PPP BACP Number In the following example, a PRI interface has no BACP number defined and accepts incoming dial attempts (passive mode). The PRI interface has no base phone number defined, so each attempt to add a link would result in a delta of zero being provided to the calling peer. To establish the bundle, the peer should then dial the same number as it originally used. interface serial 0:23 ip unnumbered Ethernet0 encapsulation ppp dialer in-band dialer idle-timeout 300 dialer-group 1 no fair-queue no cdp enable ppp authentication chap ppp multilink bap ppp bap call accept ppp bap callback request ppp bap timeout pending 20 ppp bap timeout response 2 ppp bap max dial-attempts 2 ppp bap monitor load BRI Interface with No Defined BACP Number In the following example, the BRI interface has no base phone number defined. The number that it uses to establish the bundle is that from the dialer map, and all phone delta operations are applied to that number. interface bri 0 ip unnumbered Ethernet0 encapsulation ppp dialer in-band dialer idle-timeout 300 dialer map ip 10.1.1.1 name bap_peer speed 56 19998884444 dialer-group 1 no fair-queue no cdp enable ppp authentication chap ppp multilink bap ppp bap call request ppp bap timeout pending 20 ppp bap timeout response 2 ppp bap max dial-attempts 2 ppp bap monitor load Dial Access Specialized Features DC-679 Cisco IOS Dial Technologies Configuration Guide Configuring Large-Scale Dial-Out This chapter describes how to configure large-scale dial-out. It includes the following main sections: • Large-Scale Dial-Out Overview • How to Configure Large-Scale Dial-Out • Monitoring and Maintaining the Large-Scale Dial-Out Network • Configuration Examples for Large-Scale Dial-Out Consider these restrictions when configuring large-scale dial-out: • Large-scale dial-out supports only IP over PPP encapsulation. • Large-scale dial-out does not support tunneling protocols such as Layer 2 Forwarding Protocol (L2F) and Layer 2 Tunneling Protocol (L2TP). • Virtual profiles depend on PPP authentication; however, this authentication can create a problem for Ascend devices, which do not allow devices to authenticate them when answering a call (bidirectional authentication is not supported). • The IP address of the remote device must be known before dialing out. Large-scale dial-out does not support dynamic IP address assignment. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the commands mentioned in this chapter, refer to Cisco IOS Dial Technologies Command Reference, Release 12.2. To locate documentation of other commands that appear in this chapter, use Cisco IOS Command Reference Master Index or search online. Large-Scale Dial-Out Overview In previous dial-on-demand routing (DDR) networking strategies, only incoming calls could take advantage of features such as dialer and virtual profiles, Multichassis Multilink PPP (MMP) support, and the ability to use an authentication, authorization, and accounting (AAA) server to store attributes. MMP allows network access servers to be stacked together and appear as a single network access server chassis so that if one network access server fails, another network access server in the stack can accept calls. MMP also provides stacked network access servers access to a local Internet point of presence (POP) using a single telephone number. This capability allows for easy expansion and scalability and for assured fault tolerance and redundancy. Now, with large-scale dial-out, these features are available for both outgoing and incoming calls. Configuring Large-Scale Dial-Out Large-Scale Dial-Out Overview DC-680 Cisco IOS Dial Technologies Configuration Guide Large-scale dial-out eliminates the need to configure dialer maps on every network access server for every destination. Instead, you create remote site profiles that contain outgoing call attributes (telephone number, service type, and so on) on the AAA server. The profile is downloaded by the network access server when packet traffic requires a call to be placed to a remote site. Additionally, large-scale dial-out addresses congestion management by seeking an uncongested, alternative network access server within the same POP when the designated primary network access server experiences port congestion. Large-scale dial-out also enables scalable dial-out service to many remote sites across one or more Cisco network access servers or Cisco routers. This capability is especially beneficial to both Internet service providers (ISPs) and large-scale enterprise customers because it can simplify network configuration and management. Large-scale dial-out streamlines activities such as service maintenance and scheduled activities like application upgrades from a centralized location. Large enterprise networks such as those used by retail stores, supermarket chains, and franchise restaurants can use large-scale dial-out to easily update daily prices and inventory information from a central server to all branch locations in one process, using the same network access servers that they currently use for dial-in functions. Additional benefits of using large-scale dial-out include the following: • Allows dialing the same router from any router in a stack group. Using a primary network access server, you can configure static routes for a given remote host or network. If the primary network access server is congested or has no links available, it will search for an alternate server within the stack, and force that server to dial out. • Eliminates the need to configure dialer maps in individual network access servers. The user profiles, along with dial parameters, can be centrally stored on an AAA server such as a Cisco Secure Access Control Server (ACS). • Supports extended TACACS (also TACACS+), RADIUS using Cisco attribute-value (AV) pairs, and the Ascend proprietary RADIUS extension for dial-out operation. • Provides a way to associate an IP address with a user name and user profile using the static route and host name association features. If there are no names on the IP static route, the Domain Name System (DNS) support function can be used to determine the user name that is associated with the IP address. If a name is not found, the destination IP address is used for the name. • Allows dynamic static routes to be configured on the centralized AAA server, that is, static routes stored centrally on an AAA server that can be dynamically downloaded by the router as needed. • Provides support for MMP and the Stack Group Bidding Protocol (SGBP). SGBP unites each Cisco access server in a virtual stack, which enables the access servers to become virtually tied together. If all ports on a given network access server are already being used, the other network access servers on the stack can be used for outbound calls. Single calls and multilink calls are now supported across the multichassis stack group. • Supports dial-out over an asynchronous line, when a chat script is configured. • Allows ports to be reserved for dial-in and dial-out. Large-scale dial-out enables scalable dial-out service; that is, configuration information is stored in a central server, and many network access servers can access this information using either the RADIUS or extended TACACS protocols. One or more network access servers can advertise summary routes to the remote destinations and then dynamically download the dial-out profile configurations as needed. Large-scale dial-out also allows dialing the same remote network or host from any router in a stack group. You configure static routes for a particular remote host or network on a router in a stack group that you designate as the primary network access server for that remote network or host. When a primary network access server experiences port congestion, it searches for an alternate network access server within the stack group to dial out and, when found, forces the alternate to dial the remote network. Figure 96 illustrates the large-scale dial-out solution. Configuring Large-Scale Dial-Out Large-Scale Dial-Out Overview DC-681 Cisco IOS Dial Technologies Configuration Guide Figure 96 Large-Scale Dial-Out Components Large-scale dial-out relies on per-user static routes in AAA and redistributed static and redistributed connected routes to put better routes pointing to the same remote on the alternate network access server. You can use any routing protocol that supports redistributing static and connected routes and that supports Flash memory updates when a routing topology changes. The Open Shortest Path First (OSPF) and Enhanced Interior Gateway Routing Protocol (EIGRP) routing protocols are recommended. Next Hop Definition A next hop address or remote name that you define is used in an AAA server lookup to retrieve the user profile from the remote network or host. The name is passed to the AAA server by the router software. Static Routes Static routes can be dynamically downloaded from an AAA server by the network access servers or can be manually configured on the network access servers. Dynamic static routes are installed on the network access server by an AAA server. The routes are downloaded at system startup and updated periodically, so that route changes are reflected within a configurable interval of time. Large-scale dial-out allows multiple AAA transactions with 50 static routes per AAA server transaction. There is no set limit for the number of AAA server transactions which can be configured, however configuring too many transactions may impact the performance of your network. Performance effects will depend on the configurations and platforms used in your network. Stack Groups The network access server stack group redistributes the routes of the remote networks. If the number is large, the routes are summarized. Packets destined for remote networks are routed to the primary network access server for the remote network. AAA server DNS server 18079 Analog Modem Remote LAN router ISDN SGBP stack Configuring Large-Scale Dial-Out How to Configure Large-Scale Dial-Out DC-682 Cisco IOS Dial Technologies Configuration Guide If the static route that points to the next hop of the network access server has a name, that name with the -out suffix attached becomes the profile name. If no profile name is configured in the route statement that defines the remote location, the router can use reverse DNS lookup to map the IP route to a profile name. The next hop address on the static route is used in reverse DNS to obtain the name of the remote network. This name is then used in the AAA server lookup to retrieve the remote user profile. If no name is returned by DNS, the network access server uses the destination IP address with the -out suffix appended as the name. If the primary network access server is congested, an alternate network access server may dial out. The primary network access server initiates stack group bidding for the outgoing call. The least congested network access server wins the bid and downloads the user profile. After a call is connected on an alternate network access server, a better per-user route from the AAA profile is installed on the alternate network access server. Subsequent packets destined for the remote network are routed to the alternate network access server while the call is connected. Packets stored in the dialer hold queue on the primary network access server are switched to the alternate network access server when the new route is distributed to the primary network access server. How to Configure Large-Scale Dial-Out To configure large-scale dial-out perform the tasks in the following sections: • Complying with Large-Scale Dial-Out Prerequisites (Required) • Establishing the Route to the Remote Network (As required) • Enabling AAA and Static Route Download (Required) • Enabling Access to the AAA Server (Required) • Enabling Reverse DNS (Required) • Enabling SGBP Dial-Out Connection Bidding (Required) • Defining a User Profile (Required) See the section “Monitoring and Maintaining the Large-Scale Dial-Out Network” later in this chapter for tips on maintaining large-scale dial-out. See the examples in the section “Configuration Examples for Large-Scale Dial-Out” at the end of this chapter for ideas on how you can implement large-scale dial-out in your network. Complying with Large-Scale Dial-Out Prerequisites The following prerequisites apply to large-scale dial-out: • Virtual profiles depend on PPP authentication; therefore the network access server, the remote device, or both must authenticate the connection to use virtual profiles. • You must configure SGBP to allow a primary network access server that is congested or otherwise unable to dial out to select an alternate network access server to dial out. Configure SGBP using the sgbp group and sgbp member global configuration commands before enabling the stack group to bid for dial-out connection. Configuring SGBP is described in the chapter “Configuring Multichassis Multilink PPP” in this publication. The Cisco IOS Dial Technologies Command Reference describes the commands to configure a stack group. Configuring Large-Scale Dial-Out How to Configure Large-Scale Dial-Out DC-683 Cisco IOS Dial Technologies Configuration Guide Additionally, all members of the stack group must be in the same routing autonomous system, and the redistribute static and redistribute connected commands must already be configured. The stack group supports all routing protocols, but routing protocols such as EIGRP and OSPF, which support redistributing static and connected routes and Flash memory updates when topology changes, are recommended. • You must configure AAA network security services using the aaa new-model, aaa authentication, aaa authorization, and aaa accounting global configuration commands. For more information about AAA, see the chapter “AAA Overview” in the Cisco IOS Security Configuration Guide. The Cisco IOS Security Command Reference describes the commands to configure AAA. You will also need to configure your network access server to communicate with the applicable security server, either an extended TACACS or RADIUS daemon. If you are using RADIUS and Ascend attributes, use the non-standard keyword with the radius-server host command to enable your Cisco router, acting as a network access server, to recognize that the RADIUS security server is using a vendor-proprietary version of RADIUS. Use the radius-server key command to specify the shared secret text string used between your Cisco router and the RADIUS server. For more information, see the chapter “Configuring RADIUS” in the Cisco IOS Security Configuration Guide. If you are using extended TACACS, use the tacacs-server host command to specify the IP address of one or more extended TACACS daemons. Use the tacacs-server key command to specify the shared secret text string used between your Cisco router and the extended TACACS daemon. For more information, see the chapter about configuring extended TACACS in the Cisco IOS Security Configuration Guide. Establishing the Route to the Remote Network The task in this section is optional; you only need to perform it when routes will not be downloaded statically from the AAA server. To establish a route to the remote network or host (next hop) that holds the user profile, use the ip route command in global configuration mode: The name you define is used in an AAA server lookup to retrieve the AAA profile of the remote network. Enabling AAA and Static Route Download AAA network security must be enabled before you perform the tasks in this section. For more information about enabling AAA, see the chapter “AAA Overview” in the Cisco IOS Security Configuration Guide. Enabling the static route download feature allows static routes to be configured at a centrally located AAA server. Static routes are downloaded when the system is started, and you define a period of time between route updates when you enable the feature. Command Purpose Router(config)# ip route network-number [network-mask] {address | interface} [distance] [name name] Establishes a static route to a remote network to obtain a user profile. Configuring Large-Scale Dial-Out How to Configure Large-Scale Dial-Out DC-684 Cisco IOS Dial Technologies Configuration Guide Note Static route download is not mandatory for the large-scale dial-out feature; however, it makes configuration of static routes more manageable by allowing the configuration to be centralized on a server. To enable the static route download feature, use the following commands in global configuration mode: Use the show ip route command to see the routes installed by these commands. Enabling Access to the AAA Server To configure the dialer interface to access the AAA server and retrieve the user profile, use the following command in interface configuration mode for a dialer rotary group leader: Enabling Reverse DNS To instruct the dialer to use reverse DNS on dial out, use the following command in interface configuration mode: The user profile name passed to the AAA server by the system is reverse-dns-name-out; the -out suffix is automatically appended to the DNS name and is required to create unique dial-out and dial-in profiles. Enabling SGBP Dial-Out Connection Bidding You must configure SGBP before performing the tasks in this section. The chapter “Configuring Multichassis Multilink PPP” in this publication describes the tasks you perform to configure a stack group. To configure stack group bidding, use the following command in global configuration mode: Command Purpose Step 1 Router(config)# aaa new-model Enables the AAA server. Step 2 Router(config)# aaa route download [time] Downloads static routes from the AAA server periodically using the host name of the router. Step 3 Router(config)# aaa authorization configuration default [radius | tacacs+] Downloads configuration information from the AAA server. Command Purpose Router(config-if)# dialer aaa Allows the dialer to use the AAA server to locate profiles for dialing information. Command Purpose Router(config-if)# dialer dns Uses reverse DNS to obtain the name of the user profile of the remote network. Configuring Large-Scale Dial-Out How to Configure Large-Scale Dial-Out DC-685 Cisco IOS Dial Technologies Configuration Guide Once the stack group has been configured and enabled for dial-out connection bidding, configure the dialer interface to search for an alternate network access server in the event of port congestion. Use the following commands in interface configuration mode: See the section “Stack Group and Static Route Download Configuration Example” at the end of this chapter for an example of how to configure stack groups and static routes. Defining a User Profile Attributes are used to define specific AAA elements in a user profile. Large-scale dial-out supports a subset of Ascend AV pairs and RADIUS attributes, as well as a map class attribute that provides outbound dialing services, as described in Table 36. The only required attribute is the Cisco AV pair outbound:dial-number; all others are optional. If the AAA server does not support Cisco AV pairs, attribute #227, Ascend-Dial-Number, can be substituted. If there are equivalent Cisco AV pairs and Ascend-specific attributes, Cisco recommends using the Cisco AV pairs. For additional information about defining user profiles, see the chapter “RADIUS Attribute-Pairs” in the CiscoSecure ACS for Windows NT User Guide 2.0 publication and the chapter “TACACS+ Attribute-Value Pairs” in the Cisco IOS Security Configuration Guide. For an example of a user profile that uses the supported attributes, see the section “User Profile on an Ascend RADIUS Server for NAS1 Example” at the end of this chapter. Note For the attributes listed in Table 4, the value of a string is 0 to 253 octects; the value of an integer is a 32-bit value ordered high byte first. Command Purpose Router(config)# sgbp dial-bids Allows the stack group to bid for the dial-out call. Command Purpose Step 1 Router(config-if)# dialer congestion-threshold links Forces the dialer to search for another uncongested system in the stack group. Step 2 Router(config-if)# dialer reserved-links {dialin-link | dialout-link} Reserves links for dial in and dial-out. Configuring Large-Scale Dial-Out How to Configure Large-Scale Dial-Out DC-686 Cisco IOS Dial Technologies Configuration Guide Table 36 Large-Scale Dial-Out Outbound Service Attributes Number Attribute Description Ascend AV Pairs #214 Ascend-Send-Secret Specifies the password that the network access server uses when the remote site challenges the network access server to authenticate using either Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP). Cisco AV Pair: None TACACS+ Support: service = outbound { send-secret = VALUE } Value: Password string Note The password is encrypted. This attribute requires a special RADIUS daemon that supports CHAP or PAP authentication. #227 Ascend-Dial-Number Defines the number to dial. Cisco AV Pair: cisco-avpair="outbound:dial-number=VALUE" TACACS+ Support: service = outbound { dial-number = VALUE } Value: Dial string Note This attribute defines the plain dial number. It can be used in different profiles, whereas the callback-dialstring attribute is only for callbacks. Configuring Large-Scale Dial-Out How to Configure Large-Scale Dial-Out DC-687 Cisco IOS Dial Technologies Configuration Guide #231 Ascend-Send-Auth Specifies the authentication protocol that the network access server requests when initiating a connection using PPP. The answering side of the connection determines which authentication protocol, if any, that the connection uses. The network access server will refuse to negotiate PAP if CHAP is selected, but will negotiate CHAP if PAP is selected. Cisco AV Pair: cisco-avpair="outbound:send-auth=VALUE" TACACS+ Support: service = outbound { send-auth = none/pap/chap } Value: 0: Send-Auth-None 1: Send-Auth-PAP 2: Send-Auth-CHAP #247 Ascend-Data-SVC Specifies the type of data service that the link uses for outgoing calls. Cisco AV Pair: cisco-avpair="outbound:data-service=VALUE" TACACS+ Support: service = outbound { data-service = VALUE } Value: 0: Switched-Voice-Bearer #248 Ascend-Force-56 Determines whether the network access server uses only the 56K portion of a channel, even when all 64K appear to be available. Cisco AV Pair: cisco-avpair="outbound:force-56=VALUE" TACACS+ Support: service = outbound { force-56 = VALUE } Value: 0: Force-56-No 1: Force-56-Yes Table 36 Large-Scale Dial-Out Outbound Service Attributes (continued) Number Attribute Description Configuring Large-Scale Dial-Out How to Configure Large-Scale Dial-Out DC-688 Cisco IOS Dial Technologies Configuration Guide RADIUS (IETF) Attributes #10 Framed-Routing Indicates a routing method when a router is used to access a network. Cisco AV Pair: None TACACS+ Support: service = outbound { routing = VALUE } Value: 0: None 1: Broadcast 2: Listen 3: Broadcast-Listen Note This attribute is currently supported only for PPP service. #19 Callback-Number Defines a dialing string to be used for call back. (Service is both outbound and PPP.) Cisco AV Pair: cisco-avpir="outbound:callback-dialstring=VALUE" TACACS+ Support: Equivalent to the existing callback-dialstring attribute. Value: Dial string Note This is an alternate way of setting a callback number using a standard RADIUS attribute. Table 36 Large-Scale Dial-Out Outbound Service Attributes (continued) Number Attribute Description Configuring Large-Scale Dial-Out How to Configure Large-Scale Dial-Out DC-689 Cisco IOS Dial Technologies Configuration Guide #61 NAS-Port-Type Indicates the type of physical port that the network access server is using to authenticate the user. Cisco AV Pair: None TACACS+ Support: None Value: 0: Asynchronous 1: Synchronous 2: ISDN-Synchronous Note This attribute is currently supported only for PPP service. Map Class Attribute (unnumbered) map-class Allows the user profile to reference information configured in a map class of the same name on the network access server that dials out. Cisco AV Pair: cisco-avpair="outbound:map-class=VALUE" TACACS+ Support: service = outbound { map-class = VALUE } Value: Name string, which must match the name of a map class on the dial-out network access server. Table 36 Large-Scale Dial-Out Outbound Service Attributes (continued) Number Attribute Description Configuring Large-Scale Dial-Out Monitoring and Maintaining the Large-Scale Dial-Out Network DC-690 Cisco IOS Dial Technologies Configuration Guide Monitoring and Maintaining the Large-Scale Dial-Out Network To monitor and maintain a large-scale dial-out network, use any of the following commands in EXEC mode: Configuration Examples for Large-Scale Dial-Out The following sections provide examples of how you can configure large-scale dial-out in your network: • Stack Group and Static Route Download Configuration Example • User Profile on an Ascend RADIUS Server for NAS1 Example • Asynchronous Dialing Configuration Examples Stack Group and Static Route Download Configuration Example The following example configures NAS1 as the primary network access server and NAS2 as the secondary network access server, in a stack group for dial-out. The remote router is configured to answer calls. Figure 97 illustrates the configuration. Figure 97 Stack Group and Static Route Download Configuration Command Purpose Router> clear dialer sessions Removes all dialer sessions and disconnects links. Router> clear ip route download {* | network-number network-mask | reload} Removes all or specified IP routes on the router. With the reload option, forces reload of dynamic static routes before the update timer expires. Router> show dialer sessions Displays all dialer sessions. Router> show ip route [static [download]] Displays all static IP routes or those installed using the AAA route download function. AAA server NAS2 NAS1 DNS server 18080 Remote ISDN SGBP stack Configuring Large-Scale Dial-Out Configuration Examples for Large-Scale Dial-Out DC-691 Cisco IOS Dial Technologies Configuration Guide At the console for NAS1, ping 20.1.1.1. This action creates a multilink bundle with two links. NAS1 dials out the first link, and NAS2 dials out the second link. The router named Remote is using the CHAP host name echo-8.cisco.com. A user profile for NAS1 on an Ascend RADIUS server is listed in the section “User Profile on an Ascend RADIUS Server for NAS1 Example” later in this chapter. Primary Network Access Server Configuration for NAS1 version 12.0 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname NAS1 ! aaa new-model aaa authentication ppp default radius local aaa authorization network default radius none aaa authorization configuration default radius aaa route download 720 enable password 7 1236173C1B0F ! username NAS2 password 7 05080F1C2243 username NAS1 password 7 030752180500 username dialbid password 7 121A0C041104 username echo-8.cisco.com password 7 02050D480809 ip subnet-zero ip domain-name cisco.com ip name-server 172.31.2.132 ip name-server 172.22.30.32 ! virtual-profile virtual-template 2 ! sgbp group dialbid sgbp seed-bid offload sgbp member NAS2 172.21.17.17 sgbp dial-bids isdn switch-type basic-5ess ! ! interface Ethernet 0 ip address 172.21.17.18 255.255.255.0 no ip directed-broadcast no ip mroute-cache media-type 10BaseT no cdp enable ! interface Virtual-Template 1 ip address 10.1.1.1 255.255.255.252 no ip directed-broadcast ! interface Virtual-Template 2 ip unnumbered Virtual-Template 1 no ip directed-broadcast ppp multilink multilink load-threshold 1 outbound ! interface BRI 0 description PBX 60043 no ip address no ip directed-broadcast encapsulation ppp Configuring Large-Scale Dial-Out Configuration Examples for Large-Scale Dial-Out DC-692 Cisco IOS Dial Technologies Configuration Guide dialer rotary-group 1 isdn switch-type basic-5ess no fair-queue ! interface Dialer 1 ip unnumbered Ethernet 0 no ip directed-broadcast encapsulation ppp no ip mroute-cache dialer in-band dialer dns dialer aaa dialer hold-queue 5 dialer congestion-threshold 5 dialer reserved-links 1 0 dialer-group 1 no fair-queue ppp authentication chap callin ppp multilink ! router eigrp 200 redistribute connected redistribute static network 172.21.0.0 ! ip default-gateway 172.21.17.1 ip classless ip route 0.0.0.0 0.0.0.0 172.21.17.1 ! dialer-list 1 protocol ip permit radius-server host 172.31.61.87 auth-port 1645 acct-port 1646 radius-server key foobar ! end Secondary Network Access Server Configuration for NAS2 version 12.0 service timestamps debug datetime msec service timestamps log uptime service password-encryption ! hostname NAS2 ! boot system flash aaa new-model aaa authentication ppp default radius local aaa authorization network default radius none aaa authorization configuration default radius enable password 7 022916700202 ! username NAS1 password 7 104D000A0618 username dialbid password 7 070C285F4D06 username echo-8.cisco.com password 7 0822455D0A16 ip subnet-zero ip domain-name cisco.com ip name-server 172.22.30.32 ip name-server 172.31.2.132 ! virtual-profile virtual-template 2 ! sgbp group dialbid sgbp member NAS1 172.21.17.18 Configuring Large-Scale Dial-Out Configuration Examples for Large-Scale Dial-Out DC-693 Cisco IOS Dial Technologies Configuration Guide sgbp dial-bids isdn switch-type basic-5ess ! interface Ethernet 0 ip address 172.21.17.17 255.255.255.0 no ip directed-broadcast media-type 10BaseT ! interface Virtual-Template 1 ip address 10.1.1.1 255.255.255.252 no ip directed-broadcast ! interface Virtual-Template 2 ip unnumbered Virtual-Template 1 no ip directed-broadcast ppp multilink multilink load-threshold 1 outbound ! interface BRI 0 no ip address no ip directed-broadcast encapsulation ppp dialer rotary-group 0 isdn switch-type basic-5ess no fair-queue ! interface Dialer 0 ip unnumbered Ethernet 0 no ip directed-broadcast encapsulation ppp dialer in-band dialer dns dialer aaa dialer hold-queue 5 dialer congestion-threshold 5 dialer reserved-links 1 0 dialer-group 1 no fair-queue ppp authentication chap callin ppp multilink ! router eigrp 200 redistribute connected redistribute static network 172.21.0.0 ! ip default-gateway 172.21.17.1 ip classless ip route 0.0.0.0 0.0.0.0 172.21.17.1 ! dialer-list 1 protocol ip permit ! radius-server host 172.31.61.87 auth-port 1645 acct-port 1646 radius-server key foobar ! end Configuring Large-Scale Dial-Out Configuration Examples for Large-Scale Dial-Out DC-694 Cisco IOS Dial Technologies Configuration Guide Remote Router Configuration version 12.0 service timestamps debug datetime msec service timestamps log uptime service password-encryption service udp-small-servers service tcp-small-servers ! hostname Remote ! boot system flash enable password 7 002B012D0D5F ! username dialbid password 7 14141B180F0B ip subnet-zero no ip domain-lookup ! isdn switch-type basic-5ess ! interface Loopback 0 ip address 172.31.229.41 255.255.255.255 no ip directed-broadcast no ip route-cache no ip mroute-cache ! interface Loopback 1 ip address 10.1.1.1 255.255.255.0 no ip directed-broadcast no ip route-cache no ip mroute-cache ! interface Loopback 2 ip address 10.1.2.1 255.255.255.0 no ip directed-broadcast no ip route-cache no ip mroute-cache ! interface Loopback 3 ip address 10.3.1.1 255.255.255.0 no ip directed-broadcast no ip route-cache no ip mroute-cache ! interface Ethernet 0 ip address 172.21.12.15 255.255.255.0 no ip directed-broadcast no ip route-cache no ip mroute-cache ! interface BRI 0 no ip address no ip directed-broadcast encapsulation ppp no ip route-cache no ip mroute-cache dialer rotary-group 3 dialer-group 1 isdn switch-type basic-5ess no fair-queue ! interface Dialer 3 ip unnumbered Loopback 0 no ip directed-broadcast Configuring Large-Scale Dial-Out Configuration Examples for Large-Scale Dial-Out DC-695 Cisco IOS Dial Technologies Configuration Guide encapsulation ppp no ip route-cache no ip mroute-cache dialer in-band dialer idle-timeout 10000 dialer-group 1 no fair-queue ppp authentication chap callin ppp chap hostname echo-8.cisco.com ppp chap password 7 045802150C2E ppp multilink ! ip default-gateway 172.21.12.1 ip classless ip route 0.0.0.0 0.0.0.0 1.1.1.1 ! dialer-list 1 protocol ip permit User Profile on an Ascend RADIUS Server for NAS1 Example The following example shows a dial-out profile and a static route download profile in AAA. The dial-out profile username must have “-out” appended to it. The static route download profile username always has “-N” appended. The router downloads NAS1-1, NAS1-2, through NAS1-N. When NAS1-N fails, the router does not try NAS1-N+1. The static route download profile cannot have more than 50 static routes defined. echo-8.cisco.com-out Password = "cisco", User-Service-Type = Outbound-User cisco-avpair = "outbound:addr=172.31.229.41", cisco-avpair = "outbound:dial-number=60039", NAS1-1 Password = "cisco" User-Service-Type = Outbound-User, cisco-avpair = "ip:route=10.1.3.0 255.255.255.0 172.31.229.41 200", cisco-avpair = "ip:route=10.1.2.0 255.255.255.0 172.31.229.41 200", cisco-avpair = "ip:route=10.1.1.0 255.255.255.0 172.31.229.41 200", cisco-avpair = "ip:route=172.31.229.41 255.255.255.255 Dialer1 200 name echo-8.cisco.com" Note Note that all text between quotation marks must be typed on one line. Static routes can also be defined using the Framed-Route Internet Engineering Task Force (IETF) standard. The following example shows how the previous example for NAS1 would look using the Framed-Route IETF standard: NAS1-1 Password = "cisco" User-Service-Type = Outbound-User, Framed-Route = "10.1.3.0/24 172.31.229.41.200", Framed-Route = "10.1.2.0/24 172.31.229.41.200", Framed-Route = "10.1.1.0/24 172.31.229.41.200", Framed-Route = "172.31.229.41/32 Dialer1 200 name echo-8.cisco.com" Configuring Large-Scale Dial-Out Configuration Examples for Large-Scale Dial-Out DC-696 Cisco IOS Dial Technologies Configuration Guide Asynchronous Dialing Configuration Examples Large-scale dial-out supports dialing out using an asynchronous line. This type of dialing requires that a chat script be configured and that the script dialer command be configured in the line commands for any asynchronous interface that may be dialing out. The following examples are provided in this section: • Asynchronous Dialing Example • Asynchronous and Synchronous Dialing Example Asynchronous Dialing Example The following example shows an asynchronous dialing configuration: chat-script dial "" "ATZ" OK "ATDT\T" TIMEOUT 60 CONNECT ! interface Async 1 no ip address no ip directed-broadcast encapsulation ppp dialer in-band dialer rotary-group 0 async dynamic address async dynamic routing async mode dedicated no cdp enable ! interface Dialer 0 ip address 172.21.30.32 255.255.255.0 no ip directed-broadcast encapsulation ppp no ip mroute-cache bandwidth 64 dialer in-band dialer idle-timeout 60 dialer enable-timeout 10 dialer hold-queue 50 dialer-group 1 no cdp enable ! line 1 script dialer dial modem InOut transport input all Asynchronous and Synchronous Dialing Example The following example creates a dialer rotary group for the asynchronous interfaces and a dialer rotary group for the PRI interfaces. Any dial-in or dial-out reservations are applied only to the PRI dialer interface. In the following configuration example: • Destinations that require modem calls have static routes that point to Dialer 0. • Destinations that require digital connections have static routes that point to Dialer 1. • The dialer reserved-links command applies to all connections made over the PRI interfaces in dialer rotary group 1, even if they come from an asynchronous interface. Configuring Large-Scale Dial-Out Configuration Examples for Large-Scale Dial-Out DC-697 Cisco IOS Dial Technologies Configuration Guide chat-script dial "" "ATZ" OK "ATDT\T" TIMEOUT 60 CONNECT ! interface Serial 0:23 no ip address no ip directed-broadcast no keepalive dialer rotary-group 1 isdn switch-type primary-5ess isdn incoming-voice modem no cdp enable ! interface Async 1 no ip address no ip directed-broadcast encapsulation ppp dialer in-band dialer rotary-group 0 async dynamic address async dynamic routing async mode dedicated no cdp enable ! interface Dialer 0 ip address 172.21.30.32 255.255.255.0 no ip directed-broadcast encapsulation ppp no ip mroute-cache bandwidth 64 dialer in-band dialer dns dialer aaa dialer idle-timeout 60 dialer enable-timeout 10 dialer hold-queue 50 dialer-group 1 no cdp enable ! interface Dialer 1 ip address unnumbered eth0 no ip directed-broadcast dialer in-band dialer dns dialer aaa dialer reserved-links 22 0 no cdp enable ! line 1 script dialer dial modem InOut transport input all Configuring Large-Scale Dial-Out Configuration Examples for Large-Scale Dial-Out DC-698 Cisco IOS Dial Technologies Configuration Guide DC-699 Cisco IOS Dial Technologies Configuration Guide Configuring per-User Configuration This chapter describes per-user configuration, a large-scale dial solution. It includes the following main sections: • Per-User Configuration Overview • How to Configure a AAA Server for Per-User Configuration • Monitoring and Debugging Per-User Configuration Settings • Configuration Examples for Per-User Configuration This set of features is supported on all platforms that support Multilink PPP (MLP). A virtual access interface created dynamically for any user dial-in session is deleted when the session ends. The resources used during the session are returned for other dial-in uses. When a specific user dials in to a router, the use of a per-user configuration from an authentication, authorization, and accounting (AAA) server requires that AAA is configured on the router and that a configuration for that user exists on the AAA server. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the commands mentioned in this chapter, refer to the Cisco IOS Dial Technologies Command Reference, Release 12.2 and the Cisco IOS Security Command Reference, Release 12.2. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. Per-User Configuration Overview Per-user configuration provides a flexible, scalable, easily maintained solution for customers with a large number of dial-in users. This solution can tie together the following dial-in features: • Virtual template interfaces, generic interface configuration and router-specific configuration information stored in the form of a virtual template interface that can be applied (cloned ) to a virtual access interface each time any user dials in. This configuration is described in the chapter “Configuring Virtual Template Interfaces” in this publication. • AAA per-user security and interface configuration information stored on a separate AAA server and sent by the AAA server to the access server or router in response to authorization requests during the PPP authentication phase. The per-user configuration information can add to or override the generic configuration on a virtual interface. Configuring per-User Configuration Per-User Configuration Overview DC-700 Cisco IOS Dial Technologies Configuration Guide • Virtual profiles, which can use either or both of the two sources of information listed in the previous bullets for virtual interface configuration. When a user dials in, virtual profiles can apply the generic interface configuration and then apply the per-user configuration to create a unique virtual access interface for that user. This configuration is described in the chapter “Configuring Virtual Profiles” in this publication. The per-user configuration feature provides these benefits: • Maintenance ease for service providers with a large number of access servers and a very large number of dial-in users. Service providers need not update all their routers and access servers when user-specific information changes; instead, they can update one AAA server. • Scalability. By separating generic virtual interface configuration on the router from the configuration for each individual, Internet service providers and other enterprises with large numbers of dial-in users can provide a uniquely configured interface for each individual user. In addition, by separating the generic virtual interface configuration from the physical interfaces on the router, the number and types of physical interfaces on the router or access server are not intrinsic barriers to growth. General Operational Processes In general, the per-user configuration process on the Cisco router or network access server proceeds as follows: 1. The user dials in. 2. The authentication and authorization phases occur. a. If AAA is configured, the router sends an authorization request to the AAA server. b. If the AAA server has information (attribute-value or AV pairs, or other configuration parameters) that defines a configuration for the specific user, the server includes it in the information in the approval response packet. Figure 98 illustrates the request and response part of the process that happens when a user dials in, given that AAA is configured and that the AAA server has per-user configuration information for the dial-in user. c. The router looks for AV pairs in the AAA approval response. d. The router caches the configuration parameters. Note TACACS servers treat authentication and authorization as two phases; RADIUS servers combine authentication and authorization into a single step. For more detailed information, refer to your server documentation. Configuring per-User Configuration Per-User Configuration Overview DC-701 Cisco IOS Dial Technologies Configuration Guide Figure 98 Per-User Configuration Authentication and Authorization 3. A virtual access interface is created for this user. a. The router finds the virtual template that is set up for virtual profiles, if any, and applies the commands to the virtual access interface. b. The router looks for the AV pairs to apply to this virtual access interface to configure it for the dial-in user. c. The AV pairs are sent to the Cisco IOS command-line parser, which interprets them as configuration commands and applies them to configure this virtual access interface. The result of this process is a virtual access interface configured uniquely for the dial-in user. When the user ends the call, the virtual access interface is deleted and its resources are returned for other dial-in uses. Note The use of virtual profiles can modify the process that occurs between the user dial-in and the use of AAA configuration information. For more information, see the chapter “Configuring Virtual Profiles” in this publication. Operational Processes with IP Address Pooling During IP Control Protocol (IPCP) address negotiation, if an IP pool name is specified for a user, the network access server checks whether the named pool is defined locally. If it is, no special action is required and the pool is consulted for an IP address. If the required pool is not present (either in the local configuration or as a result of a previous download operation), an authorization call to obtain it is made using the special username: pools-nas-name where nas-name is the configured name of the network access server. In response, the AAA server downloads the configuration of the required pool. This pool username can be changed using Cisco IOS configuration, for example: aaa configuration config-name nas1-pools-definition.cisco.us This command has the effect of changing the username that is used to download the pool definitions from the default name “pools-nas-name” to “nas1-pools-definition.cisco.com.” 2. Authorization request Network access server or router 3. Approval response packet contains AV pairs 4. Cisco network access server or router caches the AV pairs AAA server 1. ISDN user dials in S5870 Configuring per-User Configuration Per-User Configuration Overview DC-702 Cisco IOS Dial Technologies Configuration Guide On a TACACS+ server, the entries for an IP address pool and a user of the pool might be as follows: user = nas1-pools { service = ppp protocol = ip { pool-def#1 = "aaa 10.0.0.1 10.0.0.3" pool-def#2 = "bbb 10.1.0.1 10.1.0.10" pool-def#3 = "ccc 10.2.0.1 10.2.0.20" pool-timeout=60 } } user = georgia { login = cleartext lab service = ppp protocol = ip { addr-pool=bbb } } On a RADIUS server, the entries for the same IP address pool and user would be as follows: nas1-pools Password = “cisco” User-Service-Type=Outbound-User cisco-avpair = "ip:pool-def#1=aaa 10.0.0.1 10.0.0.3", cisco-avpair = "ip:pool-def#2=bbb 10.1.0.1 10.1.0.10", cisco-avpair = "ip:pool-def#3=ccc 10.2.0.1 10.2.0.20", cisco-avpair = "ip:pool-timeout=60” georgia Password = “lab” User-Service-Type = Framed-User, Framed-Protocol = PPP, cisco-avpair = “ip:addr-pool=bbb” Note This entry specifies a User-Service-Type of Outbound-User. This attribute is supplied by the network access server to prevent ordinary logins from using the well-known username and password combination of nas1-pools/cisco. Pools downloaded to a Cisco network access server are not retained in nonvolatile memory and automatically disappear whenever the access server or router restarts. Downloaded pools can also be made to time out automatically by adding a suitable AV pair. For more information, see the section “Supported Attrubutes for AV Pairs” and the pool-timeout attribute in Table 37. Downloaded pools are marked as dynamic in the output of the show ip local pool command. Deleting Downloaded Pools To delete downloaded pools, you can do either of the following: • Manually delete the definition from the network access server. For example, if “bbb” is the name of a downloaded pool, you can enter the Cisco IOS no ip local pool bbb command. Deleting a pool definition does not interrupt service for current users. If a pool is deleted and then redefined to include a pool address that is currently allocated, the new pool understands and tracks the address as expected. • Set an AV pair pool-timeout value; this is a more desirable solution. The pool-timeout AV pair starts a timer when the pool is downloaded. Once the timer expires, the pools are deleted. The next reference to the pools again causes an authorization call to be made, and the pool definition is downloaded again. This method allows definitions to be made and changed on the AAA server and propagated to network access servers. Configuring per-User Configuration Per-User Configuration Overview DC-703 Cisco IOS Dial Technologies Configuration Guide Supported Attributes for AV Pairs Table 37 provides a partial list of the Cisco-specific supported attributes for AV pairs that can be used for per-user virtual interface configuration. For complete lists of Cisco-specific, vendor-specific, and TACACS+ supported attributes, see the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference. Table 37 Partial List of Cisco-Specific Supported AV Pair Attributes Attribute Meaning inacl# An input access list definition. For IP, standard or extended access list syntax can be used, although you cannot mix them within a single list. For Internet Protocol Exchange (IPX), only extended syntax is recognized. The value of this attribute is the text that comprises the body of a named access list definition. outacl#1 1. The “outacl” attribute still exists and retains its old meaning. An output access list definition. For IP, standard or extended access list syntax can be used. For IPX, only extended syntax is recognized. The value of this attribute is the text that comprises the body of a named access list definition. rte-fltr-in# An input route filter. For IP, standard or extended access list syntax can be used, although you cannot mix them within a single list. For IPX, only extended syntax is recognized. The first line of this filter must specify a routing process. Subsequent lines comprise the body of a named access list. rte-fltr-out# An output route filter. For IP, standard or extended access list syntax can be used, although you cannot mix them within a single list. For IPX, only extended syntax is recognized. The first line of this filter must specify a routing process. Subsequent lines comprise the body of a named access list. route#2 2. The “route” attribute, without a trailing #, is still recognized for backward compatibility with the TACACS+ protocol specification, but if multiple static routes are required in TACACS+, full “route#” names will need to be employed. Static routes, for IP and IPX. The value is text of the form destination-address mask [gateway]. sap# IPX static Service Advertising Protocol (SAP). The value is text from the body of an ipx sap configuration command. sap-fltr-in# IPX input SAP filter. Only extended access list syntax is recognized. The value is text from the body of an extended IPX access-list configuration command. (The Novell socket number for SAP filtering is 452.) sap-fltr-out# IPX output SAP filter. Only extended access-list command syntax is recognized. The value is text from the body of an extended IPX access-list configuration command. pool-def# An IP pool definition. The value is text from the body of an ip local pool configuration command. pool-timeout An IP pool definition. The body is an integer representing a timeout, in minutes. Configuring per-User Configuration Per-User Configuration Overview DC-704 Cisco IOS Dial Technologies Configuration Guide Table 38 provides examples for each attribute on an AAA TACACS+ server. Table 39 provides examples for each attribute on an AAA RADIUS server. Table 38 TACACS+ Server AV Pair Examples for Each Attribute Attribute TACACS+ Server Examples inacl# IP: inacl#3="permit ip any any precedence immediate" inacl#4="deny igrp 10.0.1.2 255.255.0.0 any" IPX: inacl#1="deny 3C01.0000.0000.0001" inacl#2="deny 4C01.0000.0000.0002" outacl# outacl#2="permit ip any any precedence immediate" outacl#3="deny igrp 10.0.9.10 255.255.0.0 any" rte-fltr-in# IP: rte-fltr-in#1="router igrp 60" rte-fltr-in#3="permit 10.0.3.4 255.255.0.0" rte-fltr-in#4="deny any" IPX: rte-fltr-in#1="deny 3C01.0000.0000.0001" rte-fltr-in#2="deny 4C01.0000.0000.0002" rte-fltr-out# rte-fltr-out#1="router igrp 60" rte-fltr-out#3="permit 10.0.5.6 255.255.0.0" rte-fltr-out#4="permit any" route# IP: route#1="10.0.0.0 255.0.0.0 1.2.3.4" route#2="10.1.0.0 255.0.0.0" IPX: route#1="4C000000 ff000000 10.12.3.4" route#2="5C000000 ff000000 10.12.3.5" sap# sap#1="4 CE1-LAB 1234.0000.0000.0001 451 4" sap#2="5 CE3-LAB 2345.0000.0000.0001 452 5" sap-fltr-in# sap-fltr-in#1="deny 6C01.0000.0000.0001" sap-fltr-in#2="permit -1" sap-fltr-out# sap-fltr-out#1="deny 6C01.0000.0000.0001" sap-fltr-out#2="permit -1" pool-def# pool-def#1 = "aaa 10.0.0.1 1.0.0.3" pool-def#2 = "bbb 10.1.0.1 2.0.0.10" pool-def#3 = "ccc 10.2.0.1 3.0.0.20" pool-timeout pool-timeout=60 Table 39 RADIUS Server AV Pair Examples for Each Attribute Attribute RADIUS Server Examples lcp:interface-config1 cisco-avpair = "lcp:interface-config=ip address 10.0.0.0 255.255.255.0", inacl# cisco-avpair = "ip:inacl#3=permit ip any any precedence immediate", cisco-avpair = "ip:inacl#4=deny igrp 10.0.1.2 255.255.0.0 any", Configuring per-User Configuration How to Configure a AAA Server for Per-User Configuration DC-705 Cisco IOS Dial Technologies Configuration Guide How to Configure a AAA Server for Per-User Configuration The configuration requirements and the structure of per-user configuration information is set by the specifications of each type of AAA server. Refer to your server documentation for more detailed information. The following sections about TACACS and RADIUS servers are specific to per-user configuration: • Configuring a Freeware TACACS Server for Per-User Configuration (As required) • Configuring a CiscoSecure TACACS Server for Per-User Configuration (As required) • Configuring a RADIUS Server for Per-User Configuration (As required) See the section “Monitoring and Debugging Per-User Configuration Settings” later in this chapter for tips on troubleshooting per-user configuration settings. See the section “Configuration Examples for Per-User Configuration” at the end of this chapter for examples of configuring RADIUS and TACACS servers. outacl# cisco-avpair = "ip:outacl#2=permit ip any any precedence immediate", cisco-avpair = "ip:outacl#3=deny igrp 10.0.9.10 255.255.0.0 any", rte-fltr-in# IP: cisco-avpair = "ip:rte-fltr-in#1=router igrp 60", cisco-avpair = "ip:rte-fltr-in#3=permit 10.0.3.4 255.255.0.0", cisco-avpair = "ip:rte-fltr-in#4=deny any", IPX: cisco-avpair = "ipx:rte-fltr-in=deny 3C01.0000.0000.0001", rte-fltr-out# cisco-avpair = "ip:rte-fltr-out#1=router igrp 60", cisco-avpair = "ip:rte-fltr-out#3=permit 10.0.5.6 255.255.0.0", cisco-avpair = "ip:rte-fltr-out#4=permit any", route# IP: cisco-avpair = "ip:route=3.10.0.0 255.0.0.0 1.2.3.4", cisco-avpair = "ip:route=4.10.0.0 255.0.0.0", IPX: cisco-avpair = "ipx:route=4C000000 ff000000 10.12.3.4", cisco-avpair = "ipx:route=5C000000 ff000000 10.12.3.5" sap# cisco-avpair = "ipx:sap=4 CE1-LAB 1234.0000.0000.0001 451 4", cisco-avpair = "ipx:sap=5 CE3-LAB 2345.0000.0000.0001 452 5", sap-fltr-in# cisco-avpair = "ipx:sap-fltr-in=deny 6C01.0000.0000.0001", cisco-avpair = "ipx:sap-fltr-in=permit -1" sap-fltr-out# cisco-avpair = "ipx:sap-fltr-out=deny 6C01.0000.0000.0001", cisco-avpair = "ipx:sap-fltr-out=permit -1" pool-def# cisco-avpair = "ip:pool-def#1=aaa 10.0.0.1 1.0.0.3", cisco-avpair = "ip:pool-def#2=bbb 10.1.0.1 2.0.0.10", cisco-avpair = "ip:pool-def#3=ccc 10.2.0.1 3.0.0.20", pool-timeout cisco-avpair = "ip:pool-timeout=60" 1. This attribute is specific to RADIUS servers. It can be used to add Cisco IOS interface configuration commands to specific user configuration information. Table 39 RADIUS Server AV Pair Examples for Each Attribute (continued) Attribute RADIUS Server Examples Configuring per-User Configuration How to Configure a AAA Server for Per-User Configuration DC-706 Cisco IOS Dial Technologies Configuration Guide Configuring a Freeware TACACS Server for Per-User Configuration On a TACACS server, the entry in the user file takes a standard form. In the freeware version of TACACS+, the following lines appear in order: • “User =” followed by the username, a space, and an open brace • Authentication parameters • Authorization parameters • One or more AV pairs • End brace on a line by itself The general form of a freeware TACACS user entry is shown in the following example: user = username { authentication parameters go here authorization parameters go here } The freeware TACACS user entry form is also shown by the following examples for specific users: user= Router1 Password= cleartext welcome Service= PPP protocol= ip { ip:route=10.0.0.0 255.0.0.0 ip:route=10.1.0.0 255.0.0.0 ip:route=10.2.0.0 255.0.0.0 ip:inacl#5=deny 10.5.0.1 } user= Router2 Password= cleartext lab Service= PPP protocol= ip { ip:addr-pool=bbb } For more requirements and detailed information, refer to your AAA server documentation. Configuring a CiscoSecure TACACS Server for Per-User Configuration The format of an entry in the user file in the AAA database is generally name = value. Some values allow additional subparameters to be specified and, in these cases, the subparameters are enclosed in braces ({}). The following simple example depicts an AAA database showing the default user, one group, two users that belong to the group, and one user that does not: # Sample AA Database 1 unknown_user = { password = system #Use the system's password file (/etc/passwd) } group = staff { # Password for staff who do not have their own. password = des "sefjkAlM7zybE" service = shell { # Allow any commands with any attributes. default cmd = permit default attribute = permit } Configuring per-User Configuration How to Configure a AAA Server for Per-User Configuration DC-707 Cisco IOS Dial Technologies Configuration Guide } user = joe { # joe uses the group password. member = "staff" } user = pete { # pete has his own password. member = "staff" password = des "alkd9Ujiqp2y" } user = anita { # Use the "default" user password mechanism defined above. service = shell { cmd = telnet { # Allow Telnet to any destination } } } For more information about the requirements and details of configuring the CiscoSecure server, see the CiscoSecure UNIX Server User Guide. Configuring a RADIUS Server for Per-User Configuration On a RADIUS server, the format of an entry in the users file includes the following lines in order: • Username and password • User service type • Framed protocol • One or more AV pairs Note All these AV pairs are vendor specific. To use them, RADIUS servers must support the use of vendor-specific AV pairs. Patches for some servers are available from the Cisco Consulting Engineering (CE) customer-support organization. The structure of an AV pair for Cisco platforms starts with cisco-avpair followed by a space, an equal sign, and another space. The rest of the line is within double quotation marks and, for all lines but the last, ends with a comma. Inside the double quotation marks is a phrase indicating the supported attribute, another equal sign, and a Cisco IOS command. The following examples show two different partial user configurations on a RADIUS server. Router1 Password = "welcome" User-Service-Type = Framed-User, Framed-Protocol = PPP, cisco-avpair = “ip:route=10.0.0.0 255.0.0.0”, cisco-avpair = “ip:route=10.1.0.0 255.0.0.0”, cisco-avpair = “ip:route=10.2.0.0 255.0.0.0”, cisco-avpair = “ip:inacl#5=deny 10.5.0.1” Router2 Password = "lab" User-Service-Type = Framed-User, Framed-Protocol = PPP, cisco-avpair = "ip:addr-pool=bbb" Configuring per-User Configuration Monitoring and Debugging Per-User Configuration Settings DC-708 Cisco IOS Dial Technologies Configuration Guide Monitoring and Debugging Per-User Configuration Settings Per-user configuration information exists on AAA servers only and is configured there, as described in the “How to Configure a AAA Server for Per-User Configuration” section. For more information about configuring an application that can tie AAA per-user configuration information to generic interface and router configuration, see the chapter “Configuring Virtual Profiles” in this publication. Virtual profiles are required for combining per-user configuration information and generic interface and router configuration information to create virtual access interfaces for individual ISDN B channels. However, you can monitor and debug the per-user configuration settings on the router or access server that are set from an AAA server. Table 40 indicates some of the commands to use for each attribute. Configuration Examples for Per-User Configuration The following sections provide two comprehensive examples: • TACACS+ Freeware Examples • RADIUS Examples These examples show router or access server configuration and AV pair configuration on an AAA server. TACACS+ Freeware Examples This section provides the TACACS+ freeware versions of the following examples: • IP Access Lists and Static Routes Using Virtual Profiles over ISDN BRI • IPX Per-User SAP Filters Using IPXWAN and Virtual Profiles by a Synchronous Interface Table 40 Monitoring and Debugging Per-User Configuration Commands Attribute show Commands debug Commands inacl# outacl# show ip access-list show ip interface interface show ipx access-list show ipx interface debug aaa authorization debug aaa per-user rte-fltr-in# rte-fltr-out# show ip access-list show ip protocols debug aaa authorization debug aaa per-user route# show ip route show ipx route debug aaa authorization debug aaa per-user sap# show ipx servers debug aaa authorization debug aaa per-user sap-fltr-in# sap-fltr-out# show ipx access-list show ipx interface debug aaa authorization debug aaa per-user pool-def# pool-timeout show ip local pool [name] — Configuring per-User Configuration Configuration Examples for Per-User Configuration DC-709 Cisco IOS Dial Technologies Configuration Guide IP Access Lists and Static Routes Using Virtual Profiles over ISDN BRI The following example provides configurations for the TACACS+ freeware daemon, the network access server, and the peer router named Router1. On the TACACS+ AAA server, peer router Router1 has a configuration that includes static routes and IP access lists. TACACS+ Freeware Daemon Configuration File key = tac123 user = Router1 { global = cleartext welcome service = ppp protocol = ip { route#1=”10.0.0.0 255.0.0.0" route#2=”10.1.0.0 255.0.0.0" route#3=”10.2.0.0 255.0.0.0" inacl#1=”deny 10.5.0.1" } } Current Network Access Server Configuration version 11.3 service timestamps debug datetime localtime service udp-small-servers service tcp-small-servers ! hostname Router2 ! aaa new-model aaa authentication ppp default tacacs+ aaa authorization network tacacs+ enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/ enable password lab ! username Router1 password 7 15050E0007252621 ip host Router2 172.21.114.132 ip domain-name cisco.com ip name-server 172.19.2.132 ip name-server 192.168.30.32 isdn switch-type basic-5ess interface Ethernet 0 ip address 172.21.114.132 255.255.255.224 no ip mroute-cache media-type 10BaseT ! interface Virtual-Template1 ip unnumbered Ethernet0 no cdp enable ! ! interface BRI0 ip unnumbered Ethernet0 no ip mroute-cache encapsulation ppp no ip route-cache dialer idle-timeout 300 dialer map ip 10.5.0.1 name Router1 broadcast 61482 dialer-group 1 no fair-queue ppp authentication chap ! ! Configuring per-User Configuration Configuration Examples for Per-User Configuration DC-710 Cisco IOS Dial Technologies Configuration Guide ip default-gateway 172.21.114.129 no ip classless ip route 0.0.0.0 0.0.0.0 172.21.114.129 ! virtual-profile virtual-template 1 dialer-list 1 protocol ip permit tacacs-server host 172.21.114.130 tacacs-server key tac123 Current Peer Configuration for Router1 version 11.3 no service pad ! hostname Router1 ! enable secret 5 $1$m1WK$RsjborN1Z.XZuFqsrtSnp/ enable password lab ! username Router2 password 7 051C03032243430C ip host Router1 172.21.114.134 ip domain-name cisco.com ip name-server 172.19.2.132 ip name-server 192.168.30.32 isdn switch-type basic-5ess ! interface Ethernet0 ip address 172.21.114.134 255.255.255.224 no ip route-cache shutdown ! interface BRI0 ip address 10.5.0.1 255.0.0.0 encapsulation ppp dialer map ip 172.21.114.132 name Router2 broadcast 61483 dialer-group 1 no fair-queue ! ip default-gateway 172.21.114.129 no ip classless ip route 172.21.0.0 255.255.0.0 BRI0 dialer-list 1 protocol ip permit ! line con 0 exec-timeout 0 0 line vty 0 4 password lab login end Configuring per-User Configuration Configuration Examples for Per-User Configuration DC-711 Cisco IOS Dial Technologies Configuration Guide IPX Per-User SAP Filters Using IPXWAN and Virtual Profiles by a Synchronous Interface The following example provides configurations for the TACACS+ daemon and the peer router named Router1. On the TACACS+ AAA server, user ny has a configuration that includes inbound and outbound SAP filters. TACACS+ Freeware Daemon Configuration File for User key = tac123 user = Router1 { global = cleartext welcome service = ppp protocol = ipx { sap=”101 CYBER-01 40.0000.0000.0001 400 10" sap=”202 CYBER-02 40.0000.0000.0001 401 10" sap=”303 CYBER-03 40.0000.0000.0001 402 10" sap-fltr-out#1=”deny 40 101" sap-fltr-out#2=”deny 40 202" sap-fltr-out#3=”permit -1" sap-fltr-in#1=”permit 30 444" sap-fltr-in#2=”deny -1" Current Remote Peer (Router1) Configuration version 11.3 ! hostname Router1 ! enable password lab ! username Router2 password 7 140017070F0B272E ip host Router1 172.21.114.131 ip name-server 172.19.2.132 ip name-server 192.168.30.32 ipx routing 0000.0c47.090d ipx internal-network 30 ! interface Ethernet0 ip address 172.21.114.131 255.255.255.224 ! interface Serial1 no ip address encapsulation ppp ipx ipxwan 0 unnumbered peer-Router1 clockrate 4000000 ! ipx sap 444 ZEON-4 30.0000.0000.0001 444 10 ipx sap 555 ZEON-5 30.0000.0000.0001 555 10 ipx sap 666 ZEON-6 30.0000.0000.0001 666 10 ! Current Network Access Server (Router2) Configuration version 11.3 service timestamps debug uptime ! hostname Router2 ! aaa new-model aaa authentication ppp default tacacs+ aaa authorization network tacacs+ enable password lab ! username Router1 password 7 044C0E0A0C2E414B ip host LA 172.21.114.133 ip name-server 192.168.30.32 Configuring per-User Configuration Configuration Examples for Per-User Configuration DC-712 Cisco IOS Dial Technologies Configuration Guide ip name-server 172.19.2.132 ipx routing 0000.0c47.12d3 ipx internal-network 40 ! interface Ethernet0 ip address 172.21.114.133 255.255.255.224 ! interface Virtual-Template1 no ip address ipx ipxwan 0 unnumbered nas-Router2 no cdp enable ! interface Serial1 ip unnumbered Ethernet0 encapsulation ppp ipx ipxwan 0 unnumbered nas-Router2 ppp authentication chap ! ipx sap 333 DEEP9 40.0000.0000.0001 999 10 ! virtual-profile virtual-template 1 tacacs-server host 172.21.114.130 tacacs-server key tac123 RADIUS Examples This section provides the RADIUS versions of the following examples: • IP Access Lists and Static Routes Using Virtual Profiles over ISDN BRI • IPX Per-User SAP Filters Using IPXWAN and Virtual Profiles by a Synchronous Interface IP Access Lists and Static Routes Using Virtual Profiles over ISDN BRI The following example shows a remote peer (Router1) configured to dial in to a BRI on a Cisco network access server (Router2), which requests user configuration information from an AAA server (radiusd): RADIUS User File (Router1) Password = "welcome" User-Service-Type = Framed-User, Framed-Protocol = PPP, cisco-avpair = "ip:route=10.1.0.0 255.0.0.0", cisco-avpair = "ip:route=10.2.0.0 255.0.0.0", cisco-avpair = "ip:route=10.3.0.0 255.0.0.0", cisco-avpair = "ip:inacl#5=deny 10.0.0.1" Current Network Access Server Configuration version 11.3 service timestamps debug datetime localtime service udp-small-servers service tcp-small-servers ! hostname Router2 ! aaa new-model aaa authentication ppp default radius aaa authorization network radius enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/ enable password lab Configuring per-User Configuration Configuration Examples for Per-User Configuration DC-713 Cisco IOS Dial Technologies Configuration Guide ! username Router1 password 7 15050E0007252621 ip host Router2 172.21.114.132 ip domain-name cisco.com ip name-server 172.19.2.132 ip name-server 192.168.30.32 isdn switch-type basic-5ess interface Ethernet0 ip address 172.21.114.132 255.255.255.224 no ip mroute-cache media-type 10BaseT ! interface Virtual-Template1 ip unnumbered Ethernet0 no cdp enable ! interface BRI0 ip unnumbered Ethernet0 no ip mroute-cache encapsulation ppp no ip route-cache dialer idle-timeout 300 dialer map ip 10.5.0.1 name Router1 broadcast 61482 dialer-group 1 no fair-queue ppp authentication chap ! ip default-gateway 172.21.114.129 no ip classless ip route 0.0.0.0 0.0.0.0 172.21.114.129 ! virtual-profile vtemplate 1 dialer-list 1 protocol ip permit radius-server host 172.21.114.130 radius-server key rad123 Current Peer Configuration for Router1 version 11.3 no service pad ! hostname Router1 ! enable secret 5 $1$m1WK$RsjborN1Z.XZuFqsrtSnp/ enable password lab ! username Router2 password 7 051C03032243430C ip host Router1 172.21.114.134 ip domain-name cisco.com ip name-server 172.19.2.132 ip name-server 192.168.30.32 isdn switch-type basic-5ess ! interface Ethernet0 ip address 172.21.114.134 255.255.255.224 no ip route-cache shutdown ! interface BRI0 ip address 10.5.0.1 255.0.0.0 encapsulation ppp dialer map ip 172.21.114.132 name Router2 broadcast 61483 dialer-group 1 no fair-queue Configuring per-User Configuration Configuration Examples for Per-User Configuration DC-714 Cisco IOS Dial Technologies Configuration Guide ! ip default-gateway 172.21.114.129 no ip classless ip route 172.21.0.0 255.255.0.0 BRI0 dialer-list 1 protocol ip permit ! line con 0 exec-timeout 0 0 line vty 0 4 password lab login ! end Output of ping Command from Router1 Router1# ping 172.21.114.132 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.21.114.132, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5) (fails due to access list deny) RADIUS Debug Output radrecv: Request from host ac157284 code=1, id=46, length=67 Client-Id = 172.21.114.132 Client-Port-Id = 1112670208 User-Name = “Router1” CHAP-Password = “\037\317\213\326*\236)#+\266\243\255x\331\370v\334” User-Service-Type = Framed-User Framed-Protocol = PPP Sending Ack of id 46 to ac157284 (172.21.114.132) User-Service-Type = Framed-User Framed-Protocol = PPP [Vendor 9] cisco-avpair = “ip:route=10.0.0.0 255.0.0.0” [Vendor 9] cisco-avpair = “ip:route=10.1.0.0 255.0.0.0” [Vendor 9] cisco-avpair = “ip:route=10.2.0.0 255.0.0.0” [Vendor 9] cisco-avpair = “ip:inacl#5=deny 10.0.0.1” Network Access Server (Router2) show and debug Command Output Router2# show debug General OS: AAA Authorization debugging is on PPP: PPP authentication debugging is on Multilink activity debugging is on ISDN: ISDN events debugging is on Dial on demand: Dial on demand events debugging is on VTEMPLATE: Virtual Template debugging is on pr 4 08:30:09: ISDN BR0: received HOST_INCOMING_CALL Bearer Capability i = 0x080010 *Apr 4 08:30:09: ------------------- Channel ID i = 0x0101 *Apr 4 08:30:09: IE out of order or end of ‘private’ IEs -- Bearer Capability i = 0x8890 Configuring per-User Configuration Configuration Examples for Per-User Configuration DC-715 Cisco IOS Dial Technologies Configuration Guide *Apr 4 08:30:09: Channel ID i = 0x89 *Apr 4 08:30:09: Called Party Number i = 0xC1, ‘61483’ *Apr 4 08:30:09: ISDN BR0: Event: Received a call from on B1 at 64 Kb/s *Apr 4 08:30:09: ISDN BR0: Event: Accepting the call %LINK-3-UPDOWN: Interface BRI0:1, changed state to up *Apr 4 08:30:09: ISDN BR0: received HOST_CONNECT Channel ID i = 0x0101 *Apr 4 08:30:09: ------------------- Channel ID i = 0x89 *Apr 4 08:30:09: ISDN BR0: Event: Connected to on B1 at 64 Kb/s *Apr 4 08:30:09: PPP BRI0:1: Send CHAP challenge id=30 to remote *Apr 4 08:30:10: PPP BRI0:1: CHAP response received from Router1 *Apr 4 08:30:10: PPP BRI0:1: CHAP response id=30 received from Router1 *Apr 4 08:30:10: AAA/AUTHOR/LCP: authorize LCP *Apr 4 08:30:10: AAA/AUTHOR/LCP: BRI0:1: (0): user=’Router1’ *Apr 4 08:30:10: AAA/AUTHOR/LCP: BRI0:1: (0): send AV service=ppp *Apr 4 08:30:10: AAA/AUTHOR/LCP: BRI0:1: (0): send AV protocol=lcp *Apr 4 08:30:10: AAA/AUTHOR/LCP: BRI0:1: (2084553184): Method=RADIUS *Apr 4 08:30:10: AAA/AUTHOR (2084553184): Post authorization status = PASS_ADD *Apr 4 08:30:10: PPP BRI0:1: Send CHAP success id=30 to remote *Apr 4 08:30:10: PPP BRI0:1: remote passed CHAP authentication. *Apr 4 08:30:10: VTEMPLATE Reuse vaccess1, New Recycle queue size:0 *Apr 4 08:30:10: VTEMPLATE set default vaccess1 with no ip address *Apr 4 08:30:10: Virtual-Access1 VTEMPLATE hardware address 0000.0c46.154a *Apr 4 08:30:10: VTEMPLATE vaccess1 has a new cloneblk vtemplate, now it has vtemplate *Apr 4 08:30:10: VTEMPLATE undo default settings vaccess1 *Apr 4 08:30:10: VTEMPLATE ************* CLONE VACCESS1 ******************Apr 4 08:30:10: VTEMPLATE Clone from vtemplate1 to vaccess1 interface Virtual-Access1 no ip address encap ppp ip unnumbered ethernet 0 end %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up *Apr 4 08:30:10: AAA/AUTHOR/LCP: authorize LCP *Apr 4 08:30:10: AAA/AUTHOR/LCP: Virtual-Access1: (0): user=’Router1’ *Apr 4 08:30:10: AAA/AUTHOR/LCP: Virtual-Access1: (0): send AV service=ppp *Apr 4 08:30:10: AAA/AUTHOR/LCP: Virtual-Access1: (0): send AV protocol=lcp *Apr 4 08:30:10: AAA/AUTHOR/LCP: Virtual-Access1: (1338953760): Method=RADIUS *Apr 4 08:30:10: AAA/AUTHOR (1338953760): Post authorization status = PASS_ADD *Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): can we start IPCP? *Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): user=’Router1’ *Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): send AV service=ppp *Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): send AV protocol=ip *Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (1716082074): Method=RADIUS *Apr 4 08:30:10: AAA/AUTHOR (1716082074): Post authorization status = PASS_ADD *Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: we can start IPCP (0x8021) *Apr 4 08:30:10: MLP Bad link Virtual-Access1 *Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): can we start UNKNOWN? *Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): user=’Router1’ *Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): send AV service=ppp *Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (0): send AV protocol=unknown *Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: (2526612868): Method=RADIUS *Apr 4 08:30:10: AAA/AUTHOR (2526612868): Post authorization status = PASS_ADD *Apr 4 08:30:10: AAA/AUTHOR/FSM: Virtual-Access1: we can start UNKNOWN (0x8207) *Apr 4 08:30:10: MLP Bad link Virtual-Access1 *Apr 4 08:30:10: BRI0:1: Vaccess started from dialer_remote_name *Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): can we start IPCP? *Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): user=’Router1’ *Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): send AV service=ppp Configuring per-User Configuration Configuration Examples for Per-User Configuration DC-716 Cisco IOS Dial Technologies Configuration Guide *Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): send AV protocol=ip *Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (3920403585): Method=RADIUS *Apr 4 08:30:10: AAA/AUTHOR (3920403585): Post authorization status = PASS_ADD *Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: we can start IPCP (0x8021) *Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): can we start UNKNOWN? *Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): user=’Router1’ *Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): send AV service=ppp *Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (0): send AV protocol=unknown *Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: (3439943223): Method=RADIUS *Apr 4 08:30:10: AAA/AUTHOR (3439943223): Post authorization status = PASS_ADD *Apr 4 08:30:10: AAA/AUTHOR/FSM: BRI0:1: we can start UNKNOWN (0x8207) %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: start: her address 10.0.0.1, we want 0.0.0.0 *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: (0): user=’Router1’ *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: (0): send AV servi*Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: (0): send AV service=ppp *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: (0): send AV protocol=ip *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: (0): send AV addr*10.0.0.1 *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: (3215797579): Method=RADIUS *Apr 4 08:30:13: AAA/AUTHOR (3215797579): Post authorization status = PASS_ADD *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: Processing AV service=ppp *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: Processing AV protocol=ip *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: Processing AV addr*10.0.0.1 *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: Processing AV route=10.1.0.0 255.0.0.0 *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: Processing AV route=10.2.0.0 255.0.0.0 *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: Processing AV route=10.3.0.0 255.0.0.0 *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: Processing AV inacl#5=deny 10.0.0.1 *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: authorization succeeded *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: done: her address 10.0.0.1, we want 10.0.0.1 *Apr 4 08:30:13: AAA/AUTHOR/IPCP: Virtual-Access1: authorization succeeded *Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: parse_cmd ‘ip route 10.0.0.0 255.0.0.0 10.0.0.1’ ok (0) *Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: enqueue peruser IP txt=no ip route 10.0.0.0 255.0.0.0 10.0.0.1 *Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: parse_cmd ‘ip route 11.0.0.0 255.0.0.0 10.0.0.1’ ok (0) *Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: enqueue peruser IP txt=no ip route 11.0.0.0 255.0.0.0 10.0.0.1 *Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: parse_cmd ‘ip route 12.0.0.0 255.0.0.0 10.0.0.1’ ok (0) *Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: enqueue peruser IP txt=no ip route 12.0.0.0 255.0.0.0 10.0.0.1 *Apr 4 08:30:13: AAA/AUTHOR: parse ‘ip access-list standard Virtual-Access1#1’ ok (0) *Apr 4 08:30:13: AAA/AUTHOR: parse ‘deny 10.0.0.1’ ok (0) *Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: enqueue peruser IP txt=no ip access-list standard Virtual-Access1#1 *Apr 4 08:30:13: VTEMPLATE vaccess1 has a new cloneblk AAA, now it has vtemplate/AAA *Apr 4 08:30:13: VTEMPLATE ************* CLONE VACCESS1 ***************** *Apr 4 08:30:13: VTEMPLATE Clone from AAA to vaccess1 interface Virtual-Access1 ip access-group Virtual-Access1#1 in *Apr 4 08:30:13: AAA/AUTHOR: Virtual-Access1: vaccess parse ‘interface Virtual-Access1 ip access-group Virtual-Access1#1 in ‘ ok (0) *Apr 4 08:30:13: AAA/AUTHOR/FSM: Check for unauthorized mandatory AV’s *Apr 4 08:30:13: AAA/AUTHOR/FSM: Processing AV service=ppp *Apr 4 08:30:13: AAA/AUTHOR/FSM: Processing AV protocol=unknown *Apr 4 08:30:13: AAA/AUTHOR/FSM: succeeded %ISDN-6-CONNECT: Interface BRI0:1 is now connected to Router1 Configuring per-User Configuration Configuration Examples for Per-User Configuration DC-717 Cisco IOS Dial Technologies Configuration Guide Router2# show ip access-list Standard IP access list Virtual-Access1#1 (per-user) deny 10.0.0.1 Router2# show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default U - per-user static route, o - ODR Gateway of last resort is 172.21.114.129 to network 0.0.0.0 U 10.0.0.0/8 [1/0] via 10.3.0.1 U 10.1.0.0/8 [1/0] via 10.3.0.1 U 10.2.0.0/8 [1/0] via 10.3.0.1 10.3.0.0/8 is subnetted, 1 subnets C 10.3.0.1 is directly connected, Virtual-Access1 172.21.0.0/16 is subnetted, 1 subnets C 172.21.114.128 is directly connected, Ethernet0 S* 0.0.0.0/0 [1/0] via 172.21.114.129 Router2# show interfaces virtual-access 1 Virtual-Access1 is up, line protocol is up Hardware is Virtual Access interface Interface is unnumbered. Using address of Ethernet0 (172.21.114.132) MTU 1500 bytes, BW 64 Kbit, DLY 100000 usec, rely 255/255, load 1/255 Encapsulation PPP, loopback not set, keepalive set (10 sec) DTR is pulsed for 5 seconds on reset LCP Open, multilink Closed Open: IPCP, CDP Last input 5d04h, output never, output hang never Last clearing of “show interface” counters 00:06:42 Queueing strategy: fifo Output queue 0/40, 0 drops; input queue 0/75, 0 drops 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 76 packets input, 3658 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 141 packets output, 2909 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions Router2# show ip interface virtual-access 1 Virtual-Access1 is up, line protocol is up Interface is unnumbered. Using address of Ethernet0 (172.21.114.132) Broadcast address is 255.255.255.255 Peer address is 10.0.0.1 MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is enabled Outgoing access list is not set Inbound access list is Virtual-Access1#1 Proxy ARP is enabled Security level is default Configuring per-User Configuration Configuration Examples for Per-User Configuration DC-718 Cisco IOS Dial Technologies Configuration Guide Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is disabled Router2# debug ip packet IP packet debugging is on Router2# *Apr 4 08:30:42: IP: s=172.21.114.129 (Ethernet0), d=255.255.255.255, len 186, rcvd 2 *Apr 4 08:30:42: IP: s=10.0.0.1 (Virtual-Access1), d=172.21.114.132, len 104, a*Apr 4 08:30:42: IP: s=10.0.0.1 (Virtual-Access1), d=172.21.114.132, len 104, access denied *Apr 4 08:30:42: IP: s=172.21.114.132 (local), d=10.0.0.1 (Virtual-Access1), len 4, sending *Apr 4 08:30:42: IP: s=10.0.0.1 (Virtual-Access1), d=172.21.114.132, len 104, access denied *Apr 4 08:30:44: IP: s=10.0.0.1 (Virtual-Access1), d=172.21.114.132, len 104, access denied *Apr 4 08:30:44: IP: s=172.21.114.132 (local), d=10.0.0.1 (Virtual-Access1), len 16, sending *Apr 4 08:30:44: IP: s=10.0.0.1 (Virtual-Access1), d=172.21.114.132, len 104, access denied IPX Per-User SAP Filters Using IPXWAN and Virtual Profiles by a Synchronous Interface The following examples show a remote peer (Router1) configured to dial in to a synchronous interface on a Cisco network access server (Router2), which requests user configuration information from an AAA server (radiusd): RADIUS User File (Router 1) Password = "welcome" User-Service-Type = Framed-User, Framed-Protocol = PPP, cisco-avpair = "ipx:sap=101 CYBER-01 40.0000.0000.0001 400 10", cisco-avpair = "ipx:sap=202 CYBER-02 40.0000.0000.0001 401 10", cisco-avpair = "ipx:sap=303 CYBER-03 40.0000.0000.0001 402 10", cisco-avpair = "ipx:sap-fltr-out#20=deny 40 101", cisco-avpair = "ipx:sap-fltr-out#21=deny 40 202", cisco-avpair = "ipx:sap-fltr-out#22=permit -1", cisco-avpair = "ipx:sap-fltr-in#23=permit 30 444", cisco-avpair = "ipx:sap-fltr-in#23=deny -1" Current Remote Peer (Router 1) Configuration hostname Router1 ! enable password lab ! username Router2 password 7 140017070F0B272E ip host Router1 172.21.114.131 ip name-server 172.19.2.132 ip name-server 192.168.30.32 ipx routing 0000.0c47.090d ipx internal-network 30 ! interface Ethernet0 ip address 172.21.114.131 255.255.255.224 ! Configuring per-User Configuration Configuration Examples for Per-User Configuration DC-719 Cisco IOS Dial Technologies Configuration Guide interface Serial1 no ip address encapsulation ppp ipx ipxwan 0 unnumbered peer-Router1 clockrate 4000000 ! ipx sap 444 ZEON-4 30.0000.0000.0001 444 10 ipx sap 555 ZEON-5 30.0000.0000.0001 555 10 ipx sap 666 ZEON-6 30.0000.0000.0001 666 10 ! ... version 12.1 service timestamps debug uptime ! hostname Router2 ! aaa new-model aaa authentication ppp default radius aaa authorization network radius enable password lab ! username Router1 password 7 044C0E0A0C2E414B ip host Router2 172.21.114.133 ip name-server 172.22.30.32 ip name-server 192.168.2.132 ipx routing 0000.0c47.12d3 ipx internal-network 40 ! interface Ethernet0 ip address 172.21.114.133 255.255.255.224 ! interface Virtual-Template1 no ip address ipx ipxwan 0 unnumbered nas-Router2 no cdp enable ! interface Serial1 ip unnumbered Ethernet0 encapsulation ppp ipx ipxwan 0 unnumbered nas-Router2 ppp authentication chap ! ipx sap 333 DEEP9 40.0000.0000.0001 999 10 ! virtual-profile vtemplate 1 radius-server host 172.21.114.130 radius-server key rad123 RADIUS debug Output radrecv: Request from host ac157285 code=1, id=23, length=67 Client-Id = 172.21.114.133 Client-Port-Id = 1399128065 User-Name = “Router1” CHAP-Password = “%”(\012I$\262\352\031\276\024\302\277\225\347z\274” User-Service-Type = Framed-User Framed-Protocol = PPP Sending Ack of id 23 to ac157285 (172.21.114.133) User-Service-Type = Framed-User Framed-Protocol = PPP [Vendor 9] cisco-avpair = “ipx:sap=101 CYBER-01 40.0000.0000.0001 400 10” [Vendor 9] cisco-avpair = “ipx:sap=202 CYBER-02 40.0000.0000.0001 401 10” [Vendor 9] cisco-avpair = “ipx:sap=303 CYBER-03 40.0000.0000.0001 402 10” [Vendor 9] cisco-avpair = “ipx:sap-fltr-out#20=deny1 40 101” Configuring per-User Configuration Configuration Examples for Per-User Configuration DC-720 Cisco IOS Dial Technologies Configuration Guide [Vendor 9] cisco-avpair = “ipx:sap-fltr-out#21=deny 40 202” [Vendor 9] cisco-avpair = “ipx:sap-fltr-out#22=permit -1” [Vendor 9] cisco-avpair = “ipx:sap-fltr-in#23=permit 30 444” [Vendor 9] cisco-avpair = “ipx:sap-fltr-in#23=deny -1” Network Access Server show Command Output Router2# show ipx servers Codes: S - Static, P - Periodic, E - EIGRP, N - NLSP, H - Holddown, + = detail 5 Total IPX Servers Table ordering is based on routing and server info Type Name Net Address Port Route Hops Itf s 101 CYBER-01 40.0000.0000.0001:0400 conn 10 Int s 202 CYBER-02 40.0000.0000.0001:0401 conn 10 Int s 303 CYBER-03 40.0000.0000.0001:0402 conn 10 Int S 333 DEEP9 40.0000.0000.0001:0999 conn 10 Int P 444 ZEON-4 30.0000.0000.0001:0444 7/01 11 Vi1 Router1# show ipx servers Codes: S - Static, P - Periodic, E - EIGRP, N - NLSP, H - Holddown, + = detail 5 Total IPX Servers Table ordering is based on routing and server info Type Name Net Address Port Route Hops Itf P 303 CYBER-03 40.0000.0000.0001:0402 7/01 11 Se1 P 333 DEEP9 40.0000.0000.0001:0999 7/01 11 Se1 S 444 ZEON-4 30.0000.0000.0001:0444 conn 10 Int S 555 ZEON-5 30.0000.0000.0001:0555 conn 10 Int S 666 ZEON-6 30.0000.0000.0001:0666 conn 10 Int Router2# show ipx access-list IPX sap access list Virtual-Access1#2 permit 30 444 deny FFFFFFFF IPX sap access list Virtual-Access1#3 deny 40 101 deny 40 202 permit FFFFFFFF DC-721 Cisco IOS Dial Technologies Configuration Guide Configuring Resource Pool Management This chapter describes the Cisco Resource Pool Management (RPM) feature. It includes the following main sections: • RPM Overview • How to Configure RPM • Verifying RPM Components • Troubleshooting RPM • Configuration Examples for RPM To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature, or refer to the software release notes for a specific release. For more information, see the “Identifying Supported Platforms” section in the “Using Cisco IOS Software” chapter. For a complete description of the commands mentioned in this chapter, refer to the Cisco IOS Dial Technologies Command Reference, Release 12.2. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. RPM Overview Cisco RPM enables telephone companies and Internet service providers (ISPs) to share dial resources for wholesale and retail dial network services. With RPM, telcos and ISPs can count, control, and manage dial resources and provide accounting for shared resources when implementing different service-level agreements. You can configure RPM in a single, standalone Cisco network access server (NAS) by using RPM or, optionally, across multiple NAS stacks by using one or more external Cisco Resource Pool Manager Servers (RPMS). Cisco RPM gives data network service providers the capability to do the following: • Have the flexibility to include local retail dial services in the same NAS with the wholesale dial customers. • Manage customer use of shared resources such as modems or High-Level Data Link Control (HDLC) controllers for data calls. • Offer advanced wholesale dialup services using a Virtual Private Dialup Network (VPDN) to enterprise accounts and ISPs. • Deploy Data over Voice Bearer Service (DoVBS). Configuring Resource Pool Management RPM Overview DC-722 Cisco IOS Dial Technologies Configuration Guide • Manage call sessions by differentiating dial customers through customer profiles. The customer profile determines where resources are allocated and is based on the incoming Dialed Number Information Service (DNIS) number or Calling Line Identification (CLID). • Efficiently use resource groups such as modems to offer differing over subscription rates and dial service-level agreements. Note Ear and Mouth Feature Group B (E&M-FGB) is the only signaling type supported for channel-associated signaling (CAS) on T1 and T3 facilities; R2 is supported for E1 facilities. FG D is not supported. Cisco IOS software collects DNIS digits for the signaling types FGB, PRI, and SS7 and only E&M-FGB and R2 CAS customer profiles are supported. For all other CAS signaling types, use the default DNIS group customer profiles. Components of Incoming and Outgoing Call Management Cisco RPM manages both incoming calls and outgoing sessions. Cisco RPM differentiates dial customers through configured customer profiles based on the DNIS and call type determined at the time of an incoming call. The components of incoming call management in the Cisco RPM are described in the following sections: • Customer Profile Types • DNIS Groups • Call Types • Resource Groups • Resource Services You can use Cisco RPM to answer all calls and differentiate customers by using VPDN profiles and groups. The components of outgoing session management in the Cisco RPM are described in the following sections: • VPDN Groups • VPDN Profiles Note These components of Cisco RPM are enabled after the NAS and other equipment has been initially set up, configured, and verified for proper operation of the dial, PPP, VPDN, and authentication, authorization, and accounting (AAA) segments. Refer to the Cisco IOS documentation for these other segments for installation, configuration, and troubleshooting information before attempting to use RPM. Configured DNIS groups and resource data can be associated to customer profiles. These customer profiles are selected by the incoming call DNIS number and call type and then used to identify resource allocations based on the associated resource groups and defined resource services. After the call is answered, customer profiles can also be associated with VPDN groups so the configured VPDN sessions and other data necessary to set up or reject a VPDN session are applied to the answered calls. VPDN group data includes associated domain name or DNIS, IP addresses of endpoints, maximum sessions per endpoint, maximum Multilink PPP (MLP) bundles per VPDN group, maximum links per MLP bundle, and other tunnel information. Configuring Resource Pool Management RPM Overview DC-723 Cisco IOS Dial Technologies Configuration Guide Customer Profile Types There are three types of customer profiles in Cisco RPM, which are described in the following sections: • Customer Profiles • Default Customer Profiles • Backup Customer Profiles Additionally, you can create a customer profile template and associate it with a customer profile; it is then integrated into the customer profile. Customer Profiles A customer profile defines how and when to answer a call. Customer profiles include the following components (see Figure 99): • Customer profile name and description—Name and description of the customer. • Session limits—Maximum number of standard sessions. • Overflow limits—Maximum number of overflow sessions. • DNIS groups. • CLID. • Resource groups. • Resource services. • VPDN groups and VPDN profiles. • Call treatment—Determines how calls that exceed the session and overflow limits are treated. Figure 99 Components of a Customer Profile The incoming side of the customer profile determines if the call will be answered using parameters such as DNIS and call type from the assigned DNIS group and session limits. The call is then assigned the appropriate resource within the resource group defined in the customer profile. Each configured customer profile includes a maximum allowed session value and an overflow value. As sessions are started and ended, session counters are incremented and decremented so customer status is kept current. This information is used to monitor the customer resource limit and determine the appropriate call treatment based on the configured session limits. 28523 Incoming call management Accept call Outgoing session management • Customer profile name • If no matches occur, session is sent to local authentication • Session limits • Overflow limits • DNIS groups • Resource groups • Resource services • VPDN profile or group • Direct remote services or or Configuring Resource Pool Management RPM Overview DC-724 Cisco IOS Dial Technologies Configuration Guide The outgoing side of the customer profile directs the answered call to the appropriate destination: • To a local AAA server of retail dial applications and Internet/intranet access. • To a tunnel that is established between the NAS or L2TP Access Concentrator (LAC) to a wholesale VPDN home gateway of a dial customer, or L2TP Network Server (LNS) using Layer 2 Forwarding Protocol (L2F) or Layer 2 Tunneling Protocol (L2TP) technology. Default Customer Profiles Default customer profiles are identical to standard customer profiles, except that they do not have any associated DNIS groups. Default customer profiles are created using the reserved keyword default for the DNIS group. Default customer profiles are used to provide session counting and resource assignment to incoming calls that do not match any of the configured DNIS groups. Although specific resources and DNIS groups can be assigned to customer profiles, default customer profiles allow resource pooling for the calls that do not match the configured DNIS groups or where the DNIS is not provided. Retail dial services and domain-based VPDN use default customer profiles. When multiple default customer profiles are used, the call type (speech, digital, V.110, or V.120) of the default DNIS group is used to identify which default customer profile to use for an incoming call. At most, four default profiles (one for each call type) can be configured. Note If default customer profiles are not defined, then calls that do not match a DNIS group in a customer profile are rejected with a “no answer” or “busy” call treatment sent to the switch. Backup Customer Profiles Backup customer profiles are customer profiles configured locally on the Cisco NAS and are used to answer calls based on a configured allocation scheme when the link between the Cisco NAS and Cisco RPMS is disabled. See the section “Configuring Customer Profiles Using Backup Customer Profiles” for more information about configuring backup customer profiles. Customer Profile Template With RPM, users can also implement wholesale dial services without using VPDN tunnels to complete dial-in calls to destinations of the end customer. This capability is accomplished with components of the AAA groups and the PPP configurations. The AAA group provides IP addresses of AAA servers for authentication and accounting. The PPP configurations allow users to configure the Cisco IOS PPP feature set on each customer profile. In this current implementation, PPP configuration is based on the following: • Applicable IP address pool(s) or default local list of IP addresses • Primary and secondary Domain Name System (DNS) or Windows Internet naming service (WINS) • Number of links allowed for each call using MLP Note The AAA and PPP integration applies to a single NAS environment. To add PPP configurations to a customer profile, you must create a customer profile template. Once you create the template and associate it with a customer profile using the source template command, it is integrated into the customer profile. Configuring Resource Pool Management RPM Overview DC-725 Cisco IOS Dial Technologies Configuration Guide The RPM customer profile template for the PPP command set, when used with the Cisco IOS feature, Server Groups Selected by DNIS, presents a strong single NAS solution for providers of wholesale dial services, as follows: • Call acceptance is determined by the RPM before call answering, using the configured size limits and resource availability. • The answered call then uses the PPP configuration defined in the template to initiate authentication, obtain an IP address, and select a DNS or WINS that is located at the customer site. • The same DNIS that was used to choose the customer profile selects the servers for authentication/authorization and accounting that are located at the wholesale customer’s site. The section “Configuring a Customer Profile Template” later in this chapter describes how to create a customer profile template so that you can configure the Cisco IOS PPP features on a customer profile, but this section does not list the existing PPP command set. For information about the PPP command set, refer to the Cisco IOS Dial Technologies Command Reference. DNIS Groups A DNIS group is a configured list of DNIS called party numbers that correspond to the numbers dialed to access particular customers, service offerings, or both. For example, if a customer from phone number 000-1234 calls a number 000-5678, the DNIS provides information on the number dialed—000-5678. Cisco RPM checks the DNIS number of inbound calls against the configured DNIS groups, as follows: • If Cisco RPM finds a match, it uses the configured information in the customer profile to which the DNIS group is assigned. • If Cisco RPM does not find a match, it uses the configured information in the customer profile to which the default DNIS group is assigned. • The DNIS/call type sequence can be associated only with one customer profile. CLID Groups A CLID group is a configured list of CLID calling party numbers. The CLID group specifies a list of numbers to reject if the group is associated with a call discriminator. For example, if a customer from phone number 000-1234 calls a number 000-5678, the CLID provides information on the calling party number—000-1234. A CLID can be associated with only one CLID group. Call Types Call types from calls originating from ISDN, SS7, and CAS (CT1, CT3, and CE1) are used to assign calls to the appropriate resource. Call types for ISDN and SS7 are based on Q.931 bearer capability. Call types for CAS are assigned based on static channel configuration. Supported call types are as follows: • Speech • Digital • V.110 • V.120 Configuring Resource Pool Management RPM Overview DC-726 Cisco IOS Dial Technologies Configuration Guide Note Voice over IP, fax over IP, and dial-out calls are not supported in RPM. Resource Groups Cisco RPM enables you to maximize the use of available shared resources within a Cisco NAS for various resource allocation schemes to support service-level agreements. Cisco RPM allows you to combine your Cisco NAS resource groups with call types (speech, digital, V.110, and V.120) and optional resource modem services. Resource groups and services are configured for customer profiles and assigned to incoming calls through DNIS groups and call types. Resource groups have the following characteristics: • Are configured on the Cisco NAS and applied to a customer profile. • Represent groupings of similar hardware or firmware that are static and do not change on a per-call basis. • Can define resources that are port-based or not port-based: – Port-based resources are identified by physical location, such as a range of port/slot numbers (for example, modems or terminal adapters). – Non-port-based resources are identified by a single size parameter (for example, HDLC framers or V.120 terminal adapters—V.120 terminal adapters are currently implemented as part of Cisco IOS software). Resource assignments contain combinations of Cisco NAS resource groups, optional resource modem services, and call types. The NAS resources in resource groups that have not been assigned to a customer profile will not be used. Note To support ISDN DoVBS, use a DNIS group and a configured customer profile to direct the speech call to the appropriate digital resource. The resource group assigned to this customer profile will be “digital resources” and also have a call type of “speech,” so the call will terminate on an HDLC controller rather than a modem. Resource Services A resource service contains a finite series of resource command strings that can be used to help dynamically configure an incoming connection. Services supported by a resource group are determined by the combination of hardware and firmware installed. Currently, resource service options can be configured and applied to resource groups. Resource services can be defined to affect minimum and maximum speed, modulation, error correction, and compression, as shown in Table 41. Table 41 Resource Services Service Options Comments min-speed <300–56000>, any Must be a V.90 increment. max-speed <300–56000>, any Must be a V.90 increment. modulation k56flex, v22bis, v32bis, v34, v90, any None. Configuring Resource Pool Management RPM Overview DC-727 Cisco IOS Dial Technologies Configuration Guide VPDN Groups The VPDN group contains the data required to build a VPDN tunnel from the RPM NAS LAC to the LNS. In the context of RPM, VPDN is authorized by first associating a customer profile with a VPDN group, and second by associating the VPDN group to the DNIS group used for that customer profile. VPDN group data includes the endpoint IP addresses. Cisco RPM enables you to specify multiple IP endpoints for a VPDN group, as follows: • If two or more IP endpoints are specified, Cisco RPM uses a load-balancing method to ensure that traffic is distributed across the IP endpoints. • For DNIS-based VPDN dial service, VPDN groups are assigned to customer profiles based on the incoming DNIS number and the configured DNIS groups. • For domain-based VPDN dial service, VPDN groups are assigned to the customer profile or the default customer profile with the matching call-type assignment. • For either DNIS-based or domain-based VPDN dial services, there is a customer profile or default customer profile for the initial resource allocation and customer session limits. The VPDN group provides call management by allowing limits to be applied to both the number of MLP bundles per tunnel and the number of links per MLP bundle. Limits can also restrict the number of sessions per IP endpoint. If you require more granular control of VPDN counters, use VPDN profiles. VPDN Profiles VPDN profiles allow session and overflow limits to be imposed for a particular customer profile. These limits are unrelated to the limits imposed by the customer profile. A customer profile is associated with a VPDN profile. A VPDN profile is associated with a VPDN group. VPDN profiles are required only when these additional counters are required for VPDN usage per customer profile. Call Treatments Call treatment determines how calls are handled when certain events require the call to be rejected. For example, if the session and overflow limits for one of your customers have been exceeded, any additional calls will receive a busy signal (see Table 42). error-correction 1apm, mn14 This is a hidden command. compression mnps, v42bis This is a hidden command. Table 41 Resource Services (continued) Service Options Comments Configuring Resource Pool Management RPM Overview DC-728 Cisco IOS Dial Technologies Configuration Guide Details on RPM Call Processes On the incoming call management of the customer profile, the following sequence occurs to determine if a call is answered: 1. The incoming DNIS is mapped to a DNIS group; if there is no incoming DNIS number, or the DNIS number provided does not match any configured DNIS group, the DNIS group default is used. 2. The mapped DNIS group is checked against configured call discriminator profiles to confirm if this DNIS group/call-type combination is disallowed. If there is a match, the call is immediately rejected. 3. Once a DNIS group or a default DNIS group is identified, the customer profile associated with that DNIS group and the call type (from the bearer capability for ISDN call, statically configured for CAS calls) is selected. If there is no corresponding customer profile, the call is rejected. 4. The customer profile includes a session limit value and an overflow limit value. If these thresholds are not met, the call is then assigned the appropriate resource defined in the customer profile. If the thresholds are met, the call is rejected. Table 42 Call-Treatment Table Event Call-Treatment Option Results Customer profile not found No answer (default) The caller receives rings until the switch eventually times out. Implies that the NAS was appropriate, but resources were unavailable. The caller should try later. Busy The switch drops the call from the NAS and sends a busy signal back to the caller. The call is rejected based on not matching a DNIS group/call type and customer profile. Can be used to immediately reject the call and free up the circuit. Customer profile limits exceeded Busy The switch drops the call from the NAS and sends a busy signal back to the caller. NAS resource not available Channel not available (default) The switch sends the call to the next channel in the trunk group. The call can be answered, but the NAS does not have any available resources in the resource groups. Allows the switch to try additional channels until it gets to a different NAS in the same trunk group that has the available resources. Busy The switch drops the call from the NAS and sends a busy signal back to the caller. Can be used when the trunk group does not span additional NASes. Call discrimination match No answer The caller receives rings until the switch eventually times out. Configuring Resource Pool Management RPM Overview DC-729 Cisco IOS Dial Technologies Configuration Guide 5. If resources are available from the resource group defined in the customer profile, the call is answered. Otherwise, the call is rejected. 6. As sessions start and end, the session counters increase and decrease, so the customer profile call counters are kept current. See Figure 100 for a graphical illustration of the RPM call processes. Figure 100 Incoming Call Management: RPM Functional Description After the call is answered and if VPDN is enabled, Cisco RPM checks the customer profile for an assigned VPDN group or profile. The outgoing session management of the customer profile directs the answered call to the appropriate destination (see Figure 101), as follows: • To a local AAA server of retail dial applications and Internet/intranet access. • To a tunnel that is established between the NAS or LAC and a wholesale VPDN home gateway from a dial customer or LNS using L2F or L2TP tunneling technology. Figure 101 Outgoing Call Management: RPM Functional Description for VPDN Profiles and Groups If a VPDN profile is found, the limits are checked, as follows: • If the limits have not been exceeded, the VPDN group data associated with that VPDN profile is used to build a VPDN tunnel. • If the VPDN limits have been exceeded, the call is disconnected. Incoming call DNIS group/ call type Call discriminator DNIS/call type Base Apply resource service Accept call Resource group Overflow Virtual Range Resource group Limit 26421 Physical Customer profile VPDN enable Customer profile VPDN profile Base = Optional Overflow Bundles Accept VPDN VPDN group Links 26420 Configuring Resource Pool Management RPM Overview DC-730 Cisco IOS Dial Technologies Configuration Guide If a VPDN group is found within the customer profile, the VPDN group data is used to build a VPDN tunnel, as follows: • If the VPDN group limits (number of multilink bundles, number of links per bundle) have not been exceeded, a VPDN tunnel is built. • If the limits have been reached, the call is disconnected. If no VPDN profile is assigned to the customer profile and VPDN is enabled, non-RPM VPDN service is attempted. If the attempt fails, the call is processed as a retail dial service call if local AAA service is available. Accounting Data You can generate accounting data for network dial service usage in NAS AAA attribute format. You can configure the Cisco NAS to generate AAA accounting records for access to external AAA server option. The accounting start and stop records in AAA attribute format are sent to the external AAA server using either RADIUS server hosts or TACACS+ protocols for accounting data storage. Table 43 lists the new fields in the AAA accounting packets. Data over Voice Bearer Services DoVBS is a dial service that uses a customer profile and an associated resource group of digital resources to direct data calls with a speech call type to HDLC controllers. To support ISDN DoVBS, use a DNIS group and a configured customer profile to direct the speech call to the appropriate digital resource. The resource group assigned to this customer profile will be “digital resources” and will also have a call type of speech, so the call will terminate on an HDLC controller rather than a modem. Table 43 AAA Accounting Records Accounting Start Record Accounting Stop Record Call-Type CAS-Group-Name Customer-Profile-Name Customer-Profile-Active-Sessions DNIS-Group-Name Overflow MLP-Session_ID Modem-Speed-Receive Modem-Speed-Transmit VPDN-Domain-Name VPDN-Tunnel-ID VPDN-HomeGateway VPDN-Group-Active-Sessions Disconnect-Cause Modem-Speed-Receive Modem-Speed-Transmit MLP-Session-ID Configuring Resource Pool Management RPM Overview DC-731 Cisco IOS Dial Technologies Configuration Guide Call Discriminator Profiles The Cisco RPM CLID/DNIS Call Discriminator feature lets you specify a list of calling party numbers to be rejected for inbound calls. This Cisco IOS Release 12.2 CLID/DNIS call screening feature expands previous call screening features in Cisco RPM. CLID/DNIS call screening provides an additional way to screen calls on the basis of CLID/DNIS for both local and remote RPM. Cisco RPM CLID/DNIS Call Discriminator profiles enable you to process calls differently on the basis of the call type and CLID combination. Resource pool management offers a call discrimination feature that rejects calls on the basis of a CLID group and a call type filter. When a call arrives at the NAS, the CLID and the call type are matched against a table of disallowed calls. If the CLID and call type match entries in this table, the call is rejected before it is assigned Cisco NAS resources or before any other Cisco RPM processing occurs. This is called precall screening. Precall screening decides whether the call is allowed to be processed. You can use the following types of discriminators to execute precall screening: • ISDN discriminator—Accepts a call if the calling number matches a number in a group of configured numbers (ISDN group). This is also called white box screening. If you configure an ISDN group, only the calling numbers specified in the group are accepted. • DNIS discriminator—Accepts a call if the called party number matches a number in a group of configured numbers (DNIS group). If you set up a DNIS group, only the called party numbers in the group are accepted. DNIS gives you information about the called party. • Cisco RPM CLID/DNIS discriminator—Rejects a call if the calling number matches a number in a group of configured numbers (CLID/DNIS group). This is also called black box screening. If you configure a discriminator with a CLID group, the calling party numbers specified in the group are rejected. CLID gives you information about the caller. Similarly, if you configure a discriminator with a DNIS group, the called party numbers specified in the group are rejected. The Cisco RPM CLID/DNIS Call Discriminator Feature is independent of ISDN or DNIS screening done by other subsystems. ISDN or DNIS screening and Cisco RPM CLID/DNIS screening can both be present in the same system. Both features are executed if configured. Similarly, if DNIS Preauthorization using AAA is configured, it is present in addition to Cisco RPM CLID/DNIS screening. Refer to the Cisco IOS Security Configuration Guide for more information about call preauthorization. In Cisco RPM CLID/DNIS screening, the discriminator can be a CLID discriminator, a DNIS discriminator, or a discriminator that screens on both the CLID and DNIS. The resulting discrimination logic is: • If a discriminator contains just DNIS groups, it is a DNIS discriminator that ignores CLID. The DNIS discriminator blocks the call if the called number is in a DNIS group, which the call type references. • If a discriminator contains just CLID groups, it is a CLID discriminator that ignores DNIS. The CLID discriminator blocks the call if the calling number is in a CLID group, which the call type references. • If a discriminator contains both CLID and DNIS groups, it is a logical AND discriminator. It blocks the call if the calling number and called number are in the CLID or DNIS group, and the call type references the corresponding discriminator. Figure 102 shows how call discrimination can be used to restrict a specific DNIS group to only modem calls by creating call discrimination settings for the DNIS group and the other supported call types (digital, V.110, and V.120). Configuring Resource Pool Management RPM Overview DC-732 Cisco IOS Dial Technologies Configuration Guide Figure 102 Call Discrimination Incoming Call Preauthentication With ISDN PRI or channel-associated signaling (CAS), information about an incoming call is available to the NAS before the call is connected. The available call information includes: • The DNIS, also referred to as the called number • The CLID, also referred to as the calling number • The call type, also referred to as the bearer capability The Preauthentication with ISDN PRI and Channel-Associated Signalling feature introduced in Cisco IOS Release 12.2 allows a Cisco NAS to decide—on the basis of the DNIS number, the CLID number, or the call type—whether to connect an incoming call. When an incoming call arrives from the public network switch, but before it is connected, this feature enables the NAS to send the DNIS number, CLID number, and call type to a RADIUS server for authorization. If the server authorizes the call, the NAS accepts the call. If the server does not authorize the call, the NAS sends a disconnect message to the public network switch to reject the call. The Preauthentication with ISDN PRI and Channel-Associated Signalling feature offers the following benefits: • With ISDN PRI, it enables user authentication and authorization before a call is answered. With CAS, the call must be answered; however, the call can be dropped if preauthentication fails. • It enables service providers to better manage ports using their existing RADIUS solutions. • Coupled with a preauthentication RADIUS server application, it enables service providers to efficiently manage the use of shared resources to offer differing service-level agreements. For more information about the Preauthentication with ISDN PRI and Channel-Associated Signalling feature, refer to the Cisco IOS Security Configuration Guide. 23734 dnis123 5267000 5267001 CD Name Call discriminator definitions Internal disallowed calls table DNIS groups CD123 CDabc CDspeech CDv120 DNIS Group dnis123 dnisabc dnisspeech default DNIS 5267000 5267001 5271299 527499 default Call Type speech speech digital digitalv110v120 v120 Call Types speech digital digitalv110v120 v120 Reject calls to DNIS group dnis123 with speech call type Reject calls to DNIS group dnisabc with digital call type Reject calls to DNIS group dnisspeech that are not speech Reject all calls that are V.120 Reject calls to 5267000 with speech call type Reject calls to 5267001 with speech call type Reject digital calls to 5271299 Accept only speech calls to 5274999 Reject all V.120 calls dnisabc 527 1299 dnisspeech 5274999 Reserved keyword identifying default DNIS reaching all values Configuring Resource Pool Management RPM Overview DC-733 Cisco IOS Dial Technologies Configuration Guide RPM Standalone Network Access Server A single NAS using Cisco RPM can provide the following: • Wholesale VPDN dial service to corporate customers • Direct remote services • Retail dial service to end users Figure 103 and Figure 104 show multiple connections to a Cisco AS5300 NAS. Incoming calls to the NAS can use ISDN PRI signaling, CAS, or the SS7 signaling protocol. Figure 103 shows incoming calls that are authenticated locally for retail dial services or forwarded through VPDN tunnels for wholesale dial services. Note This implementation does not use Cisco RPM CLID/DNIS Call Discriminator Feature. If you are not using Cisco RPMS and you have more than one Cisco NAS, you must manually configure each NAS by using Cisco IOS commands. Resource usage information is not shared between NASes. Figure 103 Retail Dial Service Using RPM Figure 104 shows a method of implementing wholesale dial services without using VPDN tunnels by creating individual customer profiles that consist of AAA groups and PPP configurations. The AAA groups provide IP addresses of AAA servers for authentication and accounting. The PPP configurations enable you to set different PPP parameter values on each customer profile. A customer profile typically includes the following PPP parameters: • Applicable IP address pools or a default local list of IP addresses • Primary and secondary DNS or WINS • Authentication method such as the Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Microsoft CHAP Version 1 (MS-CHAP) • Number of links allowed for each call using Multilink PPP Note The AAA and PPP integration applies to a single NAS environment; the external RPMS solution is not supported. Modem Remote user Terminal adapter Router PSTN PRI CAS SS7 Cisco AS5300 (NAS) Internet/ intranet 18021 AAA server (Optional) Configuring Resource Pool Management RPM Overview DC-734 Cisco IOS Dial Technologies Configuration Guide Figure 104 Resource Pool Management with Direct Remote Services Call Processing For call processing, incoming calls are matched to a DNIS group and the customer profile associated with that DNIS group. If a match is found, the customer profile session and overflow limits are applied and if available, the required resources are allocated. If a DNIS group is not found, the customer profile associated with the default DNIS group is used. The call is rejected if a customer profile using the default DNIS group cannot be found. After the call is answered and if VPDN is enabled, the Cisco RPM checks the customer profile for an assigned VPDN group or profile. If a VPDN group is found, Cisco RPM authorizes VPDN by matching the group domain name or DNIS with the incoming call. If a match is found, VPDN profile session and overflow limits are applied, and, if the limits are not exceeded, tunnel negotiation begins. If the VPDN limits are exceeded, the call is disconnected. If no VPDN profile is assigned to the customer profile and VPDN is enabled, non-RPM VPDN service will be attempted. If it fails, the call is processed as a retail dial service call if local AAA service is available. Base Session and Overflow Session Limits Cisco RPM enables you to set base and overflow session limits in each customer profile. The base session limit determines the maximum number of nonoverflow sessions supported for a customer profile. When the session limit is reached, if overflow sessions are not enabled, any new calls are rejected. If overflow sessions are enabled, new sessions up to the session overflow limit are processed and marked as overflow for call handling and accounting. WAN infrastructure Modem Remote user Terminal adapter Router PSTN Optional local AAA Cisco AS5300 (NAS) Customer profiles 28307 Customer A Customer B AAA DNS AAA DNS DNIS Configuring Resource Pool Management RPM Overview DC-735 Cisco IOS Dial Technologies Configuration Guide The session overflow limit determines the allowable number of sessions above the session limit. If the session overflow limit is greater than zero, overflow sessions are enabled and the maximum number of allowed sessions is the session limit plus the session overflow limit. While the session overflow limit has been reached, any new calls are rejected. Table 44 summarizes the effects of session and session overflow limits. Enabling overflow sessions is useful for allocating extra sessions for preferred customers at premium rates. Overflow sessions can also be useful for encouraging customers to adequately forecast bandwidth usage or for special events when normal session usage is exceeded. For example, if a customer is having a corporate-wide program and many people are expected to request remote access, you could enable many overflow sessions and charge a premium rate for the excess bandwidth requirements. Note An overflow call is a call received while the session limit is exceeded and is in an overflow state. When a call is identified as an overflow call, the call maintains the overflow status throughout its duration, even if the number of current sessions returns below the session limit. VPDN Session and Overflow Session Limits Cisco RPM enables you to configure base and overflow session limits per VPDN profile for managing VPDN sessions. Note The VDPN session and session overflow limits are independent of the limits set in the customer profiles. The base VPDN session limit determines the maximum number of nonoverflow sessions supported for a VPDN profile. When the VPDN session limit is reached, if overflow sessions are not enabled, any new VPDN calls using the VPDN profile sessions are rejected. If overflow sessions are enabled, new sessions up to the session overflow limit are processed and marked as overflow for VPDN accounting. The VPDN session overflow limit determines the number of sessions above the session limit allowed in the VPDN group. If the session overflow limit is greater than zero, overflow sessions are enabled and the maximum number of allowed sessions is the session limit plus the session overflow limit. While the session overflow limit has been reached, any new calls are rejected. Enabling VPDN overflow sessions is useful for allocating extra sessions for preferred customers at premium rates. Overflow sessions are also useful for encouraging customers to adequately forecast bandwidth usage or for special events when normal session usage is exceeded. For example, if a Table 44 Effects of Session Limit and Session Overflow Limit Settings Combinations Base Session Limit Session Overflow Limit Call Handling 0 0 Reject all calls. 10 0 Accept up to 10 sessions. 10 10 Accept up to 20 sessions and mark sessions 11 to 20 as overflow sessions. 0 10 Accept up to 10 sessions and mark sessions 1 to 10 as overflow. All 0 Accept all calls. 0 All Accept all calls and mark all calls as overflow. Configuring Resource Pool Management RPM Overview DC-736 Cisco IOS Dial Technologies Configuration Guide customer is having a corporate-wide program and many people are expected to request remote access, you could enable many overflow sessions and charge a premium rate for the extra bandwidth requirements. VPDN MLP Bundle and Links-per-Bundle Limits To ensure that resources are not consumed by a few users with MLP connections, Cisco RPM also enables you to specify the maximum number of MLP bundles that can open in a VPDN group. In addition, you can specify the maximum number of links for each MLP bundle. For example, if standard ISDN users access the VPDN profile, limit this setting to two links per bundle. If video conferencing is used, increase this setting to accommodate the necessary bandwidth (usually six links). These limits have no overflow option and are configured under the VPDN group component. VPDN Tunnel Limits For increased VPDN tunnel management, Cisco RPM enables you to set an IP endpoint session limit for each IP endpoint. IP endpoints are configured for VPDN groups. Figure 105 and Figure 106 show logical flowcharts of RPM call processing for a standalone NAS with and without the RPM Direct Remote Services feature. Configuring Resource Pool Management RPM Overview DC-737 Cisco IOS Dial Technologies Configuration Guide Figure 105 RPM Call-Processing Flowchart for a Standalone Network Access Server DNIS and call type Yes Yes Yes Yes Yes No No No No No No Call discriminator match 22609 Reject—Session limit call treatment busy Yes Mapped DNIS customer profile exists Has CP reached maximum connections Overflow configured and maximum not exceeded Resources available Default customer profile match Reject—No resource call treatment: CNA (default) or busy Reject call treatment: No answer Reject—No CP call treatment: No answer (default) or busy Answer call Check VPDN Configuring Resource Pool Management RPM Overview DC-738 Cisco IOS Dial Technologies Configuration Guide Figure 106 Flowchart for a Standalone Network Access Server with RPM Direct Remote Services DNIS and call type Yes Yes Yes Yes Yes No No No No No Call discriminator match 29584 Reject—Session limit call treatment busy Mapped DNIS customer profile exists Has CP reached maximum connections Overflow configured and maximum not exceeded Resources available Reject—No resource call treatment: CNA (default) or busy Reject call treatment: No answer Reject—No CP call treatment: No answer (default) or busy Answer call Check PPP Template Configuring Resource Pool Management RPM Overview DC-739 Cisco IOS Dial Technologies Configuration Guide RPM Using the Cisco RPMS Figure 107 shows a typical resource pooling network scenario using RPMS. Figure 107 RPM Scenario Using RPMS Resource Manager Protocol Resource Manager Protocol (RMP) is a robust, recoverable protocol used for communication between the Cisco RPMS and the NAS. Each NAS client uses RMP to communicate resource management requests to the Cisco RPMS server. RPMS also periodically polls the NAS clients to query their current call information or address error conditions when they occur. RMP also allows for protocol attributes that make it extensible and enable support for customer billing requirements. Figure 108 shows the relationship of Cisco RPM CLID/DNIS Call Discriminator Feature and RMP. Figure 108 Cisco RPM CLID/DNIS Call Discriminator Feature and RMP Note RMP must be enabled on all NASes that communicate with the Cisco RPM CLID/DNIS Call Discriminator Feature. Modem Modem Terminal adapter Router PSTN/ ISDN PRI CT1 CE1 UG group VPDN tunnel VPDN tunnel L2F/L2TP L2F/L2TP 17243 Customer A Customer B AAA server AAA server AAA proxy server(Optional) Home gateway router Home gateway router CO CO Cisco RPMS Internet/ intranet RMP protocol RMP interface NAS Cisco RPMS with RMP installed 17244 Configuring Resource Pool Management RPM Overview DC-740 Cisco IOS Dial Technologies Configuration Guide Direct Remote Services Direct remote services is an enhancement to Cisco RPM implemented in Cisco IOS Release 12.0(7)T that enables service providers to implement wholesale dial services without using VPDN tunnels. A customer profile that has been preconfigured with a PPP template to define the unique PPP services for the wholesale dial customer is selected by the incoming DNIS and call type. At the same time, the DNIS is used to select AAA server groups for authentication/authorization and for accounting for the customer. PPP Common Configuration Architecture (CCA) is the new component of the RPM customer profile that enables direct remote services. The full PPP command set available in Cisco IOS software is configurable per customer profile for wholesale dial applications. A customer profile typically includes the following PPP parameters: • Local or named IP address pools • Primary and secondary DNS or WINS addresses • Authentication method (PAP, CHAP, MS-CHAP) • Multilink PPP links per bundle limits The AAA session information is selected by the incoming DNIS. AAA server lists provide the IP addresses of AAA servers for authentication, authorization, and accounting in the wholesale local network of the customer. The server lists for both authentication and authorization and for accounting contain the server addresses, AAA server type, timeout, retransmission, and keys per server. When direct remote services is implemented on a Cisco NAS, the following sequence occurs: 1. The NAS sends an authorization request packet to the AAA server by using the authentication method (PAP, CHAP, MSCHAP) that has been configured through PPP. 2. The AAA server accepts the authorization request and returns one of the following items to the NAS: – A specific IP address – An IP address pool name – Nothing 3. Depending on the response from the AAA server, the NAS assigns one of the following items to the user through the DNS/WINS: – The IP address returned by the AAA server – An IP address randomly assigned from the named IP address pool – An IP address from a pool specified in the customer profile template Note If the AAA server sends back to the NAS a named IP address pool and that name does not exist on the NAS, the request for service is denied. If the AAA server does not send anything back to the NAS and there is an IP address pool name configured in the customer profile template, an address from that pool is used for the session. RPM Process with RPMS and SS7 For information on SS7 implementation for RPM, refer to the document Cisco Resource Pool Manager Server 1.0 SS7 Implementation. Configuring Resource Pool Management How to Configure RPM DC-741 Cisco IOS Dial Technologies Configuration Guide Additional Information About Cisco RPM For more information about Cisco RPM, see the following documents: • AAA Server Group • Cisco Access VPN Solutions Using Tunneling Technology • Cisco AS5200 Universal Access Server Software Configuration Guide • Cisco AS5300 Software Configuration Guide • Cisco AS5800 Access Server Software ICG • Cisco Resource Pool Manager Server Configuration Guide • Cisco Resource Pool Manager Server Installation Guide • Cisco Resource Pool Manager Server Solutions Guide • Dial Solutions Quick Configuration Guide • RADIUS Multiple UDP Ports Support • Redundant Link Manager • Release Notes for Cisco Resource Pool Manager Server Release 1.0 • Resource Pool Management • Resource Pool Management with Direct Remote Services • Resource Pool Manager Customer Profile Template • Selecting AAA Server Groups Based on DNIS • SS7 Continuity Testing for Network Access Servers • SS7 Dial Solution System Integration How to Configure RPM Read and comply with the following restrictions and prerequisites before beginning RPM configuration: • RPM is supported on Cisco AS5300, Cisco AS5400, and Cisco AS5800 Universal Access Servers • Modem pooling and RPM are not compatible. • The Cisco RPM CLID/DNIS Call Discriminator Feature must have Cisco RPM configured. • CLID screening is not available to channel-associated signaling (CAS) interrupt level calls. • Cisco RPM requires the NPE 300 processor when implemented on the Cisco AS5800. • For Cisco AS5200 and Cisco AS5300 access servers, Cisco IOS Release 12.0(4)XI1 or later releases must be running on the NAS. • For Cisco AS5800, Cisco IOS Release 12.0(5)T or later releases must be running on the NAS. • A minimum of 64 MB must be available on the DMM cards. • The RPM application requires an NPE 300. • For call discriminator profiles, the Cisco AS5300, Cisco AS5400, or Cisco AS5800 Universal Access Servers require a minimum of 16 MB Flash memory and 128 MB DRAM memory, and need to be configured for VoIP as an H.323-compliant gateway. The following tasks must be performed before configuring RPM: Configuring Resource Pool Management How to Configure RPM DC-742 Cisco IOS Dial Technologies Configuration Guide • Accomplish initial configuration as described in the appropriate Universal Access Server Software Configuration Guide. Perform the following tasks as required. – Set your local AAA – Define your TACACS+ server for RPM – Define AAA accounting – Ensure PPP connectivity – Ensure VPDN connectivity Refer to the document Configuring the NAS for Basic Dial Access for more information. To configure your NAS for RPM, perform the following tasks: • Enabling RPM (Required) • Configuring DNIS Groups (As required) • Creating CLID Groups (As required) • Configuring Discriminator Profiles (As required) • Configuring Resource Groups (As required) • Configuring Service Profiles (As required) • Configuring Customer Profiles (As required) • Configuring a Customer Profile Template (As required) • Placing the Template in the Customer Profile (As required) • Configuring AAA Server Groups (As required) • Configuring VPDN Profiles (As required) • Configuring VPDN Groups (As required) • Counting VPDN Sessions by Using VPDN Profiles (As required) • Limiting the Number of MLP Bundles in VPDN Groups (As required) • Configuring Switched 56 over CT1 and RBS (As required) See the section “Troubleshooting RPM” later in this chapter for troubleshooting tips. See the section “Configuration Examples for RPM” at the end of this chapter for examples of how to configure RPM in your network. Enabling RPM To enable RPM, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# resource-pool enable Turns on RPM. Step 2 Router(config)# resource-pool call treatment resource channel-not-available Creates a resource group for resource management. Step 3 Router(config)# resource-pool call treatment profile no-answer Sets up the signal sent back to the telco switch in response to incoming calls. Step 4 Router(config) # resource-pool aaa protocol local Specifies which protocol to use for resource management. Configuring Resource Pool Management How to Configure RPM DC-743 Cisco IOS Dial Technologies Configuration Guide Note If you have an RPMS, you need not define VPDN groups/profiles, customer profiles, or DNIS groups on the NAS; you need only define resource groups. Configure the remaining items by using the RPMS system. Configuring DNIS Groups This configuration task is optional. To configure DNIS groups, use the following commands beginning in global configuration mode: For default DNIS service, no DNIS group configuration is required. The following characteristics and restrictions apply to DNIS group configuration: • Each DNIS group/call-type combination can apply to only one customer profile. • You can use up to four default DNIS groups (one for each call type). • You must statically configure CAS call types. • You can use x, X or . as wildcards within each DNIS number. Command Purpose Step 1 Router(config)# dialer dnis group dnis-group-name Creates a DNIS group. The name you specify in this step must match the name entered when configuring the customer profile. Step 2 Router(config-called-group)# call-type cas {digital | speech} Statically sets the call-type override for incoming CAS calls. Step 3 Router(config-called-group)# number number Enters DNIS numbers to be used in the customer profile. (Wildcards can be used.) Configuring Resource Pool Management How to Configure RPM DC-744 Cisco IOS Dial Technologies Configuration Guide Creating CLID Groups You can add multiple CLID groups to a discriminator profile. You can organize CLID numbers for a customer or service type into a CLID group. Add all CLID numbers into one CLID group, or subdivide the CLID numbers using criteria such as call type, geographical location, or division. To create CLID groups, use the following commands beginning in global configuration mode: Configuring Discriminator Profiles Discriminator profiles enable you to process calls differently on the basis of the call type and CLID/DNIS combination. The “Call Discriminator Profiles” section earlier in this chapter describes the different types of discriminator profiles that you can create. To configure discriminator profiles for RPM implementation, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# dialer clid group clid-group-name Creates a CLID group, assigns it a name of up to 23 characters, and enters CLID configuration mode. The CLID group must be the same as the group specified in the customer profile configuration. Refer to the Resource Pool Management with Direct Remote Services document for information on configuring customer profiles. Step 2 Router(config-clid-group)# number clid-group-number Enters CLID configuration mode, and adds a CLID number to the dialer CLID group that is used in the customer profile. The CLID number can have up to 65 characters. You can use x, X or . as wildcards within each CLID number. The CLID screening feature rejects this number if it matches the CLID of an incoming call. Command Purpose Step 1 Router(config)# resource-pool profile discriminator name Creates a call discriminator profile and assigns it a name of up to 23 characters. Step 2 Router(config-call-d)# call-type {all | digital | speech | v110 | v120} Specifies the type of calls you want to block. The NAS will not answer the call-type you specify. Configuring Resource Pool Management How to Configure RPM DC-745 Cisco IOS Dial Technologies Configuration Guide To verify discriminator profile settings, use the following commands: Step 1 Use the show resource-pool discriminator name command to verify the call discriminator profiles that you configured. If you enter the show resource-pool discriminator command without including a call discriminator name, a list of all current call discriminator profiles appears. If you enter a call discriminator profile name with the show resource-pool discriminator command, the number of calls rejected by the selected call discriminator appears. Router# show resource-pool discriminator List of Call Discriminator Profiles: deny_CLID Router# show resource-pool discriminator deny_CLID 1 calls rejected Step 2 Use the show dialer command to display general diagnostic information for interfaces configured for the dialer. Router# show dialer [interface] type number Step 3 Router(config-call-d)# clid group {clid-group-name | default} Optional. Associates a CLID group with the discriminator. If you do not specify a clid-group-name, the default discriminator in the RM is used. Any CLID number coming in on a call is in its respective default group unless it is specifically assigned a clid-group-name. After a CLID group is associated with a call type in a discriminator, it cannot be used in any other discriminator. Step 4 Router(config-call-d)# dnis group {dnis-group-name | default} Optional. Associates a DNIS group with the discriminator. If you do not specify a dnis-group-name, the default discriminator in the RM is used. Any DNIS number coming in on a call is in its respective default group unless it is specifically assigned a dnis-group-name. After a DNIS group is associated with a call type in a discriminator, it cannot be used in any other discriminator. Command Purpose Configuring Resource Pool Management How to Configure RPM DC-746 Cisco IOS Dial Technologies Configuration Guide Configuring Resource Groups To configure resource groups, use the following commands beginning in global configuration mode: For external Cisco RPMS environments, configure resource groups on the NAS before defining them on external RPMS servers. For standalone NAS environments, first configure resource groups before using them in customer profiles. Resource groups can apply to multiple customer profiles. Note You can separate physical resources into groups. However, do not put heterogeneous resources in the same group. Do not put MICA technologies modems in the same group as Microcom modems. Do not put modems and HDLC controllers in the same resource group. Do not configure the port and limit command parameters in the same resource group. Configuring Service Profiles To configure service profiles, use the following commands beginning in global configuration mode: Service profiles are used to configure modem service parameters for Nextport and MICA technologies modems, and support speech, digital, V.110, and V.120 call types. Error-correction and compression are hidden parameters that may be included in a service profile. Command Purpose Step 1 Router(config)# resource-pool group resource name Creates a resource group and assign it a name of up to 23 characters. Step 2 Router(config-resource-group)# range {port {slot/port slot/port}} | {limit number} Associates a range of modems or other physical resources with this resource group: • For port-based resources, use the physical locations of the resources. • For non-port-based resources, use a single integer limit. Specify the maximum number of simultaneous connections supported by the resource group. Up to 192 connections may be supported, depending on the hardware configuration of the access server. Command Purpose Step 1 Router(config)# resource-pool profile service name Creates a service profile and assign it a name of up to 23 characters. Step 2 Router(config-service-profil)# modem min-speed {speed | any} max-speed {speed | any [modulation value]} Specifies the desired modem parameter values. The range for min-speed and max-speed is 300 to 56000 bits per second. Configuring Resource Pool Management How to Configure RPM DC-747 Cisco IOS Dial Technologies Configuration Guide Configuring Customer Profiles To configure customer profiles, use the following commands beginning in global configuration mode: Customer profiles are used so that service providers can assign different service characteristics to different customers. Note the following characteristics of customer profiles: • Multiple resources of the same call type are used sequentially. • The limits imposed are per customer (DNIS)—not per resource. • A digital resource with a call type of speech allows for Data over Speech Bearer Service (DoSBS). Configuring Default Customer Profiles Default customer profiles are identical to standard customer profiles, except they do not have any associated DNIS groups. To define a default customer profile, use the reserved keyword default for the DNIS group: The rest of the customer profile is configured as shown in the previous section “Configuring Customer Profiles.” Configuring Customer Profiles Using Backup Customer Profiles Backup customer profiles are customer profiles configured locally on the Cisco NAS and are used to answer calls on the basis of a configured allocation scheme when the link between the Cisco NAS and Cisco RPMS is disabled. To enable the backup feature, you need to have already configured the following on the router: • The resource-pool aaa protocol group name local command. • All customer profiles and DNIS groups on the NAS. Command Purpose Step 1 Router(config)# resource-pool profile customer name Creates a customer profile. Step 2 Router(config-customer-pro)# dnis group {dnis-group-name | default} Includes a group of DNIS numbers in the customer profile. Step 3 Router(config-customer-pro)# limit base-size {number | all} Specifies the base size usage limit. Step 4 Router(config-customer-pro)# limit overflow-size {number | all} Specifies the oversize size usage limit. Step 5 Router(config-customer-pro)# resource WORD {digital | speech | v110 | v120} [service WORD] Assigns resources and supported call types to the customer profile. Command Purpose Step 1 Router(config)# resource-pool profile customer name Assigns a name to the default customer profile. Step 2 Router(config-customer-pro)# dnis group default Assigns the default DNIS group to the customer profile. This sets up the customer profile such that it will use the default DNIS configuration, which is automatically set on the NAS. Configuring Resource Pool Management How to Configure RPM DC-748 Cisco IOS Dial Technologies Configuration Guide The backup customer profile can contain all of the elements defined in a standard customer profile, including base size or overflow parameters. However, when the connection between the Cisco NAS and Cisco RPMS is unavailable, session counting and session limits are not applied to incoming calls. Also, after the connection is reestablished, there is no synchronization of call counters between the Cisco NAS and Cisco RPMS. Configuring Customer Profiles for Using DoVBS To configure customer profiles for using DoVBS, use the following commands beginning in global configuration command mode: To support ISDN DoVBS, use a DNIS group and a configured customer profile to direct the speech call to the appropriate digital resource. The DNIS group assigned to the customer profile should have a call type of speech. The resource group assigned to this customer profile will be digital resources and also have a call type of speech, so the call will terminate on an HDLC controller rather than a modem. See the section “Customer Profile Configuration for DoVBS Example” at the end of this chapter for a configuration example. Configuring a Customer Profile Template Customer profile templates provide a way to keep each unique situation for a customer separate for both security and accountability. This is an optional configuration task. To configure a template and place it in a customer profile, ensure that all basic configuration tasks and the RPM configuration tasks have been completed and verified before attempting to configure the customer profile templates. To add PPP configurations to a customer profile, create a customer profile template. Once you create the template and associate it with a customer profile by using the source template command, it is integrated into the customer profile. Command Purpose Step 1 Router(config)# resource-pool profile customer name Assigns a name to a customer profile. Step 2 Router(config-customer-pro)# dnis group name Assigns a DNIS group to the customer profile. DNIS numbers are assigned as shown in the previous section. Step 3 Router(config)# limit base-size {number | all} Specifies the VPDN base size usage limit. Step 4 Router(config)# limit overflow-size {number | all} Specifies the VPDN overflow size usage limit. Step 5 Router(config-customer-pro)# resource name {digital | speech | v110 | v120} [service name] Specifies resource names to use within the customer profile. Configuring Resource Pool Management How to Configure RPM DC-749 Cisco IOS Dial Technologies Configuration Guide To configure a template in RPM, use the following commands beginning in global configuration mode: Typical Template Configuration The following example shows a typical template configuration: template Word multilink {max-fragments frag-num | max-links num | min-links num} peer match aaa-pools peer default ip address {pool pool-name1 [pool-name2] | dhcp} ppp ipcp {dns | wins} A.B.C.D [W.X.Y.Z] resource-pool profile customer WORD source template Word aaa group-configuration aaa-group-name template acme_direct peer default ip address pool tahoe ppp authentication chap isdn-users ppp multilink Verifying Template Configuration To verify your template configuration, perform the following steps: Step 1 Enter the show running-config EXEC command (where the template name is “PPP1”): Router# Router# show running-config begin template . . . Command Purpose Step 1 Router(config)# template name Creates a customer profile template and assign a unique name that relates to the customer that will be receiving it. Note Steps 2, 3, and 4 are optional. Enter multilink, peer, and ppp commands appropriate to the application requirements of the customer. Step 2 Router(config-template)# peer default ip address pool pool-name (Optional) Specifies that the customer profile to which this template is attached will use a local IP address pool with the specified name. Step 3 Router(config-template)# ppp authentication chap (Optional) Sets the PPP link authentication method. Step 4 Router(config-template)# ppp multilink (Optional) Enables Multilink PPP for this customer profile. Step 5 Router(config-template)# exit Exits from template configuration mode; returns to global configuration mode. Step 6 Router(config)# resource-pool profile customer name Enters customer profile configuration mode for the customer to which you wish to assign this template. Step 7 Router(config-customer-profi)# source template name Attaches the customer profile template you have just configured to the customer profile. Configuring Resource Pool Management How to Configure RPM DC-750 Cisco IOS Dial Technologies Configuration Guide template PPP1 peer default ip address pool pool1 pool2 ppp ipcp dns 10.1.1.1 10.1.1.2 ppp ipcp wins 10.1.1.3 10.1.1.4 ppp multilink max-links 2 . . . Step 2 Ensure that your template appears in the configuration file. Placing the Template in the Customer Profile To place your template in the customer profile, use the following commands beginning in global configuration command mode: To verify the placement of your template in the customer profile, perform the following steps: Step 1 Enter the show resource-pool customer EXEC command: Router# show resource-pool customer List of Customer Profiles: CP1 CP2 Step 2 Look at the list of customer profiles and make sure that your profile appears in the list. Step 3 To verify a particular customer profile configuration, enter the show resource-pool customer name EXEC command (where the customer profile name is “CP1”): Router# show resource-pool customer CP1 97 active connections 120 calls accepted 210 max number of simultaneous connections 50 calls rejected due to profile limits 0 calls rejected due to resource unavailable 90 minutes spent with max connections 5 overflow connections 2 overflow states entered 0 overflow connections rejected 0 minutes spent in overflow 13134 minutes since last clear command Command Purpose Step 1 Router(config)# resource-pool profile customer name Assigns a name to a customer profile. Step 2 Router(config-customer-pr)# source template Associates the template with the customer profile. Configuring Resource Pool Management How to Configure RPM DC-751 Cisco IOS Dial Technologies Configuration Guide Configuring AAA Server Groups To configure AAA server groups, use the following commands beginning in global configuration mode: AAA server groups are lists of AAA server hosts of a particular type. The Cisco RPM currently supports RADIUS and TACACS+ server hosts. A AAA server group lists the IP addresses of the selected server hosts. You can use a AAA server group to define a distinct list of AAA server hosts and apply this list to the Cisco RPM application. Note that the AAA server group feature works only when the server hosts in a group are of the same type. Configuring VPDN Profiles A VPDN profile is required only if you want to impose limits on the VPDN tunnel that are separate from the customer limits. Command Purpose Step 1 Router(config)# aaa new-model Enables AAA on the NAS. Step 2 Router(config)# radius-server key key or Router(config)# tacacs-server key key Set the authentication and encryption key used for all RADIUS or TACACS+ communications between the NAS and the RADIUS or TACACS+ daemon. Step 3 Router(config)# radius-server host {hostname | ip-address key} [auth-port port acct-port port] or Router(config)# tacacs-server host ip-address key Specifies the host name or IP address of the server host before configuring the AAA server group. You can also specify the UDP destination ports for authentication and for accounting. Step 4 Router(config)# aaa group server {radius | tacacs+} group-name Selects the AAA server type you want to place into a server group and assign a server group name. Step 5 Router(config-sg radius)# server ip-address Specifies the IP address of the selected server type. This must be the same IP address that was assigned to the server host in Step 3. Step 6 Router(config-sg radius)# exit Returns to global configuration mode. Step 7 Router(config)# resource-pool profile customer name Enters customer profile configuration mode for the customer to which you wish to assign this AAA server group. Step 8 Router(config-customer-profil)# aaa group-configuration group-name Associates this AAA server group (named in Step 4) with the customer profile named in Step 7. Configuring Resource Pool Management How to Configure RPM DC-752 Cisco IOS Dial Technologies Configuration Guide To configure VPDN profiles, use the following commands beginning in global configuration mode: Configuring VPDN Groups To configure VPDN groups, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# resource-pool profile vpdn profile-name Creates a VPDN profile and assigns it a profile name Step 2 Router(config-vpdn-profile)# limit base-size {number | all} Specifies the maximum number of simultaneous base VPDN sessions to be allowed for this VPDN group under the terms of the service-level agreement (SLA). The range is 0 to 1000 sessions. If all sessions are to be designated as base VPDN sessions, specify all. Step 3 Router(config-vpdn-profile)# limit overflow-size {number | all} Specifies the maximum number of simultaneous overflow VPDN sessions to be allowed for this VPDN group under the terms of the SLA. The range is 0 to 1000 sessions. If all sessions are to be designated as overflow VPDN sessions, specify all. Step 4 Router(config-vpdn-profile)# exit Returns to global configuration mode. Step 5 Router(config)# resource-pool profile customer name Enters customer profile configuration mode for the customer to which you wish to assign this VPDN group. Step 6 Router(config-customer-profi)# vpdn profile profile-name or Router(config-customer-profi)# vpdn group group-name Attaches the VPDN profile you have just configured to the customer profile to which it belongs, or, if the limits imposed by the VPDN profile are not required, attaches VPDN group instead (see the section “Configuring VPDN Groups” later in this chapter). Command Purpose Step 1 Router(config)# vpdn enable Enables VPDN sessions on the NAS. Step 2 Router(config)# vpdn-group group-name Creates a VPDN group and assigns it a unique name. Each VPDN group can have multiple endpoints (HGW/LNSs). Step 3 Router(config-vpdn)# request dialin {l2f | l2tp} {ip ip-address} {domain domain-name | dnis dnis-number} Specifies the tunneling protocol to be used to reach the remote peer defined by a specific IP address if a dial-in request is received for the specified domain name or DNIS number. The IP address that qualifies the session is automatically generated and need not be entered again. Step 4 Router(config-vpdn)# multilink {bundle-number | link-number} Specifies the maximum number of bundles and links for all multilink users in the VPDN group. The range for both bundles and links is 0 to 32767. In general, each user requires one bundle. Configuring Resource Pool Management How to Configure RPM DC-753 Cisco IOS Dial Technologies Configuration Guide A VPDN group consists of VPDN sessions that are combined and placed into a customer profile or a VPDN profile. Note the following characteristics of VPDN groups: • The dnis-group-name argument is required to authorize the VPDN group with RPM. • A VPDN group placed in a customer profile allows VPDN connections for the customer using that profile. • A VPDN group placed in a VPDN profile allows the session limits configured for that profile to apply to all of the VPDN sessions within that VPDN group. • VPDN data includes an associated domain name or DNIS, an endpoint IP address, the maximum number of MLP bundles, and the maximum number of links per MLP bundle; this data can optionally be located on a AAA server. See the sections “VPDN Configuration Example” and “VPDN Load Sharing and Backing Up Between Multiple HGW/LNSs Example” at the end of this chapter for examples of using VPDN with RPM. Counting VPDN Sessions by Using VPDN Profiles Session counting is provided for each VPDN profile. One session is brought up each time a remote client dials into a HGW/LNS router by using the NAS/LAC. Sessions are counted by using VPDN profiles. If you do not want to count the number of VPDN sessions, do not set up any VPDN profiles. VPDN profiles count sessions in one or more VPDN groups. Step 5 Router(config-vpdn)# loadsharing ip ip-address [limit number] Configures the endpoints for loadsharing. This router will share the load of IP traffic with the first router specified in Step 2. The limit keyword limits the number of simultaneous sessions that are sent to the remote endpoint (HGW/LNS). This limit can be 0 to 32767 sessions. Step 6 Router(config-vpdn)# backup ip ip-address [limit number] [priority number] Sets up a backup HGW/LNS router. The number of sessions per backup can be limited. The priority number can be 2 to 32767. The highest priority is 2, which is the first HGW/LNS router to receive backup traffic. The lowest priority, which is the default, is 32767. Step 7 Router(config-vpdn)# exit Returns to global configuration mode. Step 8 Router(config)# resource-pool profile vpdn profile-name or Router(config)# resource-pool profile customer name Enters either VPDN profile configuration mode or customer profile configuration mode, depending on whether you want to allow VPDN connections for a customer profile, or allow combined session counting on all of the VPDN sessions within a VPDN profile. Step 9 Router(config-vpdn-profile)# vpdn group group-name or Router(config-customer-profi)# vpdn group group-name Attaches the VPDN group to either the VPDN profile or the customer profile specified in Step 8. Command Purpose Configuring Resource Pool Management How to Configure RPM DC-754 Cisco IOS Dial Technologies Configuration Guide To configure VPDN profile session counting, use the following commands beginning in global configuration mode: To verify session counting and view VPDN group information configured under resource pooling, use the show resource-pool vpdn group command. In this example, two different VPDN groups are configured under two different customer profiles: Router# show resource-pool vpdn group List of VPDN Groups under Customer Profiles Customer Profile customer1:customer1-vpdng Customer Profile customer2:customer2-vpdng List of VPDN Groups under VPDN Profiles VPDN Profile customer1-profile:customer1-vpdng To display the contents of a specific VPDN group, use the show resource-pool vpdn group name command. This example contains one domain name, two DNIS called groups, and two endpoints: Router# show resource-pool vpdn group customer2-vpdng VPDN Group customer2-vpdng found under Customer Profiles: customer2 Tunnel (L2TP) ------ dnis:cg1 dnis:cg2 dnis:jan Endpoint Session Limit Priority Active Sessions Status Reserved Sessions -------- ------------- -------- --------------- ------ ----------------- 172.21.9.67 * 1 0 OK - 10.1.1.1 * 2 0 OK - --------------- ------------- --------------- ----------------- Total * 0 0 To display the contents of a specific VPDN profile, use the show resource-pool vpdn profile name command, as follows: Router# show resource-pool vpdn profile ? WORD VPDN profile name Router# show resource-pool vpdn profile customer1-profile 0 active connections 0 max number of simultaneous connections 0 calls rejected due to profile limits Command Purpose Step 1 Router(config)# resource-pool profile vpdn name Creates a VPDN profile. Step 2 Router(config-vpdn-profile)# vpdn-group name Router(config-vpdn-profile)# exit Associates a VPDN group to the VPDN profile. VPDN sessions done within this VPDN group will be counted by the VPDN profile. Step 3 Router(config)# resource-pool profile customer name Router(config-customer-profi)# vpdn profile name Links the VPDN group to a customer profile. Step 4 Router(config-customer-profi)# ^Z Router# Returns to EXEC mode to perform verification steps. Configuring Resource Pool Management How to Configure RPM DC-755 Cisco IOS Dial Technologies Configuration Guide 0 calls rejected due to resource unavailable 0 overflow connections 0 overflow states entered 0 overflow connections rejected 1435 minutes since last clear command Note Use the debug vpdn event command to troubleshoot VPDN profile limits, session limits, and MLP connections. First, enable this command; then, send a call into the access server. Interpret the debug output and make configuration changes as needed. To debug the L2F or L2TP protocols, use the debug vpdn l2x command: Router# debug vpdn l2x ? error VPDN Protocol errors event VPDN event l2tp-sequencing L2TP sequencing l2x-data L2F/L2TP data packets l2x-errors L2F/L2TP protocol errors l2x-events L2F/L2TP protocol events l2x-packets L2F/L2TP control packets packet VPDN packet Limiting the Number of MLP Bundles in VPDN Groups Cisco IOS software enables you to limit the number of MLP bundles and links supported for each VPDN group. A bundle name consists of a username endpoint discriminator (for example, an IP address or phone number) sent during LCP negotiation. To limit the number of MLP bundles in VPDN groups, use the following commands beginning in global configuration mode: The following example shows the show vpdn multilink command output for verifying MLP bundle limits: Router# show vpdn multilink Multilink Bundle Name VPDN Group Active links Reserved links Bundle/Link Limit --------------------- ---------- ------------ -------------- ----------------- twv@anycompany.com vgdnis 0 0 */* Note Use the debug vpdn event and debug resource-pooling commands to troubleshoot VPDN profile limits, session limits, and MLP connections. First, enable this command; then, send a call into the access server. Interpret the debug output and make configuration changes as needed. Command Purpose Step 1 Router(config)# vpdn-group name Creates a VPDN group. Step 2 Router(config-vpdn)# multilink {bundle number | link number} Limits the number of MLP bundles per VPDN group and links per bundle.1 These settings limit the number of users that can multilink. 1. Both the NAS/LAC and the HGW/LNS router must be configured to support multilink before a client can use multilink to connect to a HGW/LNS. Configuring Resource Pool Management How to Configure RPM DC-756 Cisco IOS Dial Technologies Configuration Guide Configuring Switched 56 over CT1 and RBS To configure switched 56 over CT1 and RBS, use the following commands beginning in global configuration mode. Perform this task on the Cisco AS5200 and Cisco AS5300 access servers only. To verify switched 56 over CT1, use the show dialer dnis command as follows: Router# show dialer dnis group List of DNIS Groups: default mdm_grp1 Router# show dialer dnis group mdm_grp1 Called Number:2001 0 total connections 0 peak connections 0 calltype mismatches Called Number:2002 0 total connections 0 peak connections 0 calltype mismatches Called Number:2003 0 total connections 0 peak connections 0 calltype mismatches Called Number:2004 0 total connections 0 peak connections 0 calltype mismatches . . . Command Purpose Step 1 Router(config)# controller t1 number Specifies a controller and begins controller configuration mode. Step 2 Router(config-controller)# cas-group 0 timeslots 1-24 type e&m-fgb {dtmf | mf} {dnis} Creates a CAS group and assigns time slots. Step 3 Router(config-controller)# framing {sf | esf} Specifies framing. Step 4 Router(config-controller)# linecode {ami | b8zs} Enters the line code. Step 5 Router(config-controller)# exit Returns to global configuration mode. Step 6 Router(config)# dialer dnis group name Creates a dialer called group. Step 7 Router(config-called-group)# call-type cas digital Assigns a call type as digital (switch 56). Step 8 Router(config-called-group)# exit Returns to global configuration mode. Step 9 Router(config)# interface serial number:number Router(config-if)# Specifies the logical serial interface, which was dynamically created when the cas-group command was issued. This command also enters interface configuration mode, where you configure the core protocol characteristics for the serial interface. Configuring Resource Pool Management Verifying RPM Components DC-757 Cisco IOS Dial Technologies Configuration Guide Router# show dialer dnis number List of Numbers: default 2001 2002 2003 2004 . . . Verifying RPM Components The following sections provide call-counter and call-detail output for the different RPM components: • Verifying Current Calls • Verifying Call Counters for a Customer Profile • Clearing Call Counters • Verifying Call Counters for a Discriminator Profile • Verifying Call Counters for a Resource Group • Verifying Call Counters for a DNIS Group • Verifying Call Counters for a VPDN Profile • Verifying Load Sharing and Backup Verifying Current Calls The following output from the show resource-pool call command shows the details for all current calls, including the customer profile and resource group, and the matched DNIS group: Router# show resource-pool call Shelf 0, slot 0, port 0, channel 15, state RM_RPM_RES_ALLOCATED Customer profile ACME, resource group isdn-ports DNIS number 301001 Shelf 0, slot 0, port 0, channel 14, state RM_RPM_RES_ALLOCATED Customer profile ACME, resource group isdn-ports DNIS number 301001 Shelf 0, slot 0, port 0, channel 11, state RM_RPM_RES_ALLOCATED Customer profile ACME, resource group MICA-modems DNIS number 301001 Verifying Call Counters for a Customer Profile The following output from the show resource-pool customer command shows the call counters for a given customer profile. These counters include historical data and can be cleared. Router# show resource-pool customer ACME 3 active connections 41 calls accepted 3 max number of simultaneous connections Configuring Resource Pool Management Verifying RPM Components DC-758 Cisco IOS Dial Technologies Configuration Guide 11 calls rejected due to profile limits 2 calls rejected due to resource unavailable 0 minutes spent with max connections 5 overflow connections 1 overflow states entered 11 overflow connections rejected 10 minutes spent in overflow 214 minutes since last clear command Clearing Call Counters The clear resource-pool command clears the call counters. Verifying Call Counters for a Discriminator Profile The following output from the show resource-pool discriminator command shows the call counters for a given discriminator profile. These counters include historical data and can be cleared. Router# show resource-pool discriminator List of Call Discriminator Profiles: deny_DNIS Router# show resource-pool discriminator deny_DNIS 1 calls rejected Verifying Call Counters for a Resource Group The following output from the show resource-pool resource command shows the call counters for a given resource group. These counters include historical data and can be cleared. Router# show resource-pool resource List of Resources: isdn-ports MICA-modems Router# show resource-pool resource isdn-ports 46 resources in the resource group 2 resources currently active 8 calls accepted in the resource group 2 calls rejected due to resource unavailable 0 calls rejected due to resource allocation errors Configuring Resource Pool Management Verifying RPM Components DC-759 Cisco IOS Dial Technologies Configuration Guide Verifying Call Counters for a DNIS Group The following output from the show dialer dnis command shows the call counters for a given DNIS group. These counters include historical data and can be cleared. Router# show dialer dnis group ACME_dnis_numbers DNIS Number:301001 11 total connections 5 peak connections 0 calltype mismatches Verifying Call Counters for a VPDN Profile The following output from the show resource-pool vpdn command shows the call counters for a given VPDN profile or the tunnel information for a given VPDN group. These counters include historical data and can be cleared. Router# show resource-pool vpdn profile ACME_VPDN 2 active connections 2 max number of simultaneous connections 0 calls rejected due to profile limits 0 calls rejected due to resource unavailable 0 overflow connections 0 overflow states entered 0 overflow connections rejected 215 minutes since last clear command Router# show resource-pool vpdn group outgoing-2 VPDN Group outgoing-2 found under VPDN Profiles: ACME_VPDN Tunnel (L2F) ------ dnis:301001 dnis:ACME_dnis_numbers Endpoint Session Limit Priority Active Sessions Status Reserved Sessions -------- ------------- -------- --------------- ------ ----------------- 172.16.1.9 * 1 2 OK - -------- ------------- --------------- ----------------- Total * 2 0 Verifying Load Sharing and Backup The following example from the show running-config EXEC command shows two different VPDN customer groups: Router# show running-config Building configuration... . . . vpdn-group customer1-vpdng request dialin protocol l2f domain cisco.com Configuring Resource Pool Management Troubleshooting RPM DC-760 Cisco IOS Dial Technologies Configuration Guide domain cisco2.com dnis customer1-calledg initiate-to ip 172.21.9.67 loadsharing ip 172.21.9.68 limit 100 backup ip 172.21.9.69 priority 5 vpdn-group customer2-vpdng request dialin protocol l2tp dnis customer2-calledg domain acme.com initiate-to ip 172.22.9.5 Troubleshooting RPM Test and verify that ISDN, CAS, SS7, PPP, AAA, and VPDN are working properly before implementing RPM. Once RPM is implemented, the only debug commands needed for troubleshooting RPM are as follows: • debug resource pool • debug aaa authorization The debug resource-pool command is useful as a first step to ensure proper operation. It is usually sufficient for most cases. Use the debug aaa authorization command for troubleshooting VPDN and modem service problems. Problems that might typically occur are as follows: • No DNIS group found or no customer profile uses a default DNIS • Call discriminator blocks the DNIS • Customer profile limits exceeded • Resource group limits exceeded Note Always enable the debug and log time stamps when troubleshooting RPM. This section provides the following topics for troubleshooting RPM: • Resource-Pool Component • Resource Group Manager • Signaling Stack • AAA Component • VPDN Component • Troubleshooting DNIS Group Problems • Troubleshooting Call Discriminator Problems • Troubleshooting Customer Profile Counts • Troubleshooting Resource Group Counts • Troubleshooting VPDN • Troubleshooting RPMS Configuring Resource Pool Management Troubleshooting RPM DC-761 Cisco IOS Dial Technologies Configuration Guide Resource-Pool Component The resource-pool component contains two modules—a dispatcher and a local resource-pool manager. The dispatcher interfaces with the signaling stack, resource-group manager, and AAA, and is responsible for maintaining resource-pool call state and status information. The state transitions can be displayed by enabling the resource-pool debug traces. Table 45 summarizes the resource pooling states. The resource-pool state can be used to isolate problems. For example, if a call fails authorization in the RM_RES_AUTHOR state, investigate further with AAA authorization debugs to determine whether the problem lies in the resource-pool manager, AAA, or dispatcher. The resource-pool component also contains local customer profiles and discriminators, and is responsible for matching, configuring, and maintaining the associated counters and statistics. The resource-pool component is responsible for the following: • Configuration of customer profiles or discriminators • Matching a customer profile or discriminator for local profile configuration • Counters/statistics for customer profiles or discriminators • Active call information displayed by the show resource-pool call command The RPMS debug commands are summarized in Table 46. Table 45 Resource Pooling States State Description RM_IDLE No call activity. RM_RES_AUTHOR Call waiting for authorization; message sent to AAA. RM_RES_ALLOCATING Call authorized; resource group manager allocating. RM_RES_ALLOCATED Resource allocated; connection acknowledgment sent to signaling state. Call should get connected and become active. RM_AUTH_REQ_IDLE Signaling module disconnected call while in RM_RES_AUTHOR. Waiting for authorization response from AAA. RM_RES_REQ_IDLE Signaling module disconnected call while in RM_RES_ALLOCATING. Waiting for resource allocation response from resource group manager. Table 46 Debug Commands for RPM Command Purpose debug resource-pool This debug output should be sufficient for most RPM troubleshooting situations. debug aaa authorization This debug output provides more specific information and shows the actual DNIS numbers passed and call types used. Configuring Resource Pool Management Troubleshooting RPM DC-762 Cisco IOS Dial Technologies Configuration Guide Successful Resource Pool Connection The following sample output from the debug resource-pool command displays a successful RPM connection. The entries in bold are of particular importance. *Mar 1 02:14:57.439: RM state:RM_IDLE event:DIALER_INCALL DS0:0:0:0:21 *Mar 1 02:14:57.439: RM: event incoming call *Mar 1 02:14:57.443: RM state:RM_DNIS_AUTHOR event:RM_DNIS_RPM_REQUEST DS0:0:0:0:21 *Mar 1 02:14:57.447: RM:RPM event incoming call *Mar 1 02:14:57.459: RPM profile ACME found *Mar 1 02:14:57.487: RM state:RM_RPM_RES_AUTHOR event:RM_RPM_RES_AUTHOR_SUCCESS DS0:0:0:0:21 *Mar 1 02:14:57.487: Allocated resource from res_group isdn-ports *Mar 1 02:14:57.491: RM:RPM profile "ACME", allocated resource "isdn-ports" successfully *Mar 1 02:14:57.495: RM state:RM_RPM_RES_ALLOCATING event:RM_RPM_RES_ALLOC_SUCCESS DS0:0:0:0:21 *Mar 1 02:14:57.603: %LINK-3-UPDOWN: Interface Serial0:21, changed state to up *Mar 1 02:15:00.879: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0:21, changed state to up Dialer Component The dialer component contains DNIS groups and is responsible for configuration, and maintenance of counters and statistics. The resource-pool component is responsible for the following: • DNIS number statistics or counters • Configuring DNIS groups Resource Group Manager Resource groups are created, maintained, allocated, freed, and tallied by the resource group manager. The resource group manager is also responsible for service profiles, which are applied to resources at call setup time. The resource group manager is responsible for: • Allocating resources when the profile has been authorized and a valid resource group is received • Statistics or configuration of resource groups • Configuring or applying service profiles to resource groups • Collecting DNIS number information for channel-associated signaling calls Signaling Stack The signaling stacks currently supported in resource pooling are CAS and ISDN. The signaling stack delivers the incoming call to the resource-pool dispatcher and provides call-type and DNIS number information to the resource-pool dispatcher. Depending on configuration, call connect attempts may fail if the signaling stacks do not send the DNIS number and the call type to the resource-pool dispatcher. Call attempts will also fail if signaling stacks disconnect prematurely, not giving enough time for authorization or resource allocation processes to complete. Therefore, investigate the signaling stack when call attempts or call treatment behavior does not meet expectations. For ISDN, the debug isdn q931 command can be used to isolate errors between resource pooling, signaling stack, and switch. For CAS, the debug modem csm, service internal, and Configuring Resource Pool Management Troubleshooting RPM DC-763 Cisco IOS Dial Technologies Configuration Guide modem-mgmt csm debug-rbs commands are used on Cisco AS5200 and Cisco AS5300 access servers, while the debug csm and debug trunk cas port number timeslots number commands are used on the Cisco AS5800 access server. AAA Component In context with resource pooling, the AAA component is responsible for the following: • Authorization of profiles between the resource-pool dispatcher and local or external resource-pool manager • Accounting messages between the resource-pool dispatcher and external resource-pool manager for resource allocation • VPDN authorization between VPDN and the local or external resource-pool manager • VPDN accounting messages between VPDN and the external resource-pool manager • Overflow accounting records between the AAA server and resource-pool dispatcher • Resource connect speed accounting records between the AAA server and resource group VPDN Component The VPDN component is responsible for the following: • Creating VPDN groups and profiles • Searching or matching groups based on domain or DNIS • Maintaining counts and statistics for the groups and profiles • Setting up the tunnel between the NAS/LAC and HGW/LNS The VPDN component interfaces with AAA to get VPDN tunnel authorization on the local or remote resource-pool manager. VPDN and AAA debugging traces should be used for troubleshooting. Troubleshooting DNIS Group Problems The following output from the debug resource-pool command displays a customer profile that is not found for a particular DNIS group: *Mar 1 00:38:21.011: RM state:RM_IDLE event:DIALER_INCALL DS0:0:0:0:3 *Mar 1 00:38:21.011: RM: event incoming call *Mar 1 00:38:21.015: RM state:RM_DNIS_AUTHOR event:RM_DNIS_RPM_REQUEST DS0:0:0:0:3 *Mar 1 00:38:21.019: RM:RPM event incoming call *Mar 1 00:38:21.103: RPM no profile found for call-type digital in default DNIS number *Mar 1 00:38:21.155: RM:RPM profile rejected do not allocate resource *Mar 1 00:38:21.155: RM state:RM_RPM_RES_AUTHOR event:RM_RPM_RES_AUTHOR_FAIL DS0:0:0:0:3 *Mar 1 00:38:21.163: RM state:RM_RPM_DISCONNECTING event:RM_RPM_DISC_ACK DS0:0:0:0:3 Configuring Resource Pool Management Troubleshooting RPM DC-764 Cisco IOS Dial Technologies Configuration Guide Troubleshooting Call Discriminator Problems The following output from the debug resource-pool command displays an incoming call that is matched against a call discriminator profile: *Mar 1 00:35:25.995: RM state:RM_IDLE event:DIALER_INCALL DS0:0:0:0:4 *Mar 1 00:35:25.999: RM: event incoming call *Mar 1 00:35:25.999: RM state:RM_DNIS_AUTHOR event:RM_DNIS_RPM_REQUEST DS0:0:0:0:4 *Mar 1 00:35:26.003: RM:RPM event incoming call *Mar 1 00:35:26.135: RM:RPM profile rejected do not allocate resource *Mar 1 00:35:26.139: RM state:RM_RPM_RES_AUTHOR event:RM_RPM_RES_AUTHOR_FAIL DS0:0:0:0:4 *Mar 1 00:35:26.143: RM state:RM_RPM_DISCONNECTING event:RM_RPM_DISC_ACK DS0:0:0:0:4 Troubleshooting Customer Profile Counts The following output from the debug resource-pool command displays what happens once the customer profile limits have been reached: *Mar 1 00:43:33.275: RM state:RM_IDLE event:DIALER_INCALL DS0:0:0:0:9 *Mar 1 00:43:33.279: RM: event incoming call *Mar 1 00:43:33.279: RM state:RM_DNIS_AUTHOR event:RM_DNIS_RPM_REQUEST DS0:0:0:0:9 *Mar 1 00:43:33.283: RM:RPM event incoming call *Mar 1 00:43:33.295: RPM count exceeded in profile ACME *Mar 1 00:43:33.315: RM:RPM profile rejected do not allocate resource *Mar 1 00:43:33.315: RM state:RM_RPM_RES_AUTHOR event:RM_RPM_RES_AUTHOR_FAIL DS0:0:0:0:9 *Mar 1 00:43:33.323: RM state:RM_RPM_DISCONNECTING event:RM_RPM_DISC_ACK DS0:0:0:0:9 Troubleshooting Resource Group Counts The following output from the debug resource-pool command displays the resources within a resource group all in use: *Mar 1 00:52:34.411: RM state:RM_IDLE event:DIALER_INCALL DS0:0:0:0:19 *Mar 1 00:52:34.411: RM: event incoming call *Mar 1 00:52:34.415: RM state:RM_DNIS_AUTHOR event:RM_DNIS_RPM_REQUEST DS0:0:0:0:19 *Mar 1 00:52:34.419: RM:RPM event incoming call *Mar 1 00:52:34.431: RPM profile ACME found *Mar 1 00:52:34.455: RM state:RM_RPM_RES_AUTHOR event:RM_RPM_RES_AUTHOR_SUCCESS DS0:0:0:0:19 *Mar 1 00:52:34.459: All resources in res_group isdn-ports are in use *Mar 1 00:52:34.463: RM state:RM_RPM_RES_ALLOCATING event:RM_RPM_RES_ALLOC_FAIL DS0:0:0:0:19 *Mar 1 00:52:34.467: RM:RPM failed to allocate resources for "ACME" Troubleshooting VPDN Troubleshooting problems that might typically occur are as follows: • Customer profile is not associated with a VPDN profile or VPDN group (the call will be locally terminated in this case. Regular VPDN can still succeed even if RPM/VPDN fails). • VPDN profile limits have been reached (call answered but disconnected). • VPDN group limits have been reached (call answered but disconnected). • VPDN endpoint is not reachable (call answered but disconnected). Configuring Resource Pool Management Troubleshooting RPM DC-765 Cisco IOS Dial Technologies Configuration Guide Troubleshooting RPM/VPDN Connection The following sample output from the debug resource-pool command displays a successful RPM/VPDN connection. The entries in bold are of particular importance. *Mar 1 00:15:53.639: Se0:10 RM/VPDN/rm-session-request: Allocated vpdn info for domain NULL MLP Bundle SOHO *Mar 1 00:15:53.655: RM/VPDN/ACME_VPDN: VP LIMIT/ACTIVE/RESERVED/OVERFLOW are now 6/0/0/0 *Mar 1 00:15:53.659: RM/VPDN/ACME_VPDN: Session reserved for outgoing-2 *Mar 1 00:15:53.695: Se0:10 RM/VPDN: Session has been authorized using dnis:ACME_dnis_numbers *Mar 1 00:15:53.695: Se0:10 RM/VPDN/session-reply: NAS name HQ-NAS *Mar 1 00:15:53.699: Se0:10 RM/VPDN/session-reply: Endpoint addresses 172.16.1.9 *Mar 1 00:15:53.703: Se0:10 RM/VPDN/session-reply: VPDN tunnel protocol l2f *Mar 1 00:15:53.703: Se0:10 RM/VPDN/session-reply: VPDN Group outgoing-2 *Mar 1 00:15:53.707: Se0:10 RM/VPDN/session-reply: VPDN domain dnis:ACME_dnis_numbers *Mar 1 00:15:53.767: RM/VPDN: MLP Bundle SOHO Session Connect with 1 Endpoints: *Mar 1 00:15:53.771: IP 172.16.1.9 OK *Mar 1 00:15:53.771: RM/VPDN/rm-session-connect/ACME_VPDN: VP LIMIT/ACTIVE/RESERVED/OVERFLOW are now 6/1/0/0 *Mar 1 00:15:54.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0:10, changed state to up *Mar 1 00:15:57.399: %ISDN-6-CONNECT: Interface Serial0:10 is now connected to SOHO Troubleshooting Customer/VPDN Profile The following sample output from the debug resource-pool command displays when there is no VPDN group associated with an incoming DNIS group. However, the output from the debug resource-pool command, as shown here, does not effectively reflect the problem: *Mar 1 03:40:16.483: Se0:15 RM/VPDN/rm-session-request: Allocated vpdn info for domain NULL MLP Bundle SOHO *Mar 1 03:40:16.515: Se0:15 RM/VPDN/rm-session-request: Authorization failed *Mar 1 03:40:16.527: %VPDN-6-AUTHORERR: L2F NAS HQ-NAS cannot locate a AAA server for Se0:15 user SOHO *Mar 1 03:40:16.579: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up *Mar 1 03:40:17.539: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0:15, changed state to up *Mar 1 03:40:17.615: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up *Mar 1 03:40:19.483: %ISDN-6-CONNECT: Interface Serial0:15 is now connected to SOHO Whenever the debug resource-pool command offers no further assistance besides the indication that authorization has failed, enter the debug aaa authorization command to further troubleshoot the problem. In this case, the debug aaa authorization command output appears as follows: *Mar 1 04:03:49.846: Se0:19 RM/VPDN/rm-session-request: Allocated vpdn info for domain NULL MLP Bundle SOHO *Mar 1 04:03:49.854: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): Port='DS0:0:0:0:19' list='default' service=RM *Mar 1 04:03:49.858: AAA/AUTHOR/RM vpdn-session: Se0:19 (3912941997) user='301001' *Mar 1 04:03:49.862: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): send AV service=resource-management *Mar 1 04:03:49.866: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): send AV protocol=vpdn-session *Mar 1 04:03:49.866: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): send AV rm-protocol-version=1.0 *Mar 1 04:03:49.870: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): send AV rm-nas-state=3278356 *Mar 1 04:03:49.874: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): send AV rm-call-handle=27 Configuring Resource Pool Management Troubleshooting RPM DC-766 Cisco IOS Dial Technologies Configuration Guide *Mar 1 04:03:49.878: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): send AV multilink-id=SOHO *Mar 1 04:03:49.878: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): found list "default" *Mar 1 04:03:49.882: Se0:19 AAA/AUTHOR/RM vpdn-session (3912941997): Method=LOCAL *Mar 1 04:03:49.886: Se0:19 AAA/AUTHOR/RM/local (3912941997): Received AV service=resource-management *Mar 1 04:03:49.890: Se0:19 AAA/AUTHOR/RM/local (3912941997): Received AV protocol=vpdn-session *Mar 1 04:03:49.890: Se0:19 AAA/AUTHOR/RM/local (3912941997): Received AV rm-protocol-version=1.0 *Mar 1 04:03:49.894: Se0:19 AAA/AUTHOR/RM/local (3912941997): Received AV rm-nas-state=3278356 *Mar 1 04:03:49.898: Se0:19 AAA/AUTHOR/RM/local (3912941997): Received AV rm-call-handle=27 *Mar 1 04:03:49.902: Se0:19 AAA/AUTHOR/RM/local (3912941997): Received AV multilink-id=SOHO *Mar 1 04:03:49.906: Se0:19 AAA/AUTHOR/VPDN/RM/LOCAL: Customer ACME has no VPDN group for session dnis:ACME_dnis_numbers *Mar 1 04:03:49.922: Se0:19 AAA/AUTHOR (3912941997): Post authorization status = FAIL Troubleshooting VPDN Profile Limits The following output from the debug resource-pool command displays that VPDN profile limits have been reached: *Mar 1 04:57:53.762: Se0:13 RM/VPDN/rm-session-request: Allocated vpdn info for domain NULL MLP Bundle SOHO *Mar 1 04:57:53.774: RM/VPDN/ACME_VPDN: VP LIMIT/ACTIVE/RESERVED/OVERFLOW are now 0/0/0/0 *Mar 1 04:57:53.778: RM/VPDN/ACME_VPDN: Session outgoing-2 rejected due to Session Limit *Mar 1 04:57:53.798: Se0:13 RM/VPDN/rm-session-request: Authorization failed *Mar 1 04:57:53.802: %VPDN-6-AUTHORFAIL: L2F NAS HQ-NAS, AAA authorization failure for Se0:13 user SOHO; At Session Max *Mar 1 04:57:53.866: %ISDN-6-DISCONNECT: Interface Serial0:13 disconnected from SOHO, call lasted 2 seconds *Mar 1 04:57:54.014: %LINK-3-UPDOWN: Interface Serial0:13, changed state to down *Mar 1 04:57:54.050: RM state:RM_RPM_RES_ALLOCATED event:DIALER_DISCON DS0:0:0:0:13 *Mar 1 04:57:54.054: RM:RPM event call drop *Mar 1 04:57:54.054: Deallocated resource from res_group isdn-ports Troubleshooting VPDN Group Limits The following debug resource-pool command display shows that VPDN group limits have been reached. From this display, the problem is not obvious. To troubleshoot further, use the debug aaa authorization command described in the “Troubleshooting RPMS” section later in this chapter: *Mar 1 05:02:22.314: Se0:17 RM/VPDN/rm-session-request: Allocated vpdn info for domain NULL MLP Bundle SOHO *Mar 1 05:02:22.334: RM/VPDN/ACME_VPDN: VP LIMIT/ACTIVE/RESERVED/OVERFLOW are now 5/0/0/0 *Mar 1 05:02:22.334: RM/VPDN/ACME_VPDN: Session reserved for outgoing-2 *Mar 1 05:02:22.358: Se0:17 RM/VPDN/rm-session-request: Authorization failed *Mar 1 05:02:22.362: %VPDN-6-AUTHORFAIL: L2F NAS HQ-NAS, AAA authorization failure for Se0:17 user SOHO; At Multilink Bundle Limit *Mar 1 05:02:22.374: %ISDN-6-DISCONNECT: Interface Serial0:17 disconnected from SOHO, call lasted 2 seconds *Mar 1 05:02:22.534: %LINK-3-UPDOWN: Interface Serial0:17, changed state to down *Mar 1 05:02:22.570: RM state:RM_RPM_RES_ALLOCATED event:DIALER_DISCON DS0:0:0:0:17 *Mar 1 05:02:22.574: RM:RPM event call drop *Mar 1 05:02:22.574: Deallocated resource from res_group isdn-ports Configuring Resource Pool Management Troubleshooting RPM DC-767 Cisco IOS Dial Technologies Configuration Guide Troubleshooting VPDN Endpoint Problems The following output from the debug resource-pool command displays that the IP endpoint for the VPDN group is not reachable: *Mar 1 05:12:22.330: Se0:21 RM/VPDN/rm-session-request: Allocated vpdn info for domain NULL MLP Bundle SOHO *Mar 1 05:12:22.346: RM/VPDN/ACME_VPDN: VP LIMIT/ACTIVE/RESERVED/OVERFLOW are now 5/0/0/0 *Mar 1 05:12:22.350: RM/VPDN/ACME_VPDN: Session reserved for outgoing-2 *Mar 1 05:12:22.382: Se0:21 RM/VPDN: Session has been authorized using dnis:ACME_dnis_numbers *Mar 1 05:12:22.386: Se0:21 RM/VPDN/session-reply: NAS name HQ-NAS *Mar 1 05:12:22.386: Se0:21 RM/VPDN/session-reply: Endpoint addresses 172.16.1.99 *Mar 1 05:12:22.390: Se0:21 RM/VPDN/session-reply: VPDN tunnel protocol l2f *Mar 1 05:12:22.390: Se0:21 RM/VPDN/session-reply: VPDN Group outgoing-2 *Mar 1 05:12:22.394: Se0:21 RM/VPDN/session-reply: VPDN domain dnis:ACME_dnis_numbers *Mar 1 05:12:25.762: %ISDN-6-CONNECT: Interface Serial0:21 is now connected to SOHO *Mar 1 05:12:27.562: %VPDN-5-UNREACH: L2F HGW 172.16.1.99 is unreachable *Mar 1 05:12:27.578: RM/VPDN: MLP Bundle SOHO Session Connect with 1 Endpoints: *Mar 1 05:12:27.582: IP 172.16.1.99 Destination unreachable Troubleshooting RPMS In general, the debug aaa authorization command is not used for RPM troubleshooting unless the debug resource-pool command display is too vague. The debug aaa authorization command is more useful for troubleshooting with RPMS. Following is sample output: Router# debug aaa authorization AAA Authorization debugging is on Router# show debug General OS: AAA Authorization debugging is on Resource Pool: resource-pool general debugging is on The following output from the debug resource-pool and debug aaa authorization commands shows a successful RPM connection: *Mar 1 06:10:35.450: AAA/MEMORY: create_user (0x723D24) user='301001' ruser=''port='DS0:0:0:0:12' rem_addr='102' authen_type=NONE service=NONE priv=0 *Mar 1 06:10:35.462: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): Port='DS0:0:0:0:12' list='default' service=RM *Mar 1 06:10:35.466: AAA/AUTHOR/RM call-accept: DS0:0:0:0:12 (2784758907) user= '301001' *Mar 1 06:10:35.470: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): send AV service=resource-management *Mar 1 06:10:35.470: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): send AV protocol=call-accept *Mar 1 06:10:35.474: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): send AV rm-protocol-version=1.0 *Mar 1 06:10:35.478: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): send AV rm-nas-state=7513368 *Mar 1 06:10:35.482: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): send AV rm-call-type=speech *Mar 1 06:10:35.486: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): send AV rm-request-type=dial-in *Mar 1 06:10:35.486: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): send AV rm-link-type=isdn Configuring Resource Pool Management Configuration Examples for RPM DC-768 Cisco IOS Dial Technologies Configuration Guide *Mar 1 06:10:35.490: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): found list "default" *Mar 1 06:10:35.494: DS0:0:0:0:12 AAA/AUTHOR/RM call-accept (2784758907): Method=LOCAL *Mar 1 06:10:35.498: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907):Received DNIS=301001 *Mar 1 06:10:35.498: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907):Received CLID=102 *Mar 1 06:10:35.502: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907):Received Port=DS0:0:0:0:12 *Mar 1 06:10:35.506: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907): Received AV service=resource-management *Mar 1 06:10:35.510: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907): Received AV protocol=call-accept *Mar 1 06:10:35.510: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907): Received AV rm-protocol-version=1.0 *Mar 1 06:10:35.514: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907): Received AV rm-nas-state=7513368 *Mar 1 06:10:35.518: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907): Received AV rm-call-type=speech *Mar 1 06:10:35.522: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907): Received AV rm-request-type=dial-in *Mar 1 06:10:35.526: DS0:0:0:0:12 AAA/AUTHOR/RM/local (2784758907): Received AV rm-link-type=isdn *Mar 1 06:10:35.542: AAA/AUTHOR (2784758907): Post authorization status = PASS_REPL *Mar 1 06:10:35.546: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV service=resource-management *Mar 1 06:10:35.550: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV protocol=call-accept *Mar 1 06:10:35.554: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV rm-protocol-version=1.0 *Mar 1 06:10:35.558: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV rm-response-code=overflow *Mar 1 06:10:35.558: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV rm-call-handle=47 *Mar 1 06:10:35.562: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV rm-call-count=2 *Mar 1 06:10:35.566: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV rm-cp-name=ACME *Mar 1 06:10:35.570: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV rm-rg-name#0=MICA-modems *Mar 1 06:10:35.574: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV rm-rg-service-name#0=gold *Mar 1 06:10:35.578: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV rm-call-treatment=busy *Mar 1 06:10:35.582: DS0:0:0:0:12 AAA/AUTHOR/RM/call-accept (2784758907): Processing AV rm-call-type=speech Configuration Examples for RPM The following sections provide RPM configuration examples: • Standard Configuration for RPM Example • Customer Profile Configuration for DoVBS Example • DNIS Discriminator Profile Example • CLID Discriminator Profile Example • Direct Remote Services Configuration Example • VPDN Configuration Example • VPDN Load Sharing and Backing Up Between Multiple HGW/LNSs Example Configuring Resource Pool Management Configuration Examples for RPM DC-769 Cisco IOS Dial Technologies Configuration Guide Standard Configuration for RPM Example The following example demonstrates a basic RPM configuration: resource-pool enable resource-pool call treatment resource busy resource-pool call treatment profile no-answer ! resource-pool group resource isdn-ports range limit 46 resource-pool group resource MICA-modems range port 1/0 2/23 ! resource-pool profile customer ACME limit base-size 30 limit overflow-size 10 resource isdn-ports digital resource MICA-modems speech service gold dnis group ACME_dnis_numbers ! resource-pool profile customer DEFAULT limit base-size 10 resource MICA-modems speech service silver dnis group default resource-pool profile discriminator deny_DNIS call-type digital dnis group bye-bye ! resource-pool profile service gold modem min-speed 33200 max-speed 56000 modulation v90 resource-pool profile service silver modem min-speed 19200 max-speed 33200 modulation v34 ! resource-pool aaa protocol local ! dialer dnis group ACME_dnis_numbers number 301001 dialer dnis group bye-bye number 301005 Tips • Replace the command string resource isdn-ports digital in the previous example with resource isdn-ports speech to set up DoVBS. See the section, “Customer Profile Configuration for DoVBS Example,” for more information. Digital calls to 301001 are associated with the customer ACME by using the resource group “isdn-ports.” • Speech calls to 301001 are associated with the customer ACME by using the resource group “mica-modems” and allow for V.90 connections (anything less than V.90 is also allowed). • Digital calls to 301005 are denied. • All other speech calls to any other DNIS number are associated with the customer profile “DEFAULT” by using the resource group “mica-modems” and allow for V.34 connections (anything more than V.34 is not allowed; anything less than V.34 is also allowed). • All other digital calls to any other DNIS number are not associated with a customer profile and are therefore not allowed. Configuring Resource Pool Management Configuration Examples for RPM DC-770 Cisco IOS Dial Technologies Configuration Guide • The customer profile named “DEFAULT” serves as the default customer profile for speech calls only. If the solution uses an external RPMS server, this same configuration can be used for backup resource pooling if communication is lost between the NAS and the RPMS. Customer Profile Configuration for DoVBS Example To allow ISDN calls with a speech bearer capability to be directed to digital resources, make the following change (highlighted in bold) to the configuration shown in the previous section, “Standard Configuration for RPM Example”: resource-pool profile customer ACME limit base-size 30 limit overflow-size 10 resource isdn-ports speech dnis group ACME_dnis_numbers This change causes ISDN speech calls (in addition to ISDN digital calls) to be directed to the resource “isdn-ports”; thus, ISDN speech calls provide DoVBS. DNIS Discriminator Profile Example The following is sample configuration for a DNIS discriminator. It shows how to enable resource pool management, configure a customer profile, create DNIS groups, and add numbers to the DNIS groups. aaa new-model ! ! Enable resource pool management resource-pool enable ! resource-pool group resource digital range limit 20 ! ! Configure customer profile resource-pool profile customer cp1 limit base-size all limit overflow-size 0 resource digital digital dnis group ok ! ! isdn switch-type primary-5ess ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! interface Loopback1 ip address 192.168.0.0 255.255.255.0 ! interface Serial0:23 ip unnumbered Loopback1 encapsulation ppp ip mroute-cache dialer-group 1 isdn switch-type primary-5ess Configuring Resource Pool Management Configuration Examples for RPM DC-771 Cisco IOS Dial Technologies Configuration Guide no peer default ip address ppp authentication chap ! ! Configure DNIS groups dialer dnis group blot number 5552003 number 3456789 number 2345678 number 1234567 ! dialer dnis group ok number 89898989 number 5551003 ! dialer-list 1 protocol ip permit CLID Discriminator Profile Example The following is a sample configuration of a CLID discriminator. It shows how to enable resource pool management, configure resource groups, configure customer profiles, configure CLID groups and DNIS groups, and add them to discriminator profiles. version xx.x no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname cisco-machine ! aaa new-model aaa authentication login djm local ! username eagle password *** username infiniti password *** spe 1/0 1/7 firmware location system:/ucode/mica_port_firmware spe 2/0 2/7 firmware location system:/ucode/mica_port_firmware ! ! Enable resource pool management resource-pool enable ! ! Configure resource groups resource-pool group resource digital range limit 20 ! ! Configure customer profiles resource-pool profile customer cp1 limit base-size all limit overflow-size 0 resource digital digital dnis group ok ! ! Configure discriminator profiles resource-pool profile discriminator baadaabing call-type digital clid group stompIt ! Configuring Resource Pool Management Configuration Examples for RPM DC-772 Cisco IOS Dial Technologies Configuration Guide resource-pool profile discriminator baadaaboom call-type digital clid group splat ! ip subnet-zero ! isdn switch-type primary-5ess chat-script dial ABORT BUSY "" AT OK "ATDT \T" TIMEOUT 30 CONNECT \c ! ! mta receive maximum-recipients 0 partition flash 2 8 8 ! ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 shutdown clock source line secondary 1 ! controller T1 2 shutdown clock source line secondary 2 ! controller T1 3 shutdown clock source line secondary 3 ! controller T1 4 shutdown clock source line secondary 4 ! controller T1 5 shutdown clock source line secondary 5 ! controller T1 6 shutdown clock source line secondary 6 ! controller T1 7 shutdown clock source line secondary 7 ! interface Loopback0 ip address 192.168.12.1 255.255.255.0 ! interface Loopback1 ip address 192.168.15.1 255.255.255.0 ! interface Loopback2 ip address 192.168.17.1 255.255.255.0 ! interface Ethernet0 ip address 10.0.39.15 255.255.255.0 no ip route-cache no ip mroute-cache ! Configuring Resource Pool Management Configuration Examples for RPM DC-773 Cisco IOS Dial Technologies Configuration Guide interface Serial0 no ip address no ip route-cache no ip mroute-cache shutdown no fair-queue clockrate 2015232 ! interface Serial1 no ip address no ip route-cache no ip mroute-cache shutdown no fair-queue clockrate 2015232 ! interface Serial2 no ip address no ip route-cache no ip mroute-cache shutdown no fair-queue clockrate 2015232 ! interface Serial3 no ip address no ip route-cache no ip mroute-cache shutdown no fair-queue clockrate 2015232 ! interface Serial0:23 ip unnumbered Loopback1 encapsulation ppp ip mroute-cache dialer-group 1 isdn switch-type primary-5ess no peer default ip address ppp authentication chap pap ! interface FastEthernet0 ip address 10.0.38.15 255.255.255.0 no ip route-cache no ip mroute-cache duplex half speed 100 ! ! ip local pool default 192.168.13.181 192.168.13.226 ip classless ip route 172.25.0.0 255.0.0.0 Ethernet0 ip route 172.19.0.0 255.0.0.0 Ethernet0 no ip http server ! ! ! Configure DNIS groups dialer dnis group blot number 4085551003 number 5552003 number 2223333 number 3456789 number 2345678 number 1234567 Configuring Resource Pool Management Configuration Examples for RPM DC-774 Cisco IOS Dial Technologies Configuration Guide ! dialer dnis group ok number 89898989 number 4084442002 number 4085552002 number 5551003 ! dialer clid group splat number 12321224 ! ! Configure CLID groups dialer clid group zot number 2121212121 number 4085552002 ! dialer clid group snip number 1212121212 ! dialer clid group stompIt number 4089871234 ! dialer clid group squash number 5656456 dialer-list 1 protocol ip permit ! ! ! line con 0 exec-timeout 0 0 logging synchronous transport input none line 1 96 no exec exec-timeout 0 0 autoselect ppp line aux 0 line vty 0 4 exec-timeout 0 0 transport input none ! scheduler interval 1000 end Direct Remote Services Configuration Example The following example shows a direct remote services configuration: resource-pool profile customer ACME limit base-size 30 limit overflow-size 10 resource isdn-ports digital resource MICA-modems speech service gold dnis group ACME_dnis_numbers aaa group-configuration tahoe source template acme_direct ! resource-pool profile customer DEFAULT limit base-size 10 resource MICA-modems speech service silver dnis group default Configuring Resource Pool Management Configuration Examples for RPM DC-775 Cisco IOS Dial Technologies Configuration Guide resource-pool profile discriminator deny_DNIS call-type digital dnis group bye-bye ! resource-pool profile service gold modem min-speed 33200 max-speed 56000 modulation v90 resource-pool profile service silver modem min-speed 19200 max-speed 33200 modulation v34 ! resource-pool aaa protocol local ! template acme_direct peer default ip address pool tahoe ppp authentication chap isdn-users ppp multilink ! dialer dnis group ACME_dnis_numbers number 301001 dialer dnis group bye-bye number 301005 VPDN Configuration Example Adding the following commands to those listed in the section “Standard Configuration for RPM Example” earlier in this chapter allows you to use VPDN by setting up a VPDN profile and a VPDN group: Note If the limits imposed by the VPDN profile are not required, do not configure the VPDN profile. Replace the vpdn profile ACME_VPDN command under the customer profile ACME with the vpdn group outgoing-2 command. resource-pool profile vpdn ACME_VPDN limit base-size 6 limit overflow-size 0 vpdn group outgoing-2 ! resource-pool profile customer ACME limit base-size 30 limit overflow-size 10 resource isdn-ports digital resource MICA-modems speech service gold dnis group ACME_dnis_numbers ! vpdn profile ACME_VPDN ! vpdn enable ! vpdn-group outgoing-2 request dialin protocol 12f dnis ACME_dnis_numbers local name HQ-NAS initiate-to ip 172.16.1.9 multilink bundle 1 multilink link 2 ! dialer dnis group ACME_dnis_numbers number 301001 Configuring Resource Pool Management Configuration Examples for RPM DC-776 Cisco IOS Dial Technologies Configuration Guide VPDN Load Sharing and Backing Up Between Multiple HGW/LNSs Example Cisco IOS software enables you to balance and back up VPDN sessions across multiple tunnel endpoints (HGW/LNS). When a user or session comes into the NAS/LAC, a VPDN load-balancing algorithm is triggered and applied to the call. The call is then passed to an available HGW/LNS. You can modify this function by limiting the number of sessions supported on an HGW/LNS router and limiting the number of MLP bundles and links. Figure 109 shows an example of one NAS/LAC that directs calls to two HGW/LNS routers by using the L2TP tunneling protocol. Each router has a different number of supported sessions and works at a different speed. The NAS/LAC is counting the number of active simultaneous sessions sent to each HGW/LNS. Figure 109 Home Gateway Load Sharing and Backup In a standalone NAS environment (no RPMS server used), the NAS has complete knowledge of the status of tunnel endpoints. Balancing across endpoints is done by a “least-filled tunnel” or a “next-available round robin” approach. In an RPMS-controlled environment, RPMS has the complete knowledge of tunnel endpoints. However, the NAS still has the control over those tunnel endpoints selected by RPMS. A standalone NAS uses the following default search criteria for load-balancing traffic across multiple endpoints (HGW/LNS): • Select any idle endpoint—an HGW/LNS with no active sessions. • Select an active endpoint that currently has a tunnel established with the NAS. • If all specified load-sharing routers are busy, select the backup HGW. If all endpoints are busy, report that the NAS cannot find an IP address to establish the call. Note This default search order criteria is independent of the Cisco RPMS application scenario. A standalone NAS uses a different load-sharing algorithm than the Cisco RPMS. This search criteria will change as future enhancements become available. AS5000 series NAS POTS line BRI line PSTN L2TP tunnel L2TP tunnel PRI 16747 Modem Cisco 776 Cisco 7246 home gateway 200 sessions Cisco 3640 home gateway 50 sessions PC IP network Configuring Resource Pool Management Configuration Examples for RPM DC-777 Cisco IOS Dial Technologies Configuration Guide The following is an example of VPDN load sharing between multiple HGW/LNSs: vpdn enable ! vpdn-group outgoing-2 request dialin protocol l2tp dnis ACME_dnis_numbers local name HQ-NAS initiate-to ip 172.16.1.9 loadsharing ip 172.16.1.9 limit 200 loadsharing ip 172.16.2.17 limit 50 backup ip 172.16.3.22 Configuring Resource Pool Management Configuration Examples for RPM DC-778 Cisco IOS Dial Technologies Configuration Guide DC-779 Cisco IOS Dial Technologies Configuration Guide Configuring Wholesale Dial Performance Optimization This chapter describes the Wholesale Dial Performance Optimization feature in the following sections: • Wholesale Dial Performance Optimization Feature Overview • How to Configure Automatic Command Execution • How to Configure TCP Clear Performance Optimization • Verifying Configuration of TCP Clear Performance Optimization Note This task provides inbound and outbound performance optimization for wholesale dial customers who provide ports to America Online (AOL). It is configured only on Cisco AS5800 access servers. Wholesale Dial Performance Optimization Feature Overview Both the inbound and outbound aspects of this feature are enabled using the autocommand-options telnet-faststream command. • Outbound—Provides stream processing, allowing the output data processing to occur at the interrupt level. Being event driven, this removes polling and process switching overhead. In addition, the flow control algorithm is enhanced to handle the higher volume of traffic and to eliminate some out-of-resource conditions that could result in abnormal termination of the session. • Inbound—Provides stream processing with the same improvements as for outbound traffic. Also, it removes scanning for special escape characters in the data stream; this is very process-intensive and is not required for this application. (In other situations, the escape characters allow for a return to the privileged EXEC mode prompt (#) on the router.) In addition, Nagle’s algorithm is used to form the inbound data stream into larger packets, thus minimizing packet-processing overhead. This configuration is designed to provide more efficiency in the data transfers for AOL port suppliers who are using a Cisco network access server to communicate with a wholesale dial carrier. The Cisco AS5800 access server is required to support all dial-in lines supported by two complete T3 connections (that is, 1344 connections) running TCP Clear connections to an internal host. The desired average data throughput for these connections is 6 kbps outbound and 3 kbps inbound. When using the autocommand-options telnet-faststream command, no special character processing, including break recognition, is performed on incoming data from the dial shelf. This requires the TCP Clear connection to run as the sole connection on the TTY line. This sole connection is terminated by TTY line termination or TCP connection termination, with no EXEC session capability for the user. This Configuring Wholesale Dial Performance Optimization How to Configure Automatic Command Execution DC-780 Cisco IOS Dial Technologies Configuration Guide has been implemented by specifying a new autocommand-options telnet-faststream command that, in conjunction with the autocommand telnet command with the /stream option, enables Telnet faststream processing. This capability is also available for TACACS/RADIUS attribute-value pair processing, because this processing uses the autocommand facility. How to Configure Automatic Command Execution The following are three options for configuring the autocommand telnet /stream line configuration command: • Automatic command execution can be configured on the lines. • Automatic command execution can be configured using user ID and password. • Automatic command execution can also be configured at a TACACS/RADIUS server, if the username authentication is to be performed there, rather than on the router. To configure automatic command execution on the lines of a Cisco AS5800 universal network access server, use the following commands beginning in global configuration mode: To configure automatic command execution using a user ID and password on a Cisco AS5800 universal network access server, use the following commands beginning in global configuration mode: You can also configure automatic command execution at a TACACS/RADIUS server if the username authentication is to be performed there rather than on the router. The AV-pair processing allows autocommand to be configured. How to Configure TCP Clear Performance Optimization To enable TCP Clear performance optimization, automatic command execution must be configured to enable Telnet faststream capability. To implement TCP Clear performance optimization on a Cisco AS5800 universal network access server, use the following commands beginning in global configuration mode: Command Purpose Step 1 Router(config)# line 1/3/00 1/11/143 Selects the lines to be configured and begins line configuration mode. Step 2 Router(config-line)# autocommand telnet aol-host 5190 /stream Configures autocommand on the lines. Command Purpose Step 1 Router(config)# username aol password aol Defines the user ID and password. Step 2 Router(config)# username aol autocommand telnet aol-host 5190 /stream Configures autocommand on the user ID. Configuring Wholesale Dial Performance Optimization Verifying Configuration of TCP Clear Performance Optimization DC-781 Cisco IOS Dial Technologies Configuration Guide Verifying Configuration of TCP Clear Performance Optimization To check for correct configuration, use the show line command. In the following example, Telnet faststream is enabled under “Capabilities”. Router# show line 1/4/00 Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int * 1/4/00 Digital modem - inout - - - 1 0 0/0 - Line 1/4/00, Location: "", Type: "" Length: 24 lines, Width: 80 columns Status: PSI Enabled, Ready, Connected, Active, No Exit Banner Modem Detected Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out Modem Callout, Modem RI is CD, Line usable as async interface Hangup on Last Close, Modem Autoconfigure, Telnet Faststream Modem state: Ready Modem hardware state: CTS DSR DTR RTS modem=1/4/00, vdev_state(0x00000000)=CSM_OC_STATE, bchan_num=(T1 1/2/0:7:20) vdev_status(0x00000001): VDEV_STATUS_ACTIVE_CALL. Group codes: 0, Modem Configured Special Chars: Escape Hold Stop Start Disconnect Activation ^^x none - - none Timeouts: Idle EXEC Idle Session Modem Answer Session Dispatch never never none not set Idle Session Disconnect Warning never Login-sequence User Response 00:00:30 Autoselect Initial Wait not set Modem type is 9600. Session limit is not set. Time since activation: never Editing is enabled. History is enabled, history size is 10. DNS resolution in show commands is enabled Full user help is disabled Allowed transports are telnet. Preferred is lat. Automatically execute command "telnet 10.100.254.254 2145 /stream" No output characters are padded Command Purpose Step 1 Router(config)# line 1/3/00 1/11/143 Selects the lines to be configured and begins line configuration mode. Step 2 Router(config-line)# autocommand telnet-faststream Enables the TCP Clear performance optimization on the selected lines. Configuring Wholesale Dial Performance Optimization Verifying Configuration of TCP Clear Performance Optimization DC-782 Cisco IOS Dial Technologies Configuration Guide Dial Access Scenarios DC-785 Cisco IOS Dial Technologies Configuration Guide Dial Networking Business Applications This chapter provides an introduction to common dial networking scenarios used by service providers and enterprises and includes the following sections: • Dial Networking for Service Providers and Enterprises • Common Dial Applications • IP Address Strategies Providing dial access means to set up one or more access servers or routers to allow on-demand connectivity for individual remote nodes or remote offices. The dial network solutions described in this chapter are based on business case scenarios. Depending on your business application, dial access has different implementations. Dial Networking for Service Providers and Enterprises Service providers tend to supply public and private dial-in services for businesses or individual home users. Enterprises tend to provide private dial-in access for employees dialing in from remote LANs (such as a remote office) or individual remote nodes (such as a telecommuter). Additionally, there are hybrid forms of dial access—virtual private dialup networks (VPDNs)—that are jointly owned, operated, and set up by both service providers and enterprises. Figure 110 displays a common dial topology used by an Internet service provider (ISP). The central dial-in site is owned and controlled by the ISP, who only accepts dial-in calls. Enterprises and individual remote clients have no administrative control over the point of presence (POP) of the ISP. Note Many additional dial network strategies exist for different business applications. This overview is intended to provide only a sample of the most common dial business needs as experienced by the Cisco dial escalation team. Dial Networking Business Applications Dial Networking for Service Providers and Enterprises DC-786 Cisco IOS Dial Technologies Configuration Guide Figure 110 Sample Dial Network for an ISP Enterprises can provide bidirectional access services with remote LANs and one-way dial-in access for standalone remote nodes. Bidirectional access means that remote LANs can dial in to the enterprise, and the enterprise can dial out to the remote LANs. A remote LAN can be a large remote office or a small home office. A standalone remote node can be an individual PC that is dynamically assigned an IP address from the modem pool of the enterprise. In most cases, an enterprise has complete administrative control over its local and remote devices. (See Figure 111.) Internet access ISDN or analog network provided by telephone company Internet service provider for remote nodes and remote LANs Large business LAN dialing in to the Internet Standalone remote node dialing in to the Internet S6555 Dial Networking Business Applications Dial Networking for Service Providers and Enterprises DC-787 Cisco IOS Dial Technologies Configuration Guide Figure 111 Sample Dial Network for an Enterprise Service providers and enterprises both benefit from a hybrid dial solution called VPDN. Service providers offer virtually private access to enterprises by providing the dial-in access devices for the enterprise to use (for example, access servers and modem pools). In this solution, service providers construct the networking fabric for city-to-city dial connectivity for the enterprise. Enterprises provide only a home gateway router (with no attached modems) and a WAN connection to their service provider. VPDN dial solutions enable the enterprise to continue to maintain complete administrative control over its remote locations and network resource privileges. (See Figure 112.) Enterprise resources such as file servers and e-mail hosts ISDN or analog network provided by telephone company Corporate headquarters dialing out to remote offices and allowing dial-in from remote nodes and home offices Home office dialing in to headquarters with a Cisco 766, Cisco 1600 series, or terminal adapter Remote node telecommuter dialing in to headquarters Remote office using a Cisco 4500 series Remote office dialing in to headquarters Headquarters dialing out to remote office S6554 Dial Networking Business Applications Common Dial Applications DC-788 Cisco IOS Dial Technologies Configuration Guide Figure 112 Sample VPDN for Service Providers and Enterprises Common Dial Applications The hardware and software configuration designs for dial networks are derived from business operations needs. This section describes several of the most common business dial scenarios that Cisco Systems is supporting for basic IP and security services. Refer to the scenario that best describes your business or networking needs: • The following dial scenarios are commonly used by service providers. For detailed description and configuration information, see the chapter “Telco and ISP Dial Scenarios and Configurations” later in this manual. – Scenario 1, Small- to Medium-Scale POPs (one or two access servers at the central dial-in site) – Scenario 2, Large-Scale POPs (more than two access servers at the central dial-in site, Multichassis Multilink PPP or MMP) – Scenario 3, PPP Calls over X.25 Networks • The following dial scenarios are commonly used by enterprises. For detailed description and configuration information, see the chapter “Enterprise Dial Scenarios and Configurations.” – Scenario 1, Remote Offices and Telecommuters Dialing In to a Central Site – Scenario 2, Bidirectional Dial Between Central Sites and Remote Offices – Scenario 3, Telecommuters Dialing In to a Mixed Protocol Environment S6556 Cisco 4500 home gateway for 0com.com IP network Cisco 7200 home gateway for cisco.com Cisco 2501 home gateway for descend.com T1 ATM Firewall Firewall Firewall Terminal adapter Service provider leasing access servers and large modem pools out to enterprise customers PRI HSSI BRI Analog T3 Telecommuter making a modem call in to cisco.com ISDN or analog network provided by telephone company Dial Networking Business Applications IP Address Strategies DC-789 Cisco IOS Dial Technologies Configuration Guide IP Address Strategies Exponential growth in the remote access router market has created new addressing challenges for ISPs and enterprise users. Companies that use dial technologies seek addressing solutions that will: • Minimize Internet access costs for remote offices • Minimize configuration requirements on remote access routers • Enable transparent and dynamic IP address allocation for hosts in remote environments • Improve network security capabilities at each remote small office, home office site • Conserve registered IP addresses • Maximize IP address manageability Remote networks have variable numbers of end systems that need access to the Internet; therefore, some ISPs are interested in allocating just one IP address to each remote LAN. In enterprise networks where telecommuter populations are increasing in number, network administrators need solutions that ease configuration and management of remote routers and provide conservation and dynamic allocation of IP addresses within their networks. These solutions are especially important when network administrators implement large dial-up user pools where ISDN plays a major role. Choosing an Addressing Scheme Use an IP addressing scheme that is appropriate for your business scenario as described in the following sections: • Classic IP Addressing • Cisco Easy IP Additionally, here are some addressing issues to keep in mind while you evaluate different IP address strategies: • How many IP addresses do you need? • Do you want remote clients to dial in to your network and connect to server-based services, which require statically assigned IP addresses? • Is your primary goal to provide Internet services to a network (for example, surfing the web, downloading e-mail, using TCP/IP applications)? • Can you conduct business with only a few registered IP addresses? • Do you need a single contiguous address space, or can you function with two non-contiguous address spaces? Classic IP Addressing This section describes two classic IP addressing strategies that you can use to set up dial-in access. Classic IP addresses are statically or dynamically assigned from your network to each site router or dial-in client. The IP address strategy you use depends on whether you are allowing remote LANs or individual remote clients to dial in. Dial Networking Business Applications IP Address Strategies DC-790 Cisco IOS Dial Technologies Configuration Guide A remote LAN usually consists of a single router at the gateway followed by multiple nodes such as 50 PCs. The IP address on the gateway router is fixed or statically assigned (for example, 3.3.3.3). This device always uses the address 3.3.3.3 to dial in to the enterprise or service provider network. There is also a segment or subnet associated with the gateway router (for example, 2.1.1.0 255.255.255.0), which is defined by the dial-in security server. For individual remote clients dialing in, a specific range or pool of IP addresses is defined by the gateway access server and dynamically assigned to each node. When a remote node dials in, it receives an address from the specified address pool. This pool of addresses usually resides locally on the network access server. Whereas, the remote LANs have predefined or statically assigned addresses. The accompanying subnet is usually statically assigned too. (See Figure 113.) Figure 113 Classic IP Address Allocation Here are some advantages and disadvantages of manually assigning IP addresses: • Advantages – Web servers or Xservers can be stationed at remote locations. – Since addresses are members of your network, they are perfectly transparent. • Disadvantages – IP address assignments can be difficult to administer or manage. You may also need to use complicated subnetting configurations. – Statically assigned IP addresses use up precious address space. – Strong routing configuration skills are usually required. Cisco Easy IP Two of the key problems facing the Internet are depletion of IP address space and scaling in routing. The Cisco Easy IP feature combines Network Address Translation (NAT) and PPP/Internet Protocol Control Protocol (IPCP). This feature enables a Cisco router to automatically negotiate its own registered WAN Local address pool 10.1.1.1 10.1.1.2 10.1.1.3 10.1.1.4 10.1.1.5 User 760 10.3.3.3 10.2.1.0 255.255.255.0 Cisco AS5200 Cisco 760 PRI BRI ISDN or analog network Laptop 10.1.1.1 Laptop 10.1.1.2 Headquarters 10.2.1.0 10.3.3.3 PC PC TACACS+ server 56955 Dial Networking Business Applications IP Address Strategies DC-791 Cisco IOS Dial Technologies Configuration Guide interface IP address from a central server and allows all remote hosts to access the global Internet using this single registered IP address. Because Cisco Easy IP uses existing port-level multiplexed NAT functionality within the Cisco IOS software, IP addresses on the remote LAN are invisible to the Internet. Cisco Easy IP Component Technologies Cisco Easy IP solution is a scalable, standards-based, “plug-and-play” solution that comprises a combination of the following technologies: • NAT—Described in RFC 1631. NAT operates on a router that usually connects two or more networks together. Using Cisco Easy IP, at least one of these networks (designated as “inside” or “LAN”) is addressed with private (RFC 1918) addresses that must be converted into a registered address before packets are forwarded onto the other registered network (designated as “outside” or “WAN”). Cisco IOS software provides the ability to define one-to-one translations (NAT) as well as many-to-one translations (Port Address Translation [PAT]). Within the context of Cisco Easy IP, PAT is used to translate all internal private addresses to a single outside registered IP address. • PPP/IPCP—Defined in RFC 1332. This protocol enables users to dynamically configure IP addresses over PPP. A Cisco Easy IP router uses PPP/IPCP to dynamically negotiate its own WAN interface address from a central access server or DHCP server. Figure 114 shows an example of how Cisco Easy IP works. A range of registered or unregistered IP addresses are used inside a company’s network. When a dial-up connection is initiated by an internal node, the router uses the Cisco Easy IP feature to rewrite the IP header belonging to each packet and translate the private address into the dynamically assigned and registered IP address, which could be borrowed from a service provider. Figure 114 Translating and Borrowing IP Addresses For a more detailed description of how Cisco Easy IP works, see the chapter “Configuring Cisco Easy IP.” PC PC ISDN network ISDN BRI Inside Outside 10.0.0.2 10.0.0.2 10.0.0.3 172.29.2.1: 4011 172.29.2.1: 4012 10.0.0.3 Inside interface 10.0.0.1 Outside registered address borrowed from service provider 172.29.2.1 Service provider network DHCP server Outside Address Inside IP Address NAT table 54717 Dial Networking Business Applications IP Address Strategies DC-792 Cisco IOS Dial Technologies Configuration Guide Key Benefits of Using Cisco Easy IP The Cisco Easy IP feature provides the following benefits: • Reduces Internet access costs by using dynamically allocated IP addresses. Using dynamic IP address negotiation (PPP/IPCP) at each remote site substantially reduces Internet access costs. Static IP addresses cost more to purchase compared to dynamically allocated or rented IP addresses. Cisco Easy IP enables you to rent IP addresses. In addition, dynamically assigned IP addresses saves you time and money associated with subnet mask configuration tasks on hosts. It also eliminates the need to configure host IP addresses when moving from network to network. • Simplifies IP address management. Cisco Easy IP enables ISPs to allocate a single registered IP address to each remote LAN. Because only a single registered IP address is required to provide global Internet access to all users on an entire remote LAN, customers and ISPs can use their registered IP addresses more efficiently. • Conserves registered IP addresses. Suppose you want to connect to the Internet, but not all your hosts have globally unique IP addresses. NAT enables private IP internetworks that use nonregistered or overlapping IP addresses to connect to the Internet. NAT is configured on the router at the border of a stub domain (referred to as the inside network) and a public network such as the Internet (referred to as the outside network). The private addresses you set up on the inside of your network translate in to a single registered IP addresses on the outside of your network. • Provides remote LAN IP address privacy. Because Cisco Easy IP uses existing port-level multiplexed NAT functionality within Cisco IOS software, IP addresses on the remote LAN are invisible to the Internet, making the LAN inherently more secure. As seen by the external network, the source IP address of all traffic from the remote LAN is the single registered IP address of the WAN interface for the Cisco Easy IP router. DC-793 Cisco IOS Dial Technologies Configuration Guide Enterprise Dial Scenarios and Configurations This chapter provides sample configurations for specific dial scenarios used by enterprise networks (not telephone companies or Internet service providers). Each configuration is designed to support IP network traffic with basic security for the specified scenario. The following scenarios are described: • Scenario 1—Remote Offices and Telecommuters Dialing In to a Central Site • Scenario 2—Bidirectional Dial Between Central Sites and Remote Offices • Scenario 3—Telecommuters Dialing In to a Mixed Protocol Environment Note If you use Token card-based security in your dial network, we recommend that you enable Password Authentication Protocol (PAP) authentication and disable the Multilink protocol to maximize dial-in performance. Remote User Demographics Employees stationed in remote offices or disparate locations often dial in to central sites or headquarter offices to download or upload files and check e-mail. These employees often dial in to the corporate network from a remote office LAN using ISDN or from another location such as a hotel room using a modem. The following remote enterprise users typically dial in to enterprise networks: • Full-time telecommuters—Employees using stationary workstations to dial in from a small office, home office (SOHO), making ISDN connections with terminal adapters or PC cards through the public telephone network, and operating at higher speeds over the network, which rules out the need for a modem. • Travelers—Employees such as salespeople that are not in a steady location for more than 30 percent of the time usually dial in to the network with a laptop and modem through the public telephone network, and primarily access the network to check E-mail or transfer a few files. • Workday extenders—Employees that primarily work in the company office, occasionally dial in to the enterprise with a mobile or stationary workstation plus modem, and primarily access the network to check E-mail or transfer a few files. Enterprise Dial Scenarios and Configurations Demand and Scalability DC-794 Cisco IOS Dial Technologies Configuration Guide Demand and Scalability You need to evaluate scalability and design issues before you build a dial enterprise network. As the number of company employees increases, the number of remote users who need to dial in increases. A good dial solution scales upward as the demand for dial-in ports grows. For example, it is not uncommon for a fast-growing enterprise to grow from a demand of 100 modems to 250 modems in less than one year. You should always maintain a surplus of dial-in ports to accommodate company growth and occasional increases in access demand. In the early stages of a fast-growing company that has 100 modems installed for 6000 registered remote users, only 50 to 60 modems might be active at the same time. As demand grows over one year, 250 modems might be installed to support 10,000 registered token card holders. During special company occasions, such as worldwide conventions, demand for remote access can also increase significantly. During such activities, dial-in lines are used heavily throughout the day and evening by remote sales people using laptops to access E-mail and share files. This behavior is indicative of sales people working away from their home territories or sales offices. Network administrators need to prepare for these remote access bursts, which cause significant increases for remote access demand. Remote Offices and Telecommuters Dialing In to a Central Site Remote office LANs typically dial in to other networks using ISDN. Remote offices that use Frame Relay require a more costly dedicated link. Connections initiated by remote offices and telecommuters are brought up on an as-needed basis, which results in substantial cost savings for the company. In dial-on-demand scenarios, users are not connected for long periods of time. The number of remote nodes requiring access is relatively low, and the completion time for the dial-in task is short. Central sites typically do not dial out to the remote LANs. Instead, central sites respond to calls. Remote sites initiate calls. For example, a field sales office might use ISDN to dial in to and browse a central site’s intranet. Additionally a warehouse comprising five employees can use ISDN to log in to a remote network server to download or upload product order information. For an example of bidirectional dialing, see the section “Bidirectional Dial Between Central Sites and Remote Offices” later in this chapter. Note Dial-on-demand routing (DDR) uses static routes or snapshot routing. For IP-only configurations, static routes are commonly used for remote dial-in. For Internet Protocol Exchange (IPX) networking, snapshot routing is often used to minimize configuration complexity. Network Topologies Figure 115 shows an example of a remote office that places digital calls in to a central site network. The remote office router can be any Cisco router with a BRI physical interface, such as a Cisco 766 or Cisco 1604 router. The central office gateway router can be any Cisco router that supports PRI connections, such as a Cisco 3600 series, Cisco 4000 series, or Cisco 7000 series router. Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-795 Cisco IOS Dial Technologies Configuration Guide Figure 115 Remote Office Dialing In to a Central Site Figure 116 shows an example of a remote office and telecommuter dialing in to a central site. The remote office places digital calls. The telecommuter places analog calls. The remote office router can be any Cisco router with a BRI interface, such as a Cisco 766, Cisco 1604, or Cisco 2503 router. The central office gateway router is a Cisco AS5300 series access server or a Cisco 3640 router, which supports both PRI and analog connections. Figure 116 Remote Office and Telecommuter Dialing In to a Central Site Dial-In Scenarios The configuration examples in the following sections provide different combinations of dial-in scenarios, which can be derived from Figure 115 and Figure 116: • Cisco 1604 Remote Office Router Dialing In to a Cisco 3620 Access Router • Remote Office Router Dialing In to a Cisco 3620 Router PC running Windows 95 and dialing in to the central site BRI Cisco 766 or 1604 dialing in to the central site S6692 ISDN telephone network PRI Central site IP network Cisco 3600, 4000, or 7000 series Remote office LAN Analog network Telecommuter dialing in to the central site with Windows 95 and a 28.8 internal modem PC running Windows 95 BRI Remote office LAN Cisco 766, 1604, or 2503 dialing in to the central office S6693 ISDN network PRI Central site IP network Cisco 3640 or Cisco AS5300 Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-796 Cisco IOS Dial Technologies Configuration Guide • Cisco 700 Series Router Using Port Address Translation to Dial In to a Cisco AS5300 Access Server • Cisco 3640 Central Site Router Configuration to Support ISDN and Modem Calls • Cisco AS5300 Central Site Configuration Using Remote Security Note Be sure to include your own IP addresses, host names, and security passwords where appropriate if you use these examples in your own network. Cisco 1604 Remote Office Router Dialing In to a Cisco 3620 Access Router This section provides a common configuration for a Cisco 1604 remote office router dialing in to a Cisco 3620 access router positioned at a central enterprise site. Only ISDN digital calls are supported in this scenario. No analog modem calls are supported. All calls are initiated by the remote router on an as-needed basis. The Cisco 3620 router is not set up to dial out to the Cisco 1604 router. (Refer to Figure 115.) The Cisco 1604 and Cisco 3620 routers use the IP unnumbered address configurations, MLP, and the dial-load threshold feature, which brings up the second B channel when the first B channel exceeds a certain limit. Because static routes are used, a routing protocol is not configured. A default static route is configured on the Cisco 1604 router, which points back to the central site. The central site also has a static route that points back to the remote LAN. Static route configurations assume that you have only one LAN segment at each remote office. Cisco 1604 Router Configuration The following configuration runs on the Cisco 1604 router, shown in Figure 115. This SOHO router places digital calls in to the Cisco 3620 central site access router. See the next example for the running configuration of the Cisco 3620 router. version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers ! hostname remotelan1 ! enable secret cisco ! username NAS password dialpass username admin password cisco isdn switch-type basic-5ess ! interface Ethernet0 ip address 10.2.1.1 255.255.255.0 ! interface BRI0 ip unnumbered Ethernet0 encapsulation ppp dialer map ip 10.1.1.10 name NAS 5551234 dialer load-threshold 100 either dialer-group 1 no fair-queue ppp authentication chap pap callin ppp multilink Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-797 Cisco IOS Dial Technologies Configuration Guide ! ip classless ip route 0.0.0.0 0.0.0.0 10.1.1.10 ip route 10.1.1.10 255.255.255.255 BRI0 dialer-list 1 protocol ip permit ! line con 0 line vty 0 4 login local ! end Cisco 3620 Router Configuration The following sample configuration runs on the Cisco 3620 router shown in Figure 115. This modular access router has one 2-port PRI network module installed in slot 1 and one 1-port Ethernet network module installed in slot 0. The router receives only digital ISDN calls from the Cisco 1604 router. The configuration for the Cisco 1604 router was provided in the previous example. version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers ! hostname NAS ! aaa new-model aaa authentication login default local aaa authentication login console enable aaa authentication login vty local aaa authentication login dialin local aaa authentication ppp default local aaa authentication ppp dialin if-needed local enable secret cisco ! username admin password cisco username remotelan1 password dialpass async-bootp dns-server 10.1.3.1 10.1.3.2 isdn switch-type primary-5ess ! controller T1 1/0 framing esf clock source line linecode b8zs pri-group timeslots 1-24 ! controller T1 1/1 framing esf clock source line linecode b8zs pri-group timeslots 1-24 ! interface Loopback0 ip address 10.1.2.254 255.255.255.0 ! interface Ethernet 0/0 ip address 10.1.1.10 255.255.255.0 ip summary address eigrp 10 10.1.2.0 255.255.255.0 ! Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-798 Cisco IOS Dial Technologies Configuration Guide interface Serial 1/0:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Serial 1/1:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Dialer0 ip unnumbered Loopback0 no ip mroute-cache encapsulation ppp peer default ip address pool dialin_pool dialer in-band dialer-group 1 no fair-queue no cdp enable ppp authentication chap pap dialin ppp multilink ! router eigrp 10 network 10.0.0.0 passive-interface Dialer0 default-metric 64 100 250 100 1500 redistribute static no auto-summary ! ip local pool dialin_pool 10.1.2.1 10.1.2.50 ip default-gateway 10.1.1.1 ip route 10.2.1.1 255.255.255.255 Dialer0 ip route 10.2.1.0 255.255.255.0 10.2.1.1 ip classless ! dialer-list 1 protocol ip permit ! line con 0 login authentication console line aux 0 login authentication console line vty 0 4 login authentication vty transport input telnet rlogin ! end Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-799 Cisco IOS Dial Technologies Configuration Guide Remote Office Router Dialing In to a Cisco 3620 Router This section provides a common configuration for a Cisco 700 or 800 series remote office router placing digital calls in to a Cisco 3620 router positioned at a central enterprise site. All calls are initiated by the remote router on an as-needed basis. The Cisco 3620 router is not set up to dial out to the remote office router. (See Figure 115.) Cisco 700 Series Router Configuration The following configuration task is for a Cisco 700 series ISDN router placing digital calls in to a central site router that supports ISDN PRI, such as the Cisco 3620 router. In this scenario, ISDN unnumbered interfaces with static routes are pointing back to the Cisco 3620. To configure the router, use the following commands in EXEC mode. However, this configuration assumes that you are starting from the router’s default configuration. To return the router to its default configuration, issue the set default command. Command Purpose Step 1 > > set systemname remotelan1 remotelan1> At the system prompt level, specifies the host name of the router, which is also used when responding to Challenge Handshake Authentication Protocol (CHAP) authentication with the Cisco 3620. For CHAP authentication, the system’s name must match the username configured on the Cisco 3620. Step 2 remotelan1> set ppp secret client remotelan1> Enter new password: dialpass remotelan1> Enter new password: dialpass Sets the transmit and receive password for the client. This is the password which is used in response to CHAP authentication requests, and it must match the username password configured on the Cisco 3620 router. Step 3 remotelan1> set encapsulation ppp Sets PPP encapsulation for incoming and outgoing authentication instead of CPP. Step 4 remotelan1> set ppp multilink on Enables Multilink PPP (MLP). Step 5 remotelan1> set user nas remotelan1> New user nas being created Creates the profile named nas, which is reserved for the Cisco 3620 router. Step 6 remotelan1:nas> set ip 0.0.0.0 Specifies the LAN IP address. The sequence 0.0.0.0 means that it will use the address assigned to it from the central Cisco 3620 router. See Step 14. Step 7 remotelan1:nas> set ip framing none Configures the profiles to not use Ethernet framing. Step 8 remotelan1:nas> set ip route destination 0.0.0.0 gateway 10.1.1.10 Sets the default route to point to the Ethernet IP address of the Cisco 3620 router. Step 9 remotelan1:nas> set timeout 300 Sets the idle time at which the B channel will be dropped. In this case, the line is dropped after 300 seconds of idle time. Step 10 remotelan1:nas> set 1/2 number 5551234 Sets the number to call when dialing out of the first and second B channel. Step 11 remotelan1:nas> cd lan Enters LAN profile mode. Step 12 remotelan1:LAN> set bridging off Turns bridging off. Step 13 remotelan1:LAN> set ip routing on Turns on IP routing. Step 14 remotelan1:LAN> set ip address 10.2.1.1 Sets the LAN IP address for the interface. Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-800 Cisco IOS Dial Technologies Configuration Guide After you configure the Cisco 760 or Cisco 770 series router, the final configuration should resemble the following: set systemname remotelan1 set ppp secret client set encapsulation ppp set ppp multilink on cd lan set bridging off set ip routing on set ip 10.2.1.1 set subnet 255.255.255.0 set user nas set bridging off set ip 0.0.0.0 set ip netmask 0.0.0.0 set ip framing none set ip route destination 0.0.0.0 gateway 10.1.1.10 set timeout 300 set 1 number 5551234 set 2 number 5551234 The previous software configuration does not provide for any access security. To provide access security, use the following optional commands in EXEC mode: Cisco 3620 Router Configuration The following example provides a sample configuration for the Cisco 3620 router. This modular access router has one 2-port PRI network module installed in slot 1 and one 1-port Ethernet network module installed in slot 0. The router receives only digital ISDN calls over T1 lines from the Cisco 700 series remote office router, which was described in the previous example. version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers hostname NAS ! aaa new-model aaa authentication login default local Command Purpose Router> set ppp authentication incoming chap Provides CHAP authentication to incoming calls. Router> set callerid Requires the calling parties number to be matched against the configured receive numbers (such as set by the set callidreceive # command). This command also denies all incoming calls if no callidreceive number is configured. Router> set remoteaccess protected Specifies a remote system password, which enables you to make changes on the router from a remote location. Router> set localaccess protected Specifies a local system password, which enables you to make changes on the router from a local console connection. Router> set password system Sets the system password for the previous access configurations. Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-801 Cisco IOS Dial Technologies Configuration Guide aaa authentication login console enable aaa authentication login vty local aaa authentication login dialin local aaa authentication ppp default local aaa authentication ppp dialin if-needed local enable secret cisco ! username admin password cisco username remotelan1 password dialpass ! async-bootp dns-server 10.1.3.1 10.1.3.2 isdn switch-type primary-5ess ! controller T1 1/0 framing esf clock source line linecode b8zs pri-group timeslots 1-24 ! controller T1 1/1 framing esf clock source line linecode b8zs pri-group timeslots 1-24 ! interface Loopback0 ip address 10.1.2.254 255.255.255.0 ! interface Ethernet 0/0 ip address 10.1.1.10 255.255.255.0 ip summary address eigrp 10 10.1.2.0 255.255.255.0 ! interface Serial 1/0:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Serial 1/1:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Dialer0 ip unnumbered Loopback0 no ip mroute-cache encapsulation ppp peer default ip address pool dialin_pool dialer in-band dialer-group 1 no fair-queue no cdp enable ppp authentication chap pap dialin ppp multilink ! Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-802 Cisco IOS Dial Technologies Configuration Guide router eigrp 10 network 10.0.0.0 passive-interface Dialer0 default-metric 64 100 250 100 1500 redistribute static no auto-summary ! ip local pool dialin_pool 10.1.2.1 10.1.2.50 ip default-gateway 10.1.1.1 ip route 10.2.1.1 255.255.255.255 Dialer0 ip route 10.2.1.0 255.255.255.0 10.2.1.1 ip classless ! dialer-list 1 protocol ip permit ! line con 0 login authentication console line aux 0 login authentication console line vty 0 4 login authentication vty transport input telnet rlogin ! end Cisco 700 Series Router Using Port Address Translation to Dial In to a Cisco AS5300 Access Server This section shows a Cisco 700 series router using the port address translation (PAT) feature to dial in to a Cisco AS5300 central site access server. IP addresses are assigned from the central site, which leverages the PAT feature to streamline multiple devices at the remote site through a single assigned address. In this example, the Cisco 700 series router has a private range of IP addresses used on the Ethernet side. However, the router is able to translate between the local private addresses and the dynamically registered address on the WAN interface. (See Figure 115.) Cisco 700 Series Configuration The sample configuration in this section allows PCs on a LAN to boot up and acquire their IP address dynamically from a Cisco 700 series router, which in turn translates the private addresses into a single IP address assigned from a Cisco AS5300 central site router. The Cisco 700 series router also passes information via DHCP regarding the Domain Name System (DNS) server (in this example, 10.2.10.1) and the Windows Internet naming service (WINS) server (in this example, 10.2.11.1) along with the domain name. A possible sequence of events would be a remote PC running Windows 95 boots up on the Ethernet segment and gets its IP address and network information from the Cisco 700 series router. The PC then opens up Netscape and attempts to view a web page at the central site, which causes the router to dial in to the central site. The router dynamically obtains its address from the central site pool of addresses and uses it to translate between the private address on the local Ethernet segment and the registered IP address borrowed from the central site router. Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-803 Cisco IOS Dial Technologies Configuration Guide To configure a remote router, use the following commands beginning in EXEC mode: After you configure the router, the configuration should resemble the following: set systemname remotelan1 set encapsulation ppp set ppp secret client set ppp multilink on set dhcp server set dhcp dns primary 10.2.10.1 set dhcp wins 10.2.11.1 set dhcp domain nas.com set user nas set bridging off Command Purpose Step 1 > > set systemname remotelan1 Router> At the system prompt level, specifies the host name of the router, which is also used when responding to CHAP authentication with the Cisco 3620 router. For CHAP authentication, the system’s name must match the username configured on the Cisco 3620. Step 2 Router> set ppp secret client Router> Enter new password: dialpass Router> Enter new password: dialpass Sets the transmit and receive password for the client. This is the password which is used in response to CHAP authentication requests, and it must match the username password configured on the Cisco 3620 router. Step 3 Router> set encapsulation ppp Sets PPP encapsulation for incoming and outgoing authentication instead of CPP. Step 4 Router> set ppp multilink on Enables MLP. Step 5 Router> set dhcp server Enables the router to act as a DHCP server and assign addresses from the private network. By default, all DHCP client addresses are assigned from the 10.0.0.0 network. Step 6 Router> set dhcp dns primary 10.2.10.1 Passes the DNS server IP address to the DHCP client. Step 7 Router> set dhcp wins 10.2.11.1 Passes the IP address of the WINS server to the DHCP client. Step 8 Router> set dhcp domain nas.com Sets the DHCP domain name for the Cisco 3620 central site router. Step 9 Router> set user nas Router> New user nas being created Creates the profile named nas, which is setup for the Cisco 3620 router. Step 10 Router:nas> set ip pat on Enables Port Address Translation (PAT) on the router. Step 11 Router:nas> set ip framing none Configures the profiles to not use Ethernet framing. Step 12 Router:nas> set ip route destination 0.0.0.0 gateway 10.1.1.0 Sets the default route to point to the Ethernet IP address of Cisco 3620 router. Step 13 Router:nas> set 1 number 5551234 Sets the number to call when dialing out of the first B channel. Step 14 Router:nas> set 2 number 5551234 Sets the number to call when dialing out of the second B channel. Step 15 Router:nas> cd lan Enters LAN profile mode. Step 16 Router:LAN> set bridging off Turns bridging off. Step 17 Router:LAN> set ip routing on Turns IP routing on. Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-804 Cisco IOS Dial Technologies Configuration Guide set ip routing on set ip framing none set ip pat on set ip route destination 0.0.0.0 gateway 10.1.1.0 set 1 number 5551234 set 2 number 5551234 Cisco AS5300 Router Configuration The following example configures a Cisco AS5300 router for receiving calls from the router in the previous example. Note This configuration can also run on a Cisco 4000, Cisco 3600, or Cisco 7000 series router. However, the interface numbering scheme for these routers will be in the form of slot/port. Additionally, the clocking will be set differently. Refer to your product configuration guides and configuration notes for more details. ! version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers ! hostname NAS ! aaa new-model aaa authentication login default local aaa authentication login console enable aaa authentication login vty local aaa authentication login dialin local aaa authentication ppp default local aaa authentication ppp dialin if-needed local enable secret cisco ! username admin password cisco username remotelan1 password dialpass ! async-bootp dns-server 10.1.3.1 10.1.3.2 isdn switch-type primary-5ess ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf clock source line secondary linecode b8zs pri-group timeslots 1-24 ! interface Loopback0 ip address 10.1.2.254 255.255.255.0 ! Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-805 Cisco IOS Dial Technologies Configuration Guide interface Ethernet0 ip address 10.1.1.10 255.255.255.0 ip summary address eigrp 10 10.1.2.0 255.255.255.0 ! interface Serial0 no ip address shutdown ! interface Serial1 no ip address shutdown ! interface Serial0:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Serial1:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Dialer0 ip unnumbered Loopback0 no ip mroute-cache encapsulation ppp peer default ip address pool dialin_pool dialer in-band dialer-group 1 no fair-queue no cdp enable ppp authentication chap pap dialin ppp multilink ! router eigrp 10 network 10.0.0.0 passive-interface Dialer0 default-metric 64 100 250 100 1500 redistribute static no auto-summary ! ip local pool dialin_pool 10.1.2.1 10.1.2.50 ip default-gateway 10.1.1.1 ip route 10.2.1.1 255.255.255.255 Dialer0 ip route 10.2.1.0 255.255.255.0 10.2.1.1 ip classless ! dialer-list 1 protocol ip permit ! line con 0 login authentication console line aux 0 login authentication console Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-806 Cisco IOS Dial Technologies Configuration Guide line vty 0 4 login authentication vty transport input telnet rlogin ! end In this configuration, the local pool is using a range of unused addresses on the same subnet on which the Ethernet interface is configured. The addresses will be used for the remote devices dialing in to the Cisco AS5300 access server. Cisco 3640 Central Site Router Configuration to Support ISDN and Modem Calls The following configuration allows remote LANs and standalone remote users with modems to dial in to a central site. Figure 116 shows the network topology. The Cisco 3640 router has the following hardware configuration for this scenario: • One 2-port ISDN-PRI network module installed in slot 1. • One digital modem network module installed in slot 2 and slot 3. • One 1-port Ethernet network module installed in slot 0. Note Each MICA technologies digital modem card has its own group async configuration. Additionally, a single range of asynchronous lines is used for each modem card. For additional interface numbering information, refer to the document Digital Modem Network Module Configuration Note. version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers ! hostname NAS ! aaa new-model aaa authentication login default local aaa authentication login console enable aaa authentication login vty local aaa authentication login dialin local aaa authentication ppp default local aaa authentication ppp dialin if-needed local enable secret cisco ! username admin password cisco username remotelan1 password dialpass1 username remotelan2 password dialpass2 username PCuser1 password dialpass3 username PCuser2 password dialpass4 ! async-bootp dns-server 10.1.3.1 10.1.3.2 isdn switch-type primary-5ess ! controller T1 1/0 framing esf clock source line linecode b8zs pri-group timeslots 1-24 ! Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-807 Cisco IOS Dial Technologies Configuration Guide controller T1 1/1 framing esf clock source line linecode b8zs pri-group timeslots 1-24 ! interface Loopback0 ip address 10.1.2.254 255.255.255.0 ! interface Ethernet0/0 ip address 10.1.1.10 255.255.255.0 ip summary address eigrp 10 10.1.2.0 255.255.255.0 ! interface Serial 1/0:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Serial 1/1:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Group-Async1 ip unnumbered Loopback0 encapsulation ppp async mode interactive peer default ip address pool dialin_pool no cdp enable ppp authentication chap pap dialin group-range 65 88 ! interface Group-Async2 ip unnumbered Loopback0 encapsulation ppp async mode interactive peer default ip address pool dialin_pool no cdp enable ppp authentication chap pap dialin group-range 97 120 ! interface Dialer0 ip unnumbered Loopback0 no ip mroute-cache encapsulation ppp peer default ip address pool dialin_pool dialer in-band dialer-group 1 no fair-queue no cdp enable ppp authentication chap pap dialin ppp multilink ! Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-808 Cisco IOS Dial Technologies Configuration Guide router eigrp 10 network 10.0.0.0 passive-interface Dialer0 no auto-summary ! ip local pool dialin_pool 10.1.2.1 10.1.2.50 ip default-gateway 10.1.1.1 ip classless ! dialer-list 1 protocol ip permit ! line con 0 login authentication console line 65 88 autoselect ppp autoselect during-login login authentication dialin modem DialIn line 97 120 autoselect ppp autoselect during-login login authentication dialin modem DialIn line aux 0 login authentication console line vty 0 4 login authentication vty transport input telnet rlogin ! end Cisco AS5300 Central Site Configuration Using Remote Security The previous examples in this section configured static CHAP authentication on the central router using the username command. A more common configuration to support modem and ISDN calls on a single chassis is to use the AAA security model and an external security server at the central site. We recommend that you have a solid understanding of basic security principles and the AAA model before you set up this configuration. For more information about security, see the Cisco IOS Security Configuration Guide. Central Site Cisco AS5300 Configuration Using TACACS+ Authentication The following example assumes that you are running TACACS+ on the remote security server: version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers ! hostname NAS ! aaa new-model aaa authentication login console enable aaa authentication login vty tacacs+ aaa authentication login dialin tacacs+ aaa authentication ppp default tacacs+ aaa authentication ppp dialin if-needed tacacs+ enable secret cisco ! Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-809 Cisco IOS Dial Technologies Configuration Guide async-bootp dns-server 10.1.3.1 10.1.3.2 isdn switch-type primary-5ess ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf clock source line secondary linecode b8zs pri-group timeslots 1-24 ! interface Loopback0 ip address 10.1.2.254 255.255.255.0 ! interface Ethernet0 ip address 10.1.1.10 255.255.255.0 ip summary address eigrp 10 10.1.2.0 255.255.255.0 ! interface Serial0 no ip address shutdown ! interface Serial1 no ip address shutdown ! interface Serial0:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Serial1:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Group-Async1 ip unnumbered Loopback0 encapsulation ppp async mode interactive peer default ip address pool dialin_pool no cdp enable ppp authentication chap pap dialin group-range 1 48 ! interface Dialer0 ip unnumbered Loopback0 no ip mroute-cache encapsulation ppp peer default ip address pool dialin_pool dialer in-band dialer-group 1 Enterprise Dial Scenarios and Configurations Remote Offices and Telecommuters Dialing In to a Central Site DC-810 Cisco IOS Dial Technologies Configuration Guide no fair-queue no cdp enable ppp authentication chap pap dialin ppp multilink ! router eigrp 10 network 10.0.0.0 passive-interface Dialer0 redistribute static default-metric 64 100 250 100 1500 no auto-summary ! ip local pool dialin_pool 10.1.2.1 10.1.2.50 ip default-gateway 10.1.1.1 ip classless ! dialer-list 1 protocol ip permit ! line con 0 login authentication console line 1 48 autoselect ppp autoselect during-login login authentication dialin modem DialIn line aux 0 login authentication console line vty 0 4 login authentication vty transport input telnet rlogin end TACACS+ Security Server Entry The following example can be configured on a remote TACACS+ security server, which complements the Cisco AS5300 access server configuration listed in the previous example: user = remotelan1 { chap = cleartext "dialpass1" service = ppp protocol = ip { addr = 10.2.1.1 route = "10.2.1.0 255.255.255.0" } } user = PCuser1 { login = cleartext "dialpass2" chap = cleartext "dialpass2" service = ppp protocol = ip { addr-pool = dialin_pool } service = exec { autocmd = "ppp negotiate" } } user = PCuser2 { login = cleartext "dialpass3" chap = cleartext "dialpass3" service = ppp protocol = ip { addr-pool = dialin_pool } Enterprise Dial Scenarios and Configurations Bidirectional Dial Between Central Sites and Remote Offices DC-811 Cisco IOS Dial Technologies Configuration Guide service = exec { autocmd = "ppp negotiate" } Bidirectional Dial Between Central Sites and Remote Offices Sometimes a gateway access server at headquarters is required to dial out to a remote site while simultaneously receiving incoming calls. This type of network is designed around a specific business support model. Dial-In and Dial-Out Network Topology Figure 117 shows a typical dial-in and dial-out network scenario, which amounts to only 25 percent of all dial topologies. The Cisco AS5300 access server at headquarters initiates a connection with a Cisco 1604 router at remote office 1. After a connection is established, the file server at the remote site (shown as Inventory child host) runs a batch processing application with the mainframe at headquarters (shown as Inventory totals parent host). While files are being transferred between remote office 1 and headquarters, remote office 2 is successfully dialing in to headquarters. Figure 117 Headquarters Configured for Dial-In and Dial-out Networking PRI BRI BRI PRI Inventory totals parent host PC responding to dial-out calls from headquarters PC dialing in to headquarters PC running Windows 95 Digital phone Dial-in Dial-out Headquarters Cisco AS5200 configured for dial-in and dial-out calling ISDN Analog ISDN Analog S6550 Cisco 1604 Inventory child host Remote office #1 responding to dial-out calls from headquarters Remote office #2 initiating calls into headquarters Cisco 1604 Enterprise Dial Scenarios and Configurations Bidirectional Dial Between Central Sites and Remote Offices DC-812 Cisco IOS Dial Technologies Configuration Guide There are some restrictions for dial-out calling. Dial-out analog and digital calls are commonly made to remote ISDN routers, such as the Cisco 1604 router. On the whole, dial out calls are not made from a central site router to a remote PC but rather from a remote PC in to the central site. However, central site post offices often call remote office routers on demand to deliver E-mail. Callback is enabled on dial-in scenarios only. The majority of a dial out software configuration is setup on the router at headquarters, not the remote office router. Dialing out to a stack group of multiple chassis is not supported by Cisco IOS software. Note that Multichassis Multilink PPP (MMP) and virtual private dialup networks (VPDNs) are dial-in only solutions. Dialer Profiles and Virtual Profiles Profiles are set up to discriminate access on a user-specific basis. For example, if the chief network administrator is dialing in to the enterprise, a unique user profile can be created with an idle timeout of one year, and universal access privileges to all networks in the company. For less fortunate users, access can be restricted to an idle timeout of 10 seconds and network connections setup for only a few addresses. Depending on the size and scope of your dial solution, you can set up two different types of profiles: dialer profiles or virtual profiles. Dialer profiles are individual user profiles set up on routers or access servers in a small-scale dial solution. This type of profile is configured locally on the router and is limited by the number of interfaces that exist on the router. When an incoming call comes into the dial pool, the dialer interface binds the caller to a dialer profile via the caller ID or the caller name. Figure 118 shows an example of how dialer profiles can be used when: • You need to bridge over multiple ISDN channels. • You want to use ISDN to back up a WAN link, but still have the ISDN interface available during those times that the WAN link is up. • A security server, such as a AAA TACACS or RADIUS server, is not available for use. Note For more information about dialer profiles, see the chapters “Configuring Peer-to-Peer DDR with Dialer Profiles” and “Configuring Dial Backup with Dialer Profiles.” Figure 118 Dial-In Scenario for Dialer Profiles S6818 PRI BRI BRI Remote office network Cisco 1600 series router configured without dialer profiles Cisco 1600 series router configured without dialer profiles Cisco AS5200 configured with one dialer profile for each Cisco 1600 remote office router Headquarter network Remote office network ISDN telephone network Enterprise Dial Scenarios and Configurations Bidirectional Dial Between Central Sites and Remote Offices DC-813 Cisco IOS Dial Technologies Configuration Guide Virtual profiles are user-specific profiles for large-scale dial solutions; however, these profiles are not manually configured on each router or access server. A virtual profile is a unique PPP application that can create and configure a virtual access interface dynamically when a dial-in call is received, and tear down the interface dynamically when the call ends. The configuration information for a virtual access interface in a virtual profile can come from the virtual template interface, or from user-specific configuration information stored on an AAA server, or both. The virtual profile user-specific configuration stored on the AAA server is identified by the authentication name for the call-in user. (That is, if the AAA server authenticates the user as samson, the user-specific configuration is listed under samson in the AAA user file.) The virtual profile user-specific configuration should include only the configuration that is not shared by multiple users. Shared configuration should be placed in the virtual template interface, where it can be cloned on many virtual access interfaces as needed. AAA configurations are much easier to manage for large numbers of dial-in users. Virtual profiles can span across a group of access servers, but a AAA server is required. Virtual profiles are set up independently of which access server, interface, or port number users connect to. For users that share duplicate configuration information, it is best to enclose the configuration in a virtual template. This requirement eliminates the duplication of commands in each of the user records on the AAA server. The user-specific AAA configuration used by virtual profiles is interface configuration information and downloaded during link control protocol (LCP) negotiations. Another feature, called per-user configuration, also uses configuration information gained from a AAA server. However, per-user configuration uses network configuration (such as access lists and route filters) downloaded during NCP negotiations. Figure 119 shows an example of how virtual profiles are used: • A large-scale dial-in solution is available, which includes many access servers or routers (for example, three or more devices stacked together in an MMP scenario). • Discrimination between large numbers of users is needed. • Setup and maintenance of a user profile for each dial-in user on each access server or router is much too time consuming. • A security server, such as a AAA TACACS or RADIUS server, is available for use. Note For a virtual profile configuration example, see the section “Large-Scale Dial-In Configuration Using Virtual Profiles” later in this chapter. For more information about virtual profiles, see the chapters “Configuring Virtual Profiles” and “Configuring Per-User Configuration” in this publication. Enterprise Dial Scenarios and Configurations Bidirectional Dial Between Central Sites and Remote Offices DC-814 Cisco IOS Dial Technologies Configuration Guide Figure 119 Dial-In Scenario for Virtual Profiles Running Access Server Configurations In most cases, dialer profiles are configured on access servers or routers that receive calls and must discriminate between users, such as many different remote routers dialing in. (See Figure 120.) Figure 120 Remote Cisco 1600s Dialing In to a Cisco AS5300 at the Central Site Access servers or routers that only place calls (not receive calls) do not need any awareness of configured dialer profiles. Remote routers do not need to discriminate on the basis of which device they are calling in to. For example, if multiple Cisco 1600 series routers are dialing in to one Cisco AS5300 access Headquarters network S6816 AAA TACACS+ security server configured with user-profile information Cisco AS5200s getting user-profile information from the AAA security server PRI PRI PRI Hunt group telephone number 555-1234 ISDN telephone network 100 remote offices reporting to headquarters with 100 Cisco 1600 series routers S6817 PRI Cisco AS5200 receiving calls from Cisco 1600 series routers Headquarters network Cisco 1600 series remote office LAN Cisco 1600 series remote office LAN Cisco 1600 series remote office LAN ISDN telephone network Enterprise Dial Scenarios and Configurations Bidirectional Dial Between Central Sites and Remote Offices DC-815 Cisco IOS Dial Technologies Configuration Guide server, the Cisco 1600 series routers should not be configured with dialer profiles. The Cisco AS5300 access server should be configured with dialer profiles. Do not configure dialer profiles on devices that only make calls. The configurations examples in the following section are provided for different types of dial scenarios, which can be derived from Figure 117 through Figure 120: • Examples with dialer profiles: – Cisco AS5300 Access Server Configuration with Dialer Profiles – Cisco 1604 ISDN Router Configuration with Dialer Profiles – Cisco 1604 Router Asynchronous Configuration with Dialer Profiles • Examples without dialer profiles: – Cisco AS5300 Access Server Configuration Without Dialer Profiles – Cisco 1604 ISDN Router Configuration Without Dialer Profiles – Cisco 1604 Router Asynchronous Configuration Without Dialer Profiles • Large-Scale Dial-In Configuration Using Virtual Profiles Note Be sure to include your own IP addresses, host names, and security passwords where appropriate if configuring these examples in your network. Cisco AS5300 Access Server Configuration with Dialer Profiles The following bidirectional dial configuration runs on the Cisco AS5300 access server at headquarters in Figure 117. This configuration enables calls to be sent to the SOHO router and received from remote hosts and clients. The calling is bidirectional. version xx.x service udp-small-servers service tcp-small-servers ! hostname 5300 ! aaa new-model aaa authentication login default local aaa authentication login console enable aaa authentication login vty local aaa authentication login dialin local aaa authentication ppp default local aaa authentication ppp dialin if-needed local enable secret cisco ! username async1 password cisco username async2 password cisco username async3 password cisco username async4 password cisco username async5 password cisco username async6 password cisco username async7 password cisco username async8 password cisco username isdn1 password cisco username isdn2 password cisco username isdn3 password cisco username isdn4 password cisco username isdn5 password cisco Enterprise Dial Scenarios and Configurations Bidirectional Dial Between Central Sites and Remote Offices DC-816 Cisco IOS Dial Technologies Configuration Guide username isdn6 password cisco username isdn7 password cisco username isdn8 password cisco username DialupAdmin password cisco ! isdn switch-type primary-dms100 chat-script cisco-default ABORT ERROR "" "AT" OK "ATDT\T" TIMEOUT 60 CONNECT ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf clock source line secondary linecode b8zs pri-group timeslots 1-24 ! interface loopback 1 ip address 172.18.38.40 255.255.255.128 ! interface loopback 2 ip address 172.18.38.130 255.255.255.128 ! interface Ethernet0 ip address 172.18.39.40 255.255.255.0 no ip mroute-cache ip ospf priority 0 ! interface Serial0:23 no ip address no ip mroute-cache encapsulation ppp isdn incoming-voice modem dialer pool-member 2 ! interface Serial1:23 no ip address no ip mroute-cache encapsulation ppp isdn incoming-voice modem dialer pool-member 2 ! interface Group-Async1 no ip address no ip mroute-cache encapsulation ppp async mode interactive dialer in-band dialer pool-member 1 ppp authentication chap pap group-range 1 48 ! interface Dialer10 ip unnumbered loopback 1 encapsulation ppp peer default ip address dialin_pool dialer remote-name async1 dialer string 14085268983 dialer hold-queue 10 dialer pool 1 dialer-group 1 Enterprise Dial Scenarios and Configurations Bidirectional Dial Between Central Sites and Remote Offices DC-817 Cisco IOS Dial Technologies Configuration Guide ppp authentication pap chap callin ppp pap sent-username DialupAdmin password 7 07063D11542 ! interface Dialer11 ip unnumbered loopback 1 encapsulation ppp no peer default ip address pool dialer remote-name async2 dialer string 14085262012 dialer hold-queue 10 dialer pool 1 dialer-group 1 ppp authentication pap chap callin ppp pap sent-username DialupAdmin password 7 07063D11542 ! interface Dialer12 ip unnumbered loopback 1 encapsulation ppp no peer default ip address pool dialer remote-name async3 dialer string 14085260706 dialer hold-queue 10 dialer pool 1 dialer-group 1 ppp authentication pap chap callin ppp pap sent-username DialupAdmin password 7 07063D11542 ! interface Dialer13 ip unnumbered loopback 1 encapsulation ppp no peer default ip address pool dialer remote-name async4 dialer string 14085262731 dialer hold-queue 10 dialer pool 1 dialer-group 1 ppp authentication pap chap callin ppp pap sent-username DialupAdmin password 7 07063D11542 ! interface Dialer14 ip unnumbered loopback 1 encapsulation ppp no peer default ip address pool dialer remote-name async5 dialer string 14085264431 dialer hold-queue 10 dialer pool 1 dialer-group 1 ppp authentication pap chap callin ppp pap sent-username DialupAdmin password 7 07063D11542 ! interface Dialer15 ip unnumbered loopback 1 encapsulation ppp no peer default ip address pool dialer remote-name async6 dialer string 14085261933 dialer hold-queue 10 dialer pool 1 dialer-group 1 ppp authentication pap chap callin ppp pap sent-username DialupAdmin password 7 07063D11542 ! Enterprise Dial Scenarios and Configurations Bidirectional Dial Between Central Sites and Remote Offices DC-818 Cisco IOS Dial Technologies Configuration Guide interface Dialer16 ip unnumbered loopback 1 encapsulation ppp no peer default ip address pool dialer remote-name async7 dialer string 14085267631 dialer hold-queue 10 dialer pool 1 dialer-group 1 ppp authentication pap chap callin ppp pap sent-username DialupAdmin password 7 07063D11542 ! interface Dialer17 ip unnumbered loopback 2 encapsulation ppp no peer default ip address pool dialer remote-name async8 dialer string 14085265153 dialer hold-queue 10 dialer pool 2 dialer-group 1 ppp authentication chap pap ! interface Dialer18 ip unnumbered loopback 2 encapsulation ppp no peer default ip address pool dialer remote-name isdn1 dialer string 14085267887 dialer hold-queue 10 dialer pool 2 dialer-group 1 ppp authentication chap pap ! interface Dialer19 ip unnumbered loopback 2 encapsulation ppp no peer default ip address pool dialer remote-name isdn2 dialer string 14085261591 dialer hold-queue 10 dialer pool 2 dialer-group 1 ppp authentication chap pap ! interface Dialer20 ip unnumbered loopback 2 encapsulation ppp no peer default ip address pool dialer remote-name isdn3 dialer string 14085262118 dialer hold-queue 10 dialer pool 2 dialer-group 1 ppp authentication chap pap ! interface Dialer21 ip unnumbered loopback 2 encapsulation ppp no peer default ip address pool dialer remote-name isdn4 dialer string 14085263757 dialer hold-queue 10 dialer pool 2 Enterprise Dial Scenarios and Configurations Bidirectional Dial Between Central Sites and Remote Offices DC-819 Cisco IOS Dial Technologies Configuration Guide dialer-group 1 ppp authentication chap pap ! interface Dialer22 ip unnumbered loopback 2 encapsulation ppp no peer default ip address pool dialer remote-name isdn5 dialer string 14085263769 dialer hold-queue 10 dialer pool 2 dialer-group 1 ppp authentication chap pap ! interface Dialer23 ip unnumbered loopback 2 encapsulation ppp no peer default ip address pool dialer remote-name isdn6 dialer string 14085267884 dialer hold-queue 10 dialer pool 2 dialer-group 1 ppp authentication chap pap ! interface Dialer24 ip unnumbered loopback 2 encapsulation ppp no peer default ip address pool dialer remote-name isdn7 dialer string 14085267360 dialer hold-queue 10 dialer pool 2 dialer-group 1 ppp authentication chap pap ! interface Dialer25 ip unnumbered loopback 2 encapsulation ppp no peer default ip address pool dialer remote-name isdn8 dialer string 14085260361 dialer hold-queue 10 dialer pool 2 dialer-group 1 ppp authentication chap pap ! router ospf 1 redistribute static subnets passive-interface Dialer1 passive-interface Dialer2 network 172.18.0.0 0.0.255.255 area 0 ! ip local pool dialin_pool 10.1.2.1 10.1.2.50 ip domain-name cisco.com ip classless ! dialer-list 1 protocol ip permit ! line con 0 exec-timeout 0 0 line 1 24 no exec exec-timeout 0 0 Enterprise Dial Scenarios and Configurations Bidirectional Dial Between Central Sites and Remote Offices DC-820 Cisco IOS Dial Technologies Configuration Guide autoselect during-login autoselect ppp script dialer cisco-default login local modem InOut modem autoconfigure type microcom_hdms transport input telnet line aux 0 line vty 0 1 exec-timeout 60 0 password cisco login line vty 2 5 exec-timeout 5 0 password cisco login ! end Cisco 1604 ISDN Router Configuration with Dialer Profiles The following configuration runs on the remote office Cisco 1604 router, which receives calls from the Cisco AS5300 central site access server. (See Figure 117.) version xx.x service udp-small-servers service tcp-small-servers ! hostname isdn1 ! enable password cisco ! username 5300 password cisco username isdn1 password cisco isdn switch-type basic-5ess ! interface Ethernet0 ip address 172.18.40.1 255.255.255.0 ! interface BRI0 no ip address encapsulation ppp dialer pool-member 1 ppp authentication chap pap ! interface Dialer1 ip address 172.18.38.131 255.255.255.128 encapsulation ppp no peer default ip address pool dialer remote-name 5300 dialer string 14085269328 dialer hold-queue 10 dialer pool 2 dialer-group 1 ppp authentication chap pap ! ip classless ip route 0.0.0.0 0.0.0.0 172.18.38.130 dialer-list 1 protocol ip permit ! line con 0 line vty 0 4 Enterprise Dial Scenarios and Configurations Bidirectional Dial Between Central Sites and Remote Offices DC-821 Cisco IOS Dial Technologies Configuration Guide password cisco login password cisco login ! end Cisco 1604 Router Asynchronous Configuration with Dialer Profiles The following asynchronous configuration runs on the remote office Cisco 1604 router, which receives calls from the Cisco AS5300 central site access server. (See Figure 117.) version xx.x service udp-small-servers service tcp-small-servers ! hostname async1 ! enable password cisco ! username 5300 password cisco username async1 password cisco chat script dial_out ““ “ATDT\T” timeout 60 connect \c ! interface Ethernet0 ip address 172.18.41.1 255.255.255.0 ! interface serial 0 physical-layer async no ip address encapsulation ppp dialer pool-member 1 ppp authentication chap pap ! interface Dialer10 ip address 172.18.38.41 255.255.255.128 encapsulation ppp no peer default ip address pool dialer remote-name 5300 dialer string 14085269328 dialer hold-queue 10 dialer pool 1 dialer-group 1 ppp authentication chap pap ! ip classless ip route 0.0.0.0 0.0.0.0 172.18.38.40 dialer-list 1 protocol ip permit ! line con 0 line 1 password cisco login script modem dial_out ! end Enterprise Dial Scenarios and Configurations Bidirectional Dial Between Central Sites and Remote Offices DC-822 Cisco IOS Dial Technologies Configuration Guide Cisco AS5300 Access Server Configuration Without Dialer Profiles The following bidirectional dial configuration runs on the Cisco AS5300 access server at headquarters in Figure 117. This configuration enables calls to be sent to the SOHO router and received from remote hosts and clients. The calling is bidirectional. version xx.x service udp-small-servers service tcp-small-servers ! hostname 5300 ! aaa new-model aaa authentication login default local aaa authentication login console enable aaa authentication login vty local aaa authentication login dialin local aaa authentication ppp default local aaa authentication ppp dialin if-needed local enable secret cisco ! username async1 password cisco username async2 password cisco username async3 password cisco username async4 password cisco username async5 password cisco username async6 password cisco username async7 password cisco username async8 password cisco username isdn1 password cisco username isdn2 password cisco username isdn3 password cisco username isdn4 password cisco username isdn5 password cisco username isdn6 password cisco username isdn7 password cisco username isdn8 password cisco username DialupAdmin password cisco ! isdn switch-type primary-dms100 chat-script cisco-default ABORT ERROR "" "AT" OK "ATDT\T" TIMEOUT 60 CONNECT ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 description ISDN Controller 0 ! controller T1 1 framing esf clock source line secondary linecode b8zs pri-group timeslots 1-24 description ISDN Controller 1 ! interface Ethernet0 ip address 172.18.39.40 255.255.255.0 no ip mroute-cache ip ospf priority 0 ! Enterprise Dial Scenarios and Configurations Bidirectional Dial Between Central Sites and Remote Offices DC-823 Cisco IOS Dial Technologies Configuration Guide interface Serial0:23 no ip address no ip mroute-cache encapsulation ppp isdn incoming-voice modem dialer rotary-group 2 ! interface Serial1:23 no ip address no ip mroute-cache encapsulation ppp isdn incoming-voice modem dialer rotary-group 2 ! interface Group-Async1 no ip address no ip mroute-cache encapsulation ppp async dynamic address async mode interactive dialer in-band dialer rotary-group 1 ppp authentication pap callin ppp pap sent-username HQ5300 password 7 09434678520A group-range 1 24 ! interface Dialer1 ip address 172.18.38.40 255.255.255.128 encapsulation ppp no peer default ip address pool dialer in-band dialer map ip 172.18.38.41 name async1 14445558983 dialer map ip 172.18.38.42 name async2 14445552012 dialer map ip 172.18.38.43 name async3 14445550706 dialer map ip 172.18.38.44 name async4 14445552731 dialer map ip 172.18.38.45 name async5 14445554431 dialer map ip 172.18.38.46 name async6 14445551933 dialer map ip 172.18.38.47 name async7 14445557631 dialer map ip 172.18.38.48 name async8 14445555153 dialer hold-queue 10 dialer-group 1 ppp authentication pap chap callin ppp pap sent-username DialupAdmin password 7 07063D11542 ! interface Dialer2 ip address 172.18.38.130 255.255.255.128 encapsulation ppp no peer default ip address pool dialer in-band dialer map ip 172.18.38.131 name isdn1 14445557887 dialer map ip 172.18.38.132 name isdn2 14445551591 dialer map ip 172.18.38.133 name isdn3 14445552118 dialer map ip 172.18.38.134 name isdn4 14445553757 dialer map ip 172.18.38.135 name isdn5 14445553769 dialer map ip 172.18.38.136 name isdn6 14445557884 dialer map ip 172.18.38.137 name isdn7 14445557360 dialer map ip 172.18.38.138 name isdn8 14445550361 dialer hold-queue 10 dialer-group 1 ppp authentication chap pap ppp multilink ! Enterprise Dial Scenarios and Configurations Bidirectional Dial Between Central Sites and Remote Offices DC-824 Cisco IOS Dial Technologies Configuration Guide router ospf 1 redistribute static subnets passive-interface Dialer1 passive-interface Dialer2 network 172.18.0.0 0.0.255.255 area 0 ! ip domain-name cisco.com ip classless ! dialer-list 1 protocol ip permit ! line con 0 exec-timeout 0 0 line 1 24 no exec exec-timeout 0 0 autoselect during-login autoselect ppp script dialer cisco-default login local modem InOut modem autoconfigure type microcom_hdms transport input telnet line aux 0 line vty 0 1 exec-timeout 60 0 password cisco login line vty 2 5 exec-timeout 5 0 password cisco login ! end Cisco 1604 ISDN Router Configuration Without Dialer Profiles The following configuration runs on the remote office Cisco 1604 router, which dials in to the Cisco AS5300 access server at headquarters in Figure 117. This configuration does not receive calls from the Cisco AS5300 access server. ! version 11.1 service udp-small-servers service tcp-small-servers ! hostname isdn1 ! enable password cisco ! username 5300 password cisco username isdn1 password cisco isdn switch-type basic-5ess ! interface Ethernet0 ip address 172.18.40.1 255.255.255.0 ! interface BRI0 ip address 172.18.38.131 255.255.255.128 encapsulation ppp dialer map ip 172.18.38.130 name 5300 14085269328 Enterprise Dial Scenarios and Configurations Bidirectional Dial Between Central Sites and Remote Offices DC-825 Cisco IOS Dial Technologies Configuration Guide dialer-group 1 ppp authentication chap pap ! ip classless ip route 0.0.0.0 0.0.0.0 172.18.38.130 dialer-list 1 protocol ip permit ! line con 0 line vty 0 4 password cisco login password cisco login ! end Cisco 1604 Router Asynchronous Configuration Without Dialer Profiles The following asynchronous configuration runs on the remote office Cisco 1604 router, which dials in to the Cisco AS5300 access server at headquarters in Figure 117. This configuration does not receive calls from the Cisco AS5300 access server. version xx.x service udp-small-servers service tcp-small-servers ! hostname async1 ! enable password cisco ! username 5300 password cisco username async1 password cisco chat script dial_out ““ “ATDT\T” timeout 60 connect \c ! interface Ethernet0 ip address 172.18.41.1 255.255.255.0 ! interface serial 0 physical-layer async ip address 172.18.38.41 255.255.255.128 encapsulation ppp dialer in-band dialer map ip 172.18.38.40 name 5300 modem-script dial_out 14085559328 dialer-group 1 ppp authentication chap pap ! ip classless ip route 0.0.0.0 0.0.0.0 172.18.38.40 dialer-list 1 protocol ip permit ! line con 0 line 1 password cisco login password cisco login ! end Enterprise Dial Scenarios and Configurations Telecommuters Dialing In to a Mixed Protocol Environment DC-826 Cisco IOS Dial Technologies Configuration Guide Large-Scale Dial-In Configuration Using Virtual Profiles The following example is used on each central site stack member shown in Figure 119. This configuration is for a large-scale dial-in scenario. aaa new-model aaa authentication login default none aaa authentication ppp default radius aaa authentication ppp admin local aaa authorization network radius isdn switch-type primary-5ess ! interface Serial0:23 no ip address no ip mroute-cache no cdp enable ppp authentication chap ! tacacs-server host 172.18.203.45 virtual-profile aaa The following example configures an entry running on a RADIUS security server, which is queried by each central site stack member when a call comes in. This entry includes the virtual profile configuration information for remote users dialing in to the central site stack solution. In this example, virtual profiles are configured by both virtual templates and AAA configuration. John and Rick can dial in from anywhere and have their same keepalive settings and their own IP addresses. The remaining attribute-value pair settings are not used by virtual profiles. They are the network-protocol access lists and route filters used by AAA-based per-user configuration. In the AAA configuration cisco-avpair lines, “\n” is used to indicate the start of a new Cisco IOS command line. john Password = “welcome” User-Service-Type = Framed-User, Framed-Protocol = PPP, cisco-avpair = “lcp:interface-config=keepalive 75\nip address 100.100.100.100 255.255.255.0”, cisco-avpair = “ip:rte-fltr-out#0=router igrp 60”, cisco-avpair = “ip:rte-fltr-out#3=deny 171.0.0.0 0.255.255.255”, cisco-avpair = “ip:rte-fltr-out#4=deny 172.0.0.0 0.255.255.255”, cisco-avpair = “ip:rte-fltr-out#5=permit any” rick Password = “emoclew” User-Service-Type = Framed-User, Framed-Protocol = PPP, cisco-avpair = “lcp:interface-config=keepalive 100\nip address 200.200.200.200 255.255.255.0”, cisco-avpair = “ip:inacl#3=permit ip any any precedence immediate”, cisco-avpair = “ip:inacl#4=deny igrp 0.0.1.2 255.255.0.0 any”, cisco-avpair = “ip:outacl#2=permit ip any any precedence immediate”, cisco-avpair = “ip:outacl#3=deny igrp 0.0.9.10 255.255.0.0 any” Telecommuters Dialing In to a Mixed Protocol Environment The scenario in this section describes how to provide remote access to employees who dial in to a mixed protocol enterprise network. The sample configurations provided in this section assume that enterprise telecommuters are dialing in with modems or terminal adapters from outside the LAN at headquarters. Enterprise Dial Scenarios and Configurations Telecommuters Dialing In to a Mixed Protocol Environment DC-827 Cisco IOS Dial Technologies Configuration Guide The following sections are provided: • Description • Enterprise Network Topology • Mixed Protocol Dial-In Scenarios Description Sometimes an enterprise conducts its daily business operations across internal mixed protocol environments. (See Figure 121 and Table 47.) For example, an enterprise might deploy an IP base across the entire intranet while still allowing file sharing with other protocols such as AppleTalk and AppleTalk Remote Access (ARA). Enterprise Dial Scenarios and Configurations Telecommuters Dialing In to a Mixed Protocol Environment DC-828 Cisco IOS Dial Technologies Configuration Guide Figure 121 Large Enterprise with a Multiprotocol Network Table 47 Typical Mixed Protocol Environment Applications Running on the Network Server Remote or Local Client Applications Protocol Used to Support the Network Internal Supporting Department Windows NT Windows 95 or Windows 3.1 running on PCs IP Marketing, human resources, engineering, and customer support UNIX SunOS or Solaris running on a UNIX-based workstation or NCD IP Engineering and customer support bigcompany.com NT server IP PC S6553 External/internal web server Mixed protocol network layout for bigcompany.com AppleTalk server UNIX AppleTalk IP network for engineering or marketing clients running Windows or Solaris AppleTalk network for documentation or creative services running Mac OS system software Mac Mac Enterprise Dial Scenarios and Configurations Telecommuters Dialing In to a Mixed Protocol Environment DC-829 Cisco IOS Dial Technologies Configuration Guide Enterprise Network Topology Figure 122 shows a sample enterprise network, which supports 10,000 registered token card holders. Some registered users might use their access privileges each day, while others might use their access privileges very infrequently, such as only on business trips. The dial-in access provisioned for outsiders, such as partners or vendors, is supported separately in a firewalled setup. Five Cisco AS5300 access servers are positioned to provide 250 dial-in ports for incoming modem calls. A Catalyst 1900 is used as a standalone switch to provide Ethernet switching between the Cisco AS5300 access servers and the 100BASET interfaces on the backbone routers. Two Cisco 7200 series routers are used to reduce the processing workload on the access servers and provide access to the company’s backbone. If the Cisco 7200 series routers were not used in the network solution, the Cisco AS5300 access servers could not update routing tables, especially if 20 to 30 additional routers existed on the company’s backbone. Two additional backbone switches are used to provide access to the company network. Note Depending on your networking needs, the Cisco 7200 series routers could be substituted by one or more Cisco 3640 series routers. Additionally, the Cisco AS5300 access servers could be replaced by Cisco 3640 routers loaded with MICA digital modem cards. AppleTalk Mac OS System Software 7.5 running on Macintosh computers AppleTalk Documentation and creative services NetWare Novell NetWare client software IPX Marketing, and human resources, engineering, customer support Table 47 Typical Mixed Protocol Environment (continued) Applications Running on the Network Server Remote or Local Client Applications Protocol Used to Support the Network Internal Supporting Department Enterprise Dial Scenarios and Configurations Telecommuters Dialing In to a Mixed Protocol Environment DC-830 Cisco IOS Dial Technologies Configuration Guide Figure 122 Sample Enterprise Network Topology If you are setting up dial-in access for remote terminal adapters, the settings configured on the terminal adapters must match the setting on the access server or router. Depending on your business application, terminal adapters can operate in many different modes. (See Table 48.) Mixed Protocol Dial-In Scenarios The examples in the following sections are intended to run on each network device featured in Figure 122, which allows remote users to dial in to a mixed protocol environment: • Cisco 7200 #1 Backbone Router • Cisco 7200 #2 Backbone Router • Cisco AS5300 Universal Access Server Note Be sure to include your own IP addresses, host names, and security passwords where appropriate. Telecommuter PCs fitted with terminal adapters dialing in to headquarters Mixed protocol network leading to clients, hosts, and other routers Hunt group dial-in number 1-800-555-1212 Sales people dialing in with internal modem Cisco AS5200 stack group Catalyst 1900 Cisco 7200 #2 Cisco 7200 #1 Headquarters network 2 backbone switches ISDN and analog network S6552 Table 48 Options for Terminal Adapter Settings Terminal Adapter Mode Comments Synchronous PPP We recommend you use this mode for most terminal adapter scenarios. By default, Cisco access servers and routers have synchronous PPP enabled. Therefore, additional configuration is not required on the router or access server. V.120 Use this mode for asynchronous to synchronous communication, which can be used to tunnel character mode sessions over synchronous ISDN. We recommend you use this mode with midrange routers, such as the Cisco 4500 series router. V.110 Use this modem for setting up cellular modem access. Enterprise Dial Scenarios and Configurations Telecommuters Dialing In to a Mixed Protocol Environment DC-831 Cisco IOS Dial Technologies Configuration Guide Cisco 7200 #1 Backbone Router The following configuration runs on the router labeled Cisco 7200 #1 in Figure 122. Fast Ethernet interface 0/0 connects to the corporate backbone switch. Fast Ethernet interface 1/0 connects to the Catalyst 1900 switch, which in turn connects to the Cisco AS5300 access servers. version xx.x no service udp-small-servers no service tcp-small-servers ! hostname bbone-dial1 ! aaa new-model aaa authentication login default local aaa authentication login console enable ! username admin password cisco ! boot system flash slot0: enable secret appletalk routing ipx routing ! interface FastEthernet0/0 ip address 10.0.1.52 255.255.255.192 appletalk cable-range 1000-1000 appletalk zone Networking Infrastructure ipx network 1000 ! interface FastEthernet1/0 ip address 10.1.1.2 255.255.255.224 no ip redirects appletalk cable-range 7650-7650 7650.1 appletalk zone Dial-Up Net ipx network 7650 ! standby ip 10.1.1.1 standby priority 101 standby preempt ! router eigrp 109 redistribute static network 10.0.0.0 no auto-summary ! ip classless ip http server no logging console ! ip route 10.1.2.0 255.255.255.192 10.1.1.10 ! line con 0 login authentication console ! line vty 0 4 login authentication default end Enterprise Dial Scenarios and Configurations Telecommuters Dialing In to a Mixed Protocol Environment DC-832 Cisco IOS Dial Technologies Configuration Guide Cisco 7200 #2 Backbone Router The following configuration runs on the router labeled Cisco 7200 #2 in Figure 122. Fast Ethernet interface 0/0 connects to the corporate backbone switch. Fast Ethernet interface 1/0 connects to the Catalyst 1900 switch, which in turn connects to the Cisco AS5300 access servers. version xx.x no service udp-small-servers no service tcp-small-servers ! hostname bbone-dial2 ! aaa new-model aaa authentication login default local aaa authentication login console enable ! username admin password cisco ! boot system flash slot0: enable secret appletalk routing ipx routing ! interface FastEthernet0/0 ip address 10.0.1.116 255.255.255.192 appletalk cable-range 1001-1001 appletalk zone Networking Infrastructure ipx network 1001 ! interface FastEthernet1/0 ip address 10.1.1.3 255.255.255.224 no ip redirects appletalk cable-range 7650-7650 7650.2 appletalk zone Dial-Up Net ipx network 7650 ! standby ip 10.1.1.1 ! router eigrp 109 redistribute static network 10.0.0.0 no auto-summary ! ip classless ip http server no logging console ! ip route 10.1.2.0 255.255.255.192 10.1.1.10 ! line con 0 login authentication console ! line vty 0 4 login authentication console ! end Enterprise Dial Scenarios and Configurations Telecommuters Dialing In to a Mixed Protocol Environment DC-833 Cisco IOS Dial Technologies Configuration Guide Cisco AS5300 Universal Access Server The following configuration runs on each Cisco AS5300 access server in the stack group shown in Figure 122: version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers ! appletalk routing ipx routing appletalk virtual net 7651 Dial-Up Net arap network 7652 Dial-Up Net ! hostname NAS ! aaa new-model aaa authentication login default local aaa authentication login console enable aaa authentication login vty local aaa authentication login dialin local aaa authentication ppp default local aaa authentication ppp dialin if-needed local aaa authentication arap default auth-guest local enable secret cisco ! username admin password cisco username pcuser1 password mypass isdn switch-type primary-5ess ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf clock source line secondary linecode b8zs pri-group timeslots 1-24 ! interface loopback 0 ip address 10.1.2.0 255.255.255.192 ipx network 7651 ! interface Ethernet0 ip address 10.1.1.10 255.255.255.0 appletalk cable-range 7650 appletalk zone Dial-Up-Net ipx network 7650 ! interface Serial0 no ip address shutdown ! interface Serial1 no ip address shutdown ! Enterprise Dial Scenarios and Configurations Telecommuters Dialing In to a Mixed Protocol Environment DC-834 Cisco IOS Dial Technologies Configuration Guide interface Serial0:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Serial1:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Group-Async1 ip unnumbered Ethernet0 encapsulation ppp async mode interactive peer default ip address pool dialin_pool appletalk client-mode ipx ppp-client no cdp enable ppp authentication chap pap dialin group-range 1 48 ! interface Dialer0 ip unnumbered Ethernet0 no ip mroute-cache encapsulation ppp peer default ip address pool dialin_pool ipx ppp-client appletalk client-mode dialer in-band dialer-group 1 no fair-queue no cdp enable ppp authentication chap pap dialin ppp multilink ! ip local pool dialin_pool 10.1.2.1 10.1.2.62 ip default-gateway 10.1.1.1 ip classless ip route 0.0.0.0 0.0.0.0 10.1.1.1 ! dialer-list 1 protocol ip permit ! async-bootp dns-server 10.1.0.40 10.1.0.170 async-bootp nbns-server 10.0.235.228 10.0.235.229 ! xremote buffersize 72000 xremote tftp host 10.0.2.74 ! Enterprise Dial Scenarios and Configurations Telecommuters Dialing In to a Mixed Protocol Environment DC-835 Cisco IOS Dial Technologies Configuration Guide line con 0 login authentication console line 1 48 autoselect ppp autoselect during-login autoselect arap arap enable arap authentication default arap timelimit 240 arap warningtime 15 login authentication dialin modem DialIn terminal-type dialup line aux 0 login authentication console line vty 0 4 login authentication vty transport input telnet rlogin ! end Enterprise Dial Scenarios and Configurations Telecommuters Dialing In to a Mixed Protocol Environment DC-836 Cisco IOS Dial Technologies Configuration Guide DC-837 Cisco IOS Dial Technologies Configuration Guide Telco and ISP Dial Scenarios and Configurations This chapter provides sample hardware and software configurations for specific dial scenarios used by telcos, Internet service providers (ISPs), regional Bell operating companies (RBOCs), inter-exchange carriers (IXCs), and other service providers. Each configuration in this chapter is designed to enable IP network traffic with basic security authentication. The following scenarios are described: • Scenario 1—Small- to Medium-Scale POPs • Scenario 2—Large-Scale POPs • Scenario 3—PPP Calls over X.25 Networks Note In all of these scenarios, you can replace the Cisco AS5200 access server with Cisco AS5300 or Cisco AS5800 access server. This hardware exchange provides higher call density performance and increases the number of PRI interfaces and modem ports on each chassis. Small- to Medium-Scale POPs Many small-to-medium-sized ISPs configure one or two access servers to provide dial-in access for their customers. Many of these dial-in customers use individual remote PCs that are not connected to LANs. Using the Windows 95 dialup software, remote clients initiate analog or digital connections using modems or home office ISDN BRI terminal adapters. This section provides three types of single user dial-in scenarios for service providers: • Individual Remote PCs Using Analog Modems • Individual PCs Using ISDN Terminal Adapters • Mixture of ISDN and Analog Modem Calls Note Be sure to include your own IP addresses, host names, and security passwords where appropriate. The following sample configurations assume that the dial-in clients are individual PCs running PPP, connecting to an IP network, and requiring only basic security authentication. Telco and ISP Dial Scenarios and Configurations Small- to Medium-Scale POPs DC-838 Cisco IOS Dial Technologies Configuration Guide Individual Remote PCs Using Analog Modems ISPs can configure a single Cisco access servers to receive analog calls from remote PCs connected to modems, as shown in Figure 123. The point of presence (POP) at the ISP central site could also be a Cisco 2511 access server connected to external modems. Network Topology Figure 123 shows a small-scale dial-in scenario using modems. Figure 123 Remote PC Using an Analog Modem to Dial In to a Cisco Access Server Running Configuration for ISDN PRI The following sample configuration runs on the Cisco access server, as shown in Figure 123, which enables remote analog users to dial in: version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers ! hostname NAS ! aaa new-model aaa authentication login console enable aaa authentication login vty tacacs+ aaa authentication login dialin tacacs+ aaa authentication ppp default tacacs+ aaa authentication ppp dialin if-needed tacacs+ enable secret cisco ! async-bootp dns-server 10.1.3.1 10.1.3.2 isdn switch-type primary-5ess ! controller T1 0 framing esf clock source line primary Analog modem T1 PRI Cisco AS5200 used to provide Internet access by an ISP PC running Windows 95 and accessing the Internet Standard telephone network (POTS) Analog calls Internet S6537 Telco and ISP Dial Scenarios and Configurations Small- to Medium-Scale POPs DC-839 Cisco IOS Dial Technologies Configuration Guide linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf clock source line secondary linecode b8zs pri-group timeslots 1-24 ! interface Loopback0 ip address 10.1.2.254 255.255.255.0 ! interface Ethernet0 ip address 10.1.1.10 255.255.255.0 ip summary address eigrp 10 10.1.2.0 255.255.255.0 ! interface Serial0 no ip address shutdown ! interface Serial1 no ip address shutdown ! interface Serial0:23 no ip address encapsulation ppp isdn incoming-voice modem ! interface Serial1:23 no ip address isdn incoming-voice modem ! interface Group-Async1 ip unnumbered Loopback0 encapsulation ppp async mode interactive peer default ip address pool dialin_pool no cdp enable ppp authentication chap pap dialin group-range 1 48 ! router eigrp 10 network 10.0.0.0 passive-interface Dialer0 no auto-summary ! ip local pool dialin_pool 10.1.2.1 10.1.2.50 ip default-gateway 10.1.1.1 ip classless ! dialer-list 1 protocol ip permit ! line con 0 login authentication console line 1 48 autoselect ppp autoselect during-login login authentication dialin modem DialIn ! line aux 0 login authentication console Telco and ISP Dial Scenarios and Configurations Small- to Medium-Scale POPs DC-840 Cisco IOS Dial Technologies Configuration Guide line vty 0 4 login authentication vty transport input telnet rlogin ! end Some service providers use a remote TACACS+ or RADIUS security server in this dial-in scenario. The following example shows a TACACS+ entry that appears in the configuration file of a remote security server: user = PCuser1 { login = cleartext "dialpass1" chap = cleartext "dialpass1" service = ppp protocol = ip { addr-pool = dialin_pool } service = exec { autocmd = "ppp negotiate" } } user = PCuser2 { login = cleartext "dialpass2" chap = cleartext "dialpass2" service = ppp protocol = ip { addr-pool = dialin_pool } service = exec { autocmd = "ppp negotiate" } } user = PCuser3 { login = cleartext "dialpass3" chap = cleartext "dialpass3" service = ppp protocol = ip { addr-pool = dialin_pool } service = exec { autocmd = "ppp negotiate" } } Running Configuration for Robbed-Bit Signaling The following example shows a single Cisco access server configured to support remote client PCs dialing in with analog modems over traditional T1 lines. Digital ISDN calls do not transmit across these older types of channelized lines. The configuration assumes that the client can dial in and connect to the router in either terminal emulation mode (text only) or PPP packet mode. Note The following configuration works only for analog modem calls. It includes no serial D-channel configuration (Serial 0:23 and Serial 1:23). version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption Telco and ISP Dial Scenarios and Configurations Small- to Medium-Scale POPs DC-841 Cisco IOS Dial Technologies Configuration Guide no service udp-small-servers no service tcp-small-servers ! hostname NAS ! aaa new-model aaa authentication login console enable aaa authentication login vty tacacs+ aaa authentication login dialin tacacs+ aaa authentication ppp default tacacs+ aaa authentication ppp dialin if-needed tacacs+ enable secret cisco ! async-bootp dns-server 10.1.3.1 10.1.3.2 isdn switch-type primary-5ess ! controller T1 0 framing esf clock source line primary linecode b8zs cas-group 0 timeslots 1-24 type e&m-fgb ! controller T1 1 framing esf clock source line secondary linecode b8zs cas-group 0 timeslots 1-24 type e&m-fgb ! interface Loopback0 ip address 10.1.2.254 255.255.255.0 ! interface Ethernet0 ip address 10.1.1.10 255.255.255.0 ip summary address eigrp 10 10.1.2.0 255.255.255.0 ! interface Serial0 no ip address shutdown ! interface Serial1 no ip address shutdown ! interface Group-Async1 ip unnumbered Loopback0 encapsulation ppp async mode interactive peer default ip address pool dialin_pool no cdp enable ppp authentication chap pap dialin group-range 1 48 ! router eigrp 10 network 10.0.0.0 passive-interface Dialer0 no auto-summary ! ip local pool dialin_pool 10.1.2.1 10.1.2.50 ip default-gateway 10.1.1.1 ip classless ! dialer-list 1 protocol ip permit ! Telco and ISP Dial Scenarios and Configurations Small- to Medium-Scale POPs DC-842 Cisco IOS Dial Technologies Configuration Guide line con 0 login authentication console line 1 48 autoselect ppp autoselect during-login login authentication dialin modem DialIn line aux 0 login authentication console line vty 0 4 login authentication vty transport input telnet rlogin ! end Individual PCs Using ISDN Terminal Adapters ISPs can configure a single Cisco access server to receive digital multilink calls from remote PCs connected to terminal adapters, as shown in Figure 124. The POP at the central site of the ISP can be any Cisco router that supports ISDN PRI, such as the Cisco 4700-M router loaded with a channelized T1 PRI network module. Network Topology Figure 124 shows a small-scale dial-in scenario using terminal adapters. Figure 124 Remote PC Using a Terminal Adapter to Dial In to a Cisco Access Server To configure one Cisco access server to accept both incoming ISDN and analog calls from individual terminal adapters and modems, see the section “Mixture of ISDN and Analog Modem Calls” later in this chapter. Terminal adapter BRI T1 PRI Cisco AS5200 used to provide Internet access by an ISP Home office remote PC running Windows 95 ISDN network Digital calls Internet S6536 Telco and ISP Dial Scenarios and Configurations Small- to Medium-Scale POPs DC-843 Cisco IOS Dial Technologies Configuration Guide Terminal Adapter Configuration Example The following example configures a Cisco access server to enable PCs fitted with internal or external terminal adapters to dial in to an IP network. The terminal adapter configuration is set up for asynchronous-to-synchronous PPP conversion. In some cases, PPP authentication must be set up for the Password Authentication Protocol (PAP). Some terminal adapters support only PAP authentication. version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers ! hostname NAS ! aaa new-model aaa authentication login console enable aaa authentication login vty tacacs+ aaa authentication login dialin tacacs+ aaa authentication ppp default tacacs+ aaa authentication ppp dialin if-needed tacacs+ enable secret cisco ! async-bootp dns-server 10.1.3.1 10.1.3.2 isdn switch-type primary-5ess ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf clock source line secondary linecode b8zs pri-group timeslots 1-24 ! interface Loopback0 ip address 10.1.2.254 255.255.255.0 ! interface Ethernet0 ip address 10.1.1.10 255.255.255.0 ip summary address eigrp 10 10.1.2.0 255.255.255.0 ! interface Serial0 no ip address shutdown ! interface Serial1 no ip address shutdown ! interface Serial0:23 no ip address encapsulation ppp dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! Telco and ISP Dial Scenarios and Configurations Small- to Medium-Scale POPs DC-844 Cisco IOS Dial Technologies Configuration Guide interface Serial1:23 no ip address encapsulation ppp dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Dialer0 ip unnumbered Loopback0 no ip mroute-cache encapsulation ppp peer default ip address pool dialin_pool dialer in-band dialer-group 1 no fair-queue no cdp enable ppp authentication chap pap dialin ppp multilink ! router eigrp 10 network 10.0.0.0 passive-interface Dialer0 no auto-summary ! ip local pool dialin_pool 10.1.2.1 10.1.2.50 ip default-gateway 10.1.1.1 ip classless ! dialer-list 1 protocol ip permit ! line con 0 login authentication console line 1 48 autoselect ppp autoselect during-login login authentication dialin modem DialIn line aux 0 login authentication console line vty 0 4 login authentication vty transport input telnet rlogin ! end Telco and ISP Dial Scenarios and Configurations Small- to Medium-Scale POPs DC-845 Cisco IOS Dial Technologies Configuration Guide Mixture of ISDN and Analog Modem Calls ISPs can configure a single Cisco access server to receive calls from a mixture of remote PCs connected to terminal adapters and modems, as shown in Figure 125. Figure 125 Remote PCs Making Digital Calls and Analog Calls to a Cisco Access Server Combination of Modem and ISDN Dial-In Configuration Example The following example shows a combination of the modem and ISDN dial-in configurations. Using the bearer capability information element in the call setup packet, the incoming calls are labeled as data or voice. After the calls enter the access server, they are routed either to the serial configuration or to the modems and group asynchronous configuration. Note This configuration assumes that only individual remote PCs are dialing in; no remote routers are dialing in. For a remote router dial-in configuration, see the chapter “Enterprise Dial Scenarios and Configurations” in this publication. version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers ! hostname NAS ! Terminal adapter BRI T1 PRI ISP using a Cisco AS5200 to provide Internet access Modem Home office PC running Windows 95 and making analog modem calls in to the Internet Home office PC running Windows 95 and making digital calls in to the Internet ISDN Internet Analog S6535 Telco and ISP Dial Scenarios and Configurations Small- to Medium-Scale POPs DC-846 Cisco IOS Dial Technologies Configuration Guide aaa new-model aaa authentication login console enable aaa authentication login vty tacacs+ aaa authentication login dialin tacacs+ aaa authentication ppp default tacacs+ aaa authentication ppp dialin if-needed tacacs+ enable secret cisco ! async-bootp dns-server 10.1.3.1 10.1.3.2 isdn switch-type primary-5ess ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf clock source line secondary linecode b8zs pri-group timeslots 1-24 ! interface Loopback0 ip address 10.1.2.254 255.255.255.0 ! interface Ethernet0 ip address 10.1.1.10 255.255.255.0 ip summary address eigrp 10 10.1.2.0 255.255.255.0 ! interface Serial0 no ip address shutdown ! interface Serial1 no ip address shutdown ! interface Serial0:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Serial1:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Group-Async1 ip unnumbered Loopback0 encapsulation ppp async mode interactive peer default ip address pool dialin_pool no cdp enable ppp authentication chap pap dialin group-range 1 48 Telco and ISP Dial Scenarios and Configurations Large-Scale POPs DC-847 Cisco IOS Dial Technologies Configuration Guide ! interface Dialer0 ip unnumbered Loopback0 no ip mroute-cache encapsulation ppp peer default ip address pool dialin_pool dialer in-band dialer-group 1 no fair-queue no cdp enable ppp authentication chap pap dialin ppp multilink ! router eigrp 10 network 10.0.0.0 passive-interface Dialer0 no auto-summary ! ip local pool dialin_pool 10.1.2.1 10.1.2.50 ip default-gateway 10.1.1.1 ip classless ! dialer-list 1 protocol ip permit ! line con 0 login authentication console line 1 48 autoselect ppp autoselect during-login login authentication dialin modem DialIn line aux 0 login authentication console line vty 0 4 login authentication vty transport input telnet rlogin end Large-Scale POPs This section describes how to set up a stack of access servers for a large-scale dial solution and includes the following sections: • Scaling Considerations • How Stacking Works • Stack Group of Access Servers Using MMP with an Offload Processor Examples Scaling Considerations Because of the significant increase in demand for Internet access, large POPs are required by many Telcos and ISPs. Internet access configurations can be set up to enable users who dial in with individual computers to make mixed ISDN multilink or modem connections using a stack of Cisco access servers that run Multichassis Multilink PPP (MMP). You must consider scalability and call density issues when designing a large-scale dial-in POP. Because access servers have physical limitations, such as how many dial-in users can be supported on one device, you should consider the conditions and recommendations described in Table 49. Telco and ISP Dial Scenarios and Configurations Large-Scale POPs DC-848 Cisco IOS Dial Technologies Configuration Guide Note Depending on the size of your POP requirement, you can replace the Cisco AS5200 access server with a Cisco AS5300, Cisco AS5800, or Cisco AccessPath. This hardware exchange provides higher call density performance and increases the number of ISDN PRI ports, channelized ports, and modem ports on each chassis. How Stacking Works Before you install and configure a stack of access servers, you should understand the basic concepts described in the following sections and how they work together in a large-scale dial-in solution: • A Typical Multilink PPP Session • Using Multichassis Multilink PPP • Setting Up an Offload Server • Using the Stack Group Bidding Protocol • Using L2F A Typical Multilink PPP Session A basic multilink session is an ISDN connection between two routing devices, such as a Cisco 766 router and a Cisco AS5200 access server. Figure 126 shows a remote PC connecting to a Cisco 766 ISDN router, which in turn opens two B-channel connections at 128 kbps across an ISDN network. The Multilink PPP (MLP) session is brought up. The Cisco 766 router sends four packets across the network to the Cisco AS5200, which in turn reassembles the packets back into the correct order and sends them out the LAN port to the Internet. Table 49 Recommended Configurations for Different Remote Access Needs Dial-in Demand You Need to Support Recommended Configuration PCs dialing in, 75 to 90 percent modem calls, 10 to 25 percent ISDN calls (terminal adapters or routers), and support for fewer than 96 (T1) to 116 (E1) simultaneous dial-in connections. Two Cisco access servers configured for IP, basic security, MMP, L2F, and no offload server. PCs dialing in, less than 50 percent modem calls, more than 50 percent ISDN calls (terminal adapters or routers), dial-in only, and 250 or more simultaneous links into the offload server. Three or more Cisco access servers configured for IP, remote security, MMP, and L2F. Each Cisco access server is configured to offload its segmentation and reassembly of the multilink sessions onto an offload server, such as a Cisco 7202 or Cisco 4700 router. Telco and ISP Dial Scenarios and Configurations Large-Scale POPs DC-849 Cisco IOS Dial Technologies Configuration Guide Figure 126 A Typical Multilink PPP Session Using Multichassis Multilink PPP The dial solution becomes more complex when the scenario is scaled to include multiple multilink calls connecting across multiple chassis. Figure 127 shows a terminal adapter making a call in to the Cisco AS5200, labeled #1. However, only one of the access server’s 48 B channels is available to accept the call. The other channels are busy with calls. As a result, one of the terminal adapter’s two B channels is redirected to device #2. At this point, a multilink multichassis session is shared between two Cisco AS5200s that belong to the same stack group. Packet fragments A and C go to device #1. Packet fragments B and D go to device #2. Because device #1 is the first access server to receive a packet and establish a link, this access server creates a virtual interface and becomes the bundle master. The bundle master takes ownership of the MLP session with the remote device. The Multichassis Multilink PPP (MMP) protocol forwards the second link from device #2 to the bundle master, which in turn bundles the two B channels together and provides 128 kbps to the end user. Layer 2 Forwarding (L2F) is the mechanism that device #2 uses to forward all packet fragments received from the terminal adapter to device #1. In this way, all packets and calls virtually appear to terminate at device #1. S6752 Hunt group 555-1001 Dial-in session #1 PC running Windows 95 Cisco 766 ISDN network 4 4 2 2 1 1 3 3 Internet access Service provider network Cisco AS5200 Telco and ISP Dial Scenarios and Configurations Large-Scale POPs DC-850 Cisco IOS Dial Technologies Configuration Guide Figure 127 A Stack Group of Access Servers Using MMP Without an Offload Processor Setting Up an Offload Server Because MMP is a processor-intensive application, you might need to offload the processing or segmentation and reassembly from the Cisco access servers to a router with a more powerful CPU, such as the Cisco 4700-M or Cisco 7206. We recommend that you include an offload server for dial-in solutions that support more than 50 percent ISDN calls or more than 10 multilink sessions per Cisco access server. (See Figure 128.) Analog network S6751 A Remote security server Stack of two Cisco AS5200 access servers used in one service provider network Hunt group 555-1001 #1 #2 Terminal PC adapter Modem PC Dial-in session #2 ISDN network C D D B A B C Internet access Telco and ISP Dial Scenarios and Configurations Large-Scale POPs DC-851 Cisco IOS Dial Technologies Configuration Guide Figure 128 A Stack Group of Access Servers Using MMP with an Offload Processor Using the Stack Group Bidding Protocol The Stack Group Bidding Protocol (SGBP) is a critical component used in multichassis multilink sessions. SGBP unites each Cisco access server in a virtual stack, which enables the access servers to become virtually tied together. Each independent stack member communicates with the other members and determines which devices’ CPU should be in charge of running the multilink session and packet reassembly—the duty of the bundle master. The goal of SGBP is to find a common place to forward the links and ensure that this destination has enough CPU power to perform the segmentation and packet reassembly. (See Figure 128.) When SGBP in configured on each Cisco access server, each access server sends out a query to each stack group member stating, for example, “I have a call coming in from walt@options.com. What is your bid for this user?” Each access server then consults the following default bidding criteria and answers the query accordingly: • Do I have an existing call or link for the user walt@options.com? If I do, then bid very high to get this second link in to me. • If I do not have an existing call for walt@options.com, then bid a value that is proportional to how much CPU power I have available. • How busy am I supporting other users? 4 B A 1 D C 2 3 3 2 1 D C B A PC running Windows 95 Cisco 766 Modem PC Terminal adapter PC Dial-in session #2 Dial-in session #1 Remote security server Using L2F, all packets are encapsulated and forwarded to the Cisco 7206 for reassembly of the multilink and single link process Hunt group 555-1001 #1 #2 #3 Stack of three Cisco AS5200 access servers used in one service provider network Analog network ISDN network S6486 Internet access HSSI Cisco 7206 used for offload processing and has a rigged bid for each call 4 Telco and ISP Dial Scenarios and Configurations Large-Scale POPs DC-852 Cisco IOS Dial Technologies Configuration Guide Note An offload server will always serve as the bundle master by bidding a higher value than the other devices. Using L2F L2F is a critical component used in multichassis multilink sessions. If an access server is not in charge of a multilink session, the access server encapsulates the fragmented PPP frames and forwards them to the bundle master using L2F. The master device receives the calls, not through the dial port (such as a dual T1/PRI card), but through the LAN or Ethernet port. L2F simply tunnels packet fragments to the device that owns the multilink session for the call. If you include an offload server in your dial-in scenario, it creates all the virtual interfaces, owns all the multilink sessions, and reassembles all the fragmented packets received by L2F via the other stackgroup members. (Refer to Figure 128.) Stack Group of Access Servers Using MMP with an Offload Processor Examples The following sections provide examples for the devices shown in Figure 128: • Cisco Access Server #1 • Cisco Access Server #2 • Cisco Access Server #3 • Cisco 7206 as Offload Server • RADIUS Remote Security Examples Note Be sure to include your own IP addresses, host names, and security passwords where appropriate. Cisco Access Server #1 The following configuration runs on the Cisco access server labeled #1 in Figure 128: version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers ! hostname AS5200-1 ! aaa new-model aaa authentication login default local aaa authentication login console enable aaa authentication login vty local aaa authentication login dialin radius aaa authentication ppp default local aaa authentication ppp dialin if-needed radius aaa authorization exec local radius aaa authorization network radius aaa accounting network start-stop radius aaa accounting exec start-stop radius Telco and ISP Dial Scenarios and Configurations Large-Scale POPs DC-853 Cisco IOS Dial Technologies Configuration Guide enable secret cisco ! username admin password cisco username MYSTACK password STACK-SECRET sgbp group MYSTACK sgbp member AS5200-2 10.1.1.12 sgbp member AS5200-3 10.1.1.13 sgbp member 7200 10.1.1.14 async-bootp dns-server 10.1.3.1 10.1.3.2 isdn switch-type primary-5ess ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf clock source line secondary linecode b8zs pri-group timeslots 1-24 ! interface Loopback0 ip address 10.1.2.62 255.255.255.192 ! interface Ethernet0 ip address 10.1.1.11 255.255.255.0 ip summary address eigrp 10 10.1.2.0 255.255.255.192 ! interface Serial0 no ip address shutdown ! interface Serial1 no ip address shutdown ! interface Serial0:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Serial1:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Group-Async1 ip unnumbered Loopback0 encapsulation ppp async mode interactive peer default ip address pool dialin_pool no cdp enable ppp authentication chap pap dialin group-range 1 48 Telco and ISP Dial Scenarios and Configurations Large-Scale POPs DC-854 Cisco IOS Dial Technologies Configuration Guide ! interface Dialer0 ip unnumbered Loopback0 no ip mroute-cache encapsulation ppp peer default ip address pool dialin_pool dialer in-band dialer-group 1 no fair-queue no cdp enable ppp authentication chap pap dialin ppp multilink ! router eigrp 10 network 10.0.0.0 passive-interface Dialer0 no auto-summary ! ip local pool dialin_pool 10.1.2.1 10.1.2.50 ip default-gateway 10.1.1.1 ip classless ! dialer-list 1 protocol ip permit radius-server host 10.1.1.23 auth-port 1645 acct-port 1646 radius-server host 10.1.1.24 auth-port 1645 acct-port 1646 radius-server key cisco ! line con 0 login authentication console line 1 48 autoselect ppp autoselect during-login login authentication dialin modem DialIn line aux 0 login authentication console line vty 0 4 login authentication vty transport input telnet rlogin ! end Cisco Access Server #2 The following configuration runs on the Cisco access server labeled #2 shown in Figure 128: version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers ! hostname AS5200-2 ! aaa new-model aaa authentication login default local aaa authentication login console enable aaa authentication login vty local aaa authentication login dialin radius aaa authentication ppp default local aaa authentication ppp dialin if-needed radius aaa authorization exec local radius Telco and ISP Dial Scenarios and Configurations Large-Scale POPs DC-855 Cisco IOS Dial Technologies Configuration Guide aaa authorization network radius aaa accounting network start-stop radius aaa accounting exec start-stop radius enable secret cisco ! username admin password cisco username MYSTACK password STACK-SECRET sgbp group MYSTACK sgbp member AS5200-1 10.1.1.11 sgbp member AS5200-3 10.1.1.13 sgbp member 7200 10.1.1.14 async-bootp dns-server 10.1.3.1 10.1.3.2 isdn switch-type primary-5ess ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf clock source line secondary linecode b8zs pri-group timeslots 1-24 ! interface Loopback0 ip address 10.1.2.126 255.255.255.192 ! interface Ethernet0 ip address 10.1.1.12 255.255.255.0 ip summary address eigrp 10 10.1.2.64 255.255.255.192 ! interface Serial0 no ip address shutdown ! interface Serial1 no ip address shutdown ! interface Serial0:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Serial1:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Group-Async1 ip unnumbered Loopback0 encapsulation ppp async mode interactive peer default ip address pool dialin_pool Telco and ISP Dial Scenarios and Configurations Large-Scale POPs DC-856 Cisco IOS Dial Technologies Configuration Guide no cdp enable ppp authentication chap pap dialin group-range 1 48 ! interface Dialer0 ip unnumbered Loopback0 no ip mroute-cache encapsulation ppp peer default ip address pool dialin_pool dialer in-band dialer-group 1 no fair-queue no cdp enable ppp authentication chap pap dialin ppp multilink ! router eigrp 10 network 10.0..0.0 passive-interface Dialer0 no auto-summary ! ip local pool dialin_pool 10.1.2.65 10.1.2.114 ip default-gateway 10.1.1.1 ip classless ! dialer-list 1 protocol ip permit radius-server host 10.1.1.23 auth-port 1645 acct-port 1646 radius-server host 10.1.1.24 auth-port 1645 acct-port 1646 radius-server key cisco ! line con 0 login authentication console line 1 48 autoselect ppp autoselect during-login login authentication dialin modem DialIn line aux 0 login authentication console line vty 0 4 login authentication vty transport input telnet rlogin ! end Cisco Access Server #3 The following configuration runs on the Cisco access server labeled #3 in Figure 128: version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers ! hostname AS5200-3 ! aaa new-model aaa authentication login default local aaa authentication login console enable aaa authentication login vty local aaa authentication login dialin radius Telco and ISP Dial Scenarios and Configurations Large-Scale POPs DC-857 Cisco IOS Dial Technologies Configuration Guide aaa authentication ppp default local aaa authentication ppp dialin if-needed radius aaa authorization exec local radius aaa authorization network radius aaa accounting network start-stop radius aaa accounting exec start-stop radius enable secret cisco ! username admin password cisco username MYSTACK password STACK-SECRET sgbp group MYSTACK sgbp member AS5200-1 10.1.1.11 sgbp member AS5200-2 10.1.1.12 sgbp member 7200 10.1.1.14 async-bootp dns-server 10.1.3.1 10.1.3.2 isdn switch-type primary-5ess ! controller T1 0 framing esf clock source line primary linecode b8zs pri-group timeslots 1-24 ! controller T1 1 framing esf clock source line secondary linecode b8zs pri-group timeslots 1-24 ! interface Loopback0 ip address 10.1.2.190 255.255.255.192 ! interface Ethernet0 ip address 10.1.1.13 255.255.255.0 ip summary address eigrp 10 10.1.2.128 255.255.255.192 ! interface Serial0 no ip address shutdown ! interface Serial1 no ip address shutdown ! interface Serial0:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! interface Serial1:23 no ip address encapsulation ppp isdn incoming-voice modem dialer rotary-group 0 dialer-group 1 no fair-queue no cdp enable ! Telco and ISP Dial Scenarios and Configurations Large-Scale POPs DC-858 Cisco IOS Dial Technologies Configuration Guide interface Group-Async1 ip unnumbered Loopback0 encapsulation ppp async mode interactive peer default ip address pool dialin_pool no cdp enable ppp authentication chap pap dialin group-range 1 48 ! interface Dialer0 ip unnumbered Loopback0 no ip mroute-cache encapsulation ppp peer default ip address pool dialin_pool dialer in-band dialer-group 1 no fair-queue no cdp enable ppp authentication chap pap dialin ppp multilink ! router eigrp 10 network 10.0.0.0 passive-interface Dialer0 no auto-summary ! ip local pool dialin_pool 10.1.2.129 10.1.2.178 ip default-gateway 10.1.1.1 ip classless ! dialer-list 1 protocol ip permit radius-server host 10.1.1.23 auth-port 1645 acct-port 1646 radius-server host 10.1.1.24 auth-port 1645 acct-port 1646 radius-server key cisco ! line con 0 login authentication console line 1 48 autoselect ppp autoselect during-login login authentication dialin modem DialIn line aux 0 login authentication console line vty 0 4 login authentication vty transport input telnet rlogin ! end Telco and ISP Dial Scenarios and Configurations Large-Scale POPs DC-859 Cisco IOS Dial Technologies Configuration Guide Cisco 7206 as Offload Server The following configuration runs on the Cisco 7206 router shown in Figure 128: Note Any Cisco router that has a powerful CPU can be used as an offload server, such as a Cisco 4500-M, 4700-M, or 3640. However, the router must be configured to handle the necessary processing overhead demanded by each stack member. version xx.x service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers ! hostname 7200 ! aaa new-model aaa authentication login default local aaa authentication login console enable aaa authentication login vty local aaa authentication login dialin radius aaa authentication ppp default local aaa authentication ppp dialin if-needed radius aaa authorization exec local radius aaa authorization network radius aaa accounting network start-stop radius aaa accounting exec start-stop radius enable secret cisco ! username MYSTACK password STACK-SECRET username admin password cisco multilink virtual-template 1 sgbp group MYSTACK sgbp member AS5200-1 10.1.1.11 sgbp member AS5200-2 10.1.1.12 sgbp member AS5200-3 10.1.1.13 sgbp seed-bid offload async-bootp dns-server 10.1.3.1 10.1.3.2 ! interface Loopback0 ip address 10.1.2.254 255.255.255.192 ! interface Ethernet2/0 ip address 10.1.1.14 255.255.255.0 ip summary address eigrp 10 10.1.2.192 255.255.255.192 ! interface Ethernet2/1 no ip address shutdown ! interface Ethernet2/2 no ip address shutdown ! interface Ethernet2/3 no ip address shutdown ! Telco and ISP Dial Scenarios and Configurations Large-Scale POPs DC-860 Cisco IOS Dial Technologies Configuration Guide interface Virtual-Template1 ip unnumbered Loopback0 no ip mroute-cache peer default ip address pool dialin_pool ppp authentication chap pap dialin ppp multilink ! router eigrp 10 network 10.0.0.0 passive-interface Virtual-Template1 no auto-summary ! ip local pool dialin_pool 10.1.2.193 10.1.2.242 ip default-gateway 10.1.1.1 ip classless ! radius-server host 10.1.1.23 auth-port 1645 acct-port 1646 radius-server host 10.1.1.24 auth-port 1645 acct-port 1646 radius-server key cisco ! line con 0 login authentication console line aux 0 login authentication console line vty 0 4 login authentication vty ! end RADIUS Remote Security Examples The RADIUS examples in the following sections use the Internet Engineering Task Force (IETF) syntax for the attributes: • User Setup for PPP • User Setup for PPP and Static IP Address • Enabling Router Dial-In • User Setup for SLIP • User Setup for SLIP and Static IP Address • Using Telnet to connect to a UNIX Host • Automatic rlogin to UNIX Host Depending on how the dictionary is set up, the syntax for these configurations might differ between versions of RADIUS daemons. Note You must have the async dynamic address command enabled on the network access server if you use Framed-IP-Address to statically assign IP addresses. Telco and ISP Dial Scenarios and Configurations Large-Scale POPs DC-861 Cisco IOS Dial Technologies Configuration Guide User Setup for PPP The following example shows a user setup for PPP. The user’s IP address comes from the configured default IP address that is set up on the interface (which could be a specific default IP address, a pointer to a local pool of addresses, or a pointer to a Dynamic Host Configuration Protocol (DHCP) server). The special address that signals the default address is 255.255.255.254. pppme Password = "cisco" CHAP-Password = "cisco" Service-Type = Framed, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254 User Setup for PPP and Static IP Address The following example shows a user setup for PPP and a static IP address that stays with the user across all connections. Make sure that your router is set up to support this configuration, especially for large or multiple POPs. staticallypppme Password = "cisco" CHAP-Password = "cisco" Service-Type = Framed, Framed-Protocol = PPP, Framed-IP-Address = 10.1.1.1 Enabling Router Dial-In The following example supports a router dialing in, which requires that a static IP address and a remote Ethernet interface be added to the network access server’s routing table. The router’s WAN port is assigned the address 1.1.1.2. The remote Ethernet interface is 2.1.1.0 with a class C mask. Be sure your routing table can support this requirement. You might need to redistribute the static route with a dynamic routing protocol. routeme Password = "cisco" CHAP-Password = "cisco" Service-Type = Framed, Framed-Protocol = PPP, Framed-IP-Address = 10.1.1.1 Framed-Route = "10.2.1.0/24 10.1.1.2" User Setup for SLIP The following example shows a user setup for SLIP. Remote users are assigned to the default address on the interface. slipme Password = "cisco" Service-Type = Framed, Framed-Protocol = SLIP, Framed-IP-Address = 255.255.255.254 Telco and ISP Dial Scenarios and Configurations PPP Calls over X.25 Networks DC-862 Cisco IOS Dial Technologies Configuration Guide User Setup for SLIP and Static IP Address The following example shows a user setup for SLIP and a static IP address that stays with the user across all connections. Make sure that your routing is set up to support this configuration, especially for large or multiple POPs. staticallyslipme Password = "cisco" Service-Type = Framed, Framed-Protocol = SLIP, Framed-IP-Address = 10.1.1.13 Using Telnet to connect to a UNIX Host The following example automatically uses Telnet to connect the user to a UNIX host. This configuration is useful for registering new users, providing basic UNIX shell services, or providing a guest account. telnetme Password = "cisco" Service-Type = Login, Login-Service = Telnet, Login-IP-Host = 10.2.1.1 Automatic rlogin to UNIX Host The following example automatically uses rlogin to connect the user to a UNIX host: rloginme Password = "cisco" Service-Type = Login, Login-Service = Rlogin, Login-IP-Host =10.3.1.2 If you want to prevent a second password prompt from being brought up, you must have the following two commands enabled on the router or access server: • rlogin trusted-remoteuser-source local • rlogin trusted-localuser-source radius PPP Calls over X.25 Networks Remote PCs stationed in X.25 packet assembler-disassembler (PAD) networks can access the Internet by dialing in to Cisco routers, which support PPP. By positioning a Cisco router at the corner of an X.25 network, ISPs and telcos can provide Internet and PPP access to PAD users. All remote PAD users that dial in to X.25 networks dial in to one Cisco router that allows PPP connections. Although connection performance is not optimal, these X.25-to-PPP calls use installed bases of X.25 equipment and cost less to operate than connecting over the standard telephone network. Note This dial-in scenario can also be used as an enterprise solution. In this case, an enterprise consults with a third-party service provider that allows enterprises to leverage existing X.25 enterprise equipment to provide connections back into enterprise environments. Telco and ISP Dial Scenarios and Configurations PPP Calls over X.25 Networks DC-863 Cisco IOS Dial Technologies Configuration Guide Overview Many cities throughout the world have large installed bases of PCs that interface with older modems, PADs, and X.25 networks. These remote PCs or terminals dial in to PADs and make X.25 PAD calls or terminal connections to mainframe computers or other devices, which run the X.25 protocol. Unfortunately, the user interface is only a regular text-based screen in character mode (as opposed to packet mode). Therefore, many ISPs and telcos that have large investments in X.25 networks are upgrading their outdated equipment and creating separate networks for PPP connections. Because this upgrade process takes substantial time and money to complete, using a Cisco router to allow PPP connections over an X.25 network is a good interim solution for a dead-end dial case. Remote PC Browsing Network Topology Figure 129 shows a remote PC browsing the Internet through an X.25 PAD call and a Cisco 4500 router. This X.25 network is owned by an ISP or telco that is heavily invested in X.25 equipment, that is currently upgrading its outdated equipment, and that is creating separate networks for PPP connections. In this topology, the Cisco 4500 router performs protocol translation between the protocols X.25 and PPP. The router is configured to accept an incoming X.25 PAD call, run and unpack PPP packets over the call, and enable the remote PC to function as if it were on the IP network. Figure 129 Remote PC Browsing the Internet Through an X.25 PAD Call and a Cisco 4500 Router For more information about configuring protocol translation, see the chapter “Configuring Protocol Translation and Virtual Asynchronous Devices” in the Cisco IOS Terminal Services Configuration Guide. Cisco 4500 installed at service provider central site PC running Windows 95 and browsing the Internet Berlins PAD Warsaw PAD Modem Modem Modem Modems X.25 X.25 X.25 X.25 Service provider European X.25 network Milan PAD Modems IP network Eastern United States S6551 Telco and ISP Dial Scenarios and Configurations PPP Calls over X.25 Networks DC-864 Cisco IOS Dial Technologies Configuration Guide Protocol Translation Configuration Example In the following example, PAD callers that dial 4085551234 receive a router prompt. PAD callers that dial 4085555123401 start PPP and pick up an address from the IP pool called dialin_pool. These addresses are “borrowed” from the Ethernet interface on the Cisco 4500 router. Additionally, a loopback interface network can be created and the X.25 addresses can be set. However, a routing protocol must be run to advertise the loopback interface network if this method is used. Note Be sure to include your own IP addresses, host names, and security passwords where appropriate in the following examples. service timestamps debug datetime msec service timestamps log datetime msec service password-encryption no service udp-small-servers no service tcp-small-servers ! hostname NAS ! aaa new-model aaa authentication login console enable aaa authentication login vty tacacs+ aaa authentication login dialin tacacs+ aaa authentication ppp default tacacs+ aaa authentication ppp dialin if-needed tacacs+ enable secret cisco ! async-bootp dns-server 10.1.3.1 10.1.3.2 ! vty-async vty-async ppp authentication chap pap ! interface Loopback0 ip address 10.1.2.254 255.255.255.0 ! interface Ethernet0 ip address 10.1.1.10 255.255.255.0 ip summary address eigrp 10 10.1.2.0 255.255.255.0 ! interface Serial0 no ip address encapsulation x25 x25 address 4085551234 x25 accept-reverse x25 default pad ! router eigrp 10 network 10.0.0.0 passive-interface Dialer0 no auto-summary ! ip local pool dialin_pool 10.1.2.1 10.1.2.50 ip default-gateway 10.1.1.1 ! ip classless ! translate x25 4085555123401 ppp ip-pool scope-name dialin_pool ! dialer-list 1 protocol ip permit ! Telco and ISP Dial Scenarios and Configurations PPP Calls over X.25 Networks DC-865 Cisco IOS Dial Technologies Configuration Guide line con 0 login authentication console line aux 0 login authentication console line vty 0 150 login authentication vty transport input telnet rlogin ! end Telco and ISP Dial Scenarios and Configurations PPP Calls over X.25 Networks DC-866 Cisco IOS Dial Technologies Configuration Guide Appendixes DC-869 Cisco IOS Dial Technologies Configuration Guide Modem Initialization Strings This appendix provides tables that contain modem initialization strings and sample modem initialization scripts. Table 50 lists required settings, and error compression (EC) and compression settings for specific modem types. Use this information to create your modem scripts. Table 51 lists information for setting AUX ports. SeeTable 52 for a legend of symbols used in these two tables. Sample scripts follow the tables. For information about configuring lines to support modems, see the chapters in the part “Modem and Dial Shelf Configuration and Management” in this publication. Table 50 Required Settings and EC/Compression Settings Settings Required for All Modems Settings for EC/Compression Modem FD AA CD DTR RTS/CTS Flow LOCK DTE Speed Best Error Best Comp No Error No Comp Codex 3260 &F S0=1 &C1 &D3 *FL3 *SC1 *SM3 *DC1 *SM1 *DC0 USR Courier USR Sportster &F S0=1 &C1 &D3 &H1&R 2 &B1 &M4 &K1 &M0 &K0 Global Village Teleport Gold &F S0=1 &C1 &D3 \Q3 \J0 \N7 %C1 \N0 %C0 Telebit T1600/T3000/ WB &F1 S0=1 &C1 &D3 S58=2 S68=2 S51=6 S180=2 S181=1 S190=1 S180=0 S181=1 S190=0 Telebit T2500 (ECM) &F S0=1 &C1 &D3 S58=2 S68=2 S51=6 S95=2 S98=1 S96=1 S95=0 S98=0 S96=0 Telebit Trailblazer &F S0=1 &C1 AT&T Paradyne Dataport &F S0=1 &C1 &D3 \Q3 ---> \N7 %C1 \N0 %C0 Hayes modems Accura/ Optima &F S0=1 &C1 &D3 &K3 &Q6 &Q5 &Q9 &Q6 <--- Microcom QX4232 series &F S0=1 &C1 &D3 \Q3 \J0 \N6 %C1 \N0 %C0 DC-870 Cisco IOS Dial Technologies Configuration Guide Motorola UDS FastTalk II &F S0=1 &C1 &D3 \Q3 \J0 \N6 %C1 \N0 %C0 Multitech MT1432 MT932 &F S0=1 &C1 &D3 &E4 $BA0 &E1 &E15 &E0 &E14 Digicom Scout Plus &F S0=1 &C1 &D3 *F3 *S1 *E9 <--- *E0 <--- Digicom SoftModem &F S0=1 &C1 &D3 &K3 ---> \N5 %C1 \N0 %C0 Viva 14.4/9642c &F S0=1 &C1 &D3 &K3 ---> \N3 %M3 \N0 %M0 ZyXel U-1496E &F S0=1 &C1 &D3 &H3 &B1 &K4 <--- &K0 <--- Supra V.32bis/28.8 &F S0=1 &C1 &D3 &K3 ---> \N3 %C1 \N0 %C0 ZOOM 14.4 &F S0=1 &C1 &D3 &K3 ---> \N3 %C2 \N0 %C0 Intel External &F S0=1 &C1 &D3 \Q3 \J0 \N3 %C1"H 3 \N0 %C0 Practical Peripherals &F S0=1 &C1 &D3 &K3 ---> &Q5 &Q9 &Q6 <--- Table 50 Required Settings and EC/Compression Settings (continued) Settings Required for All Modems Settings for EC/Compression Modem FD AA CD DTR RTS/CTS Flow LOCK DTE Speed Best Error Best Comp No Error No Comp DC-871 Cisco IOS Dial Technologies Configuration Guide Table 51 AUX and Platform Specific Settings Modem Settings for Use with AUX Port Other Settings No Echo No Res CAB-MDCE Comments Write Memory Codex 3260 E0 Q1 &S1 &W USR Courieræ USR Sportster E0 Q1 *NA* &W Global Village Teleport Gold E0 Q1 *NA* &W Telebit T1600/T3000/ WB E0 Q1 &S4 &W All Telebit modems need to have the speed set explicitly. These examples use 38400 bps. Using what Telebit calls “UNATTENDED ANSWER MODE” is the best place to start a dial in only modem. Telebit T2500 (ECM) E0 Q1 &S1 &W Telebit Trailblazer E0 Q1 *NA* &W Use “ENHANCED COMMAND MODE” on the T2500. AT&T Paradyne Dataport E0 Q1 *NA* &W Almost all Microcom modems have similar configuration parameters. Hayes modems Accura/ Optima E0 Q1 *NA* &W Microcom QX4232 series E0 Q1 *NA* &W Motorola UDS FastTalk II E0 Q1 *NA* &W Multitech MT1432 MT932 E0 Q1 &S1 &W Digicom Scout Plus E0 Q2 &B2 &W Digicom SoftModem E0 Q1 &S1 &W Viva 14.4/9642c E0 Q1 &S1 &W ZyXel U-1496E E0 Q1 &S1 &W Additional information on ftp.zyxel.com Supra V.32bis/28.8 E0 Q1 &S1 &W ZOOM 14.4 E0 Q1 &S1 &W Sample Modem Scripts DC-872 Cisco IOS Dial Technologies Configuration Guide Table 52 contains a legend of symbols used in Table 50 and Table 51. Sample Modem Scripts The following are several modem command strings that are appropriate for use with your access server or router. For use with the access server, Speed=xxxxxx is a suggested value only. Set the DTE speed of the modem to its maximum capability. By making a reverse Telnet connection in the EXEC mode to the port on the access server where the modem is connected, then sending an at command followed by a carriage return. In the following example, the modem is attached to asynchronous interface 2 on the access server. The IP address indicated as the server-ip-address is the IP address of the Ethernet 0 interface. The administrator connects from the EXEC to asynchronous interface 2, which has its IP address assigned from Ethernet 0. 2511> telnet server-ip-address port-number 192.156.154.42 2002 AST Premium Exec Internal Data/Fax (MNP 5) Init=AT&F&C1&D3\G0\J0\N3\Q2S7=60S0=1&W Speed=9600 ATi 9600etc/e (V.42bis) Init=AT&FW2&B1&C1&D3&K3&Q6&U1S7=60S0=1&W Speed=38400 AT&T Paradyne KeepInTouch Card Modem (V.42bis) Init=AT&FX6&C1&D3\N7\Q2%C1S7=60S0=1&w Speed=57600 Intel External E0 Q1 *NA* &W Practical Peripherals E0 Q1 *NA* &W Based on PC288LCD. May vary. Table 51 AUX and Platform Specific Settings (continued) Modem Settings for Use with AUX Port Other Settings No Echo No Res CAB-MDCE Comments Write Memory Table 52 Legend to Symbols Used in Modem Chart Symbol Meaning *NA* This option is not available on the noted modem. --> The command noted on the right will handle that function. <-- The command noted on the left will handle that function. AUX port These parameters are only required for pre-9.21 AUX ports or any other port without modem control set. Sample Modem Scripts DC-873 Cisco IOS Dial Technologies Configuration Guide AT&T ComSphere 3800 Series (V.42bis) Init=AT&FX6&C1&D2\N5\Q2%C1"H3S7=60S0=1&W Speed=57600 AT&T DataPort Fax Modem (V.42bis) Init=AT&FX6&C1&D2\N7\Q2%C1S7=60S0=1&W Speed=38400 Boca Modem 14.4K/V.32bis (V.42bis) Init=AT&FW2&C1&D3&K3&Q5%C1\N3S7=60S36=7S46=138S95=47S0=1&W Speed=57600 CALPAK MXE-9600 Init=AT&F&C1&D3S7=60S0=1&W Speed=9600 Cardinal 2450MNP (MNP 5) Init=AT&F&C1&D3\J0\N3\Q2\V1%C1S7=60S0=1&w Speed=9600 Cardinal 9650V32 (MNP) Init=AT&F&B1&C1&D3&H1&I1&M6S7=60S0=1&W Cardinal 9600V42 (V.42bis) Init=AT&FW2&C1&D3&K3&Q5\N3%C1%M3S7=60S46=138S48=7S95=3S0=1&W Speed=38400 Cardinal 14400 (V.42bis) Init=AT&F&C1&D3&K3&Q5\N3%C1%M3S7=60S46=138S48=7S95=47S0=1&W Speed=57600 COMPAQ SpeedPAQ 144 (V.42bis) Init=AT&F&C1&D3&K3&Q5\J0\N3%C1S7=60S36=7S46=2S48=7S95=47S0=1&W Speed=57600 Data Race RediMODEM V.32/V.32bis Init=AT&F&C1&D3&K3&Q6\J0\N7\Q3\V2%C1S7=60 Speed=38400S0=1&W Dell NX20 Modem/Fax (MNP) Init=AT&F&C1&D3%C1\J0\N3\Q3\V1W2S7=60S0=1&W Speed=9600 Digicom Systems (DSI) 9624LE/9624PC (MNP 5) Init=AT&F&C1&D3*E1*F3*S1S7=60S0=1&W Digicom Systems (DSI) 9624LE+ (V.42bis) Init=AT&F&C1&D3*E9*F3*N6*S1S7=60S0=1&W Speed=38400 Everex Evercom 24+ and 24E+ (MNP 5) Init=AT&F&C1&D3\J0\N3\Q2\V1%C1S7=60S0=1&W Sample Modem Scripts DC-874 Cisco IOS Dial Technologies Configuration Guide Everex EverFax 24/96 and 24/96E (MNP 5) Init=AT&F&C1&D3\J0\N3\Q2\V1%C1S7=60S0=1&W Speed=9600 Everex Evercom 96+ and 96E+ (V.42bis) Init=AT&FW2&C1&D3\J0\N3\Q2\V2%C1S7=60S0=1&W Speed=38400 Freedom Series V.32bis Data/FAX Modem Init=AT&F&C1&D3&K3&Q6\J0\N7\Q3\V2%C1S7=60S0=1&W Speed=38400 Gateway 2000 TelePath Init=AT&FW2&C1&D3&K3&Q5\N3%C1S7=60S36=7S46=138S48=7S95=47S0=1&W Speed=38400 Gateway 2000 Nomad 9600 BPS Internal Modem Init=AT&F&C1&D3%C1\J0\N3\Q2S7=60S0=1&W Speed=38400 GVC SM-96V (V.42bis) Init=AT&F&C1&D3%C1\J0\N6\Q2\V1S7=60S0=1&W Speed=38400 GVC SM-144V (V.42bis) Init=AT&F&C1&D3%C1\J0\N6\Q2\V1S7=60S0=1&W Speed=57600 Hayes Smartmodem Optima 9600 (V.42bis) Init=AT&FW2&C1&D3&K3&Q5S7=60S46=138S48=7S95=47S0=1&W Speed=38400 Hayes Smartmodem Optima 14400 (V.42bis) Init=AT&FW2&C1&D3&K3&Q5S7=60S46=138S48=7S95=47S0=1&W Speed=57600 Hayes Optima 28800 (V.34) Init=AT&FS0=1&C1&D3&K3&Q6&Q5&Q9&W Speed=115200 Hayes V-series Smartmodem 9600/9600B (V.42) Init=AT&F&C1&D3&K3&Q5S7=60S0=1&W Speed=9600 Hayes V-series ULTRA Smartmodem 9600 (V.42bis) Init=AT&F&C1&D3&K3&Q5S7=60S46=2S48=7S95=63S0=1&W Speed=38400 Hayes V-series ULTRA Smartmodem 14400 (V.42bis) Init=AT&FW2&C1&D3&K3&Q5S7=60S38=10S46=2S48=7S95=63S0=1&W Speed=38400 Sample Modem Scripts DC-875 Cisco IOS Dial Technologies Configuration Guide Hayes ACCURA 24 EC (V.42bis) Init=AT&FW2&C1&D3&K3&Q5S7=60S36=7S46=138S48=7S95=47S0=1&W Hayes ACCURA 96 EC (V.42bis) Init=AT&FW2&C1&D3&K3&Q5S7=60S36=7S46=138S48=7S95=47S0=1&W Speed=38400 Hayes ACCURA 144 EC (V.42bis) Init=AT&FW2&C1&D3&K3&Q5S7=60S36=7S46=138S48=7S95=47S0=1&W Speed=57600 Hayes ISDN System Adapter Init=AT&FW1&C1&D3&K3&Q0S7=60S0=1&W Speed=57600 IBM 7855 Modem Model 10 (MNP) Init=AT&F&C1&D3\N3\Q2\V1%C1S7=60S0=1&W IBM Data/Fax Modem PCMCIA (V.42bis) Init=AT&F&C1&D3&K3&Q5%C3\N3S7=60S38=7S46=138S48=7S95=47S0=1&W Speed=57600 Identity ID9632E Init=AT&F&C1&D3S7=60S0=1&W Speed=9600 Infotel V.42X (V.42bis) Init=AT&F&C1&D3S7=30S36=7S0=1&W Speed=9600 Infotel V.32 turbo (V.42bis) Init=AT&FW1&C1&D3&K3&Q5S7=60S0=1&w Speed=38400 Infotel 144I (V.42bis) Init=AT&F&C1&D3&K3&Q5\N3%C1S7=60S36=7S46=138S48=7S95=47S0=1&W Speed=38400 Intel 9600 EX (V.42bis) Init=AT&F&C1&D3\J0\N3\Q2\V2%C1"H3S7=60S0=1&W Speed=38400 Intel 14400 EX (V.42bis) Init=AT&F&C1&D3\J0\N3\Q2\V2%C1"H3S7=60S0=1&W Speed=38400 Macronix MaxFax 9624LT-S Init=AT&F&C1&D3&K3&Q9\J0\N3\Q3%C1S7=60S36=7S46=138S48=7S95=47S0=1&W Speed=9600 Megahertz T3144 internal (V.42bis) Init=AT&F&C1&D3%C1\J0\N3\Q2\V2S7=60S0=1&W Speed=57600 Sample Modem Scripts DC-876 Cisco IOS Dial Technologies Configuration Guide Megahertz T324FM internal (V.42bis) Init=AT&F&C1&D3%C1\J0\N3\Q2\V1S7=60S46=138S48=7S0=1&W Speed=9600 Megahertz P2144 FAX/Modem (V.42bis) Init=AT&F&C1&D3%C1\J0\N7\Q2\V2S7=60S0=1&W Speed=38400 Megahertz T396FM internal (V.42bis) Init=AT&FW2&C1&D3%C1\J0\N7\Q2\V2S7=60S0=1&W Speed=38400 Megahertz CC3144 PCMCIA card modem (V.42bis) Init=AT&F&C1&D3&K3&Q5%C3\N3S7=60S38=7S46=138S48=7S95=47S0=1&W Speed=57600 Microcom AX/9624c (MNP 5) Init=AT&F&C1&D3\G0\J0\N3\Q2%C1S7=60S0=1&W Speed=9600 Microcom AX/9600 Plus (MNP 5) Init=AT&F&C1&D3\J0\N3\Q2S7=60S0=1&W Microcom QX/V.32c (MNP 5) Init=AT&F&C1&D3\J0%C3\N3\Q2S7=60S0=1&W Speed=38400 Microcom QX/4232hs (V.42bis) Init=AT&F&C1&D3\J0%C3\N3\Q2-K0\V2S7=60S0=1&W Speed=38400 Microcom QX/4232bis (V.42bis) Init=AT&F&C1&D3\J0%C3\N3\Q2-K0\V2W2S7=60S0=1&W Speed=38400 Microcom Deskporte 28800 (V.34) Init=AT&F&c1&q1E0S0=1&W Speed=115200 Microcom MicroPorte 542 (V.42bis) Init=AT&F&C1&D3&Q5S7=60S46=138S48=7S95=47S0=1&W Speed=9600 Microcom MicroPorte 1042 (V.42bis) Init=AT&F&C1&D3%C3\J0-M0\N6\Q2\V2S7=60S0=1&W Speed=9600 Microcom MicroPorte 4232bis (V.42bis) Init=AT&F&C1&D3%C3%G0\J0-M0\N6\Q2\V2S7=60S0=1&W Speed=38400 Sample Modem Scripts DC-877 Cisco IOS Dial Technologies Configuration Guide Microcom DeskPorte FAST Init=ATX4S7=60-M1\V4\N2L1S0=1&W Speed=57600 Motorola/Codex 3220 (MNP) Init=AT&F&C1&D3*DC1*FL3*MF0*SM3*XC2S7=60S0=1&W Motorola/Codex 3220 Plus (V.42bis) Init=AT&F&C1&D3*DC1*EC0*MF0*SM3*XC2S7=60S0=1&W Speed=38400 Motorola/Codex 326X Series (V.42bis) Init=AT&F&C1&D3*FL3*MF0*SM3*TT2*XC2S7=60S0=1&W Speed=38400 MultiTech MultiModem V32EC (V.42bis) Init=AT&FX4&C1&D3$BA0&E1&E4&E15#L0S7=60S0=1&W Speed=38400 MultiTech MultiModem V32 (no MNP or V.42) Init=AT&F&C1&D3S7=60S0=1&W Speed=9600 MultiTech MultiModem 696E (MNP) Init=AT&F&C1&D3$BA0&E1&E4&E15S7=60S0=1&W MultiTech MultiModem II MT932 (V.42bis) Init=AT&FX4&C1&D3$BA0&E1&E4&E15#L0S7=60S0=1&W Speed=38400 MultiTech MultiModem II MT1432 (V.42bis) Init=AT&FX4&C1&D3#A0$BA0&E1&E4&E15#L0S7=60S0=1&W Speed=57600 NEC UltraLite 14.4 Data/Fax Modem (V.42bis) Init=AT&F&C1&D3&K3&Q4\J0\N7\Q2W2%C1S7=60S0=1&W Speed=38400 Practical Peripherals PC28800SA (V.42bis) Init=AT&F&C1&D3&K3&Q5S7=60S36=7S46=2S48=7S95=47S0=1&W Speed=115200 Practical Peripherals PM9600SA (V.42bis) Init=AT&F&C1&D3&K3&Q5S46=138S48=7S7=60S0=1&W Speed=38400 Practical Peripherals PM14400FX (V.42bis) Init=AT&F&C1&D3&K3&Q5S7=60S36=7S46=2S48=7S95=47S0=1&W Speed=57600 Practical Peripherals PM14400SA (V.42bis) Init=AT&F&C1&D3&K3&Q5S7=60S36=7S46=2S48=7S95=47S0=1&W Speed=57600 Sample Modem Scripts DC-878 Cisco IOS Dial Technologies Configuration Guide Prometheus ProModem 9600 Plus (V.42) Init=AT&F&C1&D3*E7*F3S7=60S0=1&W Prometheus ProModem Ultima (V.42bis) Init=AT&F&C1&D3*E9*F3*N6*S1S7=60S0=1&W Speed=38400 Racal Datacomm ALM 3223 (V.42bis) Init=AT&F&C1&D3\M0\N3\P2\Q1\V1S7=60S0=1&W Speed=38400 Supra FAXModem V.32bis (V.42bis) Init=AT&FN1W2&C1&D1&K3&Q5\N3%C1S7=60S36=7S48=7S95=45S0=1&W Speed=57600 Telebit T1600 (V.42bis) Init=AT&FX2&C1&D3&R3S7=60S51=6S58=0S59=15S68=2S180=2S190=1S0=1&W Speed=38400 Telebit T2500 (V.42bis) Init=AT~&FX2S7=60S51=5S52=2S66=1S68=2S97=1S98=3S106=1S131=1S0=1&W Telebit T3000 (V.42bis) Init=AT&FX2&C1&D3S51=6S59=7S68=2S7=60S0=1&W Speed=38400 Telebit QBlazer (V.42bis) Init=AT&FX2&C1&D3S59=7S68=2S7=60S0=1&W Speed=38400 Texas Instruments V.32bis Internal Modem Init=AT&F&C1&D3%C1\J0\N7\Q2\V2S7=60S0=1&W Speed=38400 Toshiba T24/DF Internal Init=AT&F&C1&D3\J0\N3\Q2%C1S7=60S36=7S46=138S48=7S0=1&W Speed=9600 Universal Data Systems FasTalk V.32/42b (V.42bis) Init=AT&F&C1&D3\J0\M0\N7\V1\Q2%C1S7=60S0=1&W Speed=38400 Universal Data Systems V.32 (no MNP or V.42) Init=AT&F&C1&D2S7=60S0=1&W Speed=9600 Universal Data Systems V.3224 (MNP 4) Init=AT&F&C1&D2\J0\N3\Q2S7=60S0=1&W Universal Data Systems V.3225 (MNP 5) Init=AT&F&C1&D2\J0\N3\Q2%C1S7=60S0=1&W Sample Modem Scripts DC-879 Cisco IOS Dial Technologies Configuration Guide Universal Data Systems V.3227 (V.42bis) Init=AT&F&C1&D2\J0\M0\N7\Q2%C1S7=60S0=1&W Speed=38400 Universal Data Systems V.3229 (V.42bis) Init=AT&F&C1&D3\J0\M0\N7\Q2%C1S7=60S0=1&W Speed=38400 US Robotics Sportster 9600 (V.42bis) Init=AT&FX4&A3&B1&D3&H1&I0&K1&M4S7=60S0=1&W Speed=38400 US Robotics Sportster 14400 (V.42bis) Init=AT&FX4&A3&B1&D3&H1&I0&K1&M4S7=60S0=1&W Speed=57600 US Robotics Sportster 14400 (V.42bis) x Init=AT&FX4&B1&C1&D2&H1&K1&M4E0X7Q0V1S0=1&W Speed=57600 US Robotics Sportster 28800 (V.34) Init=AT&FS0=1&C1&D2&H1&R2&N14&B1&W Speed=115200 US Robotics Courier 28800 (V.34) Init=AT&FS0=1&C1&D2&H1&R2&N14&B1&W Speed=115200 US Robotics Courier V.32bis (V.42bis) Init=AT&FX4&A3&C1&D2&M4&H1&K1&B1S0=1&W Speed=38400 US Robotics Courier HST Dual Standard (V.42bis) Init=AT&FB0X4&A3&C1&D2&M4&H1&K1&B1&R2&S1S0=1&W Speed=115200 US Robotics Courier HST (V.42bis) Init=AT&FB0X4&A3&C1&D2&M1&H1&K1&B1S0=1&W Speed=115200 US Robotics WorldPort 2496 FAX/Data (V.42bis) Init=AT&FX4&C1&D3%C1"H3\J0-J1\N3\Q2\V2S7=60S0=1&W Speed=57600 US Robotics WorldPort 9696 FAX/Data (MNP 5) Init=AT&FX4&C1&D3%C1\J0\N3\Q2\V2S7=60S0=1&W US Robotics WorldPort 9600 (MNP 5) Init=AT&FX4&C1&D3%C1\J0\N3\Q2\V2S7=60S0=1&W US Robotics WorldPort 14400 (V.42bis) Init=AT&FX4&A3&B1&C1&D3&H1&K1&M4S7=60S0=1&W Speed=57600 Sample Modem Scripts DC-880 Cisco IOS Dial Technologies Configuration Guide Ven-Tel PCM 9600 Plus (MNP) Init=AT&FB0&C1&D3\N3\Q3%B0%C1%F1S7=60S0=1&W ViVa 9642e (V.42bis) Init=AT&F&C1&D3&K3&Q5\N3%C3S7=60S36=7S46=138S48=7S95=47S0=1&W Speed=38400 ViVa 14.4/FAX (V.42bis) Init=AT&F&C1&D3&K3&Q5\N3%C3S7=60S36=7S46=138S48=7S95=47S0=1&W Speed=38400 ZOOM V.32 turbo (V.42bis) Init=AT&FW1&C1&D3&K3&Q5%C1\N3S7=60S36=7S46=138S48=7S95=47S0=1&W Speed=38400 ZOOM V.32bis (V.42bis) Init=AT&FW1&C1&D3&K3&Q9%C1\N3S7=60S36=7S95=47S0=1&W Speed=38400 Zyxel U-1496 (V.42bis) Init=AT&FX6&B1&C1&D2&N0&K4&H3S7=60S0=1&W Speed=57600 Index IN-883 Cisco IOS Dial Technologies Configuration Guide INDEX Symbols xlix ? command xlviii A AAA (authentication, authorization, and accounting) large-scale dial-out network security services DC-683 preauthentication overview DC-732 virtual profiles AAA configuration (example) DC-501, DC-504 virtual template configuration (example) DC-502 VPN configuring DC-524 local tunnel authentication DC-530 local tunnel authentication (examples) DC-565 VPN per-user configuration DC-538 AAA/TACACS+ PPP authentication, enabling DC-395, DC-599 undefined list name, (caution) DC-598 aaa accounting command DC-683 aaa authentication command DC-683 aaa authentication ppp command DC-395, DC-598, DC-599 aaa authorization command DC-683 aaa authorization configuration default command DC-684 aaa new-model command DC-683, DC-684 aaa route download command DC-684 accept-dialin command DC-535 accept-dialout command DC-537 access control asynchronous interfaces (example) DC-38 legacy DDR, configuring DC-367, DC-398 to DC-399 outgoing calls, configuring DC-265, DC-367 access-list command DC-265, DC-351, DC-355 access lists DDR DECnet DC-354, DC-368 IP DC-352 packets, interesting DC-398 transparent bridging DC-351 VINES DC-354 XNS DC-355 dialer groups DC-356 dialer profiles DECnet DC-428 Ethernet type codes DC-432 IP DC-429 VINES DC-428 XNS DC-430 legacy DDR, interface assignment DC-367, DC-398 access restrictions, asynchronous interfaces DC-38 addresses asynchronous interfaces DC-33 default, configuring DC-33 dynamic, configuring DC-33 unnumbered interfaces DC-32 unnumbered interfaces, (example) DC-42 addressing Cisco Easy IP configuration (examples) DC-479 dynamic, configuring DC-42 address pooling DHCP DC-605 global default mechanism, local pooling DC-606 ANI/DNIS (automatic number identification/dialed number identification service) Index IN-884 Cisco IOS Dial Technologies Configuration Guide delimiter, configuring DC-277 ANI/DNIS Delimiter for CAS Calls on CT1 feature DC-277 AO/DI (Always On/Dynamic ISDN) BACP and BAP negotiation DC-239 BACP default settings DC-243 called number prefix DC-243 called party number formats DC-243 clients calls, starting DC-242 configuration (example) DC-245 configuring DC-242 interface configuration DC-242 PPP and BAP configuration DC-239 X.25 configuration DC-240 interfaces, configuring DC-242 link member receive only mode DC-242 MLP bundle multiple links, configuring DC-242 process description DC-238 national and subscriber number formats DC-243 overview DC-235, DC-236 PPP over X.25 DC-237 servers BACP default settings DC-244 client calls, configuring DC-243 configuring DC-243 configuring, (example) DC-246 incoming calls DC-243 MLP bundle, configuring DC-244 no outgoing option DC-243 PPP and BAP, configuring DC-240 traffic load DC-244 X.25 configuring DC-241 defaults DC-241 virtual access interface DC-237 X.25 SVC DC-236 AOC (Advice of Charge) ISDN subscription service DC-314 See also ISDN, Advice of Charge AOL (America Online), wholesale dial performance optimization DC-779 AppleTalk DDR, configuring DC-353 dialer profiles, configuring DC-428 PPP, configuring DC-580, DC-602 appletalk address command DC-609 appletalk cable-range command DC-609 appletalk client-mode command DC-580 appletalk virtual-net command DC-580 ARA (AppleTalk Remote Access) automatic sessions, starting DC-27 arap callback command DC-647 arap enable command DC-647 Ascend attributes, AV pairs (table) DC-686 async default routing command DC-31 async dynamic address command DC-34, DC-860 async dynamic routing command DC-31 asynchronous group interfaces CHAP authentication DC-20, DC-22 IP unnumbered DC-21 PAP authentication DC-20, DC-22 PPP encapsulation DC-20, DC-21 verifying DC-22 asynchronous host mobility, configuring DC-581 asynchronous host roaming (example) DC-581 asynchronous interfaces addressing methods configuring DC-31 description DC-33 bandwidths configuring optimal DC-34 broadcasts on DC-577 dedicated network mode (example) DC-38 default addresses, configuring DC-33 dynamic addresses, configuring DC-33 dynamic addressing (example) DC-42 Index IN-885 Cisco IOS Dial Technologies Configuration Guide group and member (examples) DC-39 IPX loopback interfaces DC-579 large-scale dial-out (example) DC-696 low bandwidth DC-576 modem configuration (examples) DC-77 monitoring DC-38 network interface (example) DC-43 routing configuration (example) DC-577 TCP/IP header compression (example) DC-42 configuring DC-34 troubleshooting DC-21 Asynchronous Rotary Line Queueing feature DC-25 async mode dedicated command DC-32 async mode interactive command DC-32, DC-581 AT&T latched CSU loopback, specification DC-294 ATCP (AppleTalk Control Protocol) PPP, enabling DC-580 authen before-forward command DC-539 autocommand command DC-47 autocommand telnet /stream command DC-780 autocommand telnet-faststream command DC-781 autodetect encapsulation command DC-199, DC-201, DC-265 autohangup command DC-163 autoselect arap command DC-647 autoselect command DC-27, DC-70 autoselect during-login command DC-70 Autoselect incoming protocol sensor DC-27 autoselect ppp command DC-643, DC-645 auxiliary ports asynchronous serial interfaces, configuring DC-29 AV (attribute-value) pairs AAA server attributes DC-703 Ascend attributes DC-685 Ascend attributes (table) DC-686 map class DC-685 per-user configuration attributes DC-703 RADIUS attributes DC-685 RADIUS attributes (table) DC-704 TACACS attributes (table) DC-704 B backup delay command DC-452 backup interface command DC-451 backup interfaces dialer profiles DC-455, DC-459 overview DC-449 See also dial backup, serial interfaces; serial interfaces backup load command DC-451 BACP (Bandwidth Allocation Control Protocol) active mode DC-668 BRI interface (example) DC-673 configuring DC-671 dialer interfaces only DC-668 BRI interface (example) DC-676 configuration (examples) DC-673 to DC-676 configuration options DC-668 default parameter values, configuring DC-671 default passive mode DC-670, DC-683 default settings DC-671 dialer rotary different dial-in numbers (example) DC-674 one dial-in number (example) DC-675 dialer support, legacy DDR DC-668, DC-681 interfaces monitoring DC-672 physical restrictions DC-668 serial DC-668 virtual DC-668 line speeds DC-669 link types DC-669 multilink bundle creation (example) DC-674 operating environments DC-667 outgoing calls, dialer maps used for DC-672 passive mode default DC-668 dialer rotary group (example) DC-673 Index IN-886 Cisco IOS Dial Technologies Configuration Guide virtual template interface (example) DC-674 PPP bandwidth allocation control, configuring DC-670 prerequisites DC-667 PRI (example) DC-676 temporary dialer maps DC-672 troubleshooting DC-673 bandwidth command DC-669 bandwidth on demand, load threshold DC-371, DC-401 bandwidths, configuring optimal DC-34 banners SLIP-PPP DC-587 SLIP-PPP (example) DC-589 tokens DC-587 banner slip-ppp command DC-587 binding, DNIS-plus-ISDN-subaddress DC-189 black box screening See RPM, call discriminator profiles; Cisco RPM CLID/DNIS Discriminator feature BOOTP (Bootstrap Protocol) requests DC-576 bridge group command DC-397, DC-399, DC-433 bridge protocol command DC-351, DC-431 broadcasts asynchronous interfaces DC-577 asynchronous serial traffic over UDP DC-45 buffers command DC-182, DC-206 bundles MLP Inverse Multiplexer DC-619 MMP DC-633 busyout, ISDN B channel (example) DC-298 C callback ARA chat scripts DC-647 clients DC-647 asynchronous configuring DC-643 overview DC-643 authentication DC-643 chat scripts DC-646 modem rest period, configuring DC-646 PPP clients DC-644 to DC-645 dial string DC-645 callback forced-wait command DC-645, DC-646, DC-647 calls analog modem DC-59 analog robbed-bit signaling DC-258 channel-associated signaling DC-258 circuit-switched digital DC-10 incoming V.120 asynchronous DC-198 incoming voice configuring modem for DC-266 ISDN not end-to-end DC-187 ISDN voice DC-176, DC-180, DC-195 outgoing access control DC-265, DC-367 preauthenticate incoming DC-732 prevent incoming DC-163 toll DC-644 blocking See ISDN PRI, class of restrictions Call Tracker plus ISDN and AAA Enhancements for the Cisco AS5300 and Cisco AS5800 feature DC-93, DC-269 call-type cas command DC-743 call-type cas digital command DC-756 CAPI (Common Application Programming Interface) B-channel protocols supported DC-249 features DC-248 overview DC-247 to DC-251 protocols supported DC-248 carriage return () xlix carrier wait time, dialer profiles DC-426 CAS (channel-associated signaling) (examples) DC-307 analog calls DC-258 channelized E1 DC-275 Index IN-887 Cisco IOS Dial Technologies Configuration Guide common forms of DC-277 cas-group command DC-282, DC-756 cas-group timeslots command DC-276 cause codes See ISDN, cause codes cautions undefined AAA/TACACS+ list DC-598 usage in text xlii virtual template interface erroneous routing DC-638 changed information in this release xli channelized E1 channel-associated signaling, analog calls DC-275 channel groups (example) DC-299 interface loopbacks, troubleshooting DC-293, DC-294 serial interfaces DC-293 channel uses DC-258 description DC-11 ISDN PRI configuring DC-260 D-channel number DC-260 PRI groups (example) DC-299 R2 signaling DC-275 channelized T1 ANI/DNIS delimiters on incoming T1 trunk lines DC-277 channel groups (example) DC-299 interface loopbacks, troubleshooting DC-293, DC-294 serial interfaces DC-293 channel uses DC-258 description DC-11 ISDN PRI configuring DC-261 D-channel number DC-262 PRI groups (example) DC-299 switched 56K DC-278 See also switched 56K voice channels, configuring DC-277 channels ISDN 2 B + D BRI DC-12 logical relationship DC-13 PRI DC-13 CHAP (Challenge Handshake Authentication Protocol) challenge packet DC-597 encrypted password (examples) DC-621 PAP authentication order DC-598 chat-script command DC-167, DC-645 chat scripts (examples) DC-169, DC-171 ARA (example) DC-647 asynchronous lines DC-365 escape sequences (table) DC-167 expect-send pairs (table) DC-168 large-scale dial-out DC-696 naming conventions DC-166 PPP callback, configuring DC-646 Cisco 700 and 800 series routers Combinet Proprietary Protocol DC-264, DC-321 protocols supported DC-321 Cisco 7500 MLP Inverse Multiplexer DC-618 Cisco AS5200 access servers analog calls over E1, configuring DC-276 CAS on channelized E1, configuring DC-275 channelized E1/T1, channel uses DC-258 R1 modified signaling, configuring DC-290 Cisco AS5300 access servers analog calls over E1, configuring DC-276 busyout B channel DC-269 CAS on channelized E1, configuring DC-275 CAS on T1 voice channels, configuring DC-277 R1 modified signaling, configuring DC-290 Cisco AS5800 access servers busyout B channel DC-269 CAS on channelized E1, configuring DC-275 CAS on T1 voice channels, configuring DC-277 R1 modified signaling configuration (examples) DC-312 Index IN-888 Cisco IOS Dial Technologies Configuration Guide TCP Clear performance optimization DC-780 Cisco Easy IP address strategy DC-790 async interface configuration (examples) DC-480 business applications DC-790 configuring DC-476 dialer interfaces, configuring DC-478 dial strategy DC-790 dynamic NAT translation timeout period DC-479 ISDN BRI configuration (examples) DC-479 LAN interfaces, configuring DC-477 NAT dialer interfaces, configuring DC-478 LAN interfaces, configuring DC-477 pool, configuring DC-477, DC-486 overview DC-473, DC-790 PPP/IPCP negotiation DC-478 prerequisites DC-476 WAN interfaces, configuring DC-477 Cisco IOS configuration changes, saving lii Cisco MICA Modem Dial Modifiers feature DC-76 Cisco RPM CLID/DNIS Call Discriminator feature DC-731 clear dialer command DC-376, DC-406, DC-444 clear dialer sessions command DC-690 clear dsip tracing command DC-125 clear interface virtual-access command DC-486 clear ip route download command DC-690 clear line command DC-21 clear modem at-mode command DC-77 clear port log command DC-139 clear resource-pool command DC-758 clear snapshot quiet-time command DC-444 clear spe counters command DC-139 clear spe log command DC-139 clear vpdn tunnel command DC-540 client-initiated VPNs DC-509 clns filter-set command DC-355 clock source command DC-276, DC-282 cloning virtual access interfaces DC-484 virtual profiles DC-491 Combinet See Cisco 700 and 800 series routers command modes dedicated network interfaces, configuring DC-31 interactive sessions, configuring DC-31 understanding xlvii to xlviii commands context-sensitive help for abbreviating xlviii default form, using li no form, using li command syntax conventions xli displaying (example) xlix compress command DC-602 compressions Microsoft PPP DC-601 MLP DC-195 predictor (example) DC-194 Stacker (example) DC-194 compress predictor command DC-600 compress stac command DC-601 compulsory tunneling See NAS-initiated VPNs configurations, saving lii connections dial-in DC-70, DC-71 LLC2 NetBEUI clients over PPP DC-583 PPP DC-582 printers configuration (example) DC-62 configuring DC-163 reverse modem DC-163 semipermanent ISDN BRI DC-185 Germany, Australia DC-190 semipermanent ISDN PRI DC-265 Index IN-889 Cisco IOS Dial Technologies Configuration Guide SLIP DC-583 TCP connection attempt time, configuring DC-585 controller e1 command DC-260, DC-276 controllers E1, description DC-11 T1, description DC-11 controller t1 command DC-261, DC-281 CSU loopbacks AT&T specification DC-294 latched DC-294 customer profiles See profiles, RPM D data compression, modem negotiation DC-77, DC-155 DDR (dial-on-demand routing) access lists dialer groups DC-356 routed protocols, configuring DC-352 AppleTalk, configuring DC-353 bridged protocols DC-349, DC-363 chat scripts configuring DC-165 enabling DC-171 configuration (examples) DC-356 to DC-359 decision flowchart DC-345 DECnet configuring DC-354 control packets DC-354, DC-369 dependent implementation decisions DC-348 dialer profiles virtual profile interoperation, configuring DC-490 fast switching DC-402, DC-433 independent implementation decisions DC-347 interesting packets DC-367 interfaces DC-349, DC-350, DC-364, DC-392 IP, configuring DC-352, DC-366 IPX, configuring DC-353 ISDN PRI configuration (example) DC-296 ISO CLNS, configuring DC-355 large-scale dial-out DC-679 routed protocols DC-349, DC-351, DC-363, DC-366 snapshot routing DC-441 See also snapshot routing transparent bridging DC-350 permit all packets DC-351 type code access DC-351 uninteresting packets DC-367 VINES, configuring DC-354 XNS, configuring DC-355 See also dialer profiles; legacy DDR debug aaa authorization command DC-708, DC-760, DC-767 debug aaa per-user command DC-499, DC-708, DC-738 debug async async-queue command DC-26 debug async command DC-21 debug csm command DC-763 debug dialer command DC-192, DC-272, DC-322, DC-499, DC-550 debug ip tcp transactions command DC-26 debug isdn events command DC-192, DC-272, DC-661 debug isdn q921 command DC-322 debug isdn q931 command DC-71, DC-322, DC-661, DC-762 debug modem command DC-26, DC-71 debug modem csm command DC-71, DC-762 debug ppp bap command DC-673 debug ppp chap command DC-21 debug ppp command DC-551 debug ppp error command DC-21 debug ppp multilink events command DC-673 debug ppp negotiation command DC-21 debug ppp packet command DC-21 debug q921 command DC-192, DC-272 debug q931 command DC-192, DC-272 debug rcapi events command DC-252 debug redundancy command DC-125 debug resource pool command DC-760 Index IN-890 Cisco IOS Dial Technologies Configuration Guide debug trunk cas port timeslots command DC-763 debug udptn command DC-47 debug vpdn commands DC-548 debug vpdn event command DC-549, DC-755 debug vpdn l2x command DC-755 debug vpdn l2x-events command DC-549, DC-550 debug vtemplate command DC-499 DECnet DDR access lists DC-354 configuring DC-354 control packets DC-354, DC-369 dialer profiles access lists DC-429 configuring DC-429 control packets DC-429 dedicated mode asynchronous interfaces, configuring DC-31 configuration (example) DC-38 DHCP (Dynamic Host Configuration Protocol) configuration (examples) DC-40 IP address pooling, configuring DC-605 local IP address pool (example) DC-40 dial access scenarios bidirectional dial DC-811 central site configurations DC-794 dial-in configurations DC-795 enterprise dial DC-793 to DC-832 enterprises DC-785 mixed protocol enterprise network DC-826 remote office and telecommuters DC-794 service providers DC-785 telco and ISP DC-837 to DC-865 dial backup dialer profiles DC-455 to DC-457 backup interfaces DC-456 dialer interfaces, configuring DC-456 ISDN BRI (example) DC-457 physical interfaces DC-456 ISDN channels DC-453 load threshold exceeded (examples) DC-453 load threshold reached (examples) DC-453 primary line down (examples) DC-454 serial interfaces DC-449 to DC-454 See also Dialer Watch dialer aaa command DC-684 dialer callback-secure command DC-653 dialer callback-server command DC-653 dialer caller command DC-657, DC-660 dialer command DC-486, DC-537 dialer dnis group command DC-743, DC-756 dialer dns command DC-684 dialer dtr command DC-364 dialer enable-timeout command DC-370, DC-400, DC-653, DC-659, DC-660 dialer fast-idle command DC-370, DC-400, DC-426 dialer-group command DC-185, DC-208, DC-239, DC-241, DC-265, DC-369, DC-399, DC-425, DC-431, DC-456, DC-479, DC-612, DC-613 dialer hold-queue command DC-371, DC-401, DC-478, DC-652, DC-653 dialer idle-timeout command DC-315, DC-369, DC-400, DC-479, DC-612 dialer in-band command DC-239, DC-240, DC-364, DC-611, DC-613, DC-652, DC-653 dialer interfaces See dialer profiles, dialer interfaces DC-8 dialer isdn command DC-426 dialer isdn short-hold command DC-315 dialer-list command DC-208, DC-356 dialer-list protocol (Dial) command DC-185 dialer-list protocol bridge command DC-351, DC-368, DC-431, DC-432 dialer-list protocol command DC-356, DC-425 dialer-list protocol list command DC-356 dialer load threshold MLP DC-613 idle timers DC-612 Multilink PPP async interface DC-611 Index IN-891 Cisco IOS Dial Technologies Configuration Guide BRI, configuring single DC-612 BRIs in rotary group DC-613 idle timers DC-613 dialer load threshold command DC-239, DC-241, DC-371, DC-402, DC-611, DC-612, DC-613 dialer map class DC-423, DC-442 dialer map command DC-208, DC-240, DC-365, DC-652, DC-653, DC-657, DC-659, DC-669 dialer map modem-script system-script command DC-367, DC-393, DC-397, DC-398 dialer map name command DC-395 dialer map name spc command DC-185, DC-190, DC-265 dialer map name speed command DC-185, DC-265 dialer maps, large-scale dial-out and DC-680 dialer map snapshot command DC-443 dialer pool command DC-425, DC-456, DC-479 dialer pool dialer profiles backup interfaces DC-455, DC-459 physical interfaces DC-424 priorities DC-424 dialer pool-member command DC-427, DC-478 dialer priority command DC-371, DC-401 dialer profiles AppleTalk, configuring DC-428 central site, multiple remote networks (example) DC-434 configuring DC-425 DECnet configuring DC-428, DC-429 control packets DC-429 dial backup DC-455 to DC-457 dialer interfaces configuring DC-425, DC-456 description DC-423 remote destination and map class DC-425 See also interfaces dialer map class DC-423, DC-442 dialer pool description DC-423 dialer interfaces DC-424 physical interfaces DC-424 reserved channel DC-423 dialing pool reserved channels DC-427 inbound traffic filter (example) DC-434 IP addresses, remote network node DC-423, DC-442 configuring DC-429 IPX, configuring DC-429 ISDN BRI, two leased lines (example) DC-435, DC-457 ISDN caller ID callback callback actions DC-659 configuring DC-660 map class configuring DC-426 fast idle timer DC-426 ISDN requirements DC-426 wait for carrier time DC-426 physical interfaces, configuring DC-423, DC-427, DC-444 remote sites with ISDN access only (example) DC-663 source address validation, disabling DC-348 transparent bridging access control DC-431 bridging protocols, configuring DC-431 interesting packets DC-432 interfaces, configuring DC-432 type code access DC-432 VINES, configuring DC-428 XNS, configuring DC-430 Dialer Profiles feature DC-421 dialer redial legacy DDR hubs, configuring DC-402 legacy DDR spokes, configuring DC-372 dialer remote-name command DC-456, DC-478 dialer reserved-links command DC-685, DC-696 dialer rotary, MLP DC-612 dialer rotary-group command DC-393, DC-396, DC-443, DC-611, DC-613 dialer rotary groups (example) DC-414 Index IN-892 Cisco IOS Dial Technologies Configuration Guide bandwidth on demand load threshold DC-401, DC-433 interface priority DC-370 interfaces assignment DC-396 priority DC-401 leader DC-392 dialer-string class command DC-425, DC-456 dialer string command DC-240, DC-365, DC-394, DC-397, DC-479, DC-657, DC-659 dialer wait-for-carrier-time command DC-370, DC-400, DC-426, DC-478, DC-659, DC-660, DC-671 Dialer Watch addresses, configuring DC-461 benefits DC-460 configuration (examples) DC-462 configuring DC-460 dial backup DC-450, DC-455 interfaces disable timer DC-461 primary DC-461, DC-475 secondary DC-461, DC-475 interface status DC-461 overview DC-459, DC-473 dialer watch-disable command DC-462 dialer watch-group command DC-461 dialer watch-list command DC-461 dialing DTR DC-364 configuration (example) DC-382 outgoing calls, configuring DC-364 remote interface DC-364, DC-366 remote passive interface DC-364, DC-366 X.25 encapsulation (example) DC-387 X.25 support (example) DC-419 legacy DDR outgoing calls, configuring DC-365 dialing services inbound performance optimization DC-779 outbound performance optimization DC-779 dial-peer cor custom command DC-333 dial-peer cor list command DC-333 dial peers, description DC-328 See also ISDN, dial peers dial shelves remote configuration DC-124 shelf IDs, configuring DC-117 dial-tdm-clock priority command DC-119 digital modem network modules DC-205 disconnect timers DC-329 configuration (example) DC-342 DNIS (Dialed Number Identification Service) encapsulation types based on DC-183 ISDN subaddress binding DC-189 (example) DC-196 dnis group command DC-747 DNIS groups RPM configuring DC-743 troubleshooting DC-763 verifying DC-759 documentation conventions xli feedback, providing xliii modules xxxvii to xxxix online, accessing xlii ordering xliii Documentation CD-ROM xliii documents and resources, supporting xl domain command DC-535 DoVBS (Data over Voice Bearer Services) configuring DC-748 overview DC-730 DSC (dial shelf controller) configuring DC-118 managing DC-125 redundancy DC-118 synchronizing clocks DC-119 DSIP (Dial Shelf Interconnect Protocol) Index IN-893 Cisco IOS Dial Technologies Configuration Guide architecture (figure) DC-116 overview DC-116 troubleshooting DC-125 DTR (data terminal ready), modem control and DC-159 dynamic addressing, configuring DC-42 Dynamic Multiple Encapsulations feature DC-178 E E1 R2 CAS, configuring DC-284 configure DC-285 country settings DC-285 customizing parameters DC-285 sample topology DC-284 verifying signal DC-287 ear and mouth signaling, description DC-11 encapsulation cpp command DC-321 encapsulation lapb command DC-375, DC-405 encapsulation ppp command DC-456, DC-498 AO/DI configuration DC-239 authentication, use in DC-367, DC-395, DC-398, DC-598 enabling DC-597 interfaces dialer configuration DC-456 dialer profile DC-425 physical DC-427 virtual template DC-486, DC-496, DC-637 WAN DC-478 modem over ISDN BRI configuration DC-208 encapsulations automatic detection DC-320 default serial DC-18 dynamic multiple DC-178, DC-422 ISDN LAPB-TA autodetect DC-201 L2F DC-508 V.120 dynamic detection DC-199 virtual profiles DC-507 encapsulation x25 command DC-374, DC-405 endpoint discriminator, changing MLP default DC-615 enterprise networks dial access scalability DC-794 dial access scenarios DC-793 to DC-832, DC-837 escape characters, modem chat strings DC-167 exec command DC-31 EXEC process disabling DC-30 enabling DC-30 exec-timeout command DC-31 execute-on command DC-124 exit command DC-282 F fast switching IP disabling DC-586 enabling DC-586 L2F traffic DC-508 legacy DDR IP DC-372, DC-402 IPX DC-372, DC-402 Feature Navigator See platforms, supported filtering output, show and more commands lii firmware filename location command DC-134 upgrade command DC-67, DC-133 Frame Relay DDR configuration overview DC-404 restrictions DC-404 dialup connections DC-373, DC-403 legacy DDR configuration overview DC-374 interfaces supported DC-373 restrictions DC-373 framing command DC-281, DC-756 Index IN-894 Cisco IOS Dial Technologies Configuration Guide framing crc4 command DC-260, DC-276 framing esf command DC-261 G Germany, ISDN semipermanent connection support DC-185 global configuration mode, summary of xlviii group-range command DC-39, DC-57, DC-58 H hairpinning See ISDN, dial peers hardware platforms See platforms, supported help command xlviii Hong Kong, ISDN Sending Complete information element DC-189, DC-268 hw-module command DC-125 I idle timers, MLP dialer load thresholds DC-612 dialer timeout DC-612, DC-613 IGRP (Interior Gateway Routing Protocol), dial-in router DC-44 in-band framing mode control messages, configuring DC-94 indexes, master xl initiate-to command DC-535, DC-537 interface bri command DC-183, DC-199, DC-229, DC-443 interface command DC-652 interface configuration mode, summary of xlviii interface dialer command DC-425, DC-443, DC-444, DC-456, DC-612, DC-640 interface multilink command DC-619 interfaces asynchronous configuration options DC-6, DC-57 configuring DC-5, DC-56 logical constructs DC-6, DC-57 MLP DC-611 compared to lines DC-5, DC-56 DDR priority DC-405 dial backup dialer profiles DC-455, DC-459 dialer DC-8, DC-423 configuring DC-425, DC-426 description of DC-8 downtime, enabling DC-400 logical entity DC-363, DC-392 serial address DC-394 dialer rotary group assignment DC-396 ISDN BRI, MLP DC-611 to DC-612 lines, relationship to DC-16 peer address allocation methods DC-603 physical DC-424 dialer pool, configuring DC-423 point-to-point, IP address pooling DC-603 serial encapsulation types DC-18 serial interfaces DC-18 synchronous MLP DC-610 unnumbered DC-32 virtual asynchronous DC-197 virtual templates, configuring DC-637 virtual templates, description of DC-6 interface serial command DC-199, DC-263, DC-282, DC-443, DC-444, DC-756 interface virtual-template command DC-483, DC-486, DC-496, DC-498, DC-637 inverse multiplexing MLP (example) DC-627 IP address pooling assignment method DC-604 concept DC-603 DHCP DC-605 Index IN-895 Cisco IOS Dial Technologies Configuration Guide global default mechanism DC-605 to DC-606 interfaces supported DC-604 local address pooling DC-606 peer address allocation methods DC-603 per-interface options DC-606 precedence rules DC-604, DC-640 broadcasts, asynchronous serial traffic over UDP DC-45 Cisco Easy IP configuration (examples) DC-479 configuring DC-476 dial addressing schemes Cisco Easy IP DC-789 classic IP DC-789 remote client DC-789 remote LAN DC-789 fast switching DDR DC-372 disabling DC-586 enabling DC-586 legacy DDR DC-402 IP-SLIP (example) DC-41 performance parameters, configuring DC-584 PPP, configuring over DC-578 PPP-IP (example) DC-41 route cache invalidation DC-587 ip address command DC-208, DC-477, DC-609, DC-612, DC-619 ip address negotiated command DC-478 ip address-pool command DC-605, DC-606 ip cache-invalidate-delay command DC-587 IPCP See IP–PPP ip dhcp-server command DC-605 ip-directed broadcast command DC-208 IP header compression See TCP/IP, header compression ip host command DC-152 ip local pool command DC-606, DC-607 ip local pool default command DC-637 IP multicast routing, asynchronous serial traffic over UDP DC-45 ip nat inside command DC-477 ip nat outside command DC-478 IP–PPP, enabling DC-578 ip route-cache command DC-372, DC-402, DC-586 ip route-cache distributed command DC-372, DC-402 ip route command DC-683 ip routing command DC-431 ip tcp compression-connections command DC-585 ip tcp header-compression command DC-34, DC-585 ip tcp synwait-time command DC-585 ip tos reflect command DC-539 ip unnumbered command DC-32 ip unnumbered ethernet command DC-486, DC-496, DC-498, DC-637 ip unnumbered loopback command DC-456 IPX (Internet Packet Exchange Protocol) over PPP configuring DC-578 IPX (Internetwork Packet Exchange) configuring over PPP DC-579 DDR, configuring DC-353 dialer profiles, configuring DC-429 fast switching, legacy DDR DC-402 header compression over PPP DC-585 over PPP configuring DC-578 dedicated network numbers DC-579 loopback interfaces DC-579 ipx compression enable command DC-586 IPXCP See IPX, over PPP ipx network command DC-609 ipx ppp-client loopback command DC-579 ipx route-cache command DC-430 ipx sap command DC-703, DC-726 ipx spx-idle-time command DC-353, DC-430 ipx spx-spoof command DC-353, DC-368, DC-430 Index IN-896 Cisco IOS Dial Technologies Configuration Guide ipx watchdog-spoof command DC-353, DC-430 ISDN 128 kbps leased-line service (example) DC-196 configuring DC-191 interface characteristics DC-191 Advice of Charge DC-314 to DC-315 BRI and dialer profiles (example) DC-323 call history DC-315 destination DC-314 dialer map class DC-315 dialer profiles DC-314 ISDN interface, configuring DC-314 legacy DDR DC-314 outgoing calls DC-314 overview DC-314 PRI and legacy DDR (example) DC-322 short-hold mode, configuring DC-314 switch types DC-314 B channel ascending call order (example) DC-298 call order default DC-272 outgoing call order DC-272 caller ID callback conflict DC-657 call history DC-315 cause codes DC-179, DC-188 (table) DC-179 override DC-188 channels, disabling DC-318 channel service states DC-319 dial peers inbound call leg DC-328 outbound call leg DC-328 disconnect timers See disconnect timers DNIS-plus-ISDN-subaddress binding, (example) DC-436 encapsulations automatic detection DC-320 dynamic multiple DC-436 interfaces monitoring DC-315 TEI DC-266 LAPB-TA asynchronous traffic DC-200 leased-line service in Germany and Japan DC-191 multiple switch types DC-182 configuration (example) DC-193 PRI interfaces, configuring DC-270 restrictions DC-270 Network Side PRI Signaling, Trunking, and Switching call switching, dial peers (example) DC-338 COR configuring DC-333 dial peers (example) DC-339 outgoing dial peers (example) DC-340 monitoring DC-338 special numbers (example) DC-341 switch types configuring DC-331 supported DC-327 trunk group (example) DC-339 verification procedure DC-334 NFAS DC-315 to DC-319 alternate route index DC-316 backup D-channel DC-317, DC-324, DC-325 channel interface configuring DC-317 disabling DC-318 channelized T1 controllers (example) DC-324, DC-325 DDR configuration (example) DC-325 groups, monitoring DC-319 PRI group, configuring DC-316 primary and backup D channels DC-316 primary D-channel DC-317, DC-324, DC-325 service state (example) DC-325 switch types DC-316 semipermanent connections Australia, Germany DC-190 support DC-265, DC-322 Index IN-897 Cisco IOS Dial Technologies Configuration Guide special signaling (examples) DC-322 troubleshooting DC-322 subaddress DC-366, DC-393 subaddress binding DC-189 isdn all-incoming-calls-v120 command DC-199 isdn answer1 command DC-187, DC-209 isdn answer2 command DC-187 isdn bchan-number-order command DC-272 ISDN BRI asynchronous access DC-199 called party number, verifying DC-186 caller ID screening DC-186 calling-line identification, configuring DC-186 calling number identification DC-187 compression (examples) DC-194 configuration buffers configuring DC-181 verifying DC-181 configuration self-tests DC-192 configuring DC-175 to DC-195 dialer rotary group (example) DC-194 encapsulations, configuring DC-183 fast rollover delay, configuring DC-188 global and interface switch type (example) DC-193 interfaces configuring DC-182 monitoring DC-192 leased-line service DC-190 128 kbps DC-191 normal speeds DC-191 platform support DC-191 line configuration requirements DC-176 line speed, configuring DC-187 MLP and compression (example) DC-195 modem use over BRI interface configuration (example) DC-212 complete configuration (example) DC-215 configuring DC-207 overview DC-206 verifying DC-210 MTU size DC-181 network address, configuring DC-185 network module DC-205 North American switch configuration DC-176 point-to-multipoint service DC-176 point-to-point service DC-176 semipermanent connections DC-185 Sending Complete information element Taiwan, Hong Kong DC-189 switch types (table) DC-181 configuring DC-180 North American configuration DC-176 TEI negotiation timing, configuring DC-186 troubleshooting DC-192 V.120 support, PPP on virtual terminal lines DC-199 voice calls incoming (example) DC-195 outgoing (example) DC-195 switch type configuration DC-176, DC-180 X.25 traffic, configuring DC-229, DC-236 isdn caller command DC-186, DC-209, DC-660 ISDN caller ID callback (examples) DC-661 best match system, don’t care digits DC-661 callback, local side DC-659 calling, remote side DC-660 DDR fast call rerouting for ISDN, calling side DC-659 dialer enable-timeout timer DC-659 dialer profiles callback actions DC-659 configuring DC-660, DC-671 processes DC-659 dialer rotary, configuring DC-660 dialer rotary group (example) DC-665 dialer wait-for-carrier timer DC-659 don’t care digits DC-662, DC-672 Index IN-898 Cisco IOS Dial Technologies Configuration Guide legacy DDR callback actions DC-658 configuring DC-659 overview DC-658 prerequisites dialer profiles DC-657 legacy DDR DC-657 remote side configuration note DC-659 timers, configuring DC-659 isdn calling-number command DC-187, DC-209, DC-266 isdn disconnect-cause command DC-188 isdn fast-rollover-delay command DC-209, DC-653 isdn guard-timer command DC-268 isdn incoming-voice modem command DC-209, DC-252, DC-267 ISDN LAPB-TA configuration (example) DC-203 encapsulation autodetection DC-201 overview DC-200 isdn leased-line bri 128 command DC-191 isdn leased-line bri command DC-191 isdn modem-busy-cause command DC-209 ISDN Non-Facility Associated Signaling See NFAS isdn not-end-to-end command DC-187, DC-188, DC-209 ISDN PRI (examples) DC-294 B channel ascending call order (example) DC-298 busyout DC-298 outgoing call order DC-272 calling number identification DC-266 channel groups (example) DC-299 channelized E1 controllers configuring DC-260 DDR configuration (example) DC-297 slot and port numbering DC-260 channelized T1 controllers configuring DC-261 DDR configuration (example) DC-296 slot and port numbering DC-261 class of restrictions DC-329 configuring DC-333 configuration self-tests DC-272 D-channel serial interface number DC-260, DC-262 DDR configuration requirements DC-259 encapsulations Frame Relay DC-264 X.25 DC-264 guard timer, configuring DC-268 legacy DDR interface (example) DC-325 line configuration requirements DC-259 multiple switch types (example) DC-298 configuring DC-270 restrictions DC-270 North American switch configuration DC-259 NSF call-by-call (example) DC-295 point-to-multipoint service DC-259 semipermanent connections, Australia DC-265, DC-322 Sending Complete information element Hong Kong, Taiwan DC-268 serial interfaces, configuring DC-262 Trunk Group Resource Manager DC-328 configuring DC-332 isdn protocol-emulate network command DC-331 isdn reject command DC-267 isdn sending-complete command DC-189, DC-209, DC-268 isdn service command DC-318 isdn snmp busyout b-channel command DC-269 isdn spid1 command DC-183, DC-209 isdn spid2 command DC-183, DC-209 isdn static-tei command DC-266 isdn switch-type command DC-180, DC-191, DC-260, DC-261, DC-270, DC-331 ISDN switch types See ISDN BRI; ISDN PRI; multiple switch types; switch types Index IN-899 Cisco IOS Dial Technologies Configuration Guide isdn t306 command DC-329 isdn t310 command DC-329 isdn tei command DC-186, DC-266 isdn v110 only command DC-189 isdn v110 padding command DC-190 isdn x25 dchannel command DC-229 isdn x25 static-tei command DC-229 ISO CLNS (ISO Connectionless Network Service), DDR access groups DC-355 configuring DC-355 K keepalive command DC-619 keepalives PPP, enabling LQM DC-599 L L2F (Layer 2 Forwarding) encapsulation processes DC-508 fast switching stack group environment DC-508 l2tp tunnel authentication command DC-531 l2tp tunnel password command DC-532 LAPB (Link Access Procedure, Balanced) DDR, configuring DC-405 large-scale dial-out AAA network security, configuring DC-683 AAA server access, configuring DC-684 Ascend AV pairs (table) DC-686 asynchronous dialing (example) DC-696 configuration task prerequisites DC-682 map class attributes DC-689 monitoring DC-690 network security services DC-683 overview DC-679 RADIUS attributes DC-688 remote network route, configuring DC-683 reverse DNS, configuring DC-684 scalable dial-out service DC-680 SGBP dial-out connection bidding, configuring DC-684 stack group and static route download configuration (example) DC-690 user profiles (example) DC-695 configuring DC-685 leased lines ISDN BRI (example) DC-435 NM-8AM and NM-16AM analog modem support DC-78 configuring DC-79 Leased Line Support for Cisco 2600/3600 Series Analog Modems feature DC-78 legacy DDR (dial-on-demand routing) dial backup asynchronous interfaces (example) DC-452 ISDN (example) DC-453 hubs (examples) DC-406 to DC-419 (figure) DC-397 access lists DC-398 AppleTalk (example) DC-408 asynchronous interfaces (example) DC-410 authentication DC-395 Banyan VINES (example) DC-409 bridging access control DC-398 configuration task flow DC-390 configuring DC-389 to DC-419 connections, monitoring DC-406 DECnet (example) DC-409 dialer group interface assignment DC-399 dialer hold queue DC-401 dialer interfaces (figure) DC-394 dialer rotary group DC-393, DC-396, DC-401, DC-426 dialing configuration (example) DC-413 Frame Relay DC-403 to DC-404 Frame Relay (examples) DC-417 interface diagnostics DC-406 Index IN-900 Cisco IOS Dial Technologies Configuration Guide ISDN interfaces, enabling DC-425 ISO CLNS (example) DC-381, DC-410 LAPB (example) DC-419 LAPB, configuring DC-405 load threshold DC-401 multiple destinations DC-397, DC-428 multiple destinations (example) DC-413 PPP (example) DC-415 protocol access control DC-398 routing access control DC-399 timers, enabling DC-399 transparent bridging (example) DC-407 X.25 DC-405 X.25 encapsulation (example) DC-419 XNS (example) DC-410 ISDN caller ID callback DC-658 actions DC-658 BRI interface (example) DC-664 configuring DC-659 ISDN NFAS primary D-channel DC-325 non-V.25bis modems DC-364 PPP DDR with authentication (example) DC-358 without authentication (example) DC-356 spokes 2-way client/server (examples) DC-378, DC-385 access lists DC-367 AppleTalk configuration (example) DC-380 bandwidth on demand DC-371 bridging access control DC-367 carrier wait time DC-370 configuring DC-361 connections, monitoring DC-375 DDR inbound traffic (example) DC-376 DECnet configuration (example) DC-380 dialer group assignment DC-369 dialer hold queue DC-371 DTR calls DC-364, DC-366 dialing (example) DC-382 Frame Relay DC-373, DC-374 Frame Relay (example) DC-386, DC-387 interface diagnostics DC-375 idle timer DC-370 priority in dialer rotary group DC-370 IP, configuring DC-378 ISDN interfaces, enabling DC-364 line down time DC-370 multiple calls to single destination DC-371 passive interface DC-364, DC-366 protocol access control DC-367 single site calls DC-365 spoke configuration (examples) DC-376 to DC-388 transparent bridging DC-368 transparent bridging (example) DC-377 X.25 DTR dialing (example) DC-387 encapsulation DC-374 XNS configuration (example) DC-381 V.120 incoming calls (example) DC-200 virtual profiles interoperability DC-490 limit base-size command DC-748 limit command DC-747 limit overflow-size command DC-748 line aux command DC-29 linecode b8zs command DC-262 linecode command DC-281, DC-756 linecode hdb3 command DC-260, DC-276 lines asynchronous rotary line queueing configuring DC-26 automatic disconnect, configuring DC-163 compared to interfaces DC-5, DC-56 DDR asynchronous downtime, enabling DC-370 individual connections, configuring DC-61 interfaces, relationship to DC-16 Index IN-901 Cisco IOS Dial Technologies Configuration Guide leased serial (example) DC-435 looped-back DC-596 modem chat scripts, activating for DC-168 modems, disabling DC-104 NM-8AM and NM-16AM analog modem leased line support DC-78 timeout interval, configuring DC-161 tty DC-16 types, description of DC-16 load threshold, dialer rotary DC-401, DC-433 local name command DC-532, DC-537 logical constructs group asynchronous interfaces DC-6, DC-57 virtual template interfaces DC-6, DC-484 logical interfaces dialer DC-8 virtual access DC-9 virtual asynchronous DC-10, DC-197 login authentication dialin command DC-70 login local command DC-649 loopback remote (interface) command DC-294 loopbacks channelized E1 interface local DC-293 channelized T1, interface local DC-293 CSU/DSU, remote DC-294 LQM (Link Quality Monitoring) keepalives, enabling LQRs DC-599 M Managing Port Services on the Cisco AS5800 Universal Access Server feature DC-127 map class dialer profiles, configuring DC-426 map class attributes, large-scale dial-out (table) DC-689 map-class dialer command DC-315, DC-426, DC-653 max-calls command DC-332 MIB, descriptions online xl MICA In-Band Framing Mode Control Messages feature DC-94 MLP (Multilink Point-to-Point Protocol) (example) DC-626 bandwidth allocation DC-667 See also BACP bundles DC-619 caller ID authentication DC-612 configuration (example) DC-193 dialer rotary, configuring DC-612 Distributed MLP configuration (example) DC-631 configuring DC-618 overview DC-617 T3 configuration (example) DC-631 topology DC-617 interfaces asynchronous DC-611 BRI (examples) DC-628, DC-629 BRI multiple interfaces DC-612 BRI single interface DC-611 dialer rotary DC-612 synchronous DC-610 (example) DC-626 interleaving, weighted fair queuing DC-615 Inverse Multiplexer configuration (example) DC-631 configuring DC-618 overview DC-617 T3 configuration (example) DC-631 topology DC-617 multiple BRI DC-612 overview DC-610 real-time traffic (example) DC-630 interleaving DC-615, DC-616 interleaving (example) DC-630 rotary group BRI members, configuring DC-613 Index IN-902 Cisco IOS Dial Technologies Configuration Guide Stacker compression DC-195 virtual profiles cloning sequence (table) DC-491 interoperability DC-491 weighted fair queuing DC-615 MMP (Multichassis Multilink PPP) bundle DC-633 call handling and bidding DC-634 configuration requirements DC-635 dialer explicitly defined (example) DC-639 dialer not explicitly defined (example) DC-640 dialer not used (example) DC-638 digital and analog traffic DC-633 interfaces supported DC-636, DC-644 offload server (example) DC-640 overview DC-633 platforms supported DC-636, DC-644 PRI (example) DC-638 stack group members call ownership DC-634 calls, answering DC-634 configuring DC-636 stack groups DC-634 typical configuration (example) DC-635 virtual interfaces, monitoring DC-637 virtual template interfaces (caution) DC-638 configuring DC-637 virtual profiles configuring DC-496 specifying DC-498 modem answer-timeout command DC-161, DC-163 modem at-mode command DC-77 modem attention (AT) commands DC-76, DC-77 2-wire leased-line support DC-78 modem autoconfigure command DC-146 modem bad command DC-102 modem buffer-size command DC-96 modem busyout command DC-104 modem busyout threshold command DC-104 modem callin command DC-149 modem callout command DC-163 modem connections See modems, connections modem country mica command DC-69 modem country microcom_hdms command DC-69 modem cts-required command DC-162 modem dialin command DC-70, DC-159, DC-160, DC-166 modem dtr-active command DC-159 modem hold-reset command DC-102 modem inout command DC-160 modem link-info poll time command DC-93 modem management AT commands DC-77 busy out modem card DC-104 Call Tracker, configuring DC-91 connection speed, verifying DC-111 diagnostics DC-96 incoming V.110 modem calls DC-189, DC-190 inoperable modems DC-102 MIB traps DC-104 (example) DC-107 modem activity, monitoring DC-84 modem control function event buffer DC-102 NAS health, monitoring DC-104 reject incoming call DC-267 statistics connected AT sessions DC-96 event polling DC-96 modem-mgmt csm debug-rbs command DC-763 modem poll retry command DC-96 modem poll time command DC-96 modem pooling benefits DC-83 description DC-82 monitoring DC-84 physical partitioning description DC-85 Index IN-903 Cisco IOS Dial Technologies Configuration Guide dial-in (example) DC-86 dial-in and dial-out (example) DC-88 network topology DC-86 restrictions DC-83 virtual partitioning description DC-90 dial-in (example) DC-90 network topology DC-90 modem recovery-time command DC-102 modems AUX (table) DC-871 busyout cards in Cisco AS5800 DC-104 chat scripts DC-171, DC-869 close connection DC-162 communication, starting DC-152 configuring using modem commands DC-76 connections stopping DC-162 testing DC-151 troubleshooting DC-154 data compression DC-77, DC-155 DCD operation DC-149 dial-in DC-149, DC-160 dial-out DC-160 digital network module DC-205 direct Telnet sessions DC-152 displaying statistics DC-95 DTR interpretation DC-149 EC/compression DC-869 (table) DC-869 error correction DC-155 external, configuring DC-145, DC-146 features list DC-63 flowcontrol, configuring DC-149 high-speed (figure) DC-160 configuring DC-159 incoming calls DC-149 rejecting by type DC-267 rejecting by type (example) DC-299 initialization strings DC-872 inoperable DC-102 integrated, configuring DC-63, DC-76 ISDN, use over DC-205 See also ISDN BRI line configuration continuous CTS (figure) DC-162 incoming and outgoing calls (figure) DC-161 modem call-in (figure) DC-150 modem call-out (figure) DC-164 line timing, configuring DC-161 log event, clearing DC-139 MICA command summary DC-73 in-band framing mode control messages DC-94 link statistics, configuring DC-93 modem attention commands DC-76 PIAFS, enabling DC-319 Microcom, clearing DC-99 modem commands, integrated modems DC-77 NextPort SPE, command summary DC-73 non-V.25bis DTR DC-364, DC-392 overview DC-58 physical partitioning DC-85 platform-specific (table) DC-871 protocols, enabling DC-136 remote IP users, enabling DC-136 reverse connections DC-163 scripts (examples) DC-872 show line command DC-138 troubleshooting DC-71, DC-154 V.110 bit rate padding DC-190 screening incoming calls DC-189 V.120 asynchronous access DC-199 V.90 portware DC-206 V.90 standard DC-64 virtual partitioning DC-90 Index IN-904 Cisco IOS Dial Technologies Configuration Guide modem shutdown command DC-102, DC-104 modem status-poll command DC-96 modes See command modes Monitoring Resource Availability on Cisco AS5300, AS5400, and AS5800 Universal Access Servers feature DC-104 MPPC (Microsoft Point-to-Point Compression) compression scheme DC-601 protocol field compression flag DC-603 MPPE encryption DC-510 MS Callback DC-653 configuring DC-654 LCP callback option DC-654 Microsoft Callback Control protocol (MSCB) DC-653 multicasts, asynchronous serial traffic over UDP DC-45 multilink command DC-755 multilink virtual-template command DC-483, DC-489, DC-637 multiple switch types BRI interface, configuring DC-182 PRI interface configuration (example) DC-298 configuring DC-270 restrictions DC-270 N NAS (network access server) call type matching DC-731 Cisco RPMS DC-733 definition DC-508 RPM standalone DC-733 See also VPN, NAS NAS-initiated VPNs DC-509 NAT (Network Address Translation) (example) DC-479 automatic timeout DC-479 dialer interface, defining DC-478 Easy IP DC-475 LAN interface, defining DC-477 NAT pool, defining DC-477 NetBEUI (NetBIOS Extended User Interface) connection information DC-584 remote clients over PPP DC-584 new information in this release xli NFAS (Non-Facility Associated Signaling) alternate route index DC-316 configuration (example) DC-324 configuring DC-316 groups, monitoring DC-319 NTT PRI configuring DC-317 verifying DC-317 prerequisites DC-316 PRI groups, configuring DC-315, DC-316 switch types DC-316 no flush-at-activation command DC-94 notes, usage in text xlii NSF (Network-Specific Facilities) call-by-call support configuring DC-269 restriction DC-269 number command DC-743 O Outbound Circuit-Switched X.25 Support feature DC-228 P packets, interesting DC-398 PAD (packet assembler/disassembler) PPP over X.25 (example) DC-863 overview DC-862 Index IN-905 Cisco IOS Dial Technologies Configuration Guide PAP (Password Authentication Protocol) authentication request DC-598 CHAP authentication order DC-598 peer default ip address command DC-33, DC-607 peer default ip address pool command DC-607 peer default ip address pool dhcp command DC-607 peer neighbor-route command DC-608 per-user configuration AAA RADIUS server, configuring DC-707, DC-735 server storage location DC-699, DC-721 TACACS server user profile (example) DC-488 authentication and authorization phases DC-701 AV pairs (table) DC-703 debugging commands (table) DC-708 dial-in features DC-699 IP TACACS (example) DC-709 virtual profiles (example) DC-709, DC-712 IP address pooling (example) DC-702, DC-723 operational process DC-701 IPXWAN, virtual profiles serial interface (example) DC-711, DC-718, DC-742 large-scale dial-out DC-701 monitoring DC-708 overview DC-699, DC-700, DC-721 RADIUS IP (example) DC-712 IPX (example) DC-718 TACACS server CiscoSecure, configuring DC-706 freeware DC-706 freeware (example) DC-711, DC-742 virtual access interfaces creation DC-701 duration and resources DC-701 selective creation DC-485 selective creation (example) DC-487 VPN DC-538 PIAFS (Personal-Handyphone-System Internet Access Forum Standard) configuring DC-320 description DC-319 PIAFS Wireless Data Protocol for MICA Modems feature DC-319 platforms, supported Feature Navigator, identify using liii release notes, identify using liii pool-member command DC-536 POP (point of presence) large-scale dial configuration (examples) DC-852 scaling DC-847 stacking overview DC-848 remote DC-581 small-to-medium-scale dial configuration (examples) DC-837 port modem autotest command DC-139 ports UPC, configuring DC-137 PPP AppleTalk over, configuring DC-580, DC-602 asynchronous access, ISDN lines DC-199 automatic sessions, starting DC-27 callback DC-653 (example) DC-654 authentication DC-651 client, configuring DC-652 client-server application DC-651 DDR DC-651 to DC-655 outgoing lines DC-645 retries DC-652, DC-658 server, configuring DC-653 support required DC-651 CHAP and PAP, authentication order DC-598 compressions hardware-dependent DC-600 Index IN-906 Cisco IOS Dial Technologies Configuration Guide lossless data DC-600 Microsoft DC-601 platform support DC-601 software DC-600 connections DC-582 encapsulations enabling DC-598 interfaces, configuring DC-367, DC-398 legacy DDR DC-395 half-bridging (figure) DC-609 configuring DC-608 IP address negotiation DC-603 address pooling DC-603 configuring over DC-578 IPX asynchronous interfaces DC-579 configuring DC-578 header compression DC-585 Magic Number support DC-634 MMP DC-633 to DC-637 MPPC compression scheme DC-601 protocol field compression flag DC-603 MS Callback LCP callback option DC-654 Microsoft Callback Control Protocol (MSCB) DC-653 network-layer protocols, configuring DC-578 peer neighbor routes dialer interface effect DC-608 disabling DC-608 group-async interface effect DC-608 PPP-IP asynchronous interfaces, configuring DC-41 reliable link DC-607 SLIP banner DC-587 (example) DC-589 tokens DC-587 SLIP BOOTP requests DC-576 telecommuting configuration (example) DC-576, DC-596 virtual terminal lines DC-575, DC-595 ppp authentication chap command DC-367, DC-395, DC-398, DC-427, DC-486, DC-613, DC-637, DC-652 ppp authentication command DC-598 ppp authentication pap command DC-395, DC-612, DC-652 ppp bap call accept command DC-241 ppp bap callback accept command DC-239, DC-671 ppp bap callback request command DC-241 ppp bap call request command DC-240, DC-671 ppp bap call timer command DC-672 ppp bap drop after-retries command DC-672 ppp bap link types analog command DC-671, DC-672 ppp bap link types isdn analog command DC-672 ppp bap max dial-attempts command DC-671, DC-672 ppp bap max dialers command DC-671, DC-672 ppp bap max ind-retries command DC-671, DC-672 ppp bap max req-retries command DC-671, DC-672 ppp bap monitor load command DC-671 ppp bap number command DC-244 ppp bap number default command DC-671, DC-672 ppp bap number prefix command DC-243 ppp bap number secondary command DC-671, DC-672 ppp bap timeout response command DC-671, DC-672 ppp bridge appletalk command DC-609 ppp bridge ip command DC-609 ppp bridge ipx command DC-609 ppp callback accept command DC-653 ppp callback initiate command DC-645 ppp callback request command DC-652 ppp command DC-582 ppp multilink bap command DC-238, DC-239, DC-240, DC-670 ppp multilink bap required command DC-670, DC-683 ppp multilink command DC-610, DC-611, DC-612, DC-619, DC-637 ppp multilink endpoint command DC-615 ppp multilink fragment delay command DC-616 ppp multilink fragment disable command DC-620 Index IN-907 Cisco IOS Dial Technologies Configuration Guide ppp multilink group command DC-619 ppp multilink idle-link command DC-238, DC-242, DC-244 ppp quality command DC-600 ppp reliable-link command DC-608 ppp use-tacacs command DC-395, DC-599 pptp flow-control receive-window command DC-534 pptp flow-control static-rtt command DC-534 pptp tunnel echo command DC-534 Preauthentication with ISDN PRI and Channel-Associated Signaling feature DC-732 Preauthentication with ISDN PRI feature DC-268 pri-group command DC-260, DC-262 pri-group timeslots nfas d command DC-317 printer connections See connections, printers privileged EXEC mode, summary of xlviii profiles dialer DC-660 large-scale dial-out user DC-685 RPM backup customer DC-724, DC-747 call discriminator DC-728, DC-731 customer DC-723 default customer DC-724 template DC-724 virtual DC-491, DC-501 prompts, system xlviii protocols, Combinet Proprietary Protocol DC-264, DC-321 Q QoS (quality of service), preserving over VPNs DC-539 question mark (?) command xlviii queueing fancy, ISDN traffic shaping DC-426 queues, dialer hold DC-371, DC-401 R R1 modified signaling, configuring DC-290 R2 signaling DC-285 system requirements DC-275 RADIUS attributes large-scale dial-out, (table) DC-688 server AV pair DC-704 servers DC-700 radius-server host command DC-702 radius-server key command DC-683, DC-702 RCAPI (Remote Common Application Programming Interface) B-channel protocols supported DC-249 configuration (examples) DC-252 maintaining DC-252 overview DC-247 rcapi number command DC-251 rcapi server port command DC-251 redial legacy DDR hubs, configuring DC-402 legacy DDR spokes, configuring DC-372 redistribute static command DC-378, DC-412 Redundant Dial Shelf Controller feature DC-118 release notes See platforms, supported reload components command DC-117 Remote Common Application Programming Interface for Cisco 800 Series Routers feature DC-247 remote loopback, remote DDS CSU/DSU DC-294 remote office routers, configuring DC-796, DC-799 remote offices enterprise dial DC-788 service provider dial DC-788 remote PCs large-scale dial DC-788 PPP over X.25 DC-788 small-scale dial DC-788 Index IN-908 Cisco IOS Dial Technologies Configuration Guide VPDN dial DC-788 request dialin command DC-534 request-dialout command DC-536 resource command DC-747 resource-pool aaa protocol command DC-742 resource-pool aaa protocol group local command DC-747 resource-pool call treatment profile command DC-742 resource-pool call treatment resource command DC-742 resource-pool enable command DC-742 resource-pool profile customer command DC-747, DC-750, DC-754 resource-pool profile vpdn command DC-754 Return key modem chat script, adding code for DC-167 reverse Telnet See Telnet, direct sessions RFC full text, obtaining xl RFC 1055, SLIP DC-575 RFC 1144, TCP/IP header compression DC-34, DC-583 RFC 1331, PPP DC-575 RFC 1332, IPCP DC-575 RFC 1334, CHAP and PAP protocols DC-597, DC-636 RFC 1570, PPP callback DC-651 RFC 1661, PPP encapsulation DC-595 RFC 1663, PPP Reliable Transmission DC-607 RFC 1989, PPP link quality monitoring DC-599 RFC 1994, CHAP protocol DC-597, DC-636 rlogin trusted-localuser-source radius command DC-862 rlogin trusted-remoteuser-source local command DC-862 RMP (Resource Manager Protocol), communication protocol for RPMS DC-739 robbed-bit signaling (examples) DC-300 analog calls DC-258 configuring DC-274 ROM monitor mode, summary of xlviii rotary command DC-26 rotary-group command DC-536 rotary groups configuring DC-25 dialer DC-363 route cache invalidation, configuring DC-587 routers dedicated dial-in (example) DC-43 IGRP dial-in (example) DC-44 routing asynchronous DC-31 default DC-31 DDR, supported protocols DC-351, DC-366 unnumbered interfaces (example) DC-42 RPM (Resource Pool Management) AAA accounting records DC-730 AAA components DC-763 AAA server groups DC-751 backup customer profiles DC-747 call discrimination, configuring DC-744 call discriminator profiles DC-728, DC-731 call processes DC-728 call treatments (table) DC-728 call types DC-725 CLID DC-725 CLID/DNIS screening DC-731 configuration (examples) DC-768 to DC-777 configuring DC-756 customer profiles DC-747 default DC-747 templates DC-724 to DC-750 types DC-723 dialer components DC-762 direct remote services (example) DC-774 DNIS groups DC-725 configuring DC-743 troubleshooting DC-763 verifying DC-759 incoming call management DC-722, DC-729 outgoing call management DC-722, DC-729 overview DC-721 Index IN-909 Cisco IOS Dial Technologies Configuration Guide profiles backup customer DC-724 default customer DC-724 resource group manager DC-762 resource groups DC-726, DC-746, DC-758 configuring DC-746 resource pooling states DC-761 resource services DC-726 service profiles, configuring DC-746 session limits DC-735 signaling stack DC-762 standalone NAS DC-733 supported call types DC-725 troubleshooting DC-760 verifying DC-757 VPDN groups configuring DC-752 description DC-727 responsibility DC-763 verifying DC-759 VPDN profiles DC-727, DC-752, DC-763 RPMS (Resource Pool Manager Servers) resource groups and DC-744 RMP, relationship to DC-739 troubleshooting DC-767 S script arap-callback command DC-647 script callback command DC-645, DC-646 script dialer command DC-696 Semipermanent Circuit Support on ISDN PRI feature DC-265, DC-322 serial interfaces dial backup DC-449 to DC-454 (examples) DC-452 asynchronous interfaces (example) DC-452 configuring DC-450 ISDN interfaces (example) DC-453 line delay DC-452 traffic load threshold DC-451 See also interfaces server connections PPP DC-582, DC-583 SLIP DC-583 servers RADIUS DC-700 AV pairs DC-704 TACACS DC-700 AV pairs DC-704 service exec-callback command DC-646 service internal command DC-762 service providers large-scale dial DC-847 PPP over X.25 dial DC-862 small-to-medium-scale dial DC-837 set 1 number command DC-803 set 2 number command DC-803 set bridging command DC-803 set bridging off command DC-799 set callerid command DC-800 set default command DC-799 set dhcp dns primary command DC-803 set dhcp domain command DC-803 set dhcp server command DC-803 set dhcp wins command DC-803 set encapsulation ppp command DC-799, DC-803 set ip address command DC-799 set ip command DC-799 set ip framing command DC-803 set ip pat command DC-803 set ip route destination command DC-799, DC-803 set ip routing command DC-799, DC-803 set localaccess protected command DC-800 set password system command DC-800 set ppp authentication incoming chap command DC-800 set ppp multilink command DC-799, DC-803 set ppp secret client command DC-799, DC-803 Index IN-910 Cisco IOS Dial Technologies Configuration Guide set remoteaccess protected command DC-800 set systemname command DC-799, DC-803 set timeout command DC-799 set user nas command DC-799, DC-803 sgbp dial-bids command DC-685 sgbp group command DC-636, DC-682 sgbp member command DC-636 sgbp seed-bid command DC-640 sgbp seed-bid default command DC-640 sgbp seed-bid offload command DC-640 shelf-id command DC-117 show appletalk traffic command DC-376, DC-406, DC-433 show async bootp command DC-21 show async status command DC-21 show buffers command DC-181, DC-206 show busyout command DC-104 show caller command DC-546 show controllers bri command DC-192, DC-273, DC-338 show controllers e1 command DC-272, DC-337 show controllers t1 command DC-272 show debugging command DC-549 show decnet traffic command DC-376, DC-406, DC-433 show diag command DC-205 show dialer command DC-192, DC-272, DC-273, DC-375, DC-406, DC-444, DC-661, DC-672, DC-745 show dialer dnis command DC-756, DC-759 show dialer map command DC-672 show dialer sessions command DC-690 show dial-shelf clocks command DC-120 show dsi command DC-126 show dsip clients command DC-125 show dsip command DC-125 show dsip nodes command DC-125 show dsip ports command DC-125 show dsip queue command DC-125 show dsip tracing command DC-125 show dsip transport command DC-126 show dsip version command DC-126 show interface async command DC-22 show interfaces bri command DC-181, DC-192, DC-206, DC-375, DC-406, DC-433 show interfaces serial bchannel command DC-273 show interfaces serial command DC-337 show interfaces virtual-access command DC-486 show interface virtual-access command DC-546 show ip access-list command DC-708 show ip interface command DC-708 show ip local pool command DC-708 show ip protocols command DC-708 show ip route command DC-684, DC-690, DC-708 show ip socket command DC-48 show ipx access-list command DC-708, DC-736 show ipx interface command DC-375, DC-406, DC-433, DC-708 show ipx route command DC-708 show ipx servers command DC-708 show isdn command DC-192, DC-272, DC-273, DC-315, DC-337 show isdn nfas group command DC-319 show isdn service command DC-319 show line async-queue command DC-26 show line command DC-21, DC-26, DC-138 show modem call-stats command DC-99 show modem command DC-111 show modem connect-speeds command DC-111 show port config command DC-141 show port digital log command DC-141 show port modem log command DC-142 show port modem test command DC-142 show port operational-status command DC-142 show ppp bap group command DC-672 show ppp bap queues command DC-672 show ppp multilink command DC-637, DC-672 show process cpu command DC-600, DC-601 show rcapi status command DC-252 show redundancy command DC-125 show resource-pool call command DC-757 show resource-pool customer command DC-750, DC-757 show resource-pool discriminator command DC-758 show resource-pool resource command DC-758 Index IN-911 Cisco IOS Dial Technologies Configuration Guide show resource-pool vpdn group command DC-754 show resource-pool vpdn profile command DC-754 show run command DC-106 show running-config command DC-210, DC-759 show sgbp command DC-637 show sgbp queries command DC-637 show snapshot command DC-444 show spe command DC-141 show spe digital active command DC-142 show spe digital command DC-142 show spe digital csr command DC-142 show spe digital disconnect-reason command DC-142 show spe digital summary command DC-142 show spe log command DC-141 show spe modem active command DC-125, DC-126, DC-143 show spe modem command DC-144 show spe modem csr command DC-143 show spe modem disconnect-reason command DC-143 show spe modem speed command DC-144 show spe version command DC-141 show version command DC-118 show vines traffic command DC-376, DC-406, DC-433 show vpdn command DC-547 show vpdn multilink command DC-755 show vpdn tunnel command DC-547 show xns traffic command DC-376, DC-406, DC-433 shutdown command DC-486 signaling channel-associated analog calls DC-258 E1 R2 configuration (example) DC-308 configuring DC-285 countries supported DC-283 country settings DC-285 overview DC-282 parameters DC-285 sample topology DC-283 troubleshooting DC-288 in-band DC-258 out-of-band DC-258 R1 modified DC-289 R2 DC-285 clock source DC-291, DC-292 encoding options DC-291, DC-292 framing options DC-291, DC-292 robbed-bit DC-258 SLIP (Serial Line Internet Protocol) (examples) DC-588 automatic sessions, starting DC-27 defined DC-583 IP, configuring over DC-578 IP-SLIP (example) DC-41 PPP banner DC-587 (example) DC-589 tokens DC-587 PPP BOOTP requests DC-576 server connections DC-583 telecommuting configuration (example) DC-576 snapshot client command DC-443, DC-445 snapshot routing DC-441 to DC-445 client router, configuring DC-443 interface diagnostics DC-444 monitoring DC-444 overview DC-441 periods active DC-442 quiet DC-442 quiet periods, stopping DC-444 routed protocols supported DC-442 routing information exchange DC-441 server configuration (example) DC-445 server router, configuring DC-444 snapshot server command DC-444 snmp-server enable traps ds0-busyout command DC-105 snmp-server enable traps isdn chan-not-avail command DC-106 snmp-server enable traps modem-health command DC-106 Index IN-912 Cisco IOS Dial Technologies Configuration Guide source template command DC-724, DC-750 SPE (Service Processing Element) country code DC-132 digital statistics DC-142 download maintenance DC-140 firmware DC-67, DC-128, DC-133 country name, specifying DC-132 firmware statistics DC-141 lines and ports configuring DC-136 verifying DC-138 log events DC-139 modem statistics DC-143 performance statistics configuring DC-138 viewing DC-141 port statistics DC-141 reboot DC-135 recovery DC-140 shutdown DC-135 troubleshooting DC-139 verifying DC-138 spe call-record modem command DC-138 spe country command DC-69 speeds modem, verifying DC-111 spe log-event-size command DC-138 stack groups large-scale dial-out DC-681 MMP DC-634 PRI hunt groups DC-634 switched 56K analog calls DC-279 benefits DC-278 BRI bearer capability DC-280 call processing components DC-280 configuring DC-281 ISDN BRI traffic DC-281 overview DC-279 prerequisites DC-278 switched 56K over CT1 RBS 56K and modem calls (example) DC-301 call processing components DC-280 configuration (example) DC-301 description DC-280 ISDN BRI solution DC-281 prerequisites DC-278 restrictions DC-278 sample topology DC-279 startup configuration (example) DC-302 T1 CAS line provisioning DC-302 switch types ISDN BRI (table) DC-181 ISDN NFAS DC-316 ISDN PRI (table) DC-261 North American ISDN DC-176, DC-259 voice systems DC-180 T T1 voice channels, configuring DC-277 T3 controllers, MLP configuration (example) DC-631 Tab key, command completion xlviii TACACS AV pairs DC-704 servers DC-700 tacacs-server host command DC-683 tacacs-server key command DC-683 Taiwan, ISDN Sending Complete information element DC-189, DC-268 TCP connection attempt time, configuring DC-585 TCP/IP header compression (example) DC-42 configuring DC-34, DC-584 EXEC-level DC-35 Van Jacobsen DC-34 TCP Clear Performance Optimization feature DC-779 Index IN-913 Cisco IOS Dial Technologies Configuration Guide tcpdump DC-107 TCP header compression See TCP/IP, header compression TEI (terminal endpoint identifier), ISDN interfaces configuring DC-186 (example) DC-295 configuring static DC-266 (example) DC-299 defaults DC-186, DC-266 telecommuting configuration (example) DC-576 Telnet automatic rotary line queueing DC-25 connection, queued request DC-25 direct sessions (example) DC-153 starting DC-152 stopping DC-153 verifying DC-153 TCP Clear performance optimization DC-779, DC-780 terminal EXEC process DC-30 V.120 asynchronous DC-198 terminate-from command DC-535 test modem back-to-back command DC-96 test port modem back-to-back command DC-139 timers, dialer carrier wait time, enabling DC-400 disconnect DC-329 configuration (example) DC-342 enable-timeout DC-659, DC-660 fast idle, enabling DC-370 idle reset, enabling DC-367 line down-time, enabling DC-370 line idle, enabling DC-400 wait for carrier DC-659 enabling DC-370 ToS (type of service), preserving over VPNs DC-539 transparent bridging dialer profiles interfaces, configuring DC-432 legacy DDR, access (example) DC-377, DC-407 transport command DC-70 transport input command DC-201 transport output command DC-46 traps modem MIB DC-104 (example) DC-107 trunkgroup (dial-peer) command DC-332 trunk group (global) command DC-332 trunk-group (interface) command DC-332 tty lines configuring DC-16 numbering scheme (table) DC-61 relationship to interfaces DC-15 tunnel command DC-582 tunneling packet, asynchronous host roaming DC-581 VPN authorization search order DC-518 local tunnel authentication DC-530 local tunnel authentication (examples) DC-565 U UDPTN (User Datagram Protocol Telnet) configuring DC-46 overview DC-45 udptn command DC-47 user EXEC mode, summary of xlviii username callback-dialstring command DC-645, DC-646, DC-647 username callback-line command DC-645, DC-646, DC-647 username callback-rotary command DC-645, DC-647 username command DC-396, DC-599, DC-645, DC-808 username nocallback-verify command DC-646 usernames, maximum links (example) DC-621 Index IN-914 Cisco IOS Dial Technologies Configuration Guide V V.110 modem calls, selective filtering of incoming DC-189 V.120 Modem Standard DC-66 V.120 standard dynamic detection DC-199 dynamic detection (example) DC-200 ISDN asynchronous communications DC-198 on virtual asynchronous interface DC-198 V.90 modem standard DC-64 VINES DDR, configuring DC-354 dialer profiles DC-428 vines access-list command DC-354, DC-428 virtual access interfaces configuration information sources DC-484 configuration rules DC-490 creation criteria DC-485 description DC-9 dynamic DC-489, DC-699 monitoring DC-486 selective creation DC-485 (example) DC-487 two configuration sources (example) DC-484 virtual asynchronous interfaces description DC-10 ISDN traffic over DC-197 V.120 support DC-198 virtual-profile aaa command DC-497, DC-498 virtual-profile if-needed command DC-486 virtual profiles AAA configuration (example) DC-494, DC-501, DC-504 configuring DC-493, DC-495, DC-497 per-user configuration TACACS+ user profile (example) DC-488 configured by virtual template on PPP (example) DC-487 interoperations, legacy DDR DC-490 MLP cloning sequence (table) DC-491 configuration requirements DC-491 interoperations DC-491 per-user configuration DC-700, DC-701 physical interface interoperation, configuring DC-490 user-specific interface configuration DC-492 virtual access interfaces cloning sequence (table) DC-491 selective creation DC-485 selective creation (example) DC-487 virtual template and AAA configuration (example) DC-494, DC-495, DC-502, DC-515 configuring DC-497 virtual template interfaces configuration (example) DC-499 configuring DC-492, DC-493 information, defining DC-492 physical interface overrides DC-492 See also virtual template interfaces virtual templates configuring DC-496 interoperability DC-491 virtual-profile virtual-template command DC-483, DC-498 virtual-template command DC-535 virtual template interfaces configuration (examples) DC-486 to DC-488 configuration commands contained in DC-493 configuration service (example) DC-487, DC-493 configuring DC-486, DC-496, DC-498, DC-637 features DC-485 IP unnumbered DC-486, DC-496, DC-498 limitations DC-483 monitoring DC-486 overview DC-484, DC-489 per-user configuration DC-699 stack groups, configuring DC-637 virtual profiles on PPP (example) DC-487 Index IN-915 Cisco IOS Dial Technologies Configuration Guide VPN, configuring DC-535 Virtual Template Interface Service feature DC-484 voluntary tunneling See client-initiated VPNs VPDN (virtual private dialup network) See VPDN groups; VPDN profiles; VPN vpdn enable command DC-530 vpdn-group command DC-534, DC-754, DC-755 VPDN groups, description DC-727 vpdn history failure table-size command DC-542 vpdn logging command DC-542 vpdn logging history failure command DC-542 vpdn profile command DC-754 VPDN profiles, description DC-727 vpdn search-order command DC-535 vpdn session-limit command DC-540 vpdn softshut command DC-541 VPN (Virtual Private Network) AAA component interface DC-763 configuring DC-524 negotiation, troubleshooting DC-560 client-initiated architecture DC-509 configuration (examples) DC-563 to DC-569, DC-775 configuration modes DC-521 control packet problem, troubleshooting DC-557 debug commands DC-548 debug output, verifying DC-549 dial-in configuring DC-534 configuring, (example) DC-566 to DC-568 L2F DC-511 protocol negotiation DC-512 tunnel authentication DC-514 verifying DC-542 L2TP AAA tunnel definition lookup DC-519 call sequence DC-517 debug output DC-549 PPTP DC-509 flow control alarm DC-510 protocol negotiation DC-510 topology DC-545 virtual template, configuring DC-535 dial-out configuration (example) DC-568 dialers, configuring DC-529 L2TP DC-520 to DC-521 L2TP debug output DC-550 hardware terminology DC-508 technology-specific terms DC-509 IP ToS preservation DC-539 load sharing (example) DC-776 monitoring and maintaining DC-547 NAS debug output DC-549, DC-550 definition DC-508, DC-577 dial-in, configuring DC-534 (example) DC-566 dial-out, configuration (example) DC-568 dial-out, configuring DC-537 outgoing connections DC-519 tunnel authorization search order DC-518 NAS-initiated architecture DC-509 per-user configuration DC-538 PPP negotiation, troubleshooting DC-559 prerequisites DC-523 QoS preservation DC-539 topology DC-545 troubleshooting DC-548, DC-764 to DC-767 tunnel authentication configuration (examples) DC-565 configuring DC-530 tunnel lookup DNIS DC-519 host name DC-519 tunnel secret, troubleshooting DC-555 tunnel server debug output DC-550, DC-551 Index IN-916 Cisco IOS Dial Technologies Configuration Guide definition DC-508 dial-in, configuring DC-535 (example) DC-567 dial-out, configuring DC-536 (example) DC-569 tunnel session limit, configuring DC-540 tunnel shutdown DC-540 tunnel soft shutdown, configuring DC-541 verifying DC-542 virtual template, configuring DC-535 VPDN MIB and Syslog Facility event logging, configuring DC-542 supported objects DC-508 table history size, configuring DC-542 VPN group commands (table) DC-523 VPN subgroup commands (table) DC-522 vty-arap command DC-643 vty-async command DC-200 vty-async dynamic-routing command DC-580 vty-async ipx ppp-client loopback command DC-580 vty-async virtual-template command DC-201 W where command DC-153 X X.25 address mapping DC-405 DTR dialing (example) DC-419 dynamic circuit-switched client DC-228 ISDN D channel DC-228 configuration (example) DC-229 configuring DC-229, DC-236 overview DC-227 legacy DDR dialers supported DC-374, DC-405 DTR dialing (example) DC-387, DC-419 mapping protocol address to remote host DC-375 networks, PPP calls over DC-862 See also AO/DI, clients, X.25; AO/DI, servers, X.25 x25 address command DC-240, DC-241, DC-375, DC-405 x25 aodi command DC-242 x25 htc command DC-240 x25 map command DC-375, DC-405 x25 map ppp command DC-237, DC-242, DC-243 x25 win command DC-240 x25 wout command DC-240 XNS (Xerox Network Systems) DDR, configuring DC-355 dialer profiles, configuring DC-430 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 User Guide for the Cisco Application Networking Manager 5.2 February 2012 Text Part Number: OL-26572-01 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. User Guide for the Cisco Application Networking Manager 5.2 © 2011 Cisco Systems, Inc. All rights reserved. iii User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 CONTENTS Preface ix Audience ix Organization ix Conventions xi Open-Source Software Included in the Cisco Application Networking Manager xi Obtaining Documentation and Submitting a Service Request xii CHAPTER 1 Overview 1-1 ANM Overview 1-1 IPv6 Considerations 1-3 Logging In To the Cisco Application Networking Manager 1-5 Changing Your Account Password 1-6 ANM Licenses 1-7 ANM Interface Components 1-8 ANM Windows and Menus 1-9 ANM Buttons 1-11 Table Conventions 1-14 Filtering Entries 1-14 Customizing Tables 1-15 Using the Advanced Editing Option 1-16 ANM Screen Conventions 1-17 CHAPTER 2 Using Homepage 2-1 Information About Homepage 2-1 Customizing the Default ANM Page 2-4 CHAPTER 3 Using ANM Guided Setup 3-1 Information About Guided Setup 3-1 Guidelines and Limitations 3-4 Using Import Devices 3-4 Using ACE Hardware Setup 3-5 Using Virtual Context Setup 3-10 Using Application Setup 3-12 Contents iv User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 ACE Network Topology Overview 3-12 Using Application Setup 3-14 CHAPTER 4 Using Application Template Definitions 4-1 Information About Application Template Definitions and Instances 4-1 Managing Application Template Instances 4-3 Creating an Application Template Instance 4-4 Deploying a Staged Application Template Instance 4-7 Editing an Application Template Instance 4-9 Duplicating an Application Template Instance 4-10 Viewing and Editing Application Template Instance Details 4-12 Deleting an Application Template Instance 4-13 Managing Application Template Definitions 4-15 Editing an Application Template Definition 4-15 Editing an Application Template Definition Using the ANM Template Editor 4-18 Editing an Application Template Definition Using an External Editor 4-19 Creating an Application Template Definition 4-20 Creating an Application Template Definition Using the ANM Template Editor 4-21 Creating an Application Template Definition Using an External XML Editor 4-23 Exporting an Application Template Definition 4-26 Importing an Application Template Definition 4-26 Testing an Application Template Definition 4-28 Deleting an Application Template Definition 4-29 Using the ANM Template Editor 4-29 CHAPTER 5 Importing and Managing Devices 5-1 Information About Device Management 5-2 Information About Importing Devices 5-4 Preparing Devices for Import 5-4 Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers 5-5 Enabling SSH Access and the HTTPS Interface on the ACE Module and Appliance 5-6 Enabling SNMP Polling from ANM 5-7 ANM Requirements for ACE High Availability 5-8 Modifying the ANM Timeout Setting to Compensate for Network Latency 5-9 Importing Network Devices into ANM 5-10 Importing Cisco IOS Host Chassis and Chassis Modules 5-11 Importing Cisco IOS Devices with Installed Modules 5-12 Importing ACE Modules after the Host Chassis has been Imported 5-16 Importing CSM Devices after the Host Chassis has been Imported 5-19 Contents v User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Importing VSS 1440 Devices after the Host Chassis has been Imported 5-20 Importing ACE Appliances 5-21 Importing CSS Devices 5-22 Importing GSS Devices 5-23 Importing VMware vCenter Servers 5-24 Enabling a Setup Syslog for Autosync for Use With an ACE 5-27 Discovering Large Numbers of Devices Using IP Discovery 5-27 Preparing Devices for IP Discovery 5-28 Configuring Device Access Credentials 5-29 Modifying Credential Pools 5-30 Running IP Discovery to Identify Devices 5-31 Monitoring IP Discovery Status 5-33 Configuring Devices 5-34 Configuring Device System Attributes 5-34 Configuring CSM Primary Attributes 5-34 Configuring CSS Primary Attributes 5-35 Configuring GSS Primary Attributes 5-36 Configuring Catalyst 6500 VSS 1440 Primary Attributes 5-38 Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes 5-38 Configuring Catalyst 6500 Series Chassis, Catalyst 6500 Virtual Switching System 1440 Devices, and Cisco 7600 Series Routers Static Routes 5-39 Configuring VMware vCenter Server Primary Attributes 5-41 Configuring Catalyst 6500 Series Chassis or Cisco 7600 Series Router Interfaces 5-41 Displaying Chassis Interfaces and Configuring High-Level Interface Attributes 5-42 Configuring Access Ports 5-43 Configuring Trunk Ports 5-44 Configuring Switch Virtual Interfaces 5-45 Configuring Routed Ports 5-46 Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs 5-48 Adding Device VLANs 5-48 Displaying All Device VLANs 5-49 Configuring Device Layer 2 VLANs 5-50 Configuring Device Layer 3 VLANs 5-51 Modifying Device VLANs 5-51 Creating VLAN Groups 5-52 Configuring ACE Module and Appliance Role-Based Access Controls 5-53 Configuring Device RBAC Users 5-53 Guidelines for Managing Users 5-53 Displaying a List of Device Users 5-54 Configuring Device User Accounts 5-54 Contents vi User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Modifying Device User Accounts 5-55 Deleting Device User Accounts 5-56 Configuring Device RBAC Roles 5-56 Guidelines for Managing User Roles 5-57 Role Mapping in Device RBAC 5-57 Configuring Device User Roles 5-58 Modifying Device User Roles 5-60 Deleting Device User Roles 5-60 Adding, Editing, or Deleting Rules 5-61 Configuring Device RBAC Domains 5-61 Guidelines for Managing Domains 5-62 Displaying Domains for a Device 5-62 Configuring Device Domains 5-63 Modifying Device Domains 5-65 Deleting Device Domains 5-65 Managing Devices 5-66 Synchronizing Device Configurations 5-66 Synchronizing Chassis Configurations 5-67 Synchronizing Module Configurations 5-67 Mapping Real Servers to VMware Virtual Machines 5-68 Instructing ANM to Recognize an ACE Module Software Upgrade 5-71 Configuring User-Defined Groups 5-72 Adding a User-Defined Group 5-72 Modifying a User-Defined Group 5-73 Duplicating a User-Defined Group 5-74 Deleting a User-Defined Group 5-75 Changing Device Credentials 5-75 Changing ACE Module Passwords 5-77 Restarting Device Polling 5-78 Displaying All Devices 5-78 Displaying Modules by Chassis 5-79 Removing Modules from the ANM Database 5-80 Replacing an ACE Module Managed by ANM 5-82 Using the Preferred Method to Replace an ACE Module 5-82 Using the Alternate Method to Replace an ACE Module 5-84 CHAPTER 6 Configuring Virtual Contexts 6-1 Information About Virtual Contexts 6-2 Creating Virtual Contexts 6-2 Contents vii User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Configuring Virtual Contexts 6-8 Configuring Virtual Context System Attributes 6-13 Configuring Virtual Context Primary Attributes 6-14 Configuring Virtual Context Syslog Settings 6-19 Configuring Syslog Log Hosts 6-23 Configuring Syslog Log Messages 6-24 Configuring Syslog Log Rate Limits 6-26 Configuring SNMP for Virtual Contexts 6-27 Configuring Basic SNMP Attributes 6-27 Configuring SNMPv2c Communities 6-28 Configuring SNMPv3 Users 6-29 Configuring SNMP Trap Destination Hosts 6-32 Configuring SNMP Notification 6-33 Applying a Policy Map Globally to All VLAN Interfaces 6-35 Managing ACE Licenses 6-36 Viewing ACE Licenses 6-36 Installing ACE Licenses 6-37 Uninstalling ACE Licenses 6-39 Updating ACE Licenses 6-40 Displaying the File Contents of a License 6-42 Using Resource Classes 6-43 Global and Local Resource Classes 6-44 Resource Allocation Constraints 6-44 Using Global Resource Classes 6-46 Configuring Global Resource Classes 6-46 Deploying Global Resource Classes 6-48 Auditing Resource Classes 6-49 Modifying Global Resource Classes 6-50 Deleting Global Resource Classes 6-51 Using Local Resource Classes 6-51 Configuring Local Resource Classes 6-52 Deleting Local Resource Classes 6-53 Displaying Local Resource Class Use on Virtual Contexts 6-54 Using the Configuration Checkpoint and Rollback Service 6-54 Creating a Configuration Checkpoint 6-55 Deleting a Configuration Checkpoint 6-56 Rolling Back a Running Configuration 6-56 Displaying Checkpoint Information 6-57 Comparing a Checkpoint to the Running Configuration 6-58 Contents viii User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Performing Device Backup and Restore Functions 6-59 Backing Up Device Configuration and Dependencies 6-62 Restoring Device Configuration and Dependencies 6-66 Performing Global Device Backup and Copy Functions 6-68 Backing Up Multiple Device Configuration and SSL Files 6-69 Associating a Global Backup Schedule with a Device 6-71 Managing Global Backup Schedules 6-73 Creating a Backup Schedule 6-73 Updating an Existing Backup Schedule 6-76 Deleting a Backup Schedule 6-76 Copying Existing Tarred Backup Files to a Remote Server 6-77 Configuring Security with ACLs 6-78 Creating ACLs 6-79 Setting Extended ACL Attributes 6-82 Resequencing Extended ACLs 6-87 Setting EtherType ACL Attributes 6-87 Displaying ACL Information and Statistics 6-89 Configuring Object Groups 6-89 Creating or Editing an Object Group 6-90 Configuring IP Addresses for Object Groups 6-91 Configuring Subnet Objects for Object Groups 6-92 Configuring Protocols for Object Groups 6-93 Configuring TCP/UDP Service Parameters for Object Groups 6-94 Configuring ICMP Service Parameters for an Object Group 6-97 Managing ACLs 6-99 Viewing All ACLs by Context 6-99 Editing or Deleting ACLs 6-100 Configuring Virtual Context Expert Options 6-101 Comparing Context and Building Block Configurations 6-101 Managing Virtual Contexts 6-103 Displaying All Virtual Contexts 6-103 Synchronizing Virtual Context Configurations 6-105 Managing Syslog Settings for Autosynchronization 6-105 Editing Virtual Contexts 6-106 Deleting Virtual Contexts 6-107 Upgrading Virtual Contexts 6-107 Restarting Virtual Context Polling 6-108 Contents ix User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 CHAPTER 7 Configuring Virtual Servers 7-1 Information About Load Balancing 7-1 Configuring Virtual Servers 7-2 Virtual Server Configuration and ANM 7-2 Information About Using ANM to Configure Virtual Servers 7-4 Virtual Server Usage Guidelines 7-5 Virtual Server Testing and Troubleshooting 7-6 Virtual Server Configuration Procedure 7-7 Shared Objects and Virtual Servers 7-9 Virtual Server Protocols by Device Type 7-11 Configuring Virtual Server Properties 7-11 Configuring Virtual Server SSL Termination 7-17 Configuring Virtual Server Protocol Inspection 7-18 Configuring Virtual Server Layer 7 Load Balancing 7-30 Configuring Virtual Server Default Layer 7 Load Balancing 7-50 Configuring Application Acceleration and Optimization 7-53 Configuring Virtual Server NAT 7-63 Displaying Virtual Servers by Context 7-65 Displaying Virtual Server Statistics and Status Information 7-65 Managing Virtual Servers 7-66 Managing Virtual Server Groups 7-67 Creating a Virtual Server Group 7-68 Editing or Copying a Virtual Server Group 7-69 Displaying a Virtual Server Group 7-70 Deleting a Virtual Server Group 7-70 Activating Virtual Servers 7-71 Suspending Virtual Servers 7-72 Managing GSS VIP Answers 7-73 Activating and Suspending DNS Rules Governing GSS Load Balancing 7-75 Managing GSS VIP Answer and DNS Rule Groups 7-76 Creating a VIP Answer or DNS Rule Group 7-77 Editing or Copying a VIP Answer or DNS Rule Group 7-78 Displaying a VIP Answer or DNS Rule Group 7-79 Deleting a VIP Answer or DNS Rule Group 7-80 Displaying Detailed Virtual Server Information 7-81 Displaying Virtual Servers 7-81 Using the Virtual Server Connection Statistics Graph 7-84 Using the Virtual Server Topology Map 7-85 Understanding CLI Commands Sent from Virtual Server Table 7-86 Contents x User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Deploying Virtual Servers 7-86 Deploying a Virtual Server 7-87 Displaying All Staged Virtual Servers 7-87 Modifying Deployed Virtual Servers 7-88 Modifying Staged Virtual Servers 7-88 CHAPTER 8 Configuring Real Servers and Server Farms 8-1 Information About Server Load Balancing 8-1 Load-Balancing Predictors 8-2 Real Servers 8-3 Dynamic Workload Scaling Overview 8-4 Server Farms 8-5 Configuring Real Servers 8-5 Configuring Load Balancing on Real Servers 8-6 Displaying Real Server Statistics and Status Information 8-9 Managing Real Servers 8-9 Managing Real Server Groups 8-10 Creating a Real Server Group 8-11 Editing or Copying a Real Server Group 8-12 Displaying a Real Server Group 8-13 Deleting a Real Server Group 8-13 Activating Real Servers 8-14 Suspending Real Servers 8-15 Modifying Real Server Weight Value 8-17 Displaying Real Servers 8-18 Using the Real Server Connection Statistics Graph 8-22 Using the Real Server Topology Map 8-23 CLI Commands Sent from the Real Server Table 8-23 Server Weight Ranges 8-25 Configuring Dynamic Workload Scaling 8-26 Configuring and Verifying a Cisco Nexus 7000 Series Switch Connection 8-27 Configuring and Verifying a VM Controller Connection 8-29 Configuring Server Farms 8-30 Configuring Load Balancing Using Server Farms 8-31 Adding Real Servers to a Server Farm 8-37 Configuring the Predictor Method for Server Farms 8-39 Configuring Server Farm HTTP Return Error-Code Checking 8-46 Displaying All Server Farms 8-48 Displaying Server Farm Statistics and Status Information 8-48 Contents xi User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Configuring Health Monitoring 8-49 TCL Scripts 8-50 Configuring Health Monitoring for Real Servers 8-51 Configuring Probe Attributes 8-56 DNS Probe Attributes 8-57 Echo-TCP Probe Attributes 8-58 Echo-UDP Probe Attributes 8-58 Finger Probe Attributes 8-58 FTP Probe Attributes 8-59 HTTP Probe Attributes 8-60 HTTPS Probe Attributes 8-61 IMAP Probe Attributes 8-63 POP Probe Attributes 8-64 RADIUS Probe Attributes 8-65 RTSP Probe Attributes 8-65 Scripted Probe Attributes 8-66 SIP-TCP Probe Attributes 8-67 SIP-UDP Probe Attributes 8-68 SMTP Probe Attributes 8-69 SNMP Probe Attributes 8-69 TCP Probe Attributes 8-70 Telnet Probe Attributes 8-70 UDP Probe Attributes 8-71 VM Probe Attributes 8-72 Configuring DNS Probe Expect Addresses 8-73 Configuring Headers for HTTP and HTTPS Probes 8-74 Configuring Health Monitoring Expect Status 8-74 Configuring an OID for SNMP Probes 8-76 Displaying Health Monitoring Statistics and Status Information 8-77 Configuring Secure KAL-AP 8-77 CHAPTER 9 Configuring Stickiness 9-1 Information About Stickiness 9-1 Sticky Types 9-2 HTTP Content Stickiness 9-3 HTTP Cookie Stickiness 9-3 HTTP Header Stickiness 9-4 IP Netmask and IPv6 Prefix Stickiness 9-4 Layer 4 Payload Stickiness 9-4 Contents xii User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 RADIUS Stickiness 9-5 RTSP Header Stickiness 9-5 SIP Header Stickiness 9-5 Sticky Groups 9-6 Sticky Table 9-6 Configuring Sticky Groups 9-7 Sticky Group Attribute Tables 9-11 HTTP Content Sticky Group Attributes 9-11 HTTP Cookie Sticky Group Attributes 9-12 HTTP Header Sticky Group Attributes 9-13 IP Netmask Sticky Group Attributes 9-13 V6 Prefix Sticky Group Attributes 9-13 Layer 4 Payload Sticky Group Attributes 9-14 RADIUS Sticky Group Attributes 9-14 RTSP Header Sticky Group Attributes 9-15 Displaying All Sticky Groups by Context 9-15 Configuring Sticky Statics 9-15 CHAPTER 10 Configuring Parameter Maps 10-1 Information About Parameter Maps 10-1 Configuring Connection Parameter Maps 10-3 Configuring Generic Parameter Maps 10-8 Configuring HTTP Parameter Maps 10-9 Configuring Optimization Parameter Maps 10-12 Configuring RTSP Parameter Maps 10-20 Configuring SIP Parameter Maps 10-21 Configuring Skinny Parameter Maps 10-23 Configuring DNS Parameter Maps 10-25 Supported MIME Types 10-26 CHAPTER 11 Configuring SSL 11-1 SSL Overview 11-2 SSL Configuration Prerequisites 11-2 Summary of SSL Configuration Tasks 11-3 SSL Setup Sequence 11-4 Using SSL Certificates 11-5 Importing SSL Certificates 11-7 Contents xiii User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Using SSL Keys 11-10 Importing SSL Key Pairs 11-11 Generating SSL Key Pairs 11-14 Exporting SSL Certificates 11-15 Exporting SSL Key Pairs 11-16 Configuring SSL Parameter Maps 11-18 Configuring SSL Chain Group Parameters 11-23 Configuring SSL CSR Parameters 11-24 Generating CSRs 11-26 Configuring SSL Proxy Service 11-27 Configuring SSL OCSP Service 11-29 Enabling Client Authentication 11-31 Configuring SSL Authentication Groups 11-31 Configuring CRLs for Client Authentication 11-33 CHAPTER 12 Configuring Network Access 12-1 Information About VLANs 12-2 ACE Module VLANs 12-2 ACE Appliance VLANs 12-2 Configuring VLANs Using Cisco IOS Software (ACE Module) 12-3 Creating VLAN Groups Using Cisco IOS Software 12-3 Assigning VLAN Groups to the ACE Module Through Cisco IOS Software 12-4 Adding Switched Virtual Interfaces to the MSFC 12-5 Configuring Virtual Context VLAN Interfaces 12-6 Displaying All VLAN Interfaces 12-18 Displaying VLAN Interface Statistics and Status Information 12-18 Configuring Virtual Context BVI Interfaces 12-19 Configuring BVI Interfaces for a Virtual Context 12-19 Displaying All BVI Interfaces by Context 12-25 Displaying BVI Interface Statistics and Status Information 12-26 Configuring VLAN Interface NAT Pools 12-26 Configuring Virtual Context Static Routes 12-28 Configuring Global IP DHCP 12-29 Configuring Static VLANs for Over 8000 Static NAT Configurations 12-31 Configuring Gigabit Ethernet Interfaces on the ACE Appliance 12-32 Configuring Gigabit Ethernet Interfaces 12-32 Displaying Gigabit Ethernet Interface Statistics and Status Information 12-35 Configuring Port-Channel Interfaces for the ACE Appliance 12-35 Contents xiv User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Why Use Port Channels? 12-35 Configuring a Port-Channel Interface 12-36 Configuring a Catalyst 6500 Series Switch for an ACE Appliance Port-Channel Interface Connection 12-38 Creating the Port Channel Interface on the Catalyst 6500 12-38 Adding Interfaces to the Port Channel 12-39 Displaying Port Channel Interface Statistics and Status Information 12-40 CHAPTER 13 Configuring High Availability 13-1 Understanding ANM High Availability 13-2 Understanding ANM High Availability Processes 13-3 Configuring ANM High Availability Overview 13-3 CLI Commands for ANM High Availability Processes 13-4 Recovering From an HA Database Replication Failure 13-6 Understanding ACE Redundancy 13-6 ACE High Availability Polling 13-7 ACE Redundancy Protocol 13-8 ACE Stateful Failover 13-9 ACE Fault-Tolerant VLAN 13-10 ACE Configuration Synchronization 13-11 ACE Redundancy Configuration Requirements and Restrictions 13-12 ACE High Availability Troubleshooting Guidelines 13-12 Configuring ACE High Availability 13-14 Configuring ACE High Availability Peers 13-15 Clearing ACE High Availability Pairs 13-17 Configuring ACE High Availability Groups 13-17 Editing High Availability Groups 13-19 Taking a High Availability Group Out of Service 13-20 Enabling a High Availability Group 13-21 Displaying High Availability Group Statistics and Status 13-21 Switching Over an ACE High Availability Group 13-22 Deleting ACE High Availability Groups 13-23 ACE High Availability Tracking and Failure Detection Overview 13-23 Tracking ACE VLAN Interfaces for High Availability 13-24 Tracking Hosts for High Availability 13-25 Configuring Host Tracking Probes 13-26 Deleting Host Tracking Probes 13-27 Configuring ACE Peer Host Tracking Probes 13-28 Contents xv User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Deleting Peer Host Tracking Probes 13-29 Configuring ACE HSRP Groups 13-29 Synchronizing ACE High Availability Configurations 13-30 Synchronizing Virtual Context Configurations in High Availability Mode 13-31 Synchronizing SSL Certificate and Key Pairs on Both ACE Peers 13-32 CHAPTER 14 Configuring Traffic Policies 14-1 Traffic Policy Overview 14-1 Class Map and Policy Map Overview 14-2 Class Maps 14-3 Policy Maps 14-4 Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps 14-5 Protocol Inspection Overview 14-6 Configuring Virtual Context Class Maps 14-6 Deleting Class Maps 14-8 Setting Match Conditions for Class Maps 14-8 Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps 14-9 Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps 14-12 Setting Match Conditions for Layer 7 Server Load Balancing Class Maps 14-14 Setting Match Conditions for Layer 7 HTTP Deep Packet Inspection Class Maps 14-17 Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps 14-22 Setting Match Conditions for Generic Server Load Balancing Class Maps 14-23 Setting Match Conditions for RADIUS Server Load Balancing Class Maps 14-25 Setting Match Conditions for RTSP Server Load Balancing Class Maps 14-26 Setting Match Conditions for SIP Server Load Balancing Class Maps 14-27 Setting Match Conditions for Layer 7 SIP Deep Packet Inspection Class Maps 14-30 Configuring Virtual Context Policy Maps 14-32 Configuring Rules and Actions for Policy Maps 14-34 Setting Policy Map Rules and Actions for Generic Server Load Balancing 14-35 Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic 14-39 Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic 14-41 Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection 14-48 Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection 14-51 Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization 14-57 Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic 14-61 Setting Policy Map Rules and Actions for Layer 7 SIP Deep Packet Inspection 14-68 Setting Policy Map Rules and Actions for Layer 7 Skinny Deep Packet Inspection 14-71 Setting Policy Map Rules and Actions for RADIUS Server Load Balancing 14-73 Setting Policy Map Rules and Actions for RDP Server Load Balancing 14-75 Contents xvi User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Setting Policy Map Rules and Actions for RTSP Server Load Balancing 14-76 Setting Policy Map Rules and Actions for SIP Server Load Balancing 14-79 Special Characters for Matching String Expressions 14-84 Configuring Actions Lists 14-85 Configuring an HTTP Header Modify Action List 14-85 Configuring HTTP Header Insertion, Deletion, and Rewrite 14-85 Configuring SSL URL Rewrite 14-88 Configuring SSL Header Insertion 14-89 CHAPTER 15 Configuring Application Acceleration and Optimization 15-1 Optimization Overview 15-2 Optimization Traffic Policies and Typical Configuration Flow 15-2 Configuring an HTTP Optimization Action List 15-3 Configuring Optimization Parameter Maps 15-6 Configuring Traffic Policies for HTTP Optimization 15-6 Enabling HTTP Optimization Using Virtual Servers 15-9 Configuring Global Application Acceleration and Optimization 15-9 CHAPTER 16 Using Configuration Building Blocks 16-1 Information About Building Block Versions and Tagging 16-4 Enabling the Building Block Feature 16-5 Creating Building Blocks 16-5 Extracting Building Blocks from Virtual Contexts 16-6 Configuring Building Blocks 16-7 Configuring Building Block Primary Attributes 16-8 Tagging Building Blocks 16-9 Applying Building Blocks 16-9 Applying a Building Block to a Single Virtual Context 16-10 Applying a Building Block to Multiple Virtual Contexts 16-10 Displaying Building Block Use 16-11 CHAPTER 17 Monitoring Your Network 17-1 Setting Up Devices for Monitoring 17-2 Device Monitoring Features 17-3 Using Dashboards to Monitor Devices and Virtual Contexts 17-4 ACE Dashboard 17-5 Device Information Table 17-6 Contents xvii User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 License Status Table 17-6 High Availability Table 17-7 ACE Device Configuration Summary Table 17-7 Context With Denied Resource Usage Detected Table 17-8 Device Resource Usage Graph 17-9 Top 10 Current Resources Table 17-10 Control Plane CPU/Memory Graphs 17-11 ACE Virtual Context Dashboard 17-12 ACE Virtual Context Device Configuration Summary Table 17-13 Context With Denied Resource Usage Detected Table 17-14 Context Resource Usage Graph 17-15 Load Balancing Servers Performance Graphs 17-15 ANM Group Dashboard 17-16 Managed Devices Table 17-17 Context With Denied Resource Usage Detected Table 17-18 ANM Group Device Configuration Summary Table 17-18 Top 10 Current Resources Table 17-20 Latest 5 Alarms Notifications Table 17-21 Latest 5 Critical Events Table 17-21 Contexts Performance Overview Graph 17-22 Monitoring Device Groups 17-23 Monitoring Devices 17-24 Monitoring the System 17-25 Monitoring Resource Usage 17-26 Monitoring Virtual Context Resource Usage 17-26 Monitoring System Traffic Resource Usage 17-27 Monitoring System Non-Connection Based Resource Usage 17-29 Monitoring Traffic 17-30 Displaying Device-Specific Traffic Data 17-31 Monitoring Load Balancing 17-33 Monitoring Load Balancing on Virtual Servers 17-33 Monitoring Load Balancing on Real Servers 17-37 Monitoring Load Balancing on Probes 17-40 Monitoring Load Balancing Statistics 17-41 Monitoring Application Acceleration 17-43 Displaying the Polling Status of All Managed Objects 17-44 Setting Polling Parameters 17-46 Enabling Polling on Specific Devices 17-46 Disabling Polling on Specific Devices 17-47 Contents xviii User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Enabling Polling on All Devices 17-47 Disabling Polling on All Devices 17-48 Configuring Historical Trend and Real Time Graphs for Devices 17-48 Exporting Historical Data 17-52 Monitoring Events 17-55 Configuring Alarm Notifications on ANM 17-57 Displaying Alarm Notifications 17-65 Displaying Alarms in ANM 17-65 Displaying Email Notifications 17-66 Displaying Traps 17-67 Configuring SMTP for Email Notifications 17-68 Displaying Network Topology Maps 17-68 Testing Connectivity 17-71 CHAPTER 18 Administering the Cisco Application Networking Manager 18-1 Overview of the Admin Function 18-2 Controlling Access to Cisco ANM 18-3 Types of Users 18-5 Understanding Roles 18-6 Understanding Operations Privileges 18-6 Understanding Domains 18-7 Understanding Organizations 18-7 How ANM Handles Role-Based Access Control 18-8 Configuring User Authentication and Authorization 18-9 Adding a New Organization 18-10 Changing Authentication Server Passwords 18-14 Changing the Admin Password 18-14 Modifying Organizations 18-14 Duplicating an Organization 18-15 Displaying Authentication Server Organizations 18-16 Deleting Organizations 18-16 Managing User Accounts 18-17 Guidelines for Managing User Accounts 18-17 Displaying a List of Users 18-18 Creating User Accounts 18-19 Duplicating a User Account 18-20 Modifying User Accounts 18-21 Resetting Another User’s Password 18-22 Contents xix User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Deleting User Accounts 18-23 Displaying or Terminating Current User Sessions 18-24 Managing User Roles 18-25 Guidelines for Managing User Roles 18-25 Understanding Predefined Roles 18-26 Displaying User Role Relationships 18-27 Displaying User Roles and Associated Tasks and ANM Menu Privileges 18-28 Creating User Roles 18-29 Duplicating a User Role 18-31 Modifying User Roles 18-31 Deleting User Roles 18-32 Managing Domains 18-32 Guidelines for Managing Domains 18-33 Displaying Network Domains 18-33 Creating a Domain 18-34 Duplicating a Domain 18-35 Modifying a Domain 18-36 Deleting a Domain 18-37 Using an AAA Server for Remote User Authentication and Authorization 18-38 Information About Using AD/LDAPS for Remote User Authentication 18-38 Configuring Remote User Authentication Using a TACACS+ Server 18-39 Configuring Remote User Authorization Using a TACACS+ Server 18-45 Configuring Remote User Authorization Using Cisco Secure ACS Version 5.1 18-46 Configuring Remote User Authorization Using Cisco Secure ACS Version 4.2 18-48 Disabling the ANM Login Window Change Password Feature 18-50 Managing ANM 18-51 Checking the Status of the ANM Server 18-52 Using ANM License Manager to Manage ANM Server or Demo Licenses 18-54 Displaying and Adding ANM Licenses to License Management 18-54 Removing an ANM License File 18-55 Displaying ANM Server Statistics 18-56 Configuring ANM Statistics Collection 18-57 Configuring Audit Log Settings 18-58 Performing Device Audit Trail Logging 18-59 Displaying Change Audit Logs 18-61 Configuring Auto Sync Settings 18-61 Configuring Advanced Settings 18-62 Configuring the Overwrite ACE Logging device-id for the Syslog Option 18-62 Configuring the Enable Write Mem on the Config > Operations Option 18-63 Contents xx User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Enabling the ACE Real Server Details Popup Window Option 18-64 Enabling the ACE Server Farm Details Popup Window Option for Virtual Servers 18-65 Enable Mobile Notifications from ANM 18-66 Managing the Syslog Buffer Display in the All Devices Dashboard 18-66 Managing the Display of Virtual Servers in the Operations and Monitoring Windows 18-66 Administering the ANM Mobile Feature 18-67 Configuring ANM with a Proxy Server for ANM Mobile Push Notifications 18-67 Enabling Mobile Device Notifications for Remotely Authorized Users 18-69 Globally Enabling or Disabling Mobile Device Notifications 18-69 Displaying Mobile Device Notifications and Testing the Notification Channel 18-70 Lifeline Management 18-72 CHAPTER 19 Using ANM Mobile 19-1 Information About ANM Mobile 19-2 ANM Mobile Prerequisites and Supported Devices 19-4 Guidelines and Restrictions 19-5 Using ANM Mobile 19-5 Logging In and Out of ANM Mobile 19-6 Using the Favorites Feature 19-6 Monitoring Managed Object Status 19-7 Modifying an Object’s Operating State or Weight 19-10 Displaying Real Time Charts 19-12 Using the ANM Mobile Setting Feature 19-12 Setting Up and Viewing Mobile Device Alarm Notifications 19-13 Enabling Alarm Notifications on ANM Mobile 19-15 Viewing Alarm Notifications from ANM Mobile 19-15 Managing iPod Alarm Notification Sound and Alerts 19-16 CHAPTER 20 Troubleshooting Cisco Application Networking Manager Problems 20-1 Changing ANM Software Configuration Attributes 20-1 Changing ANM Configuration Properties 20-2 Example ANM Standalone Configuration 20-4 Example ANM HA Configuration 20-5 Example ANM Advanced Options Configuration Session 20-6 Discovering and Adding a Device Does Not Work 20-7 Cisco License Manager Server Not Receiving Syslog Messages 20-7 Using Lifeline 20-7 Guidelines for Using Lifeline 20-8 Contents xxi User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Creating a Lifeline Package 20-8 Downloading a Lifeline Package 20-9 Adding a Lifeline Package 20-10 Deleting a Lifeline Package 20-11 Backing Up and Restoring Your ANM Configuration 20-11 APPENDIX A ANM Ports Reference A-1 APPENDIX B Using the ANM Plug-In With Virtual Data Centers B-1 Information About Using ANM With VMware vCenter Server B-2 Information About the Cisco ACE SLB Tab in vSphere Client B-3 Prerequisites for Using ANM With VMware vSphere Client B-4 Guidelines and Restrictions B-5 Registering or Unregistering the ANM Plug-in B-5 Logging In To ANM from VMware vSphere Client B-7 Using the Cisco ACE SLB Tab B-8 Managing ACE Real Servers From vSphere Client B-12 Adding a Real Server B-13 Deleting a Real Server Using vSphere Client B-14 Activating Real Servers Using vSphere Client B-15 Suspending Real Servers Using vSphere Client B-16 Modifying Real Server Weight Value Using vSphere Client B-18 Monitoring Real Server Details Using vSphere Client B-19 Refreshing the Displayed Real Server Information B-20 Using the VMware vSphere Plug-in Manager B-22 GLOSSARY I NDEX Contents xxii User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 ix User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Preface Date: 3/28/12 This guide describes the Cisco Application Networking Manager and explains how to use it to manage your network. This preface provides information about using this guide and includes the following topics: • Audience, page ix • Organization, page ix • Conventions, page xi • Open-Source Software Included in the Cisco Application Networking Manager, page xi • Obtaining Documentation and Submitting a Service Request, page xii Audience This guide is intended for experienced system and network administrators. Depending on the configuration required, readers should have specific knowledge in the following areas: • Networking and data communications • Network security • Router configuration Organization This documentation contains the following sections: • Chapter 1, “Overview” summaries key features and provides an look into some general topics such as the interface. • Chapter 2, “Using Homepage” describes ANM Homepage, a launching point for quick access to selected areas within ANM. • Chapter 3, “Using ANM Guided Setup” describes how to use the guided setup pages to simplify configuration of ANM. • Chapter 4, “Using Application Template Definitions” describes how to use the application templates to simplify configuration of ACE devices (or virtual contexts). x User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Preface • Chapter 5, “Importing and Managing Devices” describes how to add and manage your supported network devices. • Chapter 6, “Configuring Virtual Contexts” describes how to configure virtual contexts on the ACE so that you can effectively and efficiently manage and allocate resources, users, and services. • Chapter 7, “Configuring Virtual Servers” contains procedures for configuring virtual servers for load balancing on the ACE. • Chapter 8, “Configuring Real Servers and Server Farms” provides an overview of server load balancing and procedures for configuring real servers and server farms for load balancing on the ACE. • Chapter 9, “Configuring Stickiness” provides information about sticky behavior and procedures for configuring stickiness with the ANM. • Chapter 10, “Configuring Parameter Maps” describes how to configure parameter maps so that the ACE can perform actions on incoming traffic based on certain criteria, such as protocol or connection attributes. • Chapter 11, “Configuring SSL” describes how to configure your ACE (both the ACE module and the ACE appliance) as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. • Chapter 12, “Configuring Network Access” describes how to configure network access using ANM. • Chapter 13, “Configuring High Availability” describes how to configure redundancy to ensure that your network remains operational even if one of the ACE devices becomes unresponsive. • Chapter 14, “Configuring Traffic Policies” describes how to configure class maps and policy maps to provide a global level of filtering traffic received by or passing through the ACE. • Chapter 15, “Configuring Application Acceleration and Optimization” describes how to configure application acceleration and optimization options on the ACE. • Chapter 16, “Using Configuration Building Blocks” provides an overview of configuration building blocks and describes how to configure them, tag them for version control, and apply them to virtual contexts. • Chapter 17, “Monitoring Your Network” describes the ANM monitoring functions, including the various ANM dashboards, and explains how to configure thresholds and configure alarm notifications. • Chapter 18, “Administering the Cisco Application Networking Manager” describes how to administer, maintain, and manage the ANM management system. • Chapter 19, “Using ANM Mobile” describes how to use the Cisco ANM Mobile app to access your ANM server to remotely manage your network from your mobile device. • Chapter 20, “Troubleshooting Cisco Application Networking Manager Problems” describes some procedures and tips on common troubleshooting scenarios. • Appendix A, “ANM Ports Reference” identifies the TCP and UDP ports used by the ANM as well as well-known TCP and UDP port numbers and key words. • Appendix B, “Using the ANM Plug-In With Virtual Data Centers” describes how to integrate ANM with VMware vCenter Server and VMware vSphere Client. xi User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Preface Conventions This document uses the following conventions: Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication. Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. Open-Source Software Included in the Cisco Application Networking Manager • The Cisco Application Networking Manager includes the following open-source software, which is covered by the Apache 2.0 license (http://www.apache.org/): Ant, Avalon Logkit, Commons, Ehcache, Jetty, Log4J, Oro, Commons_Logging, Xmlrpc. • The Cisco Application Networking Manager includes the following open-source software, which is covered by The Legion of the Bouncy Castle (http://www.bouncycastle.org/licence.html) license: BouncyCastle. • The Cisco Application Networking Manager includes the following open-source software, which is covered by the GNU Lesser General Public License Version 2.1 (http://www.gnu.org/licenses/lgpl.html): c3p0-0.9.0.2.jar, Enterprise DT, Jasperreports 1.2, Jcommon 1.2, Jfreechart 1.0.1 • The Cisco Application Networking Manager includes the following open-source software, which is covered by the Mozilla Public License Version 1.1 (http://www.mozilla.org/MPL/MPL-1.1.html): Itext 1.4. Item Convention Commands and keywords boldface font Variables for which you supply values italic font Displayed session and system information screen font Information you enter boldface screen font Variables you enter italic screen font Menu items and button names boldface font Choosing a menu item in paragraphs Option > Network Preferences Choosing a menu item in tables Option > Network Preferences xii User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Preface Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0. CHAPTER 1-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 1 Overview Date: 3/28/12 This chapter provides an overview of Cisco Application Networking Manager (ANM), which is a networking management application. This chapter includes the following sections: • ANM Overview, page 1-1 • IPv6 Considerations, page 1-3 • Logging In To the Cisco Application Networking Manager, page 1-5 • Changing Your Account Password, page 1-6 • ANM Licenses, page 1-7 • ANM Interface Components, page 1-8 ANM Overview ANM is a client server application that enables you to perform the following functions: • Configure, monitor, and troubleshoot the functions of supported data center devices. • Create policies for operations, applications owners, and server administration staff to activate and suspend network-based services without knowledge of, or ability to, change network configuration or topology. • Manage the following product types: – Cisco Application Control Engine (ACE) module or appliance – Cisco Global Site Selector (GSS) – Cisco Content Services Switch (CSS) – Cisco Catalyst 6500 Virtual Switching System (VSS) 1440 – Cisco Catalyst 6500 series switch – Cisco 7600 series router – Cisco Content Switching Module (CSM) – Cisco Content Switching Module with SSL (CSM-S) – VMware vCenter Server 1-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview ANM Overview You can install the ANM server software on a standalone server or on a VMware virtual machine as shown in Figure 1-1. The capabilities and functions of the ANM software are the same regardless of which application you use. This guide uses the following terms to reference the two ANM applications: ANM server Dedicated server with ANM server software and Red Hat Enterprise Linux (RHEL) operating system installed on it. For information about installing this type of ANM application, see the Installation Guide for the Cisco Application Networking Manager 5.2. ANM Virtual Appliance VMware virtual appliance with ANM server software and Cisco Application Delivery Engine Operating System (ADE OS) installed on it. Cisco distributes ANM Virtual Appliance (ANM VA) in Open Virtual Appliance (.OVA) format. For information about installing this type of ANM application, see the Installation Guide for the Cisco Application Networking Manager 5.2 Virtual Appliance. Figure 1-1 Sample ANM Network Deployment The sample network application in Figure 1-1 illustrates the following ANM and ACE features: • VMware integration—Feature that enables ANM and the ACE to be integrated with VMware, allowing you to create and manage server farms for application delivery that consist of real servers that are a combination of physical servers and VMware virtual machines (VMs). VM VM VM VMware ESX (i) Host VM VM VM VMware ESX (i) Host VMware vCenter VMware vSphere Client Cisco ACE Virtual Machines Virtual Machines Physical Servers OTV/DCI Link (Dynamic Workload Scaling) Cisco Nexus 7000 Client Client Client Local Data Center Remote Data Center Cisco ANM Standalone Server or Virtual Appliance 330796 VM VM VM VMware ESX (i) Host Cisco Nexus 7000 ANM Mobile 1-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview IPv6 Considerations • Dynamic Workload Scaling—ACE feature that permits on-demand access to remote resources, such as VMs, that you own or lease from an Internet service provider (or cloud service provider). This feature uses Cisco’s Nexus 7000 series switches with Cisco’s Overlay Transport Virtualization (OTV), which is a Data Center Interconnect (DCI) technology used to create a Layer 2 link over an existing IP network between geographically distributed data centers. For more information, see the “Dynamic Workload Scaling Overview” section on page 8-4. Note Dynamic Workload Scaling requires ACE module or appliance software Version A4(2.0) or later and the Cisco Nexus 7000 Series switch. • ANM plug-in for vCenter Server—Enabling the plug-in on an ANM server or ANM Virtual Appliance permits access to ANM’s ACE server load-balancing functions from a VMware vSphere Client. For more information, see Appendix B, “Using the ANM Plug-In With Virtual Data Centers.” • ANM Mobile—Feature that enables supported mobile devices to access to your ANM server or ANM Virtual Appliance, allowing you to manage the network objects in much the same way you do from an ANM client. Using a mobile device, you can run ANM Mobile as a native application or inside the mobile device’s browser. For more information, see Chapter 19, “Using ANM Mobile.” IPv6 Considerations Beginning with ACE software Version 5.1, the ACE supports IPv6 configurations, which you can configure using ANM beginning with ANM software Version 5.1. The ACE supports IPv6 configurations with the following considerations: • All the management traffic used by ANM is required to send over IPv4 protocol. IPv6 is not supported. • By default, IPv6 is disabled on an interface. You must enable IPv6 on the interface to enable its configured IPv6 addresses. The interface cannot be in bridged mode. The interface may or may not have IPv4 addresses configured on it. • When you enable IPv6 or configure a global IPv6 address on an interface, the ACE automatically does the following: – Configures a link-local address (if it is not already configured) – Performs duplicate address detection (DAD) on both addresses You must enable IPv6 on the interface to enable global IPv6 address. • IPv6 on interface can be individually enabled or disabled. IPv6 cannot be enabled or disabled globally. • A link-local address is an IPv6 unicast address that has a scope of the local link only and is required on every interface. Every link-local address has a predefined prefix of FE80::/10. You can configure a link-local address manually. If you do not configure a link-local address before enabling an IPV6 address on the interface, the ACE automatically generates a link-local address with a prefix of FE80::/64. Only one IPv6 link-local address can be configured on an interface. In a redundant configuration, you can configure an IPv6 peer link-local address for the standby ACE. You can configure only one peer link-local address on an interface. 1-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview IPv6 Considerations • A unique-local address is an optional IPv6 unicast address that is used for local communication within an organization and it is similar to a private IPv4 address (for example, 10.10.2.1). unique-local addresses have a global scope, but they are not routable on the Internet, and they are assigned by a central authority. All unique-local addresses have a predefined prefix of FC00::/7. You can configure only one IPv6 unique-local address on an interface. In a redundant configuration, you can configure an IPv6 peer unique-local address on the active that is synchronized to the standby ACE. You can configure only one peer unique-local IPv6 address on an interface. • A global address is an IPv6 unicast address that is used for general IPv6 communication. Each global address is unique across the entire Internet. Therefore, its scope is global. The low order 64 bits can be assigned in several ways, including autoconfiguration using the EUI-64 format. You can configure only one globally unique IPv6 address on an interface. In a redundant configuration, you can configure an IPv6 peer global address that is synchronized to the standby ACE. When you configure redundancy with active and standby ACEs, you can configure a VLAN interface that has an alias global IPv6 address that is shared between the active and standby ACEs. The alias IPv6 address serves as a shared gateway for the two ACEs in a redundant configuration. You can configure only one alias global IPv6 address on an interface. • A multicast address is used for communications from one source to many destinations. IPv6 multicast addresses function in a manner that is similar to IPv4 multicast addresses. All multicast addresses have a predefined prefix of FF00::/8. • The ACE supports abbreviated IPv6 addresses. When using double colons (::) for leading zeros in a contiguous block, they can only be used once in an address. Leading zeros can be omitted. Trailing zeros cannot be omitted. The DM will abbreviate an IPv6 address after you finish typing it. If you enter the entire address with a block of contiguous zeros, the DM collapses it into the double colons. For example: FF01:0000:0000:0000:0000:0000:0000:101 becomes FF01::101. • The ACE uses the Neighbor Discovery (ND) protocol to manage and learn the mapping of IPv6 to Media Access Control (MAC) addresses of nodes attached to the local link. The ACE uses this information to forward and transmit IPv6 packets. The neighbor discovery protocol enables IPv6 nodes and routers to: – Determine the link-layer address of a neighbor on the same link – Find neighboring routers – Keep track of neighbors The IPv6 neighbor discovery process uses ICMPv6 messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), verify the reachability of a neighbor, and keep track of neighbor routers. The IPv6 neighbor discovery process uses the following mechanisms for its operation: – Neighbor Solicitation – Neighbor Advertisement – Router Solicitation – Router Advertisement – Duplicate Address Detection • The ACE supports IPv6-to-IPv6 L4/L7 SLB, including support for IPv6 VIP, predictor, probe, serverfarm, sticky, access-list, object-group, interface, source NAT, OCSP, and CRL. 1-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview Logging In To the Cisco Application Networking Manager • The probe must have the same IP address type (IPv6 or IPv4) as the real server. For example, you cannot configure an IPv6 probe to an IPv4 real server. • A server farm can support a mix of IPv6 and IPv4 real servers, and can be associated with both IPv6 and IPv4 probes. • Only the following Layer 7 protocols support IPv6: – Layer 7 HTTP/HTTPS/DNS – Layer 4 TCP/UDP • The ACE supports the following: – IPv6-to-IPv4 SLB and IPv4-to-IPv6 SLB for L7 HTTP/HTTP/TCP/UDP – Source NAT support of IPv6 – IPv6 access-list and object group – DHCPv6 relay • ICMPv6 traffic is not automatically allowed. You must configure the corresponding management traffic policy to allow the ping request to ACE. However, the necessary Neighbor Discovery (ND) messages for ARP, duplication address detection are automatically permitted. • Copying files over IPv6 to or from devices are not supported. • The ACE supports IPv6 HA: – All the FT transport (ft vlan) is still on IPv4. – Track IPv6 host /peer will be supported Logging In To the Cisco Application Networking Manager You access ANM features and functions through a web-based interface. The following sections describe logging in, the interface, and terms used in ANM. The ANM login window allows you to do the following tasks: • Log into the ANM server. • Change the password for your account (see the “Changing Your Account Password” section on page 1-6). • Obtain online help by clicking Help. Procedure Step 1 Choose one the following: • To log in after a new install, which uses the default web ports of 443 and 80, enter https://host. Note You do not have to explicitly enter the default ports 443 and 80. Caution If you log in using HTTP, you must change the properties file. See the “Changing ANM Software Configuration Attributes” section on page 20-1 for details. If you enable HTTP, you make your connection to ANM less secure. 1-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview Changing Your Account Password • To log in after an upgrade, enter https://:10443 or https://:10080. Note You must explicitly enter the nondefault ports 10443 and 10080. Note All browsers require that cookies, Javascript/scripting, and popup windows are enabled. If you reinstall a subsequent ANM release, you must delete the cookies and clear the browser cache. For example, enter https://192.168.10.10:10443. The login window appears. Step 2 In the User Name field, enter admin, which is the predefined user account that comes with a new installation. Note If you are logging in using ACS authentication (TACACS or RADIUS), you must add '@ to the username on the login page, or you will not be able to log in. Once you are logged in using this account, you can create additional user accounts. For information on changing account passwords, see the “Modifying User Accounts” section on page 18-21. Step 3 In the Password field, enter the password that you configured the admin account with when installing ANM. Step 4 Press Enter or click Login. When you log in, the default page that appears is the ANM Homepage (see the “ANM Windows and Menus” section on page 1-9). You can change your default page by making a different selection from the Homepage. See the “Customizing the Default ANM Page” section on page 2-4 for details. For a description of the user interface, see Figure 1-2 on page 1-8. The interface will not contain data until you add devices by one of the methods described in the “Importing Network Devices into ANM” section on page 5-10. . Related Topics • Changing Your Account Password, page 1-6 • ANM Interface Components, page 1-8 Changing Your Account Password You can change your account password when you log into ANM. Guidelines and Restrictions By default, the feature that allows you to change your password when logging into ANM is enabled; however, this feature can be disabled. When disabled, the ANM login window no longer displays the Change Password hyperlink. For more information, see the “Disabling the ANM Login Window Change Password Feature” section on page 18-50. 1-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview ANM Licenses Procedure Step 1 Using a web browser, navigate to the ANM login window by typing the IP address or hostname where ANM is installed. For example, enter https://192.168.10.10. The login window appears. Step 2 In the User Name field, enter your account username. Step 3 Click Change Password. The Change password configuration window appears. Step 4 In the User Name field, enter the username of the account that you want to modify. Step 5 In the Old Password field, enter the current password for this account. Step 6 In the New Password field, enter the new password for this account. Password attributes such as minimum and maximum length or accepted characters are defined at the organizational level. For more information on configuring passwords, see the “Configuring User Authentication and Authorization” section on page 18-9. Step 7 In the Confirm New Password field, reenter the new password for this account. Step 8 Do one of the following: • Click OK to save your entries and to return to the login window. • Click Cancel to exit this procedure without saving your entries and to return to the login window. Related Topics • Logging In To the Cisco Application Networking Manager, page 1-5 • ANM Interface Components, page 1-8 • Disabling the ANM Login Window Change Password Feature, page 18-50 ANM Licenses Beginning with ANM software Version 5.2, ANM includes a 90-day evaluation period that begins when you install the software image. During this time, you can use all the functions of ANM without installing a license, including managing any number of supported devices and any number of ACE virtual contexts. However, to continue using ANM beyond the evaluation period, you must install the ANM server license, which is available at no charge. The ANM demo license is also available, which allows ANM to perform all the functions associated with the ANM server license; however, the demo license has an expiration date associated with it. You can order a demo license if you do not know the PAK number required to order the ANM server license. For more information about the 90-day evaluation period, available ANM licenses, and installing a license, see the “Using ANM License Manager to Manage ANM Server or Demo Licenses” section on page 18-54 Related Topics Using ANM License Manager to Manage ANM Server or Demo Licenses, page 18-54 1-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview ANM Interface Components ANM Interface Components This section includes the following topics: • ANM Windows and Menus, page 1-9 • ANM Buttons, page 1-11 • Table Conventions, page 1-14 • ANM Screen Conventions, page 1-17 When you log in to ANM, the default window that appears is the Homepage from which you can access the operational and monitoring features of ANM. For details about using Homepage, see the “Information About Homepage” section on page 2-1). Figure 1-2 shows the Devices window (Config > Devices), which is an example ANM work window where you view the network device tree and perform network management tasks. Table 1-1 describes the numbered fields. Note The ANM software version that displays across the top of the window varies depending on your version of ANM. Figure 1-2 ANM Interface Components 1-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview ANM Interface Components Related Topics • ANM Windows and Menus, page 1-9 • ANM Interface Components, page 1-8 • Using Homepage, page 2-1 ANM Windows and Menus Figure 1-3 contains many common window elements found in ANM and described in Table 1-2. Not all windows contain all buttons. Note The ANM software version that displays across the top of the window varies depending on your version of ANM. Table 1-1 ANM Interface Components Descriptions Field Description 1 Navigation pane, which contains the following components: • High-level navigation path within the ANM interface, which includes Config, Monitor, and Admin. You can click an item in the navigation path to view that window. • Logout hyperlink. • About hyperlink that provides ANM version information. • Feedback hyperlink that opens a new browser window containing the ANM user feedback form hosted on www.ciscofeedback.vovici.com. • Help hyperlink that provides context-sensitive help and a PDF version of the ANM user guide. 2 Second-level Navigation pane, which contains another level of navigation. Clicking an option in this pane displays the associated window in the content area. 3 Content area, which contains the display and input area of the window. It can include tables, configuration items, buttons, or combinations of these items. 4 Status bar, which indicates the date and time of the ANM server machine. ANM frequently updates the status bar. 1-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview ANM Interface Components Figure 1-3 Example ANM Window Table 1-2 Example ANM Window Descriptions Number Description 1 Device tree that appears when you click Config or Monitor. The device tree includes All Devices and Groups folders: • The All Devices folder expands to show the names of imported Cisco devices and their associated modules or virtual contexts. When you click the plus sign (+) in front of a chassis icon, you can see a list of the modules in the chassis. When you expand an ACE appliance or ACE module, you can see the list of existing virtual contexts for that device. For more information about adding devices, see the “Importing Network Devices into ANM” section on page 5-10. • The Groups folder contains the list of user-defined groups. For more information about user-defined groups, see the “Configuring User-Defined Groups” section on page 5-72. The Organization tree displays when you click Admin > Role-Based Access Control. The organization tree includes all organizations in ANM. Choosing an organization name displays its details. To expand folders in the device tree, click the plus sign (+) to the right of an option. To collapse the structure, click the minus sign (-). At the top of the tree are the following buttons: • Refresh—Refreshes the device tree after you have imported devices or made changes to the User Groups. • Plus sign (+) —Allows you to add an item to the selected option in the device tree. • Garbage can—Deletes the selected entry. Note Menus are based on device types. Although menu labels are the same for different device types, the actual menu definition is different. For example, you cannot preserve the menu state while traversing back an forth from a module to a virtual context in the device tree. 2 Option menus, which appear in Config windows. Click the icon on the bar to show or hide the options. 1-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview ANM Interface Components Related Topics • ANM Buttons, page 1-11 • ANM Screen Conventions, page 1-17 ANM Buttons Table 1-3 describes the buttons that appear in some of the Config, Monitor, and Admin windows. 3 Object selector. Use this field to choose a device, context, building block, or other object that you want to view information on or configure. 4 Command buttons. Use these buttons to perform the action identified by the button label. 5 Input fields. Use these fields to make selections and provide information. When there are more than three choices for any field, the field displays as a drop-down list. Otherwise, selections display with radio buttons. 6 Feature panel that contains functions that correspond to what is selected in the device or organization tree. Click on a command to expand the list of options that correspond to that command. Table 1-2 Example ANM Window Descriptions Number Description Table 1-3 Button Descriptions Button Name Description ACL table (expand) Allows you to expand all ACL table entries. ACL table (collapse) Allows you to collapse all ACL table entries. ACL table (resequence) Allows you to open the resequence popup window that allows you to reorder the ACL table entries. Add Allows you to add an entry to the displayed table. Add another Saves the current entries and refreshes the window so that you can add another entry. Advanced editing mode Allows you to view or enter advanced arguments for the chosen display. 1-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview ANM Interface Components Auto refresh (pause) Allows you to interrupt the table data autorefresh process. Auto refresh (resume) Indicates that the table data autorefresh process is on pause and allows you to resume. Customize Allows you to customize the table to suit your needs. (See the “Customizing Tables” section on page 1-15.) Delete Deletes the chosen entry in the table. Duplicate Duplicates the chosen entry in the table. Edit Opens the configuration window of a chosen entry in the table. Groups Allows you to create groups of the following objects: • Real servers (see the “Managing Real Server Groups” section on page 8-10) • Virtual servers (see the “Managing Virtual Server Groups” section on page 7-67) • GSS VIP answers or DVS rules (see the “Creating a VIP Answer or DNS Rule Group” section on page 7-77) Filter Filters the displayed list of items according to the criteria that you specify. (See the “Filtering Entries” section on page 1-14.) Also displays a filter text box where strings can be entered. Go Appears when filtering is enabled; updates the table with the filtering criteria. Key Indicates that the associated field is a foreign key field. This field takes its values from another table. Plus Displays a table with information related to the field where Plus appears. For example, if Plus appears next to the field label VLAN Group, clicking Plus displays a list of all VLAN groups in a separate window. Table 1-3 Button Descriptions (continued) Button Name Description 1-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview ANM Interface Components Refresh Refreshes the content area. Save Displays the current information in a new window in either raw data or Microsoft Excel format so you can save it to a file or print it. Full window view Allows you to adopt a larger (full) window view for a table or dashboard window. Reduced window view (normal) Allows you to adopt a smaller window view for a table or dashboard window. Sort Sorts a column alphabetically up or down. Stop Stops the current process. If a process is only partially complete, it will finish its current operation and exit. For example, when stop is used during the import of two modules, it will complete only the first of two module imports. Switch between configure and browse modes Displays the subtables for those items that have additional sets of parameters that can be configured, such as Config > Devices > Network > VLAN Interfaces. Note This button is not available on single-row tables such as Config > Devices > System > Syslog or Config > Devices > System > SNMP. To switch between these modes, navigate to another window where the button appears (for example, Config > Devices > Load Balancing > Server Farms), click the button to enter desired mode, then return to the window on which the button was missing. You will remain in the mode you chose. View Excel Displays the raw data in Microsoft Excel format in a separate browser window. View raw data Displays the raw data in table format. Show as image Displays the historical data object graph in a separate browser window. Table 1-3 Button Descriptions (continued) Button Name Description 1-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview ANM Interface Components Related Topics • ANM Windows and Menus, page 1-9 • ANM Screen Conventions, page 1-17 Table Conventions This section describes the ANM GUI table conventions, including how to filter the information displayed and how to customize a table’s appearance. This section includes the following topics: • Filtering Entries, page 1-14 • Customizing Tables, page 1-15 • Using the Advanced Editing Option, page 1-16 Filtering Entries You can filter the information that a table displays. Click Filter to view table entries using the criteria that you chose. When filtering is enabled, a filter row appears above the first table entry that allows you to filter entries in the following ways: • In fields with drop-down lists, choose one of the ANM-identified categories (see Figure 1-4). The table refreshes automatically with the entries that match the chosen criterion. • In fields without drop-down lists, enter the string that you want to match, and then click Go above the first table entry. The table refreshes with the entries that match your input. • Enter the string in the filter box. For example, by entering the string gold and clicking Go, only the gold Resource Class virtual contexts appear (see Figure 1-4). Figure 1-4 Example Table with Filtering Enabled View as chart Toggles the display of a historical data object as a graph in the monitoring window. View as grid Toggles the display of a historical data object as a numerical grid in the monitoring window. From this display, you can export the data in Microsoft Excel format. Table 1-3 Button Descriptions (continued) Button Name Description 1-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview ANM Interface Components Related Topics • ANM Interface Components, page 1-8 • Customizing Tables, page 1-15 • Using the Advanced Editing Option, page 1-16 Customizing Tables You can customize a table for your use. Click Customize in a table to configure the table to suit your needs. When you place the cursor over Customize, the following items appear: • Default—When chosen with a check mark, this item indicates that the ANM default table format is being used by the current table. • Configure—When chosen, this item opens a dialog box that allows you to create a new customized table format or to modify the table format currently in use. Procedure Step 1 When viewing a table, choose Customize > Configure. The List Configuration dialog box appears. Step 2 In the List Configuration dialog box, enter the information in Table 1-4. Note Depending on the table that you chose, the available fields in the configuration table differ. Table 1-4 includes sample fields that might appear. Note You can be as inclusive or as restrictive as you like when setting table configuration options. Table 1-4 Table Configuration Attributes Field Description List Customization Name Unique name for a new table configuration. Fields Fields that you can include in the table, choose the fields from the Available Items list, and click Add. To remove fields from the table, choose the fields from the Selected Items list, and then click Remove. Up/Down Location of a column in the table that you can change. Choose its name in the column on the right, then click Up or Down to place it in the desired location. Group By Field that you want to group entries by. When you choose a field for grouping, one or more entries appears in the table with + at the beginning of the entry, the name of the field, the grouping criteria, and the number of items in the group. Click + to view all entries in the group. Descending Descending check box to sort the groups in reverse order. Clear the Descending check box to sort the groups in ascending order. 1-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview ANM Interface Components Step 3 Do one of the following: • Click Save to save your entries under a new name and to close the List Configuration dialog box. If a table using this format is displayed, the table is updated automatically. • Click Cancel to exit the procedure without saving your entries and to close the List Configuration dialog box. • Click Apply to apply your current entries to the table that you are viewing, to save your entries, and to close the List Configuration dialog box. • Click Delete to delete the currently selected customized table format. It no longer appears as an option when you click Customize. Related Topics • ANM Interface Components, page 1-8 • Filtering Entries, page 1-14 • Using the Advanced Editing Option, page 1-16 Using the Advanced Editing Option By default, tables include columns that contain configured attributes or a subset of columns related to a key field. To view all configurable attributes in table format, click Advanced Editing Mode (the highlighted button in Figure 1-5). When advanced editing mode is enabled, all columns appear for your review (see Figure 1-5). Sort By Field that you want to sort entries by. When you choose a field for sorting, all entries in the table are sorted according to the values in the selected field. Name Filter Name that represents the name of each field in the table. Enter the string or value that you want to filter the results by. You can enter complete or partial strings or values to be matched. Do not include wildcard characters. Version Filter Version that represents the name of each field in the table. Enter the string or value that you want to filter the results by. You can enter complete or partial strings or values to be matched. Do not include wildcard characters. Table 1-4 Table Configuration Attributes (continued) Field Description 1-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview ANM Interface Components Figure 1-5 Advanced Editing Enabled Window Related Topics • ANM Interface Components, page 1-8 • Filtering Entries, page 1-14 • Customizing Tables, page 1-15 ANM Screen Conventions Table 1-5 describes other conventions used in ANM screens. Related Topics • Table Conventions, page 1-14 Table 1-5 ANM Window Conventions Convention Example Description Dimmed field If no items are selected, buttons are dimmed. If an item is selected, only operational buttons appear. Red asterisk A red asterisk indicates a required field. Yellow field with red font Incorrect, invalid, or incomplete entries appear as red font against a yellow background with the reason for that error. In the example, an IP address cannot begin with four digits, which results in this display. Drop-down lists When there are more than three choices for any field, the field displays as a drop-down list. Otherwise, selections display with radio buttons. 1-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 1 Overview ANM Interface Components • ANM Interface Components, page 1-8 CHAPTER 2-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 2 Using Homepage This section describes how to use Homepage, which is a launching point for quick access to selected areas within Cisco Application Networking Manager (ANM). This chapter includes the following sections: • Information About Homepage, page 2-1 • Customizing the Default ANM Page, page 2-4 Information About Homepage Homepage allows you to have quick access to the following operations and guided setup tasks in ANM: • Operational tasks that you can access: – The Real Servers table to view information for each configured real server, activate or suspend real servers listed in the table, or modify server weight and connection limits. – The Virtual Servers table to view information for each configured virtual server and to activate or suspend virtual servers listed in the table. – The Cisco Global Site Selector (GSS) Answer table to manage GSS VIP answers (resources that respond to content queries) by specifying virtual IP (VIP) addresses associated with a server load balancer (SLB) such as the Cisco Content Services Switch (CSS), Cisco Content Switching Module (CSM), Cisco IOS-compliant SLB, LocalDirector, or a web server. – The DNS Rules table to specify actions in the DNS rules table for the GSS to take when it receives a request from a known source (a member of a source address list) for a known hosted domain (a member of a domain list). • Monitoring—Connect to the central Device Dashboard where you can quickly view device and virtual context monitoring results and track potential issues; view detailed context-level resource usage information; and monitor load balancing statistics for virtual servers. • Guided setup tasks that you can launch: – The Import Devices guided setup task to establish communication between ANM and hardware devices. – The Cisco Application Control Engine (ACE) Hardware Setup task to configure ACE devices that are new to the network by establishing network connectivity in either standalone or high-availability (HA) deployments. – The Virtual Context Setup task to create and connect an ACE virtual context. – The Application Setup task to configure end-to-end load-balancing for your application. 2-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 2 Using Homepage Information About Homepage • Configuration—Tasks that allow you to configure system attributes for a virtual context, control a user’s access to ANM, and display configuration and deployment changes logged in the ANM database. • Documentation—Quick links to ANM, ACE module, and ACE appliance user documentation on www.cisco.com. • System Summary—Tasks that allow you to display critical alarm notifications when the value for a specific statistic rises above the specified setting or display all critical events received from an ACE device for syslog and SNMP traps from all virtual contexts. By default, the ANM Homepage (see Figure 2-1) is the first page that appears in ANM after you log in. To access the Homepage from other locations within ANM, click the Home menu option at the top of the window. From the Homepage, you can customize which page you want to display for subsequent logins into ANM. See the “Customizing the Default ANM Page” section on page 2-4 for details. Note All menu options on the Homepage are under Role-Based Access Control (RBAC). Menu options will be grayed if proper permission has not been granted to the logged in user by the administrator. See the “How ANM Handles Role-Based Access Control” section on page 18-8 for more information about RBAC in ANM. Note The ANM software version that displays across the top of the window varies depending on your version of ANM. Figure 2-1 Homepage Window 2-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 2 Using Homepage Information About Homepage Table 2-1 identifies the Homepage links, associated pages in ANM, and related topics that can be found in this document. Table 2-1 Homepage Links Homepage Link ANM Page Related Topics Operational Tasks Manage Real Servers Config > Operations > Real Servers Managing Real Servers, page 8-9 Manage Virtual Servers Config > Operations > Virtual Servers Managing Virtual Servers, page 7-66 Manage GSS VIP Answers Config > Operations > GSS VIP Answers Managing GSS VIP Answers, page 7-73 Manage GSS DNS Rules Config > Operations > DNS Rules Activating and Suspending DNS Rules Governing GSS Load Balancing, page 7-75 Monitoring Dashboard Monitor > Devices > Dashboard Using Dashboards to Monitor Devices and Virtual Contexts, page 17-4 Resource Usage Summary Monitor > Devices > Resource Usage > Connections Monitoring System Traffic Resource Usage, page 17-27 Application Performance Summary Monitor > Devices > Load Balancing > Virtual Servers Monitoring Load Balancing, page 17-33 Guided Setup Import a Device Config > Guided Setup > Import Devices Using Import Devices, page 3-4 Configure ACE Hardware Config > Guided Setup > ACE Hardware Setup Using ACE Hardware Setup, page 3-5 Create a Virtual Context Config > Guided Setup > Virtual Context Setup Using Virtual Context Setup, page 3-10 Provision an Application Config > Guided Setup > Application Setup Using Application Setup, page 3-12 Configuration Configure Devices Config > Devices > System > Primary Attributes Configuring Virtual Context Primary Attributes, page 6-14 ANM Role-Based Access Control Admin > Role-Based Access Control > Users Managing User Accounts, page 18-17 Device Audit Config > Device Audit Performing Device Audit Trail Logging, page 18-59 Application Configs Config > Global > Application Configs Managing Application Template Instances, page 4-3 Application Config Templates Config > Global > Application Config Templates Managing Application Template Definitions, page 4-15 System Summary Critical Alarms Monitor > Alarm Notifications > Alarms Displaying Alarms in ANM, page 17-65 High Priority Syslogs Monitor > Events > Events Monitoring Events, page 17-55 Documentation 2-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 2 Using Homepage Customizing the Default ANM Page Note For information about the navigational tabs and hyperlinks located at the top of the Homepage window, see the “ANM Interface Components” section on page 1-8. Customizing the Default ANM Page You can choose the default page that you access after logging in to ANM. By default, the ANM Homepage is the first page that appears after you log in. From the ANM Homepage, you can specify a different page that appears as the default page after you log in. Procedure Step 1 If the Homepage is not active in ANM, click the Home tab. The Homepage appears. Step 2 From the Default Login Page drop-down list, choose one of the following pages that you want to appear after you log in to ANM: • Home > Welcome • Config > Guided Setup • Config > Devices • Config > Operations > Real Servers • Config > Operations > Virtual Servers • Config > Operations > GSS VIP Answers • Config > Operations > GSS DNS Rules Cisco ANM Documentation (link to documentation set on www.cisco.com) N/A N/A Cisco ACE Appliance Documentation (link to documentation set on www.cisco.com) N/A N/A Cisco ACE Module Documentation (link to documentation set on www.cisco.com) N/A N/A Cisco ACE Troubleshooting Guide (link to DocWiki) N/A N/A What is New in this ANM Release (link to release notes on www.cisco.com) Table 2-1 Homepage Links (continued) Homepage Link ANM Page Related Topics Operational Tasks 2-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 2 Using Homepage Customizing the Default ANM Page • Config > Deploy • Config > Device Audit • Monitor > Devices > Dashboard • Monitor > Devices > Resource Usage • Monitor > Devices > Traffic Summary • Monitor > Devices > Load Balancing > Real Servers • Monitor > Devices > Load Balancing > Probes • Monitor > Devices > Load Balancing > Statistics • Monitor > Devices > Load Balancing > Application Acceleration (ACE appliance only) • Monitor > Events • Monitor > Alarm Notifications > Alarms Step 3 Click Save to save your new selection as the default page the next time that you log in to ANM. 2-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 2 Using Homepage Customizing the Default ANM Page CHAPTER 3-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 3 Using ANM Guided Setup Date: 3/28/12 This chapter describes how to use Cisco Application Networking Manager (ANM) Guided Setup. Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This chapter includes the following sections: • Information About Guided Setup, page 3-1 • Guidelines and Limitations, page 3-4 • Using Import Devices, page 3-4 • Using ACE Hardware Setup, page 3-5 • Using Virtual Context Setup, page 3-10 • Using Application Setup, page 3-12 Information About Guided Setup ANM Guided Setup provides a series of setup sequences that offer GUI window guidance and networking diagrams to simplify the configuration of ANM and the network devices that it mananges. Guided Setup allows you to quickly perform the following tasks: • Establish communication between ANM and Application Control Engine (ACE) hardware devices. • Configure ACE devices that are new to the network by establishing network connectivity in either standalone or high-availability (HA) deployments. • Create and connect to an ACE virtual context. • Set up load balancing application from an ACE to a group of back-end servers. To access Guided Setup, click the Config tab located at the top of the window, then click Guided Setup. 3-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Information About Guided Setup Note The available menu and button options on the Guided Setup tasks are under Role-Based Access Control (RBAC). Menu and button options will be grayed if proper permission has not been granted to the logged in user by the administrator. See the “How ANM Handles Role-Based Access Control” section on page 18-8 for more information about RBAC in ANM. Table 3-1 identifies the individual guided setup tasks and related topics. Table 3-1 Guided Setup Tasks and Related Topics Guided Setup Tasks Purpose Related Topics Import devices Launch the Import Devices setup task to establish communication between ANM and hardware devices. Imported devices can include: ACE modules, ACE appliances, Catalyst 6500 series chassis, Catalyst 6500 Virtual Switching System (VSS) 1440, Cisco 7600 series routers, Content Services Switches (CSS) devices, Content Switching Module (CSM) devices, or Global Site Selector (GSS) devices. • Using Import Devices, page 3-4 • Information About Importing Devices, page 5-4 • Preparing Devices for Import, page 5-4 • Importing Network Devices into ANM, page 5-10 • Discovering Large Numbers of Devices Using IP Discovery, page 5-27 ACE hardware setup Launch the ACE Hardware Setup task to help you configure ACE devices that are new to the network by establishing network connectivity in either standalone or high-availability (HA) deployments. • Using ACE Hardware Setup, page 3-5 • Configuring Devices, page 5-34 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 • Managing Devices, page 5-66 • Configuring ACE High Availability Peers, page 13-15 3-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Information About Guided Setup Virtual context setup Launch the Virtual Context Setup task to create and connect an ACE virtual context. • Using Virtual Context Setup, page 3-10 • Using Resource Classes, page 6-43 • Creating Virtual Contexts, page 6-2 • Configuring Virtual Contexts, page 6-8 • Configuring VLANs Using Cisco IOS Software (ACE Module), page 12-3 Application setup Launch the Application Setup task to configure load balancing for your application. This task guides you through a complete end-to-end configuration of the ACE for many common server load-balancing situations. • Using Application Setup, page 3-12 • Creating an Application Template Instance, page 4-4 • Configuring Virtual Context VLAN Interfaces, page 12-6 • Configuring Virtual Context BVI Interfaces, page 12-19 • Configuring Virtual Context Static Routes, page 12-28 • Configuring Virtual Context BVI Interfaces, page 12-19 • Configuring Security with ACLs, page 6-78 • SSL Setup Sequence, page 11-4 Table 3-1 Guided Setup Tasks and Related Topics Guided Setup Tasks Purpose Related Topics 3-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Guidelines and Limitations Guidelines and Limitations As you perform a Guided Setup task, use the following operating conventions: • To move between steps, click the name of the step in the menu to the left. • The steps for each task are listed in an order that is designed to prevent problems during later steps; however, you can skip steps if you know they are not applicable to your application. • Depending on your user privileges, ANM may prevent you from making changes on certain steps. • You must save and deploy any changes you want to keep before leaving each page. • Each task can be run as many times as you like. Using Import Devices You can use the Import Device task to import ACE modules, ACE appliances, Catalyst 6500 series chassis, Catalyst 6500 Virtual Switching System (VSS) 1440, Cisco 7600 series routers, CSS devices, CSM devices, or GSS devices into ANM. You must import the hardware devices before ANM can manage them. Before You Begin • Because ANM communicates with network devices through Secure Shell (SSH) and other protocols, you must set up your devices to allow ANM to collect data from them. See the “Preparing Devices for Import” section on page 5-4. • Before ANM can import a device, you must ensure that the device has a management interface that ANM can access. Also, you need the IP address and credentials for the device's management interface in order to import it. • If the ACE module is new and retains its factory settings, you can configure basic management during the import process by using the Bare Blade option. Procedure Step 1 Choose Config > Guided Setup > Import Devices. The Import Devices window appears, which includes the All Devices table. Step 2 At the top of the All Devices table, click Add (+) to import a new device. The New Device window appears. Step 3 Enter the information for the specific device and complete the import devices procedure as described in “Importing Network Devices into ANM” section on page 5-10. Note To manage modules inside a Catalyst 6500 series switch, you must first import the Catalyst into the All Devices table. To import modules from a Catalyst that is already imported, choose the Catalyst switch from the All Devices table and click Modules below the All Devices table. 3-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using ACE Hardware Setup Note The time required to import depends on the size of the existing configuration on each device. The process can range from a few minutes to 30 minutes or more for a very large configuration. Step 4 After you finish importing the ACE devices (module or appliance) into ANM, continue to the ACE Hardware Setup task to guide you through the basic device setup and network configuration. See the “Using ACE Hardware Setup” section on page 3-5. Related Topics • Information About Importing Devices, page 5-4 • Preparing Devices for Import, page 5-4 • Importing Network Devices into ANM, page 5-10 • Discovering Large Numbers of Devices Using IP Discovery, page 5-27 • Using ACE Hardware Setup, page 3-5 Using ACE Hardware Setup You can use the ACE Hardware Setup task to configure ACE devices that are new to the network by establishing network connectivity in either standalone or high-availability (HA) deployments. Before You Begin Before you can set up the ACE hardware using ANM, you must use the Import Devices task to import the ACE into ANM if you have not already. See the “Using Import Devices” section on page 3-4. Assumptions • You can extend the functionality of the ACE by installing licenses. If you plan to extend the ACE functionality, ensure that you have received the proper software license key for the ACE, that ACE licenses are available on a remote server for importing to the ACE, or you have received the software license key and have copied the license file to the disk0: file system on the ACE using the copy path/]filename1 disk0: CLI command. Note See either the Cisco Application Control Engine Module Administration Guide or Cisco 4700 Series Application Control Engine Appliance Administration Guide for details on the copy path/]filename1 disk0: CLI command. • You must be in the Admin virtual context on an ACE device (ACE module or ACE appliance) to configure ACE devices that are new to the network. • When importing an ACE HA pair into ANM, you should follow one of the following configuration requirements so that ANM can uniquely identify the ACE HA pair: – Use a unique combination of FT interface VLAN and FT IP address/peer IP address for every ACE HA pair imported into ANM. For HA, it is critical that the combination of FT interface VLAN and IP address/peer IP address is always unique across every pair of ACE peer devices. 3-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using ACE Hardware Setup – Define a peer IP address in the management interface using the management IP address of the peer ACE (module or appliance). The management IP address and management peer IP address used for this definition should be the management IP address used to import both ACE devices into ANM. Note For more information about the use of HA pairs imported into ANM, see the “ANM Requirements for ACE High Availability” section on page 5-8. • When you are configuring the ACE, changes to the physical interfaces (including Gigabit Ethernet ports or port channels) can result in a loss of connectivity between ANM and the ACE. Use caution when following the ACE Hardware Setup task if you are modifying the interface that management traffic is traversing. Procedure Step 1 Choose Config > Guided Setup > ACE Hardware Setup. The ACE Hardware Setup window appears, which includes the ACE Device and Configuration Type drop-down lists. Step 2 From the ACE Device drop-down list, choose an ACE device (module or appliance). Step 3 From the Configuration Type drop-down list, choose whether to set up the ACE as a standalone device or as a member of a high-availability (HA) ACE pair: • Standalone—The ACE is not to be used in an HA configuration. • HA Secondary—The ACE is to be the secondary peer in an HA configuration. • HA Primary—The ACE is to be the primary peer in an HA configuration. Note Ensure that you complete the ACE hardware setup task for the secondary device before you set up the primary device. Step 4 Click Start Setup. The License window appears (Config > Guided Setup > ACE Hardware Setup > Licenses). Cisco offers licenses for ACE modules and appliances that allows you to increase the number of default contexts, bandwidth, and SSL TPS (transactions per second). For more information, see either the Cisco Application Control Engine Module Administration Guide or the Cisco 4700 Series Application Control Engine Appliance Administration Guide on cisco.com. If you need to install licenses at this point, go to Step 5. If you do not need to install licenses at this point, go to Step 6. Step 5 Install one or more ACE licenses (see the “Managing ACE Licenses” section on page 6-36). Note For an ACE primary and secondary HA pair, because each ACE license is only valid on a single hardware device, licenses are not synchronized between HA peer devices. You must install an appropriate version of each license independently on both the primary and secondary ACE devices. 3-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using ACE Hardware Setup Step 6 Click SNMP v2c Read-Only Community String under ACE Hardware Setup (Config > Guided Setup > ACE Hardware Setup > SNMP v2c Read-Only Community String). The SNMP v2c Read-Only Community String window appears. Perform the following actions to configure an SNMP community string (a requirement for an ACE to be monitored by ANM): a. Click Add (+) at the top of the SNMP v2c Read-Only Community String table to create an SNMP community string. The New SNMP v2c Community window appears. Note For ANM to monitor an ACE, you must configure an SNMPv2c community string in the Admin virtual context. b. In the Read-Only Community field, enter the SNMP read-only community string name. Valid entries are unquoted text strings with no spaces and a maximum of 32 characters. Additional SNMP configuration selections are available under Config > Devices > context > System > SNMP. See the “Configuring SNMP for Virtual Contexts” section on page 6-27. Step 7 If you are configuring an ACE appliance, to group physical ports together on the ACE appliance to form a logical Layer 2 interface called the port-channel (sometimes known as EtherChannels), click Port Channel Interfaces under ACE Hardware Setup. The Port Channel Interfaces window appears (Config > Guided Setup > ACE Hardware Setup > Port Channel Interfaces). Note You must configure port channels on both the ACE appliance and the switch that the ACE is connected to. Perform the following actions to configure a port channel interface: a. If you want to poll the devices and display the current values, click Poll Now, and then OK when prompted if you want to poll the devices for data now. b. At the top of the Port Channel Interfaces table, click Add (+) to add a port channel interface, or choose an existing port channel interface and click Edit to modify it. The New Port Channel Interface window appears. Note If you click Edit, not all of the fields can be modified. c. Enter the port channel interface attributes as described in the “Configuring Port-Channel Interfaces for the ACE Appliance” section on page 12-35. d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. e. To display statistics and status information for a port-channel interface, choose the interface from the Port Channel Interfaces table and click Details. The show interface port-channel CLI command output appears. See the “Displaying Port Channel Interface Statistics and Status Information” section on page 12-40 for details. 3-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using ACE Hardware Setup Step 8 If you are configuring an ACE appliance, to configure one or more of the Gigabit Ethernet ports on the appliance, click GigabitEthernet Interfaces under ACE Hardware Setup. The GigabitEthernet Interfaces window appears (Config > Guided Setup > ACE Hardware Setup > GigabitEthernet Interfaces). a. If you want to poll the devices and display the current values, click Poll Now, and then OK when prompted if you want to poll the devices for data now. b. Choose an existing Gigabit Ethernet interface and click Edit to modify it. c. Enter the Gigabit Ethernet physical interface attributes as described in the “Configuring Gigabit Ethernet Interfaces on the ACE Appliance” section on page 12-32. d. Click Deploy Now when completed to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. e. Repeat Steps a through c for each Gigabit Ethernet interface that you want to configure. f. To display statistics and status information for a particular Gigabit Ethernet interface, choose the interface from the GigabitEthernet Interfaces table, then click Details. The show interface gigabitEthernet CLI command output appears. See the “Displaying Gigabit Ethernet Interface Statistics and Status Information” section on page 12-35 for details. Step 9 If the ACE is a member of an HA ACE pair, click VLAN Interfaces under ACE Hardware Setup. The VLAN Interfaces window appears (Config > Guided Setup > ACE Hardware Setup > VLAN Interfaces). Note To prevent loss of management connectivity during an HA configuration, you must configure the IP addresses of the management VLAN interface correctly for your HA setup. During this procedure, choose the management VLAN interface (and click the Edit button) and make sure its IP address, alias IP address, and peer IP address are all set correctly. You can repeat this process for any VLAN interfaces that you want. If the management VLAN is properly configured before establishing HA, you will be able to return later to reconfigure other VLANs. a. If you want to poll the devices and display the current values, click Poll Now, and then OK when prompted if you want to poll the devices for data now. b. Click Add to add a new VLAN interface, or choose an existing VLAN interface and click Edit to modify it. Note If you click Edit, not all of the fields can be modified. c. Enter the VLAN interface attributes as described in the “Configuring Virtual Context VLAN Interfaces” section on page 12-6. Click More Settings to access the additional VLAN interface attributes. By default, ANM hides the default VLAN interface attributes and the VLAN interface attributes which are not commonly used. d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. e. To display statistics and status information for a VLAN interface, choose the VLAN interface from the VLAN Interface table, then click Details. The output of the show interface vlan, show ipv6 interface vlan, and show ipv6 neighbor CLI commands appears. The IPv6 commands require ACE module and ACE appliance software Version A5(1.0) or later. See the “Displaying VLAN Interface Statistics and Status Information” section on page 12-18 for details. 3-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using ACE Hardware Setup Step 10 If the ACE is the primary peer in a high availability (HA) configuration, click HA Peering under ACE Hardware Setup (Config > Guided Setup > ACE Hardware Setup > HA Peering). a. Click Edit below the HA Management section to configure the primary ACE and the secondary ACE as described in the “Configuring ACE High Availability Peers” section on page 13-15. There are two columns, one for the selected ACE and another for a peer ACE. You can specify the following information: – Identify the two members of a HA pair. – Assign IP addresses to the peer ACEs. – Assign an HA VLAN to HA peers and bind a physical Gigabit Ethernet interface to the FT VLAN. – Configure the heartbeat frequency and count on the peer ACEs in a fault-tolerant VLAN. When completed, click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. Note For ACE modules, the HA VLAN specified for ACE HA Groups must also be set up on the Catalyst 6500 series switch using the svclc command. See the “Configuring VLANs Using Cisco IOS Software (ACE Module)” section on page 12-3 for details. b. Click Add below the ACE HA group table to add a new high availability group. Enter the information in the configurable fields as described in the “Configuring ACE High Availability Peers” section on page 13-15. When completed, click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The HA State field displays FT VLAN Compatible once HA setup has been successfully completed. Note To display statistics and status information for a particular HA group, choose the group from the ACE HA Groups table and click Details. The show ft group group_id detail CLI command output appears. See the “Displaying High Availability Group Statistics and Status” section on page 13-21 for details. Step 11 Once the HA State field in the ACE HA Groups table shows a successful state, the ACE is ready for further configuration as follows: • To set up additional virtual contexts, continue to the Virtual Context Setup task to create and connect an ACE virtual context. See the “Using Virtual Context Setup” section on page 3-10. • To set up an application in an existing virtual context, continue to the Application Setup task to set up load-balancing for an application from an ACE to a group of back-end servers. See the “Using Application Setup” section on page 3-12. Related Topics • Using Import Devices, page 3-4 • Configuring Devices, page 5-34 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 • Managing Devices, page 5-66 3-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using Virtual Context Setup Using Virtual Context Setup You can use the Virtual Context Setup task to create and connect an ACE virtual context. Virtual contexts use virtualization to partition your ACE appliance or module into multiple virtual devices, or contexts. Each context contains its own set of policies, interfaces, resources, and administrators. Before You Begin You must be in the Admin context on the ACE to create a new user context. Procedure Step 1 Choose Config > Guided Setup > Virtual Context Setup. The Virtual Context Setup window appears. Step 2 From the ACE Device drop-down list, choose an ACE. Step 3 Click Start Setup. The Resource Classes window appears (Config > Guided Setup > Virtual Context Setup > Resource Classes). Perform the following tasks to create or modify a resource class: a. If you want to create a resource class, click Add (+). The New Resource Class configuration window appears. Enter the resource information as described in the “Configuring Global Resource Classes” section on page 6-46. b. If you want to modify an existing resource, choose the resource class that you want to modify, then click Edit. The Edit Resource Class configuration window appears. Enter the resource information as described in the “Modifying Global Resource Classes” section on page 6-50. c. Click OK to save your entries and to return to the Resource Classes table. Make note of the resource class that you want to use because you will need it in Step 5. Step 4 Click Virtual Context Management under Virtual Context Setup. The Virtual Context window appears (Config > Guided Setup > Virtual Context Setup > Virtual Context Management). Perform the following actions to create or modify a virtual context: a. If you want to create a virtual context, click Add (+). The New Virtual Context window appears. Configure the virtual context as described in the “Configuring Virtual Contexts” section on page 6-8. b. If you want to modify an existing virtual context, choose the virtual context that you want to modify and click Edit. The Edit Resource Class configuration window appears. Enter the resource information as described in the “Modifying Global Resource Classes” section on page 6-50. Step 5 To create or modify the attributes of a virtual context, configure the virtual context as described in the “Configuring Virtual Contexts” section on page 6-8. When completed, click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. Follow these guidelines when creating or modifying the virtual context: • To connect the virtual context to the available VLANs, specify one or more VLANs in the Allocated VLANs field. You can specify multiple VLAN values and ranges (for example, “10, 14, 70-79”). • For virtual contexts configured for an ACE, do the following: 3-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using Virtual Context Setup – For an ACE appliance, you must set up all VLANs used in this step as trunk or access VLANs on the port channel or Gigabit Ethernet interfaces. If you did not set up these VLANs during the ACE Hardware Setup task, you can return to the ACE Hardware Setup window to configure the required VLANs. See the “Using ACE Hardware Setup” section on page 3-5. – For an ACE module, you must set up all VLANs used in this step as trunk or access VLANs on the Catalyst 6500 series switch using the svclc command. See the “Configuring VLANs Using Cisco IOS Software (ACE Module)” section on page 12-3 for details. • When specifying the resource class for the virtual context, choose the resource class that you created or specified in Step 3. Note If you are unsure of the resource class to use for this virtual context, choose default. You can change the resource class setting at a later time. • If HA has been correctly configured for this ACE device, the High Availability checkbox will be checked. If the checkbox is unchecked, check it to instruct ANM to automatically configure synchronization for this virtual context. Note The High Availability checkbox is available only if HA Peering has previously been completed for the ACE hardware. • If you want to set up a separate management VLAN interface for the virtual context, under Management Settings, configure the management interface for this virtual context and create an admin user. Each context also has its own management VLAN that you can access using the ANM GUI. In this case, you would assign an independent VLAN and IP address for management traffic to access the virtual context. Step 6 To edit the load-balancing configuration for a virtual context, continue to the Application Setup task. See the “Using Application Setup” section on page 3-12. Related Topics • Using Import Devices, page 3-4 • Using ACE Hardware Setup, page 3-5 • Information About Virtual Contexts, page 6-2 • Using Resource Classes, page 6-43 • Creating Virtual Contexts, page 6-2 • Configuring Virtual Contexts, page 6-8 • Configuring VLANs Using Cisco IOS Software (ACE Module), page 12-3 • Using Application Setup, page 3-12 3-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using Application Setup Using Application Setup This section includes the following topics on application setup: • ACE Network Topology Overview, page 3-12 • Using Application Setup, page 3-14 ACE Network Topology Overview With respect to ACE configuration, the network topology describes where—which VLAN or subnet—client traffic comes into the ACE and where this traffic is sent to real servers. Network configuration for ACE load balancing depends on the surrounding topology. By specifying to ANM the topology that is appropriate for your networking application, ANM can present more relevant options and guidance. The network topology is often determined solely by your existing network; however, the goals for your ACE deployment can also play a role. For example, when ACE acts as a router between clients and servers, it provides a level of protection by effectively hiding the servers from the clients. On the other hand, for a routed topology to work, each of those servers must be configured to route back through the ACE, which can be a significant change to the network routing. The ACE is also capable of bridging the client and server VLANs, which does not affect server routing. However, it does require the network to have VLANs set up appropriately. If you are not sure what topology to use, or do not want to make topology decisions immediately, use the “one-armed” topology. The one-armed topology does not typically require any changes to an existing network and can be set up with minimal knowledge of the network. You can then expand your ACE network topology to routed mode or bridged mode to better suit your networking requirements. Figure 3-1 illustrates the one-armed network topology. Figure 3-1 Example of a One-Armed Network Topology 247750 ACE Virtual Context Real Servers Router/ Switch Client to ACE Request Client IP (src): VIP (dst): 172.16.5.10 Client to ACE Request Nat Pool IP (src): 172.16.5.101 Server IP (dst): 192.168.1.11 ACE VLAN e.g. 172.16.5.0/16 Server VLAN e.g. 192.168.1.0/16 Client Network 3-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using Application Setup Figure 3-2 illustrates the routed mode network topology. Figure 3-2 Example of a Routed Mode Network Topology Figure 3-3 illustrates the bridged mode network topology. Figure 3-3 Example of a Bridged Mode Network Topology 247751 ACE Virtual Context Real Servers Router/ Switch Real Server Default Routes Client VLAN e.g. 172.16.5.0/16 Server VLAN e.g. 192.168.1.0/16 Client Network 247752 ACE Virtual Context Real Servers Router/ Switch Real Server Default Routes Client VLAN Server VLAN BVI e.g. 192.168.1.0/16 Client Network 3-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using Application Setup Using Application Setup You use the Application Setup task to set up load balancing for an application in which you choose an application type, virtual context to configure, and network topology (see Figure 3-4). ANM Guided Setup displays a list of configuration attributes to define that is based on your choice of application type and network topology. Figure 3-4 Guided Setup: Application Setup Guidelines and Restrictions The Application Type drop down list (see Figure 3-4) includes both non-template and template-based options. The template-based options are application definition templates that allow you to quickly configure one or more ACE virtual contexts (or devices) with a complex configuration for well known or custom in-house applications. A template can be a Cisco-defined system template or it can be user-defined. The number of system templates that display in the drop-down list increases as more of these templates become available during ANM upgrades or you import them into ANM from the Cisco Developers Network. For more information, see the “Information About Application Template Definitions and Instances” section on page 4-1. By default, all system templates display in the Application Type drop down list. You can edit a template so that it does not display in this list. For more information, see the “Editing an Application Template Definition” section on page 4-15. Procedure Step 1 Choose Config > Guided Setup > Application Setup. The Application Setup window appears. Step 2 From the Application Type drop-down list, choose an application as follows: 3-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using Application Setup • Non-template options—Choose one of the following application types if you do not want to create an application that is not based on a system or user-defined template: – Generic-SSL-HTTP—Choose this application type if your ACE is to use HTTPS when communicating with either the client or with real servers. – Generic-Non-SSL—Choose this application type if your ACE is to use HTTP when communicating with either the client or with real servers. These applications allow you to create an application that is more granular in terms of the number of attributes that you can configure using Guided Setup compared to an application based on a system or user template. • Template-based options—Choose one of the application types that are based on a system template provided with ANM or a user-defined template. Examples of system templates include the following: – Microsoft Exchange – Microsoft SharePoint For more informtion, see “Guidelines and Restrictions.” Step 3 From the Select Virtual Context drop-down list, choose an existing ACE virtual context. Step 4 Choose the network topology that reflects the relationship of the selected ACE virtual context to the real servers in the network. Topology choices include one-armed, routed, or bridged. See the “ACE Network Topology Overview” section on page 3-12 for background details on networking topology. Step 5 Click Start Setup. Step 6 Configure the attributes that are associated with the selected application type and topology and listed under Application Setup (see Figure 3-5) and described in Table 3-2, which includes all possible attributes. Figure 3-5 Navigating Application Setup Configuration Attributes 3-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using Application Setup Note As you complete and deploy an attribute configuration, go to the next one by clicking on the attribute listed under Application Setup (see Figure 3-5). Table 3-2 Guide Setup Configuration Attributes Attribute Description VLAN Interfaces To communicate with the client and real servers, a VLAN interface must be specified for client and server traffic to be sent and received. Perform the following actions to configure a VLAN interface: a. If you want to poll the devices and display the current values, click Poll Now, and then click OK when prompted to poll the devices for data. b. Click Add to add a new VLAN interface, or choose an existing VLAN interface and click Edit to modify it. c. Enter the VLAN interface attributes. Click More Settings to access the additional VLAN interface attributes. By default, ANM hides the default VLAN interface attributes and the VLAN interface attributes that are not commonly used. For configuration details, see the “Configuring Virtual Context VLAN Interfaces” section on page 12-6. Note After you define the VLAN, write down the VLAN number. You need this number when configuring the ACLs and Virtual Server attributes. d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. e. To display statistics and status information for a VLAN interface, choose the VLAN interface from the VLAN Interface table, then click Details. The output of the show interface vlan, show ipv6 interface vlan, and show ipv6 neighbor CLI commands appears. The IPv6 commands require ACE module and ACE appliance software Version A5(1.0) or later. See the “Displaying VLAN Interface Statistics and Status Information” section on page 12-18 for details. 3-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using Application Setup BVI Interfaces Perform the following actions to configure a BVI interface: a. If you want to poll the devices and display the current values, click Poll Now, and then OK when prompted if you want to poll the devices for data now. b. Click Add to add a new BVI interface, or choose an existing BVI interface, then click Edit to modify it. c. Enter the BVI interface attributes. For configuration details, see the “Configuring Virtual Context BVI Interfaces” section on page 12-19. Note After you define the BVI, write down the client-side VLAN number. You need this number when configuring the ACLs and Virtual Server attributes. d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. e. To display statistics and status information for a BVI interface, choose the BVI interface from the BVI Interface table, then click Details. The show interface bvi, show ipv6 interface bvi, and show ipv6 neighbors CLI commands output appears. The IPv6 commands require ACE module and ACE appliance software Version A5(1.0) or later. See the “Displaying BVI Interface Statistics and Status Information” section on page 12-26 for details. NAT Pools To set up a one-armed topology, you need a NAT pool to provide the set of IP addresses that ACE can use as source addresses when sending requests to the real servers. Note You must configure the NAT pool on the same VLAN interface that you configured in Step 6. Perform the following actions to create or modify a NAT pool for a VLAN: a. Click Add to add a new NAT pool entry, or choose an existing NAT pool entry and click Edit to modify it. The NAT Pool configuration window appears. b. Configure the NAT pool attributes. For configuration details, see the “Configuring VLAN Interface NAT Pools” section on page 12-26. Note After you define the NAT pool, write down the NAT pool ID. You specify the NAT pool ID when configuring the Virtual Server attributes. c. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. Table 3-2 Guide Setup Configuration Attributes (continued) Attribute Description 3-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using Application Setup ACLs An ACL applies to one or more VLAN interfaces. Each ACL consists of a list of entries, each of which defines a source, a destination, and whether to permit or deny traffic between those locations. Perform the following actions to create or modify an ACL: a. Click Add to add a new ACL entry, or choose an existing ACL entry and click Edit to modify it. The Access List configuration window appears. b. Add or edit the required fields. For configuration details, see the “Configuring Security with ACLs” section on page 6-78. c. Click Deploy to save this configuration. d. To display statistics and status information for an ACL, choose an ACL from the ACLs table, then click Details. The show access-list access-list detail CLI command output appears. See the “Displaying ACL Information and Statistics” section on page 6-89 for details. SSL Proxy Note To terminate or initiate HTTPS connections with ACE, the virtual context must have at least one SSL proxy service. An SSL proxy contains the certificate and key information needed to terminate HTTPS connections from the client or initiate them to the servers. Perform the following actions to create or modify an SSL proxy service: a. To create an SSL proxy service, click SSL Proxy Setup. Note To edit an existing SSL proxy service, choose it from the SSL Proxy table, and click Edit to modify the SSL proxy service. The SSL Proxy Service configuration window appears. Edit the required fields as described in the “Configuring SSL Proxy Service” section on page 11-27. b. Add required fields. For configuration details, see the “Configuring SSL Proxy Service” section on page 11-27. c. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. Table 3-2 Guide Setup Configuration Attributes (continued) Attribute Description 3-19 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using Application Setup Virtual Server The virtual server defines the load-balancing configuration for an application. Perform the following actions to create or modify a virtual server: a. If you want to poll the devices and display the current values, click Poll Now, and then OK when prompted if you want to poll the devices for data now. b. Click Add to add a new virtual server, or choose an existing virtual server, and click Edit to modify it. The Virtual Server configuration window appears with a number of configuration subsets. The subsets that you see depend on whether you use the Basic View or the Advanced View and entries you make in the Properties subset. Change views by using the View object selector at the top of the configuration pane. c. Add or edit required fields. For configuration details, see the “Virtual Server Configuration Procedure” section on page 7-7. Table 7-1 identifies and describes virtual server configuration subsets with links to related topics for configuration information. Virtual servers have many configuration options. At a minimum, you need to configure the following attributes: – Set the VIP, port number (TCP or UDP), and application protocol for your application. Note If the ACE is to terminate the client HTTPS connections, choose HTTPS as the Application Protocol. – (One-Armed Topology) For VLAN, choose the VLAN defined in VLAN Interfaces. – (Routed Topology) For VLAN, choose the client-side VLAN defined VLAN Interfaces. – (Bridged Topology) For VLAN, choose the client-side VLAN defined in VLAN Interfaces. – If the ACE is to terminate client HTTPS connections, then under the SSL Termination header, specify the SSL proxy defined in SSL Proxy. – Under the Default L7 Loadbalancing Action, set Primary Action to Loadbalance. – Create a server farm that contains one or more real servers for this application (see Table 7-13 in the “Configuring Virtual Server Layer 7 Load Balancing” section for details on setting server farm attributes). – If the ACE is to initiate HTTPS connections to the real servers, choose the desired SSL proxy for initiation to this application from the menu next to SSL Initiation. – (One-Armed Topology) Under NAT, enter the NAT pool ID from Step 8. After you set up a base virtual server, you can test it to validate your configuration and isolate any issues in your networking application. You can then add these more advanced load balancing options to your networking application: – Additional real servers to a server farm. See Table 7-13 in the “Configuring Virtual Server Layer 7 Load Balancing” section for details. – Health monitoring probes and attributes for the specific probe type. See Table 7-14 in the “Configuring Virtual Server Layer 7 Load Balancing” section for details. – Stickiness, where client requests for content are to be handled by a sticky group when match conditions are met. See Table 7-15 in the “Configuring Virtual Server Layer 7 Load Balancing” section for details. Table 3-2 Guide Setup Configuration Attributes (continued) Attribute Description 3-20 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 3 Using ANM Guided Setup Using Application Setup Related Topics • Using Import Devices, page 3-4 • Using ACE Hardware Setup, page 3-5 • Using Virtual Context Setup, page 3-10 • Configuring Virtual Context VLAN Interfaces, page 12-6 • Configuring Virtual Context BVI Interfaces, page 12-19 • Configuring Virtual Context Static Routes, page 12-28 • Configuring Virtual Context BVI Interfaces, page 12-19 • Configuring Security with ACLs, page 6-78 • SSL Setup Sequence, page 11-4 Virtual Server (continued) – Application protocol inspection, where the ACE allows the virtual server to verify protocol behavior and identify unwanted or malicious traffic passing through the ACE. See the “Configuring Virtual Server Protocol Inspection” section for details. d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. e. To display statistics and status information for an existing virtual server, choose a virtual server from the Virtual Servers table, then click Details. The show service-policy global detail CLI command output appears. See the “Displaying Virtual Server Statistics and Status Information” section on page 7-65 for details. Application Config You can create an application configuration or modify one that is staged (not deployed). Perform the following actions to create or modify an application configuration: a. Click Add to add a new application config, or choose an existing application config with a Type of Staged, and click Edit to modify it. The Application Configuration window appears. b. Configure or edit the required fields. For configuration details, see the “Creating an Application Template Instance” section on page 4-4. c. Do one of the following: - Click Deploy Now to deploy this application config on the ACE and save your entries to the running-configuration and startup-configuration files. - Click Save to save the information but not deploy the application config to the ACE. Use this option if you want to deploy or complete the configuration at a later time. Table 3-2 Guide Setup Configuration Attributes (continued) Attribute Description CHAPTER 4-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 4 Using Application Template Definitions Date: 3/28/12 This chapter describes how to use Cisco Application Networking Manager (ANM) application template definitions for configuring ACE virtual contexts. Note This chapter uses the terms “virtual context” and “device” interchangeably. Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This chapter includes the following sections: • Information About Application Template Definitions and Instances, page 4-1 • Managing Application Template Instances, page 4-3 • Managing Application Template Definitions, page 4-15 Information About Application Template Definitions and Instances The ANM application template definitions allow you to quickly configure one or more ACE virtual contexts (or devices) with a complex configuration for well-known or custom in-house applications. A template is defined by an XML template definition file, which contains the configuration that is deployed to a device with place holders for variable replacement. The template variables are presented to the user in the ANM GUI. The two types of application template definitions are as follows: • System templates—Defined by Cisco and included in ANM for major applications. You can edit a system file to customize it if needed. 4-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Information About Application Template Definitions and Instances Examples of system templates are as follows: – Basic HTTP – DNS – DWS with Cisco Nexus 7000 OTV – FTP – Java Application Server – Layer 3 LB – Layer 4 LB – Microsoft Exchange 2010 – Microsoft SharePoint 2010 – RDP – Secure Webserver • User-defined templates—User defined for custom applications. You can create a user-defined template that is based on an existing template or you can create a template using the base code provided in this chapter. The template file follows a specific schema that is defined by ANM. All user-defined templates must follow this schema before ANM can deploy it to an ACE. You can create or edit a template using the internal ANM template editor or you can use the template export and import feature that allows you to use an external XML editor. Using application template definitions, you create application template instances, which are based on the template that you choose. You can display and manage application template instances on a global or device-specific level. Guidelines and Restrictions The variable fields of an application template definition are role-based access controlled (RBAC), which means that when you use a template to create an application template instance, your user account must be configured with the required roles that will allow you to enter the variable information. ANM does not allow you to enter variable information for those fields that you are not permitted to fill in. If you are not permitted to enter all the variable information, you can save the incomplete template instance with the information that you are allowed to input, and then have a user with the required roles complete the template instance so that it can be deployed. Related Topics • Managing Application Template Instances, page 4-3 • Managing Application Template Definitions, page 4-15 4-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Instances Managing Application Template Instances Application template instances are ACE configurations that you create based on a specific application template definition. ANM maintains a table of the template instances that you create using ANM, which you can view by doing one of the following: • To display the template instances of all devices, display the global view by doing one of the following: – Choose Home and from the Configuration category, choose Application Template Instances. – Choose Config > Global > Application Template Instances. • To display only the template instances associated with a specific device, choose Config > Devices > context > Load Balancing > Application Template Instances. The Application Template Instances window appears, displaying the information described in Table 4-1. From the Application Template Instances window, you can perform such tasks as creating, editing, deploying, or deleting a template instance. Note ANM tracks only application template instances that you create and deploy using ANM. It does not discover template instances that may reside on an ACE. For example, if you use the CLI to configure an ACE with a configuration that matches an installed application template configuration, you will not see this configuration listed as a template instance in the ANM GUI (Config > Global > Application Template Instances). This section includes the following topics: • Creating an Application Template Instance, page 4-4 • Deploying a Staged Application Template Instance, page 4-7 Table 4-1 Application Template Instances Window Field Description Name Application template instance name. Application Type Name of the application template definition used to create the template instance. Device Virtual context associated with the template instance. Type Template instance type as follows: • Staged—Template instance is saved but has not been deployed. • Deployed—Template instance is saved and deployed to the device. Status Current status of the template instance as follows: • Complete—Template instance attributes have all been defined and the template instance can be deployed if the Type field displays Staged (see the “Deploying a Staged Application Template Instance” section on page 4-7). • Incomplete—Template instance attributes have not all been defined so it cannot be deployed. This status is possible only when the Type field displays Staged. Last Updated Time Last time that ANM retrieved the status information. 4-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Instances • Editing an Application Template Instance, page 4-9 • Duplicating an Application Template Instance, page 4-10 • Viewing and Editing Application Template Instance Details, page 4-12 • Deleting an Application Template Instance, page 4-13 Creating an Application Template Instance You can create an application template instance by configuring a virtual context using an application template definition. Prerequisites You must have a user account with the following RBAC tasks assigned to it: ace_interface=modify, ace_access-list=modify, ace_ssl=modify, ace_vip=modify Procedure Step 1 Display the Application Template Instances window by doing one of the following: • Choose Home and from the Configuration category, choose Application Template Instances. • Choose Config > Devices > context > Load Balancing > Application Template Instances. • Choose Config > Global > Application Template Instances. For information about the information that is displayed, see Table 4-1. Note You can also create a template instance using Application Setup (see the “Using Application Setup” section on page 3-12). Step 2 From the Application Template Instances window, click the Add icon (+). The New Application Template Instance dialog box appears. Step 3 In the dialog box, do the following: a. From the Application Type drop-down list, choose one of the system templates provided with ANM or a user-defined template. The number of system templates that display in the drop-down list will increase as more templates become available and you import them into ANM. b. Click OK. The dialog box closes and the template configuration attributes appear in the Application Template Instances window. Step 4 (Optional) From the Application Template Instances window, choose one of the following view settings from the drop-down list located at the top of the window: • Basic View—Displays only the variable fields that require user input. Variable fields that are optional or are configured with default values are hidden. • Advanced View—Displays all available variable fields. 4-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Instances Note The Basic/Advanced display option appears only when a variable field in the application template definition file uses the “advanced” attribute (see the “Creating an Application Template Definition Using the ANM Template Editor” section on page 4-21). The DWS with Nexus 7000 OTV system template is an example of a template that uses the advanced attribute. Step 5 From the Application Template Instances window, configure the variable attributes. Table 4-2 describes some variable attributes that are associated with the system templates included with ANM. Use the information provided here to define the variables. Table 4-2 System Template Attributes Field Description Application Configuration Visual grouping of application-specific options. Application Config Name Name of the application that is used as a base name for many ACE objects, such as class maps, policy maps, stickies, or server farms. VIP Address/Exchange VIP Address Application server VIP address, which is generally the IP address that appears in DNS for the application. You can enter an IPv4 or IPv6 formatted address here; however, IPv6 requires ACE software Version A5(1.0) or later. Optionally, an IPv4 can include a prefix of /32 or less, and an IPv6 address can include a prefix of /128 or less. Real Server IP/ Client Access Servers (CAS)/ SharePoint Web Front End Servers Addresses IP addresses of the servers that are being load balanced. You can enter an IPv4 or IPv6 formatted address here; however, IPv6 requires ACE software Version A5(1.0) or later. Relative Probe URL File location that the ACE health check probes. FQDN Fully qualified domain name that is used for web host redirection. The %H string redirects based on the hostname in the header of the client HTTP requests. Web Front End Port Real server port on which the service is running. Secure communications between Load Balancers and Servers Check box option that when checked, instructs the ACE to use SSL to encrypt the traffic between it and the real servers. Key Type SSL key type. Choose one of the following from the drop-down list: • PKCS12 • DER • PEM SSL Key URL Field that appears only when the Key Type field is set to PKCS12 or DER. The TFTP, FTP, or SFTP URL including a key server IP address. You must use two forward slashes (//) to do absolute references; otherwise, the user home directory is used as the base path. Key Server Username Field that appears only when the Key Type field is set to PKCS12 or DER. The username to use for SFTP or FTP with the SSL key URL. Key Server Password Field that appears only when the Key Type field is set to PKCS12 or DER. The password to use for SFTP or FTP with the SSL key URL. SSL Key Field that appears only when the Key Type field is set to PEM. The SSL key that the ACE uses to decrypt and encrypt traffic from the client. 4-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Instances Step 6 Do one of the following: • Click Deploy to deploy the template instance to the device. The deployment verification popup window appears. Go to Step 7. Note The Deploy option requires a user account with the following RBAC task assigned to it: ace_virtualcontext=create. • Click Stage to save the template instance without deploying it to the specified virtual context. • Click Cancel to exit the configuration window without saving your changes. Step 7 From the popup window, do one of the following: • Click OK to deploy the template instance. The Deploy dialog box appears, which displays the list of configuration attributes to be deployed. Go to Step 8. • Click Cancel to exit this procedure without deploying the template instance. Step 8 In the dialog box, do the following: a. (Optional) Check the Create Named Checkpoint check box to create a checkpoint that ANM does not delete after a successful deployment. This check box works as follows: SSL Certificate Field that appears only when the Key Type field is set to PEM. The SSL certificate that the ACE presents to the client. Cert/Key Passphrase Optional passphrase that the key and certificate are encrypted. Session Persistence Check box option that when checked, enables session persistence. Depending on the type of template, the persistence type is generally either IP Netmask or HTTP Cookie. Redirect from 80 to 443 Check box option that when checked, configures an automatic HTTP redirect. Note When you enable this option, you must specify a FQDN. Network Configuration Visual grouping of network-specific options. Load Balancer (Device: Virtual Context) Virtual context to which the template is deployed. When you access the Application Template Instances window through device configurations (Config > Devices > context > Load Balancing > Application Template Instances), this field is already populated with the specified virtual context. When you access the Application Template Instances window through the Home page or global configuration, choose the virtual context from the drop-down device tree. Client VLANs VLANs on which client traffic originates. Enable Source NAT Check box option that when checked, specifies that traffic from the servers must have source NAT applied in order to return to the ACE. In general, you do not want to enable this feature if your ACE is installed in a one-armed network topology (see the “ACE Network Topology Overview” section on page 3-12). Note You must define NAT pools on the server interfaces before you select this option. Table 4-2 System Template Attributes (continued) Field Description 4-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Instances – Unchecked—ANM creates a checkpoint that you can revert back to if the deployment of the staged application template is unsuccessful. ANM assigns a random name to the checkpoint and deletes the checkpoint after a successful deployment. – Checked—ANM creates a checkpoint that you name and can revert back to at any time because ANM does not delete it even after a successful deployment. Note ACE virtual contexts have a limit of 10 checkpoints. If you attempt to exceed this limit, ANM does not deploy the template instance. b. Do one of the following: – Click Deploy Now. The template instance is applied to the device running-configuration and startup-configuration files. The Results window appears with the deployment status as follows: - Deployment Successful - Error in deploying template: error_details – Click Cancel to cancel the deployment. Related Topics • Information About Application Template Definitions and Instances, page 4-1 • Managing Application Template Instances, page 4-3 • Deploying a Staged Application Template Instance, page 4-7 • Editing an Application Template Instance, page 4-9 • Duplicating an Application Template Instance, page 4-10 • Viewing and Editing Application Template Instance Details, page 4-12 • Deleting an Application Template Instance, page 4-13 Deploying a Staged Application Template Instance You can deploy an application template instance that has been saved (or staged) but not yet deployed to the device. Prerequisites You must have a user account with the following RBAC task assigned to it: ace_virtualcontext=create. Procedure Step 1 Display the Application Template Instances window by doing one of the following: • Choose Home and from the Configuration category, choose Application Template Instances. • Choose Config > Devices > context > Load Balancing > Application Template Instances. • Choose Config > Global > Application Template Instances. For information about the information that is displayed, see Table 4-1. 4-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Instances Step 2 From the Application Template Instances window, choose the staged template instance to deploy and click Deploy. The deployment verification popup window appears. Step 3 From the popup window, do one of the following: • Click OK to deploy the template instance. One of the following popups appear depending on the template instance status: – Complete template instance—The Deploy dialog box appears, which displays the list of configuration attributes to be deployed. Go to Step 4. – Incomplete template instance—A popup window appears with the following message: The selected instance is not completely filled. Do you want to proceed to edit screen? Do one of the following: - Click OK to proceed to the edit window where you can complete the template instance as described in the “Editing an Application Template Instance” section on page 4-9. - Click Cancel to return to the Application Template Instances window. • Click Cancel to exit this procedure without deploying the template instance. Step 4 In the dialog box, do the following: a. (Optional) Check the Create Named Checkpoint check box to create a checkpoint that ANM does not delete after a successful deployment. This check box works as follows: – Unchecked—ANM creates a checkpoint that you can revert back to if the deployment of the staged application template is unsuccessful. ANM assigns a random name to the checkpoint and deletes the checkpoint after a successful deployment. – Checked—ANM creates a checkpoint that you name and can revert back to at any time because ANM does not delete it even after a successful deployment. Note ACE virtual contexts have a limit of 10 checkpoints. If you attempt to exceed this limit, ANM does not deploy the template instance. b. Do one of the following: – Click Deploy Now. The template instance is applied to the device running-configuration and startup-configuration files. The Results window appears with the deployment status as follows: - Deployment Successful - Error in deploying template: error_details – Click Cancel to cancel the deployment. Related Topics • Information About Application Template Definitions and Instances, page 4-1 • Managing Application Template Instances, page 4-3 • Creating an Application Template Instance, page 4-4 • Editing an Application Template Instance, page 4-9 4-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Instances • Duplicating an Application Template Instance, page 4-10 • Viewing and Editing Application Template Instance Details, page 4-12 • Deleting an Application Template Instance, page 4-13 Editing an Application Template Instance You can edit a staged application template instance. Guidelines and Restrictions This topic includes the following guidelines and restrictions: • To edit an application template instance, it must display as the type Staged. You cannot edit a template instance that displays as the type Deployed. • To retain the original template instance and make changes to a copy of it, go to the “Duplicating an Application Template Instance” section on page 4-10. Prerequisites You must have a user account with the following RBAC tasks assigned to it: ace_interface=modify, ace_access-list=modify, ace_ssl=modify, ace_vip=modify Procedure Step 1 View the list of application template instances by doing one of the following: • To display the template instances of all devices, display the global view by doing one of the following: – Choose Home and from the Configuration category, choose Application Template Instances. – Choose Config > Global > Application Template Instances. • To display only the template instances associated with a specific device, choose Config > Devices > context > Load Balancing > Application Template Instances. The Application Template Instances window appears, displaying the information described in Table 4-2. Step 2 From the Application Template Instances window, choose a staged template instance to edit and click the Edit icon ( ). The Application Configuration window appears, displaying the configured variable attributes. Step 3 From the Application Configuration window, edit the configuration as needed. For information about configuring the attributes, see Table 4-2. Step 4 When your edits are complete, do one of the following: • Click Deploy to deploy the template instance to the device. The deployment verification popup window appears. Go to Step 5. • Click Stage to save the template instance without deploying it to the specified virtual context. • Click Cancel to exit the configuration window without saving your changes. Step 5 From the popup window, do one of the following: • Click OK to deploy the template instance. The Deploy dialog box appears, which displays the list of configuration attributes to be deployed. Go to Step 6. 4-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Instances • Click Cancel to exit this procedure without deploying the template instance. Step 6 From the Deploy dialog box, do the following: a. (Optional) Check the Create Named Checkpoint check box to create a checkpoint that ANM does not delete after a successful deployment. This check box works as follows: – Unchecked—ANM creates a checkpoint that you can revert back to if the deployment of the staged application template is unsuccessful. ANM assigns a random name to the checkpoint and deletes the checkpoint after a successful deployment. – Checked—ANM creates a checkpoint that you name and can revert back to at any time because ANM does not delete it even after a successful deployment. Note ACE virtual contexts have a limit of 10 checkpoints. If you attempt to exceed this limit, ANM does not deploy the template instance. b. Do one of the following: – Click Deploy Now. The template instance is applied to the device running-configuration and startup-configuration files. The Results window appears with the deployment status as follows: - Deployment Successful - Error in deploying template: error_details – Click Cancel to cancel the deployment. Related Topics • Information About Application Template Definitions and Instances, page 4-1 • Managing Application Template Instances, page 4-3 • Creating an Application Template Instance, page 4-4 • Deploying a Staged Application Template Instance, page 4-7 • Duplicating an Application Template Instance, page 4-10 • Viewing and Editing Application Template Instance Details, page 4-12 • Deleting an Application Template Instance, page 4-13 Duplicating an Application Template Instance You can duplicate an existing application template instance, which allows you to create a new template instance based on the original one. Procedure Step 1 View the list of application template instances by doing one of the following: • To display the template instances of all devices, display the global view by doing one of the following: – Choose Home and from the Configuration category, choose Application Template Instances. 4-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Instances – Choose Config > Global > Application Template Instances. • To display only the application configurations associated with a specific device, choose Config > Devices > context > Load Balancing > Application Template Instances. The Application Template Instances window appears, displaying the information described in Table 4-1. Step 2 From the Application Template Instances window, choose the template instance to duplicate and click the Duplicate icon ( ). The Duplicate Application Config dialog box appears. Step 3 In the dialog box, enter the prefix to use for the duplicate and click OK. The dialog box closes and the Application Template Instances window appears, displaying the configuration attributes of the original template instance. Step 4 (Optional) From the Application Template Instances window, edit the variable attributes if needed. For information about configuring the attributes, see Table 4-2. Step 5 Do one of the following: • Click Deploy to deploy the template instance to the device. The deployment verification popup window appears. Go to Step 6. • Click Stage to save the template instance without deploying it to the specified virtual context. • Click Cancel to exit the configuration window without saving your changes. Step 6 From the popup window, do one of the following: • Click OK to deploy the template instance. The Deploy dialog box appears, which displays the list of configuration attributes to be deployed. Go to Step 6. • Click Cancel to exit this procedure without deploying the template instance. Step 7 In the dialog box, do the following: a. (Optional) Check the Create Named Checkpoint check box to create a checkpoint that ANM does not delete after a successful deployment. This check box works as follows: – Unchecked—ANM creates a checkpoint that you can revert back to if the deployment of the staged application template is unsuccessful. ANM assigns a random name to the checkpoint and deletes the checkpoint after a successful deployment. – Checked—ANM creates a checkpoint that you name and can revert back to at any time because ANM does not delete it even after a successful deployment. Note ACE virtual contexts have a limit of 10 checkpoints. If you attempt to exceed this limit, ANM does not deploy the template instance. b. Do one of the following: – Click Deploy Now. The template instance is applied to the device running-configuration and startup-configuration files. The Results window appears with the deployment status as follows: - Deployment Successful - Error in deploying template: error_details – Click Cancel to cancel the deployment. 4-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Instances Related Topics • Information About Application Template Definitions and Instances, page 4-1 • Creating an Application Template Instance, page 4-4 • Deploying a Staged Application Template Instance, page 4-7 • Editing an Application Template Instance, page 4-9 • Viewing and Editing Application Template Instance Details, page 4-12 • Deleting an Application Template Instance, page 4-13 Viewing and Editing Application Template Instance Details You can view the configuration details of an application template instance, such as the real servers and server farms associated with the template instance. The view details feature also allows you to open the configuration window of a specific attribute to make changes if needed. Guidelines and Restrictions This topic includes the following guidelines and restrictions: • You can view the details of deployed template instance but you cannot view the details of a staged template instance. • ANM tracks only application template instances that you create and deploy using ANM. It does not discover template instances that may reside on an ACE. For example, if you use the CLI to configure an ACE with a configuration that matches an installed application template configuration, you will not see this configuration listed as a template instance in the ANM GUI (Config > Global > Application Template Instances). Procedure Step 1 View the list of application template instances by doing one of the following: • To display the template instances of all devices, display the global view by doing one of the following: – Choose Home and from the Configuration category, choose Application Template Instances. – Choose Config > Global > Application Template Instances. • To display only the application template instances associated with a specific device, choose Config > Devices > context > Load Balancing > Application Template Instances. The Application Template Instances window appears, displaying the information described in Table 4-1. Step 2 From the Application Template Instances window, view the details of a configuration by choosing a template instance name and clicking Details. The Application Template Instance - Detail window appears, displaying details about the configuration objects. The information that displays varies depending on the template instance and user input. Configuration objects that can appear include the following: 4-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Instances Step 3 To view and edit one of the objects, click the Go To Config Page link. The associated attribute window opens, such as the Virtual Server, Real Server, or Server Farm window, where all the objects associated with the attribute display. For example, if you click the Go To Config Page link associated with a real server, the Real Servers window appears, displaying the complete table of real servers. You must locate the real server in the table to view its details and make changes to it if needed. Related Topics • Information About Application Template Definitions and Instances, page 4-1 • Managing Application Template Instances, page 4-3 • Creating an Application Template Instance, page 4-4 • Deploying a Staged Application Template Instance, page 4-7 • Editing an Application Template Instance, page 4-9 • Duplicating an Application Template Instance, page 4-10 • Deleting an Application Template Instance, page 4-13 Deleting an Application Template Instance You can delete an application template instance. Guidelines and Restrictions When you delete a deployed template instance, the virtual context configuration attributes that were added or modified as a result of deploying the application configuration are changed back to what they were prior to deploying the template instance, which means that if the virtual context was configured and operating prior to deploying the template instance, it reverts to operating with the previous configuration after you delete the template instance. • Virtual Servers • Probe • SSL Chain Group Parameters • Server Farms • SSL Proxy Service • SSL Parameter Maps • Real Servers • SSL Keys • HTTP Parameter Maps • Redirect Real Servers • SSL Certificates • TCP Parameter Maps • Sticky • SSL Auth Group Parameters • HTTP Header Modify Action Lists 4-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Instances Prerequisites You must have a user account with the following RBAC task assigned to it: ace_virtualcontext=create. Procedure Step 1 View the list of application configurations by doing one of the following: • To display the template instances of all devices, display the global view by doing one of the following: – Choose Home and from the Configuration category, choose Application Template Instances. – Choose Config > Global > Application Template Instances. • To display only the application template instances associated with a specific device, choose Config > Devices > context > Load Balancing > Application Template Instances. The Application Template Instances window appears, displaying the information described in Table 4-1. Step 2 From the Application Template Instances window, choose the template instance to delete and click the Delete icon ( ). ANM removes the template instance from the table. If the template instance was of the type Saved, no virtual context operations are affected. If the template instance was of the type Deployed, the associated virtual context operations are affected as described in “Guidelines and Restrictions” section on page 4-13. Related Topics • Information About Application Template Definitions and Instances, page 4-1 • Managing Application Template Instances, page 4-3 • Creating an Application Template Instance, page 4-4 • Deploying a Staged Application Template Instance, page 4-7 • Editing an Application Template Instance, page 4-9 • Duplicating an Application Template Instance, page 4-10 • Viewing and Editing Application Template Instance Details, page 4-12 4-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions Managing Application Template Definitions ANM maintains a table of the application template definitions, which you can view by choosing Config > Global > Application Template Definitions. The Application Template Definitions window appears, displaying the information described in Table 4-3. From the Application Template Definitions window, you can create, edit, export, import, and test application template definitions. This section includes the following topics: • Editing an Application Template Definition, page 4-15 • Creating an Application Template Definition, page 4-20 • Exporting an Application Template Definition, page 4-26 • Importing an Application Template Definition, page 4-26 • Testing an Application Template Definition, page 4-28 • Deleting an Application Template Definition, page 4-29 • Using the ANM Template Editor, page 4-29 Editing an Application Template Definition You can edit the XML code of an application template definition file from within ANM using the template editor that comes with ANM, or you can export the template definition file and edit it outside of ANM using an XML editor or text editor such as WordPad. To help you understand how a template can be edited to suit your particular requirements, this section includes an example that involves editing the probe information in the Basic HTTP system template. In the code editing example, the probe interval value is changed from a set value of 60 seconds to a variable with a default of 60 seconds. This change allows you to configure the interval value when you use the template to create an application template instance (see the “Creating an Application Template Instance” section on page 4-4). Table 4-3 Application Template Definitions Window Fields Field Description Application Type Template name. Version Template version. Template Type Template type: User-defined or System (Cisco defined). Description Template description that indicates the type of network application in which the template configures the ACE. Validity Icons that indicate the validity of a template as follows: • Check mark—Template conforms to the XML schema and can be deployed to an ACE. • Error icon (!)—Template does not conform to the XML schema and cannot be deployed to an ACE. 4-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions Figure 4-1 highlights the XML code for the probe URI variable and its set interval value. The figure also shows the GUI window that the code produces, including the variable field for inputting the relative probe URI. Figure 4-1 Basic HTTP Template: Probe with Set Interval Value You can modify a template to fit your particular requirements. Figure 4-2 highlights the probe code that was added or modified to produce a variable field in the GUI that allows you to set the probe interval if you do not want to use the default value of 60 seconds. 4-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions Figure 4-2 Modified Basic HTTP Template: Probe with Variable Interval Setting Table 4-4 describes the XML code and ANM GUI changes called out in Figure 4-2. Table 4-4 Example XML Code and ANM GUI Changes Item Description Code Changes 1 Modified code that changes the template version number from 1 to 1.1. 2 New code that defines a probe interval variable (probe_interval) that has a default value of 60. 3 Modified code that changes the set probe interval value (60) to a variable ($probe_interval). GUI Changes 4 Modified template identification bar that includes the new version number (1.1). 5 New user field that allows the user to specify a probe interval other than the default of 60. 4-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions Guidelines and Restrictions This topic includes the following guidelines and restrictions: • You can edit the template definition within ANM using the ANM template editor or you can export the template file, edit the code using a text editor such as WordPad, and then import the modified template file. • When editing a system template file, in the XML code you must change the template type or version number (or both). • By default, templates that you created using the ANM template editor display as options when using Application Setup in Guided Setup (see the “Using Application Setup” section on page 3-14). To configure a template not to display in Application Setup, either change the following code in the template root element from true to false or remove this piece of code from the root element: showsInGuidedSetup=”false” This section includes the following topics: • Editing an Application Template Definition Using the ANM Template Editor, page 4-18 • Editing an Application Template Definition Using an External Editor, page 4-19 Editing an Application Template Definition Using the ANM Template Editor You can use the template editor that comes with ANM to modify an application template definition from within ANM. Procedure Step 1 Choose Config > Global > Application Template Definitions. The Application Template Definitions window appears, displaying the information described in Table 4-3. Step 2 From the Application Template Definitions window, choose the template to edit and click the Edit icon ( ). The template editor window appears, displaying the template code. Step 3 Edit the code as needed. For information about using the ANM template editor to make your edits, see the “Using the ANM Template Editor” section on page 4-29. Step 4 When your edits are complete, do one of the following: • Click Validate to have ANM validate the application template definition file, which means that ANM checks to see that it is a well-formed XML document that follows the rules defined by the ANM Template XML schema. ANM highlights any errors in the code. • Click Save to save your changes using the same filename. This button is not available when you edit a system template (you must use the Save As option). • Click Save As to open the Save As New Template Definition popup window and save your changes under a new application type or version. The popup window text fields are populated with the attributes of the original file opened with the exception of the Version field, which ANM increments by one. If the version is not a number, the “-next” suffix is added to the version. From the popup window, modify the file attributes if needed and click Save. 4-19 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions Note When using the Save As feature, ANM does not allow you to save a template using the same application type and version number as the original template file. You must change either the application type or the version number. • Click Exit to exit the template editor and return to the Application Template Definitions window. Related Topics • Information About Application Template Definitions and Instances, page 4-1 • Editing an Application Template Instance, page 4-9 • Managing Application Template Definitions, page 4-15 • Editing an Application Template Definition Using an External Editor, page 4-19 • Testing an Application Template Definition, page 4-28 • Deleting an Application Template Definition, page 4-29 • Using the ANM Template Editor, page 4-29 Editing an Application Template Definition Using an External Editor You can export an application template definition file, modify it using a text editor, and then import it back into ANM. Prerequisites You must have a text editor (minimum) such as WordPad or an XML editor (preferred). Procedure Step 1 Choose Config > Global > Application Template Definitions and export the template to edit from the list of available templates. For details, see the “Exporting an Application Template Definition” section on page 4-26. Step 2 Using a text editor such as WordPad, open the template XML file that you exported in Step 1. Step 3 Modify the template identification by doing one or both of the following in the header code: • Assign a new value to the applicationType attribute. • Change the version number attribute. In the example (see Figure 4-2), the template version number is changed from 1 to 1.1. version=”1.1” Note When you change the template name or version number and import the template, ANM displays the template as a new line item in the Application Template Definitions window even if you save the file under the same name (see Step 5). Step 4 Modify the operation of the template as needed. In the example (see Figure 4-2), the following changes are made: 4-20 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions • The template version number is changed from 1 to 1.1. version=”1.1” • The input variable name probe_interval is added and defined as having a default value of 60 (seconds). • The slb code for the probe interval is changed from the set value of 60 to the {$probe_interval} variable. – To hide a variable array in Basic view, add the advanced attribute to the variable array as follows: 4-22 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions Note ANM does not display the drop-down list for Basic and Advanced viewing options when the advanced attribute is not used in the XML code. Procedure Step 1 Choose Config > Global > Application Template Definitions. The Application Template Definitions window appears, displaying the list of existing templates. Step 2 Click Add (+) to begin creating a new template. The Create New Template Definition dialog box appears. Step 3 From the dialog box, do the following: a. In the Application Type field, enter a brief description of the intended application. b. In the Version field, enter the template version number. By default, this field is set to 1.0. c. In the Description field, describe the intended use of the template. d. Check the Load Balance check box if the configuration is to perform load balancing (it is checked by default). If you uncheck the check box, go to Step e. If you check the check box, do the following: – From the vserver type drop-down list, choose the virtual server type: http, dns, ftp, rdp, terminated-https, or other. – Check the Sticky check box to enable sticky (it is unchecked by default). If you check the check box, choose one of the following from the sticky type drop-down list: ip-sticky, http-cookie-sticky, or http-header-sticky. – Check the SSL check box to include in the template a configuration block with an SSL termination proxy (it is unchecked by default). e. Do one of the following: – Click Go to Editor to open the template editor and the template base code, which is configured with the information that you provided. Go to Step 4. – Click Cancel to return to the The Application Template Definitions window. Step 4 Edit the code as needed. For information about using the ANM template editor to make your edits, see the “Using the ANM Template Editor” section on page 4-29. Step 5 (Optional) Tag specific variable fields or variable arrays with the advanced attribute, which enables the Basic/Advanced display feature when creating a template instance that uses this application template definition. When creating an application template instance, the Basic/Advanced display feature allows the user to set the view to Basic, which displays only the variable fields that require their input. For more information about configuring this feature, see the “Guidelines and Restrictions” section on page 4-21. 4-23 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions Step 6 When your edits are complete, do one of the following: • Click Validate to have ANM validate the application template definition file, which means that ANM checks to see that it is a well-formed XML document that follows the rules defined by the ANM Template XML schema. ANM highlights any errors in the code. • Click Save to save your changes. Related Topics • Managing Application Template Definitions, page 4-15 • Editing an Application Template Definition, page 4-15 • Creating an Application Template Definition, page 4-20 • Using the ANM Template Editor, page 4-29 • Testing an Application Template Definition, page 4-28 • Deleting an Application Template Definition, page 4-29 • Creating an Application Template Instance, page 4-4 Creating an Application Template Definition Using an External XML Editor You can create a basic ACE application template definition using an external XML editor rather than the template editor that comes with ANM. The procedure shows how to create a base XML file with which to base your template on and then use the free form XML tag to encapsulate ACE CLI commands that you copy from a known working configuration and paste into the template. The example template that you create during the procedure will initialize a virtual context by doing the following: • Specify a variable message of the day (MOTD) field. • Enable logging. • Specify a number of SNMP attributes, some of which are variables. Guidelines and Restrictions The ability to create a complex template requires a knowledge of XML programming and the ACE CLI and is beyond the scope of this guide. For information about creating complex templates for configuring your ACEs, go to the Cisco Developer Network (CDN) site at the following URL: http://developer.cisco.com/web/anm/application-templates Prerequisites This topic has the following requirements: • Basic knowledge of XML programming and the ACE CLI. • Text editor (minimum), such as WordPad, or an XML editor (preferred). • The application template definition XML schema. You can obtain a copy of this file from the CDN site at the following URL: http://developer.cisco.com/web/anm/docs From this site, use the schemas hyperlink located under the “Application Template Schemas” heading to download the XML schema. 4-24 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions • Access to an ACE CLI and the output of the show running config command from which you copy the commands that you need and paste them into the template. Procedure Step 1 From the ACE CLI, enter the show running config command. Step 2 Create a folder in which to work while creating a template and place the application template definition XML schema file in it. Step 3 Using a text editor or XML editor, create an XML template file, save it to your work folder, and copy in the following base code: Step 4 Do the following (shown in bold text in the example): a. Assign values to the application type and provide a brief description. b. Within the input tags, add the required variable tags. c. Within the free form tags, paste the required ACE CLI commands that you copy from the show running config command output. In the following example, the modified code is shown in bold text: d. (Optional) Tag specific variable fields or variable arrays with the advanced attribute, which enables the Basic/Advanced display feature when creating a template instance that uses this application template definition. When creating an application template instance, the Basic/Advanced display feature allows the user to set the view to Basic, which displays only the variable fields that require their input. For more information about configuring this feature, see the “Guidelines and Restrictions” section on page 4-21. e. To configure a template not to display in Application Setup, change the following code in the template root element from true to false: showsInGuidedSetup=”false” By default, templates that you create using the base code in Step 3 display as options when using Application Setup in Guided Setup (see the “Using Application Setup” section on page 3-14). Step 5 Save the template file as an .xml file. Step 6 (Optional) Do the following: a. Import the template into ANM (see the “Importing an Application Template Definition” section on page 4-26). b. From ANM, test the template (see the “Testing an Application Template Definition” section on page 4-28). c. From ANM, create an application template instance using the new template and deploy it (see the “Creating an Application Template Instance” section on page 4-4). Related Topics • Managing Application Template Definitions, page 4-15 • Editing an Application Template Definition, page 4-15 • Creating an Application Template Definition, page 4-20 • Exporting an Application Template Definition, page 4-26 • Importing an Application Template Definition, page 4-26 • Testing an Application Template Definition, page 4-28 • Deleting an Application Template Definition, page 4-29 • Creating an Application Template Instance, page 4-4 4-26 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions Exporting an Application Template Definition You can export an application template definition for editing or to create a backup that you can import into another ANM server. Procedure Step 1 Choose Config > Global > Application Template Definitions. The Application Template Definitions window appears, displaying the information described in Table 4-3. Step 2 From the Application Template Definitions window, choose the template to export and click Export. The File Download dialog box opens. Step 3 From the File Download dialog box, click Save. The Save As dialog box window appears. Step 4 From the Save As dialog box, navigate to where you want to save the template definitions file. Rename the file if you want. Step 5 Click Save. The template definitions file is saved to the specified location. Related Topics • Information About Application Template Definitions and Instances, page 4-1 • Managing Application Template Definitions, page 4-15 • Editing an Application Template Definition, page 4-15 • Creating an Application Template Definition, page 4-20 • Importing an Application Template Definition, page 4-26 • Testing an Application Template Definition, page 4-28 • Deleting an Application Template Definition, page 4-29 Importing an Application Template Definition You can import an application template definition. The import process checks the file to ensure that the XML conforms to the application template schema, using valid tags and attributes. Guidelines and Restrictions This topic includes the following guidelines and restrictions: • ANM allows you to import files that do not conform to the XML schema and does the following: – Issues an error message when importing the file that indicates the detected issues. – Places an error icon in the Validity column of the template listing in the Application Template Definitions window (Config > Global > Application Template Definitions). 4-27 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions This feature allows you import a template file that is not complete and that you may want to edit further using the ANM template editor (see the “Editing an Application Template Definition Using the ANM Template Editor” section on page 4-18). • The import process does not check the file to ensure that the ACE configuration attributes are structured correctly. To test the ACE configuration attributes, use the template test feature (see the “Testing an Application Template Definition” section on page 4-28). • You can import application template definitions that you created for use with ANM 5.1, which used an earlier version of the XML schema. When you import the template, ANM modifies the template root element as required by the current version of the XML schema. This modification does not affect the ACE configuration. Procedure Step 1 Choose Config > Global > Application Template Definitions. The Application Template Definitions window appears, displaying the information described in Table 4-3. Step 2 From the Application Template Definitions window, click Import. The Select a Template Definition File to Upload dialog box appears. Step 3 In the dialog box, click Browse to navigate to and choose the template file to upload. Step 4 Click Upload. The upload status box appears and displays one of the following messages: • “Template is imported”—The template definition conforms to the XML schema. Click OK to close the popup window and complete the upload process. • “Template is not imported because its XML structure is not valid”—ANM detected that the file does not contain properly structured XML code and cannot import the file. • “Template is not imported because upload error was found”—A system or network error has occurred that prevented the upload. This message is not an indication that a problem exists with the template. • “Template is imported, but the following errors were found”—The template contains properly structure XML code; however, the code does not conform to the XML schema. The message includes the errors found in the code. ANM displays the template in the Application Template Definitions window. Related Topics • Information About Application Template Definitions and Instances, page 4-1 • Managing Application Template Definitions, page 4-15 • Editing an Application Template Definition, page 4-15 • Creating an Application Template Definition, page 4-20 • Exporting an Application Template Definition, page 4-26 • Testing an Application Template Definition, page 4-28 • Deleting an Application Template Definition, page 4-29 4-28 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions Testing an Application Template Definition You can test an application template definition. The test performs the following tasks: • Displays the application configuration window to verify that the variable information the user is expected to fill in displays correctly. • Performs a test deployment and displays the configuration attributes that will be deployed for a live application configuration deployment. If there is a problem with the template definition, an error message displays that indicates what the problem is with the source code. Note The test deployment is done locally on ANM only. No commands are sent to an ACE. Procedure Step 1 Choose Config > Global > Application Template Definitions. The Application Template Definitions window appears, displaying the information described in Table 4-3. Step 2 From the Application Template Definitions window, choose a template to test and click Test. The Application Configuration window appears. Step 3 From the Application Configuration window, enter the required variable information and click Test Deploy. The Test popup window appears displaying the application configuration attributes that the template generates. Note If the template contains a boolean statement that allows you to choose one of two values, be sure to test both values. For example, if the template includes the Secure Backend Servers checkbox option, test the template with the check box checked (enabled) and unchecked (disabled). Step 4 Click Cancel to close the Test popup window and return to the Application Template Definitions window. Related Topics • Information About Application Template Definitions and Instances, page 4-1 • Managing Application Template Definitions, page 4-15 • Editing an Application Template Definition, page 4-15 • Creating an Application Template Definition, page 4-20 • Exporting an Application Template Definition, page 4-26 • Importing an Application Template Definition, page 4-26 • Deleting an Application Template Definition, page 4-29 4-29 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions Deleting an Application Template Definition You can delete a user-defined application template definition. Guidelines and Restrictions You cannot delete a system template. Caution When you delete an application template definition and you have staged application template instances that were created using the template, you cannot edit or deploy the template instances. Procedure Step 1 Choose Config > Global > Application Template Definitions. The Application Template Definitions window appears, displaying the information described in Table 4-3. Step 2 From the Application Template Definitions window, choose a user-defined template to delete and click the Delete icon ( ). The Delete Verification popup window appears. Step 3 From the popup window, do one of the following: • Click OK to delete the template. • Click Cancel to ignore the template delete request. Related Topics • Information About Application Template Definitions and Instances, page 4-1 • Managing Application Template Definitions, page 4-15 • Editing an Application Template Definition, page 4-15 • Creating an Application Template Definition, page 4-20 • Importing an Application Template Definition, page 4-26 • Exporting an Application Template Definition, page 4-26 • Testing an Application Template Definition, page 4-28 Using the ANM Template Editor ANM includes a template editor that you can use to create or edit application template definitions from within the ANM GUI. This section describes the editor components and how to use them. You access the ANM template editor by doing one of the following: • Create a new template (see the “Creating an Application Template Definition Using the ANM Template Editor” section on page 4-21). • Edit an existing template (see the “Editing an Application Template Definition Using the ANM Template Editor” section on page 4-18). 4-30 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions Figure 4-3 shows a sample view of the ANM template editor. The sample code includes invalid code in line 6 to show how the editor highlights problem code. Figure 4-3 ANM Template Editor Components Table 4-5 describes the editor GUI components called out in Figure 4-3. Table 4-5 ANM Template Editor Component Descriptions Item Description 1 Template Identifier Template type and version number. ANM displays an asterisk (*) next to the template type to indicate that a change to the template has been made but not saved. 4-31 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions 2 Tool Bar Editing tools that work as follows: • Undo button—With each click, undoes the changes that you made but did not save, beginning with the most recent change made. • Redo button—With each click, redoes the changes reversed by the Undo button, beginning with the most recent undo operation. • Fix Indentation button—Corrects any indentation errors in the code. • Wrap with: – If button—Wraps the code that you highlight with the “if” opening and closing tags to create an if block. – For button—Wraps the code that you highlight with the “foreach” opening and closing tags to create a foreach block. If you do not highlight the code to wrap, ANM places the If or For block at the location of the cursor. • Toggle Comments button—Makes the code that you highlighted a comment. You can use this feature to add description comments to sections of the code. You can also tag incomplete code as a comment until you are ready to complete it. At that time, you would highlight the commented code and click Toggle Comments again. • Search text box—String to locate in the code. The template editor highlights all instances of the string. Use the following associated tools: – Up button—Moves to the next instance of the search string above the currently highlighted instance. – Down button—Moves to the next instance of the search string below the currently highlighted instance. • Replace text box—String that is to replace the search string as follows: – Replace button—Replaces only the currently highlighted occurrence of the search string. – Replace All button—Replaces all occurrences of the search string. 3 Work Area Area where the code is displayed and modified. The work area includes the following editing tools: • Code folding—Allows you to expand or collapse sections of code as follows: – —Collapses code group. – —Expands code group. ANM hides these icons and expands the code when an error exists. • Code auto complete—ANM completes the code tag being entered or displays a list of possible options that match what has been entered so far. This feature works for a predefined set of elements only and is not available with every element type. To use this feature, begin entering the start-tag and then press Ctrl + Space. Enter at least one character after the open character (<) before pressing Ctrl + Space. For example: Press Ctrl + Space Table 4-5 ANM Template Editor Component Descriptions (continued) Item Description 4-32 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 4 Using Application Template Definitions Managing Application Template Definitions 4 Error and Warning Indicators Icons that appear when the code that does not conform to the XML schema as follows: • —Warning indicator: Error exists; however, the error will not prevent deployment of the template. • —Error indicator: Error exists that will prevent deployment of the template. For details about the indicated error, see the Error Description Pane located at the bottom of the window or hover over the icon to open the popup error message display. 5 Error Description Pane Descriptions of the detected errors in the code, which are also highlighted with Error and Warning Indicators. Because the error description text does not wrap, it can extend beyond the display. To view the entire description, hover over the message to open the popup error message display. Displayed errors remain in this pane until you fix the issue and validate the fix by clicking Validate. 6 Function Buttons Buttons that work as follows: • Validate—ANM validates the application template definition file, which means that ANM checks to see that it is a well-formed XML document that follows the rules defined by the ANM Template XML schema. When ANM detects errors in the code, it highlights the errors with Error and Warning Indicators and displays the Error Description Pane. If you correct the code and click Validate again, ANM removes the error indicators and closes the error description pane if no other errors exist. • Save—Saves your changes using the same filename. Note the following when using this button: – If any errors exist in the code, ANM displays a verification popup window, asking you to verify that you want to save the information regardless of the detected errors. – If the code is not properly structured, ANM displays an error message stating that the template cannot be saved because the XML structure is not valid. For example, if you enter a tag and do not close it, this error occurs. You must correct the code error before ANM allows you to save the template. – The Save button is not available when editing a system template, which requires that you use the Save As button. • Save As—Saves the file to a different filename. This option opens the Save As New Template Definition popup window to save your changes under a new application type name or version. From the popup window, modify the file attributes if needed and click Save. Note the following when using this button: – ANM populates the popup window text fields with the attributes of the original file opened with the exception of the Version field, which ANM increments by one. If the version is not a number, ANM adds the “-next” suffix to the version. – ANM does not allow you to save a template using the same application type and version number as the original template file. You must change either the application type or version number (or both). • Exit—Exits the editor without saving your changes. Table 4-5 ANM Template Editor Component Descriptions (continued) Item Description CHAPTER 5-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 5 Importing and Managing Devices Date: 3/28/12 This chapter describes how to import and manage Cisco Application Networking Manager (ANM) devices. You can import the following Cisco devices to ANM: • Application Control Engine (ACE) module or appliance • Global Site Selector (GSS) • Content Services Switch (CSS) • Catalyst 6500 Virtual Switching System (VSS) 1440 • Catalyst 6500 series switch • Cisco 7600 series router • Cisco Content Switching Module (CSM) • Cisco Content Switching Module with SSL (CSM-S) • VMware vCenter Server Note The terms add and import are interchangeable in this document. Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This chapter includes the following sections: • Information About Device Management, page 5-2 • Information About Importing Devices, page 5-4 • Preparing Devices for Import, page 5-4 • Modifying the ANM Timeout Setting to Compensate for Network Latency, page 5-9 • Importing Network Devices into ANM, page 5-10 5-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Information About Device Management • Discovering Large Numbers of Devices Using IP Discovery, page 5-27 • Configuring Devices, page 5-34 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 • Managing Devices, page 5-66 • Replacing an ACE Module Managed by ANM, page 5-82 Information About Device Management ANM includes many device management features. You can import devices and then configure them for use in your network. In addition to configuring ports, VLANs, and routes, you can modify device configurations, and manage them. Table 5-1 identifies common management categories and related topics. Table 5-1 Device Management Options Device Management Activities Related Topics Importing devices • Information About Importing Devices, page 5-4 • Preparing Devices for Import, page 5-4 • Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers, page 5-5 • Modifying the ANM Timeout Setting to Compensate for Network Latency, page 5-9 • Importing Network Devices into ANM, page 5-10 • Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11 • Importing ACE Appliances, page 5-21 • Importing CSS Devices, page 5-22 • Importing GSS Devices, page 5-23 • Importing VMware vCenter Servers, page 5-24 • Discovering Large Numbers of Devices Using IP Discovery, page 5-27 5-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Information About Device Management Configuring device attributes • Configuring Devices, page 5-34 • Configuring CSM Primary Attributes, page 5-34 • Configuring CSS Primary Attributes, page 5-35 • Configuring GSS Primary Attributes, page 5-36 • Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes, page 5-38 • Configuring Catalyst 6500 Series Chassis, Catalyst 6500 Virtual Switching System 1440 Devices, and Cisco 7600 Series Routers Static Routes, page 5-39 • Configuring VMware vCenter Server Primary Attributes, page 5-41 • Displaying Chassis Interfaces and Configuring High-Level Interface Attributes, page 5-42 • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 • Creating VLAN Groups, page 5-52 Configuring device role-based access control (RBAC) • Configuring Device RBAC Users, page 5-53 • Configuring Device RBAC Roles, page 5-56 • Configuring Device RBAC Domains, page 5-61 Managing devices • Synchronizing Device Configurations, page 5-66 • Mapping Real Servers to VMware Virtual Machines, page 5-68 • Instructing ANM to Recognize an ACE Module Software Upgrade, page 5-71 • Configuring User-Defined Groups, page 5-72 • Changing Device Credentials, page 5-75 • Changing ACE Module Passwords, page 5-77 • Restarting Device Polling, page 5-78 • Displaying All Devices, page 5-78 • Displaying Modules by Chassis, page 5-79 • Removing Modules from the ANM Database, page 5-80 Table 5-1 Device Management Options (continued) Device Management Activities Related Topics 5-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Information About Importing Devices Information About Importing Devices The quickest and easiest way to add devices to ANM is to import them individually using the Add function available at Config > Devices. If you already know the device IP address, you can use this procedure to add your devices to ANM. Before you begin importing, you need to set up your network devices so that ANM can communicate and monitor them. In the sections that follow, you will perform the following steps to prepare and import devices: 1. Enable SSH access (see the “Preparing Devices for Import” section on page 5-4). 2. Modifying the ANM timeout setting (see the “Modifying the ANM Timeout Setting to Compensate for Network Latency” section on page 5-9). Note This step is required only when network latency is causing a timeout issue that prevents ANM from establishing a communication link with the device to be imported. 3. Import devices (see the “Importing Network Devices into ANM” section on page 5-10). To add large numbers of devices, you can use IP Discovery before you import your devices. This process is not as efficient as using the Add function. IP Discovery shows where devices are but does not add the devices to ANM. We recommend that you use the Config > Devices > Device Management > Add function. For details on IP Discovery, see the “Discovering Large Numbers of Devices Using IP Discovery” section on page 5-27. Note Before importing a device, the ANM server pings the IP address of the device. If you have a firewall between the ANM server and the device that you want to import, your network administrator needs to modify the firewall to allow the ping traffic to reach the device or ACE. Preparing Devices for Import This section describes how to set up your devices to allow ANM to communicate with them and also describes the requirements for adding ACE devices that are high availability peers. ANM uses the following protocols for communication: • For communication to an ACE module or appliance: – XML over HTTPS – SSHv2 (read and write) – SNMP V2C (read-only) – Syslog over User Datagram Protocol (UDP) (inbound notifications only) • For communication to the Catalyst 6500 Virtual Switching System (VSS) 1440: – SSHv2 and Telnet (read and write) – SNMP V2C (read-only) – Syslog over UDP (inbound notifications only) • For communication to a Catalyst 6500 series switch, Cisco 7600 series router, CSM, or CSM-S: – SSHv2 and Telnet (read and write) 5-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Preparing Devices for Import – SNMP V2C (read-only) – Syslog over UDP (inbound notifications only) • For communication to the CSS: – Telnet (read and write) – SNMP V2C (read-only) – Syslog over UDP (inbound notifications only) • For communication to the GSS: – SSHv2 – Remote Method Invocation (RMI) over SSL Note Before you import a GSS device into ANM, you need to set the GSS communication on the GSS Ethernet interface that will be used to import the GSS into ANM. See the Cisco Global Site Selector Command Reference on Cisco.com for instructions on using the gss-communications command. • For communication to a VMware vCenter Server, HTTPS is used. Note For more information about communication between ANM and a VMware vCenter Server, see the “Prerequisites for Using ANM With VMware vSphere Client” section on page B-4 and “Guidelines and Restrictions” section on page B-5. This section includes the following topics: • Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers, page 5-5 • Enabling SSH Access and the HTTPS Interface on the ACE Module and Appliance, page 5-6 • Enabling SNMP Polling from ANM, page 5-7 • ANM Requirements for ACE High Availability, page 5-8 Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers You can choose to use Telnet or SSH to import a Catalyst 6500 series switch or Cisco 7600 series router in ANM. Telnet is enabled by default on the Catalyst 6500 series chassis. If you have disabled Telnet on the device, you need to enable it to perform the initial setup and import of an ACE module. If you plan to directly import an ACE module into ANM, Telnet is not mandatory on a Catalyst 6500 series switch. Note If you choose Telnet, the Use Telnet checkbox will be checked in the Primary Attributes window (see the “Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes” section on page 5-38). If you use SSH to communicate with the device, you must do the following: • SSHv2 must be enabled on the chassis, as well as the ACE, in order for ANM to add device information about the chassis. 5-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Preparing Devices for Import • Ensure that the chassis has a K9 (Triple Data Encryption Standard [3DES]) software image in order to enable the SSH server. The ANM requires SSHv2 to be enabled on the chassis. To enable SSH or Telnet access on Catalyst 6500 series switches or Cisco 7600 series routers, use the following commands: Enabling SSH Access and the HTTPS Interface on the ACE Module and Appliance You can enable SSH access and the HTTPS interface on the ACE modules and appliances. ANM uses SSH and XML over HTTPS to communicate with the ACE devices. You need to enable both SSH access and HTTPS as explained in this section. These settings can be enabled during device import as described in the “Importing Network Devices into ANM” section on page 5-10 or in the CLI. Note If the ACE module or appliance is new and still has its factory settings, you do not need to perform the procedure in this section because SSH is enabled by default. Note Ensure that the management policy applied on the management interface permits SSH. To enable SSH access and the HTTPS interface on an ACE module or appliance, enter the following commands in config mode in the Admin context: Command Purpose Step 1 ip ssh version 2 Enables SSHv2. Step 2 ip domain-name abc.com Step 3 crypto key generate rsa general-keys modulus 1024 Generates the key. Step 4 username username password password Enters the username and password. Step 5 line vty 0 4 Step 6 session-timeout 60 Step 7 login local This is an example only. This commands works for Cisco IOS 12.2.18SXF(10), but not for 12.2.18SXF(8). Step 8 transport input telnet ssh Allows SSH and Telnet to the chassis. Step 9 transport output telnet ssh Allows SSH and Telnet from the chassis to the ACE module. Command Purpose Step 1 ssh key rsa 1024 force Configures SSH access on the ACE. Step 2 access-list acl line 10 extended permit ip any any 5-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Preparing Devices for Import For more information about configuring SSH access on the ACE, see either the Cisco Application Control Engine Module Administration Guide or the Cisco 4700 Series Appliance Administration Guide on Cisco.com. Enabling SNMP Polling from ANM You can enable SNMP polling from ANM, which uses SNMPv2 for polling ACE, CSS, CSM, or CSM-S devices. To receive traps from these devices, ANM supports use of SNMPv2 traps. Note To send SNMP traps to ANM, configure the SNMP trap host to the ANM server so that it can receive traps from ANM. For alarm condition notifications, ANM uses SNMPv1 EPM-Notificaton-MIB based SNMP traps. For the ACE, in order for ANM to successfully perform SNMP polling, you must configure the ACE Admin context with a management IP with a suitable management policy that permits SNMP traffic. All other contexts can be polled using this Admin context management IP. For each device type (ACE, CSS, CSM, or CSM-S), see the corresponding configuration guide to configure the device to permit SNMP traffic. Step 3 class-map type management match-any ANM_management 2 match protocol ssh any 3 match protocol telnet any 4 match protocol https any 5 match protocol snmp any 6 match protocol icmp any 7 match protocol xml-https Configures discovery for ANM. The following comments apply to the line number specified before the command text in the left column: • Line 2 classifies the SSH traffic. • Line 4 is needed by ANM for making configuration changes on the ACE. • Line 5 is needed by ANM for periodic statistics. • Line 6 is not mandatory but useful for network and route validation. • Line 7 is needed only for ACE 4710 devices. Step 4 policy-map type management first-match ANM_management class ANM_management permit Allows protocols matched in the management class map. Step 5 interface vlan 30 ip address 192.168.65.131 255.255.255.0 access-group input acl service-policy input ANM_management no shutdown Configures a management interface with the ACL and specifies the management service policy. This configuration is not recommended for a client or server interface. Step 6 username admin password 5 $1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/ role Admin domain default-domain Defined by the administrator. Step 7 ip route 0.0.0.0 0.0.0.0 192.168.0.1 Specifies the default route (or appropriate route) for traffic to reach ANM using the management interface if ANM is not on the same subnet. Command Purpose 5-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Preparing Devices for Import ANM Requirements for ACE High Availability ANM automatically identifies ACE high availability (HA) peers if both peers are imported into ANM. For ANM to identify two ACE devices (ACE modules or ACE appliances) as high availability peers, ANM looks for two ACE devices with the same fault-tolerant (FT) interface VLAN configuration and whose peer IP addresses are reversed. For example, ANM would consider Peer 1 with the following configuration: ft interface vlan 4000 ip address 10.10.10.1 255.255.255.0 peer ip address 10.10.10.4 255.255.255.0 and Peer 2 with the following configuration: ft interface vlan 4000 ip address 10.10.10.4 255.255.255.0 peer ip address 10.10.10.1 255.255.255.0 as HA peers because they both use FT interface VLAN 4000 and their IP and peer IP addresses are reversed. However, it is possible that multiple ACE devices imported into ANM have the same FT interface VLAN and IP address/peer IP address combinations. In this case, ANM is not able to identify the ACE HA pair correctly. To resolve this issue, ANM uses the following logic to determine that two ACE devices are an HA pair: 1. Two ACE devices could be identified as a HA pair if their FT interface VLAN IDs match and their FT interface IP and peer IP addresses are reversed. 2. If the Admin context management interface peer IP address is already defined, ANM will conclusively identify its HA peer if the other Admin context management interface reversely matches the management IP and peer IP addresses. 3. If both ACE Admin context management interface peer IP addresses are not defined, and their FT interface configuration combination is unique across all ACE devices, ANM will then identify them as an HA pair. 4. An ACE HA peer is identified as Inconclusive if there is a non unique FT interface configuration combination across all ACE devices and its Admin context management interface peer IP is not defined. When importing an ACE HA pair into ANM, you should follow one of the following configuration requirements so that ANM can uniquely identify the ACE HA pair: • Use a unique combination of FT interface VLAN and FT IP address/peer IP address for every ACE HA pair imported into ANM. For HA, it is critical that the combination of FT interface VLAN and IP address/peer IP address is always unique across every pair of ACE peer devices. • Define a peer IP address in the management interface using the management IP address of the peer ACE (module or appliance). The management IP address and management peer IP address used for this definition should be the management IP address used to import both ACE devices into ANM. An example is as follows: • ACE1 is imported into ANM with management IP 10.10.10.10. • ACE2 is imported into ANM with management IP 10.10.10.12. In this case, you would perform the following actions for both ACE1 and ACE2: • Update the management interface on ACE1 with IP address 10.10.10.10. to have 10.10.10.12 as the peer IP address. 5-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Modifying the ANM Timeout Setting to Compensate for Network Latency • Update the management interface on ACE2 with IP address 10.10.10.12 to have 10.10.10.10 as the peer IP address. An ACE module or appliance may have many other management interfaces defined, but ANM is particularly interested only in the management interface whose IP address is used for importing into ANM. When ANM is unable to determine a unique ACE HA peer pair, it displays an Inconclusive state in the ACE HA State column of the All Virtual Contexts table (Config > Devices > Virtual Context Management) or the Virtual Contexts listing page. The Inconclusive state indicates that ANM was able to determine that the given ACE was configured in HA; however, ANM was able to find more than one ACE module or ACE appliance that appeared to be a peer. In this case, ANM was unable to conclusively find a unique HA peer for the given ACE module or ACE appliance. You must then perform the actions outlined in this section to fix the ACE that is in this state. More information will appear in the tooltip for the Inconclusive state to specify whether this state was reached because the FT interface VLAN and the IP address/peer IP address was not unique, or because the peer IP address on the management interface was not unique. Based on the information provided to you in the tooltip for the Inconclusive state, you must update the ACE configuration as described in the configuration requirements outlined above. After you make these configuration changes, resynchronize the affected ACE devices in ANM to update the configuration and HA mapping. For more information about synchronizing virtual contexts, see the “Creating Virtual Contexts” procedure on page 6-2. Modifying the ANM Timeout Setting to Compensate for Network Latency You can adjust the amount of time that ANM waits for a response from a device that you want ANM to import. You may need to adjust the timeout value when network latency prevents ANM from establishing a communication link with the device to be imported. To establish communications between ANM and the device during the device import process, the device sends requests to ANM for the required device username and password information. After ANM provides the device username, it waits two seconds for the device to make the next request for the password. If network latency prevents the password request from arriving within two seconds of providing the username, the connection times out, preventing ANM from importing the device. This type of issue can occur when importing devices that are Telnet-managed or require remote user authentication. To compensate for the resulting network latency, you can modify the default two-second timeout value by editing the ANM cs-config.properties file. Procedure Step 1 Modify the timeout value to 20000 milliseconds (20 seconds) as follows: • ANM Server—Open the /opt/CSCOanm/etc/cs-config.properties file in a text editor and add the following line to the end of the file: telnet.transport.login.timeout=20000 • ANM Virtual Appliance—Enter the following command: anm-property set telnet.transport.login.timeout 20000 5-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM Step 2 Restart ANM as follows: • ANM Server—Enter the following command: /opt/CSCOanm/bin/anm-tool restart • ANM Virtual Appliance—Enter the following command: anm-tool restart Step 3 Import the device. See one of the following sections: • Importing Network Devices into ANM, page 5-10 • Discovering Large Numbers of Devices Using IP Discovery, page 5-27 Step 4 (Optional) If the timeout issue persists, slowly increase the timeout value by repeating this procedure. Do not increase the timeout value beyond 60000 milliseconds. Related Topics • Importing Network Devices into ANM, page 5-10 • Discovering Large Numbers of Devices Using IP Discovery, page 5-27 Importing Network Devices into ANM ANM allows you to add the following devices individually to its database: • ACE appliances • ACE modules • Catalyst 6500 series chassis • Catalyst 6500 Virtual Switching System (VSS) 1440 • Cisco 7600 series routers • Cisco Content Services Switch (CSS) devices • Cisco Content Switching Module (CSM) devices • Cisco Global Site Selector (GSS) devices • VMware vCenter Servers We recommend that you use the procedures in this section to add your devices to ANM because they are faster and more efficient than running IP Discovery (see the “Discovering Large Numbers of Devices Using IP Discovery” section on page 5-27). Guidelines and Restrictions This topic includes the following guidelines and restrictions: • When adding a module device, such as an ACE module or a CSM, you must first import the host chassis device, such as a Cisco Catalyst 6500 series switch chassis, and then you add the installed modules. The chassis device is referred to as a Cisco IOS device during the device import process. 5-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM • The time required to import devices depends on the number of appliances, chassis, modules, and contexts that you are importing. For example, an ACE appliance with 20 virtual contexts takes longer than an ACE appliance with 5 contexts. While ANM imports devices, you cannot perform other activities in the same session. You can, however, establish a new session with the ANM server and perform activities on other appliances, chassis, modules, or virtual contexts. • Network latency can prevent ANM from establishing a communication link with a device that you want to import. When ANM is providing the device with the device credentials (username and password), by default it waits two seconds after providing the device username for the password prompt to appear. The link times out when it takes longer than two seconds for the next prompt to appear. For information about possible causes of network latency that can create this issue and how to adjust the ANM timeout value, see the “Modifying the ANM Timeout Setting to Compensate for Network Latency” section on page 5-9. Prerequisites This topic includes the following prerequisites: • Before adding a device or ACE module, the ANM server pings the IP address of the device or ACE module. If you have a firewall between the ANM server and the device you want to import, your network administrator needs to modify the firewall to allow the ping traffic to reach the device or ACE module. • To import your devices successfully, ensure the following: – The ACE module or CSM has booted successfully and is in the OK/Pass state (enter the show module supervisor Cisco IOS CLI command to verify this action). – The ACE appliance or the CSS state is up and running. There is no command to validate whether these devices are up and running. This section includes the following topics: • Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11 • Importing ACE Appliances, page 5-21 • Importing CSS Devices, page 5-22 • Importing GSS Devices, page 5-23 • Importing VMware vCenter Servers, page 5-24 Importing Cisco IOS Host Chassis and Chassis Modules This section shows how to import a Cisco IOS host chassis into ANM, such as the Catalyst 6500 series chassis or the Cisco 7600 series router. After you define the Cisco IOS device during the import process, you import the ACE or CSM modules that currently reside in the chassis and are detected by ANM. When you add additional modules to the Cisco IOS device, you import the new modules into ANM without having to redefine the host chassis. This section includes the following topics: • Importing Cisco IOS Devices with Installed Modules, page 5-12 • Importing ACE Modules after the Host Chassis has been Imported, page 5-16 • Importing CSM Devices after the Host Chassis has been Imported, page 5-19 • Importing VSS 1440 Devices after the Host Chassis has been Imported, page 5-20‘ 5-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM Importing Cisco IOS Devices with Installed Modules This section shows how to import the following Cisco IOS chassis devices into ANM along with any installed ACE modules or CSMs that ANM detects in the chassis: • Catalyst 6500 series chassis • Catalyst 6500 Virtual Switching System (VSS) 1440 • Cisco 7600 series routers Procedure Step 1 Choose Config > Devices > All Devices. The Device Management window appears. Step 2 In the device tree or in the All Devices table, click Add. The New Device window appears. Step 3 Enter the information for the device using the information in Table 5-2. Table 5-2 New Device Attributes Field Description Name Unique name for the device. Valid entries are unquoted text strings with no spaces and a maximum of 26 alphanumeric characters. Model Type of device to import. From the Model drop-down list, choose Cisco IOS Device. Primary IP IP address for the device in dotted-decimal format. Access Protocol Protocol to use for communication with the device. Choose Secure/SSH2 (default setting) or Telnet as the protocol that ANM uses to access the Cisco IOS devices. User Name Account name for device access. Note If you did not configure an account on the chassis before starting this procedure, you can enter an alphanumeric string with no spaces to complete this procedure. However, we recommend that you configure an account on the device to prevent unauthorized access. Password Password for the account. Enable Password Provides an extra level of security. SNMP v2c Enabled Check the SNMP v2c Enabled checkbox to configure SNMP access. Description Field that appears if you check the SNMP v2c Enabled checkbox. Enter the community string for the device. Note If you are adding a Catalyst 6500 series chassis, in the Community field, enter the SNMP community string already configured on the Catalyst 6500 series chassis. ANM uses this string to query device status information such as VLAN and interface status. This SNMP community string is also used for any CSM devices contained in the specified Catalyst 6500 series chassis. For Catalyst 6500 series chassis, CSS, and CSM devices, the SNMP community string already configured on the device is used by ANM for polling. For ACE modules and ACE appliances, the SNMP community string entered into ANM is configured on the ACE module/appliance and is used for polling the devices. Custom Prompt Settings 5-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM Step 4 Do one of the following: • Click Next to save your entries and import device information. A progress bar displays while ANM establishes a session with the chassis and collects information about the installed modules. When the information has been collected, ANM displays one of the following windows: – If no CSM devices or ACE or modules are associated with the chassis device, the All Devices table refreshes with the chassis information. – If CSM devices or ACE modules are associated with the chassis device, the Modules configuration window appears and displays information about the first detected module. To view the detected modules, continue to Step 5. • Click Cancel to exit the procedure without saving your entries and to return to the All Devices table. Clicking Cancel prevents device information from being imported and prevents ACE module discovery. Step 5 In the Modules window, verify the information of the first detected chassis module as described in Table 5-3 and use the Next and Previous buttons to navigate through the list of detected chassis modules. Custom Username Prompt Optional field for use with the Cisco Catalyst 6500 series switch and Cisco 7600 series router only. With either device, if you have it configured to use a TACACS+ server for remote authentication, you can also configure it to display a custom username prompt during the login process rather than the default username prompt. If you have the device configured to use a custom username prompt, enter the custom prompt in this field. Custom Password Prompt Optional field for use with the Cisco Catalyst 6500 series switch and Cisco 7600 series router only. With either device, if you have it configured to use a TACACS+ server for remote authentication, you can also configure it to display a custom password prompt during the login process rather than the default password prompt. If you have the device configured to use a custom password prompt, enter the custom prompt in this field. Table 5-2 New Device Attributes (continued) Field Description Table 5-3 Detected Modules in Imported Chassis Device Item Description Card Slot Chassis IP address, detected module type, and chassis slot number. For example, 10.10.10.1:ACE:2. Card Type Version information about the detected module. For example, ACE v2.3. This field displays major release information only. For example, 8.2x might be supported by a module, but only 8.2 displays. Module Has Been Imported Into ANM Read only information to indicate that the module has already been imported (checked) or that it has not been imported (unchecked). Operation To Perform Drop down list to specify the action to take as follows: • Do Not Import (default setting) • Import • Perform Initial Setup and Import 5-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM Step 6 To import a displayed module, in the Operation to Perform field, choose one of the following: • Import—ANM is to import the CSM device or ACE module. For the ACE module, ANM displays additional configuration fields when the Import option is selected. For both modules types, skip to Step 7 after selecting Import. • Perform Initial Setup And Import—(ACE module only) Allows you to perform initial setup manually required for ANM to communicate with the ACE module and imports ACE module configuration. Skip to Step 8. Note We recommend that you choose this option for ACE modules that are configured only with factory defaults. Step 7 If you chose Import for a CSM device or ACE module, do one of the following: • To import a CSM device, no further device information is required. Click Next or Previous to navigate to the next module to specify to import or click Finish to import the specified modules. • To import an ACE module, perform the following steps: a. In the Admin Context IP field, enter the module IP address. b. In the User Name field, enter the username for accessing this module. Valid entries are unquoted text strings with a maximum of 24 characters. The default admin credentials are admin/admin. Note For security reasons, we recommend that you change the username and password on your ACE device (and modules) after you import them. The security on your ACE module can be compromised because the administrative username and password are configured to be the same for every ACE module shipped from Cisco. See the “Changing ACE Module Passwords” procedure on page 5-77. c. In the Password field, enter the password for accessing this module. Reenter the password in the Confirm field. Valid entries are unquoted text strings with a maximum of 64 characters. The default admin credentials are admin/admin. d. Click Next or Previous to navigate to the next module to specify to import or click Finish to import the specified modules. Skip to Step 10. Step 8 If you chose Perform Initial Setup And Import for an ACE module, perform the following steps: a. In the Host Name field, enter a unique name for this ACE module. Valid entries are alphanumeric strings with no spaces and a maximum of 32 characters. b. In the Admin Context IP field, enter the IP address for this ACE module. c. In the Netmask field, from the drop-down list, choose the subnet mask to apply to this IP address. d. In the Gateway field, enter the IP address of the gateway router to use. e. In the VLAN field, choose the VLAN to which this module belongs. f. Check the Blade Is Configured With Factory Default Admin Credentials check box if the ACE module is currently configured with the default admin credentials (admin/admin). g. In the User Name field, enter the username for accessing this module. Valid entries are unquoted text strings with a maximum of 24 characters. The default admin credentials are admin/admin. 5-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM Note For security reasons, we recommend that you change the username and password on your ACE after you import it. The security on your ACE module can be compromised because the administrative username and password are configured to be the same for every ACE shipped from Cisco. See the “Changing ACE Module Passwords” procedure on page 5-77. h. In the Password field, enter the password for accessing this module. Reenter the password in the Confirm field. Valid entries are unquoted text strings with a maximum of 64 characters. The default admin credentials are admin/admin. Step 9 Do one of the following: • Click OK to save your entries and to continue with the device configuration. A progress bar reports status and the Device configuration window appears. • Click Cancel to exit the procedure without importing ACE modules and to return to the All Devices table. Note Clicking Cancel in this window does not cancel the chassis importing process. Step 10 (Optional) To confirm that the virtual contexts on the ACE module were successfully imported into ANM, do the following: a. Choose Config > Devices. The device tree appears. b. In the device tree, choose the chassis device and ACE module that you just imported. The Virtual Contexts table appears, listing the contexts for that device. c. Confirm that the contexts imported successfully: – If OK appears in the Config Status column, it means that the context imported successfully. – If Import Failed appears in the Config Status column, it means that the context did not import successfully. d. To synchronize the configurations for the context import that failed, choose the context, and then click Sync. ANM will synchronize the context by uploading it from the ACE device. For more information on synchronizing virtual contexts, see the “Creating Virtual Contexts” procedure on page 6-2. Note If you receive authentication errors or incorrect username/password errors when trying to import ACE devices, refer to the ACE documentation regarding username and password settings and limitations. Tip After you add an ACE module, see the “Enabling a Setup Syslog for Autosync for Use With an ACE” section on page 5-27 to enable auto sync, which allows ANM to synchronization with the ACE CLI when ANM receives a syslog message from the ACE rather wait the default polling period. Relate Topics • Importing ACE Modules after the Host Chassis has been Imported, page 5-16 • Importing CSM Devices after the Host Chassis has been Imported, page 5-19 5-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM • Importing ACE Appliances, page 5-21 • Importing CSS Devices, page 5-22 • Importing GSS Devices, page 5-23 • Importing VMware vCenter Servers, page 5-24 • Removing Modules from the ANM Database, page 5-80 • Synchronizing Module Configurations, page 5-67 Importing ACE Modules after the Host Chassis has been Imported You can add ACE modules into the ANM database at any time after the host chassis been added. Before You Begin • Ensure that the module to be imported has booted successfully and is in OK/Pass state. To check the module state, enter the show module supervisor Cisco IOS CLI command. • Note that time needed to import ACE modules depends on the number of modules and contexts that you are importing. For example, an ACE module with 20 virtual contexts takes longer than an ACE module with 5 contexts. While ANM imports the module, you cannot perform other activities in the same session. You can, however, establish a new session with the ANM server and perform activities on other devices, modules, or virtual contexts. • If you receive authentication errors or incorrect username/password errors when you try to import an ACE module, see the ACE documentation regarding username and password settings and limitations. • If you physically replace an ACE module in a chassis, you need to synchronize the chassis in ANM. We recommend you start by adjusting syslog settings to facilitate the ANM auto synchronization process as described in the “Enabling a Setup Syslog for Autosync for Use With an ACE” section on page 5-27. Guidelines and Restrictions ANM 3.0 and greater releases do not support the importing of an ACE module that contains an A1(6.x) software release or an ACE appliance that contains an A1(7.x) or A1(8.x) software release. If you attempt to import an ACE that supports one of these releases, ANM displays a message to instruct you that it failed to import the unrecognized ACE configuration and that device discovery failed. However, if you perform an ANM upgrade (for example, from ANM 2.2 to ANM 3.0), and the earlier ANM release contained an inventory with an ACE module that supported the A1(6x) software release or an ACE appliance that supported the A1(7.x) or A1(8.x) software release, ANM 3.0 (and greater) allows the A1(x) software release to reside in the ANM database and will support operations for the release. ANM prevents a new import of an ACE module or ACE appliance that contains the unsupported software version. We strongly recommend that you upgrade your ACE module or ACE appliance to a supported ACE software release, and that you instruct ANM to recognize the updated release. See the “Instructing ANM to Recognize an ACE Module Software Upgrade” section on page 5-71. See the Supported Device Tables for the Cisco Application Networking Manager for a complete list of supported ACE module and ACE appliance software releases. Prerequisites The host chassis of the ACE module that you are adding has been imported (see the “Importing Cisco IOS Host Chassis and Chassis Modules” section on page 5-11). 5-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM Procedure Step 1 Choose Config > Devices > All Devices. The All Devices table appears. Step 2 In the All Devices table, choose the host device that contains the ACE module you want to import and click Modules. The Modules table appears, which displays a list of the installed modules. Step 3 In the Modules table, choose the module that you want to import and click Import. The Modules configuration window appears. Step 4 In the Modules window, verify the information of the selected module as described in Table 5-4. Step 5 To import a displayed module, in the Operation to Perform field, choose one of the following: • Import—ANM is to import the ACE module. ANM displays additional configuration fields when the Import option is selected. For both modules types, skip to Step 6 after selecting Import. • Perform Initial Setup And Import—Allows you to perform initial setup manually required for ANM to communicate with the ACE module and imports ACE module configuration. Skip to Step 7. Note We recommend that you choose this option for ACE modules that are configured only with factory defaults. Step 6 If you chose Import, perform the following steps: a. In the Admin Context IP field, enter the module IP address. b. In the User Name field, enter the username for accessing this module. Valid entries are unquoted text strings with a maximum of 24 characters. The default admin credentials are admin/admin. Table 5-4 Importing ACE Modules Item Description Card Slot Chassis IP address, detected module type, and chassis slot number. For example, 10.10.10.1:ACE:2. Card Type Version information about the detected module. For example, ACE v2.3. This field displays major release information only. For example, 8.2x might be supported by a module, but only 8.2 displays. Module Has Been Imported Into ANM Read only information to indicate that the module has already been imported (checked) or that it has not been imported (unchecked). Operation To Perform Drop down list to specify the action to take as follows: • Do Not Import (default setting) • Import • Perform Initial Setup and Import 5-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM Note For security reasons, we recommend that you change the username and password on your ACE device (and modules) after you import them. The security on your ACE module can be compromised because the administrative username and password are configured to be the same for every ACE module shipped from Cisco. See the “Changing ACE Module Passwords” procedure on page 5-77. c. In the Password field, enter the password for accessing this module. Reenter the password in the Confirm field. Valid entries are unquoted text strings with a maximum of 64 characters. The default admin credentials are admin/admin. d. Click Next or Previous to navigate to the next module to specify to import or click Finish to import the specified modules. Skip to Step 9. Step 7 If you chose Perform Initial Setup And Import, perform the following steps: a. In the Host Name field, enter a unique name for this ACE module. Valid entries are alphanumeric strings with no spaces and a maximum of 32 characters. b. In the Admin Context IP field, enter the IP address for this ACE module. c. In the Netmask field, from the drop-down list, choose the subnet mask to apply to this IP address. d. In the Gateway field, enter the IP address of the gateway router to use. e. In the VLAN field, choose the VLAN to which this module belongs. f. Check the Blade Is Configured With Factory Default Admin Credentials check box if the ACE module is currently configured with the default admin credentials (admin/admin). g. In the User Name field, enter the username for accessing this module. Valid entries are unquoted text strings with a maximum of 24 characters. The default admin credentials are admin/admin. Note For security reasons, we recommend that you change the username and password on your ACE after you import it. The security on your ACE module can be compromised because the administrative username and password are configured to be the same for every ACE shipped from Cisco. See the “Changing ACE Module Passwords” procedure on page 5-77. h. In the Password field, enter the password for accessing this module. Reenter the password in the Confirm field. Valid entries are unquoted text strings with a maximum of 64 characters. The default admin credentials are admin/admin. Step 8 Do one of the following: • Click OK to save your entries and to continue with the device configuration. A progress bar reports status and the Device configuration window appears. • Click Cancel to exit the procedure without importing ACE modules and to return to the All Devices table. Note Clicking Cancel in this window does not cancel the chassis importing process. Step 9 (Optional) To confirm that the virtual contexts on the ACE module were successfully imported into ANM, do the following: a. Choose Config > Devices. The device tree appears. 5-19 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM b. In the device tree, choose the chassis device and ACE module that you just imported. The Virtual Contexts table appears, listing the contexts for that device. c. Confirm that the contexts imported successfully: – If OK appears in the Config Status column, it means that the context imported successfully. – If Import Failed appears in the Config Status column, it means that the context did not import successfully. d. To synchronize the configurations for the context import that failed, choose the context, and then click Sync. ANM will synchronize the context by uploading it from the ACE device. For more information on synchronizing virtual contexts, see the “Creating Virtual Contexts” procedure on page 6-2. Note If you receive authentication errors or incorrect username/password errors when trying to import ACE devices, refer to the ACE documentation regarding username and password settings and limitations. Tip After you add ACE devices, see the “Enabling a Setup Syslog for Autosync for Use With an ACE” section on page 5-27 to enable auto sync, which allows ANM to synchronization with the ACE CLI when ANM receives a syslog message from the ACE rather wait the default polling period. Related Topics • Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11 • Importing ACE Appliances, page 5-21 • Importing CSS Devices, page 5-22 • Importing GSS Devices, page 5-23 • Importing VMware vCenter Servers, page 5-24 • Removing Modules from the ANM Database, page 5-80 • Synchronizing Module Configurations, page 5-67 Importing CSM Devices after the Host Chassis has been Imported You can import CSM devices into the ANM database at any time after the host chassis or router has been imported. Note ANM assigns the device type CSM to both CSM and CSM-S devices. This assignment has to do with how ANM collects and assigns the information that it receives from the device and does not affect functionality. To differentiate between these devices, see the description information in the user interface. Prerequisites The host chassis of the CSM that you are adding has been imported (see the “Importing Cisco IOS Host Chassis and Chassis Modules” section on page 5-11). 5-20 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM Procedure Step 1 Choose Config > Devices > All Devices. The All Devices table appears. Step 2 In the All Devices table, choose the host device that contains the CSM that you want to import, and then click Modules. The Modules table appears. Step 3 In the Modules table, choose the CSM that you want to import, and then click Import. The Modules configuration window appears. Step 4 Verify that the information is correct in the following read-only fields: • Card Slot—The slot in the chassis in which the module resides. • Card Type—The device type; in this instance, CSM. • Module Has Been Imported Into ANM—The checkbox is checked to indicate that the module has already been imported or cleared to indicate that it has not been imported. Step 5 In the Operation to Perform field, choose Import. Step 6 Do one of the following: • Click OK to save your entries. A progress bar reports status and the Modules table refreshes with updated information. • Click Cancel to exit the procedure without importing the device and to return to the Modules table. Related Topics • Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11 • Importing ACE Appliances, page 5-21 • Importing CSS Devices, page 5-22 • Importing GSS Devices, page 5-23 • Importing VMware vCenter Servers, page 5-24 • Removing Modules from the ANM Database, page 5-80 • Synchronizing Module Configurations, page 5-67 Importing VSS 1440 Devices after the Host Chassis has been Imported Catalyst 6500 Virtual Switching Systems (VSS) 1440 devices allow for the combination of two switches into a single, logical network entity from the network control plane and management perspectives. To the neighboring devices, the Cisco Virtual Switching System appears as a single, logical switch or router. VSS devices will be discovered as normal Cisco IOS devices in ANM if the devices are already converted to virtual switch mode. 5-21 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM Note ANM does not recognize failure scenarios as discussed in the “Configuring Virtual Switching System” section of the “Catalyst 6500 Release 12.2SXH and Later Software Configuration Guide” on Cisco.com at http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html# wp1062314. Related Topics Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11 Importing ACE Appliances This section shows how to import an ACE appliance into ANM. Procedure Step 1 Choose Config > Devices > All Devices. The All Devices table appears. Step 2 In the All Devices table, choose the Add button. The New Device window appears. Step 3 In New Device window, define the ACE appliance to import using the information in Table 5-5. Step 4 Do one of the following: • Click OK to save your entries. After ANM adds the specified device, the Primary Attributes window for the device appears. • Click Cancel to exit the procedure without importing the device and to return to the Modules table. Related Topics • Importing Network Devices into ANM, page 5-10 • Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11 Table 5-5 ACE Appliance Configuration Options Field Description Name Name assigned to the ACE appliance. Model Drop-down list to specify the device type. From the Model drop-down list, choose ACE 4710 (appliance). Primary IP ACE appliance IP address. User Name Username that has the administrator role. Password Password that corresponds to the username. Confirm Confirmation of the password. Description Brief device description. 5-22 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM • Importing CSS Devices, page 5-22 • Importing GSS Devices, page 5-23 • Importing VMware vCenter Servers, page 5-24 Importing CSS Devices This section shows how to import CSS devices into ANM. Procedure Step 1 Choose Config > Devices > All Devices. The All Devices table appears. Step 2 In the All Devices table, choose the Add button. The New Device window appears. Step 3 In New Device window, define the CSS device to import using the information in Table 5-6. Step 4 Do one of the following: • Click OK to save your entries. After ANM adds the specified device, the Primary Attributes window for the device appears (see the “Configuring CSS Primary Attributes” section on page 5-35). • Click Cancel to exit the procedure without importing the device and to return to the Modules table. Related Topics • Importing Network Devices into ANM, page 5-10 • Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11 • Importing ACE Appliances, page 5-21 Table 5-6 CSS Configuration Options Field Description Name Name assigned to the device. Model Drop-down list to specify the device type. From the Model drop-down list, choose CSS. Primary IP Device IP address. Access Protocol Protocol that ANM is to use when communicating with the CSS. Choose one of the following: • Secure/SSH (default setting) • Telnet User Name Username that has the administrator role. Password Password that corresponds to the username. Confirm Confirmation of the password. SNMP v2c Enabled Checkbox to enable SNMP v2c. Description Brief device description. 5-23 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM • Importing GSS Devices, page 5-23 • Importing VMware vCenter Servers, page 5-24 Importing GSS Devices This section shows how to import GSS devices into ANM. Guidelines and Restrictions Follow these guidelines for importing GSS devices into ANM: • You only need to import the primary GSSM into ANM—You are not required or permitted to add either the standby GSSM or GSS device. ANM communicates only with the primary GSSM for activation and suspension of DNS rules and virtual IP (VIP) answers and for collecting statistics. • GSS graphical user interface (GUI) and CLI must have matching passwords—The username that you configure while adding a GSS device to ANM must be the same on both the GSS GUI and GSS CLI. • Communication between ANM and the primary GSSM is accomplished using the GSS Communication Ethernet Interface—This interface is used for internal communication between the primary GSSM and the other GSS devices in the GSS cluster. Beginning with ANM 4.3, ANM uses Java Remote Method Invocation (RMI) only to communicate with GSS devices using software Version 3.3 or later versions. If the GSS device is using an earlier version of software and ANM cannot communicate with it using RMI, ANM uses Secure Shell (SSH). Table 5-7 lists the TCP ports that ANM uses to communicate with GSS devices. Note When ANM uses SSH for GSS communication, terminal length settings are set to 0 during import, synchronization, and background polling. The previous terminal length settings that you had before import, synchronization, and background polling is performed are not preserved. Procedure Step 1 Choose Config > Devices > All Devices. The All Devices table appears. Step 2 In the All Devices table, choose the Add button. The New Device window appears. Step 3 In New Device window, define the GSS device to import using the information in Table 5-8. Table 5-7 TCP Ports Used by ANM for GSS Port Description 22 SSH 2001 Java RMI 3009 Secure RMI 5-24 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM Step 4 Do one of the following: • Click OK to save your entries. After ANM adds the specified device, the Primary Attributes window for the device appears (see the “Configuring GSS Primary Attributes” section on page 5-36). • Click Cancel to exit the procedure without importing the device and to return to the Modules table. Related Topics • Importing Network Devices into ANM, page 5-10 • Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11 • Importing ACE Appliances, page 5-21 • Importing CSS Devices, page 5-22 • Importing VMware vCenter Servers, page 5-24 Importing VMware vCenter Servers This section shows how to import VMware vCenter Servers that are part of a VMware virtual datacenter containing virtual machines (VM). When you import a VMware vCenter Server, ANM discovers the following network entities associated with the server: datacenters, VMs, and hosts (VMware ESX servers). During the VMware vCenter Server import process, you can enable the ANM plug-in that allows you to access ANM ACE real server functionality from a VMware vSphere Client. Registering the plug-in provides the client with a URL to access ANM and retrieve the required XML definition file. ANM uses HTTPS for communication with VMware vCenter Server. Guidelines and Restrictions This topic includes the following guidelines and restrictions: Table 5-8 GSS Configuration Options Field Description Name Name assigned to the device. Model Drop-down list to specify the device type. From the Model drop-down list, choose GSS. Primary IP Device IP address. User Name Username that has the administrator role. Password Password that corresponds to the username. Confirm Confirmation of the password. Enable Password Password for remote authorization. When the GSS is configured for remote authorization with the enable command in the user privilege, then the enable password is not used. Confirm Confirmation of the enable password. Description Brief description for this device. 5-25 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM • ANM does not recognize all the special characters that VMware allows you to use in a VM name. If you import a VMware vCenter Server containing VM names that use certain special characters, ANM encounters issues that affect the VM Mappings window (Config > Devices > vCenter > System > VM Mappings). This window shows how VMs map to real servers. The issues associated with certain special characters in VM names are as follows: – When a VM name contains a double quote (“), ANM is not able to display the VM Mappings window (a blank window displays). – When a VM name contains a percent sign (%), backslash (\), or forward slash (/), ANM displays the VM name in the VM Mappings window; however, these special characters display as hex values (%25 for %, %5c for \, and %2f for /). To avoid these issues, remove these special characters from the VM name before you use the following procedure to import the VMware vCenter Server in to ANM. • ANM supports importing a VMware vCenter Server operating in standard mode only. You cannot import a vCenter Server operating in linked mode. Procedure Step 1 Choose Config > Devices > All Devices. The All Devices table appears. Step 2 In the All Devices table, choose the Add button. The New Device window appears. Step 3 In New Device window, configure the VMware vCenter Server using the information in Table 5-9. Table 5-9 VMware vCenter Server Configuration Options Field Description Name Name assigned to the device. Model Drop-down list of available device types. From the Model drop-down list, choose vCenter. Primary IP VMware vCenter Server IP address. HTTPS Port Port that the VMware vCenter Server uses to communicate with ANM using HTTPS. User Name VMware vCenter Server username that has the administrator role or an equivalent role that has privilege on “Extension,” “Global->Manage custom attribute,” and “Global->Set custom attribute.” Password Password that corresponds to the VMware vCenter Server username. 5-26 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Importing Network Devices into ANM Step 4 Do one of the following: • Click OK to save your entries. After ANM adds the VMware vCenter Server, the Primary Attributes window for the VMware vCenter Server appears (see the “Configuring VMware vCenter Server Primary Attributes” section on page 5-41). • Click Cancel to exit the procedure without importing the device and to return to the Modules table. Related Topics • Configuring VMware vCenter Server Primary Attributes, page 5-41 • Using the ANM Plug-In With Virtual Data Centers, page B-1 • Mapping Real Servers to VMware Virtual Machines, page 5-68 • Importing Network Devices into ANM, page 5-10 • Importing Cisco IOS Host Chassis and Chassis Modules, page 5-11 • Importing ACE Appliances, page 5-21 • Importing CSS Devices, page 5-22 • Importing GSS Devices, page 5-23 ANM vCenter Plug-in Registers the ANM plug-in when adding the VMware vCenter Server. Registering the plug-in provides the VMware vCenter Server and associated VMware vSphere Clients with a URL to access ANM and retrieve the required XML definition file. ANM uses HTTPS for communication with the VMware vCenter Server and vSphere Clients. When the plug-in is registered, you can access ANM ACE real server functionality from a VMware vSphere Client. Choose one of the following options: • Import vCenter and register plug-in • Import vCenter and but do not register plug-in (default setting) To register or unregister the ANM plug-in at a later time, see the “Registering or Unregistering the ANM Plug-in” section on page B-5. ANM Server DNS name or IP address of the ANM server that will be used by the VMware vCenter Server and vSphere Client. By default, ANM populates this field with the virtual IP address or hostname or all of the available IP addresses. If you enter a DNS name, make sure that the name can be resolved on the VMware vSphere Client side of the network. Note For ANM servers operating in an HA configuration, choose the shared alias IP address or VIP address for the HA pair so that the plug-in can still be used after an HA failover occurs. Table 5-9 VMware vCenter Server Configuration Options (continued) Field Description 5-27 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Discovering Large Numbers of Devices Using IP Discovery Enabling a Setup Syslog for Autosync for Use With an ACE You can set up auto synchronization to occur when ANM receives a syslog message from ACE devices. This feature allows a faster, more streamlined synchronization process between ANM and any out-of-band configuration changes. Rather than wait the default polling period, ANM will synchronize when a syslog message is received if you enable the Autosync feature. Note ANM does not support Autosync for GSS devices. Procedure Step 1 Choose Config > Devices. From the device tree, select either an ACE module or an ACE appliance. Step 2 Choose Setup Syslog for Autosync. The Setup Syslog for Autosync window appears. Step 3 Choose one or more virtual contexts for which you want to receive Autosync syslog messages. Step 4 Click the Setup Syslog button. A progress bar window appears. The following CLI commands are sent to the enabled ACE devices: logging enable logging trap 2 logging device-id string /Admin logging host udp/514 logging message 111008 level 2 Step 5 If the setup is successful, a checkbox with check mark will appear in the Setup Syslog for Autosync? column for each virtual context that you selected. If there are any errors, the errors will be shown in a popup window. Discovering Large Numbers of Devices Using IP Discovery The IP Discovery feature allows you to discover and import Cisco chassis and ACEs into the ANM database as follows: 1. Preparing devices for discovery. This process involves enabling SSH and XML over HTTPS and adding device credentials. See the “Preparing Devices for IP Discovery” section on page 5-28. 2. Discovering devices residing on your network. The ANM uses SSH, XML over HTTPS, and Telnet to discover its supported devices. When you run IP Discovery, you locate IP addresses of ACE chassis and appliances. See the “Running IP Discovery to Identify Devices” section on page 5-31. After discovery, devices do not appear in the Devices table until device import is completed. To import a specific chassis into the ANM database, you need to enter IP and credentials information for the chassis and then import it and any associated modules. While this discovery method requires you to add more information initially, it provides more control over the discovery process. 5-28 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Discovering Large Numbers of Devices Using IP Discovery 3. Importing the device information into the ANM database to add the device into the Devices table. See the “Importing Network Devices into ANM” section on page 5-10. 4. After importing a module host device, such as a Catalyst 6500 series chassis, you can add ACE modules and CSMs into the ANM database. See the “Importing ACE Modules after the Host Chassis has been Imported” section on page 5-16 or the “Importing CSM Devices after the Host Chassis has been Imported” section on page 5-19. 5. After you start a discovery job, you can monitor its status. See the “Monitoring IP Discovery Status” section on page 5-33. ANM offers multiple ways to accomplish some of these steps. For example, you can either run a discovery job to identify the available chassis, and then choose the ones to import, or you can import a specific chassis into the ANM database. To add a chassis without running discovery, see the “Importing Cisco IOS Host Chassis and Chassis Modules” section on page 5-11. See the Supported Devices Table for Cisco Application Networking Manager for more information about the devices that ANM supports. This section includes the following topics: • Preparing Devices for IP Discovery, page 5-28 • Running IP Discovery to Identify Devices, page 5-31 • Monitoring IP Discovery Status, page 5-33 Preparing Devices for IP Discovery This section describes how to prepare your Cisco devices for IP Discovery by enabling SSH and Telnet on each device and by configuring device SSH and Telnet credentials though ANM. These tasks enable ANM to communicate with the devices and collect data from them. Caution IP Discovery sends unencrpyted credentials (Telnet and SNMP) to all devices on the specified subnet who respond to the associated ports. This is a potential security risk because credentials are broadcast out to one or more networks. IP Discovery may also find devices that cannot be imported or may not be able to locate devices that could be imported. Guidelines and Restrictions Network latency can prevent ANM from establishing a communication link with a device that you want to import. When ANM is providing the device with the device credentials (username and password), by default it waits two seconds after providing the device username for the password prompt to appear. The link times out when it takes longer than two seconds for the next prompt to appear. For information about possible causes of network latency that can create this issue and how to adjust the ANM timeout value, see the “Modifying the ANM Timeout Setting to Compensate for Network Latency” section on page 5-9. Before You Begin Ensure that you have enabled SSH and Telnet in your Cisco network devices by performing the tasks described in the following sections: • Enabling SSH or Telnet Access on Catalyst 6500 Series Switches and Cisco 7600 Series Routers, page 5-5 • Enabling SSH Access and the HTTPS Interface on the ACE Module and Appliance, page 5-6 5-29 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Discovering Large Numbers of Devices Using IP Discovery This section includes the following topics: • Configuring Device Access Credentials, page 5-29 • Modifying Credential Pools, page 5-30 Configuring Device Access Credentials You can add device credentials to ANM before running IP Discovery. Procedure Step 1 Choose Config > Tools > Credential Pool Management. The New Credential Pool window appears. Step 2 In the Name field, enter the name of the new credential pool. Step 3 Click Save to save this entry and to proceed with credentials configuration. The configuration window appears. Step 4 Set the Telnet credentials as follows: a. Choose Configuration > Telnet Credentials. The Telnet Credentials table appears. b. In the table, click Add to add a set of credentials to this credential pool, or choose an existing set of credentials, and click Edit to modify it. c. Enter the credentials (see Table 5-10). d. Do one of the following: – Click OK to save your entries and to return to the Telnet Credentials table. – Click Cancel to exit this procedure without saving your entries and to return to the Telnet Credentials table. – Click Next to deploy your entries and to add another set of Telnet credentials. Step 5 Set the SNMP credentials as follows: a. Choose Configuration > SNMP Credentials. The SNMP Credentials table appears. b. Click Add to add a set of credentials to this credential pool, or choose an existing set of credentials, and click Edit to modify it. Table 5-10 Telnet Credentials Field Description IP Address Specific IP address in dotted-decimal notation or use an asterisk (*) as a wildcard character to identify a number of devices, such as 192.168.11.*. User Name Telnet username for the specified devices. Password Telnet password for the specified devices. Confirm Telnet password that you reenter. Enable Password Telnet enable password for the specified devices. ANM uses this password during the Catalyst 6500 series chassis and Catalyst 6500 Virtual Switching System (VSS) 1440 import process. Confirm Telnet enable password that you reeenter. 5-30 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Discovering Large Numbers of Devices Using IP Discovery c. Enter the SNMP credentials (see Table 5-11). Step 6 Do one of the following: • Click OK to save your entries and to return to the SNMP Credentials table. • Click Cancel to exit without saving your entries and to return to the SNMP Credentials table. • Click Next to deploy your entries and to configure another set of SNMP credentials. After establishing the Telnet and SNMP credentials, you are ready to run IP Discovery. See the “Running IP Discovery to Identify Devices” section on page 5-31. Related Topics • Running IP Discovery to Identify Devices, page 5-31 • Configuring Device Access Credentials, page 5-29 • Discovering Large Numbers of Devices Using IP Discovery, page 5-27 Modifying Credential Pools You can modify existing Telnet or SNMP credentials. Procedure Step 1 Choose Config > Tools > Credential Pool Management. The Credential Pools configuration window appears. Step 2 Choose the credential pool that you want to modify. The Edit Credential Pool configuration window appears. Step 3 Click Edit. Step 4 To modify the existing Telnet credentials, do the following: a. Choose Configuration > Telnet Credentials. The Telnet Credentials table appears. b. In the table, click Add to add a set of credentials to this credential pool, or choose an existing set of credentials, and click Edit to modify it. Table 5-11 SNMP Credentials Field Description IP Address Specific IP address in dotted-decimal notation is used or an asterisk (*) is used as a wildcard character to identify a number of devices, such as 192.168.11.*. Mode Default version of SNMP is selected for this credential pool. Snmpv2 indicates that SNMP version 2 is to be used for this credential pool for the specified devices. RO Community SNMP read-only string for the specified devices. This entry is case sensitive. Timeout Time, in seconds, that the ANM is to wait for response from a device before performing the first retry. Retries Number of times that the ANM is to attempt to communicate with a device before declaring that the device has timed out. 5-31 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Discovering Large Numbers of Devices Using IP Discovery c. Enter the Telnet credentials (see Table 5-10). d. Do one of the following: – Click OK to save your entries and to return to the Telnet Credentials table. – Click Cancel to exit this procedure without saving your entries and to return to the Telnet Credentials table. – Click Next to deploy your entries and to add another set of Telnet credentials. Step 5 To modify the existing SNMP credentials, do the following: a. Choose Configuration > SNMP Credentials. The SNMP Credentials table appears. b. Click Add to add a set of credentials to this credential pool, or choose an existing set of credentials, and click Edit to modify it. c. Enter the SNMP credentials (see Table 5-11). d. Do one of the following: – Click OK to save your entries and to return to the SNMP Credentials table. – Click Cancel to exit without saving your entries and to return to the SNMP Credentials table. – Click Next to deploy your entries and to configure another set of SNMP credentials. Related Topics • Running IP Discovery to Identify Devices, page 5-31 • Configuring Device Access Credentials, page 5-29 • Discovering Large Numbers of Devices Using IP Discovery, page 5-27 Running IP Discovery to Identify Devices You can run IP Discovery to locate IP addresses of the Catalyst 6500 series chassis (hosting the ACE module), ACE appliance, and Catalyst 6500 Virtual Switching System (VSS) devices. After establishing Telnet and SNMP credentials (see the “Configuring Device Access Credentials” section on page 5-29), use this procedure to identify chassis and ACEs on your network. Caution IP Discovery sends unencrpyted credentials (Telnet and SNMP) to all devices on the specified subnet that respond to the associated ports. This is a potential security risk because credentials are broadcast out to one or more networks. IP Discovery may also find devices that cannot be imported or be unable to find devices that could be imported. Before You Begin For this procedure, you need the follow items: • IP address for the discovery process. • Applicable subnet mask. • Valid credentials for this discovery (see the “Configuring Device Access Credentials” section on page 5-29). 5-32 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Discovering Large Numbers of Devices Using IP Discovery • Verification that the devices have SSH enabled (see the “Preparing Devices for IP Discovery” section on page 5-28). Procedure Step 1 Choose Config > Tools > IP Discovery. The Discovery Jobs table appears. Tip If you already know the IP address of your devices, use the Config > Devices > Add function. See the “Importing Network Devices into ANM” section on page 5-10. Step 2 To create a discovery job, click Add. The Discovery Jobs window appears. Step 3 In the IP Address field, enter the IP address of a specific device in dotted-decimal notation such as 192.168.11.1. Step 4 In the Netmask field, choose the subnet mask to be used. When you specify a subnet mask, the discovery process discovers all devices in the range of the IP address and its subnet mask. The default netmask is 255.255.255.0. Note Choose a higher subnet mask only if you are certain that it is appropriate for your network and you understand the impact. If you choose the subnet mask for a class A or class B network, the discovery process becomes extensive and can take a substantial amount of time to complete. Step 5 In the Credential Pool field, choose the credential pool to be used for this discovery. Step 6 Click Discover to run discovery now or Cancel to exit this procedure without running discovery. When you run IP Discovery, the Discovery Jobs table reflects the state of the discovery as it runs. The amount of time to finish a discovery job depends on the size of your network and network activity. If necessary, click Stop to stop the discovery process. When the process has stopped, the Discovery Jobs table appears with the discovery job in the table with the state Aborted. Tip Click Refresh during IP Discovery to see the number of devices found as the discovery process progresses. Step 7 (Optional) View the discovery process status (see the “Monitoring IP Discovery Status” section on page 5-33). Step 8 (Optional) Import ACE devices into the ANM when the discovery process is complete (see the “Importing Network Devices into ANM” section on page 5-10). Related Topics • Creating Virtual Contexts, page 6-2 • Importing Network Devices into ANM, page 5-10 • Using Configuration Building Blocks, page 16-1 5-33 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Discovering Large Numbers of Devices Using IP Discovery Monitoring IP Discovery Status You can monitor device discovery status after starting a discovery job. Procedure Step 1 Click Config > Tools > IP Discovery. The Discovery Jobs table appears with the following information for each discovery job: • IP address • Subnet mask • Start Time in the format hh:mm:ss.nnn • End Time, if available, in the format hh:mm:ss.nnn • Credential Pool being used • State of the discovery job, such as Running or Completed • Number of devices found Step 2 Locate your discovery job to see its current status. If necessary, click Stop to stop the discovery process. When the process has stopped, the Discovery Jobs table appears with the discovery job in the table with the state Aborted. Step 3 When discovery is complete, choose the discovery job in the table. A list of the discovered devices appears below the Discovery Jobs table. You can now populate the ANM with chassis and ACEs. See the “Importing Network Devices into ANM” section on page 5-10. Related Topics • Importing Network Devices into ANM, page 5-10 • Running IP Discovery to Identify Devices, page 5-31 • Information About Importing Devices, page 5-4 5-34 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices Configuring Devices This section describes how to configure the devices that you add to ANM and includes the following topics: • Configuring Device System Attributes, page 5-34 • Configuring Catalyst 6500 Series Chassis or Cisco 7600 Series Router Interfaces, page 5-41 • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 Note The ANM does not detect changes made to a chassis device though the CLI. Be sure to synchronize chassis configurations whenever chassis configuration has been modified via the CLI. Configuring Device System Attributes This section shows how to configure the device system attributes. For the CSM, CSS, and GSS devices, the system attributes consist of the primary attributes only. For the Catalyst 6500 series chassis, Catalyst 6500 Virtual Switching System (VSS) 1440 devices, and Cisco 7600 series routers, the system attributes also include the static route attributes. This section includes the following topics: • Configuring CSM Primary Attributes • Configuring CSS Primary Attributes • Configuring GSS Primary Attributes • Configuring Catalyst 6500 VSS 1440 Primary Attributes • Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes • Configuring Catalyst 6500 Series Chassis, Catalyst 6500 Virtual Switching System 1440 Devices, and Cisco 7600 Series Routers Static Routes • Configuring VMware vCenter Server Primary Attributes Configuring CSM Primary Attributes You can configure primary attributes for CSM devices. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the CSM that you want to configure, and then choose System > Primary Attributes. The Primary Attributes window appears. Step 3 In the Description field, enter a brief description of the module. Step 4 Choose another CSM for high availability pairing from the Redundant Device field, which displays any other CSM devices that have been imported into ANM. 5-35 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices Step 5 Click Deploy Now to deploy this configuration on the CSM and save your entries to the running-configuration and startup-configuration files. To exit this procedure without deploying your entries, choose another device in the device tree or in the object selector above the configuration pane. Related Topics • Configuring Devices, page 5-34 • Importing ACE Modules after the Host Chassis has been Imported, page 5-16 Configuring CSS Primary Attributes You can configure primary attributes for CSS devices. Procedure Step 1 Choose Config > Devices > All Devices. The All Devices table appears. Step 2 In the All Devices table, choose the CSS that you want to configure, and then choose System > Primary Attributes. The Primary Attributes window appears with information about the device. Step 3 Configure the CSS using the information in Table 5-12. Note Most of the information is read directly from the device during the import process and cannot be changed using the ANM interface. Table 5-12 CSS Primary Attributes Configuration Options Field Description Description Brief description for this device. Device Type Read-only field that has the device type in gray. Use Telnet Read-only field that will be checked if the device was imported using Telnet. IP Address Read-only field with the device IP address. Redundant Device Field that displays any other CSS devices that have been imported into the ANM database. Choose another CSS for high availability pairing. 5-36 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices Step 4 Click Deploy Now to deploy this configuration on the CSS and to save your entries to the running-configuration and startup-configuration files. To exit this procedure without deploying your entries, choose another device in the device tree or in the object selector above the configuration pane. Related Topics • Configuring Devices, page 5-34 • Importing Network Devices into ANM, page 5-10 Configuring GSS Primary Attributes You can configure primary attributes for Cisco Global Site Selector devices. Procedure Step 1 Choose Config > Devices > All Devices. The All Devices table appears. Step 2 In the All Devices table, choose the GSS that you want to configure, and then choose System > Primary Attributes. The Primary Attributes window appears with information about the device. Step 3 Configure the GSS using the information in Table 5-13. SNMP v2c Enabled Checkbox to enable SNMP version 2c access. Uncheck the checkbox to disable this feature. If you enable this feature, in the SNMP Trap Community string field, enter the SNMP community string. SNMP v3 Enabled Checkbox to enable SNMP Version 3 access. Uncheck the checkbox to disable this feature. If you enable this feature, do the following: 1. In the SNMP V3 User Name field, enter the SNMP username. 2. In the SNMP V3 Mode field, choose the level of security to be used when accessing the chassis: • NoAuthNoPriv—SNMP uses neither authentication nor encryption in its communications. • AuthNoPriv—SNMP uses authentication, but the data is not encrypted. 3. If you choose AuthNoPriv, do the following: a. In the SNMP V3 Auth Proto field, choose MD5 or DES to specify the authentication mechanism. b. In the SNMP V3 Auth Pass field, enter the user authentication password. Valid entries are unquoted text strings with no spaces and a maximum of 130 characters. c. In the Confirm field, reenter the user authentication password. Table 5-12 CSS Primary Attributes Configuration Options (continued) Field Description 5-37 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices Step 4 (Optional) To update the IP address and/or password for the GSS on the ANM server only, click Update IP Address/Password. The Update IP Address/Password window appears. Note The password changes are for the ANM server only. The Password/Enable password on the device will not be changed. Enter new credentials in the Update IP Address/Password window using the information in Table 5-14. Step 5 Do one of the following: • Click OK to save any changes made to GSS server IP address or password to the ANM server. • Click Cancel. You return to the Primary Attributes Page. Step 6 Click Deploy Now to deploy this configuration save your entries to the gslb-configuration file. To exit this procedure without deploying your entries, choose another device in the device tree or in the object selector above the configuration pane. Table 5-13 GSS Primary Attributes Configuration Options Field Description Description Brief description for this device. Device Type Read-only field that has the device type, in this case GSS, in gray. IP Address Device IP address. Table 5-14 GSS Change IP Address and Password Options Field Description Old Primary IP Address Read-only field displaying the device IP address. New Primary IP Address IP address that you wish to have GSS associated with on the server. Update Available password update choices are as follows: • Both—Update both the password and enable passwords. • Enable Password Only—Update only the enable password. • Password Only—Update only the password. New Password New password. Confirm New Password New password that you reenter. New Enable Password New enable password. Confirm New Enable Password New enable password that you reenter. 5-38 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices Related Topics • Configuring Devices, page 5-34 • Importing ACE Appliances, page 5-21 Configuring Catalyst 6500 VSS 1440 Primary Attributes You can configure primary attributes for VSS devices. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the device you want to configure, then choose System > Primary Attributes. The Primary Attributes window appears with information about the chassis. Most of the information is read directly from the device during the import process and cannot be changed using the ANM interface. For example, a VSS-enabled checkbox will display as a read-only field. You can, however, add a description and configure the device for SNMPv2 or SNMPv3 access. Note For the ACE devices in VSS, the slot number is represented in the format switch number/slot number. Step 3 In the Description field, enter a brief description for the device. Step 4 To enable SNMPv2c access, do the following: a. Check the SNMPv2c Enabled checkbox. b. In the SNMP Trap Community string field, enter the SNMP community string. Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the All Devices table. Related Topics • Displaying Chassis Interfaces and Configuring High-Level Interface Attributes, page 5-42 • Displaying Modules by Chassis, page 5-79 • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes You can configure primary attributes for Catalyst 6500 series chassis and Cisco 7600 series routers. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the device that you want to configure, and choose System > Primary Attributes. 5-39 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices The Primary Attributes window appears. Most of the information is read directly from the device during the import process and cannot be changed using the ANM interface. However, you can add a description and configure the device for SNMPv2 or SNMPv3 access. Step 3 In the Description field, enter a brief description for the device. Step 4 To enable SNMPv2c access, do the following: a. Check the SNMPv2c Enabled checkbox. b. In the SNMP Trap Community string field, enter the SNMP community string. Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the All Devices table. Related Topics • Displaying Chassis Interfaces and Configuring High-Level Interface Attributes, page 5-42 • Displaying Modules by Chassis, page 5-79 • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 Configuring Catalyst 6500 Series Chassis, Catalyst 6500 Virtual Switching System 1440 Devices, and Cisco 7600 Series Routers Static Routes You can configure static routes for the Catalyst 6500 Series Chassis, Catalyst 6500 Virtual Switching System 1440 Devices, and Cisco 7600 Series Routers. Though interfaces can be shared across contexts, the ACE supports only static routes for virtual contexts. You can configure static routes for Catalyst 6500 series chassis, Catalyst 6500 Virtual Switching System (VSS) 1440 devices, and Cisco 7600 series routers. Note After a device static route has been created, you can modify only its administrative distance. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the device that you want to configure, and choose Network > Static Routes. The Static Routes table appears. Step 3 In the Static Routes table, click Add to configure a new static route for the device, or choose an existing static route, and click Edit to modify it. The Static Routes configuration window appears. Step 4 In the Destination Prefix field, enter the IP address for the route. The address that you specify for the static route is the address that is in the packet before entering the ACE and performing network address translation. Step 5 In the Destination Prefix Mask field, choose the subnet for the static route. Step 6 In the Next Hop field, enter the IP address of the gateway router for the route. 5-40 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices The gateway address must be on the same network as a VLAN interface for the device. Step 7 In the Admin Distance field, enter the administrative distance value of the route. The administrative distance is the first criterion that a router uses to determine which routing protocol to use if two protocols provide route information for the same destination. The administrative distance is a measure of the trustworthiness of the source of the routing information. A lower administrative distance value indicates that the protocol is more reliable. Valid entries are from 0 to 255, with lower numbers indicating greater reliability. For example, a static route has an administrative distance value of 1 while an unknown protocol has an administrative distance value of 255. Table 5-15 lists default distance values of the protocols that Cisco supports. Step 8 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Static Route table. • Click Cancel to exit the procedure without saving your entries and to return to the Static Route table. • Click Next to deploy your entries and to add another static route. Related Topics • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 • Displaying All Device VLANs, page 5-49 • Importing Network Devices into ANM, page 5-10 Table 5-15 Cisco Default Distance Value Table Route Source Administrative Distance Value Connected interface 0 Static route 1 Enhanced Interior Gateway Routing Protocol (EIGRP) summary route 5 External Border Gateway Protocol (BGP) 20 Internal EIGRP 90 IGRP 100 OSPF (Open Shortest Path First) 110 Intermediate System-to-Intermediate System (IS-IS) 115 Routing Information Protocol (RIP) 120 Exterior Gateway Protocol (EGP) 140 On-Demand Routing (ODR) 160 External EIGRP 170 Internal BGP 200 Unknown 255 5-41 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices Configuring VMware vCenter Server Primary Attributes You can configure the primary attributes for a selected VMware vCenter Server. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the VMware vCenter Server that you want to configure, and choose System > Primary Attributes. The Primary Attributes window appears. Step 3 In the Primary Attributes window, configure the VMware vCenter Server primary attributes as described in Table 5-16. Step 4 Click Deploy Now to deploy this configuration on the VMware vCenter Server and return to the All Devices table. Related Topics • Importing VMware vCenter Servers, page 5-24 Configuring Catalyst 6500 Series Chassis or Cisco 7600 Series Router Interfaces This section shows how to configure the interface attributes for the Catalyst 6500 series chassis or Cisco 7600 series router. This section includes the following topics: • Displaying Chassis Interfaces and Configuring High-Level Interface Attributes, page 5-42 • Configuring Access Ports, page 5-43 Table 5-16 VMware vCenter Server Primary Attributes Item Description Description Brief description for the VMware vCenter Server. Version VMware vCenter Server version number. IP Address IP address of the VMware vCenter Server. HTTPS Port Port number used by the VMware vCenter Server. ANM vCenter Plug-in Registration Status Current status of the ANM plug-in: • Registered • Not Registered For more information about ANM plug-in registration or to change the plug-in registration status, see the “Registering or Unregistering the ANM Plug-in” section on page B-5. ANM IP Address IP address of the ANM server. 5-42 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices • Configuring Trunk Ports, page 5-44 • Configuring Switch Virtual Interfaces, page 5-45 • Configuring Routed Ports, page 5-46 Displaying Chassis Interfaces and Configuring High-Level Interface Attributes You can display a complete list of interfaces on a selected Catalyst 6500 series chassis or Cisco 7600 series router. From this display, you can configure the following high-level attributes for a specified interface: interface description, operating mode, and administrative state. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the device, and choose Interfaces > Summary. The Interfaces table appears, listing all interfaces on the device and related information as follows: • Interface name • Description, if available • Configured state, such as Up or Down • Current operational state, if known • Mode of operation, such as Access, Routed, or Trunk • Interface hardware type Step 3 Choose the interface to configure, and click Edit. The configuration window appears. Step 4 Enter the following: a. In the Description field, enter a brief description of the interface. b. In the Administrative State field, choose Up or Down to indicate whether the port should be up or down. c. In the Mode field, choose the operational mode of the interface: Trunk, Access, or Routed. d. Click Apply to save your changes or Cancel to exit the procedure without saving your changes. The Interfaces table appears. Related Topics • Configuring Access Ports, page 5-43 • Configuring Trunk Ports, page 5-44 • Configuring Routed Ports, page 5-46 • Configuring Switch Virtual Interfaces, page 5-45 • Creating VLAN Groups, page 5-52 • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 5-43 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices Configuring Access Ports You can configure access port attributes for a selected device. An access port receives and sends traffic in native formats with no VLAN tagging. Traffic that arrives on an access port is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet (Inter-Switch Link [ISL] or 802.1Q tagged), the packet is dropped, and the source address is not learned. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the device that you want to configure an access port for, and choose Interfaces > Access Ports. The Interfaces table appears. Step 3 From the Interfaces table, choose the port that you want to configure, and click Edit. The Access Ports configuration window appears. Step 4 In the Description field, enter a description for the port. Valid entries are unquoted text strings with a maximum of 240 characters including spaces. Step 5 In the Administrative State field, choose Up or Down to indicate whether the port should be up or down. Step 6 In the Speed field, either specify the speed at which the interface is to operate or that the interface is to automatically negotiate its speed: • Auto—The interface is to automatically negotiate speed with the connected device. • 10 Mbps—The interface is to operate at 10 Mbps. • 100 Mbps—The interface is to operate at 100 Mbps. • 1000 Mbps—The interface is to operate at 1000 Mbps. Step 7 In the Duplex Mode field, specify whether the interface is to automatically negotiate its duplex mode or use full- or half-duplex mode: • Auto—The interface is to automatically negotiate duplex mode with the connected device. • Full—The interface is to operate in full-duplex mode. In this mode, two connected devices can send and receive traffic at the same time. • Half—The interface is to operate in half-duplex mode. In this mode, two connected devices can either send or receive traffic. Step 8 In the VLANs field, enter individual names for each VLAN to which the interface belongs. The allowable range is 1 to 4094. Step 9 Do one of the following: • Click Apply to save your entries and to return to the Interfaces table. • Click Cancel to exit the procedure without saving your entries and to return to the Interfaces table. Related Topics • Configuring Trunk Ports, page 5-44 • Configuring Switch Virtual Interfaces, page 5-45 5-44 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices • Configuring Routed Ports, page 5-46 • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 Configuring Trunk Ports You can configure trunk ports for a selected device. A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database. Two types of trunk ports are as follows: • In an Inter-Switch Link (ISL) trunk port, all received packets are expected to be encapsulated with an ISL header, and all transmitted packets are sent with an ISL header. Native (nontagged) frames received from an ISL trunk port are dropped. • An IEEE 802.1Q trunk port supports simultaneous tagged and untagged traffic. An 802.1Q trunk port is assigned a default port VLAN ID or native VLAN, and all untagged traffic travels on the native VLAN. All untagged traffic and tagged traffic with a NULL VLAN ID are assumed to belong to the native VLAN. A packet with a VLAN ID that is equal to the outgoing port native VLAN is sent untagged. All other traffic is sent with a VLAN tag. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the device that you want to configure, and choose Interfaces > Trunk Ports. The Interfaces table appears. Step 3 In the Interfaces table, choose the port that you want to configure, and click Edit. The Trunk Port configuration window appears. Step 4 Configure the port using the information in Table 5-17. Table 5-17 Trunk Port Configuration Attributes Field Description Description Description for the port. Valid entries are unquoted text strings with a maximum of 240 characters including spaces. Administrative State Up or Down to indicate whether the port should be up or down. Speed Speed at which the interface is to operate or that the interface is to automatically negotiate its speed: • Auto—The interface is to automatically negotiate speed with the connected device. • 10 Mbps—The interface is to operate at 10 Mbps. • 100 Mbps—The interface is to operate at 100 Mbps. • 1000 Mbps—The interface is to operate at 1000 Mbps. Duplex Mode Whether the interface is to automatically negotiate its duplex mode or use full-duplex or half-duplex mode: • Auto—The interface is to automatically negotiate duplex mode with the connected device. • Full—The interface is to operate in full-duplex mode. In this mode, two connected devices can send and receive traffic at the same time. • Half—The interface is to operate in half-duplex mode. In this mode, two connected devices can either send or receive traffic. 5-45 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices Step 5 Do one of the following: • Click Apply to save your entries and to return to the Interfaces table. • Click Cancel to exit the procedure without saving your entries and to return to the Interfaces table. Related Topics • Configuring Access Ports, page 5-43 • Configuring Switch Virtual Interfaces, page 5-45 • Configuring Routed Ports, page 5-46 • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 Configuring Switch Virtual Interfaces You can configure a switch virtual interface on a Multilayer Switch Feature Card. A VLAN defined on the Multilayer Switch Feature Card (MSFC) is called a switch virtual interface (SVI). If you assign the VLAN used for the SVI to an ACE, then the MSFC routes between the ACE and other Layer 3 VLANs. By default, only one SVI can exist between an MSFC and an ACE. However, for multiple contexts, you might need to configure multiple SVIs for unique VLANs on each context. Trunk Mode How the interface is to interact with neighboring interfaces: • Dynamic—The interface is to convert a link to a trunk link if the neighboring interface is set to trunk or desirable mode. • Dynamic Desirable—The interface is to actively attempt to convert a link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode. • Static—The interface is to enter permanent trunking mode and to negotiate converting a link into a trunk link. The interface becomes a trunk interface even if the neighboring interface does not change. Desired Encapsulation Type of encapsulation to be used on the trunk port: • Dot1Q—The interface is to use 802.1Q encapsulation. • Negotiate—The interface is to negotiate with the neighboring interface to use ISL (Inter-Switch Link) (preferred) or 802.1Q encapsulation, depending on the configuration and capabilities of the neighboring interface. • ISL—The interface is to use ISL encapsulation. Native VLAN VLAN to use as the native VLAN for the trunk in 802.1Q trunking mode. VLAN 1 (1) is the default native VLAN. VLANs VLANs to which the interface belongs (allowable range is 1-4094). You can also enter ranges of VLANs, such as 101-120, 130. Prune VLANs VLANs that can be pruned (allowable range is 1-4094). VTP pruning blocks unneeded flooded traffic to VLANs on trunk ports that are included in this field. Only VLANs included in this field can be pruned. You can also specify ranges of VLANs that can be pruned, such as 75, 121-250, 351. Table 5-17 Trunk Port Configuration Attributes (continued) Field Description 5-46 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the device that you want to configure, and choose Interfaces > Switched Virtual Interfaces. The Interfaces table appears. Step 3 In the Interfaces table, click Add to add a new SVI, or choose the interface you want to configure, and click Edit. The Switched Virtual Interfaces configuration window appears. Step 4 In the VLANs field, specify the VLAN to use in one of the following ways: • To specify a new VLAN, choose the first radio button, and then enter a new VLAN. • To choose an existing VLAN, choose the second radio button, and choose one of the existing VLANs. Note You cannot modify a VLAN for an existing SVI. Step 5 In the Description field, enter a description for the SVI. Valid entries are unquoted text strings with a maximum of 240 characters including spaces. Step 6 In the Administrative State field, choose Up or Down to indicate whether the SVI should be up or down. Step 7 In the IP Address field, enter the IP address to be used for the interface on the MSFC in dotted-decimal format. Step 8 In the Netmask field, choose the subnet mask to be used for the IP address. Step 9 Do one of the following: • Click Apply to save your entries and to return to the Interfaces table. • Click Cancel to exit the procedure without saving your entries and to return to the Interfaces table. Related Topics • Configuring Access Ports, page 5-43 • Configuring Trunk Ports, page 5-44 • Configuring Routed Ports, page 5-46 • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 Configuring Routed Ports You can configure routed ports on a specified device. A routed port is a physical port that acts like a port on a router; however, it does not have to be connected to a router. A routed port is not associated with a particular VLAN, as is an access port. A routed port behaves like a regular router interface, except that it does not support VLAN subinterfaces. Routed ports can be configured with a Layer 3 routing protocol. A routed port is a Layer 3 interface only and does not support Layer 2 protocols, such as Dynamic Trunking Protocol (DTP) and Spanning Tree Protocol (STP). 5-47 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the device that you want to configure, and choose Interfaces > Routed Ports. The Interfaces table appears. Step 3 In the Interfaces table, choose the interface that you want to configure, and click Edit. The Routed Ports configuration window appears. Step 4 In the Description field, enter a description for the interface. Valid entries are unquoted text strings with a maximum of 240 characters including spaces. Step 5 In the Administrative State field, choose Up or Down to indicate whether the interface should be up or down. Step 6 In the Speed field, either specify the speed at which the interface is to operate or that the interface is to automatically negotiate its speed: • Auto—The interface is to automatically negotiate speed with the connected device. • 10 Mbps—The interface is to operate at 10 Mbps. • 100 Mbps—The interface is to operate at 100 Mbps. • 1000 Mbps—The interface is to operate at 1000 Mbps. Step 7 In the Duplex Mode field, specify whether the interface is to automatically negotiate its duplex mode, or use full- or half-duplex mode: • Auto—The interface is to automatically negotiate duplex mode with the connected device. • Full—The interface is to operate in full-duplex mode. In this mode, two connected devices can send and receive traffic at the same time. • Half—The interface is to operate in half-duplex mode. In this mode, two connected devices can either send or receive traffic. Step 8 In the IP Address field, enter the IP address to be used for the interface in dotted-decimal format. Step 9 In the Netmask field, choose the subnet mask to be used for the IP address. Step 10 Do one of the following: • Click Apply to apply your entries and to return to the Interfaces table. • Click Cancel to exit the procedure without saving your entries and to return to the Interfaces table. Related Topics • Configuring Trunk Ports, page 5-44 • Configuring Switch Virtual Interfaces, page 5-45 • Configuring Access Ports, page 5-43 • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 5-48 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs You can add a VLANs and VLAN groups to a Catalyst 6500 series chassis or Cisco 7600 series router that you use when configuring the interfaces for an installed ACE module, which does not have any external physical interfaces. Instead, the ACE module uses internal VLAN interfaces. For information about configuring VLANs for use with virtual contexts, see the “Configuring Virtual Context VLAN Interfaces” section on page 12-6. For more information about VLANs and their use with ACE modules, see the Cisco Application Control Engine Module Routing and Bridging Configuration Guide. This section includes the following topics: • Adding Device VLANs, page 5-48 • Displaying All Device VLANs, page 5-49 • Configuring Device Layer 3 VLANs, page 5-51 • Configuring Device Layer 2 VLANs, page 5-50 • Displaying All Device VLANs, page 5-49 • Creating VLAN Groups, page 5-52 Adding Device VLANs You can add a VLAN to a Catalyst 6500 series chassis or Cisco 7600 series router. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the device that you want to configure, and choose VLANs > Layer 2 or VLANs > Layer 3. The VLANs table appears. Step 3 From the VLANs table, click Add. The VLAN configuration window appears. Step 4 Configure the VLAN using the information in Table 5-18. Table 5-18 Device VLAN Configuration Attributes Field Description VLAN Unique identifier for the VLAN. Valid entries are from 1 to 4094. Name Name for the VLAN. Description Description for the VLAN. Valid entries are unquoted text strings with a maximum of 240 characters including spaces. Access Ports Access ports. From the Available Items list, click Add.To remove a port that you do not want to use, choose the port from the Selected Items list, and click Remove. Trunk Ports Trunk ports. From the Available Items list, click Add.To remove a port that you do not want to use, choose the port from the Selected Items list, and click Remove. 5-49 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices Step 5 Do one of the following: • Click Apply to apply your entries and to return to the VLAN Management table. • Click Cancel to exit the procedure without saving your entries and to return to the VLAN Management table. Related Topics • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 • Configuring Device Layer 2 VLANs, page 5-50 • Configuring Device Layer 3 VLANs, page 5-51 • Displaying All Device VLANs, page 5-49 • Creating VLAN Groups, page 5-52 Displaying All Device VLANs You can display all configured VLANs on a Catalyst 6500 series chassis or Cisco 7600 series router. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the device with VLANs that you want to display, and choose VLANs > Summary. The VLANs table appears, listing all VLANs on the selected chassis and related information: • VLAN number • Name given to the VLAN • VLAN type, such as Layer 2 or Layer 3 • Number of access ports • Number of trunk ports VTP Domain Name of the VTP domain to which the VLAN belongs. A VTP domain is made up of one or more interconnected network devices that share the same VTP domain name. A network device can be configured to be in one and only one VTP domain. IP Address Field that appears for Layer 3 VLANs only. Enter the IP address to be used for the VLAN interface. Enter the IP address in dotted-decimal notation, such as 192.168.1.1. Mask Field that appears for Layer 3 VLANs only. Choose the subnet mask to apply to the IP address. Table 5-18 Device VLAN Configuration Attributes (continued) Field Description 5-50 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices • VLAN Trunking Protocol (VTP) domain to which the VLAN belongs Related Topics • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 • Configuring Device Layer 2 VLANs, page 5-50 • Configuring Device Layer 3 VLANs, page 5-51 • Displaying All Device VLANs, page 5-49 • Creating VLAN Groups, page 5-52 Configuring Device Layer 2 VLANs You can add or modify a Layer 2 VLAN on a Catalyst 6500 series chassis or Cisco 7600 series router. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the device that you want to configure a Layer 2 VLAN for, and choose VLANs > Layer 2. The VLANs table appears, listing all Layer 2 VLANs associated with the chassis. Step 3 Click Add to add a new VLAN, or choose an existing VLAN, and then click Edit to modify it. The VLAN configuration window appears. Step 4 Configure the VLAN using the information in Table 5-18. Step 5 Do one of the following: • Click Apply to apply your entries and to return to the VLAN Management table. • Click Cancel to exit the procedure without saving your entries and to return to the VLAN Management table. Related Topics • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 • Adding Device VLANs, page 5-48 • Configuring Device Layer 3 VLANs, page 5-51 • Displaying All Device VLANs, page 5-49 • Creating VLAN Groups, page 5-52 5-51 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices Configuring Device Layer 3 VLANs You can add or modify a Layer 3 VLAN on a Catalyst 6500 series chassis or Cisco 7600 series router. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the device that you want to configure a Layer 3 VLAN for, and choose VLANs > Layer 3. The VLANs table appears, listing all Layer 3 VLANs associated with the chassis. Step 3 In the VLANs table, click Add to add a new VLAN, or choose an existing VLAN, and click Edit to modify it. The VLAN configuration window appears. Step 4 Configure the VLAN using the information in Table 5-18. Step 5 Do one of the following: • Click Apply to apply your entries and to return to the VLAN Management table. • Click Cancel to exit the procedure without saving your entries and to return to the VLAN Management table. Related Topics • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 • Information About Virtual Contexts, page 6-2 Modifying Device VLANs You can modify VLANs for a specific device. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the device with the VLAN that you want to modify, and choose VLANs > Layer 2 or VLANs > Layer 3. The VLANs table appears. Step 3 Choose the VLAN you want to modify, and then click Edit. The VLAN configuration window appears. Step 4 Modify the VLAN configuration using the information in Table 5-18. Step 5 Do one of the following: • Click Apply to save your entries and to return to the VLANs table. 5-52 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring Devices • Click Cancel to exit the procedure without saving your entries and to return to the VLANs table. Related Topics • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 • Displaying All Device VLANs, page 5-49 • Adding Device VLANs, page 5-48 • Creating VLAN Groups, page 5-52 Creating VLAN Groups You can create VLAN groups on a Catalyst 6500 series chassis or Cisco 7600 series router and assign each group an ACE module. For an ACE module to receive traffic from the Catalyst supervisor module and VSS devices, you must create VLAN groups on the supervisor module, and then assign the groups to the ACE module. When the VLANs are configured on the supervisor module to the ACE module, you can configure the VLANs on the ACE module. You cannot assign the same VLAN to multiple groups; however, you can assign multiple groups to an ACE module. VLANs that you want to assign to multiple ACE modules, for example, can reside in a separate group from VLANs that are unique to each ACE module. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the device that you want to create a VLAN group for, and choose VLANs > Groups. The Groups table appears. Step 3 Click Add to add a new VLAN group, or choose an existing VLAN group, and click Edit to modify it. The Groups configuration window appears. Step 4 In the VLAN Group Id field, enter a unique numerical identifier for the VLAN group. Valid entries are unquoted number strings with any value between 1-65535. Available Module Slot numbers will appear underneath this field. Step 5 In the Module Slot Numbers field, select the ACE module(s) that you want to associate with the VLAN group. Step 6 Double click or the number, or single click the arrow to the right of the Available Modules field for the slot numbers to the Selected field. Step 7 In the VLANs field, enter the VLANs to be included in the VLAN group. Valid entries are individual names for each VLAN or ranges of VLANs (allowable range is 1-4094), such as 10, 50-110. Step 8 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Groups table. • Click Cancel to exit the procedure without saving your entries and to return to the Groups table. 5-53 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring ACE Module and Appliance Role-Based Access Controls • Click Next to deploy your entries and to add another VLAN group. Related Topics • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 • Configuring Device Layer 3 VLANs, page 5-51 • Configuring Device Layer 2 VLANs, page 5-50 • Displaying All Device VLANs, page 5-49 Configuring ACE Module and Appliance Role-Based Access Controls ANM provides an interface to allow you to configure device Role-Based Access Control (RBAC) on the device only. The RBAC feature applies to ACE modules and appliances only and is applicable only on the device and is not enforced by ANM. If you want to set up authorization in ANM, go to Admin > Role-Based Access Control. This section includes the following topics: • Configuring Device RBAC Users, page 5-53 • Configuring Device RBAC Roles, page 5-56 • Configuring Device RBAC Domains, page 5-61 Configuring Device RBAC Users ANM provides an interface that allows you to configure user access to your device through role-based access controls on the device only. This configuration is applicable only on the device and will not be enforced by ANM. Use the Role-Based Access Control feature to specify the people that are allowed to log onto a device. This section includes the following topics: • Guidelines for Managing Users, page 5-53 • Displaying a List of Device Users, page 5-54 • Configuring Device User Accounts, page 5-54 • Modifying Device User Accounts, page 5-55 • Deleting Device User Accounts, page 5-56 Guidelines for Managing Users Follow these guidelines for managing users: • For users that you create in the Admin context, the default scope of access is for the entire ACE. • If you do not assign a role to a new user, the default user role is Network-Monitor. For users that you create in other contexts, the default scope of access is the entire context. • Users cannot log in until they are associated with a domain and a user role. 5-54 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring ACE Module and Appliance Role-Based Access Controls • You cannot delete roles and domains that are associated with an existing user. Related Topics • Configuring Device RBAC Users, page 5-53 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 Displaying a List of Device Users You can display of list of users that can access an ACE context. Procedure Step 1 Choose Config > Devices > context > Role-Based Access Control > Users. The Users table appears with the following fields: • User Name • Expiry Date • Role • Domains Step 2 (Optional) You can use the options in this window to create a new user or modify or delete any existing user to which you have access (see Table 5-19). Related Topics • Configuring Device RBAC Users, page 5-53 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 Configuring Device User Accounts You can add or modify a user account in a selected ACE context. Note This configuration is applicable only on the device or building block and is not enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Device RBAC > Users. • To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Users. A list of users appears. Step 2 In the Users table, click Add to add a new user, or choose the user that you want to configure and click Edit. The Users configuration window appears. 5-55 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring ACE Module and Appliance Role-Based Access Controls Step 3 Configure the user attributes using the information in Table 5-19. Step 4 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The Users table appears. Related Topics • Configuring Device RBAC Users, page 5-53 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 Modifying Device User Accounts You can modify an existing user account in a selected ACE context. Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Device RBAC > Users. • To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Users. A table of users, expiration dates, roles, and domains appears. Step 2 Choose the user account that you want to modify. Step 3 Click Edit. Step 4 Modify any of the attributes in the table (see Table 5-19). Table 5-19 User Attributes Field Description User Name Name by which the user is to be identified (up to 24 characters). Only letters, numbers, and an underscore can be used. The field is case sensitive. Expiry Date Date that user account expires (optional). Password Entered As Password for this user account. You can choose Clear Text or Encrypted Text. Password Password for the user account. Confirm Password Password for this account that you reenter. Encryption Password in either clear or encrypted text. Role Role that you customize or accept as an existing role. To enter the Role for this user, see the “Configuring Device User Roles” section on page 5-58. See Table 5-20 for details about setting up new roles. Domains Domains to which this user belongs. Use the Add and Remove buttons. 5-56 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring ACE Module and Appliance Role-Based Access Controls Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The Users table appears. Related Topics • Configuring Device RBAC Users, page 5-53 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 Deleting Device User Accounts You can delete an existing device RBAC user account in a selected ACE context. Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Device RBAC > Users. • To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Users. A table of users, roles, and domains appears. Step 2 In the table, choose the user account to delete, and click Delete. A confirmation window appears. Step 3 In the confirmation window, do one of the following: • Click OK to remove the user account from the ANM database and return to the Users table. • Click Cancel to return to the Users table without deleting the user account. Related Topics • Configuring Device RBAC Users, page 5-53 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 Configuring Device RBAC Roles This section shows how to configure RBAC roles and includes the following topics: • Guidelines for Managing User Roles, page 5-57 • Role Mapping in Device RBAC, page 5-57 • Configuring Device User Roles, page 5-58 • Modifying Device User Roles, page 5-60 5-57 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring ACE Module and Appliance Role-Based Access Controls • Deleting Device User Roles, page 5-60 Guidelines for Managing User Roles Follow these guidelines to manage user roles: • Administrators can view and modify all roles. • Other users can view only the roles assigned to them. • You cannot change the default roles. • Role permissions are different based on whether they were created in either an Admin context or in a user context. If you want to allow users to switch between contexts, ensure that they have a predefined role. If you want to restrict a user to only their home context, assign them a customized user role. • Certain role features are available only to default roles, for example, an Admin role in the Admin context would have changeto and system permissions to perform tasks such as license management, resource class management, HA setup, and so on. User-created roles cannot use these features. Related Topics • Role Mapping in Device RBAC, page 5-57 • Controlling Access to Cisco ANM, page 18-3 • Configuring Device RBAC Users, page 5-53 • Configuring Device RBAC Roles, page 5-56 • Configuring Device RBAC Domains, page 5-61 • How ANM Handles Role-Based Access Control, page 18-8 Role Mapping in Device RBAC When you are logged into a specific device RBAC, you see the tasks that you have been given permission to access. Features and menus that are not applicable for your role will not display. Since the predefined roles encompass all the role types you may need, we encourage you to use them. If you choose to define your own roles, be aware that rules features are not a one-to-one mapping from a CLI feature to ANM menu task. Defining the proper rules for your user-defined role will require you to create a mapping between the features in Device RBAC and the ANM menu tasks. For example, in order to manage virtual servers, you must choose the following six menu features (Real Servers, Server Farms, VIP, Probes, Loadbalance, NAT, and Interface) in your role. Note Certain features in ANM do not have a corresponding feature mapping on the CLI. For example, class maps and SNMP do not have a corresponding feature mapping. To modify these features, you need to choose a predefined role that a contains at least one feature with the Modify permission on it. Related Topics • How ANM Handles Role-Based Access Control, page 18-8 • Understanding Roles, page 18-6 5-58 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring ACE Module and Appliance Role-Based Access Controls Configuring Device User Roles You can edit the predefined roles, or you can create or edit user-defined roles. When you create a new role, you specify a name and description of the new role, and then choose the operations privileges for each task. You can also assign this role to one or more users. Note This configuration is applicable only on the device or building block and will not be enforced by the ANM. To manipulate the ANM RBAC, go to Admin > Role-Based Access Control. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Device RBAC > Roles. • To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Roles. A table of the defined roles and their settings appears. Step 2 In the table, choose the type of configuration that you want to perform as follows: • To add a new role, click Add, enter the attributes described in Table 5-20, and then click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • To edit an existing role, choose the role, and click Edit. The Roles configuration window appears. Step 3 Click Edit. The Rule table appears. Step 4 In the Rule table, click Add to create rules for this role, or choose the rule that you want to configure, and click Edit. See Table 5-21 for rule attribute descriptions. Table 5-20 Role Attributes Attribute Description Name Name of the role. Description Brief description of the role. 5-59 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring ACE Module and Appliance Role-Based Access Controls Step 5 Click Deploy Now to update the rule for this role or click Next to deploy this rule and move to another rule. Step 6 Click Deploy Now to update this role and save this configuration to the running-configuration and startup-configuration files. Related Topics • Configuring Device RBAC Roles, page 5-56 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 Table 5-21 Rule Attributes Attribute Description Rule Number Number assigned to this rule. Permission Permit or deny the specified operation. Operation Create, debug, modify1 , and monitor the specified feature. 1. Certain features are not available for certain operations. For modify, the following features cannot be used: Changeto, config-copy, DHCP, Exec-commands, NAT, real-inservice, routing, and syslog. Feature AAA, Access List, Change To Context, Config Copy, Connection, DHCP, Exec-Commands, Fault Tolerant, Inspect, Interface, Load Balance, NAT, PKI, Probe, Real Inservice, Routing, Real Server, Server Farm, SSL2 , Sticky, Syslog, and VIP. The Changeto feature allows you to move from the Admin context to another virtual context and maintain the same role with the same privileges in the new context that you had in the Admin context. This feature applies only to the Admin context and to the following ACE software versions: • ACE module software Version A2(1.3) and later releases. • ACE appliance software Version A3(2.2) and later releases. The Exec-commands feature enables all default custom role commands in the ACE. The default custom role commands are capture, debug, gunzip, mkdir, move, rmkdir, tac-pac, untar, write, and undebug. This feature applies to both Admin and user contexts and to the following ACE software versions: • ACE module software Version A2(1.3) and later releases. • ACE appliance software Version A3(2.2) and later releases. 2. For all SSL-related operations, a user with a custom role should include the following two rules: A rule that includes the SSL feature, and a rule that includes the PKI feature. 5-60 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring ACE Module and Appliance Role-Based Access Controls Modifying Device User Roles You can modify any user-defined role. Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Device RBAC > Roles. • To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Roles. A table of the defined roles and their settings appears. Step 2 In the table, choose the role that you want to modify. Step 3 Click Edit. For details on updating role rules, see Table 5-21. Step 4 Make the changes. For details on updating role rules, see the “Adding, Editing, or Deleting Rules” section on page 5-61. Step 5 Click Deploy Now to update the rules for this role and save this configuration to the running-configuration and startup-configuration files. Related Topics • Configuring Device RBAC Roles, page 5-56 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 Deleting Device User Roles You can delete any user-defined roles. Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Device RBAC > Roles. • To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Roles. The Roles table appears. Step 2 In the Roles table, choose the role to delete, and click Delete. 5-61 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring ACE Module and Appliance Role-Based Access Controls Step 3 Click OK to confirm the deletion. Users that have the deleted role no longer have that access. Related Topics • Configuring Device RBAC Roles, page 5-56 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 Adding, Editing, or Deleting Rules You can change or delete rules to redefine what feature access a specific role contains. Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control. Procedure Step 1 After selecting the user-defined role, click Edit. The Rule window appears. Step 2 Do one of the following: • To create a new rule, click Add. Enter the rule information (see Table 5-21 on page 5-59), and then click Deploy Now to add the rule or Next to deploy this rule and add another rule. • To change an existing rule, choose a rule and click Edit. Click Deploy Now to save this rule to the running-configuration and startup-configuration files. • To remove rules from a role, choose the rules to remove, and click Delete. Click OK to confirm its deletion. Step 3 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. Related Topics • Configuring Device RBAC Roles, page 5-56 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 Configuring Device RBAC Domains You can configure device RBAC domains. This section includes the following topics: • Guidelines for Managing Domains, page 5-62 • Displaying Domains for a Device, page 5-62 • Configuring Device Domains, page 5-63 • Modifying Device Domains, page 5-65 5-62 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring ACE Module and Appliance Role-Based Access Controls • Deleting Device Domains, page 5-65 Related Topics • Information About Device Management, page 5-2 • How ANM Handles Role-Based Access Control, page 18-8 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 Guidelines for Managing Domains Follow these guidelines for managing domains: • Devices and their components must already be configured in order for them to be added to a domain. • Domains are logical concepts. You do not delete a member of a domain when you delete the domain. • The predefined default domain cannot be modified or deleted. • Normally, a user is associated with the default domain, which allows the user to see all configurations within the context. When a user is configured with a customized domain, then the user can see only what is in the domain. Related Topics • Configuring Device RBAC Domains, page 5-61 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 Displaying Domains for a Device You can display domains for a device. Note Your user role determines whether you can use this option. Procedure Step 1 Choose the item to view: • To view a domain for the device’s virtual context, choose Config > Devices > context > Device RBAC > Domains. • To view a domain for a configuration building block, choose Config > Global > Building Blocks > building block > Role-Based Access Control > Domains. The Domains table appears. Step 2 Expand the Domains table until you can see all the network domains. Step 3 Choose a domain to display the settings for that domain. You can also perform these tasks from this window: • Configuring Device Domains, page 5-63 • Modifying Device Domains, page 5-65 • Deleting Device Domains, page 5-65 5-63 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring ACE Module and Appliance Role-Based Access Controls Related Topics • Configuring Device RBAC Domains, page 5-61 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 Configuring Device Domains You can add or modify domains on a selected device, such as a Catalyst 6500 series chassis. Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Device RBAC > Domains. • To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Domains. The Domains table appears. Step 2 In the Domains table, choose the type of configuration that you want to perform: • To add a new domain, click Add, enter the Domain Name, and then click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • To edit a domain, choose the domain that you want to configure, and then click Edit. The Domain Object field appears below the Domain Name in the content area. Step 3 Click Edit to enter the Domain Object table. 5-64 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring ACE Module and Appliance Role-Based Access Controls Step 4 In the Domain Object table, choose the type of configuration that you want to perform: • Click Add to create domain objects for this domain. See Table 5-22 for Domain Object attributes. • To remove an object, choose the object that you want to remove, and then click Delete. Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The Domains Edit window updates and displays the total object number next to the object name. Related Topics • Configuring Device RBAC Domains, page 5-61 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 Table 5-22 Domain Attributes Field Description Name Field that appears when any specific object type is selected. Name of an existing object defined. All Objects Collection of objects in this domain. The following options may be available depending on your virtual context: • All • Access List EtherType • Access List Extended • Class Map • Interface VLAN • Interface BVI • Parameter Map • Policy Map • Probe • Real Server • Script • Server Farm • Sticky 5-65 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Configuring ACE Module and Appliance Role-Based Access Controls Modifying Device Domains You can change the settings in a domain. Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Device RBAC > Domains. • To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Domains. Step 2 Choose the domain that you want to edit. Step 3 Click Edit. The Edit Domain window appears. Step 4 Edit the object fields (see Table 5-22). Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. Related Topics • Configuring Device RBAC Domains, page 5-61 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 Deleting Device Domains You can delete a network domain from ANM, and all the devices and subdomains that it contains. Note This configuration is applicable only on the device or building block and will not be enforced by ANM. To manipulate ANM RBAC, go to Admin > Role-Based Access Control. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Device RBAC > Domains. • To configure a configuration building block, choose Config > Global > Building Blocks > building_block > Role-Based Access Control > Domains. The Domains table appears. Step 2 In the Domains table, choose the domain that you want to delete. Step 3 Click Delete. A prompt asks you to confirm this action. 5-66 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices Step 4 Click OK. The domain is removed from the ANM database. Related Topics • Configuring Device RBAC Domains, page 5-61 • Configuring ACE Module and Appliance Role-Based Access Controls, page 5-53 Managing Devices This section describes how to manage devices. This section includes the following topics: • Synchronizing Device Configurations, page 5-66 • Mapping Real Servers to VMware Virtual Machines, page 5-68 • Instructing ANM to Recognize an ACE Module Software Upgrade, page 5-71 • Configuring User-Defined Groups, page 5-72 • Changing Device Credentials, page 5-75 • Changing ACE Module Passwords, page 5-77 • Restarting Device Polling, page 5-78 • Displaying All Devices, page 5-78 • Displaying Modules by Chassis, page 5-79 • Removing Modules from the ANM Database, page 5-80 Synchronizing Device Configurations ANM provides three levels of synchronization. You can choose to synchronize from the device to ANM as follows: • From the chassis level—Use this level when you want to synchronize Catalyst 6500 series chassis and module updates. See the “Synchronizing Chassis Configurations” section on page 5-67. • From the ACE module level—Use this level when you want to synchronize changes to your ACE or CSM modules, such as new virtual contexts. See the “Synchronizing Module Configurations” section on page 5-67. • From the virtual context level —Use this level in the Admin context to synchronize all current and new virtual contexts or at the user context level to synchronize a specific user context. See the “Synchronizing Virtual Context Configurations” section on page 6-105. Caution If you see a difference in device information between what ANM displays and what you see by directly accessing the device through the CLI, ANM displays the data that is the least accurate. This condition can occur when the device is modified outside of ANM by using the CLI. We recommend that you synchronize the network devices up to the ANM using the synchronization option, which makes the ANM data more accurate. 5-67 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices Synchronizing Chassis Configurations You can manually synchronize the configuration for Catalyst 6500 series switches, CSS devices, GSS devices and ACE appliances when there have been changes to a device that are not tracked in ANM. Note ANM does not support auto synchronization for the Catalyst 6500 series switches, Cisco 7600 series routers, CSM, CSS, GSS, or VSS devices. Be sure to synchronize configurations on these devices after import, and whenever their configurations have been modified through the CLI. The following require synchronization: • Upgrading chassis hardware or software • Adding new modules to the chassis • Removing a module from a chassis • Rearranging modules within the chassis • Upgrading module software • Changing the chassis configuration using the CLI instead of the ANM Procedure Step 1 Choose Config > Devices > All Devices. The All Devices table appears. Step 2 In the All Devices table, choose the device with the configuration that you want to synchronize, and click CLI Sync. A popup confirmation window appears asking you to confirm the synchronization. Step 3 In the confirmation window, click OK to synchronize the configuration or Cancel to cancel the synchronization. ANM displays the status while synchronization is in progress and returns to the All Devices table when synchronization is complete. Related Topics • Configuring Devices, page 5-34 • Synchronizing Module Configurations, page 5-67 • Restarting Device Polling, page 5-78 Synchronizing Module Configurations You can synchronize configurations for ACE modules or CSM modules when changes are made that have not been tracked in ANM. The following module changes require synchronization: • Upgrading module software • Changing the module configuration using the CLI instead of the ANM 5-68 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices Procedure Step 1 Choose Config > Devices > All Devices. The All Devices table appears. Step 2 In the All Devices table, choose the chassis that contains the module with the configuration that you want to synchronize, and click Modules. The Modules table appears. Step 3 In the Modules table, choose the module with the configuration you want to synchronize, and click Sync. A popup confirmation window appears asking you to confirm the synchronization. Step 4 In the confirmation window, click OK to synchronize the configuration or Cancel to cancel the synchronization. ANM displays the status while synchronization is in progress and returns to the Modules table when synchronization is complete. Related Topics • Configuring Devices, page 5-34 • Managing Devices, page 5-66 • Synchronizing Device Configurations, page 5-66 Mapping Real Servers to VMware Virtual Machines This section describes how ANM maps ACE, CSS, CSM, or CSM-S real servers to VMware vCenter Server VMs when you integrate ANM with a VMware virtual data center. This section also shows how you can display and manage the mappings associated with a VMware vCenter Server. Note To map a real server to a VM, the real server must be associated with a server farm (see the “Configuring Server Farms” section on page 8-30). ANM uses the following methods to map a real server to a VM: • IP Match—ANM matching the real server IP addresses to the VM IP address. This is the default mapping method that ANM uses and requires the following items: – Before you import a VMware vCenter Server into ANM along with its associated VMs, configure a real server in ANM for each VM about to be imported with the vCenter Server. Configure each real server with the IP address of a VM. For more information, see the “Configuring Real Servers” section on page 8-5 and the “Importing VMware vCenter Servers” section on page 5-24. – ANM must be able to determine the IP address of a VM, which is accomplished by installing VMware Tools on the guest operating system (OS) of the VM. • Name Match—ANM matches the real server name to the VM name. This is the backup mapping method that ANM uses if it cannot match any IP address for the VM. This method requires consistent use of the device names throughout the network. 5-69 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices Note For the CSM and CSM-S, the VM name must be in uppercase because the CSM and CSM-S real server names are always in upper case and the mapping is case sensitive though the CSM and CSM-S is case insensitive. From vSphere Client, you can change a VM name to uppercase by right-clicking on the VM in the VM tree and choosing Rename. • Override—You specify the real server-to-VM mapping. • Ignore—ANM ignores any mapping method. ANM can detect when VMs are added or deleted to a VMware vCenter Server by listening to the server events or by polling the server. When a new VM is detected, ANM uses the IP match method to try and match the new VM with a real server. Prerequisites This topic includes the following prerequisites: • Import the VMware vCenter Server into ANM (see the “Importing VMware vCenter Servers” section on page 5-24). • Register the ANM plug-in with the VMware vCenter Servers that you want to view and manage. Procedure Step 1 Choose Config > Devices > All Devices. The All Devices table appears. Step 2 In the All Devices table, choose the VMware vCenter Server that contains the VMs that you want to display and map. The Primary Attribute table appears. Step 3 Click VM Mappings. The VM Mappings table appears. Table 5-3 describes the information that displays in the VM Mappings table. Table 5-23 VM Mappings Table Item Description VM Name Name of the VM associated with the selected VMware vCenter Server. IP Address(es) IP address of the VM. Full Path Path of the VM on the VMware vCenter Server. Rule Currently Applied Mapping rule applied: IP Match, Name Match, Override, or Ignore. This field is blank if ANM is unable to find a real server match for the VM. You can manually map a real server to the VM using the Edit Mapping feature (see Step 5). 5-70 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices Note If the VM Mappings window does not display or a VM name contains hex values rather than certain special characters, these conditions indicate that VM names associated with a vCenter Server that you imported in to ANM contain special characters that ANM does not recognize. For example, a VM name that contains a double quote (“) prevents ANM from displaying the VM Mappings window. If a VM name contains a percent sign (%), backslash (\), or forward slash (/), ANM displays the VM name in the VM Mappings window; however, these special characters display as hex values (%25 for %, %5c for \, and %2f for /). To correct these issues, remove the special characters from the VM names and then manually perform a CLI synchronization (see Step 4). Step 4 (Optional) To update the displayed real server to VM mapping information, manually perform a CLI synchronization with the vCenter Server as follows: a. Choose Config > Devices > All Devices. The All Devices table appears. b. From the All Devices table, click the radio button associated with the desired vCenter Server. c. Click CLI Sync. Note You must perform this step to update the display if you import a Cisco device after you import an associated vCenter Server. Step 5 (Optional) To change the mapping rule applied to a VM, in the VM Mappings window, check the checkbox next to the VM names to edit and click Edit Mappings. The VM Mappings edit window appears, providing a list of the selected VMs and the mapping rule options. Step 6 From the VM Mappings edit window, choose one of the following options from the Mapping Rule drop-down list: • IP Match—Map the VMs to ACE real servers based on matching IP addresses. Skip to Step 8. • Name Match—Map the VMs to ACE real servers based on matching device names. Skip to Step 8. • Ignore—Ignore any mapping rule and do not map the VM to an ACE real server. Skip to Step 8. ACE Real Server(s) ACE real server that the VM maps to on ANM. Note the following: • This field is blank if ANM is unable to find a real server match for the VM. You can manually map a real server to the VM using the Edit Mapping feature (see Step 5). • If the VM has been deleted in the vCenter Server but ANM still has the mapping, a delete icon (red circle with an “x”) appears at the end of the real server ID. Click the icon to remove the mapping from the table. Last Updated Time Timestamp when the mapping information was obtained. Table 5-23 VM Mappings Table (continued) Item Description 5-71 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices • Override—Map the VMs the specified ACE real servers. This option is available only when you have one VM selected from the All Devices table (see Step 2). When you choose Override, ANM displays the Select Real Server(s) table of available ACE real servers that includes the device information, real server name, IP address, port number, and server farm to which the real server belongs. Step 7 If you chose the Override mapping rule, do one or both of the following: • Check the checkbox next to the real servers to map the selected real servers to the VM. To select all of the available real servers, check the Device checkbox located at the top of the table. • Click Add to add a new real server. The Add a Real Server popup window appears. Define the new real server as described in Table 5-24 and click Deploy Now. Step 8 In the VM Mappings window, click OK to save the new mapping rule or Cancel to cancel the change. Related Topics • Configuring Real Servers, page 8-5 • Importing VMware vCenter Servers, page 5-24 • Configuring VMware vCenter Server Primary Attributes, page 5-41 Instructing ANM to Recognize an ACE Module Software Upgrade When you upgrade the software of an ACE module that has been imported to the ANM database, perform the procedure outlined in this section to enable ANM to recognize the updated release and display features and functions in the ANM GUI that are appropriate for the ACE module software upgrade. For example, if an imported ACE module contains software Version A2(2.1), and you wish to upgrade to software Version A2(3.0) to take advantage of features such as backup and restore, you must perform the steps outlined below to instruct ANM to recognize the upgraded ACE module software version and Table 5-24 Adding a Real Server for VM Mapping Item Description Real Server Name Unique name for this server or accept the automatically incremented value in this field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. Real Server IP Address Unique IP address in dotted-decimal format (such as 192.168.11.1). The IP address cannot be an existing virtual IP address (VIP). Real Server Port Port used for communication with the real server. Real Server Weight Weight to be assigned to this real server in a server farm. Valid entries are from 1 to 100, and the default is 8. Real Server State State of the real server when deployed: • In Service—The real server is in service. • Out Of Service—The real server is out of service. ACE Virtual Context Virtual context that is associated with the real server. Serverfarm Server farm to which the real server belongs. Virtual Servers Virtual server that is associated with the real server. 5-72 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices display the features and functions associated with this release. If you do not instruct ANM to recognize an ACE module software upgrade, the ACE module import will occur without issue but the new features and functions associated a specific ACE module software release will not appear in the ANM GUI. Procedure Step 1 After you upgrade an ACE module software image, perform a CLI sync on the module’s host device (see the “Synchronizing Chassis Configurations” section on page 5-67). Step 2 After you complete the CLI sync, whenever ANM detects an upgrade on an imported ACE module, ANM issues a warning to instruct you to perform a CLI sync on the ACE module to recognize the upgrade. Perform the procedure described in the “Synchronizing Module Configurations” section on page 5-67. The ACE software upgrade sequence is completed. Configuring User-Defined Groups You can create logical groupings of virtual contexts or chassis for ease of management. These logical groups are known as user-defined groups and appear in the device tree (Config > Devices) in the folder named Groups for quick access. Users can create their own groups, add and remove members, and assign group names that suit their environment and are meaningful to them. This section includes the following topics: • Adding a User-Defined Group, page 5-72 • Modifying a User-Defined Group, page 5-73 • Duplicating a User-Defined Group, page 5-74 • Deleting a User-Defined Group, page 5-75 Note Device groups continue to display device information even after you remove that device from ANM, which allows the device group information to be easily reassociated if you reimport the device. The device name must remain the same. Adding a User-Defined Group You can add a user-defined group. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose Groups. The Groups table appears. Step 3 Click Add to add a new group, or choose an existing group, and click Edit to modify it. 5-73 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices The Group configuration window appears. Step 4 In the Name field of the Group configuration window, enter a unique name for this group. Valid entries are unquoted text strings with no spaces and a maximum of 26 alphanumeric characters. The window identifies the objects by type and provides a search field for each: • Virtual Context Members • Device Members • Module Members • CSM Members Step 5 To add objects to the group, for each object type, choose the object in the Available Items list, and click Add. The selected objects appear in the Selected Items list. To remove objects that you do not want to include, choose the objects in the Selected Items list, and click Remove. The items then appear in the Available Items list. To search for specific objects, enter a search string that contains the object name or part of the object name in the Search field, and then click Search. The Available Items list refreshes with the objects that meet the search criteria. Step 6 In the Description field, enter a description for this group. Step 7 Do one of the following: • Click Save to accept your entries and to return to the Groups table. • Click Cancel to exit this procedure without saving your entries and to return to the Groups table. Related Topics • Configuring User-Defined Groups, page 5-72 • Modifying a User-Defined Group, page 5-73 • Duplicating a User-Defined Group, page 5-74 • Deleting a User-Defined Group, page 5-75 Modifying a User-Defined Group You can change the members or the description of a user-defined group. You cannot change the name of an existing user-defined group. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, click Groups. The Groups table appears. Step 3 In the Groups table, choose the group that you want to modify, and click Edit. The Group configuration window appears. 5-74 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices Step 4 In each Members field of the Group configuration window, add or remove group members as follows: • Choose the items that you want to add to this group in the Available Items list, and click Add. • Choose the items that you want to remove from this group in the Selected Items list, and click Remove. Step 5 In the Description field, modify the description as needed. Step 6 Do one of the following: • Click Save to accept your entries and to return to the Groups table. • Click Cancel to exit this procedure without saving your entries and to return to the Groups table. Related Topics • Configuring User-Defined Groups, page 5-72 • Adding a User-Defined Group, page 5-72 • Duplicating a User-Defined Group, page 5-74 • Deleting a User-Defined Group, page 5-75 Duplicating a User-Defined Group You can duplicate a user-defined group. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, click Groups. The Groups table appears. Step 3 In the Groups table, choose the user-defined group that you want to duplicate, and click Duplicate. A popup window appears asking you to enter a new name. Step 4 In the popup window, type the new group name, and click OK. The Groups table refreshes and the duplicated group name appears in the list. Related Topics • Configuring User-Defined Groups, page 5-72 • Adding a User-Defined Group, page 5-72 • Modifying a User-Defined Group, page 5-73 • Deleting a User-Defined Group, page 5-75 5-75 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices Deleting a User-Defined Group You can delete a user-defined group. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, click Groups. The Groups table appears. Step 3 In the Groups table, choose the user-defined group that you want to remove, and click Delete. A popup confirmation window appears asking you to confirm the deletion. Step 4 In the popup confirmation window, do one of the following: • Click OK to delete the selected user-defined group. The Groups table refreshes and the deleted group no longer appears. • Click Cancel to exit this procedure without deleting the group. The Groups table refreshes. Related Topics • Configuring User-Defined Groups, page 5-72 • Adding a User-Defined Group, page 5-72 • Modifying a User-Defined Group, page 5-73 • Duplicating a User-Defined Group, page 5-74 Changing Device Credentials You can change the credentials associated with a device managed by ANM. Each device that you import into ANM has a device username and password associated with it that ANM uses to access the device. Some device types, such as the GSS, also have a device enable password associated with them. From ANM, you can change the device credentials in the ANM database to match a change made to the credentials on a device using the CLI. This feature allows you to change the device credentials without having to rediscover or reimport the device. This procedure applies to the following device types that have been imported into ANM: • ACE appliance • Global Site Selector (GSS) • Content Services Switch (CSS) • Catalyst 6500 Virtual Switching System (VSS) 1440 • Catalyst 6500 series switch • Cisco 7600 series router • VMware vCenter Server 5-76 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices Note To change the credentials of an ACE module, see the “Changing ACE Module Passwords” section on page 5-77. Guidelines and Restrictions This topic includes the following guidelines and restrictions: • You can change a device username, password, or both. • We recommend changing the device credentials on the device before changing the credentials on ANM. Caution To maintain communication between ANM and the device, it is important that whatever device credential change you make on the device, you make the same change on ANM. Procedure Step 1 Choose Config > Devices > All Devices. The All Devices table appears. Step 2 In the All Devices table, choose the device with the passwords that you want to update in ANM, and click Update Credentials. The Update Credentials popup window appears. Step 3 From the popup window, update the device credential using the information in Table 5-25. Note All credential fields are mandatory, so even if you are updating the device password only, you must enter the current device username. Step 4 Do one of the following: • Click OK to save your changes to ANM. Do the following: a. If you have not already made a similar change to the device credentials on the device, use the device CLI to make the changes now. b. Perform a CLI synchronization to test communications between ANM and the device with the new credentials (see the “Synchronizing Device Configurations” section on page 5-66). Table 5-25 Update Device Credentials Field Description Username Existing or new device username. New Password Existing or new device password. Confirm New Password Confirmation of the device password. New Enable Password1 1. GSS and Catalyst 6500 series switch only. Existing or new device enable password. Confirm Enable Password1 Confirmation of the device enable password. 5-77 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices • Click Cancel to ignore any changes that you made and close the popup window. Related Topics • Configuring Devices, page 5-34 • Managing Devices, page 5-66 • Changing ACE Module Passwords, page 5-77 Changing ACE Module Passwords You can change the ACE module username and password. All ACE modules shipped from Cisco are configured with the same administrative username and password. Because changing the module credentials can compromise network security, we recommend that you change the username and passwords after you import the module into the ANM database. Note This functionality is available only in Admin contexts. Before You Begin Import the ACE module into ANM and ensure that it is operational (see the “Importing ACE Modules after the Host Chassis has been Imported” section on page 5-16). Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 In the device tree, choose the chassis device containing the ACE module with the password that you want to change. The Primary Attributes window appears. Step 3 From the side menu, choose System > Module/Slots. The Modules table appears. Step 4 In the Modules table, choose the module with the password that you want to change and click Update Credentials. The Modules configuration window appears. Step 5 In the Card Slot field, confirm that the correct module is selected. Step 6 In the Card Type field, confirm that the correct version appears. Step 7 In the Module Has Been Imported Into ANM field, confirm that the checkbox is checked to indicate that the module has been imported. This is a read-only field. Step 8 From the Operation To Perform drop-down list, choose Update Credentials. Step 9 In the User Name field, enter the existing module username or enter a new username. Step 10 In the New Password field, enter the existing device password or enter a new password. Valid passwords are unquoted text strings with a maximum of 64 characters. Step 11 In the Confirm field, verify the password that you entered in the New Password field. 5-78 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices Step 12 Do one of the following: • Click OK to save your changes to ANM. Do the following: a. If you have not already made a similar change to the device credentials on the device, use the device CLI to make the changes now. b. Perform a CLI synchronization to test communications between ANM and the device with the new credentials (see the “Synchronizing Device Configurations” section on page 5-66). • Click Cancel to exit the procedure without saving your entries and to return to the Modules table. Related Topics • Importing ACE Modules after the Host Chassis has been Imported, page 5-16 • Configuring Devices, page 5-34 • Managing Devices, page 5-66 • Changing Device Credentials, page 5-75 Restarting Device Polling You can restart monitoring on a device that has stopped or failed to start. Procedure Step 1 Choose Config > Devices > All Devices. The All Devices table appears. Step 2 In the All Devices table, choose the device whose monitoring has stopped or failed, and click Restart Polling. The All Devices table refreshes with updated polling status. For a description of the various polling status variables, see Table 5-26 on page 5-79. If ANM cannot monitor the selected device, it displays an error message stating the reason. Related Topics • Configuring Devices, page 5-34 Displaying All Devices You can display all devices that have been imported into the ANM database. Procedure Step 1 Choose Config > Devices. The device tree appears. 5-79 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices Step 2 In the device tree, choose All Devices. The All Devices table displays information for the devices being managed by the ANM (see Table 5-26). Related Topics • Importing Network Devices into ANM, page 5-10 • Configuring Catalyst 6500 Series Chassis and Cisco 7600 Series Router Primary Attributes, page 5-38 • Displaying Chassis Interfaces and Configuring High-Level Interface Attributes, page 5-42 Displaying Modules by Chassis You can display all modules on a specific chassis. Procedure Step 1 Choose Config > Devices > All Devices. The All Devices table appears. Table 5-26 All Devices Table Attributes Field Description Name Name assigned to the device. Type Type of the device, such as Chassis, ACE 4710, or CSS. Version Version of the software running on the device, if available. IP Address Device IP address. Polling Status Current polling status of the device: • Missing SNMP Credentials—SNMP credentials are not configured for this device; therefore, statistics are not collected. Add SNMPv2C credentials to fix this error. • Not Polled—SNMP polling has not started. Add SNMP V2C credentials to fix this error. • Monitoring Not Supported—This status appears at the device level only and applies to Catalyst 6500 series chassis, Cisco 7600 series routers, and ACE appliances. • Polling Failed—SNMP polling failed due to some internal error. Try enabling the SNMP collection again. • Polling Started—No action is required; everything is working properly. Polling states will display the activity. • Polling Timed Out—SNMP polling has timed out. This situation might occur if the wrong credentials were configured or an internal error exists, such as the SNMP protocol is configured incorrectly or the destination is not reachable. Verify that SNMP credentials are correct. If the problem persists, enable SNMP collection again. • Unknown—SNMP polling is not working due to one of the above-mentioned conditions. Check the SNMPv2C credential configuration. 5-80 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices Step 2 In the All Devices table, choose the chassis containing the modules that you want to view, and click Modules. The Modules table appears, listing all modules on that chassis with the following information: • Slot number • Service module model • Module type, such as Cisco Content Switching Module (CSM), ACE module and version, or other modules, such as supervisor modules • Serial number • Module operational state, such as Up, Powered Off, or Not Imported • Version of software the module is running • Brief description • For ACE modules, the number of virtual contexts configured on the module • For VSS devices, a Virtual Switch number column indicating the switch, slot, and port number. For example, command interface 1/5/4 specifies port 4 of the switching module in slot 5 of switch 1. Depending on the type of module selected, such as CSM or ACE modules, the following options are available from this window: • Import—Imports a CSM or ACE module that resides in the selected chassis but has not been imported into the ANM database. For more information, see the “Importing ACE Modules after the Host Chassis has been Imported” section on page 5-16 or the “Importing CSM Devices after the Host Chassis has been Imported” section on page 5-19. • Change Card Password—Changes the administrative password on an ACE module that has been imported into the ANM database. For more information, see the “Changing ACE Module Passwords” section on page 5-77. • Do Not Manage—Removes a selected ACE module from the ANM database. For more information, see the “Removing Modules from the ANM Database” section on page 5-80. Step 3 (Optional) To display the modules of another chassis, choose another chassis in the device tree or use the chassis selector field at the top of the window. Related Topics • Importing ACE Modules after the Host Chassis has been Imported, page 5-16 • Importing CSM Devices after the Host Chassis has been Imported, page 5-19 • Displaying Chassis Interfaces and Configuring High-Level Interface Attributes, page 5-42 • Managing Catalyst 6500 Series Chassis or Cisco 7600 Series Router VLANs, page 5-48 Removing Modules from the ANM Database You can remove a module from the ANM database. Note If you physically replace an ACE module in a chassis, you need to synchronize the chassis in the ANM. See the “Synchronizing Chassis Configurations” section on page 5-67 for more information. 5-81 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Managing Devices Procedure Step 1 Choose Config > Devices > All Devices. The All Devices table appears. Step 2 In the All Devices table, choose the device containing the module that you want to remove, and click Modules. The Modules table appears. Step 3 In the Modules table, choose the module that you want to remove from ANM management, and click Do Not Manage. The Modules configuration window appears. Step 4 In the Modules configuration window, confirm the information in the following fields: • Card Slot • Card Type • Module Has Been Imported Into ANM Step 5 In the Operation To Perform field, choose Do Not Manage. Step 6 Do one of the following: • Click OK to confirm removal of the module. The Modules table refreshes and the removed module appears with the state Not Imported. You can import the module again when desired (see the “Importing ACE Modules after the Host Chassis has been Imported” section on page 5-16). • Click Cancel to exit the procedure without removing the ACE module and to return to the Modules table. Related Topics • Importing Network Devices into ANM, page 5-10 • Changing ACE Module Passwords, page 5-77 5-82 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Replacing an ACE Module Managed by ANM Replacing an ACE Module Managed by ANM This section describes the process that you must follow when replacing an ACE module that is currently managed by ANM.You may need to replace an ACE module to perform a hardware upgrade or replace a device associated with a Return Materials Authorization (RMA). The procedures in this section show how to replace an ACE module using either the preferred method, which uses the ANM GUI, or the alternate method, which uses a combination of the ACE CLI and the ANM GUI. Guidelines and Restrictions This topic includes the following guidelines and restrictions: • The replacement process includes creating a backup of the ACE module being removed and installing the backup on the replacement module. The final step is to run a script that maps the domain attributes that were mapped to the old ACE module serial number to the new module serial number. These domain attributes include items such as real servers, virtual servers, user groups, custom groups, mobile favorites, and so forth. Caution When replacing your ACE module, it is important that you complete the entire replacement procedure before attempting to edit the properties of any domain. Editing the domains before running the script that remaps existing domain attributes to the new ACE module serial number can result in the attributes being removed. • If you currently use an ACE10 or ACE20 module, you must upgrade to the ACE30 module with ACE software Version A5(1.0) to use the new features associated with the A5(1.0) release in ANM 5.1. For more information about a module upgrade, see the Cisco Application Control Engine (ACE30) Module Installation Note. Caution When replacing an ACE module that is part of a redundant pair providing high availability, be sure that the ACE module being replaced is operating in the standby state and not in the active state. Replacing an active redundant ACE module is a service-affecting operation. The state information is displayed in the HA State and HA Autosync fields when you choose Config > Devices > virtual_context. Force a switchover if needed to place the ACE module in the standby state before you replace it. Prerequisites To perform the procedures in this section, you need a copy of the Cisco Application Control Engine (ACE30) Module Installation Note which you can obtain on Cisco.com. This section includes the following topics: • Using the Preferred Method to Replace an ACE Module, page 5-82 • Using the Alternate Method to Replace an ACE Module, page 5-84 Using the Preferred Method to Replace an ACE Module You can replace an ACE module currently managed by ANM by using the ANM GUI-based method. 5-83 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Replacing an ACE Module Managed by ANM Note For details about any of the ANM GUI functions discussed in the following procedure, click Help to display the context-sensitive help associated with the current GUI window. Procedure Step 1 From the ANM GUI, create a backup the ACE module that you are replacing using one of the following methods: • Choose Config > Devices > context > System > Backup / Restore. The Backup/Restore window appears. • Choose Config > Global > All Backups. The Backup window appears. Note The Backup/Restore feature requires ACE module software Version A2(3.0) or later. Save or copy the backup to a network location. Step 2 Record the module serial number of the ACE module being replaced, which you will need in Step 11. To obtain the module serial number, choose Config > Devices > All Devices, click the chassis that contains the module being replaced, and click Modules. Step 3 From the Cisco IOS host chassis, remove the ACE module that you want to replace (see the Cisco Application Control Engine (ACE30) Module Installation Note). Step 4 From the ANM GUI, perform a CLI synchronization with the Cisco IOS host chassis. Note When you perform the CLI synchronization, all the threshold groups associated with the removed ACE module are deleted. Do the following: a. Choose Config > Devices > All Devices. The Device Management window appears. b. From the Device Management window, click the radio button associated with the host chassis. c. Click CLI Sync. A message similar to the following appears: Warning: The module has been removed: serial#=SAL1413E2YK Step 5 From the Cisco IOS host chassis, insert the replacement (new) ACE module into the chassis (see the Cisco Application Control Engine (ACE30) Module Installation Note). Step 6 Using the CLI, verify that the software on the replacement ACE is equal to or greater than the software version used in the original ACE. Upgrade the ACE software on the new device if needed. After the upgrade, reboot the ACE module and verify that it is running with the correct software image to ensure that ANM can recognize it. Step 7 From the ANM GUI, do the following to perform a CLI synchronization with the Cisco IOS host chassis by doing the following: a. Choose Config > Devices > All Devices. The Device Management window appears. b. From the Device Management window, click the radio button associated with the host chassis. 5-84 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Replacing an ACE Module Managed by ANM c. Click CLI Sync. A message similar to the following appears: The module has been added: serial#=SAD140102XR Record the new ACE module serial number, which you will need for Step 11. Step 8 From the Device Management window, import the replacement module in to ANM as follows: a. Click the radio button associated with the host chassis and click Modules. The Modules window appears. b. From the Modules window, click the radio button associated with the replacement module and click Import. The Module configuration window appears. c. From the configuration window, choose Perform Initial Setup and Import from the Operation To Perform drop-down list and enter the module configuration information that you recorded in Step 2. d. Click OK to save the module configuration information. Step 9 Install a license in the replacement module that is consistent with the removed module by choosing Config > Devices > chassis > module > Admin > System > Licenses. The Licenses window appears. Step 10 Copy and restore the saved ACE configuration to the replacement module by choosing Config > Devices > chassis > module > Admin > System > Backup / Restore. Note The Backup/Restore feature requires ACE module software Version A2(3.0) or later. Step 11 Remap the ANM objects mapped to the old ACE module serial number to the new ACE module serial number as follows: a. Enter the following command to list the module serial numbers that are unassociated with a device in ANM: anm-RMA-helper-query Verify that the list includes the serial number of the old ACE module that you recorded in Step 2. b. Enter the following command to map the objects to the new ACE module serial number: anm-RMA-helper-replace c. Follow the prompts that appear to log in to ANM and specify the old ACE module serial number recorded in Step 2 and the new module serial number recorded in Step 7. t Related Topics • Importing ACE Modules after the Host Chassis has been Imported, page 5-16 Using the Alternate Method to Replace an ACE Module This procedure describes the alternate method for replacing an ACE module currently managed by ANM. This method uses a combination of the ACE CLI and ANM GUI during the replacement process. To see the preferred method for replacing an ACE module, see the “Using the Preferred Method to Replace an ACE Module” section on page 5-82. 5-85 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Replacing an ACE Module Managed by ANM Note For details about using the ACE CLI to perform the procedures discussed in the following procedure, see the Cisco Application Control Engine (ACE30) Module Installation Note). For details about any ANM GUI function discussed in the following procedure, click Help to display the context-sensitive help associated with the current GUI window. Procedure Step 1 Referring to the Cisco Application Control Engine (ACE30) Module Installation Note, do the following: a. SSH in to the ACE and backup all contexts from the Admin context (requires ACE module software Version A2(3.0) or later). b. Copy the backup to a network location (requires ACE module software Version A2(3.0) or later). c. Obtain and record the old module serial number using the show hardware command. You will need the serial number in Step 4. d. From the Cisco IOS host chassis, remove the ACE module that you want to replace. e. From the Cisco IOS host chassis, insert the replacement ACE module into the chassis. f. Verify that the software on the replacement ACE is equal to or greater than the software version used in the original ACE. Upgrade the ACE software on the new device if needed. g. SSH in to the chassis and session in to the new ACE module. h. Configure basic ACE module connectivity. i. Obtain and record the new module serial number using the show hardware command. j. Copy and install necessary licenses. k. Copy and restore the ACE backup. Step 2 From the ANM GUI, delete the Cisco IOS host chassis that hosts the replacement ACE module as follows: a. Choose Config > Devices > All Devices. The Device Management window appears. b. Click the radio button associated with the chassis in which the module was replaced. c. Click Delete. Step 3 From the Device Management window, import the Cisco IOS host chassis and associated chassis modules, including the replacement ACE module by clicking Add. The Add New Device window appears; complete the required chassis and module information. Step 4 Remap the ANM objects mapped to the old ACE module serial number to the new ACE module serial number as follows: a. Enter the following command to list the module serial numbers that are unassociated with a device in ANM: anm-RMA-helper-query Verify that the list includes the serial number of the old ACE module that you recorded in Step 1c. b. Enter the following command to map the objects to the new ACE module serial number: anm-RMA-helper-replace 5-86 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 5 Importing and Managing Devices Replacing an ACE Module Managed by ANM c. Follow the prompts that appear to log in to ANM and specify the old ACE module serial number recorded in Step 1c and the new module serial number. Related Topics • Importing ACE Modules after the Host Chassis has been Imported, page 5-16 CHAPTER 6-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 6 Configuring Virtual Contexts Date: 3/28/12 This chapter describes how to configure and manage the Cisco Application Control Engine (ACE) using Cisco Application Networking Manager (ANM). Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This chapter includes the following sections: • Information About Virtual Contexts, page 6-2 • Creating Virtual Contexts, page 6-2 • Configuring Virtual Contexts, page 6-8 • Configuring Virtual Context System Attributes, page 6-13 • Configuring Virtual Context Primary Attributes, page 6-14 • Configuring Virtual Context Syslog Settings, page 6-19 • Configuring SNMP for Virtual Contexts, page 6-27 • Applying a Policy Map Globally to All VLAN Interfaces, page 6-35 • Managing ACE Licenses, page 6-36 • Using Resource Classes, page 6-43 • Using Global Resource Classes, page 6-46 • Using Local Resource Classes, page 6-51 • Using the Configuration Checkpoint and Rollback Service, page 6-54 • Performing Device Backup and Restore Functions, page 6-59 • Performing Global Device Backup and Copy Functions, page 6-68 • Configuring Security with ACLs, page 6-78 6-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Information About Virtual Contexts • Configuring Object Groups, page 6-89 • Managing ACLs, page 6-99 • Configuring Virtual Context Expert Options, page 6-101 • Comparing Context and Building Block Configurations, page 6-101 • Managing Virtual Contexts, page 6-103 Information About Virtual Contexts Virtual contexts use the concept of virtualization to partition your ACE into multiple virtual devices or contexts. Each context contains its own set of policies, interfaces, resources, and administrators. This feature enables you to more closely and efficiently manage resources, users, and the services you provide to your customers. There are two types of virtual contexts; the admin context and the user context. The ACE comes preconfigured with the default Admin context, which you can modify but you cannot delete. From the Admin context, you can create user contexts. You also use the Admin context to configure High Availability (HA or fault tolerance between ACE devices), configure resource classes, and manage ACE licenses. Note If you restore the ANM database from a backup repository and if a virtual context that is in the repository has been removed from the device, ANM removes that context from the database and the context does not appear in the ANM interface. Related Topics • Creating Virtual Contexts, page 6-2 • Configuring Virtual Contexts, page 6-8 • Deleting Virtual Contexts, page 6-107 • Comparing Context and Building Block Configurations, page 6-101 • Restarting Virtual Context Polling, page 6-108 • Managing Virtual Contexts, page 6-103 Creating Virtual Contexts You can create virtual contexts. Note You must have the ability to create virtual contexts in your role and an Admin context in your domain before you can create virtual contexts. For more information about configuring roles and domains, see the “Managing User Roles” section on page 18-25 and the “Managing Domains” section on page 18-32. Procedure Step 1 Choose Config > Devices, and choose the ACE to which you want to add a virtual context. The Virtual Contexts table appears. 6-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Creating Virtual Contexts Step 2 In the Virtual Contexts table, click Add. The New Virtual Context window appears. Step 3 Configure the virtual context using the information in Table 6-1. Click Basic Settings, Management Settings, or More Setting to access the additional configuration attributes. By default, ANM hides the Management Settings and More Settings groups of configuration attributes until you specify a VLAN identifier in the Management Settings group. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Table 6-1 Virtual Context Configuration Attributes Field Description Basic Settings Name Unique name for the virtual context. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. This field is read-only for existing contexts. Device Device to associate with this context. This field appears for new contexts only. Description Brief description of the virtual context. Enter a description as an unquoted text string with a maximum of 240 alphanumeric characters. Module Field that appears when a chassis contains multiple ACE modules and for new contexts only. Choose the module to associate with this context. Resource Class Resource class that this virtual context is to use. Allocated VLANs Number of a VLAN or a range of VLANs used by the traffic that the context is to receive. You can specify VLANs in any of the following ways: • For a single VLAN, enter an integer from 2 to 4096. • For multiple, nonsequential VLANs, use comma-separated entries, such as 101, 201, 302. • For a range of VLANs, use the format -, such as 101-150. Note VLANs cannot be modified in an Admin context. Default Gateway IP for IPv4 IPv4 address of the default gateway. Use a comma-separated list to specify multiple IP addresses, such as 192.168.65.1, 192.168.64.2. Default static routes with a netmask and IP address of 0.0.0.0 previously configured on the ACE appear in this field. 6-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Creating Virtual Contexts Default Gateway IP for IPv6 Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. IPv6 address of the default gateway or choose the forward VLAN interface or BVI, as follows: • IPv6 Address field—Enter the address of the gateway router (the next-hop address for this route). Then, use the right arrow to move it to the Selected field. You can enter a maximum of eight addresses including a selected VLAN or BVI through the Outgoing Interfaces setting. Default static routes with a prefix and IP address of ::0 previously configured on the ACE appear in the Selected field. • Outgoing Interfaces—Select either VLAN or BVI used for the link-local address only. And then select the Interface Number for the VLAN or BVI. Enable High Availability Context to be used in a high availability (HA) group. Note This field is unavailable if the associated FT interface is not configured or if the ACE peer is not known. See Chapter 13, “Configuring High Availability” for details on ACE HA groups. Management Settings VLAN Id VLAN number that you want to assign to the management interface. Valid values are from 2 to 4094. The VLAN ID should be available in the allocated VLAN interface list. By default, all devices are assigned to VLAN1, known as the default VLAN. Note You must enter a VLAN ID before the other Management Settings attribute fields are enabled for configuring. VLAN Description Description for the management interface. Enter an unquoted text string that contains a maximum of 240 alphanumeric characters including spaces. Interface Mode Topology that reflects the relationship of the selected ACE virtual context to the real servers in the network: • Routed—The ACE virtual context acts as a router between the client-side network and the server-side network. In this topology, every real server for the application must be routed through the ACE virtual context, either by setting the default gateway on each real server to the virtual context server-side VLAN interface address, or by using a separate router with appropriate routes configured between the ACE virtual context and the real servers. • Bridged—The virtual ACE bridges two VLANs—a client-side VLAN and a real-server VLAN—on the same subnet using a bridged virtual interface (BVI). The real server routing does not change to accommodate the ACE virtual context. Instead the virtual ACE transparently handles traffic to and from the real servers. Management IP IPv4 address that is to be used for remote management of the context. Note ANM considers an interface as a management interface if it has a management policy map associated with the VLAN interface. See the “Configuring Virtual Context VLAN Interfaces” section on page 12-6. Management Netmask Subnet mask to apply to this IP address. Alias IP Address IP address of the alias this interface is associated with. Peer IP Address IP address of the remote peer. Table 6-1 Virtual Context Configuration Attributes (continued) Field Description 6-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Creating Virtual Contexts Access Permission List of source IP addresses that are allowed on the management interface: • Allow All—Allows all configured client source IP addresses on the management interface as the network traffic matching criteria. • Deny All—Denies all configured client source IP addresses on the management interface as the network traffic matching criteria. • Match—Displays the Match Conditions table, where you specify the match criteria that the ACE is to use for traffic on the management interface. Table 6-1 Virtual Context Configuration Attributes (continued) Field Description 6-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Creating Virtual Contexts Match Conditions Match Conditions table that appears when you choose Match as the Access Permission selection. To add or modify the protocols allowed on this management VLAN, do the following: 1. Click Add to choose a protocol for the management interface, or choose an existing protocol entry listed in the Match Conditions table and click Edit to modify it. 2. In the Protocol drop-down list, choose a protocol: – HTTP—Specifies the Hypertext Transfer Protocol (HTTP). – HTTPS—Specifies the secure (SSL) Hypertext Transfer Protocol (HTTP) for connectivity with the ANM interface using port 443. – ICMP— Specifies the Internet Control Message Protocol (ICMP) for Internet Protocol version 4 (IPv4). – ICMPv6—Option that appears only for ACE module and ACE appliance software Version A5(1.0) or later. Specifies the Internet Control Message Protocol version 6 (ICMPv6) for Internet Protocol version 6 (IPv6). – – KALAP-UDP—Specifies the Keepalive Appliance Protocol over UDP. – SNMP—Specifies the Simple Network Management Protocol (SNMP). Note If SNMP is not selected, ANM will not be able to poll the context. – SSH—Specifies a Secure Shell (SSH) connection to the ACE. – TELNET—Specifies a Telnet connection to the ACE. – XML-HTTPS—Specifies HTTPS as the transfer protocol for sending and receiving XML documents between the ACE appliance and a Network Management System (NMS) using port 10443. This option is available for ACE appliances only. 3. In the Allowed From field, specify the matching criteria for the client source IP address: – Any—Specifies any client source address for the management traffic classification. – Source Address—Specifies a client source host IP address and subnet mask as the network traffic matching criteria. An ICMPv6 source address only accepts an IPv6 address. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. – Source Netmask—Select a subnet mask. This field is not applicable for ICMPv6. – Source Prefix Length—(ICMPv6 only) Enter the prefix length, a value from 1 to 128. 4. Click OK to accept the protocol selection (or click Cancel to exit without accepting your entries). Note To remove a protocol from the management VLAN, choose the entry in the Match Conditions table, and click Delete. Enable SNMP Get Check box that you can check to add an SNMP Get community string to enable SNMP polling on this context. Table 6-1 Virtual Context Configuration Attributes (continued) Field Description 6-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Creating Virtual Contexts Step 4 Do one of the following: • Click Deploy Now to deploy this context and save this configuration to the running-configuration and startup-configuration files. The window refreshes and you can continue with virtual context configuration (see the “Configuring Virtual Contexts” section on page 6-8). • Click Cancel to exit this procedure without saving your entries. The Virtual Contexts table appears. SNMP v2c Read-Only Community String Field that appears when you check the Enable SNMP Get check box. Enter the SNMPv2c read-only community string to be used as the SNMP Get community string. Enable SNMP Trap Check box that you can check to add an SNMP community string for ANM to receive traps from this context. SNMP Community Field that appears when you check the Enable SNMP Trap check box. Enter the SNMP version 1 or 2c read-only community string or the SNMP version 3 user name that is to be used as the SNMP trap. Enable Syslog Notification Check box that you can check to enable syslog logging or uncheck to disable syslog logging. Add Admin User Check box that you can check to add a user with an administrator role and default-domain access. User Name Field that appears when you check the Add Admin User check box. Specifies the name by which the user is to be identified (up to 24 characters). Only letters, numbers, and underscore can be used. The field is case sensitive. Password Field that appears when you check the Add Admin User check box. Enter the password for the Admin user account. Confirm Password Field that appears when you check the Add Admin User check box. Renter the password for the Admin user account. More Settings Switch Mode Feature that applies only to the ACE module A2(1.1), ACE appliance A4(1.0), or later releases of either device type. Choose Switch Mode to change the way that the ACE processes TCP connections that are not destined to a VIP or that do not have any policies associated with their traffic. For such traffic, the ACE still creates connection objects, but processes the connections as stateless connections, which means that they do not undergo any TCP normalization checks. With this option enabled, the ACE also creates stateless connections for non-SYN TCP packets if they satisfy all other configured requirements. This process ensures that a long-lived persistent connection passes through the ACE successfully (even if it times out) by being reestablished by any incoming packet related to the connection. By default, these stateless connections time out after 2 hours and 15 minutes unless you configure the inactivity timeout otherwise in a parameter map. When a stateless connection times out, the ACE does not send a TCP RST packet but silently closes the connection. Even though these connections are stateless, the TCP RST and FIN-ACK flags are honored and the connections are closed when the ACE sees these flags in the received packets. Building Block To Apply Configuration building block to apply to this context. Table 6-1 Virtual Context Configuration Attributes (continued) Field Description 6-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Contexts Related Topics • Information About Virtual Contexts, page 6-2 • Configuring Virtual Contexts, page 6-8 Configuring Virtual Contexts After creating a virtual context, you can configure it. Configuring a virtual context involves configuring a number of attributes, grouped into configuration subsets. The options that appear when you choose Config > Devices > context depend on the following: • Type of ACE device associated with the context: ACE module or ACE appliance. • Role associated with your account, such as Admin, Network-Admin, or SSL-Admin. • Context that you are configuring; an Admin context or a user context. Table 6-2 describes configuration options for Admin contexts for ACE modules and ACE appliances although not all options are available for both types of devices. Table 6-3 identifies the configuration options that are available for each ACE device type. Note You cannot modify a virtual context when its CLI Sync Status is in the Import Failed state. You must synchronize the context before you can make changes to it. You can view CLI Sync Status and synchronize contexts from the Virtual Contexts table (Config > Devices > ACE). 6-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Contexts Table 6-2 Virtual Context Configuration Options Configuration Subset Description Related Topics System The System configuration subset includes the following: • Primary attributes such as building block, resource class, and VLAN options • Syslog attributes that allow you to identify the type and severity of syslog messages that are to be logged, the syslog log host, log messages, and log rate limits • SNMP attributes • Global policy maps for all VLANs on a virtual context • ACE license attributes that allow you to view, install, remove, update, and copy licenses for ACE hardware • Resource classes that allow you to manage virtual context access to individual ACE devices • Checkpoint (snapshot in time) of a known stable running configuration • Back up or restore the configuration and dependencies of an entire ACE or of a particular virtual context Note ACE licenses and resource classes can be configured in an Admin context only. • Configuring Virtual Context Primary Attributes, page 6-14 • Configuring Virtual Context Syslog Settings, page 6-19 • Configuring SNMP for Virtual Contexts, page 6-27 • Applying a Policy Map Globally to All VLAN Interfaces, page 6-35 • Managing ACE Licenses, page 6-36 • Using Resource Classes, page 6-43 • Using the Configuration Checkpoint and Rollback Service, page 6-54 • Performing Device Backup and Restore Functions, page 6-59 • Performing Global Device Backup and Copy Functions, page 6-68 Load Balancing Load-balancing attributes allow you to do the following: • Configure virtual servers, real servers, and server farms for load balancing • Establish the predictor method and return code checking • Implement sticky groups for session persistence • Configure parameter maps to combine related actions for policy maps • Configure NAT so that only one address for the entire network to the outside world is advertised • Configure a secure keepalive-appliance protocol (KAL-AP) associated with a virtual context to enable communication between the ACE and a Global Site Selector (GSS) • Information About Load Balancing, page 7-1 • Configuring Virtual Servers, page 7-2 • Configuring Server Farms, page 8-30 • Configuring Health Monitoring for Real Servers, page 8-51 • Configuring Sticky Groups, page 9-7 • Configuring Parameter Maps, page 10-1 • Configuring VLAN Interface NAT Pools, page 12-26 • Configuring Secure KAL-AP, page 8-77 6-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Contexts SSL Secure Sockets Layer (SSL) configuration options allow you to import and export SSL certificates and keys, set up SSL parameter maps and chain group parameters, generate certificate signing requests for submission to a certificate authority, authenticate peer certificates, and configure certificate revocation lists for use during client authentication. Note You cannot configure all SSL options in a building block. Instead, configure them in an Admin virtual context. • Configuring SSL, page 11-1 • Using SSL Certificates, page 11-5 • Using SSL Keys, page 11-10 • Generating CSRs, page 11-26 • Configuring SSL Parameter Maps, page 11-18 • Configuring SSL Chain Group Parameters, page 11-23 • Configuring SSL Proxy Service, page 11-27 • Configuring SSL Authentication Groups, page 11-31 • Configuring CRLs for Client Authentication, page 11-33 Security Security configuration options enable you to create access control lists, set access control list (ACL) attributes, resequence ACLs, delete ACLs, and configure object groups. • Configuring Security with ACLs, page 6-78 • Creating ACLs, page 6-79 • Configuring Object Groups, page 6-89 Network Network configuration options allow you to configure the following: • VLAN interfaces • Bridged-group virtual interfaces (BVI) • Network Address Translation (NAT) pools for a VLAN interface • Static routes • Dynamic host configuration protocol (DHCP) relay agents • Port channel interfaces • Gigabit Ethernet interfaces • Over 8,000 static network address translation (NAT) configurations • Configuring Virtual Context VLAN Interfaces, page 12-6 • Configuring Virtual Context BVI Interfaces, page 12-19 • Configuring VLAN Interface NAT Pools, page 12-26 • Configuring Virtual Context Static Routes, page 12-28 • Configuring Virtual Context BVI Interfaces, page 12-19 • Configuring Port-Channel Interfaces for the ACE Appliance, page 12-35 • Configuring Gigabit Ethernet Interfaces on the ACE Appliance, page 12-32 • Configuring Static VLANs for Over 8000 Static NAT Configurations, page 12-31 High Availability High availability (HA) attributes allow you to configure two ACE devices for fault-tolerant redundancy and the tracking and detection of failures for timely switchover. Note You can set up high availability in an Admin context only. • Configuring ACE High Availability, page 13-14 • Configuring ACE High Availability Peers, page 13-15 • Configuring ACE High Availability Groups, page 13-17 Table 6-2 Virtual Context Configuration Options (continued) Configuration Subset Description Related Topics 6-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Contexts HA Tracking and Failure Detection HA tracking and failure detection attributes allow you to configure tracking processes that can help ensure reliable fault tolerance. • ACE High Availability Tracking and Failure Detection Overview, page 13-23 • Tracking ACE VLAN Interfaces for High Availability, page 13-24 • Tracking Hosts for High Availability, page 13-25 • Configuring ACE HSRP Groups, page 13-29 Role-Based Access Control Role-based access control (RBAC) attributes allow you to configure RBAC for individual virtual contexts. Note Virtual context RBAC is separate from ANM RBAC. For information about ANM RBAC, see the “How ANM Handles Role-Based Access Control” section on page 18-8. • Configuring Device RBAC Users, page 5-53 • Configuring Device RBAC Roles, page 5-56 • Configuring Device RBAC Domains, page 5-61 Expert Expert attributes allow you to configure traffic policies and configure optimization action lists. • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring an HTTP Optimization Action List, page 15-3 Table 6-3 Configuration Options by Device Type Menu Option ACE Device Type Related Topic ACE Module ACE 4710 Appliance System Primary Attributes X X Configuring Virtual Context Primary Attributes, page 6-14 Syslog X X Configuring Virtual Context Syslog Settings, page 6-19 SNMP X X Configuring SNMP for Virtual Contexts, page 6-27 Global Policies X X Applying a Policy Map Globally to All VLAN Interfaces, page 6-35 Licenses X X Managing ACE Licenses, page 6-36 Application Acceleration and Optimization – X Configuring Global Application Acceleration and Optimization, page 15-9 Resource Classes X X Using Resource Classes, page 6-43 Checkpoints X X Using the Configuration Checkpoint and Rollback Service, page 6-54 Backup/Restore X X Performing Device Backup and Restore Functions, page 6-59 Table 6-2 Virtual Context Configuration Options (continued) Configuration Subset Description Related Topics 6-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Contexts Load Balancing Virtual Servers X X Configuring Virtual Servers, page 7-2 Real Servers X X Configuring Real Servers, page 8-5 Server Farms X X Configuring Server Farms, page 8-30 Health Monitoring X X Configuring Health Monitoring for Real Servers, page 8-51 Stickiness X X Configuring Sticky Groups, page 9-7 HTTP Parameter Maps X X Configuring HTTP Parameter Maps, page 10-9 Connection Parameter Maps X X Configuring Connection Parameter Maps, page 10-3 Optimization Parameter Maps – X Configuring Optimization Parameter Maps, page 10-12 Generic Parameter Maps X X Configuring Generic Parameter Maps, page 10-8 RTSP Parameter Maps X X Configuring RTSP Parameter Maps, page 10-20 SIP Parameter Maps X X Configuring SIP Parameter Maps, page 10-21 Skinny Parameter Maps X X Configuring Skinny Parameter Maps, page 10-23 Secure KAL-AP X X Configuring Secure KAL-AP, page 8-77 SSL Setup Sequence X X SSL Setup Sequence, page 11-4 Certificates X X Using SSL Certificates, page 11-5 Keys X X Using SSL Keys, page 11-10 Parameter Map X X Configuring SSL Parameter Maps, page 11-18 Chain Group Parameters X X Configuring SSL Chain Group Parameters, page 11-23 CSR Parameters X X Configuring SSL CSR Parameters, page 11-24 Proxy Service X X Configuring SSL Proxy Service, page 11-27 Auth Group Parameters X X Configuring SSL Authentication Groups, page 11-31 Certificate Revocation Lists (CRLs) X X Configuring CRLs for Client Authentication, page 11-33 Security ACLs X X Creating ACLs, page 6-79 Object Groups X X Configuring Object Groups, page 6-89 Network Port Channel Interfaces – X Configuring Port-Channel Interfaces for the ACE Appliance, page 12-35 Gigabit Ethernet Interfaces – X Configuring Gigabit Ethernet Interfaces on the ACE Appliance, page 12-32 VLAN Interfaces X X Configuring Virtual Context VLAN Interfaces, page 12-6 BVI Interfaces X X Configuring Virtual Context BVI Interfaces, page 12-19 Table 6-3 Configuration Options by Device Type (continued) Menu Option ACE Device Type Related Topic ACE Module ACE 4710 Appliance 6-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Context System Attributes Configuring Virtual Context System Attributes This section shows how to configure the ACE virtual context system attributes, which are as follows: • Virtual context primary attributes—See Configuring Virtual Context Primary Attributes, page 6-14. • Syslog – Configuring Virtual Context Syslog Settings, page 6-19 – Configuring Syslog Log Hosts, page 6-23 – Configuring Syslog Log Messages, page 6-24 – Configuring Syslog Log Rate Limits, page 6-26 • SNMP – Configuring SNMP for Virtual Contexts, page 6-27 – Configuring SNMPv2c Communities, page 6-28 NAT Pools X X Configuring VLAN Interface NAT Pools, page 12-26 Static Routes X X Configuring Virtual Context Static Routes, page 12-28 Global IP DHCP X X Configuring Global IP DHCP, page 12-29 Static NAT Overwrite X – Configuring Static VLANs for Over 8000 Static NAT Configurations, page 12-31 NAT Pools X X Configuring VLAN Interface NAT Pools, page 12-26 High Availability Setup X X Configuring ACE High Availability Peers, page 13-15 HA Tracking And Failure Detection Interfaces X X Tracking ACE VLAN Interfaces for High Availability, page 13-24 Hosts X X Tracking Hosts for High Availability, page 13-25 HSRP Groups X X Configuring ACE HSRP Groups, page 13-29 Role-Based Access Control Users X X Configuring Device RBAC Users, page 5-53 Roles X X Configuring Device RBAC Roles, page 5-56 Domains X X Configuring Device RBAC Domains, page 5-61 Expert Class Maps X X Configuring Virtual Context Class Maps, page 14-6 Policy Maps X X Configuring Virtual Context Policy Maps, page 14-32 Action List X X Configuring an HTTP Header Modify Action List, page 14-85 Configuring an HTTP Optimization Action List, page 15-3 Table 6-3 Configuration Options by Device Type (continued) Menu Option ACE Device Type Related Topic ACE Module ACE 4710 Appliance 6-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Context Primary Attributes – Configuring SNMPv3 Users, page 6-29 – Configuring SNMP Trap Destination Hosts, page 6-32 – Configuring SNMP Notification, page 6-33 • Global policy maps for all VLANs on a virtual context—See Applying a Policy Map Globally to All VLAN Interfaces, page 6-35. • ACE licenses—See Managing ACE Licenses, page 6-36. • ACE resource classes—See Using Resource Classes, page 6-43. For ACE appliances, you can also configure global application acceleration and optimization. See the “Configuring Global Application Acceleration and Optimization” section on page 15-9. Configuring Virtual Context Primary Attributes Primary attributes allow you to configure essential information for each virtual context including a name, VLANs, a management IP address, and allowed protocols. After providing this information, you can configure other attributes, such as interfaces, load-balancing, or SSL. For a complete list of the configurable items, see the “Configuring Virtual Contexts” section on page 6-8. Procedure Step 1 Choose Config > Devices > context > System > Primary Attributes. The Primary Attributes configuration window appears. Step 2 In the Primary Attributes configuration window, enter the primary attributes for this virtual context using the information in Table 6-4. Certain attribute fields are read-only for existing contexts. Click Basic Settings, Management Settings, or More Setting to access the additional configuration attributes. By default, ANM hides these groups of configuration attributes. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Table 6-4 Primary Attributes Configuration Attributes Field Description Basic Settings Name Unique name for the virtual context. This field is read-only for existing contexts. Description Brief description of the virtual context. Enter a description as an unquoted text string with a maximum of 240 alphanumeric characters. Resource Class Resource class that this virtual context is to use. Click View to see the details of the selected resource class (Resource, Minimum, and Maximum). 6-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Context Primary Attributes Allocated VLANs Number of a VLAN or a range of VLANs that contain traffic for the context to receive. You can specify VLANs in any of the following ways: • For a single VLAN, enter an integer from 2 to 4096. • For multiple, nonsequential VLANs, use comma-separated entries, such as 101, 201, 302. • For a range of VLANs, use the format -, such as 101-150. Note VLANs cannot be modified in an Admin context. This field is read-only if configured for existing contexts. Default Gateway IP for IPv4 IPv4 address of the default gateway. Use a comma-separated list to specify multiple IP addresses, such as192.168.65.1, 192.168.64.2. Default static routes with a netmask and IP address of 0.0.0.0 previously configured on the ACE appear in this field. Default Gateway IP for IPv6 Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. IPv6 address of the default gateway or choose the forward VLAN interface or BVI, as follows: • IPv6 Address field—Enter the address of the gateway router (the next-hop address for this route). Then, use the right arrow to move it to the Selected field. You can enter a maximum of eight addresses including a selected VLAN or BVI through the Outgoing Interfaces setting. Default static routes with a prefix and IP address of ::0 previously configured on the ACE appear in the Selected field. • Outgoing Interfaces—Select either VLAN or BVI used for the link-local address only. And then select the Interface Number for the VLAN or BVI. Enable High Availability Context for use in a high availability (HA) group. Note This field is unavailable if the associated FT interface is not configured or if the ACE peer is not known. See Chapter 13, “Configuring High Availability” for details on ACE HA groups. Management Settings VLAN Id VLAN number that you want to assign to the management interface. Valid values are from 2 to 4094. By default, all devices are assigned to VLAN1, known as the default VLAN. ANM identifies the management class maps and policy maps associated with the selected VLAN ID assigned to the management interface. This field is read-only if configured for existing contexts. VLAN Description Description for the management interface. Enter an unquoted text string that contains a maximum of 240 alphanumeric characters including spaces. Table 6-4 Primary Attributes Configuration Attributes (continued) Field Description 6-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Context Primary Attributes Interface Mode Topology that reflects the relationship of the selected ACE virtual context to the real servers in the network: • Routed—The ACE virtual context acts as a router between the client-side network and the server-side network. In this topology, every real server for the application must be routed through the ACE virtual context, either by setting the default gateway on each real server to the virtual context server-side VLAN interface address, or by using a separate router with appropriate routes configured between the ACE virtual context and the real servers. • Bridged—The virtual ACE bridges two VLANs—a client-side VLAN and a real-server VLAN—on the same subnet using a bridged virtual interface (BVI). In this case, the real server routing does not change to accommodate the ACE virtual context. Instead, the virtual ACE transparently handles traffic to and from the real servers. This field is read-only if configured for existing contexts. Management IP IPv4 address that is to be used for remote management of the context. Note ANM considers an interface as a management interface if it has a management policy map associated with the VLAN interface. See the “Configuring Virtual Context VLAN Interfaces” section on page 12-6. Management Netmask Subnet mask to apply to this IP address. Alias IP Address IP address of the alias this interface is associated with. Peer IP Address IP address of the remote peer. Access Permission List of source IP addresses that are allowed on the management interface: • Allow All—Allows all configured client source IP addresses on the management interface as the network traffic matching criteria. • Deny All—Denies all configured client source IP addresses on the management interface as the network traffic matching criteria. • Match—Displays the Match Conditions table, where you specify the match criteria that the ACE is to use for traffic on the management interface. Table 6-4 Primary Attributes Configuration Attributes (continued) Field Description 6-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Context Primary Attributes Match Conditions Match Conditions table that appears when you choose Match as the Access Permission selection. To add or modify the protocols allowed on this management VLAN, do the following: 1. Click Add to choose a protocol for the management interface, or choose an existing protocol entry listed in the Match Conditions table and click Edit to modify it. 2. In the Protocol drop-down list, choose a protocol: – HTTP—Specifies the Hypertext Transfer Protocol (HTTP). – HTTPS—Specifies the secure (SSL) Hypertext Transfer Protocol (HTTP) for connectivity with the ANM interface using port 443. – ICMP—Specifies the Internet Control Message Protocol (ICMP) for Internet Protocol version 4 (IPv4) – ICMPv6—Option that appears only for ACE module and ACE appliance software Version A5(1.0) or later. Specifies the Internet Control Message Protocol version 6 (ICMPv6) for Internet Protocol version 6 (IPv6). – KALAP-UDP—Specifies the Keepalive Appliance Protocol over UDP. – SNMP—Specifies the Simple Network Management Protocol (SNMP). Note If SNMP is not selected, ANM cannot poll the context. – SSH—Specifies a Secure Shell (SSH) connection to the ACE. – TELNET—Specifies a Telnet connection to the ACE. – XML-HTTPS—Specifies HTTPS as the transfer protocol for sending and receiving XML documents between the ACE appliance and a Network Management System (NMS) using port 10443. This option is available for ACE appliances only. 3. In the Allowed From field, specify the matching criteria for the client source IP address: – Any—Specifies any client source address for the management traffic classification. – Source Address—Specifies a client source host IP address and subnet mask as the network traffic matching criteria. 4. Click OK to accept the protocol selection (or click Cancel to exit without accepting your entries). Note To remove a protocol from the management VLAN, choose the entry in the Match Conditions table, and click Delete. Enable SNMP Get Check box to add an SNMP Get community string to enable SNMP polling on this context. This field is read-only if configured for existing contexts. SNMP v2c Read-Only Community String Field that appears when you check the Enable SNMP Get check box. Enter the SNMPv2c read-only community string to be used as the SNMP Get community string. This field is read-only if configured for existing contexts. Table 6-4 Primary Attributes Configuration Attributes (continued) Field Description 6-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Context Primary Attributes Step 3 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Virtual Contexts table. Related Topics • Information About Virtual Contexts, page 6-2 • Configuring Virtual Context VLAN Interfaces, page 12-6 • Configuring Virtual Context BVI Interfaces, page 12-19 • Configuring Virtual Context Syslog Settings, page 6-19 • Configuring Traffic Policies, page 14-1 Enable SNMP Trap Check box to add an SNMP community string for ANM to receive traps from this context. This field is read-only if configured for existing contexts. SNMP Community Field that appears when you check the Enable SNMP Trap check box. Enter the SNMPv1 or SNMPv2c read-only community string or the SNMPv3 user name that is to be used as the SNMP trap. This field is read-only if configured for existing contexts. Enable Syslog Notification Check box to either enable or disable syslog logging. More Settings Switch Mode Feature that applies only to the ACE module A2(1.1), ACE appliance A4(1.0), or later releases of either device type. Choose Switch Mode to change the way that the ACE processes TCP connections that are not destined to a VIP or that do not have any policies associated with their traffic. For such traffic, the ACE still creates connection objects but processes the connections as stateless connections, which means that they do not undergo any TCP normalization checks. With this option enabled, the ACE also creates stateless connections for non-SYN TCP packets if they satisfy all other configured requirements. This process ensures that a long-lived persistent connection passes through the ACE successfully (even if it times out) by being reestablished by any incoming packet related to the connection. By default, these stateless connections time out after 2 hours and 15 minutes unless you configure the inactivity timeout otherwise in a parameter map. When a stateless connection times out, the ACE does not send a TCP RST packet but silently closes the connection. Even though these connections are stateless, the TCP RST and FIN-ACK flags are honored and the connections are closed when the ACE sees these flags in the received packets. Shared VLAN Host Id Field that is available in the Admin context only.Specific bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. Be sure to configure different bank numbers for multiple ACEs. Regex Compilation Timeout (minutes) Timeout setting for regular expression (regex) compilation. When you configure a regex and its compilation is longer than the configured timeout, the ACE stops the regex compilation.Enter a value from 1 to 500 minutes. The default timeout is 60 minutes. This option is available only in the Admin context. Building Block To Apply Configuration building block to apply to this context. For information about building blocks, see Chapter 16, “Using Configuration Building Blocks.” Table 6-4 Primary Attributes Configuration Attributes (continued) Field Description 6-19 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Context Syslog Settings Configuring Virtual Context Syslog Settings ANM uses syslog logging to send log messages to a process that logs messages to designated locations asynchronously to the processes that generated the messages. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > System > Syslog. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > System > Syslog. The Syslog configuration window appears. Step 2 In the Syslog configuration window, enter the syslog logging attributes in the displayed fields (see Table 6-6). All fields that require you to choose syslog severity levels use the values in Table 6-5. The severity level that you specify indicates that you want syslog messages at that level and the more severe levels. For example, if you specify Error, syslog displays Error, Critical, Alert, and Emergency messages. Note Setting all syslog levels to Debug during normal operations can degrade overall performance. Table 6-5 Syslog Logging Levels Severity Description 0-Emergency Unusable system 1-Critical Critical condition 2-Warning Warning condition 3-Alert Immediate action required 4-Error Error condition 5-Notification Normal but significant condition 6-Information Informational message only 7-Debug Appears only during debugging 6-20 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Context Syslog Settings Table 6-6 Virtual Context Syslog Configuration Attributes Field Description Action Enable Syslog Option that determines whether syslog logging is enabled or disabled. Check the check box to enable syslog logging or clear the check box to disable syslog logging. Facility Syslog daemon that uses the specified syslog facility to determine how to process the messages it receives. Syslog servers file or direct messages based on the facility number in the message. For more information on the syslog daemon and facility levels, see your syslog daemon documentation. Enter the facility appropriate for your network. Valid entries are 0 (LOCAL0) through 23 (LOCAL7). The default for ACE is 20 (LOCAL4). Buffered Level Option that enables system logging to a local buffer and limits the messages sent to the buffer based on severity. Choose the desired level for sending system log messages to a local buffer. By default, logging to a buffer is disabled on the ACE. Console Level Option that specifies the maximum level for system log messages sent to the console. Choose the desired level for sending system log messages to the console. By default, ACE does not display syslog messages during console sessions. Note Logging to the console can degrade system performance. We recommend that you log messages to the console only when you are testing or debugging problems. Do not use this option when the network is busy, because it can reduce ACE performance. History Level Option that specifies the maximum level for system log messages sent as traps to an SNMP network management station. Choose the desired level for sending system log messages as traps to an SNMP network management station. By default, the ACE does not send traps and inform requests to an SNMP network management station. Monitor Level Option that specifies the maximum level for system log messages sent to a remote connection using Secure Shell (SSH) or Telnet on the ACE. Choose the desired level for sending system log messages to a remote connection using SSH or Telnet on the ACE. By default, logging to a remote connection using SSH or Telnet is disabled on the ACE. Note You must enable remote access on the ACE and establish a remote connection using the SSH or Telnet protocol from a PC for this option to work. 6-21 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Context Syslog Settings Persistence Level Option that specifies the maximum level for system log messages sent to Flash memory. Choose the desired level for sending system log messages to Flash memory. By default, logging to Flash memory is disabled on the ACE. Note We recommend that you use a lower severity level, such as 3, because logging at a high rate to Flash memory on the ACE might impact performance. Trap Level Option that specifies the maximum level for system log messages sent to a syslog server. Choose the desired level for sending system log messages to a syslog server. By default, logging to a syslog server is disabled on the ACE. Supervisor Level Option that specifies the maximum level for system log messages sent to the supervisor module on the Catalyst 6500 series chassis. Note This option does not appear for ACE appliances or ACE 4710-type configuration building blocks. Choose the desired level for sending system log messages to the supervisor module on the Catalyst 6500 series chassis. Note We recommend that you use a lower severity level, such as 3, because logging at a high rate to the supervisor module might impact performance of the Catalyst 6500 series chassis. Queue Size Option that specifies the size of the queue for storing syslog messages in the message queue while they await processing. Enter the desired queue size. Valid entries are from 0 to 8192 messages. The default is 80 messages. Enable Timestamp Option that determines whether syslog messages should include the date and time that the message was generated. Choose the check box to enable time stamps on syslog messages or clear the check box to disable time stamps on syslog messages. By default, time stamps are not included on syslog messages. Enable Standby Option that determines whether or not logging is enabled or disabled on the failover standby ACE. When enabled: • This feature causes twice the message traffic on the syslog server. • The standby ACE syslog messages remain synchronized if failover occurs. Choose the check box to enable logging on the failover standby ACE or clear the check box to disable logging on the failover standby ACE. Enable Fastpath Logging Option that determines whether or not connection setup and teardown messages are logged. Check the check box to enable the logging of setup and teardown messages or clear the check box to disable the logging of setup and teardown messages. By default, the ACE does not log connection startup and teardown messages. Table 6-6 Virtual Context Syslog Configuration Attributes (continued) Field Description Action 6-22 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Context Syslog Settings Reject New Connection When TCP Queue Full Option that indicates whether or not the ACE rejects new connections when the TCP queue is full. This option is not applicable to ACE 4710 appliances running image A3(x.x). Check the check box to reject new connections when the syslog daemon can no longer reach the TCP syslog server. Clear the check box to disable this feature. This option is enabled by default. Reject New Connection When Rate Limit Reached Option that indicates whether or not the ACE rejects new connections when the syslog message rate is reached. This option is not applicable to ACE 4710 appliances running image A3(x.x). Check the check box to reject new connections when the syslog message rate is reached. Clear the check box to disable this feature. This option is disabled by default. Reject New Connection When Control Plane Buffer Full Option that indicates whether or not the ACE rejects new connections when the syslog daemon buffer is full. This option is not applicable to ACE 4710 appliances running image A3(x.x). Check the check box to reject new connections when the syslog daemon buffer is full. This option is disabled by default. Device Id Type Option that specifies the type of unique device identifier to be included in syslog messages sent to the syslog server. The device identifier does not appear in EMBLEM-formatted messages, SNMP traps, or on the ACE console, management session, or buffer. Choose the type of device identifier to use: • Any String—Text string that you specify to uniquely identify the syslog messages sent from the ACE. If you choose this option, enter the text string to use in the Logging Device Id field. • Context Name—Name of the current virtual context used to uniquely identify the syslog messages sent from the ACE. • Host Name—Hostname of the ACE used to uniquely identify the syslog messages sent from the ACE. • Interface—IP address of the interface used to uniquely identify the syslog messages sent from the ACE. If you choose this option, enter the name of the interface in the Device Interface Name field. • Undefined—No identifier is used. Table 6-6 Virtual Context Syslog Configuration Attributes (continued) Field Description Action 6-23 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Context Syslog Settings Step 3 Do the following: • For virtual contexts, click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files, or choose another option to exit the procedure without saving your entries. • For configuration building blocks, click Save to save your entries or Cancel to exit the procedure without saving your entries. Related Topics • Configuring Syslog Log Hosts, page 6-23 • Configuring Syslog Log Messages, page 6-24 • Configuring Syslog Log Rate Limits, page 6-26 Configuring Syslog Log Hosts You can configure syslog log hosts. After configuring basic syslog characteristics (see the “Configuring Virtual Context Syslog Settings” section on page 6-19), you can configure the log host, log messages, and log rate limits. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > System > Syslog. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > System > Syslog. The Syslog configuration window appears. Step 2 In the Syslog configuration window, click the Log Host tab. The Log Host table appears. Device Interface Name Field that appears when the Device ID Type is Interface. This option specifies the interface to be used to uniquely identify syslog messages sent from the ACE. Enter the device interface name to use to uniquely identify syslog messages sent from the ACE. Valid entries are 1 to 64 characters with no spaces. Syslog messages sent to an external server contain the IP address of the interface specified, regardless of which interface that the ACE uses to send the log data to the external server. Logging Device Id Field that appears when the Device ID Type is Any String. This option specifies the text string to use to uniquely identify syslog messages sent from the ACE. Enter a text string that uniquely identifies the syslog messages sent from the ACE. The maximum string length is 64 characters without spaces. Do not use the following characters: & (ampersand), ‘ (single quote), “ (double quote), < (less than), > (greater than), or ? (question mark). Table 6-6 Virtual Context Syslog Configuration Attributes (continued) Field Description Action 6-24 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Context Syslog Settings Step 3 In the Log Host table, click Add to add a new log host, or choose an existing log host, and click Edit to modify it. The New Log Host configuration window appears. Step 4 In the New Log Host configuration window IP Address field, enter the IP address of the host to use as the syslog server. Step 5 In the Protocol field, choose TCP or UDP as the protocol to use. Step 6 In the Protocol Port field, enter the number of the port that the syslog server listens to for syslog messages. Valid entries are from 1 to 65535. The default port for TCP is 1470 and for UDP it is 514. Step 7 Check the Default UDP check box, which appears if TCP is selected in the Protocol field (Step 5), to specify that the ACE is to default to UDP if the TCP transport fails to communicate with the syslog server. Uncheck this check box to prevent the ACE from defaulting to UDP if the TCP transport fails. Step 8 In the Format field, choose one of the following: • N/A if you do not want to use EMBLEM-format logging. • Emblem to enable EMBLEM-format logging for each syslog server. If you use Cisco Resource Manager Essentials (RME) software to collect and process syslog messages on your network, enable EMBLEM-format logging so that RME can handle them. Similarly, UDP needs to be enabled because the Cisco Resource Manager Essentials (RME) syslog analyzer supports only UDP syslog messages. Step 9 Do one of the following: • Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • OK to save your entry. This option appears for configuration building blocks. • Cancel to exit the procedure without saving your entries and to return to the Log Host table. • Next to configure another syslog host. Related Topics • Configuring Virtual Context Syslog Settings, page 6-19 • Configuring Syslog Log Messages, page 6-24 • Configuring Syslog Log Rate Limits, page 6-26 Configuring Syslog Log Messages You can configure syslog log messages. After configuring basic syslog characteristics (see the “Configuring Virtual Context Syslog Settings” section on page 6-19), you can configure the log host, log messages, and log rate limits. Procedure Step 1 Choose the item to configure: 6-25 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Context Syslog Settings • To configure a virtual context, choose Config > Devices > context > System > Syslog. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > System > Syslog. The Syslog configuration window appears. Step 2 In the Syslog configuration window, click the Log Message tab. The Log Message table appears. Step 3 In the Log Message table, click Add to add a new entry to this table, or choose an existing entry, and click Edit to modify it. The Log Message configuration window appears. Step 4 In the Message Id field, choose the system log message ID of the syslog messages that are to be sent to the syslog server or that are not to be sent to the syslog server. Step 5 Check the Enable State check box to enable logging for the specified message ID or uncheck it to disable logging for the specified message ID. If you check the Enable State check box, the Log Level field appears. Step 6 In the Log Level field, choose the desired level of syslog messages to be sent to the syslog server, using the levels identified in Table 6-5. Step 7 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click OK to save your entry. This option appears for configuration building blocks. • Click Cancel to exit the procedure without saving your entries and to return to the Log Message table. • Click Next to deploy your entries and to configure additional syslog message entries for this virtual context. Related Topics • Configuring Virtual Contexts, page 6-8 • Configuring Virtual Context Syslog Settings, page 6-19 • Configuring Syslog Log Hosts, page 6-23 • Configuring Syslog Log Rate Limits, page 6-26 6-26 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Context Syslog Settings Configuring Syslog Log Rate Limits You can configure syslog log rate limits after configuring basic syslog characteristics (see the “Configuring Virtual Context Syslog Settings” section on page 6-19). Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > System > Syslog. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > System > Syslog. The Syslog configuration window appears. Step 2 Click the Log Rate Limit tab. The Log Rate Limit table appears. Step 3 In the Log Rate Limit table, click Add to add a new entry to this table, or choose an existing entry, and click Edit to modify it. The Log Rate Limit configuration window appears. Step 4 In the Type field of the Log Rate Limit configuration window, choose the method by which syslog messages are to be limited: • Level—Syslog messages are limited by syslog level. In the Level field, choose the level of syslog messages to be sent to the syslog server, using the levels identified in Table 6-5. • Message—Syslog messages are limited by message identification number. In the Message Id field, choose the syslog message ID for those messages you want to suppress reporting. Step 5 Check the Unlimited check box to apply no limits to system message logging or uncheck it to apply limits to system message logging. If you uncheck the Unlimited check box, the Rate and Time Interval fields appear. Step 6 (Optional) If you uncheck the Unlimited check box, specify the limits to apply to system message logging as follows: a. In the Rate field, enter the number at which the system log messages are to be limited. When this limit is reached, the ACE rejects new syslog messages. Valid entries are from 0 to 2147483647. b. In the Time Interval (Seconds) field, enter the length of time (in seconds) over which the system message logs are to be limited. For example, if you enter 42 in the Rate field and 60 in the Time Interval field, the ACE rejects any syslog messages that arrive after the first 42 messages in that 60-second period. Valid entries are from 0 to 2147483647 seconds. Step 7 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click OK to save your entry. This option appears for configuration building blocks. • Click Cancel to exit the procedure without saving your entries and to return to the Log Rate Limit table. • Click Next to deploy your entries and to add another entry to the Log Rate Limit table. 6-27 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring SNMP for Virtual Contexts Related Topics • Configuring Virtual Contexts, page 6-8 • Configuring Virtual Context Syslog Settings, page 6-19 • Configuring Syslog Log Hosts, page 6-23 • Configuring Syslog Log Messages, page 6-24 Configuring SNMP for Virtual Contexts This section describes how to configure the SNMP attributes for a virtual context and contains the following topics: • Configuring Basic SNMP Attributes, page 6-27 • Configuring SNMPv2c Communities, page 6-28 • Configuring SNMPv3 Users, page 6-29 • Configuring SNMP Trap Destination Hosts, page 6-32 • Configuring SNMP Notification, page 6-33 Configuring Basic SNMP Attributes You can configure the basic SNMP attributes for use with a virtual context. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > System > SNMP. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > System > SNMP. The SNMP configuration window appears. Step 2 In the SNMP configuration window, configure the basic SNMP attributes using the information in Table 6-7. Table 6-7 SNMP Attributes Field Description Contact Information Contact information for the SNMP server as a text string with a maximum of 240 characters including spaces. In addition to a name, you might want to include a phone number or email address. If spaces are included, add quotation marks at the beginning and end of the entry. Location Physical location of the system as a text string with a maximum of 240 characters including spaces. If spaces are included, add quotation marks at the beginning and end of the entry. Unmask Community Checkbox that allows you to unmask the snmpCommunityName and snmpCommunitySecurityName OIDs of the SNMP-COMMUNITY-MIB. By default, they are masked (check box is unchecked). Check the checkbox to unmask them. 6-28 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring SNMP for Virtual Contexts Step 3 Do one of the following: • For virtual contexts, click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files, or choose another configuration option to exit the procedure without saving your entries. • For configuration building blocks, click OK to save your entries or choose another configuration option to exit the procedure without saving your entries. Step 4 If you chose Deploy Now in Step 3, configure the SNMP device access credentials as described in the “Configuring Device Access Credentials” section on page 5-29. Related Topics • Configuring Virtual Contexts, page 6-8 • Configuring SNMPv2c Communities, page 6-28 • Configuring SNMPv3 Users, page 6-29 • Configuring SNMP Trap Destination Hosts, page 6-32 • Configuring SNMP Notification, page 6-33 Configuring SNMPv2c Communities You can configure SNMP communities for a virtual context or configuration building block after configuring basic SNMP information for a virtual context (see the “Configuring Basic SNMP Attributes” section on page 6-27). Note All SNMP communities in ANM are read-only communities and all communities belong to the group network monitors. Assumption You have configured at least one SNMP contact (see the “Configuring Basic SNMP Attributes” section on page 6-27). Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > System > SNMP. Trap Source Interface VLAN that identifies the interface from which SNMP traps originate. IETF Trap Check box to enable the ACE to send linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863) variable bindings, consisting of ifIndex, ifAdminStatus, and ifOperStatus. Uncheck the check box to not allow the ACE to send linkUp and linkDown traps with the IETF standard IF-MIB (RFC 2863) variable bindings. Instead, the ACE sends Cisco var-binds by default. Table 6-7 SNMP Attributes (continued) Field Description 6-29 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring SNMP for Virtual Contexts • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > System > SNMP. The SNMP configuration window appears. Step 2 In the SNMP configuration window, click the SNMPv2c Configuration tab. The SNMPv2c Configuration table appears. Step 3 From the SNMPv2c Configuration table, configure a read-only community string as follows: • To make “public” the read-only community string, click the associated radio button and click Deploy Now. By default, this radio button is selected. • To create a read-only community string, do the following: a. In the SNMPv2c Configuration table, click Add to add an SNMPv2c read-only community string. The New SNMPv2c Configuration window appears. Note You cannot modify an existing SNMPv2c community string. Instead, delete the existing SNMP v2c community string, and then add a new one. b. In the Read-Only Community field of the New SNMPv2c Configuration window, enter the SNMPv2c read-only community name. Valid entries are unquoted text strings with no spaces and a maximum of 32 characters. c. Do one of the following: – Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. – Click OK to save your entry. This option appears for configuration building blocks. – Click Cancel to exit this procedure without saving your entry and to return to the SNMP v2c Community String table. – Click Next to deploy your entry and to configure another SNMP community string. The window refreshes and you can enter another community string. Related Topics • Configuring Virtual Contexts, page 6-8 • Configuring Basic SNMP Attributes, page 6-27 • Configuring SNMPv3 Users, page 6-29 • Configuring SNMP Trap Destination Hosts, page 6-32 • Configuring SNMP Notification, page 6-33 Configuring SNMPv3 Users You can configure SNMP version 3 users for a virtual context or configuration building block after configuring basic SNMP information for a virtual context (see the “Configuring Basic SNMP Attributes” section on page 6-27). 6-30 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring SNMP for Virtual Contexts Assumption You have configured at least one SNMP contact (see the “Configuring Basic SNMP Attributes” section on page 6-27). Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > System > SNMP. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > System > SNMP. The SNMP configuration window appears. Step 2 In the SNMP configuration window, click the SNMPv3 Configuration tab. The SNMP v3 Configuration table appears. Step 3 In the SNMP v3 Configuration table, click Add to add users, or choose an existing entry in the SNMPv3 Configuration table, and click Edit to modify it. The SNMP v3 Configuration window appears. Step 4 In the SNMP v3 Configuration window, enter SNMP user attributes using the information in Table 6-8. Table 6-8 SNMP User Configuration Attributes Field Description User Name SNMP username. Valid entries are unquoted text strings with no spaces and a maximum of 24 characters. Authentication Algorithm Authentication algorithm to be used for this user: • N/A—No authentication algorithm is used. • Message Digest 5 (MD5)—Message Digest 5 is used as the authentication mechanism. • Secure Hash Algorithm (SHA)—Secure Hash Algorithm is used as the authentication mechanism. Authentication Password Field that appears if you choose an authentication algorithm. Enter the authentication password for this user. Valid entries are unquoted text strings with no spaces. This password can have a minimum of 8 characters. If use of a localized key is disabled or N/A, you can enter a maximum of 64 characters. If use of a localized key is enabled, you can enter a maximum of 130 characters. The ACE automatically updates the password for the CLI user with the SNMP authentication password. Confirm Field that appears if you choose an authentication algorithm. Reenter the authentication password. Localized Field that appears if you choose an authentication algorithm. Specify whether or not the password is in localized key format for security encryption: • N/A—This option is not configured. • False—The password is not in localized key format for encryption. • True—The password is in localized key format for encryption. 6-31 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring SNMP for Virtual Contexts Step 5 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click OK to save your entries. This option appears for configuration building blocks. • Click Cancel to exit this procedure without saving your entries and to return to the SNMP v3 Configuration table. • Click Next to deploy your entries and to add another entry to the SNMP v3 Configuration table. The window refreshes and you can enter another SNMP v3 user. Related Topics • Configuring Virtual Contexts, page 6-8 • Configuring Basic SNMP Attributes, page 6-27 • Configuring SNMPv2c Communities, page 6-28 • Configuring SNMP Trap Destination Hosts, page 6-32 • Configuring SNMP Notification, page 6-33 Privacy Field that appears if you choose an authentication algorithm. Specify whether or not encryption attributes are to be configured for this user: • N/A—This option is not configured. • False—Encryption parameters are not to be configured for this user. • True—Encryption parameters are to be configured for this user. AES 128 Field that appears if you set Privacy to True. Indicate whether the 128-byte Advanced Encryption standard (AES) algorithm is to be used for privacy. AES is a symmetric cipher algorithm and is one of the privacy protocols for SNMP message encryption. Choices are as follows: • N/A—This option is not configured. • False—AES 128 is not used for privacy. • True—AES 128 is used for privacy. Privacy Password Field that appears if you set Privacy to True. Enter the user encryption password. This password can have a minimum of 8 characters. If the passphrases are specified in clear text, you can enter a maximum of 64 characters. If use of a localized key is enabled, you can enter a maximum of 130 characters. Spaces are not allowed. Confirm Field that appears if you set Privacy to True. Reenter the privacy password. Table 6-8 SNMP User Configuration Attributes (continued) Field Description 6-32 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring SNMP for Virtual Contexts Configuring SNMP Trap Destination Hosts You can configure SNMP trap destination hosts for a virtual context after configuring basic SNMP information for a virtual context (see the “Configuring Basic SNMP Attributes” section on page 6-27). To receive SNMP notifications you must configure the following attributes: • At least one SNMP trap destination host. • At least one type of notification (see the “Configuring SNMP Notification” section on page 6-33). Assumption You have configured at least one SNMP contact (see the “Configuring Basic SNMP Attributes” section on page 6-27). Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > System > SNMP. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > System > SNMP. The SNMP configuration window appears. Step 2 In the SNMP configuration window, click the Trap Destination Host tab. The Trap Destination Host table appears. Step 3 In the Trap Destination Host table, click Add to add a host, or choose an existing entry in the table, and Edit to modify it. The Trap Destination Host configuration window appears. Step 4 In the IP Address field of the Trap Destination Host configuration window, enter the IP address of the server that is to receive SNMP notifications. Enter the address in dotted-decimal format, such as 192.168.11.1. Step 5 In the Port field, enter the port to use. The default port is 162. Step 6 In the Version field, choose the version of SNMP used to send traps: • V1—SNMPv1 is used to send traps. This option is not available for use with SNMP inform requests. • V2c—SNMPv2c is used to send traps. • V3—SNMPv3 is used to send traps. This version is the most secure model because it allows packet encryption. Step 7 In the Community field, enter the SNMP community string or username to be sent with the notification operation. Valid entries are unquoted text strings with no spaces and a maximum of 32 characters. Step 8 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click OK to save your entries. This option appears for configuration building blocks. 6-33 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring SNMP for Virtual Contexts • Click Cancel to exit this procedure without saving your entries and to return to the Trap Destination Host table. • Click Next to deploy your entries and to add another entry to the Trap Destination Host table. The window refreshes and you can add another trap destination host. Related Topics • Configuring Virtual Contexts, page 6-8 • Configuring Basic SNMP Attributes, page 6-27 • Configuring SNMPv2c Communities, page 6-28 • Configuring SNMPv3 Users, page 6-29 • Configuring SNMP Notification, page 6-33 Configuring SNMP Notification You can configure SNMP notification for a virtual context after configuring basic SNMP information for a virtual context (see the “Configuring Basic SNMP Attributes” section on page 6-27). To receive SNMP notifications you must configure the following attributes: • At least one SNMP trap destination host (see the “Configuring SNMP Trap Destination Hosts” section on page 6-32). • At least one type of notification. Assumptions • You have configured at least one SNMP contact (see the “Configuring Basic SNMP Attributes” section on page 6-27). • At least one SNMP server host has been configured (see the “Configuring SNMP Trap Destination Hosts” section on page 6-32). Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > System > SNMP. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > System > SNMP. The SNMP configuration window appears. Step 2 In the SNMP configuration window, click the SNMP Notification tab. The SNMP Notification table appears. Step 3 In the SNMP Notification table, click Add to add a new entry, or choose an existing entry in the table, and click Edit to modify it. The SNMP Notification configuration window appears. 6-34 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring SNMP for Virtual Contexts Step 4 In the Options field of the SNMP Notification configuration window, choose the type of notifications to be sent to the SNMP host. Some options are available only in the Admin context. Note When configuring SNMP notification for ACE appliances, we recommend that you choose the more specific options. For example, choose Slb real or Slb vserver instead of Slb to ensure that the correct commands are issued on the ACE appliance. Choices are as follows: • License—SNMP license notifications are to be sent. This option is available only in the Admin context. • SLB—Server load-balancing notifications are to be sent. • SLB Real Server—Notifications of real server state changes are to sent. • SLB Virtual Server—Notifications of virtual server state changes are to be sent. • SNMP—SNMP notifications are to be sent. • SNMP Authentication—Notifications of incorrect community strings in SNMP requests are to be sent. • SNMP Cold-Start—SNMP agent restart notifications are to be sent after a cold restart (full power cycle) of the ACE. This option is available only in the Admin context. • SNMP Link-Down—Notifications are to be sent when a VLAN interface is down. • SNMP Link-Up—Notifications are to be sent when a VLAN interface is up. • Syslog—Error message notifications (Cisco Syslog MIB) are to be sent. • Virtual Context—Virtual context notifications are to be sent. Step 5 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click OK to save your entries. This option appears for configuration building blocks. • Click Cancel to exit this procedure without saving your selection and to return to the SNMP Notification table. • Click Next to deploy your entries and to add another entry to the SNMP Notification table. The window refreshes and you can choose another SNMP notification option. Related Topics • Configuring Virtual Contexts, page 6-8 • Configuring Basic SNMP Attributes, page 6-27 • Configuring SNMPv2c Communities, page 6-28 • Configuring SNMPv3 Users, page 6-29 • Configuring SNMP Trap Destination Hosts, page 6-32 6-35 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Applying a Policy Map Globally to All VLAN Interfaces Applying a Policy Map Globally to All VLAN Interfaces You can apply a policy map globally to all VLAN interfaces in a selected context or configuration building block. To apply a policy map to a specific context VLAN interface only, see the Input Policies attribute in the “Configuring Virtual Context VLAN Interfaces” section on page 12-6. Note You cannot modify a policy map that is currently applied to an interface. To modify an applied policy map, you must first remove (delete) it from the interface, make the required modifications, and then apply it to the interface again. Assumption A Layer 3/Layer 4 or Management policy map has been configured for the selected context or building block. For more information, see the “Configuring Virtual Context Policy Maps” section on page 14-32. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > System > Global Policies. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > System > Global Policies. The Global Policies table appears. Step 2 In the Global Policies table, click Add to add a new global policy. The New Global Policy window appears. Step 3 In the Policy Map field of the New Global Policy window, choose an existing policy map that you want to apply to all VLANs in this context. Note The Direction field displays the value “input” and cannot be modified. Step 4 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click OK to save your entries. This option appears for configuration building blocks. • Click Cancel to exit the procedure without saving your entries and to return to the Global Policies table. • Click Next to deploy your entries and to configure another global policy. Related Topics • Information About Virtual Contexts, page 6-2 • Configuring Virtual Context Primary Attributes, page 6-14 • Configuring Virtual Context VLAN Interfaces, page 12-6 6-36 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing ACE Licenses • Configuring Virtual Context Syslog Settings, page 6-19 • Configuring Traffic Policies, page 14-1 Managing ACE Licenses Note This functionality is available for only Admin contexts. Cisco offers licenses for ACE modules and appliances that allow you to increase the number of default contexts, bandwidth, and SSL transactions per second (TPS). For more information about these licenses, see the Cisco Application Control Engine documentation on Cisco.com. If you install ACE licenses to increase the number of virtual contexts that you can create and manage on a device, you need to ensure that the installed ANM licenses support the increased number of virtual contexts. For example, if you install an upgrade ACE device license that allows you to create and manage 20 virtual contexts on the device, you must purchase and install the appropriate ANM license before you can manage the additional contexts using ANM. For more information about using and managing ANM licenses, see the “Using ANM License Manager to Manage ANM Server or Demo Licenses” section on page 18-54. You can view, install, remove, or update ACE device licenses using ANM. This section includes the following topics: • Viewing ACE Licenses, page 6-36 • Installing ACE Licenses, page 6-37 • Uninstalling ACE Licenses, page 6-39 • Updating ACE Licenses, page 6-40 • Displaying the File Contents of a License, page 6-42 Viewing ACE Licenses Note This functionality is available for only Admin contexts. You can view the licenses that are currently installed on an ACE. Procedure Step 1 Choose Config > Devices. The device tree appears. Step 2 In the device tree, choose the Admin context with the ACE licenses that you want to view, and click System > Licenses. The following license tables appear: • License Status Table—Provides a summary of the license status for the ACE, including: – SSL transactions per second 6-37 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing ACE Licenses – Number of supported virtual contexts – ACE bandwidth in gigabits per second For ACE appliances (all versions) and ACE module version A4(1.0) and later, it also displays the following: – Compression performance in megabits or gigabits per second – Web optimization in the number of connections per second • Installed License Files Table—Lists all installed licenses with their filenames, vendors, and expiration dates. Related Topics • Managing ACE Licenses, page 6-36 • Installing ACE Licenses, page 6-37 • Uninstalling ACE Licenses, page 6-39 • Updating ACE Licenses, page 6-40 • Displaying the File Contents of a License, page 6-42 Installing ACE Licenses Note This functionality is available for only Admin contexts. You can install an ACE license on the device after you copy the license from a remote network server to the disk0: file system in Flash memory on the ACE. You can use the ANM to perform both processes from a single dialog box. If you previously copied the license to disk0: on the ACE by using the copy disk0: CLI command, you can use this dialog box to install the new license or upgrade license on your ACE. Assumption This topic assumes the following: • You have received the proper software license key for the ACE. • ACE licenses are available on a remote server for importing to the ACE, or you have received the software license key and have copied the license file to the disk0: filesystem on the ACE using the copy disk0: CLI command. See either the Cisco Application Control Engine Module Administration Guide or Cisco 4700 Series Application Control Engine Appliance Administration Guide for details. Procedure Step 1 Choose Config > Devices. The device tree appears. Step 2 In the device tree, choose the Admin context that you want to import and install a license for, and click System > Licenses. The following license tables appear: 6-38 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing ACE Licenses • License Status Table—Provides a summary of the license status for the ACE, including: – SSL transactions per second – Number of supported virtual contexts – ACE bandwidth in gigabits per second For ACE appliances (all versions) and ACE module version A4(1.0) and later, it also displays the following: – Compression performance in megabits or gigabits per second – Web optimization in the number of connections per second • Installed License Files Table—Lists all installed licenses with their filenames, vendors, and expiration dates. Step 3 Click Install. The Install an ACE License dialog box appears. Step 4 (Optional) If the license currently exists on the ACE disk0: file system in Flash memory, do the following: a. In the Select an Option to Locate a License File section of the dialog box, click the Select a license file on the ACE option. b. In the Select a License File on the Device (disk0) section of the dialog box, from the drop-down list, choose the name of the license file. c. Go to Step 10. Step 5 (Optional) If the license must be copied to the disk0: file system in Flash memory, in the Select an Option to Locate a License File section of the dialog box, click the Import a license file from remote system option. Go to Step 6. Step 6 In the Protocol To Connect To Remote System field, choose the protocol to be used to import the license file from the remote server to the ACE as follows: • If you choose FTP, the User Name and Password fields appear. Go to Step 7. • If you choose SFTP, the User Name and Password fields appear. Go to Step 7. • If you choose TFTP, go to Step 8. Step 7 (Optional) If you choose FTP or SFTP, do the following: a. In the User Name field, enter the username of the account on the network server. b. In the Password field, enter the password for the user account. Step 8 In the Remote System IP Address field, enter the host IP address of the remote server. For example, your entry might be 192.168.11.2. Step 9 In the License Path In Remote System field, enter the host path and filename of the license file on the remote server in the format /path/filename where: • path represents the directory path of the license file on the remote server. • filename represents the filename of the license file on the remote server. For example, your entry might resemble /usr/bin/ACE-VIRT-020.lic. Step 10 Do one of the following: • Click Install to accept your entries and to install the license file. 6-39 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing ACE Licenses • Click Cancel to exit this procedure without installing the license file and to return to the Licenses table. Step 11 (Optional) After installing an ACE license, we recommend that you manually synchronize the ACE Admin context with the CLI to ensure that ANM accurately displays the monitored resource usage information (Monitor > Devices > ACE > Resource Usage > Connections). For information about synchronizing the Admin context, see the “Synchronizing Virtual Context Configurations” section on page 6-105. Related Topics • Managing ACE Licenses, page 6-36 • Viewing ACE Licenses, page 6-36 • Uninstalling ACE Licenses, page 6-39 • Updating ACE Licenses, page 6-40 • Displaying the File Contents of a License, page 6-42 Uninstalling ACE Licenses Note This functionality is available for Admin contexts only. You can remove ACE licenses. Caution Removing licenses can affect the ACE bandwidth or performance. For detailed information on the effect of license removal on the ACE, see the Cisco Application Control Engine documentation on Cisco.com. Procedure Step 1 Choose Config > Devices. The device tree appears. Step 2 In the device tree, choose the Admin context with the license that you want to remove, and click System > Licenses. Step 3 In the Installed License Files table, choose the license to be removed. Step 4 Click Uninstall. A dialog box appears, asking you to confirm the license removal process. Note Before continuing, confirm that you have selected the correct license to be removed. When you click OK in the confirmation window, you cannot stop the removal process. Note Removing licenses can affect the number of contexts, ACE bandwidth, or SSL TPS (transactions per second). Be sure you understand the effect on your environment before removing the license. 6-40 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing ACE Licenses Step 5 Click OK to confirm the removal or Cancel to stop the removal process. If you click OK, a status window appears with the status of license removal. When the license has been removed, the License table refreshes without the deleted license. Step 6 (Optional) After uninstalling an ACE license, we recommend that you manually synchronize the ACE Admin context with the CLI to ensure that ANM accurately displays the monitored resource usage information (Monitor > Devices > ACE > Resource Usage > Connections). For information about synchronizing the Admin context, see the “Synchronizing Virtual Context Configurations” section on page 6-105. Related Topics • Managing ACE Licenses, page 6-36 • Installing ACE Licenses, page 6-37 • Viewing ACE Licenses, page 6-36 • Updating ACE Licenses, page 6-40 • Displaying the File Contents of a License, page 6-42 Updating ACE Licenses Note This functionality is available for Admin contexts only. You can convert demonstration licenses to permanent licenses and to upgrade permanent licenses to increase the number of virtual contexts. Assumption This topic assumes the following: • You have received the updated software license key for the ACE. • ACE licenses are available on a remote server for importing to the ACE, or you have received the updated software license key and have copied the license file to the disk0: filesystem on the ACE using the copy disk0: CLI command. See either the Cisco Application Control Engine Module Administration Guide or Cisco 4700 Series Application Control Engine Appliance Administration Guide for details. Procedure Step 1 Choose Config > Devices. The device tree appears. Step 2 In the device tree, choose the Admin context with the license that you want to update, and click System > Licenses. The following license tables appear: • License Status Table—Provides a summary of the license status for the ACE, including: – SSL transactions per second 6-41 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing ACE Licenses – Number of supported virtual contexts – ACE bandwidth in gigabits per second For ACE appliances (all versions) and ACE module version A4(1.0) and later, it also displays the following: – Compression performance in megabits or gigabits per second – Web optimization in the number of connections per second • Installed License Files Table—Lists all installed licenses with their filenames, vendors, and expiration dates. Step 3 Choose the license to be updated, and click Update. The Update License dialog box appears. Step 4 (Optional) If the update license currently exists on the ACE disk0: file system in Flash memory, do the following: a. In the Select an Option to Locate a License File section of the dialog box, click the Select a license file on the ACE option. b. In the Select a License File on the Device (disk0) section of the dialog box, choose the name of the update license file from the drop-down list. c. Go to Step 10. Step 5 (Optional) If the update license must be copied to the disk0: file system in Flash memory, in the Select an Option to Locate a License File section of the dialog box, click the Import a license file from remote system option. Go to Step 6. Step 6 In the Protocol To Connect To Remote System field, choose the protocol to be used to import the update license file from the remote server to the ACE as follows: • If you choose FTP, the User Name and Password fields appear. Go to Step 7. • If you choose SFTP, the User Name and Password fields appear. Go to Step 7. • If you choose TFTP, go to Step 8. Step 7 (Optional) If you choose FTP or SFTP, do the following: a. In the User Name field, enter the username of the account on the network server. b. In the Password field, enter the password for the user account. Step 8 In the Remote System IP Address field, enter the host IP address of the remote server. For example, your entry might be 192.168.11.2. Step 9 In the Licence Path In Remote System field, enter the host path and filename of the license file on the remote server in the format /path/filename where: • path represents the directory path of the license file on the remote server. • filename represents the filename of the license file on the remote server. For example, your entry might be /usr/bin/ACE-VIRT-020.lic. Step 10 Do one of the following: • Click Update to update the license and to return to the License table. The License table displays the updated information. • Click Cancel to exit this procedure without updating the license and to return to the License table. 6-42 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing ACE Licenses Step 11 (Optional) After updating an ACE license, recommend that you manually synchronize the ACE Admin context with the CLI to ensure that ANM accurately displays the monitored resource usage information (Monitor > Devices > ACE > Resource Usage > Connections). For information about synchronizing the Admin context, see the “Synchronizing Virtual Context Configurations” section on page 6-105. Related Topics • Managing ACE Licenses, page 6-36 • Installing ACE Licenses, page 6-37 • Viewing ACE Licenses, page 6-36 • Uninstalling ACE Licenses, page 6-39 • Displaying the File Contents of a License, page 6-42 Displaying the File Contents of a License Note This functionality is available for only Admin contexts. You can display file content information about ACE licenses. Procedure Step 1 Choose Config > Devices. The device tree appears. Step 2 Choose the Admin context with the license information that you want to view, and choose System > Licenses. The following two license tables appear: • License Status Table—Provides a summary of the license status for the ACE, including the supported features and capabilities. • Installed License Files Table—Lists all installed licenses with their filenames, vendors, and expiration dates. Step 3 Choose the installed license file with the information that you want to display, and click View. ANM displays the output of the show license file CLI command. For example: SERVER this_host ANY VENDOR cisco INCREMENT ACE-AP-C-2000-LIC cisco 1.0 permanent 1 \ NOTICE="lic.conf0 \ dummyPak" SIGN=BBBDC344EAE8 Step 4 Click Close when you finish viewing the license file information. 6-43 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using Resource Classes Related Topics • Managing ACE Licenses, page 6-36 • Installing ACE Licenses, page 6-37 • Viewing ACE Licenses, page 6-36 • Uninstalling ACE Licenses, page 6-39 Using Resource Classes Resource classes are the means by which you manage virtual context access to ACE resources, such as concurrent connections or bandwidth rate. ACE devices are preconfigured with a default resource class that is applied to the Admin context and any user context upon creation. The default resource class is configured to allow a context to operate within a range that can vary from no resource access (0%) to complete resource access (100%). When you use the default resource class with multiple contexts, you run the risk of oversubscribing ACE resources. This means that the ACE permits all contexts to have full access to all resources on a first-come, first-served basis. When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource. To avoid oversubscribing resources and to help guarantee access to a resource by any context, you can create customized resource classes that you associate with one or more contexts. A context becomes a member of the resource class when you make the association. Creating a resource class allows you to set limits on the minimum and maximum amounts of each ACE resource that a member context is entitled to use. You define the minimum and maximum values as a percentage of the whole. For example, you can create a resource class that allows its member contexts access to no less that 25% of the total number of SSL connections that the ACE supports. You can limit and manage the allocation of the following ACE resources: • ACL memory • Buffers for syslog messages and TCP out-of-order (OOO) segments • Concurrent connections (through-the-ACE traffic) • Management connections (to-the-ACE traffic) • Proxy connections • Set resource limit as a rate (number per second) • Regular expression (regexp) memory • SSL connections • Sticky entries • Static or dynamic network address translations (Xlates) When you discover ACE devices, the ANM detects the resource class information and imports it with other device information. If an ACE is not configured for a resource class, it inherits the resource class configuration of the virtual context it is associated with. If an ACE does have a resource class configuration but it differs from one configured in the ANM, the discrepancy is logged as an anomaly but otherwise has no impact on the import process or the ACE. Table 6-9 on page 6-45 identifies and defines the resources that you can establish for resource classes. Related Topics • Global and Local Resource Classes, page 6-44 6-44 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using Resource Classes • Resource Allocation Constraints, page 6-44 • Using Global Resource Classes, page 6-46 • Displaying Local Resource Class Use on Virtual Contexts, page 6-54 Global and Local Resource Classes ANM provides two levels of resource classes for ACE devices that operate independently of each other: • Local or device-specific resource classes • Global resource classes Local resource classes are initially imported from the ACE during the import process and appear in the ANM interface in the Admin virtual context where they can be managed, modified, or deleted by an Admin user. An Admin user can also create new, local resources classes by using ANM. Choose Config > Devices > Admin_context > System > Resource Classes to add, view, or modify local resource classes. Global resource classes are managed separately from local resource classes and require manual deployment to a specific ACE using the Admin virtual context before they take effect. If you deploy a global resource class to an ACE that does not have a resource class with the same name, ANM creates a new local resource class with the same name and properties as the global resource class. If you deploy a global resource class to an ACE that already has a resource class with the same name, ANM replaces the properties of the local resource class with the properties from the global resource class. Choose Config > Global > All Resource Classes to add, view, modify, audit, or delete global resource classes. Related Topics • Using Resource Classes, page 6-43 • Resource Allocation Constraints, page 6-44 • Using Global Resource Classes, page 6-46 • Using Local Resource Classes, page 6-51 • Auditing Resource Classes, page 6-49 Resource Allocation Constraints The following resources are critical for maintaining connectivity to the Admin context: • Rate Bandwidth • Rate Management Traffic • Rate SSL Connections • Rate Connections • Management Connections • Concurrent Connections Caution If you allocate 100 percent of these resources to a resource class and then apply the resource class to virtual contexts, connectivity to the Admin context can be lost. 6-45 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using Resource Classes We recommend that you create a resource class specifically for the Admin context and apply it to the context so that you can maintain IP connectivity. Table 6-9 Resource Class Attributes Resource Definition Default Default percentage used for any resource parameter not explicitly set. Acceleration Connections Option that is available ACE appliances only. Percentage of application acceleration connections. ACL Memory Percentage of memory allocated for ACLs. Concurrent Connections Percentage of simultaneous connections. Note If you consume all Concurrent Connections by allocating 100 percent to virtual contexts, IP connectivity to the Admin context can be lost. HTTP Compression Percentage of compression for HTTP data. Note This option appears for ACE appliances (all versions) and ACE module version A4(1.0) and later only. Management Connections Percentage of management connections. Note If you consume all Management Connections by allocating 100 percent to virtual contexts, IP connectivity to the Admin context can be lost. Proxy Connections Percentage of proxy connections. Regular Expression Percentage of regular expression memory. Sticky Percentage of entries in the sticky table. Note (Pre ACE version A4(1.0) module or appliance only) You must configure a minimum value for sticky to allocate resources for sticky entries; the sticky software receives no resources under the unlimited setting. Xlates Percentage of network and port address translations entries. Buffer Syslog Percentage of the syslog buffer. Rate Inspect Connection Percentage of application protocol inspection connections. Rate Bandwidth Percentage of context throughput. This attribute limits the total ACE throughput in bytes per second for one or more contexts. Note If you consume all Rate Bandwidth by allocating 100 percent to virtual contexts, IP connectivity to the Admin context can be lost. The maximum bandwidth rate per context is determined by your ACE bandwidth license. Rate Connections Percentage of connections of any kind. Note If you consume all Rate Connections by allocating 100 percent to virtual contexts, IP connectivity to the Admin context can be lost. Rate Management Traffic Percentage of management traffic connections. Note If you consume all Rate Management Traffic by allocating 100 percent to virtual contexts, IP connectivity to the Admin context can be lost. 6-46 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using Global Resource Classes Related Topics • Using Global Resource Classes, page 6-46 • Configuring Global Resource Classes, page 6-46 • Configuring Local Resource Classes, page 6-52 • Auditing Resource Classes, page 6-49 • Deploying Global Resource Classes, page 6-48 Using Global Resource Classes Resource classes are used when provisioning services, establishing virtual contexts, managing devices, and monitoring virtual context resource consumption. Defining a new global resource class does not automatically update all configurations. A global resource class is applied only when the resource class is deployed to a specific Admin virtual context on an ACE. This section includes the following topics: • Configuring Global Resource Classes, page 6-46 • Deploying Global Resource Classes, page 6-48 • Auditing Resource Classes, page 6-49 • Modifying Global Resource Classes, page 6-50 • Deleting Global Resource Classes, page 6-51 Configuring Global Resource Classes You can create a new global resource class and optionally deploy it on an ACE by using the Admin virtual context. Caution If you allocate 100 percent of these resources to a resource class and then apply the resource class to virtual contexts, connectivity to the Admin context can be lost. For more information, see the “Resource Allocation Constraints” section on page 6-44. Rate SSL Connections Percentage of SSL connections. Note If you consume all Rate SSL Connections by allocating 100percent to virtual contexts, IP connectivity to the Admin context can be lost. Rate Syslog Percentage of syslog messages per second. Rate MAC Miss Percentage of messages destined for the ACE that are sent to the control plane when the encapsulation is not correct in packets. Table 6-9 Resource Class Attributes (continued) Resource Definition 6-47 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using Global Resource Classes Procedure Step 1 Choose Config > Global > All Resource Classes. The Resource Classes table appears. Step 2 In the Resource Classes table, click Add to create a new resource class. The New Resource Class configuration window appears. Step 3 In the Name field of the New Resource Class configuration window, enter a unique name for this resource class. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. Step 4 In the Description field, enter a brief description for this resource class. Valid entries are unquoted text strings with a maximum of 240 alphanumeric characters. Step 5 To use the same values for each resource, in the All row, enter the following information (see Table 6-9 for a description of the resources): a. In the Min. field, enter the minimum percentage of each resource that you want to allocate to this resource class. Valid entries are numbers from 0 to 100 including those numbers with decimals. b. In the Max. field, choose the maximum percentage of each resource that you want to allocate to this resource class as follows: – Equal To Min—The maximum percentage allocated for each resource is equal to the minimum specified in the Min. field. – Unlimited—There is no upper limit on the percentage of each resource that can be allocated for this resource class. Step 6 To use different values for the resources, for each resource, choose the method for allocating resources: • Choose Default to use the values specified in Step 5. • Choose Min to enter a specific minimum value for the resource. Step 7 If you chose Min, do the following: a. In the Min. field, enter the minimum percentage of this resource you want to allocate to this resource class. For example, for ACL memory, enter 10 in the Min. field to indicate that you want to allocate a minimum of 10 percent of the available ACL memory to this resource class. b. In the Max. field, choose the maximum percentage of the resource that you want to allocate to this resource class: – Equal To Min—The maximum percentage allocated for this resource is equal to the minimum specified in the Min. field. – Unlimited—There is no upper limit on the percentage of the resource that can be allocated for this resource class. Step 8 To deploy the resource class to an Admin context, do the following: a. Click Admin VCs To Deploy To to expand the configuration subset. b. In the Available Items list, choose the desired Admin context, and click Add. The items appear in the Selected Items list. In the Selected Items list, choose a context to remove and click Remove. The items appear in the Available Items list. Step 9 Do one of the following: • Click OK to save your entries and to return to the Resource Classes table. 6-48 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using Global Resource Classes • Click Cancel to exit this procedure without saving your entries and to return to the Resource Classes table. Related Topics • Using Resource Classes, page 6-43 • Modifying Global Resource Classes, page 6-50 • Deleting Global Resource Classes, page 6-51 • Auditing Resource Classes, page 6-49 Deploying Global Resource Classes You can apply a global resource class to Admin contexts on selected ACE devices. If you deploy a global resource class to an ACE that already has a resource class with the same name, ANM replaces the properties of the local resource class with the properties from the global resource class. If you deploy a global resource class to an ACE that does not have a resource class with the same name, ANM creates a new local resource class with the same name and properties as the global resource class. Assumptions This topic assumes the following: • At least one global resource class exists. • At least one ACE has been imported into the ANM. Procedure Step 1 Choose Config > Global > All Resource Classes. The Resource Classes table appears. Step 2 In the Resource Classes table, choose the global resource class that you want to apply to an ACE, and click Edit. The Edit Resource Class configuration window appears. Step 3 In the Available Items list of the Edit Resource Class configuration window, choose the context that you want to apply this global resource class to, and click Add. The item appears in the Selected Items list. To remove contexts, choose them in the Selected Items list, and click Remove. The items appear in the Available Items list. Step 4 Do one of the following: • Click OK to save your entries and to return to the Resource Classes table. The context is updated with the resource class configuration. • Click Cancel to exit this procedure without saving your entries and to return to the Resource Classes table. 6-49 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using Global Resource Classes Related Topics • Using Resource Classes, page 6-43 • Modifying Global Resource Classes, page 6-50 • Using Local Resource Classes, page 6-51 • Configuring Local Resource Classes, page 6-52 Auditing Resource Classes You can display any discrepancies that exist between the global resource class and the local resource class on the context after you apply a global resource class to an Admin context. Discrepancies occur when either global or context resource class attributes are modified independently of one another after the global resource class has been applied. Procedure Step 1 Choose Config > Global > All Resource Classes. The Resource Classes table appears. Step 2 In the Resource Classes table, choose the resource class that you want to audit, and click Audit. ANM identifies the differences between the selected resource class and the Admin contexts being managed by ANM and displays the results in the Audit Differences table in a separate window. The table uses the following conventions: • If the selected resource class has not been applied to an Admin context, the Admin context is listed with the comment “Resource class not defined.” • If the selected resource class has been applied to an Admin context, but there are no differences between the global and local resource classes, the context does not appear in the table. • If the selected resource class has been applied to an Admin context and there are differences between the global and local resource classes, the context appears in the table with the following information: – The resource attribute that has different values in the global and local resource classes. – The settings for the resource attribute in the local resource class. – The settings for the resource attribute in the global resource class. The values displayed use the format min - max where min represents the minimum percentage configured for this attribute and max represents the maximum percentage configured for this attribute, such as 8% - 8% or 5% - 100%. Step 3 Do one of the following: • Click Close to close this window and return to the Resource Classes table. • Click Refresh to update the information in the Audit Differences table. Related Topics • Using Global Resource Classes, page 6-46 • Using Local Resource Classes, page 6-51 • Configuring Global Resource Classes, page 6-46 6-50 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using Global Resource Classes • Configuring Local Resource Classes, page 6-52 Modifying Global Resource Classes You can modify an existing global resource class. The changes are not applied to virtual contexts previously associated with the resource class. ANM only applies updated resource class properties to virtual contexts that are associated with the resource class going forward. Caution If you allocate 100 percent of these resources to a resource class and then apply the resource class to virtual contexts, connectivity to the Admin context can be lost. For more information, see the “Resource Allocation Constraints” section on page 6-44. Procedure Step 1 Choose Config > Global > All Resource Classes. The Resource Classes table appears. Step 2 Choose the resource class that you want to modify, and click Edit. The Edit Resource Class configuration window appears. Step 3 In the Edit Resource Class configuration window, modify the values as desired. For details on setting values, see the “Configuring Global Resource Classes” section on page 6-46. For descriptions of the resources, see Table 6-9. Step 4 To deploy the modified resource class to an Admin context, do the following: a. Click Admin VCs To Deploy To to expand the configuration subset. b. Choose the desired context in the Available Items list, and click Add. The item appears in the Selected Items list. Note ANM only applies the updated resource class to contexts that you choose and add to the Selected Items list. It does not apply the modified resource class to contexts previously associated with the resource class. Step 5 Do one of the following: • Click OK to save your entries, apply them to the selected contexts, and return to the Resource Classes table. • Click Cancel to exit this procedure without saving your entries and to return to the Resource Classes table. Related Topics • Using Resource Classes, page 6-43 • Using Global Resource Classes, page 6-46 • Modifying Global Resource Classes, page 6-50 • Auditing Resource Classes, page 6-49 6-51 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using Local Resource Classes • Deleting Global Resource Classes, page 6-51 Deleting Global Resource Classes You can remove global resource classes from the ANM database. Because global resource classes are managed separately from local resource classes, deleting a global resource class does not affect local resource classes deployed on individual contexts. Procedure Step 1 Choose Config > Global > All Resource Classes. The Resource Classes table appears. Step 2 In the Resource Classes table, choose the resource class that you want to remove, and click Delete. A confirmation popup window appears, asking you to confirm the deletion. Step 3 Click OK to delete the resource class or Cancel to retain the resource class. The Resource Classes table refreshes with the updated information. Related Topics • Using Resource Classes, page 6-43 • Using Global Resource Classes, page 6-46 • Modifying Global Resource Classes, page 6-50 • Auditing Resource Classes, page 6-49 Using Local Resource Classes You can create local resource classes in ANM as follows: • During the import process, from any ACE with a previously configured resource class. These resource classes appear in the ANM in the Admin virtual context associated with the imported ACE. • By an Admin user in ANM using the local Resource Class configuration option (Config > Devices > Admin_context > System > Resource Classes). • By creating a global resource class (Config > Global > All Resource Classes) and applying it to an Admin context. Note Local resource class configuration options are available in Admin contexts only. This section includes the following topics: • Configuring Local Resource Classes, page 6-52 • Deleting Local Resource Classes, page 6-53 • Displaying Local Resource Class Use on Virtual Contexts, page 6-54 6-52 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using Local Resource Classes Configuring Local Resource Classes Note This functionality is available in Admin contexts only. You can create or modify a local resource class for use within the selected Admin context. Procedure Step 1 Choose Config > Devices > Admin_context > System > Resource Classes. The Resource Classes table appears. Step 2 In the Resource Classes table, click Add to create a new local resource class or choose an existing resource class, and click Edit to modify it. The Resource Class configuration window appears. Step 3 In the Name field of the Resource Class configuration window, enter a unique name for this resource class. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. Step 4 To use the same values for each resource, in the All row, enter the following information (see Table 6-9 for a description of the resources): a. In the Min. field, enter the minimum percentage of each resource that you want to allocate to this resource class. Valid entries are numbers from 0 to 100 including those numbers with decimals. b. In the Max. field, choose the maximum percentage of each resource that you want to allocate to this resource class: – Equal To Min—The maximum percentage allocated for each resource is equal to the minimum specified in the Min. field. – Unlimited—There is no upper limit on the percentage of each resource that can be allocated for this resource class. Step 5 To use different values for the resources, for each resource, choose one of the following methods for allocating resources: • Choose Default to use the values specified in Step 5. • Choose Min to enter a specific minimum value for the resource. Step 6 (Optional) If you chose Min, do the following: a. In the Min. field, enter the minimum percentage of this resource you want to allocate to this resource class. For example, for ACL memory, enter 10 in the Min. field to indicate that you want to allocate a minimum of 10 percent of the available ACL memory to this resource class. b. In the Max. field, choose the maximum percentage of the resource that you want to allocate to this resource class: – Equal To Min—The maximum percentage allocated for this resource is equal to the minimum specified in the Min. field. – Unlimited—There is no upper limit on the percentage of the resource that can be allocated for this resource class. 6-53 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using Local Resource Classes Step 7 When you finish allocating resources for this resource class, do one of the following: • Click OK to save your entries and to return to the Resource Classes table. The resource class can now be applied to other virtual contexts on the same ACE. • Click Cancel to exit this procedure without saving your entries and to return to the Resource Classes table. Related Topics • Using Resource Classes, page 6-43 • Using Local Resource Classes, page 6-51 • Displaying Local Resource Class Use on Virtual Contexts, page 6-54 • Deleting Local Resource Classes, page 6-53 Deleting Local Resource Classes You can delete a local resource class. Because of the possible impact on virtual contexts of deleting a local resource class, you cannot delete a resource class that is associated with a virtual context. To display a resource class’s current deployment, see the “Displaying Local Resource Class Use on Virtual Contexts” section on page 6-54. Procedure Step 1 Choose Config > Devices > Admin_context > System > Resource Classes. The Resource Classes table lists all local resource classes and the number of virtual contexts using each resource class. Step 2 Confirm that the resource class that you want to delete is not deployed on any virtual contexts. You cannot delete a resource class that is deployed on a context. To identify the contexts using a specific resource class, see the “Displaying Local Resource Class Use on Virtual Contexts” section on page 6-54. Step 3 Choose the resource class that you want to remove, and click Delete. A confirmation popup window appears, asking you to confirm the deletion. Step 4 Click OK to delete the resource class or Cancel to retain the resource class. The Resource Classes table refreshes with the updated information. Related Topics • Using Resource Classes, page 6-43 • Configuring Local Resource Classes, page 6-52 • Displaying Local Resource Class Use on Virtual Contexts, page 6-54 6-54 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using the Configuration Checkpoint and Rollback Service Displaying Local Resource Class Use on Virtual Contexts You can display local resource class usage on all virtual contexts on an ACE. Procedure Step 1 Choose Config > Devices. The device tree appears. Step 2 In the device tree, choose the ACE with the resource class usage that you want to display. The Virtual Contexts table appears, listing all contexts on the selected ACE and the resource class in use for each context. Step 3 (Optional) In the Virtual Contexts table, click the Resource Class column heading to sort the table by resource class. Related Topics • Using Resource Classes, page 6-43 • Configuring Local Resource Classes, page 6-52 • Deleting Local Resource Classes, page 6-53 Using the Configuration Checkpoint and Rollback Service At some point, you may want to modify your ACE running configuration. If you run into a problem with the modified configuration, you may need to reboot your ACE. To prevent having to reboot your ACE after unsuccessfully modifying a running configuration, you can create a checkpoint (a snapshot in time) of a known stable running configuration before you begin to modify it. If you encounter a problem with the modifications to the running configuration, you can roll back the configuration to the previous stable configuration checkpoint. Note Before you upgrade your ACE software, we strongly recommend that you create a checkpoint in your running configuration. For ACE module A2(3.0) and later releases only, use the backup function to create a backup of the running configuration (see the “Performing Device Backup and Restore Functions” section on page 6-59). The ACE allows you to make a checkpoint configuration at the context level. The ACE stores the checkpoint for each context in a hidden directory in Flash memory. If, after you make configuration changes that modify the current running configuration, when you roll back the checkpoint, the ACE causes the running configuration to revert to the checkpointed configuration. This section includes the following topics: • Creating a Configuration Checkpoint, page 6-55 • Deleting a Configuration Checkpoint, page 6-56 • Rolling Back a Running Configuration, page 6-56 • Displaying Checkpoint Information, page 6-57 6-55 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using the Configuration Checkpoint and Rollback Service • Comparing a Checkpoint to the Running Configuration, page 6-58 Creating a Configuration Checkpoint You can create a configuration checkpoint for a specific context. The ACE supports a maximum of 10 checkpoints for each context. Assumption This topic assumes the following: • Make sure that the current running configuration is stable and is the configuration that you want to make as a checkpoint. If you change your mind after creating the checkpoint, you can delete it (see the “Deleting a Configuration Checkpoint” section on page 6-56). • The ACE-Admin, ANM-Admin, and Org-Admin predefined roles have access to the configuration checkpoint function. • A custom role defined with the task ANM Inventory > Virtual Context/Create or ANM Inventory > Virtual Context/Modify has the required privileges to create a configuration checkpoint. • A checkpoint will not include the SSL keys/certificates, probe scripts, and licenses. • Adding a checkpoint from an ACE context directly will not trigger an autosynchronzation on ANM for that context. Procedure Step 1 Choose Config > Devices > context > System > Checkpoints. The Checkpoints table appears. For descriptions of the checkpoints, see Table 6-10. Step 2 In the Checkpoints table, click the Create Checkpoint button. The Create Checkpoint dialog box appears. Step 3 In the Checkpoint Name field of the Create Checkpoint dialog box, specify a unique identifier for the checkpoint. Enter a text string with no spaces and a maximum of 25 alphanumeric characters. If the checkpoint already exists, you are prompted to use a different name. Step 4 Do one of the following: • Click OK to save your configuration checkpoint. You return to the Checkpoints table and the new checkpoint appears in the table. Table 6-10 Checkpoints Table Field Description Name Unique identifier of the checkpoint. Size (In Bytes) Size of the configuration checkpoint, shown in bytes. Date (Created On) Date that the configuration checkpoint was created. 6-56 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using the Configuration Checkpoint and Rollback Service • Click Cancel to exit the procedure without saving the configuration checkpoint and to return to the Checkpoints table. Related Topics • Using the Configuration Checkpoint and Rollback Service, page 6-54 • Deleting a Configuration Checkpoint, page 6-56 • Rolling Back a Running Configuration, page 6-56 • Displaying Checkpoint Information, page 6-57 • Comparing a Checkpoint to the Running Configuration, page 6-58 Deleting a Configuration Checkpoint You can delete a checkpoint. Deleting a checkpoint from an ACE context directly will not trigger an autosynchronzation to occur on ANM for that context. Prerequisite Before you perform this procedure, make sure that you want to delete the checkpoint. Once you click the Trash icon, the ACE removes the checkpoint from Flash memory. Procedure Step 1 To choose a virtual context that you want to create a configuration checkpoint, choose Config > Devices > context > System > Checkpoints. The Checkpoints table appears. Step 2 In the Checkpoints table, choose the radio button to the left of any table entry, and click the Trash icon to delete the checkpoint. Related Topics • Using the Configuration Checkpoint and Rollback Service, page 6-54 • Creating a Configuration Checkpoint, page 6-55 • Rolling Back a Running Configuration, page 6-56 • Displaying Checkpoint Information, page 6-57 • Comparing a Checkpoint to the Running Configuration, page 6-58 Rolling Back a Running Configuration You can roll back the current running configuration of a context to the previously checkpointed running configuration. 6-57 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using the Configuration Checkpoint and Rollback Service Procedure Step 1 Choose Config > Devices > context > System > Checkpoints. The Checkpoints table appears. Step 2 Choose the radio button to the left of the checkpoint that you wish to roll back, and click Rollback. ANM displays a confirmation popup window to warn you about this change and to instruct you that the rollback operation may take longer depending on the differences detected between the two configurations. Note ANM synchronizes the device after performing a rollback. This synchronzation may take some time. Related Topics • Using the Configuration Checkpoint and Rollback Service, page 6-54 • Creating a Configuration Checkpoint, page 6-55 • Deleting a Configuration Checkpoint, page 6-56 • Displaying Checkpoint Information, page 6-57 • Comparing a Checkpoint to the Running Configuration, page 6-58 Displaying Checkpoint Information You can display checkpoint configuration information. Procedure Step 1 Choose Config > Devices > context > System > Checkpoints. The Checkpoints table appears. Step 2 In the Checkpoints table, choose the radio button of the checkpoint that you want to display, and click Details. A popup window appears in which ANM uses the ACE s how checkpoint detail name CLI command to display the configuration of the specified checkpoint (see Figure 6-1). 6-58 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Using the Configuration Checkpoint and Rollback Service Figure 6-1 show checkpoint detail CLI Command Dialog Box Step 3 From the popup window, click Close to exit the window and return to the Checkpoints table. Related Topics • Using the Configuration Checkpoint and Rollback Service, page 6-54 • Creating a Configuration Checkpoint, page 6-55 • Deleting a Configuration Checkpoint, page 6-56 • Rolling Back a Running Configuration, page 6-56 • Comparing a Checkpoint to the Running Configuration, page 6-58 Comparing a Checkpoint to the Running Configuration Note This feature requires ACE module and ACE appliance software Version A4(1.0) or later. You can have ANM compare and display the differences between a specified checkpoint and the ACE’s current running configuration. Procedure Step 1 Choose Config > Devices > context > System > Checkpoints. The Checkpoints table appears. Step 2 In the Checkpoints table, choose the radio button of the checkpoint that you want to compare to the current running configuration, and click Compare. 6-59 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Device Backup and Restore Functions A popup window appears in which ANM uses the ACE compare name CLI command to display the differences between the running configuration and the specified checkpoint. The items that display in red are in the current running configuration and will be removed if you roll back to the checkpoint. The items that display in green are not in the current running configuration and will be added during the rollback. Step 3 From the popup window, click Close to the window and return to the Checkpoints table. Related Topics • Using the Configuration Checkpoint and Rollback Service, page 6-54 • Creating a Configuration Checkpoint, page 6-55 • Deleting a Configuration Checkpoint, page 6-56 • Rolling Back a Running Configuration, page 6-56 • Displaying Checkpoint Information, page 6-57 Performing Device Backup and Restore Functions Note The backup and restore functions are available only for the ACE module A2(3.0), ACE appliance 4(1.0), and later releases of either device type. The backup and restore functions allow you to back up or restore the configuration and dependencies of an entire ACE or of a particular virtual context. Configuration dependencies are those files that are required to exist on the ACE so that a configuration can be applied to it. Such files include health-monitoring scripts, SSL certificates, SSL keys, and so on.This feature allows you to back up and restore the following configuration files and dependencies: • Running-configuration files • Startup-configuration files • Checkpoints • SSL files (SSL certificates and keys) • Health-monitoring scripts • Licenses Note The backup feature does not back up the sample SSL certificate and key pair files. Typical uses for this feature are as follows: • Back up a configuration for later use • Recover a configuration that was lost because of a software failure or user error • Restore configuration files to a new ACE when a hardware failure resulted in a Return Merchandise Authorization (RMA) of the old ACE • Transfer the configuration files to a different ACE 6-60 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Device Backup and Restore Functions The backup and restore functions are supported in both the Admin and virtual contexts. If you perform these functions in the Admin context, you can back up or restore the configuration files for either the Admin context only or for all contexts in the ACE. If you perform these functions in a virtual context, you can back up or restore the configuration files only for that context. Both the backup and the restore functions run asynchronously (in the background). Note To perform the back up or copy functions on multiple ACEs simultaneously, see the “Performing Global Device Backup and Copy Functions” section on page 6-68 Archive Naming Conventions Context archive files have the following naming convention format: Hostname_ctxname_timestamp.tgz The filename fields are as follows: – Hostname—Name of the ACE. If the hostname contains special characters, the ACE uses the default hostname “switch” in the filename. For example, if the hostname is Active@~!#$%^, then the ACE assigns the following filename: switch_Admin_2009_08_30_15_45_17.tgz – ctxname—Name of the context. If the context name contains special characters, the ACE uses the default context name “context” in the filename. For example, if the context name is Test!123*, then the ACE assigns the following filename: switch_context_2009_08_30_15_45_17.tgz – timestamp—Date and time that the ACE created the file. The time stamp has the following 24 hour format: YYYY_MM_DD_hh_mm_ss An example is as follows: ACE-1_ctx1_2009_05_06_15_24_57.tgz If you back up the entire ACE, the archive filename does not include the ctxname field. So, the format is as follows: Hostname_timestamp.tgz An example is as follows: ACE-1_2009_05_06_15_24_57.tgz Archive Directory Structure and Filenames The ACE uses a flat directory structure for the backup archive. The ACE provides file extensions for the individual files that it backs up so that you can identify the types of files easily when restoring an archive. All files are stored in a single directory that is tarred and GZIPed as follows: ACE-1_Ctx1_2009_05_06_07_24_57.tgz ACE-1_Ctx1_2009_05_06_07_24_57\ context_name-running context_name-startup context_name-chkpt_name.chkpt context_name-cert_name.cert context_name-key_name.key context_name-script_name.tcl context_name-license_name.lic Guidelines and Limitations The backup and restore functions have the following configuration guidelines and limitations: 6-61 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Device Backup and Restore Functions • Store the backup archive on disk0: in the context of the ACE where you intend to restore the files. Use the Admin context for a full backup and the corresponding context for user contexts. • When you back up the running-configuration file, the ACE uses the output of the show running-configuration CLI command as the basis for the archive file. • The ACE backs up only exportable certificates and keys. • License files are backed up only when you back up the Admin context. • Use a pass phrase to back up SSL keys in encrypted form. Remember the pass phrase or write it down and store it in a safe location. When you restore the encrypted keys, the ACE prompts you for the pass phrase to decrypt the keys. If you do not use a pass phrase when you back up the SSL keys, the ACE restores the keys with AES-256 encryption using OpenSSL software. • Only probe scripts that reside in disk0: need to be backed up. The prepackaged probe scripts in the probe: directory are always available. When you perform a backup, the ACE automatically identifies and backs up the scripts in disk0: that are required by the configuration. • The ACE does not resolve any other dependencies required by the configuration during a backup except for scripts that reside in disk0:. For example, if you configured SSL certificates in an SSL proxy in the running-configuration file, but you later deleted the certificates, the backup proceeds anyway as if the certificates still existed. • To perform a restore operation, you must have the admin RBAC feature in your user role. ANM-admin and ORG-admin have access to this feature by default. Custom roles with the ANM Inventory and Virtual Context role tasks set to create or modify can also access this feature. • When you instruct the ACE to restore the archive for the entire ACE, it restores the Admin context completely first, and then it restores the other contexts. The ACE restores all dependencies before it restores the running configuration. The order in which the ACE restores dependencies is as follows: – License files – SSL certificates and key files – Health-monitoring scripts – Checkpoints – Startup-configuration file – Running-configuration file • When you restore the ACE, previously installed license files are uninstalled and the license files in the backup file are installed in their place. • In a redundant configuration, if the archive that you want to restore is different from the peer configurations in the FT group, redundancy may not operate properly after the restore. • You can restore a single context from a full backup archive provided that: – You execute the restore operation in the context that you want to restore – All files dependencies for the context exist in the full backup archive • To enable ANM to synchronize the CLI after a successful restore, do not navigate from the Backup / Restore page until the Latest Restore status changes from In Progress to Success. If you navigate to another page before the restore process is complete, the CLI will not synchronize until you return to the Backup / Restore page. Defaults Table 6-11 lists the default settings for the backup and restore function parameters. 6-62 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Device Backup and Restore Functions This section includes the following topics: • Backing Up Device Configuration and Dependencies, page 6-62 • Restoring Device Configuration and Dependencies, page 6-66 Backing Up Device Configuration and Dependencies You can create a backup of an ACE configuration and its dependencies. Note When you perform the backup process from the Admin context, you can either back up the Admin context files only or you can back up the Admin context and all user contexts. When you back up from a user context, you back up the current context files only and cannot back up the ACE licenses. Note If your web browser supports the Remember Passwords option and you enable this option, the web browser may fill in the Username and Password fields for user authentication. By default, these fields should be empty. You can change the username and password fields from whatever the web browser inserts into the two fields. Procedure Step 1 Choose Config > Devices > context > System > Backup / Restore. The Backup / Restore table appears and displays the latest backup and restore statistics. Note To refresh the table content at any time, click Poll Now. Table 6-11 Default Backup and Restore Parameters Parameter Default Backed up files By default the ACE backs up the following files in the current context: • Running-configuration file • Startup-configuration file • Checkpoints • SSL certificates • SSL keys • Health-monitoring scripts • Licenses SSL key restore encryption None 6-63 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Device Backup and Restore Functions Note When you choose the Backup / Restore operation, ANM must poll a context if that context has not been accessed previously for this operation. The polling operation, which is necessary to obtain the latest backup and restore information, can cause a delay in the display time of the Backup / Restore table. The Backup / Restore fields are described in Table 6-12. Step 2 Click Backup. The Backup window appears. Step 3 In the Backup window, click the radio button of the location where the ACE is to save the backup files: • Backup config on ACE (disk0:)—This is the default. Go to Step 9. • Backup config on ACE (disk0:) and then copy to remote system—The Remote System attributes step appears. Go to Step 4. Table 6-12 Backup / Restore Fields Field Description Latest Backup Backup Archive Name of the last *.tgz file created that contains the backup files. Type Type of backup: Context or Full (all contexts). Start-time Date and time that the last backup began. Finished-time Date and time that the last backup ended. Status Status of the last context to be backed up: Success, In Progress, or Failed. Click the status link to view status details. Current vc Name of the last context in the backup process. Completed Number of context backups completed compared to the total number of context backup requests. For example: • 2/2 = Two context backups completed/Two context backups requested • 0/1 = No context backup completed/One context backup requested Latest Restore Backup Archive Name of the *.tgz file used in during the restore process. Type Type of restore: Context or Full (all contexts). Start-time Date and time that the last restore began. Finished-time Date and time that the last restore ended. Status Status of the last restore: Success, In Progress, or Failed. Click the status to view status details. Current vc Name of the last context in the restore process. Completed Number of context restores completed compared to the total number of context restore requests. For example: • 2/2 = Two context restores completed/Two context restores requested • 0/1 = No context restore completed/One context restore requested 6-64 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Device Backup and Restore Functions Step 4 Click the radio button of the transfer protocol to use: • FTP—File Transfer Protocol • SFTP—Secure File Transfer Protocol • TFTP—Trivial File Transfer Protocol Step 5 In the Username field, enter the username that the remote server requires for user authentication. This field appears for FTP and SFTP only. Step 6 In the Password field, enter the password that the remote server requires for user authentication. This field appears for FTP and SFTP only. Step 7 In the IP Address field, enter the IP address of the remote server. Step 8 In the Backup File Path in Remote System field, enter the full path for the remote server. Step 9 Check the Backup All Contexts checkbox if you want the ACE to create a backup that contains the files of the Admin context and every user context or uncheck the check box to create a backup of the Admin context files only. This field appears for the Admin context only. Step 10 Indicate the components to exclude from the backup process: Checkpoints or SSL Files. To exclude a component, double-click on it in the Available box to move it to the Selected box. You can also use the right and left arrows to move selected items between the two boxes. Caution If you exclude the SSL Files component and then restore the ACE using this archived backup, these files are removed from the ACE. To save these files prior to performing a restore with this backup, use the crypto export CLI command to export the keys to a remote server and use the copy CLI command to copy the license files to disk0: as .tar files. Step 11 In the Pass Phrase field, enter the pass phrase that you specify to encrypt the backed up SSL keys. Enter the pass phrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. If you enter a pass phrase but exclude the SSL files from the archive, the ACE does not use the pass phrase. Step 12 Click OK to begin the backup process. The following actions occur depending on where ANM saves the files: • disk0: only—ANM permits continued GUI functionality during the backup process and polls the ACE for the backup status, which it displays on the Backup / Restore page. • disk0: and a remote server— ANM suspends GUI operation and displays a “Please Wait” message in the Backup dialog box until the process is complete. During this process, ANM instructs the ACE to create and save the backup file locally to disk0: and then place a copy of the file on the specified remote server. Step 13 In the Backup / Restore page, click Poll Now or click the browser refresh button to ensure that the latest backup statistics are displayed, and then click on the Status link (Success, In Progress, or Failed) located in the Latest Backup column to view details of the backup operation. If the backup status is either Success or In Progress, then the Show Backup Status Detail popup window appears and displays a list of the files successfully backed up. When the backup status is In Progress, ANM polls the ACE every 2 minutes to retrieve the latest status information and then it automatically 6-65 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Device Backup and Restore Functions updates the status information displayed. The polling continues until ANM receives a status of either Success or Failed. If the backup status is Failed, then the Show Backup Errors popup window appears, displaying the reason for the failed backup attempt. Related Topics • Performing Device Backup and Restore Functions, page 6-59 • Restoring Device Configuration and Dependencies, page 6-66 • Performing Global Device Backup and Copy Functions, page 6-68 6-66 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Device Backup and Restore Functions Restoring Device Configuration and Dependencies You can restore an ACE configuration and its dependencies using a backup file. Caution The restore operation clears any existing SSL certificate and key-pair files, license files, and checkpoints in a context before it restores the backup archive file. If your configuration includes SSL files or checkpoints and you excluded them when you created the backup archive, those files will no longer exist in the context after you restore the backup archive. To preserve any existing exportable SSL certificate and key files in the context, before you execute the restore operation, export the certificates and keys that you want to keep to an FTP, SFTP, or TFTP server by using the CLI and the crypto export command. After you restore the archive, import the SSL files into the context. For details on exporting and importing SSL certificate and key pair files using the CLI, see the Cisco Application Control Engine Module SSL Configuration Guide. You can also use the exclude option of the restore command to instruct the ACE not to clear the SSL files in disk0: and to ignore the SSL files in the backup archive when the ACE restores the backup. Note If your web browser supports the Remember Passwords option and you enable this option, the web browser may fill in the Username and Password fields for user authentication. By default, these fields should be empty. You can change the username and password fields from whatever the web browser inserts into the two fields. Prerequisites If you are going to restore the Admin context files plus all user context files, use a backup file that was created from the Admin context with the Backup All Contexts checkbox checked (see the “Backing Up Device Configuration and Dependencies” section on page 6-62). Procedure Step 1 Choose Config > Devices > context > System > Backup / Restore. The Backup / Restore table appears. Note To refresh the table content at any time, click Poll Now. Note When you perform the restore process from the Admin context, you can either restore the Admin context files only or you can restore the Admin context files plus all user context files. When you perform the restore process from a user context, you can restore the current context files only. The Backup / Restore fields are described in Table 6-12. Step 2 Click Restore. The Restore window appears. 6-67 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Device Backup and Restore Functions Step 3 In the Restore window, click the desired radio button to specify the location where the backup files are located saved: • Choose a backup file on the ACE (disk0:)—This is the default. Go to Step 9. • Choose a backup file from remote system—The Remote System attributes step appears. Go to Step 4. Step 4 Click the radio button of the transfer protocol to use: • FTP—File Transfer Protocol • SFTP—Secure File Transfer Protocol • TFTP—Trivial File Transfer Protocol Step 5 In the Username field, enter the username that the remote file system requires for user authentication. This field appears for FTP and SFTP only. Step 6 In the Password field, enter the password that the remote file system requires for user authentication. This field appears for FTP and SFTP only. Step 7 In the IP Address field, enter the IP address of the remote server. Step 8 In the Backup File Path in Remote System field, enter the full path of the backup file, including the backup filename, to be copied from the remote server. Step 9 Check the Restore All Contexts checkbox if you want the ACE to restore the files for every context or uncheck the checkbox to restore the Admin context files only. This field appears for the Admin context only. Step 10 Check the Exclude SSL Files checkbox if you want to preserver the SSL files currently loaded on the ACE and not use the backup file’s SSL files. Caution The restore function deletes all SSL files currently loaded on the ACE unless you check the Exclude SSL Files option. If you do not check this option, the restore functions loads the SSL files included in the backup file. If the backup files does not include SSL files, the ACE will not have any SSL files loaded on it when the restore process is complete. You will then need to import copies of the SSL files from a remote server. Step 11 In the Pass Phrase field, enter the pass phrase that is used to encrypt the backed up SSL keys in the archive. Enter the pass phrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. The Pass Phrase field does not appear when you check the Exclude SSL Files checkbox. Step 12 Click OK to begin the restore process. The following actions occur depending on where ANM retrieves the backup files: • disk0: only—ANM permits continued GUI functionality during the restore process and polls the ACE for the backup status, which it displays on the Backup / Restore page. Note To enable ANM to synchronize the CLI after a successful restore, do not navigate from the Backup / Restore window until the Latest Restore status changes from In Progress to Success. If you navigate to another window before the restore process is complete, the CLI will not synchronize until you return to the Backup / Restore window. 6-68 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Global Device Backup and Copy Functions • disk0: and a remote server— ANM suspends GUI operation and displays a “Please Wait” message in the Restore dialog box until the process is complete. During this process, ANM instructs the ACE to copy the backup file from the specified remote server to disk0: on the ACE and then apply the backup file to the context. Step 13 In the Backup / Restore page, click Poll Now or click the browser refresh button to ensure that the latest restore statistics are displayed, then click on the Status link (Success, In Progress, or Failed) located in the Latest Backup column to view details of the restore operation. If the restore status is either Success or In Progress, then the Show Restore Status Detail popup window appears and displays a list of the files successfully restored. When the restore status is In Progress, ANM polls the ACE every 2 minutes to retrieve the latest status information and then it automatically updates the status information displayed. The polling continues until ANM receives a status of either Success or Failed. If the restored status is Failed, then the Show Restored Errors popup window appears, displaying the reason for the failed restore attempt. Related Topics • Performing Device Backup and Restore Functions, page 6-59 • Backing Up Device Configuration and Dependencies, page 6-62 • Performing Global Device Backup and Copy Functions, page 6-68 Performing Global Device Backup and Copy Functions Note The global backup and copy functions are available for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type. The global backup and copy functions allow you to either back up the configuration and dependencies of multiple ACEs simultaneously or copy existing backup configuration files from disk0: of multiple ACEs to a remote server. Configuration dependencies are those files that are required to exist on the ACE so that a configuration can be applied to it. Such files include health-monitoring scripts, SSL certificates, SSL keys, and so on. This feature allows you to back up and restore the following configuration files and dependencies: • License files • Running-configuration files • Startup-configuration files • Checkpoints • SSL files (SSL certificates and keys) • Health-monitoring scripts During the backup, each ACE saves its configuration files locally to disk0: in a single directory that is tarred and GZIPed. For more information about the backup function, including guidelines and restrictions, see the “Performing Device Backup and Restore Functions” section on page 6-59. This section includes the following topics: • Backing Up Multiple Device Configuration and SSL Files, page 6-69 • Associating a Global Backup Schedule with a Device, page 6-71 6-69 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Global Device Backup and Copy Functions • Managing Global Backup Schedules, page 6-73 • Copying Existing Tarred Backup Files to a Remote Server, page 6-77 Backing Up Multiple Device Configuration and SSL Files You can back up the configuration and SSL files for multiple ACEs simultaneously. Note If your web browser supports the Remember Passwords option and you enable this option, the web browser may fill in the Username and Password fields for user authentication. By default, these fields should be empty. You can change the username and password fields from whatever the web browser inserts into the two fields. Procedure Step 1 Choose Config > Global > All Backups. The Backups table appears and displays a list of the available ACEs. Note To refresh the table content at any time, click Poll Now. Note When you choose the All Backups operation, ANM must poll all Admin contexts that have not been accessed previously for this operation. The polling operation, which is necessary to obtain the latest backup and restore information, can cause a delay in the display time of the Backups table. The Backups fields are described in Table 6-13. Table 6-13 Backups Fields Field Description Name Name of the ACE. Management IPs Management interface IP addresses. When there are multiple IP addresses, they display as shown in the following example: 10.77.241.18/10.77.241.28/10.77.241.38 Latest Backup Time Date and time that the last backup occurred. Latest Backup Status Status of the last backup attempt: Success, In Progress, or Failed. Click the status link to view status details. Latest Restore Time Date and time that the last restore occurred. Latest Restore Status Status of the last restore attempt: Success, In Progress, or Failed. Click the status link to view status details. Last Poll Time Date and time that ANM last polled the device for backup statistics. Schedules Backup schedule associated with the ACE. 6-70 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Global Device Backup and Copy Functions Step 2 In the Backups table, check the checkbox of the ACE or ACEs to back up. Note To choose all of the ACEs, check the Name checkbox. Step 3 Click Backup. The Backup on devices dialog box appears. Step 4 In the Backup on devices dialog box, check the Backup All Contexts checkbox if you want each ACE to create a backup that contains the files of its Admin context and every user context or uncheck the check box to create a backup of the Admin context files only. Step 5 Indicate the components that you want to exclude from the backup process: Checkpoints or SSL Files. To exclude a component, click on it in the Available box and then click Add (right arrow) to move it to the Selected box. Use Remove (left arrow) to move items from the Selected box back to the Available box if needed. Caution If you exclude the SSL Files component and then restore the ACE using this archived backup, these files are removed from the ACE. To save these files prior to performing a restore with this backup, use the crypto export CLI command to export the keys to a remote server and use the copy CLI command to copy the license files to disk0: as .tar files. Step 6 In the Pass Phrase field, enter the pass phrase that you specify to encrypt the backed up SSL keys. Enter the pass phrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. If you enter a pass phrase but excluded the SSL files from the archive, the ACE does not use the pass phrase. Step 7 Click OK to begin the backup. Step 8 In the Backups page, click Poll Now or click the browser refresh button to ensure that the latest statistics are displayed, and then click on the Status link (Success, In Progress, or Failed) located in the Latest Backup Status column to view details of the backup. If the backup status is either Success or In Progress, then the Show Backup Status Detail popup window appears and displays a list of the files successfully backed up. When the backup status is In Progress, ANM polls each ACE every 2 minutes to retrieve the latest status information and then it automatically updates the status information displayed. The polling continues until ANM receives a status of either Success or Failed. If the backup status is Failed, then the Show Backup Errors popup window appears, displaying the reason for the failed backup attempt. Related Topics • Associating a Global Backup Schedule with a Device, page 6-71 • Managing Global Backup Schedules, page 6-73 • Copying Existing Tarred Backup Files to a Remote Server, page 6-77 • Performing Device Backup and Restore Functions, page 6-59 6-71 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Global Device Backup and Copy Functions Associating a Global Backup Schedule with a Device You can schedule ANM to perform a global backup either as a one-time operation at some future time or on a regular basis. You do this by creating a backup schedule and then associating the schedule with one or more ACE devices. Procedure Step 1 Choose Config > Global > All Backups. The Backups table appears and displays a list of the available ACEs (see Table 6-13). Step 2 In the Backups table, check the checkbox of the ACEs that you want to schedule for backups. When you choose multiple devices to schedule a backup, ANM checks to ensure that the following attributes match between the devices: • Schedules currently associated with the devices • Remote location details • Protocol used to connect to the remote location • Pass phrase used to encrypt the backed up SSL keys • Specified components to exclude If these attributes do not match between the selected devices, ANM displays an error message and does not allow you to continue scheduling a global backup. For example, if the attributes of the selected devices do not match, ANM displays an error message such as: One or more field values do not match in the selected devices. Select only devices that have matching field values. Step 3 Click Schedule Backup. The Scheduled Backup popup window appears, which includes a list of the devices that you selected and backup schedule parameters that you must configure. Step 4 From the Scheduled Backup popup window, configure the scheduled backup parameters as shown in Table 6-14. 6-72 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Global Device Backup and Copy Functions Step 5 From the Scheduled Backup popup window, do one of the following: Table 6-14 Scheduling a Backup Item Description Schedule Associate one or more backup schedule with the devices by performing one or both of the following: • To associate an existing schedule listed in the Available box, double-click the schedule to move it to the Selected box. You can also use the arrow buttons to move selected schedules between the Available and Selected boxes. • To create a backup schedule for the devices, click Create. The fields for creating a new schedule appear in the Schedule section. Assign a unique name to the schedule, define the schedule’s operating parameters, and click OK. The new schedule is added to the Selected box. For more information about creating a schedule, see the “Creating a Backup Schedule” section on page 6-73. To display the current settings of schedule in the Selected box, choose the schedule and click View. The schedule details display in the Schedules section. You cannot modify the settings. Click Cancel to close the details display. Backup a file on ACE (disk0:) and then copy to remote system Configure where the backup is to be saved remotely as follows: a. Specify the file transfer protocol to use by clicking one of the following radio buttons: • FTP • SFTP • TFTP b. In the Username text box, enter the username associated with the remote server. c. In the Password text box, enter the password associated with the username. d. In the IP Address text box, enter the remote server IP address. e. In the Backup File Path in Remote System text box, enter the full path for the backup file on the remote server. Backup on devices Define the items to back up as follows: a. Indicate the components that you want to exclude from the backup process: Checkpoints or SSL Files. Double-click an item to move it to the Selected box. You can also use the arrow buttons to move an item between the Available and Selected boxes. b. Enter the pass phrase that you specify to encrypt the backed up SSL keys. Enter the pass phrase as an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. If you enter a pass phrase but excluded the SSL files from the archive, the ACE does not use the pass phrase. Note The Backup All Contexts checkbox is checked by default to create a backup that contains the files of the Admin context and every user context on the ACE. You cannot change this setting. 6-73 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Global Device Backup and Copy Functions • Click OK to save the scheduled backup configuration, close the popup window, and return to the Backups window, which now displays the associated backup schedule with the ACE. • Click Cancel to ignore the scheduled backup information, close the popup window, and return to the Backups window. Related Topics • Managing Global Backup Schedules, page 6-73 • Creating a Backup Schedule, page 6-73 • Updating an Existing Backup Schedule, page 6-76 • Backing Up Multiple Device Configuration and SSL Files, page 6-69 Managing Global Backup Schedules You can create multiple schedules that allow ANM to perform a global backup at the time specified in a particular schedule. You assign each schedule a name and then configure it with a set of parameters that specify when ANM is to perform the backup. For example, you can create a schedule that has ANM create a weekly backup every Tuesday at 1:00AM. After you create the schedule, you can apply it to one or more devices. If you change the schedule’s configuration, such as the day of the week when the backup is made, the change is applied the devices that use the schedule. This section includes the following topics: • Creating a Backup Schedule, page 6-73 • Updating an Existing Backup Schedule, page 6-76 • Deleting a Backup Schedule, page 6-76 Creating a Backup Schedule You can create a backup schedule that you can apply to one or more devices. Procedure Step 1 Choose Config > Global > All Schedules. The Schedules table appears and displays the information described in Table 6-15. Table 6-15 All Schedules Fields Item Description Name Schedule name. Type Schedule type: Once, Daily, Weekly, or Monthly. Date Date that ANM performs a backup. This column applies the schedule type of the type Once. Time Time of day when ANM performs the backup. 6-74 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Global Device Backup and Copy Functions Step 2 From the Schedules table window, click Create Schedule. The Create Schedule popup window appears. Step 3 From the Create Schedule popup window, create and configure the new backup schedule as described in Table 6-16. Daily Recurrence Indicates the following depending on schedule type: • Daily schedule—Number of days between backups. For example, a value of 4 in this field indicates that ANM performs one backup every 4 days. When N/A appears in this field for the type Daily, the schedule is configured to perform a daily backup everyday (Monday–Sunday). In this case, the days are listed in the Week Days column. • Monthly schedule—Day of the month when the backup is to occur. For example, a value of 3 indicates that the backup occurs on the third day of each month. When N/A appears in this field for the type Monthly, the schedule is configured to perform a monthly backup on the occurrence of a particular day of the week. For example, you can schedule the backup for the second Sunday of each month, in which case, Sun appears in the Week Days column. Weekly Recurrence Indicates the following depending on schedule type: • Weekly schedule—This value is always 1 for any configured weekly schedule and indicates that a backup will occur every week on the indicated days (see Week Days). • Monthly schedule—Week of the month when the backup is to occur. For example, a value of 3 indicates that the backup occurs on the third week of each month. Monthly Recurrence Number of times the monthly schedule occurs. Week Days Indicates the days of the week when ANM performs a backup depending on the schedule type: • Weekly schedule—Days of the week when the backup occurs. • Monthly schedule—Day of the week when the backup occurs. The Weekly Recurrence value indicates which monthly occurrence of the specified week day that the backup occurs. For example, if Weekly Recurrence value is 3 and the Week Days value is Sunday, then the monthly backup occurs every third Sunday of the month. Devices Name of the ACEs associated with the schedule. ANM adds devices to this field after you associate the schedule with an ACE backup (see the “Backing Up Multiple Device Configuration and SSL Files” section on page 6-69). Table 6-15 All Schedules Fields Item Description 6-75 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Global Device Backup and Copy Functions Step 4 Do one of the following: • Click OK to save the backup schedule, close the popup window, and return to the Schedules window. The Schedules window displays the new schedule. • Click Cancel to close the popup window without saving your information and return to the Schedules window. Related Topics • Managing Global Backup Schedules, page 6-73 • Updating an Existing Backup Schedule, page 6-76 • Deleting a Backup Schedule, page 6-76 • Associating a Global Backup Schedule with a Device, page 6-71 Table 6-16 Create Schedule Fields Item Description Name Unique schedule name. Schedule types Schedule types that you can create to specify when a backup is to occur. Choose one of the following: • Once: Specifies a one-time backup as follows: – Date: Date that ANM performs a backup. Use the calendar tool to select the date – Time: Time of day when ANM performs the backup. • Daily: Specifies a daily schedule as follows: – Time: Time of day when ANM performs the backup. – Repeat: Specifies how often the schedule is repeated as follows: - Every: Specifies the number of days between backups. - Everyday (Mon-Sun): Specifies that a backup is performed each day. • Weekly: Specifies a weekly schedule as follows: – Time: Time of day when ANM performs the backup. – Repeat Every week on: Specifies the days of the week that the backup is performed. • Monthly: Specifies a monthly schedule as follows: – Time: Time of day when ANM performs the backup. – Repeat: - Day (number) of every month: Specifies the day of the month when the backup is to occur. For example, you can schedule a backup for 15th day of the month. - Occurrence of the day (name) of every month: Specifies the occurrence of a weekday during the month when the backup is performed. For example, you can schedule a backup to occur every second Saturday of the month. 6-76 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Global Device Backup and Copy Functions Updating an Existing Backup Schedule You can update an existing backup schedule. When you update a schedule that is currently associated with devices, the changes that you make to the schedule affect the associated devices. Caution Modifying an existing schedule affects the backup schedule of any device currently associated with the schedule. Procedure Step 1 Choose Config > Global > All Schedules. The Schedules window appears and displays the information described in Table 6-15. Step 2 From the Schedules window, click the radio button of the backup schedule to update and click Update Schedule. The Update Schedule popup window appears. Step 3 From the Update Schedule popup window, update backup schedule as described in Table 6-16. Note You cannot modify the schedule name. Step 4 From the Update Schedule popup window, do one of the following: • Click OK to save your changes, close the popup window, and return to the Schedules window. • Click Cancel to close the po-up window without saving your changes and return to the Schedules window. Related Topics • Managing Global Backup Schedules, page 6-73 • Creating a Backup Schedule, page 6-73 • Deleting a Backup Schedule, page 6-76 • Associating a Global Backup Schedule with a Device, page 6-71 Deleting a Backup Schedule You can delete an existing global backup schedule. Caution Deleting a backup schedule removes the schedule from any device currently associated with it. Procedure Step 1 Choose Config > Global > All Schedules. The Schedules window appears and displays the information described in Table 6-15. 6-77 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Performing Global Device Backup and Copy Functions Step 2 From the Schedules window, click the radio button of the backup schedule to delete and click Delete. The Delete Confirmation popup window appears. Step 3 From the Delete Confirmation popup window, do one of the following: • Click OK to delete the schedule, close the popup window, and return to the Schedules window. The schedule is removed from the list of schedules. • Click Cancel to ignore the delete request, close the popup window, and return to the Schedules window. Related Topics • Managing Global Backup Schedules, page 6-73 • Creating a Backup Schedule, page 6-73 • Associating a Global Backup Schedule with a Device, page 6-71 Copying Existing Tarred Backup Files to a Remote Server You can copy an existing back up file from disk0: to a remote server. During the global backup process, each ACE creates a tarred file containing its backup files and saves it locally on disk0:. You can use ANM to simultaneously copy these tarred files from multiple ACEs to a remote server. Note If your web browser supports the Remember Passwords option and you enable this option, the web browser may fill in the Username and Password fields for user authentication. By default, these fields should be empty. You can change the username and password fields from whatever the web browser inserts into the two fields. Procedure Step 1 Choose Config > Global > All Backups. The Backups table appears and displays a list of the available ACEs. Note To refresh the table content at any time, click Poll Now. The Backups fields are described in Table 6-13. Step 2 In the Backups table, check the checkbox of the ACE or ACEs to perform the copy function. Note To choose all of the ACEs, check the Name checkbox. Step 3 Click Copy. The Copy backup files to a remote system dialog box appears. Step 4 In the Copy backup files to a remote system dialog box, choose the backup file to copy from the selected device. 6-78 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Security with ACLs This option appears only when you have selected a specific device for the copy operation in Step 2. If you selected multiple devices in Step 2, then each device copies its latest successful backup file to the remote server. Step 5 Click the radio button of the transfer protocol to use. • FTP—File Transfer Protocol • SFTP—Secure File Transfer Protocol • TFTP—Trivial File Transfer Protocol Step 6 In the Username field, enter the username that the remote server requires for user authentication. This field appears for FTP and SFTP only. Step 7 In the Password field, enter the password that the remote server requires for user authentication. This field appears for FTP and SFTP only. Step 8 In the IP Address field, enter the IP address of the remote server. Step 9 In the Backup File Path in Remote System field, enter the full path for the remote server. Step 10 Click OK to begin the copy process. ANM copies the backup files from each device to the remote server. A popup message displays to indicate whether a copy operation was successful or failed. Related Topics • Backing Up Multiple Device Configuration and SSL Files, page 6-69 • Performing Device Backup and Restore Functions, page 6-59 Configuring Security with ACLs An access control list (ACL) consists of a series of statements called ACL entries that collectively define the network traffic profile. Each entry permits or denies network traffic (inbound and outbound) to the parts of your network specified in the entry. In addition to an action element (permit or deny), each entry also contains a filter element based on criteria such as the source address, the destination address, the protocol, or the protocol-specific parameters. An implicit “deny all” entry exists at the end of every ACL, so you must configure an ACL on every interface where you want to permit connections; otherwise, the ACE denies all traffic on the interface. ACLs provide basic security for your network by allowing you to control network connection setups rather than processing each packet. Such ACLs are commonly referred to as security ACLs. You can configure ACLs as parts of other features; for example, security, network address translation (NAT), or server load balancing (SLB). The ACE merges these individual ACLs into one large ACL called a merged ACL. The ACL compiler then parses the merged ACL and generates the ACL lookup mechanisms. A match on this merged ACL can result in multiple actions. You can add, modify, or delete entries to an ACL already in the summary table, or add a new ACL to the list. When you use ACLs, you may want to permit all email traffic on a circuit, but block FTP traffic. You can also use ACLs to allow one client to access a part of the network and prevent another client from accessing that same area. When configuring ACLs, you must apply an ACL to an interface to control traffic on that interface. Applying an ACL on an interface assigns the ACL and its entries to that interface. 6-79 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Security with ACLs You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can also apply the same ACL on multiple interfaces.You can apply EtherType ACLs in only the inbound direction and on only Layer 2 interfaces. Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied. This section includes the following topics: • Creating ACLs, page 6-79 • Setting Extended ACL Attributes, page 6-82 • Resequencing Extended ACLs, page 6-87 • Setting EtherType ACL Attributes, page 6-87 • Displaying ACL Information and Statistics, page 6-89 Creating ACLs You can create an ACL. Note By default, the ACE denies all traffic unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Security > ACLs. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > Security > ACLs. The ACLs table appears listing the existing ACLs. The ACL fields are described in Table 6-17. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. 6-80 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Security with ACLs Step 2 In the ACLs table, do one of the following: • To view full details of an ACL inline, click the plus sign to the left of any table entry. • To create an ACL, click Add. • To modify an ACL, choose the radio button to the left of any table entry, and click Edit. • To delete an ACL, choose the radio button to the left of any table entry, and click Trash. If you choose create, the New Access List window appears. If you choose modify, the Edit ACL or Edit ACL entry window appears based on the selected radio button to the left of any table entry. Table 6-17 ACLs Table Field Description Name Unique identifier for the ACL. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters. Type Identifies the following ACL attributes: • ACL type: – Extended—Allows you to specify both the source and the destination IP addresses of traffic and the protocol and the action to be taken. For more information see the “Setting Extended ACL Attributes” section on page 6-82. – EtherType—This ACL controls network access for non-IP traffic based on its EtherType. An EtherType is a subprotocol identifier. For more information, see the “Setting EtherType ACL Attributes” section on page 6-87. • (ACE module and ACE appliance software Version A5(1.0) or later only) IP address type: – IPv4—This ACL controls network access for IPv4 traffic. – IPv6—This ACL controls network access for IPv6 traffic. # ACL line number for extended type ACL entries. Action Action to be taken (permit/deny). Protocol Protocol number or service object group to apply to this ACL entry. Source Source IPv6 or IPv4 address (and source netmask with port number if configured for extended type ACL) or source network object group (if configured) that is being applied to this ACL entry. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Destination Destination IPv6 or IPv4 address (and destination netmask with port number if configured for extended type ACL) or destination network object group (if configured) that is applied to this ACL entry. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. ICMP Whether or not this ACL uses ICMP (Internet Control Message Protocol). For more information, see Table 6-20. Interface VLAN interfaces associated with this ACL. For example in24,4033:24out where “in” denotes the input direction and “out” denotes the output direction. Remark Comments for this ACL. Valid entries are unquoted text strings with a maximum of 100 characters. You can enter leading spaces at the beginning of the text or special characters. Trailing spaces are ignored. 6-81 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Security with ACLs Step 3 Add or edit required fields as described in Table 6-18. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Table 6-18 ACL Configuration Attributes Field Description ACL Properties Name Unique identifier for the ACL. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters. Type Type of ACL: • Extended—Allows you to specify both the source and the destination IP addresses of traffic, the protocol, and the action to be taken. For more information see the “Setting Extended ACL Attributes” section on page 6-82. • EtherType—This ACL controls network access for non-IP traffic based on its EtherType. An EtherType is a subprotocol identifier. For more information see the “Setting EtherType ACL Attributes” section on page 6-87. IP Address Type Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. Type of IP address: IPv4 or IPv6. Remark Comments that you want to include for this ACL. Valid entries are unquoted text strings with a maximum of 100 characters. You can enter leading spaces at the beginning of the text or special characters. Trailing spaces are ignored. ACL Entries Entry Attributes Line number, action and protocol/service object group drop-down list. For information about setting these attributes, see the “Setting Extended ACL Attributes” section on page 6-82 or the “Setting EtherType ACL Attributes” section on page 6-87. Source This field contains the following information for Extended ACLs only: Source IPv6 address and prefix length, IPv4 address with port number (if configured) and netmask, or source network object group (if configured) that is being applied to this ACL entry. For information about setting this attribute, see the “Setting Extended ACL Attributes” section on page 6-82. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Destination This field contains the following information for Extended ACLs only: Destination IPv6 address and prefix length, IPv4 address with port number (if configured) and netmask, or destination network object group (if configured) that is being applied to this ACL entry. For information about setting this attribute, see the “Setting Extended ACL Attributes” section on page 6-82. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Add To Table button Button to add multiple ACL entries, one at a time before clicking Deploy. Remove From Table button Button to remove multiple ACL entries, one at a time before clicking Deploy. • Input/Output Direction • Currently Assigned (ACL:Direction) Field that allows you to associate the ACL with one or more interfaces allowing only one input and one output ACL for each interface. The top left checkbox under the Interfaces section allows you to choose and apply to all interfaces “access-group input.” 6-82 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Security with ACLs Note To add, modify, or delete Object Groups go to the “Configuring Object Groups” section on page 6-89. Step 4 Do one of the following: • Click Deploy to deploy this newly created ACL entries along with VLAN interface assignments that were configured. • Click Cancel to exit this procedure without saving your entries and to return to the ACLs table. Related Topics • Configuring Security with ACLs, page 6-78 • Setting EtherType ACL Attributes, page 6-87 • Setting Extended ACL Attributes, page 6-82 • Resequencing Extended ACLs, page 6-87 • Editing or Deleting ACLs, page 6-100 • Displaying ACL Information and Statistics, page 6-89 Setting Extended ACL Attributes You can configure extended ACL attributes that allows you to specify both the source and the destination IP addresses of traffic and the protocol and the action to be taken. For TCP, UDP, and ICMP connections, you do not need to also apply an ACL on the destination interface to allow returning traffic, because the ACE allows all returning traffic for established connections. Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied. Note The ACE does not explicitly support standard ACLs. To configure a standard ACL, specify the destination address as any and do not specify the ports in an extended ACL. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Security > ACLs. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > Security > ACLs. The ACLs table appears, listing the existing ACLs. Step 2 In the ACLs table, click Add. The New Access List configuration window appears. Step 3 Click Add to add an entry to the table, or choose an existing entry and click Edit to modify it. 6-83 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Security with ACLs Step 4 In the ACL Properties pane, do the following: a. Enter the ACL name. b. For the ACL type, choose Extended. c. For the IP address type, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. d. (Optional) In the Remark text box, enter comments that you want to include for this ACL. Valid entries are unquoted text strings with a maximum of 100 characters. You can enter leading spaces at the beginning of the text or special characters. Trailing spaces are ignored. Step 5 Configure extended ACL entries using the information in Table 6-19. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Table 6-19 Extended ACL Configuration Options Field Description Entry Attributes Line Number Number that specifies the position of this entry in the ACL. The position of an entry affects the lookup order of the entries in an ACL. To change the sequence of existing extended ACLs, see the “Resequencing Extended ACLs” section on page 6-87. Action Action to be taken: Permit or Deny. Service Object Group Option that is not applicable to ACE modules running 3.0(0)A1(x) and ACE 4710 appliances running image A1(x). Choose a service object group to apply to this ACL. Protocol Protocol or protocol number to apply to this ACL entry. Table 6-20 lists common protocol names and numbers. ICMP Type This field appears only when the selected protocol type is ICMP. Choose the ICMP type. Table 6-23 lists common ICMP types and numbers. Table 6-24 lists common ICMPv6 types and numbers. ICMP Message Code Operator This field appears only when the selected protocol type is ICMP. Choose one of the following operands to use when comparing message codes for this service object: • Equal To—The message code must be the same as the number in the Message Code field. • Greater Than—The message code must be greater than the number in the Message Code field. • Less Than—The message code must be less than the number in the Message Code field. • Not Equal To—The message code must not equal the number in the Message Code field. • Range—The message code must be within the range of codes specified by the Min. Message Code field and the Max. Message Code field. ICMP Message Code This field appears only when the selected protocol type is ICMP and the ICMP Message Code Operator is set to one of the following: Equal To, Greater Than, Less Than, or Not Equal To. Enter the ICMP message code for this service object. 6-84 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Security with ACLs ICMP Min. Message Code These fields appear only when the selected protocol type is ICMP and the ICMP Message Code Operator is set to Range. Enter the beginning and ending value for a range of services for this service object. Valid entries are integers from 0 to 255. The minimum value must be less that the maximum value. ICMP Max. Message Code Source Source Network Network traffic being received from the source network to the ACE: • Any—Choose the Any radio button to indicate that network traffic from any source is allowed. • IP/Netmask—(IPv4 address type) Use this field to limit access to a specific source IP address. Enter the source IP address that is allowed for this ACL. Enter a specific source IP address and choose its subnet mask. • IP/Prefix-length—(IPv6 address type) Use this field to limit access to a specific source IP address. Enter the source IPv6 address that is allowed for this ACL and its prefix length. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. • Network Object Group—Choose a source network object group to apply to this ACL. Note This option is not applicable to ACE modules running release 3.0(0)A1(x) and ACE 4710 appliances running release A1(x). Source Port Operator Field that appears if you choose TCP or UPD in the Protocol field. Choose the operand to use to compare source port numbers: • Equal To—The source port must be the same as the number in the Source Port Number field. • Greater Than—The source port must be greater than the number in the Source Port Number field. • Less Than—The source port must be less than the number in the Source Port Number field. • Not Equal To—The source port must not equal the number in the Source Port Number field. • Range—The source port must be within the range of ports specified by the Lower Source Port Number field and the Upper Source Port Number field. Source Port Number Field that appears if you choose one of the following the Source Port Operator field: Equal To, Greater Than, Less Than, or Not Equal To. Enter the port name or number from which you want to permit or deny access. For a list of ports, see the “ANM Ports Reference” section on page A-1. Lower Source Port Number Field that appears if you choose Range in the Source Port Operator field. Enter the number of the lowest port from which you want to permit or deny access. Valid entries are from 0 to 65535. The number in this field must be less than the number entered in the Upper Source Port Number field. Upper Source Port Number Field that appears if you choose Range in the Source Port Operator field. Enter the port number of the upper port from which you want to permit or deny access. Valid entries are from 0 to 65535. The number in this field must be greater than the number entered in the Lower Source Port Number field. Table 6-19 Extended ACL Configuration Options (continued) Field Description 6-85 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Security with ACLs Destination Destination Network Network traffic being transmitted to the destination network from the ACE: • Any—Choose the Any radio button to indicate that network traffic to any destination is allowed. • IP/Netmask—(IPv4 address type) Use this field to limit access to a specific destination IP address. Enter the source IP address that is allowed for this ACL. Enter a specific destination IP address and choose its subnet mask. • IP/Prefix-length—(IPv6 address type) Use this field to limit access to a specific destination IP address. Enter the destination IPv6 address that is allowed for this ACL and its prefix length. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. • Network Object Group—Choose a destination network object group to apply to this ACL. Note This option is not applicable to ACE modules running release 3.0(0)A1(x) and ACE 4710 appliances running release A1(x). Destination Port Operator Field that appears if you choose TCP or UPD in the Protocol field. Choose the operand to use to compare destination port numbers: • Equal To—The destination port must be the same as the number in the Destination Port Number field. • Greater Than—The destination port must be greater than the number in the Destination Port Number field. • Less Than—The destination port must be less than the number in the Destination Port Number field. • Not Equal To—The destination port must not equal the number in the Destination Port Number field. • Range—The destination port must be within the range of ports specified by the Lower Destination Port Number field and the Upper Destination Port Number field. Destination Port Number Field that appears if you choose one of the following in the Destination Port Operator field: Equal To, Greater Than, Less Than, or Not Equal To. Enter the port name or number from which you want to permit or deny access. For a list of ports and keywords, see the “ANM Ports Reference” section on page A-1. Lower Destination Port Number Field that appears if you choose Range in the Destination Port Operator field. Enter the number of the lowest port to which you want to permit or deny access. Valid entries are from 0 to 65535. The number in this field must be less than the number entered in the Upper Destination Port Number field. Upper Destination Port Number Field that appears if you choose Range in the Destination Port Operator field. Enter the port number of the upper port to which you want to permit or deny access. Valid entries are from 0 to 65535. The number in this field must be greater than the number entered in the Lower Destination Port Number field. Table 6-19 Extended ACL Configuration Options (continued) Field Description 6-86 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Security with ACLs Step 6 In the Extended configuration pane, do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click OK to save your entries. This option appears for configuration building blocks. • Click Cancel to exit without saving your entries and to return to the Extended table. • Click Next to deploy your entries and to add another entry to the Extended table. Step 7 (Optional) Associate any VLAN interface to this ACL if required and do one of the following: • Click Deploy to immediately deploy this configuration. • Click Cancel to exit without saving your entries and to return to the ACL Summary table. Related Topics • Configuring Security with ACLs, page 6-78 • Creating ACLs, page 6-79 • Setting EtherType ACL Attributes, page 6-87 • Resequencing Extended ACLs, page 6-87 • Editing or Deleting ACLs, page 6-100 • Displaying ACL Information and Statistics, page 6-89 Table 6-20 Protocol Names and Numbers Protocol Name1 1. For a complete list of all protocols and their numbers, see the Internet Assigned Numbers Authority available at www.iana.org/numbers/ Protocol Number Description AH 51 Authentication Header EIGRP 88 Enhanced IGRP ESP 50 Encapsulated Security Payload GRE 47 Generic Routing Encapsulation ICMP 1 Internet Control Message Protocol ICMPv62 2. ICMPv6 is not available for an IPv4 service object group. 58 Internet Control Message Protocol version 6 IGMP 2 Internet Group Management Protocol IP 0 Internet Protocol IP-In-IP 4 IP-In-IP Layer 3 Tunneling Protocol OSPF 89 Open Shortest Path First PIM 103 Protocol Independent Multicast TCP 6 Transmission Control Protocol UDP 17 User Datagram Protocol 6-87 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Security with ACLs Resequencing Extended ACLs You can change the sequence of entries in an Extended ACL. Note EtherType ACL entries cannot be resequenced. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Security > ACLs. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > Security > ACLs. The ACLs table appears, listing the existing ACLs. Step 2 In the ACLs table, choose the Extended ACL that you want to renumber, and click the Resequence icon that appears to the left of the filter field. The ACL Line Number Resequence window appears. Step 3 In the Start field of the ACL Line Number Resequence window, enter the number that is to be assigned to the first entry in the ACL. Valid entries are from 1 to 2147483647. Step 4 In the Increment field, enter the number that is to be added to each entry in the ACL after the first entry. Valid entries are from 1 to 2147483647. Step 5 Do one of the following: • Click Resequence to save your entries and to return to the ACLs table. • Click Cancel to exit this procedure without saving your entries and to return to the ACLs table. Related Topics • Configuring Security with ACLs, page 6-78 • Creating ACLs, page 6-79 • Setting EtherType ACL Attributes, page 6-87 • Setting Extended ACL Attributes, page 6-82 • Editing or Deleting ACLs, page 6-100 • Displaying ACL Information and Statistics, page 6-89 Setting EtherType ACL Attributes You can configure an ACL that controls traffic based on its EtherType, which is a subprotocol identifier. EtherType ACLs support Ethernet V2 frames. EtherType ACLs do not support 802.3-formatted frames because they use a length field instead of a type field. The only exception is a bridge protocol data units (BPDU), which is SNAP encapsulated. The ACE is designed to handle BPDUs. 6-88 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Security with ACLs Note By default, all traffic is denied by the ACE unless explicitly allowed. Only traffic that is explicitly allowed in an ACL can pass. All other traffic is denied. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Security > ACLs. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > Security > ACLs. The ACLs table appears, listing the existing ACLs. Step 2 In the ACLs table, click Add. The New Access List configuration window appears. Step 3 In the ACL Properties pane, do the following: a. In the Name text box, enter the ACL name. b. For the Type, choose Ethertype. c. For the IP Address Type, choose IPv4. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. Note You cannot use IPv6 with an Ethertype ACL. Step 4 Choose one of the following radio buttons: • Deny to indicate that the ACE is to block connections. • Permit to indicate that the ACE is to allow connections. Step 5 In the Protocol field, choose one of the following the drop-down list for this ACL: • Any—Specifies any EtherType. • BPDU—Specifies bridge protocol data units. The ACE receives trunk port (Cisco proprietary) BPDUs because ACE ports are trunk ports. Trunk BPDUs have VLAN information inside the payload, so the ACE modifies the payload with the outgoing VLAN if you allow BPDUs. If you configure redundancy, you must allow BPDUs on both interfaces with an EtherType ACL to avoid bridging loops. For information about configuring redundancy, see the “Understanding ACE Redundancy” section on page 13-6. • IPv6—Specifies Internet Protocol version 6. • MPLS—Specifies Multi-Protocol Label Switching. The MPLS selection applies to both MPLS unicast and MPLS multicast traffic. If you allow MPLS, ensure that Label Distribution Protocol (LDP) and Tag Distribution Protocol (TDP) TCP connections are established through the ACE by configuring both MPLS routers connected to the ACE to use the IP address on the ACE interface as the router-id for LDP or TDP sessions. LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets. Step 6 Click Add to Table and add one or more ACL entries if required repeating Steps 4 and 5 as needed. Step 7 (Optional) Associate any VLAN interface to this ACL if required and do one of the following: • Click Deploy to immediately deploy this configuration. This option appears for virtual contexts. 6-89 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Object Groups • Click Cancel to exit without saving your entries and to return to the ACL Summary table. Related Topics • Configuring Security with ACLs, page 6-78 • Creating ACLs, page 6-79 • Setting Extended ACL Attributes, page 6-82 • Resequencing Extended ACLs, page 6-87 • Editing or Deleting ACLs, page 6-100 • Displaying ACL Information and Statistics, page 6-89 Displaying ACL Information and Statistics You can display information and statistics for a particular ACL by using the Details button. Procedure Step 1 Choose Config > Devices > context > Security > ACLs. The ACLs table appears listing the existing ACLs. Step 2 In the ACLs table, choose an ACL, and click Details. The show access-list access-list detail CLI command output appears. For details about the displayed output fields, see either the Cisco ACE Module Security Configuration Guide or the Cisco ACE 4700 Series Appliance Security Configuration Guide, Chapter 1, “Configuring Security Access Control Lists.” Step 3 Click Update Details to refresh the output for the show access-list access-list detail CLI command. Step 4 Click Close to return to the ACLs table. Related Topics • Configuring Security with ACLs, page 6-78 • Creating ACLs, page 6-79 • Setting Extended ACL Attributes, page 6-82 • Resequencing Extended ACLs, page 6-87 • Editing or Deleting ACLs, page 6-100 Configuring Object Groups You can configure object groups that you can associate with ACLs. An object group is a logical grouping of objects such as hosts (servers and clients), services, and networks. When you create an object group, you choose a type, such as network or service, and then specify the objects that belong to the groups. In all, there are four types of object groups: Network, protocol, service, and ICMP-type. After you configure an object group, you can include it in ACLs, thereby including all objects within that group and reducing overall configuration size. 6-90 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Object Groups This section includes the following topics: • Creating or Editing an Object Group, page 6-90 • Configuring IP Addresses for Object Groups, page 6-91 • Configuring Subnet Objects for Object Groups, page 6-92 • Configuring Protocols for Object Groups, page 6-93 • Configuring TCP/UDP Service Parameters for Object Groups, page 6-94 • Configuring ICMP Service Parameters for an Object Group, page 6-97 Creating or Editing an Object Group You can create a object group or edit an existing one. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Security > Object Groups. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > Security > Object Groups. Note Object groups are available for only ACE modules and ACE module configuration building blocks. The Object Groups table appears, listing existing object groups. Step 2 In the Object Groups table, click Add to create a new object group, or choose an existing object group, and click Edit to modify it. The Object Groups configuration window appears. Note The object group definition attributes for Protocol Selection and Service Parameter cannot be edited once defined for an object group. To edit these values, delete the object group definition and then add it again with the desired settings. Step 3 In the Name field of the Object Groups configuration window, enter a unique name for this object group. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Step 4 In the Description field, enter a brief description for the object group. Step 5 In the Type field, choose the type of object group that you are creating: • Network—The object group is based on a group of hosts or subnet IP addresses. • Service—The object group is based on TCP or UDP protocols and ports, or ICMP types, such as echo or echo-reply. Step 6 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click OK to save your entries. This option appears for configuration building blocks. 6-91 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Object Groups • Click Cancel to exit without saving your entries and to return to the Object Groups table. • Click Next to deploy your entries and to add another entry to the Object Groups table. If you click Deploy Now or OK, the window refreshes with tables additional configuration options. Step 7 Configure objects for the object group as follows: • For network-type object groups, options include: – Configuring IP Addresses for Object Groups, page 6-91 – Configuring Subnet Objects for Object Groups, page 6-92 • For service-type object groups, options include: – Configuring Protocols for Object Groups, page 6-93 – Configuring TCP/UDP Service Parameters for Object Groups, page 6-94 – Configuring ICMP Service Parameters for an Object Group, page 6-97 Configuring IP Addresses for Object Groups You can specify host IP addresses for network-type object groups. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Security > Object Groups. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > Security > Object Groups. The Object Groups table appears, listing the existing object groups. Step 2 In the Object Groups table, choose the object group that you want to configure host IP addresses for, and click the Host Setting For Object Group tab. The Host Setting for Object Group table appears. Step 3 In the Host Setting for Object Group table, click Add to add an entry to this table. Step 4 Enter the host IP address as follows: • For ACE module sand ACE appliances using a software version earlier than A5(1.0), enter the IPv4 address of a host to include in this group. • For ACE module sand ACE appliances using software Version A5(1.0) or later, choose either of the following IP address types: – IPv4—A host with an IPv4 IP address. In the IPv4 Address field, enter the IP address of a host to include in this group. – IPv6—A host with an IPv6 IP address. In the IPv6 Address field, enter the IP address of a host to include in this group. 6-92 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Object Groups Step 5 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click OK to save your entries. This option appears for configuration building blocks. • Click Cancel to exit this procedure without saving your entries. • Click Next to deploy your entries and to add another entry to the Host Setting table. Related Topics • Configuring Object Groups, page 6-89 • Configuring Subnet Objects for Object Groups, page 6-92 • Configuring Protocols for Object Groups, page 6-93 • Configuring TCP/UDP Service Parameters for Object Groups, page 6-94 • Configuring ICMP Service Parameters for an Object Group, page 6-97 Configuring Subnet Objects for Object Groups You can specify subnet objects for a network-type object group. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Security > Object Groups. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > Security > Object Groups. The Object Groups table appears, listing the existing object groups. Step 2 In the Object Groups table, choose the object group that you want to configure subnet objects for, and click the Network Setting For Object Group tab. The Network Setting for Object Group table appears. Step 3 Click Add to add an entry to this table. Step 4 Enter the subnet object IP address as follows: • For ACE module sand ACE appliances using a software version earlier than A5(1.0), enter an IPv4 address that, with the subnet mask, defines the subnet object. • For ACE module sand ACE appliances using software Version A5(1.0) or later, in the IP Address Type field, choose one of the following: – IPv4—A subnet object with an IPv4 IP address. – IPv6—A object with an IPv6 IP address. In the IPv6 Address field, enter the IP address. Step 5 Depending on the IP address type that you chose, do one of the following: 6-93 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Object Groups • For IPv4, in the IPv4 Address field, enter the IP address. In the Netmask field, select the subnet mask for this subnet object. • For IPv6, in the IPv6 Address field, enter the IP address. In the Network Prefix Length field, enter the prefix length for this object. Step 6 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click OK to save your entries. This option appears for configuration building blocks. • Click Cancel to exit this procedure without saving your entries. • Click Next to deploy your entries and to add another entry to the Network Setting table. Related Topics • Configuring Object Groups, page 6-89 • Configuring IP Addresses for Object Groups, page 6-91 • Configuring Protocols for Object Groups, page 6-93 • Configuring TCP/UDP Service Parameters for Object Groups, page 6-94 • Configuring ICMP Service Parameters for an Object Group, page 6-97 Configuring Protocols for Object Groups You can specify protocols for a service-type object group. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Security > Object Groups. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > Security > Object Groups. The Object Groups table appears, listing the existing object groups. Step 2 In the Object Groups table, choose an existing service-type object group, and click the Protocol Selection tab. The Protocol Selection table appears. Step 3 In the Protocol Selection table, click Add to add an entry to this table. Step 4 In the Protocol Number field, choose the protocol or protocol number to add to this object group. See Table 6-20 for common protocols and their numbers. Step 5 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click OK to save your entries. This option appears for configuration building blocks. • Click Cancel to exit this procedure without saving your entries. 6-94 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Object Groups • Click Next to deploy your entries and to add another entry to the Protocol Selection table. Related Topics • Configuring Object Groups, page 6-89 • Configuring IP Addresses for Object Groups, page 6-91 • Configuring Subnet Objects for Object Groups, page 6-92 • Configuring TCP/UDP Service Parameters for Object Groups, page 6-94 • Configuring ICMP Service Parameters for an Object Group, page 6-97 Configuring TCP/UDP Service Parameters for Object Groups You can add TCP or UDP service objects to a service-type object group. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Security > Object Groups. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > Security > Object Groups. The Object Groups table appears, listing the existing object groups. Step 2 In the Object Groups table, choose an existing service-type object group, and click the TCP/UDP Service Parameters tab. The TCP/UDP Service Parameters table appears. Step 3 Click Add to add an entry to this table. Step 4 Configure TCP or UDP service objects using the information in Table 6-21. Table 6-21 TCP and UDP Service Parameters Field Description Protocol Protocol for this service object: • TCP—TCP is the protocol for this service object. • TCP And UDP—Both TCP and UDP are the protocols for this service object. • UDP—UDP is the protocol for this service object. Source Port Operator Operand to use when comparing source port numbers for this service object: • Equal To—The source port must be the same as the number in the Source Port field. • Greater Than—The source port must be greater than the number in the Source Port field. • Less Than—The source port must be less than the number in the Source Port field. • Not Equal To—The source port must not equal the number in the Source Port field. • Range—The source port must be within the range of ports specified by the Lower Source Port field and the Upper Source Port field. 6-95 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Object Groups Step 5 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click OK to save your entries. This option appears for configuration building blocks. • Click Cancel to exit this procedure without saving your entries. • Click Next to deploy your entries and to add another entry to the TCP/UDP Service Parameters table. Source Port Field that appears if you choose Equal To, Greater Than, Less Than, or Not Equal To in the Source Port Operator field. Enter the source port name or number for this service object. Lower Source Port Field that appears if you choose Range in the Source Port Operator field. Enter the number that is the beginning value for a range of services for this service object. Valid entries are from 0 to 65535. The number in this field must be less than the number entered in the Upper Source Port field. Upper Source Port Field that appears if you choose Range in the Source Port Operator field. Enter the number that is the ending value for a range of services for this service object. Valid entries are from 0 to 65535. The number in this field must be greater than the number entered in the Lower Source Port field. Destination Port Operator Operand to use when comparing destination port numbers: • Equal To—The destination port must be the same as the number in the Destination Port field. • Greater Than—The destination port must be greater than the number in the Destination Port field. • Less Than—The destination port must be less than the number in the Destination Port field. • Not Equal To—The destination port must not equal the number in the Destination Port field. • Range—The destination port must be within the range of ports specified by the Lower Destination Port field and the Upper Destination Port field. Destination Port Field that appears if you choose Equal To, Greater Than, Less Than, or Not Equal To in the Destination Port Operator field. Enter the destination port name or number for this service object. Lower Destination Port Field that appears if you choose Range in the Destination Port Operator field. Enter the number that is the beginning value for a range of services for this service object. Valid entries are from 0 to 65535. The number in this field must be less than the number entered in the Upper Destination Port field. Upper Destination Port Field that appears if you choose Range in the Destination Port Operator field. Enter the number that is the ending value for a range of services for this service object. Valid entries are from 0 to 65535. The number in this field must be greater than the number entered in the Lower Destination Port field. Table 6-21 TCP and UDP Service Parameters (continued) Field Description 6-96 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Object Groups Related Topics • Configuring Object Groups, page 6-89 • Configuring IP Addresses for Object Groups, page 6-91 • Configuring Subnet Objects for Object Groups, page 6-92 • Configuring Protocols for Object Groups, page 6-93 • Configuring ICMP Service Parameters for an Object Group, page 6-97 6-97 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Object Groups Configuring ICMP Service Parameters for an Object Group You can add ICMP service parameters to a service-type object group. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > Security > Object Groups. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > Security > Object Groups. The Object Groups table appears, listing the existing object groups. Step 2 In the Object Groups table, choose an existing service-type object group, and click the ICMP Service Parameters tab. The ICMP Service Parameters table appears. Step 3 Click Add to add an entry to this table. Step 4 Configure ICMP type objects using the information in Table 6-22. Table 6-22 ICMP Type Service Parameters Field Description ICMP Version Field that appears for ACE module and ACE appliance software Version A5(1.0) or later. Internet Control Message Protocol (ICMP) version. Choose one of the following radio buttons: • ICMP—ICMP for Internet Protocol version 4 (IPv4). • ICMPv6—ICMP version 6 (ICMPv6) for Internet Protocol version 6 (IPv6). ICMP Type ICMP type or number for this service object. Table 6-23 lists common ICMP types and numbers. Table 6-24 lists the ICMPv6 types and numbers. Message Code Operator Operand to use when comparing message codes for this service object: • Equal To—The message code must be the same as the number in the Message Code field. • Greater Than—The message code must be greater than the number in the Message Code field. • Less Than—The message code must be less than the number in the Message Code field. • Not Equal To—The message code must not equal the number in the Message Code field. • Range—The message code must be within the range of codes specified by the Min Message Code field and the Max. Message Code field. Message Code Field that appears if you choose one of the following in the Message Code Operator field: Equal To, Greater Than, Less Than, or Not Equal To. Enter the ICMP message code for this service object. 6-98 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Object Groups Min. Message Code Field that appears if you choose Range in the Message Code Operator field. Enter the number that is the beginning value for a range of services for this service object. Valid entries are from 0 to 255. The number in this field must be less than the number entered in the Max Message Code field. Max. Message Code Field that appears if you choose Range in the Message Code Operator field. Enter the number that is the ending value for a range of services for this service object. Valid entries are from 0 to 255. The number in this field must be greater than the number entered in the Min. Message Code field. Table 6-23 ICMP Type Numbers and Names Number ICMP Type Name 0 Echo-Reply 3 Unreachable 4 Source-Quench 5 Redirect 6 Alternate-Address 8 Echo 9 Router-Advertisement 10 Router-Solicitation 11 Time-Exceeded 12 Parameter-Problem 13 Timestamp-Request 14 Timestamp-Reply 15 Information-Request 16 Information-Reply 17 Address-Mask-Request 18 Address-Mask-Reply 31 Conversion-Error 32 Mobile-Redirect Table 6-24 ICMPv6 Type Numbers and Names Number ICMPv6 Type Name 128 Echo 129 Echo-Reply 140 Information-Reply 139 Information-Request Table 6-22 ICMP Type Service Parameters (continued) Field Description 6-99 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing ACLs Step 5 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click OK to save your entries. This option appears for configuration building blocks. • Click Cancel to exit this procedure without saving your entries. • Click Next to deploy your entries and to add another entry to the ICMP Service Parameters table. Related Topics • Configuring Object Groups, page 6-89 • Configuring IP Addresses for Object Groups, page 6-91 • Configuring Subnet Objects for Object Groups, page 6-92 • Configuring Protocols for Object Groups, page 6-93 • Configuring TCP/UDP Service Parameters for Object Groups, page 6-94 Managing ACLs This section describes how to manage ACLs. This section includes the following topics: • Viewing All ACLs by Context, page 6-99. • Editing or Deleting ACLs, page 6-100. Viewing All ACLs by Context You can display ACLs that have been configured. Procedure Step 1 Choose Config > Devices. The device tree appears. Step 2 In the device tree, choose the virtual context with the ACLs that you want to view, and choose Security > ACLs. 4 Parameter-Problem 137 Redirect 3 Time-Exceeded 30 Traceroute 1 Unreachable Table 6-24 ICMPv6 Type Numbers and Names (continued) Number ICMPv6 Type Name 6-100 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing ACLs The ACLs table appears, listing the existing ACLs in that context with their name, their type (Extended or EtherType), and all details (such as Action, Protocol, Interface information). Step 3 To display all of the ACLs for a given table entry, click the plus sign to the left of that entry. Step 4 To display all of the ACLs for all of the entries, click Expand All on the Add/Edit/Delete row. Step 5 To collapse all of the ACLs for all of the entries, click Collapse All on the Add/Edit/Delete row. Related Topics • Configuring Security with ACLs, page 6-78 • Creating ACLs, page 6-79 • Setting EtherType ACL Attributes, page 6-87 • Setting Extended ACL Attributes, page 6-82 • Editing or Deleting ACLs, page 6-100 Editing or Deleting ACLs You can delete or edit an ACL or any of its subentries. Considerations • You cannot mix IPv6 and IPv4 access-list entries in the same ACL. Note IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. • Before you change the IP address type (IPv4/IPv6) for an existing ACL, you must remove the entries that are not applicable to the new IP address type. • If you change the ACL protocol, the ACE removes all of the existing settings for the ACL. Procedure Step 1 Choose the item to edit or delete as follows: • Choose Config > Devices > context > Security > ACLs. • Choose Config > Global > All Building Blocks > building_block > Security > ACLs. The ACLs table appears, listing the existing ACLs. Step 2 In the ACLs table, choose the radio button to the left of the ACL that you want to Edit or Delete. Expand entries if necessary by clicking the plus sign to the left of any ACL entry until you see the subentry ACL for which you are looking, or click the Expand All icon to view all ACLs and subentries. Step 3 Do one of the following: • If you are editing an ACL or one of its entries, click Edit and go to Step 4. • If you are deleting an ACL or one of its entries, click Delete and go to Step 5. Step 4 Edit the entry using the summary information listed in Table 6-18 if needed, and click Deploy when done. 6-101 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Configuring Virtual Context Expert Options Step 5 Click Delete. A confirmation popup window appears asking you to confirm the deletion. If you click OK, the ACLs table refreshes without the deleted ACL. Related Topics • Creating ACLs, page 6-79 • Setting EtherType ACL Attributes, page 6-87 • Setting Extended ACL Attributes, page 6-82 • Resequencing Extended ACLs, page 6-87 Configuring Virtual Context Expert Options The ANM virtual context Expert configuration options allow you to do the following: • Establish traffic policies for virtual servers by classifying types of network traffic and then applying the appropriate rules and actions for handling the traffic. See the “Configuring Traffic Policies” section on page 14-1. • Compare a virtual context configuration with a tagged configuration building block that has been applied to the context. See the “Comparing Context and Building Block Configurations” section on page 6-101. • For ACE modules and ACE appliances, configure HTTP header modify action lists. See the “Configuring an HTTP Header Modify Action List” section on page 14-85. • For ACE appliances, configure optimization action lists. See the “Configuring an HTTP Optimization Action List” section on page 15-3. Comparing Context and Building Block Configurations ANM allows you to compare the current configuration of a virtual context that has had a tagged configuration building block applied to it with the settings of the applied building block. Discrepancies between these configurations can occur when you configure the virtual context after applying the building block instead of modifying and tagging the building block, then applying the updated building block to the virtual context. The ANM auditing process identifies the discrepancies by configuration category (such as policy maps or SNMP) and groups them accordingly. You can identify discrepancies between an ANM tagged building block and a virtual context that previously had the building block applied to it. Assumption The virtual context has had a tagged building block applied to it. Procedure Step 1 Choose Config > Devices > context > Expert > Building Block Audit. 6-102 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Comparing Context and Building Block Configurations The Building Block Audit window appears with the Comparison Results table, listing any discrepancies between the configurations. Step 2 In the Building Block Audit window, identify the discrepancies as follows: • Click All at the top of the results tree. The Comparison Results table displays all discrepancies. The values that follow the word All, such as 2c 5d 3a, indicate differences between the virtual context configuration and the building block configuration. These values use the format n where n represents the number of differences between the configurations and represents the type of difference. The possible results are as follows: – nc (changed) indicates the number of items with settings that have changed or differ from the settings in the building block. For example, 2c indicates that two configuration options in the context currently have different settings or values than those settings or values in the applied building block. – nd (deleted) indicates the number of items that were in the applied building block that do not exist in the current context configuration. For example, 5d indicates that five configuration options that were in the applied building block do not exist in the current context configuration. – na (added) indicates the number of items that are in the current context configuration that were not in the applied building block. For example, 3a indicates that three configuration options that were not in the applied building block have been added to the context configuration. • Click a folder in the results tree. The Comparison Results table displays the discrepancies for that configuration category, such as SNMP or class maps. • Click an item within a folder. The Comparison Results table displays the differences for that specific attribute. Step 3 In the Comparison Results table, when viewing results, you can do one of the following: • Filter the results by entering a complete or partial string in one or more of the input fields at the top of the columns, then clicking Go. • Sort the results in ascending or descending order by clicking a column heading. Related Topics • Configuring Virtual Contexts, page 6-8 • Managing Virtual Contexts, page 6-103 • Using Configuration Building Blocks, page 16-1 6-103 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing Virtual Contexts Managing Virtual Contexts You can perform the following administrative actions on virtual contexts. This section includes the following topics: • Displaying All Virtual Contexts, page 6-103 • Synchronizing Virtual Context Configurations, page 6-105 • Managing Syslog Settings for Autosynchronization, page 6-105 • Editing Virtual Contexts, page 6-106 • Deleting Virtual Contexts, page 6-107 • Upgrading Virtual Contexts, page 6-107 • Restarting Virtual Context Polling, page 6-108 • Comparing Context and Building Block Configurations, page 6-101 Displaying All Virtual Contexts You can display some or all virtual contexts being managed by ANM. Procedure Step 1 Choose Config > Devices > All VC. The All Virtual Contexts table appears with the information described in Table 6-25. Table 6-25 All Virtual Contexts Table Field Description Name Context name including chassis and slot. Resource Class Resource class applied to the context. Management IPs List of IP addresses used for remote management of the context. Building Block Configuration building block applied to the context. CLI Sync Status Administrative configuration status of the context as follows: • Import Failed—The context did not import successfully. This problem could have occurred when the device was added to ANM or when the context was synchronized. Synchronize the context so that you can manage it (Config > Devices > ACE > context > Sync). • OK—The context is synchronized with the ACE CLI. • Out of Sync—The context is managed by the ANM but the configuration for the context on the device differs from the configuration managed by the ANM. For information on synchronizing contexts, see the “Synchronizing Virtual Context Configurations” section on page 6-105. • Unprovisioned—The context has been removed from the ACE using the CLI but has not been removed from ANM. To remove unprovisioned contexts, synchronize the associated Admin context. Last CLI Sync Status Change Time stamp of the last CLI synchronization with ANM. 6-104 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing Virtual Contexts Step 2 Use the object selector to view all virtual contexts or only those contexts on a specific device. Related Topics • Restarting Virtual Context Polling, page 6-108 • Enabling Polling on All Devices, page 17-47 • Synchronizing Virtual Context Configurations, page 6-105 ACE HA State High availability state of the context. If the context is configured for high availability, the current state of the context with regard to high availability: • Active—The context is actively processing flows for the HA pair. • Standby Cold—Either the fault-tolerant VLAN is down, but the peer ACE is still alive, or the configuration or application state synchronization failed. • Standby Bulk—The context is waiting to receive information from its active peer context. • Standby Hot—The context has all the state information that it needs to statefully assume the active state if a switchover occurs. • Standby Warm—Allows the configuration and state synchronization process to continue on a best-effort basis when you upgrade or downgrade the ACE software. ACE HA Peer Identifier of the ACE high availability peer. ACE HA Peer State Current state of the context with regard to high availability on the ACE peer. See the states listed for the ACE HA State field. Polling Status Current polling status of the context: • Missing SNMP Credentials—SNMP credentials are not configured for this virtual context; statistics are not collected. Add SNMPv2c credentials to fix this error. • Not Polled—SNMP polling has not started. This problem might occur when the virtual context is first created from ANM and the SNMP credentials are not configured. Add SNMPv2c credentials to fix this error. • Not Supported—This status appears at the device level only and applies to Catalyst 6500 series chassis, Cisco 7600 series routers, and ACE appliances. • Polling Failed—SNMP polling failed due to some internal error. Try restarting polling to enable SNMP collection again. • Polling Started—No action is required. Everything is working properly. Polling states will display activity. • Polling Timed Out—SNMP polling has timed out. This problem might occur if the wrong credentials were configured or might be caused by an internal error (such as SNMP was configured incorrectly or the destination is not reachable). Verify that SNMP credentials are correct. If the problem persists, restart polling to enable SNMP collection again. • Unknown—SNMP polling is not working due to one of the above-mentioned conditions. Check the SNMPv2c credential configuration. Table 6-25 All Virtual Contexts Table (continued) Field Description 6-105 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing Virtual Contexts Synchronizing Virtual Context Configurations You can synchronize the configurations for a virtual context. ANM allows you to synchronize the configuration information residing on an ACE with the configuration information maintained by the ANM server for the same device. When ANM synchronizes a context, it uploads the configuration from the device to the ANM server. In accordance with your role-based permission level, the ANM Status bar displays the number of virtual contexts that are not synchronized with the ACE CLI against the total number of virtual contexts and the number of failed synchronization attempts. You should synchronize contexts for the following reasons: • You configure the ACE directly via the CLI instead of using the ANM interface. The CLI Sync Status is Out of Sync in the Virtual Contexts table (Config > Devices > ACE) if the configurations for a virtual context differ. • A context has been removed from the ACE using the CLI, reflected by the CLI Sync Status Unprovisioned in the Virtual Contexts table. In this situation, you need to synchronize the Admin context to remove the unprovisioned context. • A context has not successfully been imported into ANM during discovery or a Sync operation, reflected by the CLI Sync Status Import Failed in the Virtual Contexts table. In this situation, you need to synchronize the context before you can modify its configuration. • You recently installed or uninstalled a license on an ACE using either ANM or the CLI. Synchronize the Admin context of the ACE with the CLI. Procedure Step 1 Choose Config > Devices. The device tree appears. Step 2 In the device tree, choose either All VC or the ACE with the virtual context configuration that you want to synchronize. The Virtual Contexts table appears. Step 3 In the Virtual Contexts table, choose the virtual context with the configuration that you want to synchronize, and click CLI Sync. The verification popup window appears, asking you to verify the synchronization request. Step 4 In the verification popup window, click Yes. Synchronization begins and the Virtual Contexts table refreshes when synchronization is complete. Related Topics • Configuring Auto Sync Settings, page 18-61 • Editing Virtual Contexts, page 6-106 • Restarting Virtual Context Polling, page 6-108 • Comparing Context and Building Block Configurations, page 6-101 Managing Syslog Settings for Autosynchronization You can configure ANM to receive syslog messages for a virtual context. 6-106 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing Virtual Contexts Setting autosynchronization to occur upon receipt of a device syslog message allows a faster, more streamlined synchronization process between ANM and any out-of-band configuration changes. Instead of waiting the default polling period, ANM will synchronize when a syslog message is received if Setup Syslog for Autosync is enabled. Procedure Step 1 Choose Config > Devices > Virtual Context Management> Setup Syslog for Autosync. The Setup Syslog for Autosync window appears. Step 2 In the Setup Syslog for Autosync window, choose either All VC or the ACE with the virtual context configuration that you want to receive Autosync syslog messages Step 3 Click Setup Syslog. A progress bar window appears. A checkbox with a checkmark appears in the Setup Syslog for Autosync? column for each virtual context and ACE device you checked. Step 4 Click the Setup Syslog button. The following CLI commands are sent to the enabled devices: logging enable logging trap 2 logging device-id string /Admin logging host udp/514 logging message 111008 level 2 Related Topics • Synchronizing Virtual Context Configurations, page 6-105 • Restarting Virtual Context Polling, page 6-108 Editing Virtual Contexts You can modify the configuration of an existing virtual context. Procedure Step 1 Choose Config > Devices. The device tree appears. Step 2 In the device tree, choose the virtual context, then choose the configuration attributes that you want to modify. For information on configuration options, see the “Configuring Virtual Contexts” section on page 6-8. Step 3 Do one of the following: • Click OK to save your entries. • Click Cancel to exit the procedure without saving your entries. 6-107 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing Virtual Contexts Related Topics • Information About Virtual Contexts, page 6-2 • Configuring Virtual Contexts, page 6-8 Deleting Virtual Contexts You can remove an existing virtual context. Note If you remove a virtual context using the CLI, the CLI Sync Status for the virtual context appears as Unprovisioned in the Virtual Contexts table (Config > Devices > ACE). To remove the unprovisioned virtual context from the ANM, either synchronize the Admin virtual context (see the “Synchronizing Virtual Context Configurations” section on page 6-105) or delete the virtual context by selecting the virtual context, then clicking Delete. Procedure Step 1 Choose Config > Devices. The device tree appears. Step 2 In the device tree, choose the virtual context that you want to configure, and click Delete in either the device pane or the configuration pane. A confirmation popup window appears, asking you to confirm the deletion. Step 3 Do one of the following: • Click OK to delete the selected context. The device tree refreshes and the deleted context no longer appears. • Click Cancel to exit this procedure and to retain the selected context. Related Topics • Configuring Virtual Contexts, page 6-8 • Comparing Context and Building Block Configurations, page 6-101 Upgrading Virtual Contexts You can apply a different resource class, configuration building block, or VLAN to a virtual context. Procedure Step 1 Choose Config > Devices. The device tree appears. Step 2 In the device tree, choose the virtual context that you want to upgrade, and choose System > Primary Attributes. The Edit Virtual Context window appears. 6-108 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing Virtual Contexts Step 3 In the Resource Class field of the Edit Virtual Context window, choose the resource class that you want to apply to the context. Note If you attempt to apply a resource class that could consume the resources required to maintain IP connectivity to the Admin context, you will see an error message and the resource class will not be applied. We recommend that you first apply a resource class to the Admin context that will prevent its resources from being allocated to other contexts. For more information, see the “Resource Allocation Constraints” section on page 6-44. Step 4 In the Tagged Building Block To Apply field, choose the building block to apply to this virtual context. Step 5 In the Allocate-Interface VLANs field, enter the number of a VLAN or a range of VLANs so that the context can receive the associated traffic. You can specify VLANs as follows: • For a single VLAN, enter an integer from 2 to 4096. • For multiple, nonsequential VLANs, use comma-separated entries, such as 101,201,302. • For a range of VLANs, use the format -, such as 101-150. Note You cannot modify VLANs in an Admin context. Step 6 In the Description field, enter a brief description for this context. Step 7 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes with updated information. To exit this procedure without saving your entries, choose another item in the menu bar or device tree. A popup window appears, confirming that you have not saved your entries. Related Topics • Information About Virtual Contexts, page 6-2 • Configuring Virtual Contexts, page 6-8 Restarting Virtual Context Polling You can restart monitoring and enable SNMP collection on a single context that has stopped or failed to start. Note To restart polling and enable SNMP collection on all virtual contexts, choose Monitor > Settings > Global Polling Configuration, and configure global polling attributes using the information in the “Enabling Polling on All Devices” section on page 17-47. Procedure Step 1 Choose Config > Devices. 6-109 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing Virtual Contexts The device tree appears. Step 2 In the device tree, choose the ACE associated with the virtual context with stopped or failed polling. The Virtual Contexts table appears. Step 3 In the Virtual Contexts table, choose the context with the stopped or failed polling, and click Restart Polling. If the ANM cannot monitor the selected context, it displays an error message stating the reason. Related Topics • Information About Virtual Contexts, page 6-2 • Configuring Virtual Contexts, page 6-8 • Enabling Polling on All Devices, page 17-47 6-110 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 6 Configuring Virtual Contexts Managing Virtual Contexts CHAPTER 7-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 7 Configuring Virtual Servers Date: 3/28/12 This chapter describes how to configure virtual servers for load balancing on the Cisco Application Control Engine (ACE) using Cisco Application Networking Manager (ANM). Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This chapter includes the following sections: • Information About Load Balancing, page 7-1 • Configuring Virtual Servers, page 7-2 • Managing Virtual Servers, page 7-66 • Deploying Virtual Servers, page 7-86 Information About Load Balancing Server load balancing (SLB) is the process of deciding to which server a load balancer should send a client request for service. For example, a client request can consist of an HTTP GET for a web page or an FTP GET to download a file. The load balancer selects the server that can successfully fulfill the client request and in the shortest amount of time without overloading either the server or the server farm as a whole. Depending on the load-balancing algorithm or predictor that you configure, the ACE performs a series of checks and calculations to determine the server that can best service each client request. The ACE bases server selection on several factors, including the server with the fewest connections with respect to load, source or destination address, cookies, URLs, or HTTP headers. ANM allows you to configure load balancing using: • Virtual servers—See Configuring Virtual Servers, page 7-2. 7-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers • Real servers—See Configuring Real Servers, page 8-5. • Server farms—See Configuring Server Farms, page 8-30. • Predictor methods—See Configuring the Predictor Method for Server Farms, page 8-39 • Health probes—See Configuring Health Monitoring for Real Servers, page 8-51 • Sticky groups—See Configuring Sticky Groups, page 9-7. • Parameter maps—See Configuring Parameter Maps, page 10-1. Configuring Virtual Servers In a load-balancing environment, a virtual server is a construct that allows multiple physical servers to appear as one for load-balancing purposes. A virtual server is bound to physical services running on real servers in a server farm and uses IP address and port information to distribute incoming client requests to the servers in the server farm according to a specified load-balancing algorithm. You use class maps to configure a virtual server address and definition. The load-balancing predictor algorithms (for example, round-robin, least connections, and so on) determine the servers to which the ACE sends connection requests. This section includes the following topics: • Virtual Server Configuration and ANM, page 7-2 • Information About Using ANM to Configure Virtual Servers, page 7-4 • Virtual Server Usage Guidelines, page 7-5 • Virtual Server Testing and Troubleshooting, page 7-6 • Virtual Server Configuration Procedure, page 7-7 Virtual Server Configuration and ANM This section identifies the constraints and framework used by ANM for virtual server configuration. In ANM, a virtual server has the following attributes: • A single Layer 3/Layer 4 match condition You can specify only a single IP address (or single IP address range if an IPv4 netmask or IPv6 prefix length is used), with only a single port (or port range). A single match condition greatly simplifies and aids virtual server configuration. Note IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. • A default Layer 7 action • A Layer 7 policy map • A Layer 3/Layer 4 class map • A single multimatch policy map, a class-map match, and an action Virtual server attributes also include the following: • The virtual server multimatch policy map is associated with an interface or is global. 7-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers • The name of the virtual server is derived from the name of the Layer 3/Layer 4 class map. Example 7-1 shows the minimum configuration statements required for a virtual server. Example 7-1 Minimum Configuration Required for a Virtual Server IPv4 Configuration class-map match-all Example_VIP 2 match virtual-address 10.10.10.10 tcp eq www policy-map type loadbalance first-match Example_VIP-l7slb class class-default forward policy-map multi-match int10 class Example_VIP loadbalance policy Example_VIP-l7slb interface vlan 10 ip address 192.168.65.37 255.255.255.0 service-policy input int10 no shutdown IPv6 Configuration (Requires ACE module and ACE appliance software Version A5(1.0) or later) class-map match-all Example2_VIP 2 match virtual-address 2001:DB8:10::5 tcp eq www policy-map type loadbalance first-match Example2_VIP-l7slb class class-default f orward policy-map multi-match int11 class Example2_VIP loadbalance policy Example2_VIP-l7slb interface vlan 10 ip address 2001:DB8:10::21/64 service-policy input int11 no shutdown Note the following items regarding the ANM and virtual servers: • Additional configuration options The Virtual Server configuration window allows you to configure additional items for a functional VIP. These items include server farms, sticky groups, real servers, probes, parameter maps, inspection, class maps, and inline match conditions. Because too many items on a window can be overwhelming, not all configuration options appear on the Virtual Server configuration window, such as sticky statics or backup real servers. These options are available elsewhere in the ANM interface instead of on the Virtual Server configuration window. • Configuration options and roles To support and maintain the separation of roles, some objects cannot be configured using the Virtual Server configuration window. These objects include SSL certificates, SSL keys, NAT pools, interface IP addresses, and ACLs. Providing these options as separate configuration options in the ANM interface ensures that a user who can view or modify virtual servers or aspects of virtual servers cannot create or delete virtual servers. • Changes to virtual servers using the CLI or Expert options can prevent further modifications in the Virtual Server configuration window 7-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers If you create a virtual server using the Virtual Server configuration window, modify it using the CLI or Expert options (Config > Devices > Expert), and then attempt to modify it again using the Virtual Server configuration window, error messages will be displayed and you will not be able to modify the virtual server. • Changes to virtual server IP address type is not allowed When creating a virtual server, you choose whether to use the IPv4 or IPv6 address type. You cannot change the IP address type of an existing virtual server. If you need to change the IP address type, you must create a new virtual server. Note IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Related Topics • Configuring Virtual Servers, page 7-2 • Information About Using ANM to Configure Virtual Servers, page 7-4 • Virtual Server Usage Guidelines, page 7-5 • Virtual Server Testing and Troubleshooting, page 7-6 • Virtual Server Configuration Procedure, page 7-7 Information About Using ANM to Configure Virtual Servers Follow these guidelines when using ANM to configure virtual servers: • Virtual server configuration windows The ANM Virtual Server configuration windows are designed to aid you in configuring virtual servers by presenting configuration options that are relevant to your choices. For example, the protocols that you select in the Properties configuration subset determine the other configuration subsets that appear. • Use the virtual server configuration method that suits you The ANM Virtual Server configuration windows simplify the process of creating, modifying, and deploying virtual servers by displaying those options that you are most likely to use. In addition, as you specify attributes for a virtual server, such as protocols, the interface refreshes with related configuration options, such as Protocol Inspection or Application Acceleration and Optimization, which speeds virtual server configuration and deployment. While Virtual Server configuration windows remove some configuration complexities, they have a few constraints that the Expert configuration options do not. If you are comfortable using the CLI, you can use the Expert options (such as Config > Devices > context > Expert > Class Maps or Policy or Config > Devices > context > Load Balancing > Parameter Maps to configure more complex attributes of virtual servers, traffic policies, and parameter maps. • Synchronizing virtual server configurations If you configure a virtual server using the CLI and then use the Sync option (Config > Devices > ACE > Sync) to synchronize configurations, the configuration that appears in ANM for the virtual server might not display all configuration options for that virtual server. The configuration that appears in ANM depends on a number of items, such as the protocols configured in class maps or the rules defined for policy maps. 7-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers For example, if you configure a virtual server on the CLI that includes a class map that can match any protocol, you will not see the virtual server Application Acceleration and Optimization configuration subset in ANM. • Modifying shared objects Modifying an object that is used by multiple virtual servers, such as a server farm, real server, or parameter map, could impact the other virtual servers. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying objects used by multiple virtual servers. Related Topics • Configuring Virtual Servers, page 7-2 • Virtual Server Configuration and ANM, page 7-2 • Virtual Server Usage Guidelines, page 7-5 • Virtual Server Testing and Troubleshooting, page 7-6 • Virtual Server Configuration Procedure, page 7-7 Virtual Server Usage Guidelines The Virtual Server configuration window provides you with numerous configuration options. However, instead of setting every option in one pass, configure your virtual server in stages. The first stage should always be to establish basic “pass through” connectivity with simple load balancing and include minimal additional features. This level of setup should verify that ports, VLANs, interfaces, SSL termination (if applicable), and real servers have been set up properly, enabling basic connectivity. After you establish this level of connectivity, additional virtual server features will be easier to configure and troubleshoot. Common features to add to a working basic virtual server include: • Health monitoring probes • Session persistence (sticky) • Additional real servers to a server farm • Application protocol inspection • Application acceleration and optimization (ACE appliance only) Table 7-1 identifies and describes virtual server configuration subsets with links to related topics for configuration information. Related Topics • Configuring Virtual Servers, page 7-2 • Virtual Server Configuration and ANM, page 7-2 • Virtual Server Testing and Troubleshooting, page 7-6 • Virtual Server Configuration Procedure, page 7-7 7-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Virtual Server Testing and Troubleshooting As outlined in the “Virtual Server Usage Guidelines” section on page 7-5, first set up a basic virtual server that only enables connectivity and simple load balancing, such as round-robin between two real servers. Next, use a client, such as a web browser, to send a request from the client network to the virtual server's VIP address. If the request is successful, you can now make changes or add virtual server features. If the request is not successful, begin virtual server troubleshooting as outlined in the following sequence: 1. Wait and retry your request after a minute or two, especially if the existing ACE configuration is large. It can take seconds or even minutes for configuration changes to affect how traffic is handled by ACE. 2. Click the Details button in the lower right of the Virtual Server page. The Details button displays the output of the show service-policy CLI command. 3. Verify that the VIP State in the show service-policy CLI command output is INSERVICE. If the VIP state is not INSERVICE, this may indicate the following: – The virtual server has been manually disabled in the configuration. – The real servers are all unreachable from ACE or manually disabled. If all of a virtual server's real servers are out of service due to one of those reasons, the virtual server itself will be marked Out Of Service. 4. Verify the Hit Count in the show service-policy CLI command output. Hit Count shows the number of requests received by ACE. This value should increase for each request attempted by your client. If the hit count does not increase with each request, this indicates that the request is not reaching your virtual server configuration. This could be a problem with: – A physical connection. – VLAN or VLAN interface configuration. – Missing or incorrect ACL applied to the client interface. – Incorrect IP address (that is, a VIP that is not valid on the selected VLANs for the virtual server, or a VIP that is not accessible to your client). If the Hit Count value increases but no response is received (Server Pkt Count does not increases), the problem is more likely to be in the connectivity between the ACE and the backend real servers. This issue is typically caused by one or more of the following problems: – You are working on a one-armed configuration (that is, do not plan to change routing for your real servers) and have not selected an appropriate NAT pool for your virtual server to use with source NAT. – A different routing problem (for example, server traffic does not know how to get back to the ACE). – Addressing problem (for example, you have an incorrect real server address, or the real server is not accessible to ACE due to network topology). Note Hit count can increase by more than one, even if you make only a single request from your web browser, because retrieving a typical web page makes many requests from the client to the server. 7-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Related Topics • Configuring Virtual Servers, page 7-2 • Virtual Server Configuration and ANM, page 7-2 • Virtual Server Usage Guidelines, page 7-5 • Virtual Server Configuration Procedure, page 7-7 Virtual Server Configuration Procedure You can add virtual servers to the ANM for load-balancing purposes. Assumptions This topic assumes the following: • Depending on the protocol to be used for the virtual server, parameter maps need to be defined. • For SSL service, SSL certificates, keys, and chain groups, parameter maps must be configured. Guidelines and Restrictions ANM does not support CSM DNS virtual servers. If you create this type of virtual server, ANM issues an error message if you attempt to use ANM to activate or suspend it. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears. For details about the information that displays, see “Displaying Virtual Servers by Context” section on page 7-65. Step 2 In the Virtual Servers table, click Poll Now to instruct ANM to poll the devices and display the current values. Step 3 Click OK when prompted if you want to poll the devices for data now. Step 4 Click Add to add a new virtual server, or choose an existing virtual server and click Edit to modify it. The Virtual Server configuration window appears with a number of configuration subsets. The subsets that you see depend on whether you use the Basic View or the Advanced View and entries that you make in the Properties subset. Change views by using the View object selector at the top of the configuration pane. Table 7-1 identifies and describes virtual server configuration subsets with links to related topics for configuration information. Note The protocols that are available depend on the ACE device that you are configuring. For a list of the protocols available for each ACE device type, see Table 7-2. 7-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Table 7-1 Virtual Server Configuration Subsets Configuration Subset Description Related Topics Properties Subset that allows you to specify basic virtual server characteristics, such as the virtual server name, IP address, protocol, port, and VLANs. Configuring Virtual Server Properties, page 7-11 SSL Termination Subset that appears when TCP is the selected protocol and Other or HTTPS is the application protocol. This subset allows you to configure the virtual server to act as an SSL proxy server and terminate SSL sessions between it and its clients. Configuring Virtual Server SSL Termination, page 7-17 Protocol Inspection Subset that appears in the Advanced View for: • TCP with FTP, HTTP, HTTPS, Real Time Streaming Protocol (RTSP), or Session Initiated Protocol (SIP) • UDP with Domain Name System (DNS) or SIP This subset appears in the Basic view for TCP with FTP. This subset allows you to configure the virtual server so that it can verify protocol behavior and identify unwanted or malicious traffic passing through the ACE on selected application protocols. Configuring Virtual Server Protocol Inspection, page 7-18 Application Acceleration And Optimization Subset that appears only for ACE appliances. It appears in the Advanced View when HTTP or HTTPS is the selected application protocol. This subset allows you to configure application acceleration and optimization options for HTTP or HTTPS traffic. Configuring Application Acceleration and Optimization, page 7-53 L7 Load-Balancing Subset that appears only in the Advanced View for these protocols: • TCP with Generic, HTTP, HTTPS, RTSP, or SIP • UDP with Generic, RADIUS, or SIP This subset allows you to configure Layer 7 load-balancing options, such as: • Server farms/real servers • Health monitoring probes • Stickiness • SSL initiation Configuring Virtual Server Layer 7 Load Balancing, page 7-30 Default L7 Load-Balancing Action Subset that allows you to establish the default Layer 7 load-balancing actions for all network traffic that does not meet previously specified match conditions including the SSL initiation configuration. Configuring Virtual Server Default Layer 7 Load Balancing, page 7-50 NAT Subset that allows you to set up Name Address Translation (NAT) for the virtual server. Configuring Virtual Server NAT, page 7-63 7-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Step 5 Do one of the following: • Click Deploy Now to deploy the configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Virtual Servers table. • Click Deploy Later to save your entries and apply them at a later time. Step 6 (Optional) To display statistics and status information for an existing virtual server, from the Virtual Servers table, choose a virtual server and click Details. A popup window appears that displays the detailed virtual server information (see the “Displaying Virtual Server Statistics and Status Information” section on page 7-65 for details). Note This feature requires ACE module software Version A2(1.2), ACE appliance software Version A3(2.1), or later versions of either software. An error displays with earlier software versions. Related Topics • Configuring Virtual Servers, page 7-2 • Virtual Server Configuration and ANM, page 7-2 • Virtual Server Usage Guidelines, page 7-5 • Information About Using ANM to Configure Virtual Servers, page 7-4 • Shared Objects and Virtual Servers, page 7-9 • Displaying Virtual Servers by Context, page 7-65 • Displaying Virtual Server Statistics and Status Information, page 7-65 • Managing Virtual Servers, page 7-66 • Deploying Virtual Servers, page 7-86 • Understanding Roles, page 18-6 Shared Objects and Virtual Servers A shared object is one that is used by multiple virtual servers. The following examples are shared objects: • Action lists • Class maps • Parameter maps • Real servers • Server farms • SSL services • Sticky groups 7-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Because these objects are shared, modifying an object’s configuration in one virtual server can impact other virtual servers that use the same object. Configuring Shared Objects ANM offers the following options for shared objects in virtual server configuration windows (Config > Devices > context > Load Balancing > Virtual Servers): • View—Displays the object’s configuration. The window refreshes with read-only fields and the following three buttons. • Cancel—Closes the read-only view and to return to the previous window. • Edit—Enables you to modify the selected object’s configuration. The window refreshes with fields that can be modified, except for the Name field which remains read-only. Note Before changing a shared object’s configuration, make sure that you understand the effect of the changes on other virtual servers using the same object. As an alternative, consider using the Duplicate option instead. • Duplicate—Enables you to create a new object with the same configuration as the selected object. The window refreshes with configurable fields. In the Name field, enter a unique name for the new object, and then modify the configuration as desired. This option allows you to create a new object without impacting other virtual servers using the same object. Deleting Virtual Servers with Shared Objects If you create a virtual server and include shared objects in its configuration, deleting the virtual server does not delete the associated shared objects. This action ensures that other virtual servers using the same shared objects are not impacted. Related Topics • Managing Virtual Servers, page 7-66 • Virtual Server Protocols by Device Type, page 7-11 • Configuring Virtual Server Properties, page 7-11 • Configuring Virtual Server SSL Termination, page 7-17 • Configuring Virtual Server Protocol Inspection, page 7-18 • Configuring Virtual Server Layer 7 Load Balancing, page 7-30 • Configuring Virtual Server Default Layer 7 Load Balancing, page 7-50 • Configuring Application Acceleration and Optimization, page 7-53 • Configuring Virtual Server NAT, page 7-63 7-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Virtual Server Protocols by Device Type The protocols that are available for a virtual server depend on the ACE device that you are configuring. Table 7-2 lists the protocols available for each device type. Related Topics • Configuring Virtual Servers, page 7-2 • Configuring Virtual Server Properties, page 7-11 • Managing Virtual Servers, page 7-66 Configuring Virtual Server Properties You can configure virtual server properties. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears. Step 2 In the Virtual Servers table, click Poll Now to instruct ANM to poll the devices and display the current values, and click OK when prompted if you want to poll the devices for data now. Step 3 Click Add to add a new virtual server, or choose an existing virtual server and click Edit to modify it. Table 7-2 Virtual Server Protocols for ACE Modules and Devices Protocol ACE Modules ACE Appliance Any X X TCP FTP X X Generic X X HTTP X X HTTPS X X Other X X RTSP X X RDP X X SIP X X UDP DNS X X Generic X X Other X X RADIUS X X SIP X X 7-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers The Virtual Server configuration window appears. The Properties configuration subset is open by default. The fields that you see in the Properties configuration subset depend on whether you are using Advanced View or Basic View: • To configure Advanced View properties, go to Step 4. • To configure Basic View properties, go to Step 5. Step 4 In the Advanced View, configure the virtual server properties by entering the information in Table 7-3. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Table 7-3 Virtual Server Properties – Advanced View Field Description Virtual Server Name Name for the virtual server. IP Address Type Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. Choose the address type of the virtual server: IPv4 or IPv6. Virtual IP Address IP address for the virtual server. Virtual IP Mask (IPv4 address type only) Subnet mask to apply to the virtual server IP address. Virtual IP Prefix Length (IPv6 address type only) Enter the prefix length to apply to the virtual server IP address. The default length for the prefix is 128. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Transport Protocol Protocol that the virtual server supports: • Any—The virtual server is to accept connections using any IP protocol. • TCP—The virtual server is to accept connections that use TCP. • UDP—The virtual server is to accept connections that use UDP. Application Protocol Field that appears if TCP or UDP is selected. The application protocols that are available depend on the type of ACE being configured. Choose the application protocol to be supported by the virtual server. Table 7-2 identifies the available protocols for each ACE device type. Note This field is read-only if you are editing an existing virtual server. ANM does not allow changes between protocols that require a change to the Layer 7 server load-balancing policy map. You need to delete the virtual server and create a new one with the desired application protocol. Port Field that appears for any TCP or UDP protocol. Enter the port to be used for the specified protocol. Valid entries are from 0 to 65535 or a range of integers, such as 10-20. Enter 0 (zero) to indicate all ports. For a complete list of protocols and ports, see the Internet Assigned Numbers Authority available at www.iana.org/numbers/ All VLANs Check box that enables support of incoming traffic from all VLANs. Uncheck the check box to support incoming traffic from specific VLANs only. 7-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers VLAN Field appears if the All VLANs check box is unchecked. In the Available Items list, choose the VLANs to use for incoming traffic, and click Add. The items appear in the Selected Items list. To remove VLANs, choose them in the Selected Items lists, and click Remove. The items appear in the Available Items list. Note You cannot change the VLAN for a virtual server once it is specified. Instead, delete the virtual server and create a new one with the desired VLAN. Connection Parameter Maps Field that appears if TCP is the selected protocol. Choose an existing connection parameter map or click *New* to create a new one as follows: • If you chose an existing parameter map, you can view, modify, or duplicate the existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. • If you click *New*, the Connection Parameter Maps configuration pane appears. Configure the connection parameter map as described in Table 10-2. Note Click More Settings to access the additional Connection Parameter Maps configuration attributes. By default, ANM hides the default Connection Parameter Maps configuration attributes and the attributes which are not commonly used. DNS Parameter Maps Field that appears if DNS is the selected protocol over UDP. Choose an existing DNS parameter map or click *New* to create a new one as follows: • If you chose an existing parameter map, you can view, modify, or duplicate the existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. • If you click *New*, the DNS Parameter Maps configuration pane appears. Configure the DNS parameter map as described in Table 10-11. Generic Parameter Maps Field that appears if Generic is the selected application protocol over TCP or UDP. Choose an existing Generic parameter map or click *New* to create a new one as follows: • If you chose an existing parameter map, you can view, modify, or duplicate the existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. • If you click *New*, the Generic Parameter Maps configuration pane appears. Configure the Generic parameter map as described in Table 10-4. HTTP Parameter Maps Field appears if HTTP or HTTPS is the selected application protocol. Choose an existing HTTP parameter map or click *New* to create a new one as follows: • If you chose an existing parameter map, you can view, modify, or duplicate the existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. • If you click *New*, the HTTP Parameter Maps configuration pane appears. Configure the HTTP parameter map as described in Table 10-5. Table 7-3 Virtual Server Properties – Advanced View (continued) Field Description 7-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers RTSP Parameter Maps Field that appears if RTSP is the selected application protocol over TCP. Choose an existing RTSP parameter map or click *New* to create a new one as follows: • If you chose an existing parameter map, you can view, modify, or duplicate the existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. • If you click *New*, the RTSP Parameter Maps configuration pane appears. Configure the RTSP parameter map as described in Table 10-8. KAL-AP-TAG Name Feature that is supported only for the ACE module software Version A2(2.0), ACE appliance software Version A4(1.0), and later versions for both device types. The KAL-AP-TAG feature allows the Cisco Global Site Selector (GSS) proprietary KAL-AP protocol to extract load and availability information from the ACE when a firewall is positioned between the GSS and the ACE. This feature allows you to configure a tag (name) per VIP for a maximum of 4096 tags on an ACE. This feature does not replace the tag per domain feature. For more information about this feature, see the Release Note for the Cisco Application Control Engine Module (Software Version A2(2.0)) or the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide (Software Version A2(3.0)), the Configuring Health Monitoring chapter. In the KAL-AP-TAG Name field, enter the name as an unquoted text string with no spaces and a maximum of 76 alphanumeric characters. The following scenarios are not supported and will result in an error: • You cannot configure a tag name for a VIP that already has a tag configuration as part of a different policy configuration. • You cannot associate the same tag name with more than one VIP. • You cannot associate the same tag name with a domain and a VIP. • You cannot assign two different tags to two different Layer 3 class maps that have the same VIP, but different port numbers. The KAL-AP protocol considers these class maps to have the same VIP and calculates the load for both Layer 3 rules together when the GSS queries the VIP. KAL-AP-Primary-Out-OfService Feature that is supported only for ACE module software Version A2(3.1), ACE appliance software Version A4(1.0), and later versions of either device type. Check the checkbox to enable the ACE to notify a Global Site Selector (GSS) that the primary server farm is down when the backup server farm is in use. Uncheck the checkbox to disable this feature. By default, when you configure a redirect server farm as a backup server farm on the ACE and the primary server farm fails, the backup server farm redirects client requests to another data center; however, the VIP remains in the INSERVICE state. When you configure the ACE to communicate with a GSS, it provides information for server availability. When a backup server is in use after the primary server farm is down, this feature enables the ACE to inform the GSS that the VIP for the primary server farm is out of service by returning a load value of 255. The GSS recognizes that the primary server farm is down and sends future DNS requests with the IP address of the other data center. Table 7-3 Virtual Server Properties – Advanced View (continued) Field Description 7-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Step 5 In the Basic View, configure virtual server properties by entering the information in Table 7-4. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. ICMP Reply Virtual server response to ICMP ECHO requests as follows: • None—The virtual server is not to send ICMP ECHO-REPLY responses to ICMP requests. • Active—The virtual server is to send ICMP ECHO-REPLY responses only if the configured VIP is active. • Always—The virtual server is always to send ICMP ECHO-REPLY responses to ICMP requests. • Primary Inservice—The virtual server is to reply to an ICMP ping only if the primary server farm state is UP, regardless of the state of the backup server farm. If this option is selected and the primary server farm state is DOWN, the ACE discards the ICMP request and the request times out. VIP Advertise Field that appears for ACE modules only. This option allows the ACE to advertise the IP address of the virtual server as the host route. Choose the desired VIP advertise option as follows: • None—The ACE does not advertise the IP address of the virtual server as the host route. • Active—The ACE advertises the IP address of the virtual server as the host route only if there is at least one active real server in the server farm. • Always—The ACE always advertises the IP address of the virtual server as the host route. • Active-Metric—The ACE advertises the IP address of the virtual server as the host route if the following occurs: • There is at least one active real server in the server farm. • A distance metric is specified for the route in the Distance field. • Always-Metric—The ACE advertises the IP address of the virtual server as the host route, using the distance metric in the Distance field. Distance Field that appears for ACE modules only. This field appears if you chose Active-Metric or Always-Metric in the VIP Advertise field. Enter the administrative distance to be included in the routing table. Valid entries are integers from 1 to 254. Status Operating state of the virtual server as follows: • In Service—Enables the virtual server for load-balancing operations. • Out Of Service—Disables the virtual server for load-balancing operations. Table 7-3 Virtual Server Properties – Advanced View (continued) Field Description 7-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Step 6 Do one of the following: • Click Deploy Now to deploy the configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries. • Click Deploy Later to save your entries and apply them at a later time. Related Topics • Configuring Virtual Servers, page 7-2 Table 7-4 Virtual Server Properties – Basic View Field Description Virtual Server Name Name for the virtual server. IP Address Type Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. Choose the address type of the virtual server: IPv4 or IPv6. Virtual IP Address IP address for the virtual server. Transport Protocol Protocol that the virtual server supports as follows: • Any—The virtual server accepts connections using any IP protocol. • TCP—The virtual server accepts connections that use TCP. • UDP—The virtual server accepts connections that use UDP. Application Protocol Field that appears if TCP or UDP is selected. The application protocols that are available depend on the type of ACE being configured. Choose the application protocol to be supported by the virtual server. Table 7-2 identifies the available protocols for each ACE device type. Note This field is read-only if you are editing an existing virtual server. ANM does not allow changes between protocols that require a change to the Layer 7 server load-balancing policy map. You need to delete the virtual server and create a new one with the desired application protocol. Port Field that appears for any specific TCP or UDP protocol. Enter the port to be used for the specified protocol. Valid entries are from 0 to 65535 or a range of integers, such as 10-20. Enter 0 (zero) to indicate all ports. For a complete list of all protocols and ports, see the Internet Assigned Numbers Authority available at www.iana.org/numbers/ All VLANs Check box that enables support of incoming traffic from all VLANs. Uncheck the check box to support incoming traffic from specific VLANs only. VLAN Field that appears if the All VLANs check box is unchecked. In the Available Items list, choose the VLANs to use for incoming traffic, and click Add. The items appear in the Selected Items list. To remove VLANs, choose them in the Selected Items lists, and click Remove. The items appear in the Available Items list. Note You cannot change the VLAN for a virtual server once it is specified. Instead, delete the virtual server and create a new one with the desired VLAN. 7-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers • Configuring Virtual Server SSL Termination, page 7-17 Configuring Virtual Server SSL Termination You can configure virtual server SSL termination service, which allows the virtual server to act as an SSL proxy server and terminate SSL sessions between it and its clients. Assumption Make sure that a virtual server has been configured for HTTPS over TCP or Other over TCP in the Properties configuration subset. For more information, see the “Configuring Virtual Server Properties” section on page 7-11. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears. Step 2 In the Virtual Servers table, choose the virtual server that you want to configure for SSL termination, and click Edit. The Virtual Server configuration window appears. Step 3 In the Virtual Server configuration window, click SSL Termination. The Proxy Service Name field appears. Step 4 In the Proxy Service Name field, choose an existing SSL termination service, or choose *New* to create a new SSL proxy service, and do one of the following: • If you chose an existing SSL service, the window refreshes and allows you to view, modify, or duplicate the existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. • If you chose *New*, the Proxy Service configuration subset appears. Step 5 Configure the SSL service using the information in Table 7-5. For more information about SSL, see the “Configuring SSL” section on page 11-1. Table 7-5 Virtual Server SSL Attributes Field Description Name Name for this SSL proxy service. Valid entries are alphanumeric strings with a maximum of 26 characters. Keys SSL key pair to use during the SSL handshake for data encryption. Certificates SSL certificate to use during the SSL handshake. Chain Groups Chain group to use during the SSL handshake. Auth Groups SSL authentication group to associate with this proxy server service. CRL Best-Effort Option that appears if you chose an authentication group in the Auth Groups field. Check the check box to allow the ANM to search client certificates for the service to determine if it contains a CRL in the extension and retrieve the value, if it exists. Uncheck the check box to disable this feature. 7-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries. • Click Deploy Later to save your entries and apply them at a later time. Related Topics • Configuring Virtual Servers, page 7-2 • Configuring Virtual Server Properties, page 7-11 Configuring Virtual Server Protocol Inspection You can configure protocol inspection on a virtual server, which allows the virtual server to verify protocol behavior and identify unwanted or malicious traffic passing through the ACE. In the Advanced View, protocol inspection configuration is available for the following virtual server protocol configurations: • TCP with FTP, HTTP, HTTPS, RTSP, or SIP • UDP with DNS or SIP In the Basic View, protocol inspection configuration is available for TCP with FTP. See Table 7-2 for a list of protocols by ACE device type. Assumption Make sure that a virtual server has been configured to use one of the protocols that supports protocol inspection in the Properties configuration subset. See the “Configuring Virtual Server Properties” section on page 7-11 for information on configuring these protocols. Procedure Step 1 Choose the item to configure: • To configure a virtual server, choose Config > Devices > context > Load Balancing > Virtual Servers. • To configure a configuration building block, choose Config > Global > All Building Blocks > building_block > Load Balancing > Virtual Servers. The Virtual Servers table appears. CRL Name Option that appears if the CRL Best-Effort check box is clear. Choose the Certificate Revocation List the ANM is to use for this proxy service. Parameter Maps SSL parameter map to associate with this proxy server service. Table 7-5 Virtual Server SSL Attributes (continued) Field Description 7-19 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Step 2 In the Virtual Servers table, choose the virtual server that you want to configure for protocol inspection, and click Edit. The Virtual Server configuration window appears. Step 3 Click Protocol Inspection. The Enable Inspect check box appears. Step 4 Check the Enable Inspect check box to enable inspection on the specified traffic or uncheck it to disable inspection on this traffic. By default, the ACE allows all request methods. Step 5 (Optional) If you checked the Enable Inspect check box, configure additional inspection options using the information in Table 7-6. Table 7-6 Protocol Inspection Configuration Options Protocol Action DNS In the length field, enter the maximum length of the DNS packet in bytes as defined in the Length field. If you do not enter a value in this field, the DNS packet size is not checked. FTP a. Check the Use Strict check box to specify that the virtual server is to perform enhanced inspection of FTP traffic and enforce compliance with RFC standards. Uncheck the check box to specify that the virtual server is not to perform enhanced FTP inspection. b. (Optional) If you checked the Use Strict check box, in the Blocked FTP Commands field, identify the commands that are to be denied by the virtual server. See Table 14-8 for more information about the FTP commands. • Choose the commands that are to be blocked by the virtual server in the Available Items list, and click Add. The commands appear in the Selected Items list. • To remove commands that you do not want to be blocked, choose them in the Selected Items list, and click Remove. The commands appear in the Available Items list. 7-20 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers HTTP or HTTPS a. Check the Logging Enabled check box to enable monitoring of Layer 3 and Layer 4 traffic. When enabled, this feature logs every URL request that is sent in the specified class of traffic, including the source or destination IP address and the URL that is accessed. Uncheck the check box to disable monitoring of Layer 3 and Layer 4 traffic. b. In the Policy subset, click Add to add a new match condition and action, or choose an existing match condition and action and click Edit to modify it. The Policy configuration pane appears. c. In the Matches field, choose an existing class map or *New* or *Inline Match* to configure new match criteria for protocol inspection. If you chose an existing class map, the window refreshes and allows you to view, modify, or duplicate the selected class map. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. d. Configure match criteria and related actions using the information in Table 7-7. e. Do one of the following: • Click OK to save your entries. The Conditions table refreshes with the new entry. • Click Cancel to exit the Policy subset without saving your entries. f. In the Default Action field, choose the default action that the virtual server is to take when specified match conditions for protocol inspection are not met: • Permit—The specified HTTP traffic is to be received by the virtual server. • Reset—The specified HTTP traffic is to be denied by the virtual server. Table 7-6 Protocol Inspection Configuration Options (continued) Protocol Action 7-21 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers RTSP There are no protocol-specific inspection options for RTSP. SIP a. In the Actions subset, click Add to add a new match condition and action, or choose an existing match condition and action, and click Edit to modify it. The Actions configuration pane appears. b. In the Matches field, choose an existing class map or *New* or *Inline Match* to configure new match criteria for protocol inspection. If you chose an existing class map, the window refreshes and allows you to view, modify, or duplicate the selected class map. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. c. Configure match criteria and related actions using the information in Table 7-9. d. In the Action field, choose the action that the virtual server is to take when the specified match conditions are met: – Drop—The specified SIP traffic is discarded by the virtual server. – Permit—The specified SIP traffic is received by the virtual server. – Reset—The specified SIP traffic is denied by the virtual server. e. Do one of the following: – Click OK to save your entries. The Conditions table refreshes with the new entry. – Click Cancel to exit the Conditions subset without saving your entries and to return to the Conditions table. f. In the SIP Parameter Map field, choose an existing parameter map or choose *New* to configure a new one. If you chose an existing parameter map, the window refreshes and allows you to view, modify, or delete the selected parameter map. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. g. Configure SIP parameter map options using the information in Table 10-9. h. In the Secondary Connection Parameter Map field, choose an existing parameter map or choose *New* to configure a new one. If you chose an existing parameter map, the window refreshes and allows you to view, modify, or delete the selected parameter map. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. i. Configure secondary connection parameter map options using the information in Table 10-2. j. In the Default Action field, choose the default action that the virtual server is to take when specified match conditions for SIP protocol inspection are not met: – Drop—The specified SIP traffic is discarded by the virtual server. – Permit—The specified SIP traffic is received by the virtual server. – Reset—The specified SIP traffic is denied by the virtual server. k. Check the Logging Enabled check box to enable monitoring of Layer 3 and Layer 4 traffic. When enabled, this feature logs every URL request that is sent in the specified class of traffic, including the source or destination IP address and the URL that is accessed. Uncheck the check box to disable monitoring of Layer 3 and Layer 4 traffic. Table 7-6 Protocol Inspection Configuration Options (continued) Protocol Action 7-22 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Table 7-7 HTTP and HTTPS Protocol Inspection Match Criteria Configuration Selection Action Existing class map a. Click View to review the match condition information for the selected class map. b. Do one of the following: – Click Cancel to continue without making changes and to return to the previous window. – Click Edit to modify the existing configuration. – Click Duplicate to create a new class map with the same attributes without affecting other virtual servers using the same class map. See the “Shared Objects and Virtual Servers” section on page 7-9 for information about modifying shared objects. c. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches the specified match criteria: – Permit—The specified traffic is received by the virtual server if it meets the specified deep inspection match criteria. – Reset—The specified traffic is denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection. *New* a. In the Name field, specify a unique name for this class map. b. In the Match field, choose the method to be used to evaluate multiple match statements when multiple match conditions exist: – Any—A match exists if at least one of the match conditions is satisfied. – All—A match exists only if all match conditions are satisfied. c. In the Conditions table, click Add to add a new set of conditions, or choose an existing entry, and click Edit to modify it. The Type field appears. d. In the Type field, choose the type of condition that is to be met for protocol inspection. e. Provide condition-specific criteria using the information in Table 7-8. f. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches the specified match criteria: – Permit—The specified traffic is received by the virtual server if it meets the specified deep inspection match criteria. – Reset—The specified traffic is denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection. *Inline Match* a. In the Conditions Type field, choose the type of inline match condition that is to be met for protocol inspection. b. Provide condition-specific criteria using the information in Table 7-8. c. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches the specified match criteria: – Permit—The specified traffic is received by the virtual server if it meets the specified deep inspection match criteria. – Reset—The specified traffic is denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection. 7-23 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Table 7-8 HTTP and HTTPS Protocol Inspection Conditions and Options Condition Description Content Specific content contained within the HTTP entity-body to be used for application inspection decisions. a. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters. b. In the Content Offset field, enter the number of bytes to be ignored starting with the first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are from 1 to 255 bytes. Content Length Content parse length is used for application inspection decisions. a. In the Content Length Operator field, choose the operand to use to compare content length: – Equal To—The content length must equal the number in the Content Length Value field. – Greater Than—The content length must be greater than the number in the Content Length Value field. – Less Than—The content length must be less than the number in the Content Length Value field. – Range—The content length must be within the range specified in the Content Length Lower Value field and the Content Length Higher Value field. b. Enter values to apply for content length comparison: – If you chose Equal To, Greater Than, or Less Than in the Content Length Operator field, the Content Length Value field appears. In the Content Length Value field, enter the number of bytes for comparison. Valid entries are from 0 to 4294967295. – If you chose Range in the Content Length Operator field, the Content Length Lower Value and the Content Length Higher Value fields appear: 1. In the Content Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are from 0 to 4294967295. The number in this field must be less than the number entered in the Content Length Higher Value field. 2. In the Content Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are from 0 to 4294967295. The number in this field must be greater than the number entered in the Content Length Lower Value field. Content Type Verification Verification of MIME-type messages with the header MIME-type is to be used for application inspection decisions. This option verifies that the header MIME-type value is in the internal list of supported MIME-types and that the header MIME-type matches the content in the data or body portion of the message. 7-24 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Header Name and value in an HTTP header are used for application inspection decisions. a. In the Header field, choose one of the predefined HTTP headers to match, or choose HTTP Header to specify a different HTTP header. b. If you chose HTTP Header, in the Header Name field, enter the name of the HTTP header to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. c. In the Header Value field, enter the header-value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions. Header Length Length of the header in the HTTP message used for application inspection decisions. a. In the Header Length Type field, specify whether HTTP header request or response messages are to be used for application inspection decisions: – Request—HTTP header request messages are to be checked for header length. – Response—HTTP header response messages are to be checked for header length. b. In the Header Length Operator field, choose the operand to be used to compare header length: – Equal To—The header length must equal the number in the Header Length Value field. – Greater Than—The header length must be greater than the number in the Header Length Value field. – Less Than—The header length must be less than the number in the Header Length Value field. – Range—The header length must be within the range specified in the Header Length Lower Value field and the Header Length Higher Value field. c. Enter values to apply for header length comparison: – If you chose Equal To, Greater Than, or Less Than in the Header Length Operator field, the Header Length Value field appears. In the Header Length Value field, enter the number of bytes for comparison. Valid entries are from 0 to 255. – If you chose Range in the Header Length Operator field, the Header Length Lower Value and the Header Length Higher Value fields appear: 1. In the Header Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are from 0 to 255. The number in this field must be less than the number entered in the Header Length Higher Value field. 2. In the Header Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are from 1 to 255. The number in this field must be greater than the number entered in the Header Length Lower Value field. Header MIME Type Multipurpose Internet Mail Extension (MIME) message types are used for application inspection decisions. In the Header MIME Type field, choose the MIME message type to use for this match condition. Table 7-8 HTTP and HTTPS Protocol Inspection Conditions and Options (continued) Condition Description 7-25 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Port Misuse Misuse of port 80 (or any other port running HTTP) to be used for application inspection decisions. Choose the application category to use for this match condition as follows: • IM—Instant messaging applications are to be checked. • P2P—Peer-to-peer applications are to be checked. • Tunneling—Tunneling applications are to be checked. Request Method A request method is to be used for protocol inspection decisions. By default, ACEs allow all request and extension methods. This option allows you to configure protocol inspection decisions based on compliance to request methods defined in RFC 2616 and by HTTP extension methods. a. Choose the type of request method to use for this match condition: – Ext—An HTTP extension method is to be used. Note The list of available HTTP extension methods from which to choose varies depending on the version of software installed in the ACE. – RFC—The request method defined in RFC 2616 is to be used. b. In the Request Method field, choose the request method that is to be inspected. Strict HTTP Compliance with HTTP RFC 2616 to be used for application inspection decisions. Transfer Encoding An HTTP transfer-encoding type to be used for application inspection decisions. The transfer-encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body to safely transfer it between the sender and the recipient. In the Transfer Encoding field, choose the type of encoding that is to be checked: • Chunked—The message body is transferred as a series of chunks. • Compress—The encoding format that is produced by the UNIX file compression program compress. • Deflate—The .zlib format that is defined in RFC 1950 in combination with the DEFLATE compression mechanism described in RFC 1951. • Gzip—The encoding format that is produced by the file compression program GZIP (GNU zip) as described in RFC 1952. • Identity—The default (identity) encoding which does not require the use of transformation. Table 7-8 HTTP and HTTPS Protocol Inspection Conditions and Options (continued) Condition Description 7-26 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers URL URL names to be used for application inspection decisions. In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. URL Length URL length to be used for application inspection decisions. a. In the URL Length Operator field, choose the operand to use to compare URL length: – Equal To—The URL length must equal the number in the URL Length Value field. – Greater Than—The URL length must be greater than the number in the URL Length Value field. – Less Than—The URL length must be less than the number in the URL Length Value field. – Range—The URL length must be within the range specified in the URL Length Lower Value field and the URL Length Higher Value field. b. Enter values to apply for URL length comparison: – If you chose Equal To, Greater Than, or Less Than in the URL Length Operator field, the URL Length Value field appears. In the URL Length Value field, enter the value for comparison. Valid entries are from 1 to 65535 bytes. – If you chose Range in the URL Length Operator field, the URL Length Lower Value and the URL Length Higher Value fields appear: 1. In the URL Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are from 1 to 65535. The number in this field must be less than the number entered in the URL Length Higher Value field. 2. In the URL Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are from 1 to 65535. The number in this field must be greater than the number entered in the URL Length Lower Value field. Table 7-8 HTTP and HTTPS Protocol Inspection Conditions and Options (continued) Condition Description 7-27 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Table 7-9 SIP Protocol Inspection Match Criteria Configuration Selection Action Existing class map a. Click View to review the match condition information for the selected class map. b. Do one of the following: – Click Cancel to continue without making changes and to return to the previous window. – Click Edit to modify the existing configuration. – Click Duplicate to create a new class map with the same attributes without affecting other virtual servers using the same class map. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. c. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches the specified match criteria: – Drop—The specified traffic is to be dropped by the virtual server. – Permit—The specified traffic is to be received by the virtual server. – Reset—The specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection. *New* a. In the Name field, specify a unique name for this class map. b. In the Conditions table, click Add to add a new set of conditions, or choose an existing entry, and click Edit to modify it. The Type field appears. c. In the Type field, choose the type of condition that is to be met for protocol inspection. d. Provide condition-specific criteria using the information in Table 7-10. e. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches the specified match criteria: – Drop—The specified traffic is to be dropped by the virtual server. – Permit—The specified traffic is to be received by the virtual server. – Reset—The specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection. *Inline Match* a. In the Conditions Type field, choose the type of inline match condition that is to be met for protocol inspection. Table 7-10 describes the types of conditions and their related configuration options. b. Provide condition-specific criteria using the information in Table 7-10. c. In the Action field, choose the action that the virtual server is to perform on the traffic if it matches the specified match criteria: – Drop—The specified traffic is to be dropped by the virtual server. – Permit—The specified traffic is to be received by the virtual server. – Reset—The specified traffic is to be denied by the virtual server, which then sends a TCP reset message to the client or server to close the connection. 7-28 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Table 7-10 SIP Protocol Inspection Conditions and Options Condition Description Called Party Destination or called party specified in the URI of the SIP To header used for SIP protocol inspection decisions. In the Called Party field, enter a regular expression that identifies the called party in the URI of the SIP To header for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. Calling Party Source or caller specified in the URI of the SIP From header used for SIP protocol inspection decisions. In the Calling Party field, enter a regular expression that identifies the calling party in the URI of the SIP From header for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. IM Subscriber IM (instant messaging) subscriber used for application inspection decisions. In the IP Subscriber field, enter a regular expression that identifies the IM subscriber for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. Message Path SIP inspection that allows you to filter messages coming from or transiting through certain SIP proxy servers. The ACE maintains a list of the unauthorized SIP proxy IP addresses or URLs in the form of regular expressions and checks this list against the VIA header field in each SIP packet. In the Message Path field, enter a regular expression that identifies the SIP proxy server for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. SIP Content Length SIP message body content length used for SIP protocol inspection decisions. To specify SIP traffic based on SIP message body length: a. In the Content Operator field, confirm that Greater Than is selected. b. In the Content Length field, enter the maximum size of a SIP message body in bytes that the ACE is to allow without performing SIP protocol inspection. If a SIP message exceeds the specified value, the ACE performs SIP protocol inspection as defined in an associated policy map. Valid entries are from 0 to 65534 bytes. SIP Content Type Content type in the SIP message body used for SIP protocol inspection decisions. In the Content Type field, enter a regular expression that identifies the content type in the SIP message body to use for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. SIP Request Method SIP request method used for application inspection decisions. In the Request Method field, choose the request method that is to be inspected. 7-29 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries. • Click Deploy Later to save your entries and deploy the configuration at a later time. Related Topics • Configuring Virtual Server Properties, page 7-11 • Configuring Virtual Server SSL Termination, page 7-17 • Configuring Virtual Server Layer 7 Load Balancing, page 7-30 • Managing Virtual Servers, page 7-66 Third Party Condition that indicates that the SIP is to allow users to register other users on their behalf by sending REGISTER messages with different values in the From and To header fields. This process can pose a security threat if the REGISTER message is actually a DEREGISTER message. A malicious user could cause a DoS (denial-of-service) attack by deregistering all users on their behalf. To prevent this security threat, you can specify a list of privileged users who can register or unregister someone else on their behalf. The ACE maintains the list as a regex table. If you configure this policy, the ACE drops REGISTER messages with mismatched From and To headers and a From header value that does not match any of the privileged user IDs. In the Third Party Registration Entities field, enter a regular expression that identifies a privileged user who is authorized for third-party registrations. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. URI Length Condition that indicates that the ACE is to validate the length of SIP URIs or Tel URIs. A SIP URI is a user identifier that a calling party (source) uses to contact the called party (destination). A Tel URI is a telephone number that identifies the endpoint of a SIP connection. For more information about SIP URIs and Tel URIs, see RFC 2534 and RFC 3966, respectively. To filter SIP traffic based on URIs, do the following: a. In the URI Type field, choose the type of URI to be used: – SIP URI—The calling party URI is to be used for this match condition. – Tel URI—A telephone number is to be used for this match condition. b. In the URI Operator field, confirm that Greater Than is selected. c. In the URI Length field, enter the maximum length of the SIP URI or Tel URI in bytes. Valid entries are from 0 to 254 bytes. Table 7-10 SIP Protocol Inspection Conditions and Options (continued) Condition Description 7-30 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Configuring Virtual Server Layer 7 Load Balancing You can configure Layer 7 load balancing on a virtual server. In the Advanced View, Layer 7 load balancing is available for virtual servers configured with one of the following protocol combinations: • TCP with Generic, FTP, HTTP, HTTPS, RDP, RTSP, or SIP • UDP with Generic, DNS, RADIUS, or SIP See the “Configuring Virtual Server Properties” section on page 7-11 for information about configuring these protocols. Table 7-2 identifies the protocols that are available for each type of ACE device. Assumption Make sure that a virtual server has been configured with one of the following protocol combinations: • TCP with Generic, FTP, HTTP, HTTPS, RDP, RTSP, or SIP • UDP with Generic, DNS, RADIUS, or SIP For more information, see the “Configuring Virtual Server Properties” section on page 7-11. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears. Step 2 In the Virtual Servers table, choose the virtual server that you want to configure for Layer 7 load balancing, and click Edit. The Virtual Server configuration window appears. Step 3 In the Virtual Server configuration window, click L7 Load-Balancing. The Layer 7 Load-Balancing Rule Match table appears. Step 4 In the Rule Match table, click Add to add a new match condition and action, or choose an existing match condition and action, and click Edit to modify it. The Rule Match configuration pane appears. Step 5 In the Rule Match field of the Rule Match configuration pane, choose an existing class map or *New* or *Inline Match* to configure new match criteria for Layer 7 load balancing, and do one of the following: • If you chose an existing class map, click View to review, modify, or duplicate the existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. • If you click *New* or *Inline Match*, the Rule Match configuration pane appears. 7-31 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Step 6 Configure match criteria using the information in Table 7-11. Table 7-11 Layer 7 Load-Balancing Match Criteria Configuration Selection Action Existing class map a. Click View to review the match condition information for the selected class map. b. Do one of the following: – Click Cancel to continue without making changes and to return to the previous window. – Click Edit to modify the existing configuration. – Click Duplicate to create a new class map with the same attributes without affecting other virtual servers using the same class map. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. *New* a. In the Name field, enter a unique name for this class map. b. In the Match field, choose the method to be used to evaluate multiple match statements when multiple match conditions exist: – match-any—A match exists if at least one of the match conditions is satisfied. – match-all—A match exists only if all match conditions are satisfied. c. In the Conditions table, click Add to add a new set of conditions, or choose an existing entry and click Edit to modify it. d. In the Type field, choose the match condition and configure any of these protocol-specific options: – For Generic protocol options, see Table 14-9. – For HTTP and HTTPS protocol options, see Table 7-12. – For RADIUS protocol options, see Table 14-10. – For RTSP protocol options, see Table 14-11. – For SIP protocol options, see Table 14-12. e. Do one of the following: – Click OK to accept your entries and to return to the Conditions table. – Click Cancel to exit this procedure without saving your entries and to return to the Conditions table. *Inline Match* In the Conditions Type field, choose the type of inline match condition and configure any protocol-specific options: • For Generic protocol options, see Table 14-9. • For HTTP and HTTPS protocol options, see Table 7-12. • For RADIUS protocol options, see Table 14-10. • For RTSP protocol options, see Table 14-11. • For SIP protocol options, see Table 14-12. 7-32 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Table 7-12 Layer 7 HTTP/HTTPS Load-Balancing Conditions and Options Match Condition Action Class Map Existing class map used for the match condition. In the Class Map field, choose the class map to be used. HTTP Content Specific content contained within the HTTP entity-body used to establish a match condition. a. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters. b. In the Content Offset field, enter the number of bytes to be ignored starting with the first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are from 1 to 255. HTTP Cookie HTTP cookies used for the match condition. a. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. b. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. c. Check the Secondary Cookie Matching check box to indicate that the ACE is to use both the cookie name and the cookie value to satisfy this match condition. Clear this check box to indicate that the ACE is to use either the cookie name or the cookie value to satisfy this match condition. HTTP Header HTTP header and corresponding value used to establish match conditions. a. In the Header Name field, specify the header in one of the following ways: – To specify an HTTP header that is not one of the standard HTTP headers, click the first radio button and enter the HTTP header name in the Header Name field. Enter an unquoted text string with no spaces and a maximum of 64 characters. – To specify one of the standard HTTP headers, click the second radio button and choose the desired HTTP header from the list. b. In the Header Value field, enter the header-value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 14-33 lists the supported characters that you can use in regular expressions. 7-33 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Step 7 In the Primary Action field, choose the action that the virtual server is to perform on the traffic if it matches the specified match criteria: • Drop—Client requests for content are to be discarded when match conditions are met. Continue with Step 12. • Forward—Client requests for content are to be forwarded without performing load balancing on the requests when match conditions are met. Continue with Step 12. • Load Balance—Client requests for content are to be directed to a server farm when match conditions are met. Continue with Step 9. • Sticky—Client requests for content are to be handled by a sticky group when match conditions are met. Continue with Step 10. Step 8 (Optional) From the HTTP Header Modify Action List drop-down list, choose an existing Action List or choose New to display the Action List configuration table and create a new one. For more information, see the “Configuring an HTTP Header Modify Action List” section on page 14-85. Step 9 (Optional) If you chose Load Balance as the primary action, do the following: a. In the Server Farm field, choose the primary server farm to use for load balancing, or choose *New* to configure a new server farm (see Table 7-13). If you chose an existing object in this field, you can view, modify, or duplicate the selected object’s existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects in virtual servers. HTTP URL Condition that indicates that the ACE is to perform regular expression matching against the received packet data from a particular connection based on the HTTP URL string. a. In the URL Expression field, enter a URL, or portion of a URL, to match. Valid entries are URL strings from 1 to 255 alphanumeric characters. Include only the portion of the URL following www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The ACE supports regular expressions for matching URL strings. Table 14-33 lists the supported characters that you can use in regular expressions. b. In the Method Expression field, enter the HTTP method to match. Valid entries are unquoted text strings with no spaces and a maximum of 15 alphanumeric characters. The method can either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, CORVETTE). Source Address Client source IP address used for the match condition. a. In the Source Address field, enter the source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.2). b. In the Source Netmask field, choose the subnet mask to apply to the source IP address. Table 7-12 Layer 7 HTTP/HTTPS Load-Balancing Conditions and Options (continued) Match Condition Action 7-34 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Note To display statistics and status information for an existing server farm, choose a server farm in the list, and click Details. ANM accesses the show serverfarm name detail CLI command to display detailed server farm information. See the “Displaying Server Farm Statistics and Status Information” section on page 8-48. b. In the Backup Server Farm field, choose the server farm to act as the backup server farm for load balancing if the primary server farm is unavailable, or choose *New* to configure a new backup server farm (see Table 7-13). Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. If you chose an existing object in this field, you can view, modify, or duplicate the selected object’s existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects in virtual servers. Table 7-13 New Server Farm Attributes Field Description Name Unique name for the server farm. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. Type Type of server farm: • Host—A typical server farm that consists of real servers that provide content and services to clients. By default, if you configure a backup server farm and all real servers in the primary server farm go down, the primary server farm fails over to the backup server farm. Use the following options to specify thresholds for failover and returning to service. 1. In the Partial-Threshold Percentage field, enter the minimum percentage of real servers in the primary server farm that must remain active for the server farm to stay up. If the percentage of active real servers falls below this threshold, the ACE takes the server farm out of service. Valid entries are from 0 to 99. 2. In the Back Inservice field, enter the percentage of real servers in the primary server farm that must be active again for the ACE to place the server farm back into service. Valid entries are from 0 to 99. The value in this field should be larger than the value in the Partial Threshold Percentage field. • Redirect—A server farm that consists only of real servers that redirect client requests to alternate locations specified in the real server configuration. Fail Action Action that the ACE takes if any real server in the server farm fails: • N/A—Indicates that the ACE is to take no action if any server in the server farm fails. • Purge—Indicates that the ACE is to remove connections to a real server if that real server in the server farm fails. The ACE sends a reset command to both the client and the server that failed. • Reassign—Indicates that the ACE reassign the existing server connections to the backup real server (if configured) if the real server fails after you enter this command. If a backup real server has not been configured for the failing server, this selection leaves the existing connections untouched in the failing real server. 7-35 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Failaction Reassign Across Vlans Option that is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type. This field appears only when the L7 Load-Balancing Action parameters are set as follows: Primary Action: LoadBalance; ServerFarm: New; Fail Action: Reassign. Check the check box to specify that the ACE reassigns the existing server connections to the backup real server on a different VLAN interface (commonly referred to as a bypass VLAN) if the real server fails. If a backup real server has not been configured for the failing server, this option has no effect and leaves the existing connections untouched in the failing real server. Note the following configuration requirements and restrictions when you enable this option: • Enable the Transparent option (see the next Field) to instruct the ACE not to use NAT to translate the ACE VIP address to the server IP address. The Failaction Reassign Across Vlans option is intended for use in stateful firewall load balancing (FWLB) on your ACE, where the destination IP address for the connection coming in to the ACE is for the end-point real server, and the ACE reassigns the connection so that it is transmitted through a different next hop. • Enable the MAC Sticky option on all server-side interfaces to ensure that packets that are going to and coming from the same server in a flow will traverse the same firewalls or stateful devices (see the “Configuring Virtual Context VLAN Interfaces” section on page 12-6). • Configure the Predictor Hash Address option. See Table 7-14 for the supported predictor methods and configurable attributes for each predictor method. • You must configure identical policies on the primary interface and the backup-server interface. The backup interface must have the same feature configurations as the primary interface. • If you configure a policy on the backup-server interface that is different from the policies on the primary-server interface, that policy will be effective only for new connections. The reassigned connection will always have only the primary-server interface policies. • Interface-specific features (for example, NAT, application protocol inspection, outbound ACLs, or SYN cookie) are not supported. • You cannot reassign connections to the failed real server after it comes back up. This restriction also applies to same-VLAN backup servers. • Real servers must be directly connected to the ACE. This requirement also applies to same-VLAN backup server. • You must disable sequence number randomization on the firewall (see the “Configuring Connection Parameter Maps” section on page 10-3). • Probe configurations should be similar on both ACEs and the interval values should be low. For example, if you configure a high interval value on ACE-1 and a low interval value on ACE-2, the reassigned connections may become stuck because of the probe configuration mismatch. ACE-2 with the low interval value will detect the primary server failure first and will reassign all its incoming connections to the backup-server interface VLAN. ACE-1 with the high interval value may not detect the failure before the primary server comes back up and will still point to the primary server. To minimize packet loss, we recommend the following probe parameter values on both ACEs: Interval: 2, Faildetect: 2, Passdetect interval: 2, and Passdetect count: 5. Table 7-13 New Server Farm Attributes (continued) Field Description 7-36 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Transparent Field that appears only for real servers identified as host servers. Specify whether network address translation from the VIP address to the server IP is to occur. Check the check box to specify that network address translation from the VIP address to the server IP address is to occur. Uncheck the check box to specify that network address translation from the VIP address to the server IP address is not to occur. Dynamic Workload Scaling Option that is available only with ACE software Version A4(2.0) or later release on either device type (appliance or module). Field that appears only for host server farms. Allows the ACE to burst traffic to remote VMs when the average CPU usage, memory usage, or both of the local VMs has reached it’s specified maximum threshold value. The ACE stops bursting traffic to the remote VMs when the average CPU and/or memory usage of the local VMs has dropped to it’s specified minimum threshold value. This option requires that you have the ACE configured for Dynamic Workload Scaling using a Nexus 7000, VM Controller, and VM probe (see the “Configuring Dynamic Workload Scaling” section on page 8-26). Click one of the following radio button options: • N/A—Not applicable (default). • Local—The ACE can use the VM Controller local VMs only for load balancing (bursting is not allowed). • Burst—Enables the ACE to burst traffic to a remote VMs when needed. When you choose Burst, the VM Probe Name field displays along with a list of available VM probes. Choose an available VM probe or click Add to display the Health Monitoring popup window and create a new VM probe or edit an existing one (see the “Configuring Health Monitoring” section on page 8-49). Fail-On-All Field that appears for host server farms only. By default, real servers that you configure in a server farm inherit the probes that you configure directly on that server farm. When you configure multiple probes on a server farm, the real servers in the server farm use an OR logic with respect to the probes, which means that if one of the probes configured on the server farm fails, all the real servers in that server farm fail and enter the PROBE-FAILED state. With AND logic, if one server farm probe fails, the real servers in the server farm remain in the OPERATIONAL state. If all the probes associated with the server farm fail, then all the real servers in that server farm fail and enter the PROBE-FAILED state. You can also configure AND logic for probes that you configure directly on real servers in a server farm. For more information, see the command in server farm host real server configuration mode. Check this check box to configure the real servers in a server farm to use AND logic with respect to multiple server farm probes. The Fail On All function is applicable to all probe types. Table 7-13 New Server Farm Attributes (continued) Field Description 7-37 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Inband-Health Check Option that is available only for the ACE module A4(1.0), ACE appliance A4(1.0), and later releases of either device type. Field that appears only for host server farms. By default, the ACE monitors the health of all real servers in a configuration through the use of ARPs and health probes. However, there is latency period between when the real server goes down and when the ACE becomes aware of the state. The inband health monitoring feature allows the ACE to monitor the health of the real servers in the server farm through the following connection failures: • For TCP, resets (RSTs) from the server or SYN timeouts. • For UDP, ICMP Host, Network, Port, Protocol, and Source Route unreachable messages. When you configure the failure-count threshold and the number of these failures exceeds the threshold within the reset-time interval, the ACE immediately marks the server as failed, takes it out of service, and removes it from load balancing. The server is not considered for load balancing until the optional resume-service interval expires. The Inband-Health Check attributes are as follows: • Count—Tracks the total number of TCP or UDP failures, and increments the counters. • Log—Logs a syslog error message when the number of events reaches the threshold value that you set for the Connection Failure Threshold Count attribute. • Remove—Logs a syslog error message when the number of events reaches the configured threshold and removes the real server from service. Connection Failure Threshold Count This field appears only when the Inband-Health Check is set to Log or Remove. Enter the maximum number of connection failures that a real server can exhibit in the reset-time interval before ACE marks the real server as failed. Valid entries are as follows: • ACE appliance—Integers from 1 to 4294967295 • ACE module—Integers from 4 to 4294967295 Reset Timeout (Milliseconds) This field appears only when the Inband-Health Check is set to Log or Remove. Enter the number of milliseconds for the reset-time interval. Valid entries are integers from 100 to 300000. The default interval is 100. This interval starts when the ACE detects a connection failure. If the connection failure threshold is reached during this interval, the ACE generates a syslog message. If you configure the Remove attribute, the ACE also removes the real server from service. Changing the setting of this option affects the behavior of the real server, as follows: • When the real server is in the OPERATIONAL state, even if several connection failures have occurred, the new reset-time interval takes effect the next time that a connection error occurs. • When the real server in the INBAND-HM-FAILED state, the new reset-time interval takes effect the next time that a connection error occurs after the server transitions to the OPERATIONAL state. Table 7-13 New Server Farm Attributes (continued) Field Description 7-38 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Resume Service (Seconds) Field that appears only when the Inband-Health Check is set to Remove. Enter the number of seconds after a server has been marked as failed to reconsider it for sending live connections. Valid entries are integers from 30 to 3600. The default setting is 0. The setting of this option affects the behavior of the real server in the inband failed state, as follows: • When this field is not configured and has the default setting of 0, the real server remains in the failed state until you manually suspend and then reactivate it. • When this field is not configured and has the default setting of 0 and then you configure this option with an integer between 30 and 3,600, the failed real server immediately transitions to the Operational state. • When you configure this field and then increase the value, the real server remains in the failed state for the duration of the previously-configured value. The new value takes effect the next time the real server transitions to the failed state. • When you configure this field and then decrease the value, the failed real server immediately transitions to the Operational state. • When you configure this field with an integer between 30 and 3,600 and then reset it to the default of 0, the real server remains in the failed state for the duration of the previously-configured value. The default setting takes effect the next time the real server transitions to the failed state. Then the real server remains in the failed state until you manually suspend and then reactivate it. • When you change this field within the reset-time interval the real server in the OPERATIONAL with several connection failures, the new threshold interval takes effect the next time that a connection error occurs, even if it occurs within the current reset-time interval. Predictor Method for selecting the next server in the server farm to respond to client requests. Round Robin is the default predictor method for a server farm. See Table 7-14 for the supported predictor methods and configurable attributes for each predictor method. Table 7-13 New Server Farm Attributes (continued) Field Description 7-39 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Probes Health monitoring probes to use: • To include a probe that you want to use for health monitoring, choose it in the Available list, and click Add. The probe appears in the Selected list. The redirect real server probe list contains only configured probes of the type Is Routed, which means that the ACE routes the probe address according to the ACE internal routing table (see the “Configuring Health Monitoring” section on page 8-49. Note You can associate both IPv6 and IPv4 probes to a server farm. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Note The list of available probes does not include VM health monitoring probes. To choose a VM probe for monitoring local VM usage, see the Dynamic Workload Scaling field. • To remove a probe that you do not want to use for health monitoring, choose it in the Selected list, and click Remove. The probe appears in the Available list. • To specify a sequence for probe use, choose probes in the Selected list, and click Up or Down until you have the desired sequence. • To view the configuration for an existing probe, choose a probe in the list on the right, and click View to review its configuration. • To display statistics and status information for an existing probe, choose a probe in the list on the right, and click Details. ANM accesses the show probe name detail CLI command to display detailed probe information. See the “Displaying Health Monitoring Statistics and Status Information” section on page 8-77. To add a new probe, click Create. See the “Configuring Health Monitoring for Real Servers” section on page 8-51 for details on adding a new health monitoring probe and defining attributes for the specific probe type. In addition to the probe attributes that you set as described in the “Configuring Health Monitoring for Real Servers” section on page 8-51, set the following probe configuration parameters in the Probes section under Server Farm as described as follows: • Expect Addresses—To configure expect addresses for a DNS probe, in the IPv4/IPv6 Address field, enter the IP address that the ACE is to expect as a server response to a DNS request. You can enter multiple addresses in this field; however, you cannot mix IPv4 and IPv6 addresses. Note IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. • Probe Headers—To configure probe headers for either an HTTP or HTTPS probe, in the Probe Headers field enter the name of the HTTP header and the value to be matched using the format header_name=header_value where: • header_name represents the HTTP header name the probe is to use. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify predefined header or any custom header name provided that it does not exceed the maximum length limit. • header_value represents the string to assign to the header field. Valid entries are text strings with a maximum of 255 characters. If the string includes spaces, enclose the string with quotes. Table 7-13 New Server Farm Attributes (continued) Field Description 7-40 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Probes (continued) • Probe Expect Status—To configure probe expect status for an FTP, HTTP, HTTPS, RTSP, SIP-TCP, SIP-UDP, or SMTP probe, in the Probe Expect Status field enter the following information: • To configure a single expect status code, enter the minimum expect status code for this probe followed by the same expect status code that you entered as the minimum. Valid entries are from 0 to 999. • To configure a range of expect status codes, enter the lower limit of the range of status codes followed by the upper limit of the range of status codes. The maximum expect status code must be greater than or equal to the value specified for the minimum expect status code. Valid entries are from 0 to 999. • SNMP OID Table—To configure the SNMP OID for an SNMP probe, see the “Configuring an OID for SNMP Probes” section on page 8-76. After you add a probe, you can modify the attributes for a health probe from the Health Monitoring table (Config > Virtual Contexts > context > Load Balancing > Health Monitoring) as described in the “Configuring Health Monitoring for Real Servers” section on page 8-51. You can also delete an existing health probe from the Health Monitoring table. Table 7-13 New Server Farm Attributes (continued) Field Description 7-41 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Real Servers Table that allows you to add, modify, remove, or change the order of real servers. a. Choose an existing server, or click Add to add a server to the server farm and do one of the following: – If you chose an existing server, you can view, modify, or duplicate the server’s existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. – If you click Add, the window refreshes so you can enter server information. b. In the Name field, specify the name of the real server in one of the following ways: – To identify a new real server, click the first radio button, and then enter the name of the real server in the adjoining field. – To specify an existing real server, click the second radio button, and then choose one of the real servers listed. c. In the IP Address Type field, choose IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. d. In the IP Address field, enter the IP address of the real server. e. In the Port field, enter the port number to be used for server port address translation (PAT). Valid entries are from 1 to 65535. f. In the Weight field, enter the weight to assign to this server in the server farm. Valid entries are from 1 to 100, and the default is 8. g. In the Redirection Code field, choose the appropriate redirection code. This field appears only for real servers identified as redirect servers. – N/A—Indicates that the webhost redirection code is not defined. – 301—Indicates that the requested resource has been moved permanently. For future references to this resource, the client should use one of the returned URIs. – 302—Indicates that the requested resource has been found, but has been moved temporarily to another location. For future references to this resource, the client should use the request URI because the resource may be moved to other locations from time to time. h. In the Web Host Redirection field, enter the URL string used to redirect requests to another server. This field appears only for real servers identified as redirect servers. Enter the URL and port used to redirect requests to another server. Valid entries are in the form http://host.com:port where host is the name of the server and port is the port to be used. Valid host entries are unquoted text strings with no spaces and a maximum of 255 characters. Valid port numbers are from 1 to 65535. The relocation string supports the following special characters: – %h—Inserts the hostname from the request Host header – %p—Inserts the URL path string from the request i. In the Rate Bandwidth field, enter the real server bandwidth limit in bytes per second. Valid entries are from 1 to 300000000 bytes. j. In the Rate Connection field, enter the limit for connections per second (valid entries are from 1 to 350000) and do one of the following: – Click OK to accept your entries and add this real server to the server farm. The table refreshes with updated information. – Click Cancel to exit this procedure without saving your entries and to return to the Real Servers table. Table 7-13 New Server Farm Attributes (continued) Field Description 7-42 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers k. In the State field, choose the administrative state of this server as follows: – In Service—The server is to be placed in use as a destination for server load balancing. – In Service Standby—The server is a backup server and remains inactive unless the primary server fails. If the primary server fails, the backup server becomes active and starts accepting connections. – Out Of Service—The server is not to be placed in use by a server load balancer as a destination for client connections. l. In the Fail-On-All field, check this check box to configure a real server to remain in the OPERATIONAL state unless all probes associated with it fail (AND logic). The Fail-On-All function is applicable to all probe types. Fail-On-All is applicable only for host real servers. m. Do one of the following: – Click OK to accept your entries and add this real server to the server farm. The table refreshes with updated information. – Click Cancel to exit this procedure without saving your entries and to return to the Real Servers table. To display statistics and status information for an existing real server, choose a real server in the list, and then click Details. ANM accesses the show rserver name detail CLI command to display detailed real server information. See the “Displaying Real Server Statistics and Status Information” section on page 8-9. Table 7-14 Predictor Methods and Attributes Predictor Method Description / Action Hash Address Method that indicates that the ACE is to select the server using a hash value based on the source or destination IP address. To configure the hash address predictor method, do the following: a. In the Mask Type field, indicate whether server selection is based on the source IP address or the destination IP address: – N/A—Indicates that this option is not defined. – Destination—Indicates that the server is selected based on the destination IP address. – Source—Indicates that the server is selected based on the source IP address. b. In the IP Netmask field, choose the subnet mask to apply to the address. If none is specified, the default is 255.255.255.255. Table 7-13 New Server Farm Attributes (continued) Field Description 7-43 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Hash Content Method that indicates that the ACE is to select the server by using a hash value based on the specified content string of the HTTP packet body. a. In the Begin Pattern field, enter the beginning pattern of the content string and the pattern string to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the HTTP body immediate following the offset byte. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. b. In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify either a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field or the end of the packet, or until it reaches the maximum body parse length. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. c. In the Length (Bytes) field, enter the length in bytes of the portion of the content (starting with the byte after the offset value) that the ACE uses for sticking the client to the server. Valid entries are from 1 to 1000 bytes. The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but shorter than the offset plus the length of the payload, the ACE sticks the connection based on that portion of the payload starting with the byte after the offset value and ending with the byte specified by the offset plus the length. The total of the offset and the length cannot exceed 1000. Note You cannot specify both the length and the end-pattern options for a Hash Content predictor. d. In the HTTP Content Offset (Bytes) field, enter the portion of the content that the ACE uses to stick the client on a particular server by indicating the bytes to ignore starting with the first byte of the payload. Valid entries are from 0 to 999 bytes. The default is 0, which indicates that the ACE does not exclude any portion of the content. Hash Cookie Method that indicates that the ACE is to select the server by using a hash value based on the cookie name. In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no spaces and a maximum of 64 characters. Hash Header Method that indicates that the ACE is to select the server by using a hash value based on the header name. In the Header Name field, choose the HTTP header to be used for server selection as follows: • To specify an HTTP header that is not one of the standard HTTP headers, click the first radio button and enter the HTTP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. • To specify one of the standard HTTP headers, click the second radio button, and then choose one of the HTTP headers from the list. Table 7-14 Predictor Methods and Attributes (continued) 7-44 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Hash Layer 4 Method that indicates that the ACE is to select the server by using a Layer 4 generic protocol load-balancing method. Use this predictor to load balance packets from protocols that are not explicitly supported by the ACE. a. In the Begin Pattern field, enter the beginning pattern of the Layer 4 payload and the pattern string to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the HTTP body immediate following the offset byte. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. b. In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify either a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field or the end of the packet, or until it reaches the maximum body parse length. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. c. In the Length (Bytes) field, enter the length in bytes of the portion of the payload (starting with the byte after the offset value) that the ACE uses for sticking the client to the server. Valid entries are from 1 to 1000 bytes. The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but shorter than the offset plus the length of the payload, the ACE sticks the connection based on that portion of the payload starting with the byte after the offset value and ending with the byte specified by the offset plus the length. The total of the offset and the length cannot exceed 1000. Note You cannot specify both the length and end-pattern options for a Hash Layer 4 predictor. d. In the HTTP Content Offset (Bytes) field, enter the portion of the content that the ACE uses to stick the client on a particular server by indicating the bytes to ignore starting with the first byte of the payload. Valid entries are from 0 to 999 bytes. The default is 0, which indicates that the ACE does not exclude any portion of the content. Hash URL Method that indicates that the ACE is to select the server using a hash value based on the URL. Use this method to load balance firewalls. Enter values in one or both of the pattern fields: • In the URL Begin Pattern field, enter the beginning pattern of the URL and the pattern string to parse. • In the URL End Pattern field, enter the ending pattern of the URL and the pattern string to parse. Valid entries for these fields are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters for each pattern you configure. Table 7-14 Predictor Methods and Attributes (continued) 7-45 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Least Bandwidth Method that indicates that the ACE is to select the server with the least amount of network traffic over a specified sampling period. a. In the Assess Time field, enter the number of seconds for which the ACE is to collect traffic information. Valid entries are from 1 to 10 seconds. b. In the Least Bandwidth Samples field, enter the number of samples over which you want to weight and average the results of the probe query to calculate the final load value. Valid entries are 1, 2, 4, 8, and 16 (values from 1 to 16 that are also a power of 2). Least Connections Method that indicates that the ACE is to select the server with the fewest number of connections. In the Slowstart Duration field, enter the slow-start value to be applied to this predictor method. Valid entries are from 1 to 65535, where 1 is the slowest ramp-up value. The slow-start mechanism is used to avoid sending a high rate of new connections to servers that you have just put into service. Least Loaded Method that indicates that the ACE is to select the server with the lowest load based on information from SNMP probes. a. In the SNMP Probe Name field, choose the name of the SNMP probe to use. b. In the Auto Adjust field, configure the autoadjust feature to assign a maximum load value of 16000 to that server to prevent it from being flooded with new incoming connections. The ACE periodically adjusts this load value based on feedback from the server's SNMP probe and other configured options. Options include: – Average—Instructs the ACE to apply the average load of the server farm to a real server whose load reaches zero. The average load is the running average of the load values across all real servers in the server farm. This is the default setting. – Maxload—Instructs the ACE to apply the maximum load of the server farm to a real server whose load reaches zero. The maxload option requires the following ACE software versions: - ACE appliance—A3(2.7) or A4(1.0) or later - ACE module—A2(2.4), A2(3.2), or A4(1.0) or later If you choose the maxload option and the ACE does not support the option, ANM issues a command parse error message. – Off—Instructs the ACE to send all new connections to the server that has a load of zero until the next load update arrives from the SNMP probe for this server. There may be times when you want the ACE to send all new connections to a real server whose load is zero. c. In the Weight Connection field, check the check box to instruct the ACE to use the current connection count in the final load calculation for a real server. When you configure this option, the ACE includes the current connection count in the total load calculation for each real server in a server farm. Uncheck the check box to reset the behavior of the ACE to the default of excluding the current connection count from the load calculation. Table 7-14 Predictor Methods and Attributes (continued) 7-46 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Step 10 (Optional) If you chose Sticky as the primary action, in the Sticky Group field, choose an existing sticky group or click *New* to add a new sticky group (Table 7-15). Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Note If you chose an existing sticky group, you can view, modify, or duplicate the selected object’s existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects in virtual servers. Response Method that indicates that the ACE is to select the server with the lowest response time for a requested response-time measurement. a. In the Response Type field, choose the type of measurement to use: – App-Req-To-Resp—The response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request. – Syn-To-Close—The response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server. – Syn-To-Synack—The response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a SYN-ACK from the server. b. In the Response Samples field, enter the number of samples over which you want to average the results of the response-time measurement. Valid entries are 1, 2, 4, 8, and 16 (values from 1 to 16 that are also a power of 2). c. In the Weight Connection field, check the check box to instruct the ACE to use the current connection count in the final load calculation for a real server. When you configure this option, the ACE includes the current connection count in the total load calculation for each real server in a server farm. Uncheck the check box to reset the behavior of the ACE to the default of excluding the current connection count from the load calculation. Round Robin Method that indicates that the ACE is to select the next server in the list of servers based on server weight. This is the default predictor method. Table 7-14 Predictor Methods and Attributes (continued) 7-47 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Table 7-15 Sticky Group Attributes Field Description Group Name Unique identifier for the sticky group. You can either accept the automatically incremented entry that was provided or you can enter your own. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Type Method to be used when establishing sticky connections and configure any type-specific attributes: Note The available selections listed in the Type drop-down list will vary depending on your selection for Application Protocol in the Properties configuration subset (see Table 7-2). For example, if you chose HTTP or HTTPS as the application protocol, only IP Netmask, HTTP Cookie, HTTP Header, and HTTP Content appear as selections in the Type drop-down list. • HTTP Content—The virtual server is to stick client connections to the same real server based on a string in the data portion of the HTTP packet. See Table 9-2 for additional configuration options. • HTTP Cookie—The virtual server is either to learn a cookie from the HTTP header of a client request or to insert a cookie in the Set-Cookie header of the response from the server to the client, and then use the learned cookie to provide stickiness between the client and server for the duration of the transaction. See Table 9-3 for additional configuration options. • HTTP Header—The virtual server is to stick client connections to the same real server based on HTTP headers. See Table 9-4 for additional configuration options. • IP Netmask—The virtual server is to stick a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IPv4 address, the destination IPv4 address, or both. See Table 9-5 for additional configuration options. Note If an organization uses a megaproxy to load balance client requests across multiple proxy servers when a client connects to the Internet, the source IP address is no longer a reliable indicator of the true source of the request. In this situation, you can use cookies or another sticky method to ensure session persistence. • V6 Prefix—(Requires ACE module and ACE appliance software Version A5(1.0) or later) Indicates that the virtual server is to stick a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IPv6 address, the destination IPv6 address, or both. See Table 9-6 for additional configuration options. • Layer 4 Payload—The virtual server is to stick client connections to the same real server based on a string in the payload portion of the Layer 4 protocol packet. See Table 9-7 for additional configuration options. • RADIUS—The virtual server is to stick client connections to the same real server based on a RADIUS attribute. • RTSP Header—The virtual server is to stick client connections to the same real server based on the RTSP Session header field. Table 9-9 for additional configuration options. • SIP Header—The virtual server is to stick client connections to the same real server based on the SIP Call-ID header field. Sticky Server Farm Existing server farm that is to act as the primary server farm for this sticky group. You can choose *New* to create a new server farm. If you chose *New*, configure the server farm using the information in Table 7-13. Backup Server Farm Existing server farm that is to act as the backup server farm this sticky group. You can choose *New* to create a new server farm. If you chose *New*, configure the server farm using the information in Table 7-13. 7-48 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Step 11 (Optional) If you are using the ACE appliance (all versions) or ACE module version A4(1.0) and later, in the Compression Method field, choose the HTTP compression method to indicate how the ACE appliance is to compress packets when a client request indicates that the client browser is capable of packet compression. By default, HTTP compression is disabled in the ACE. When you configure HTTP compression using the ACE, the appliance compresses data in the HTTP GET responses from the real servers. The ACE does not compress HTTP requests from clients or the HTTP headers in the server responses. Note By default, the ACE appliance supports HTTP compression at rates of 100 megabits per second (Mbps). Installing an optional HTTP compression license allows you to increase this value to a maximum of 2 Gbps. See the Cisco 4700 Series Application Control Engine Appliance Administration Guide for information on ACE licensing options. Options are as follows: • Gzip—Specifies the gzip compression format as the method to use when the client browser supports both the deflate and gzip compression methods. Gzip is the file format for compression described in RFC1952. • Deflate—Specifies the deflate compression format as the method to use when the client browser supports both the deflate and gzip compression methods. Deflate is the data format for compression described in RFC1951. • N/A—HTTP compression is disabled. Aggregate State Check box to indicate that the state of the primary server farm is to be tied to the state of all real servers in the server farm and in the backup server farm, if configured. The ACE declares the primary server farm down if all real servers in the primary server farm and all real servers in the backup server farm are down. Uncheck the check box if the state of the primary server farm is not to be tied to all real servers in the server farm and in the backup server farm. Sticky Enabled On Backup Server Farm Check box to indicate that the backup server farm is sticky. Uncheck the check box if the backup server farm is not sticky. Replicate On HA Peer Check box to indicate that the virtual server is to replicate sticky table entries on the backup server farm. If a failover occurs and this option is selected, the new active server farm can maintain the existing sticky connections. Uncheck the check box to indicate that the virtual server is not to replicate sticky table entries on the backup server farm. Timeout (Minutes) Number of minutes that the virtual server keeps the sticky information for a client connection in the sticky table after the latest client connection terminates. Valid entries are from 1 to 65535; the default is 1440 minutes (24 hours). Timeout Active Connections Check box to specify that the virtual server is to time out sticky table entries even if active connections exist after the sticky timer expires. Uncheck the check box to specify that the virtual is not to time out sticky table entries even if active connections exist after the sticky timer expires. This behavior is the default. Table 7-15 Sticky Group Attributes (continued) Field Description 7-49 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers When configuring HTTP compression, we recommend that you exclude the following MIME types from HTTP compression: “.*gif”, “.*css”, “.*js”, “.*class”, “.*jar”, “.*cab”, “.*txt”, “.*ps”, “.*vbs”, “.*xsl”, “.*xml”, “.*pdf”, “.*swf”, “.*jpg”, “.*jpeg”, “.*jpe”, or “.*png”. When you enable HTTP compression, the ACE compresses the packets using the following default compression parameter values: • Mime type—All text formats (text/*). • Minimum size—512 bytes. • User agent—None. Step 12 In the SSL Initiation field, choose an existing service or choose *New* to create a new service, and do one of the following: • If you chose an existing SSL service, you can view, modify, or duplicate the existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. • If you chose *New*, configure the service using the information in Table 7-5. For more information about SSL, see the “Configuring SSL” section on page 11-1. Step 13 In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using the header_name=header_value format where: • header_name represents the name of the HTTP header to insert in the client HTTP request. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify predefined header or any custom header name provided that it does not exceed the maximum length limit. • header_value represents the expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 14-33 lists the supported characters that you can use in regular expressions. For example, you might enter Host=www.cisco.com. Step 14 Do one of the following: • Click OK to save your entries and to return to the Rule Match table. • Click Cancel to exit this procedure without saving your entries and to return to the Rule Match table. Step 15 If you are adding Rule Match entries for a new virtual server and you want to modify the sequence of rules in the L7 Load Balancing section of the Virtual Server configuration page, click Up or Down to change the order of the entries in the Rule Match table. Note The Up and Down buttons are not available for an existing virtual server, only for a new virtual server. To reorder the entries in the Rule Match table for an existing virtual server, go to Config > Expert > Policy Maps and choose the Layer 7 load balancing policy map, delete the rule entry that you want to reorder, and then add it again by using the Insert Before option to put it in the correct order. See the “Configuring Rules and Actions for Policy Maps” section on page 14-34 for details. Step 16 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries. 7-50 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers • Click Deploy Later to save your entries and apply them at a later time. Related Topics • Configuring Virtual Servers, page 7-2 • Configuring Virtual Server Properties, page 7-11 • Configuring Virtual Server SSL Termination, page 7-17 • Configuring Virtual Server Protocol Inspection, page 7-18 Configuring Virtual Server Default Layer 7 Load Balancing You can configure default Layer 7 load-balancing actions for all network traffic that does not meet previously specified match conditions. Assumption Make sure that a virtual server has been configured in the Properties configuration subset. For more information, see the “Configuring Virtual Server Properties” section on page 7-11. See the “Configuring Virtual Servers” section on page 7-2 for information on configuring a virtual server. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears. Step 2 In the Virtual Servers table, choose the virtual server that you want to configure for default Layer 7 load balancing, and click Edit. The Virtual Server configuration window appears. Step 3 In the Virtual Server configuration window, click Default L7 Load-Balancing Action. The Default L7 Load-Balancing Action configuration pane appears. Step 4 In the Primary Action field of the Default L7 Load-Balancing Action configuration pane, choose the default action that the virtual server is to take in response to client requests for content when specified match conditions are not met: • Drop—Client requests that do not meet specified match conditions are to be discarded. Continue with Step 9. • Forward—Client requests that do not meet specified match conditions are to be forwarded without performing load balancing on the requests. Continue with Step 9. • Load Balance—Client requests for content are to be directed to a server farm. Continue with Step 6. • Sticky—Client requests for content are to be handled by a sticky group when match conditions are met. Continue with Step 7. Step 5 (Optional) From the HTTP Header Modify Action List drop-down list, choose an existing Action List or choose New to display the Action List configuration table and create a new one. For more information, see the “Configuring an HTTP Header Modify Action List” section on page 14-85. 7-51 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Step 6 (Optional) If you chose Load Balance as the primary action, do the following: a. In the Server Farm field, choose the primary server farm to use for load balancing, or choose *New* to configure a new server farm (see Table 7-13). Note To display statistics and status information for an existing server farm, choose a server farm in the list, and then click Details. ANM accesses the show serverfarm name detail CLI command to display detailed server farm information. See the “Displaying Server Farm Statistics and Status Information” section on page 8-48. b. In the Backup Server Farm field, choose the server farm to act as the backup server farm for load balancing if the primary server farm is unavailable, or choose *New* to configure a new backup server farm (see Table 7-13). Note If you chose an existing object in either field, you can view, modify, or duplicate the selected object’s existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects in virtual servers. Step 7 (Optional) If you chose Sticky as the primary action, in the Sticky Group field, choose an existing sticky group or click *New* to add a new sticky group (see Table 7-15). Note If you chose an existing sticky group, you can view, modify, or duplicate the selected object’s existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects in virtual servers. Step 8 (Optional) If you are using the ACE appliance (all versions) or ACE module version A4(1.0) and later, in the Compression Method field, choose the HTTP compression method to indicate how the ACE appliance is to compress packets when a client request indicates that the client browser is capable of packet compression. By default, HTTP compression is disabled in the ACE. When you configure HTTP compression using the ACE, the appliance compresses data in the HTTP GET responses from the real servers. The ACE does not compress HTTP requests from clients or the HTTP headers in the server responses. Note By default, the ACE appliance supports HTTP compression at rates of 100 megabits per second (Mbps). Installing an optional HTTP compression license allows you to increase this value to a maximum of 2 Gbps. See the Cisco 4700 Series Application Control Engine Appliance Administration Guide for information on ACE licensing options. Options are as follows: • Deflate—Specifies the deflate compression format as the method to use when the client browser supports both the deflate and gzip compression methods. deflate, the data format for compression described in RFC1951. • Gzip—Specifies the gzip compression format as the method to use when the client browser supports both the deflate and gzip compression methods. Gzip is the file format for compression described in RFC1952. • N/A—HTTP compression is disabled. 7-52 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Note If you enable the Gzip or Deflate compression format, ANM automatically inserts a L7 Load Balance Primary Action to exclude the MIME types listed above. However, if you disable HTTP compression later on, you will need to remove the auto-inserted Load Balance Primary Action. When you enable HTTP compression, the ACE compresses the packets using the following default compression parameter values: • Mime type—All text formats (text/*). • Minimum size—512 bytes. • User agent—None. Step 9 In the SSL Initiation field, choose an existing service or choose *New* to create a new service: • If you chose an existing SSL service, you can view, modify, or duplicate the existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. • If you chose *New*, configure the service using the information in Table 7-5. For more information about SSL, see the “Configuring SSL” section on page 11-1. Step 10 In the Insert HTTP Headers field, enter the name of the HTTP header and the value to be matched using the header_name=header_value format where: • header_name represents the name of the HTTP header to insert in the client HTTP request. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can specify predefined header or any custom header name provided that it does not exceed the maximum length limit. • header_value represents the expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. Header expressions allow spaces, provided that the spaces are escaped or quoted. All headers in the header map must be matched. Table 14-33 lists the supported characters that you can use in regular expressions. For example, you might enter Host=www.cisco.com. Step 11 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table. • Click Deploy Later to save your entries and apply the configuration at a later time. Related Topics • Configuring Virtual Server Properties, page 7-11 • Configuring Virtual Server SSL Termination, page 7-17 • Configuring Virtual Server Protocol Inspection, page 7-18 • Configuring Virtual Server Layer 7 Load Balancing, page 7-30 7-53 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Configuring Application Acceleration and Optimization Note This option is available only for ACE appliances and only in the Advanced View. You can configure acceleration and optimization on virtual servers that are configured on ACE appliances. The ACE appliance includes configuration options that allow you to accelerate enterprise applications, resulting in increased employee productivity, enhanced customer retention, and increased online revenues. The application acceleration functions of the ACE appliance apply several optimization technologies to accelerate Web application performance. This application acceleration functionality enables enterprises to optimize network performance and improve access to critical business information. It also accelerates the performance of Web applications, including customer relationship management (CRM), portals, and online collaboration by up to 10 times. See the “Configuring Application Acceleration and Optimization” section on page 15-1 or the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide for more information about application acceleration and optimization. Assumption Make sure that a virtual server has been configured on an ACE appliance with HTTP or HTTPS as the application protocol. See the “Configuring Virtual Servers” section on page 7-2 for information about configuring a virtual server. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears. Step 2 In the Virtual Servers table, choose the virtual server that you want to configure for optimization, and click Edit. The Virtual Server configuration window appears. Step 3 In the Virtual Server configuration window, click Application Acceleration And Optimization. The Application Acceleration And Optimization configuration pane appears. Step 4 In the Configuration field of the Application Acceleration And Optimization configuration pane, choose the method that you want to use to configure application acceleration and optimization: • EZ—Use standard acceleration and optimization options. Continue with Step 5. • Custom—Associate specific match criteria, actions, and parameter maps for application acceleration and optimization for the virtual server. If you choose this option, continue with Step 6 through Step 14. Step 5 (Optional) If you chose EZ, the Latency Optimization (FlashForward) and Bandwidth Optimization (Delta) fields appear. Do the following: a. Check the Latency Optimization (FlashForward) check box to specify that the ACE appliance is to use bandwidth reduction and download acceleration techniques to objects embedded within HTML pages. Uncheck the check box to specify that the ACE appliance is not to employ these techniques to objects embedded within HTML pages. Latency optimization corresponds to FlashForward functionality. For more information about FlashForward functionality, see the “Optimization Overview” section on page 15-2. 7-54 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers b. Check the Bandwidth Optimization (Delta) check box to specify that the ACE appliance is to dynamically update client browser caches with content differences, or deltas. Uncheck the check box to specify that the ACE appliance is not to dynamically update client browser caches. Bandwidth optimization corresponds to action list Delta optimization. For more information about configuring Delta optimization, see the “Optimization Overview” section on page 15-2 and the “Configuring an HTTP Optimization Action List” section on page 15-3. c. Continue with Step 14. Step 6 (Optional) If you chose Custom, the Actions configuration pane appears with a table listing match criteria and actions. Click Add to add an entry to this table or choose an existing entry, and click Edit to modify it. The configuration pane refreshes with the available configuration options. Step 7 In the Apply Building Block field, choose one of these configuration building blocks for the type of optimization that you want to configure, or leave the field blank to configure optimization without a building block: • Bandwidth Optimization—Maximizes bandwidth for Web-based traffic. • Latency Optimization for Embedded Objects—Reduces the latency associated with embedded objects in Web-based traffic. • Latency Optimization for Embedded Images—Reduces the latency associated with embedded images in Web-based traffic. • Latency Optimization for Containers—Reduces the latency associated with Web containers. If you chose one of the building blocks, the Rule Match configuration subset displays the configuration options with selections based on the building block chosen. You can accept the entries as they are or modify them. If you do not choose a building block, additional configuration options appear depending on the features you enable. Step 8 In the Rule Match field, choose an existing class map or click *New* to specify new match criteria, and do one of the following: • If you chose an existing class map, you can view, modify, or duplicate the existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. • If you click *New*, the window refreshes so that you can enter new match criteria. Step 9 Configure match criteria using the information in Table 7-16. Table 7-16 Optimization Match Criteria Configuration Field Description/Action Name Unique name for this match criteria rule. 7-55 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Step 10 In the Actions field, choose an existing action list to use for optimization or click *New* to create a new action list, and do one of the following: • If you chose an existing action list, you can view, modify, or duplicate the existing configuration. See the “Shared Objects and Virtual Servers” section on page 7-9 for more information about modifying shared objects. • If you click *New*, the window refreshes so you can configure an action list. Step 11 Configure the action list using the information in Table 7-17. Match Method to be used to evaluate multiple match statements when multiple match conditions exist: • match-any—A match exists if at least one of the match conditions is satisfied. • match-all—A match exists only if all match conditions are satisfied. Conditions Field that allows you to add a new set of conditions or choose an existing entry. Click Add to add a new set of conditions, or choose an existing entry and click Edit to modify it: a. In the Type field, choose the match condition to be used, then configure any condition-specific options using the information in Table 7-12. b. Click OK to save your entries, or Cancel to exit this procedure without saving your entries. Table 7-16 Optimization Match Criteria Configuration (continued) Field Description/Action Table 7-17 Optimization Action List Configuration Options Field Description Action List Name Unique name for the action list. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters. Enable Delta Check box that enables delta optimization for the specified URLs. Delta optimization that dynamically updates client browser caches directly with content differences, or deltas, resulting in faster page downloads. Uncheck the check box to disable this feature. If you are configuring optimization without a building block, additional options appear. Configure these options using the information in Table 7-18. Enable AppScope Check box that enables AppScope performance monitoring for use with the ACE appliance. AppScope runs on the Management Console of the optional Cisco AVS 3180A Management Station and measures end-to-end application performance. Uncheck the check box to disable this feature. If you are configuring optimization without a building block, additional options appear. Configure these options using the information in Table 7-18. 7-56 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Flash Forward Feature that reduces bandwidth usage and accelerates embedded object downloading by combining local object storage with dynamic renaming of embedded objects, which enforces object freshness within the parent HTML page. Choose how the ACE appliance is to implement FlashForward: • N/A—This feature is not enabled. • Flash Forward—FlashForward is to be enabled for the specified URLs and embedded objects are to be transformed. • Flash Forward Object—FlashForward static caching is to be enabled for the objects that the corresponding URLs refer to, such as Cascading Style Sheets (CSS), JPEG, and GIF files. If you are configuring without a building block and chose either FlashForward or FlashForward Object, an addition option appears. Configure this option using the information in Table 7-18. Cache Dynamic Check box that enables Adaptive Dynamic Caching for the specified URLs even if the expiration settings in the response indicate that the content is dynamic. The expiration of cache objects is controlled by the cache expiration settings based on time or server load. Uncheck the check box to disable this feature. Cache Forward Field that specifies how the ACE appliance is to implement cache forwarding: • N/A—This feature is not enabled. • With Wait—Cache forwarding is enabled with the wait option for the specified URLs. If the object has expired but the maximum cache TTL time period has not yet expired, the ACE appliance sends a request to the origin server for the object. Users requesting this page continue to receive content from the cache during this time but must wait for the object to be updated before their request is satisfied. When the fresh object is returned, it is sent to the requesting user and the cache is updated. • Without Wait—Cache forwarding is enabled without the wait option. Dynamic Entity Tag Check box that specifies that the ACE appliance is to implement just-in-time object acceleration for embedded objects not able to be cached. This feature enables the acceleration of embedded objects not able to be cached, which results in improved application response time. When enabled, this feature eliminates the need for users to download objects not able to be cached on each request. Uncheck the check box to disable this feature. Table 7-17 Optimization Action List Configuration Options (continued) Field Description 7-57 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Step 12 (Optional) If you are configuring optimization without a building block, additional options appear when you enable specific features. Configure the additional options using the information in Table 7-18. Table 7-18 Application Acceleration and Optimization Additional Configuration Options Field Description Response Codes To Ignore (Comma Separated) Comma-separated list of HTTP response codes for which the response body must not be read. For example, an entry of 302 indicates that the ACE is to ignore the response body of a 302 (redirect) response from the origin server. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters. Set Browse Freshness Period Method that the ACE is to use to determine the freshness of objects in the client’s browser: • N/A—This option is not configured. • Disable Browser Object Freshness Control—Browser freshness control is not to be used. • Set Freshness Similar To Flash Forward Objects—The ACE is to set freshness similar to that used for FlashForwarded objects, and to use the values specified in the Maximum Time for Cache Time-To-Live and Minimum Time For Cache Time-To-Live fields. Duration For Browser Freshness (Seconds) Field that appears if the Set Browser Freshness Period option is not configured. Enter the number of seconds that objects in the client’s browser are considered fresh. Valid entries are 0 to 2147483647 seconds. Enable Delta Options Max. For Post Data To Scan For Logging (kBytes) Maximum number of kilobytes of POST data the ACE is to scan for parameters for the purpose of logging transaction parameters in the statistics log. Valid entries are 0 to 1000 KB. Base File Anonymous Level Feature that enables the ACE to create and deliver condensed base files that contain only information that is common to a large set of users. No information unique to a particular user, or across a very small subset of users, is included in anonymous base files. Information that is common to a large set of users is generally not confidential or user-specific. Conversely, information that is unique to a specific user or a small set of users is generally confidential or user-specific. Enter the value for base file anonymity for the all-user condensation method. Valid entries are from 0 to 50; the default value of 0 disables the base file anonymity feature. Cache-Key Modifier Expression Unique identifier that is used to identify a cached object to be served to a client, replacing a trip to the origin server. The cache key modifier feature allows you to modify the canonical form of a URL; that is, the portion before “?” in a URL. For example, the canonical URL of http://www.xyz.com/somepage.asp?action=browse&level=2 is http://www.xyz.com/somepage.asp. Enter a regular expression containing embedded variables as described in Table 7-19. The ACE transforms URLs specified in class maps for this virtual server with the expression and variable entered here. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. If the string includes spaces, enclose the string with quotation marks (“). 7-58 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Min. Time For Cache Time-To-Live (Seconds) Minimum number of seconds that an object without an explicit expiration time should be considered fresh in the ACE cache. This value specifies the minimum time that content can be cached. If the ACE is configured for FlashForward optimization, this value should normally be 0. If the ACE is configured for dynamic caching, this value should indicate how long the ACE should cache the page. (See Table 7-17 for information about these configuration options.) Valid entries are 0 to 2147483647 seconds. Max. Time For Cache Time-To-Live (Seconds) Maximum number of seconds that an object without an explicit expiration time should be considered fresh in the ACE cache. Valid entries are 0 to 2147483647 seconds. Cache Time-To-Live Duration (%) Percent of an object’s age at which an embedded object without an explicit expiration time is considered fresh. Valid entries are 0 to 100 percent. Expression To Modify Cache Key Query Parameter Feature that allows you to modify the query parameter of a URL; that is, the portion after “?” in a URL. For example, the query parameter portion of http://www.xyz.com/somepage.asp?action=browse&level=2 is action=browse&level=2. Enter a regular expression containing embedded variables as described in Table 7-19. The ACE transforms URLs specified in class maps for this virtual server with the expression and variable entered here. If no string is specified, the query parameter portion of the URL is used as the default value for this portion of the cache key. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. Canonical URL Expressions Canonical URL feature to eliminate the “?” and any characters that follow to identify the general part of the URL. This general URL is then used to create the base file. In this way, the ACE maps multiple URLs to a single canonical URL. Enter a comma-separated list of parameter expander functions as defined in Table 7-19 to identify the URLs to associate with this parameter map. Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters. Enable Cacheable Content Optimization Check box that enables delta optimization of content that can be cached. This feature allows the ACE to detect content that can be cached and perform delta optimization on it. Uncheck the check box to disable this feature. Enable Delta Optimization On First Visit To Web Page Check box that enables condensation on the first visit to a Web page. Uncheck the check box to disable this feature. Min. Page Size For Delta Optimization (Bytes) Minimum page size, in bytes, that can be condensed. Valid entries are from 1 to 250000 bytes. Max. Page Size For Delta Optimization (Bytes) Maximum page size, in bytes, that can be condensed. Valid entries are from 1 to 250000 bytes. Table 7-18 Application Acceleration and Optimization Additional Configuration Options (continued) Field Description 7-59 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Set Default Client Script Scripting language that the ACE is to recognize on condensed content pages: • N/A—Indicates that this option is not configured. • Javascript—Indicates that the default scripting language is JavaScript. • Visual Basic Script—Indicates that the default scripting language is Visual Basic. Exclude Iframes From Delta Optimization Check box to specify that delta optimization is not to be applied to IFrames (inline frames). Uncheck the check box to indicate that delta optimization is to be applied to IFrames. Exclude Non-ASCII Data From Delta Optimization Check box to specify that delta optimization is not to be applied to non-ASCII data. Uncheck the check box to indicate that delta optimization is to be applied to non-ASCII data. Exclude JavaScripts From Delta Optimization Check box to specify that delta optimization is not to be applied to JavaScript. Uncheck the check box to indicate that delta optimization is to be applied to JavaScript. MIME Types To Exclude From Delta Optimization a. In the first field, enter a comma-separated list of the MIME (Multipurpose Internet Mail Extension) type messages that are not to have delta optimization applied, such as image/Jpeg, text/html, application/msword, or audio/mpeg. See the “Supported MIME Types” section on page 10-26 for a list of supported MIME types. b. Click Add to add the entry to the list box on the right. You can position the entries in the list box by using the Up and Down buttons. Remove HTML META Elements From Documents Check box to specify that HTML META elements are to be removed from documents to prevent them from being condensed. Uncheck the check box to indicate that HTML META elements are not to be removed from documents. Rebase Delta Optimization Threshold (%) Delta threshold, expressed as a percent, when rebasing is to be triggered. This entry represents the size of a page delta relative to total page size, expressed as a percent. This entry triggers rebasing when the delta response size exceeds the threshold as a percentage of base file size. Valid entries are 0 to 10000 percent. Rebase Flash Forward Threshold (%) Threshold, expressed as a percent, when rebasing is to be triggered based on the percent of FlashForwarded URLs in the response. This entry triggers rebasing when the difference between the percentages of FlashForwarded URLs in the delta response and the base file exceeds the threshold. Valid entries are 0 to 10000 percent. Rebase History Size (Pages) Number of pages to be stored before the ACE resets all rebase control parameters to zero and starts over. This option prevents the base file from becoming too rigid. Valid entries are 10 to 2147483647. Rebase Modify Cool-Off Period (Seconds) Number of seconds after the last modification before performing a rebase. Valid entries are 1 to 14400 seconds (4 hours). Rebase Reset Period (Seconds) Period of time, in seconds, for performing a meta data refresh. Valid entries are 1 to 900 seconds (15 minutes). Table 7-18 Application Acceleration and Optimization Additional Configuration Options (continued) Field Description 7-60 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers UTF-8 Character Set Threshold Number of 8-bit Unicode Transformation Format (UTF-8) characters that need to appear on a page to create a UTF-8 character set page. The UTF-8 character set is an international standard that allows Web pages to display non-ASCII or non-English multibyte characters. It can represent any universal character in the Unicode standard and is backwards compatible with ASCII. Valid entries are from 1 to 1,000,000. Server Load Threshold Trigger (%) Threshold, expressed as a percent, at which the TTL for cached objects is to be changed. The server load threshold trigger indicates that the time-to-live (TTL) period for cached objects is to be based dynamically on server load. With this method, TTL periods increase if the current response time from the origin sever is greater than the average response time and decrease if the current response time from the origin server is less than the average response time when the difference in response times exceeds a specified threshold amount. Valid entries are from 0 to 100 percent. Server Load Time-To-Live Change (%) Percentage by which the cache TTL is to be increased or decreased when the server load threshold trigger is met. This option specifies the percentage by which the cache TTL is increased or decreased in response to a change in server load. For example, if this value is set to 20 and the current TTL for a response is 300 seconds, and if the current server response times exceeds the trigger threshold, the cache TTL for the response is raised to 360 seconds. Valid entries are from 0 to 100 percent. Delta Optimization Mode Method by which delta optimization is to be implemented: • N/A—Indicates that a delta optimization mode is not configured. • Enable The All-User Mode For Delta Optimization—Indicates that the ACE is to generate the delta against a single base file that is shared by all users of the URL. This option is usable in most cases if the structure of a page is common across all users, and the disk space overhead is minimal. • Enable The Per-User Mode For Delta Optimization—Indicates that the ACE is to generate the delta against a base file that is created specifically for that user. This option is useful when page contents, including layout elements, are different for each user, and delivers the highest level of condensation. However, this increases disk space requirements because a copy of the base page that is delivered to each user is cached. This option is useful when privacy is required because base pages are not shared among users. Enable Appscope Options Appscope Optimize Rate (%) Percentage of all requests or sessions to be sampled for performance with acceleration (or optimization) applied. All applicable optimizations for the class will be performed. Valid entries are from 0 to 100 percent, with a default of 10 percent. The sum of this value and the value entered in the Passtthrough Rate Percent field must not exceed 100. Appscope Passthrough Rate (%) Percentage of all requests or sessions to be sampled for performance without optimization. No optimizations for the class will be performed. Valid entries are from 0 to 100, with a default of 10 percent. The sum of this value and the value entered in the Optimize Rate Percent field must not exceed 100. Table 7-18 Application Acceleration and Optimization Additional Configuration Options (continued) Field Description 7-61 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Table 7-19 lists the parameter expander functions that you can use. Max Number For Parameter Summary Log (Bytes) Maximum number of bytes that are to be logged for each parameter value in the parameter summary of a transaction log entry in the statistics log. If a parameter value exceeds this limit, it is truncated at the specified limit. Valid entries are 0 to 10,000 bytes. Specify String For Grouping Requests String that the ACE is to use to sort requests for AppScope reporting. The string can contain a URL regular expression that defines a set of URLs in which URLs that differ only by their query parameters are to be treated as separate URLs in AppScope reports. For example, to define a string that is used to identify the URLs http://server/catalog.asp?region=asia and http://server/catalog.asp?region=america as two separate reporting categories, you would enter http_query_param(region). Valid entries contain 1 to 255 characters and can contain the parameter expander functions listed in Table 7-19. Table 7-18 Application Acceleration and Optimization Additional Configuration Options (continued) Field Description Table 7-19 Parameter Expander Functions Variable Description $(number) Expands to the corresponding matching subexpression (by number) in the URL pattern. Subexpressions are marked in a URL pattern using parentheses (). The numbering of the subexpressions begins with 1 and is the number of the left-parenthesis “(“ counting from the left. You can specify any positive integer for the number. $(0) matches the entire URL. For example, if the URL pattern is ((http://server/.*)/(.*)/)a.jsp, and the URL that matches it is http://server/main/sub/a.jsp?category=shoes&session=99999, then the following are correct: $(0) = http://server/main/sub/a.jsp $(1) = http://server/main/sub/ $(2) = http://server/main $(3) = sub If the specified subexpression does not exist in the URL pattern, then the variable expands to the empty string. $http_query_string() Expands to the value of the whole query string in the URL. For example, if the URL is http://myhost/dothis?param1=value1¶m2=value2, then the following is correct: $http_query_string() = param1=value1¶m2=value2 This function applies to both GET and POST requests. 7-62 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers $http_query_param(query-param-name) The obsolete syntax is also supported: $param(query-param-name) Expands to the value of the named query parameter (case-sensitive). For example, if the URL is http://server/main/sub/a.jsp?category=shoes&session=99999, then the following are correct: $http_query_param(category) = shoes $http_query_param(session) = 99999 If the specified parameter does not exist in the query, then the variable expands to the empty string. This function applies to both GET and POST requests. $http_cookie(cookie-name) Evaluates to the value of the named cookie. For example, $http_cookie(cookiexyz). The cookie name is case-sensitive. $http_header(request-header-name) Evaluates to the value of the specified HTTP request header. In the case of multivalued headers, it is the single representation as specified in the HTTP specification. For example, $http_header(user-agent). The HTTP header name is not case-sensitive. $http_method() Evaluates to the HTTP method used for the request, such as GET or POST. Boolean Functions: $http_query_param_present(query-param-name) $http_query_param_notpresent(query-param-name) $http_cookie_present(cookie-name) $http_cookie_notpresent(cookie-name) $http_header_present(request-header-name) $http_header_notpresent(request-header-name) $http_method_present(method-name) $http_method_notpresent(method-name) Evaluates to a Boolean value: True or False, depending on the presence or absence of the element in the request. The elements are a specific query parameter (query-param-name), a specific cookie (cookie-name), a specific request header (request-header-name), or a specific HTTP method (method-name). All identifiers are case-sensitive except for the HTTP request header name. $regex_match(param1, param2) Evaluates to a Boolean value: True if the two parameters match and False if they do not match. The two parameters can be any two expressions, including regular expressions, that evaluate to two strings. For example, this function: $regex_match($http_query_param(URL), .*Store\.asp.*) compares the query URL with the regular expression string .*Store\.asp.* If the URL matches this regular expression, this function evaluates to True. Table 7-19 Parameter Expander Functions (continued) Variable Description 7-63 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Step 13 When you finish configuring match criteria and actions, do one of the following: • Click OK to save your entries and to return to the Rule Match and Actions table. • Click Cancel to exit this procedure without saving your entries and to return to the Rule Match and Actions table. Step 14 When you finish configuring virtual server properties, do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The ACE appliance validates the action list configuration and deploys it. • Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table. • Click Deploy Later to save your entries and apply the configuration at a later time. Related Topics • Optimization Traffic Policies and Typical Configuration Flow, page 15-2 • Configuring Traffic Policies for HTTP Optimization, page 15-6 • Configuring Virtual Server Protocol Inspection, page 7-18 • Configuring Virtual Server Layer 7 Load Balancing, page 7-30 • Configuring Virtual Server Default Layer 7 Load Balancing, page 7-50 Configuring Virtual Server NAT You can configure Name Address Translation (NAT) for virtual servers. Assumptions This topic assumes the following: • Make sure that a virtual server has been configured in the Properties configuration subset. For more information, see the “Configuring Virtual Server Properties” section on page 7-11 • Make sure that a VLAN has been configured. See the “Configuring Virtual Context VLAN Interfaces” section on page 12-6 for information on configuring a VLAN interface. • Make sure that at least one NAT pool has been configured on a VLAN interface. See the “Configuring VLAN Interface NAT Pools” section on page 12-26 for information on configuring a NAT pool. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears. Step 2 In the Virtual Servers table, choose the virtual server you want to configure for NAT, and click Edit. The Virtual Server configuration window appears. Step 3 In the Virtual Server configuration window, click NAT. The NAT table appears. 7-64 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Step 4 In the NAT table, click Add to add an entry, or choose an existing entry and click Edit to modify it. Step 5 In the VLAN drop-down list, choose the VLAN that you want to use for NAT. VLANs that have previously been defined for NAT do not appear in this list. VLAN numbers provide an indication of available NAT pools. Step 6 In the NAT Pool ID drop-down list, choose the NAT pool that you want to associate with the selected VLAN. Note the following about the NAT pool ID selections: NAT Pool IDs (Begin IP - End IP: Netmask: PAT) appear in a format that provides the details of the beginning and ending IP address range, netmask, and the PAT enabled or disabled setting. For example: 2 (10.77.241.2 - 10.77.241.15: 255.255.255.192: PAT Enabled). If the NAT pool had previously been associated but is no longer defined, then it appears as “ (Warning: Undefined NAT Pool)”. For example: 2 (Warning: Undefined NAT Pool) For more information about NAT pools, see the “Configuring VLAN Interface NAT Pools” section on page 12-26. Step 7 Do one of the following: • Click OK to save your entries and to return to the NAT table. The NAT table refreshes with the new entry. • Click Cancel to exit the procedure without saving your entries and to return to the NAT table. Step 8 When you finish configuring virtual server properties, do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table. • Click Deploy Later to save your entries and apply the configuration at a later time. Related Topics • Configuring Virtual Servers, page 7-2 • Configuring Virtual Server Properties, page 7-11 • Configuring Virtual Server SSL Termination, page 7-17 • Configuring Virtual Server Protocol Inspection, page 7-18 • Configuring Virtual Server Layer 7 Load Balancing, page 7-30 • Configuring Virtual Server Default Layer 7 Load Balancing, page 7-50 7-65 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Configuring Virtual Servers Displaying Virtual Servers by Context You can display all virtual servers associated with a virtual context. Procedure Step 1 Choose Config > Devices. The device tree appears. Step 2 In the device tree, choose the context associated with the virtual servers that you want to display, and choose Load Balancing > Virtual Servers. Table 7-20 describes the information that displays. Related Topics • Configuring Virtual Servers, page 7-2 • Managing Virtual Servers, page 7-66 • Displaying Detailed Virtual Server Information, page 7-81 • Displaying Virtual Servers, page 7-81 Displaying Virtual Server Statistics and Status Information You can display virtual server statistics and status information for a particular virtual server by using the Details button. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears. Table 7-20 Virtual Servers Window Field Description Name Virtual server name. Configured State Current configured state, such as In Service or Out Of Service. Operational State Current operating state (if known), such as In Service or Out Of Service. Last Polled Date and time that ANM last polled the virtual server for backup statistics. VIP Address Virtual server IP address. Port Port that the virtual server uses for TCP or UDP. VLANs Associated VLANs. Server Farms Associated server farms. Owner Owner and context in which the virtual server was created 7-66 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers Step 2 From the Virtual Servers table, choose a virtual server and click Details. A popup window appears that displays the show service-policy policy_name class-map class_name detail CLI command output. For details about the displayed fields, see either the Cisco ACE Module Server Load-Balancing Configuration Guide or the Cisco ACE 4700 Series Appliance Server Load-Balancing Configuration Guide. Note This feature requires ACE module software Version A2(1.2), ACE appliance software Version A3(2.1), or later versions of either software. An error displays with earlier software versions. Step 3 Click Update Details to refresh the window information. Step 4 Click Close to return to the Virtual Servers table. Related Topics • Configuring Virtual Servers, page 7-2 • Managing Virtual Servers, page 7-66 • Displaying Detailed Virtual Server Information, page 7-81 • Displaying Virtual Servers, page 7-81 Managing Virtual Servers This section shows how to display and manage the virtual servers from the Virtual Servers window (Config > Operations > Virtual Servers). This window provides you with information about each virtual server configured on ANM (see the “Displaying Virtual Servers” section on page 7-81) and provides access to function buttons that allow you to perform tasks such as activate or suspend a virtual server, display a virtual server topology map, or display connection statistics graphs. This section also shows how to display and manage GSS VIP answers (Config > Operations > GSS VIP Answers) and GSS DNS rules (Config > Operations > GSS DNS Rules). Guidelines and Restrictions The Virtual Servers, GSS VIP Answers, and GSS DNS Rules Operations windows contain a Rows per page option that includes an All setting for displaying all related configured items in one window. Use the All setting for viewing purposes only. ANM does not allow you to perform any operation from an Operations window if you have more than 200 items selected. For example, if you use the All option to display and select more than 200 virtual servers and then attempt to perform the suspend operation, ANM cancels the request and displays an error message. This section includes the following topics: • Managing Virtual Server Groups, page 7-67 • Activating Virtual Servers, page 7-71 • Suspending Virtual Servers, page 7-72 • Managing GSS VIP Answers, page 7-73 • Activating and Suspending DNS Rules Governing GSS Load Balancing, page 7-75 • Managing GSS VIP Answer and DNS Rule Groups, page 7-76 7-67 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers • Displaying Detailed Virtual Server Information, page 7-81 • Displaying Virtual Servers, page 7-81 • Using the Virtual Server Connection Statistics Graph, page 7-84 • Using the Virtual Server Topology Map, page 7-85 • Understanding CLI Commands Sent from Virtual Server Table, page 7-86 Managing Virtual Server Groups This section describes how to organize virtual servers into groups, which allows you to display and manage a specific group of virtual servers without having to filter the virtual server display. When creating a group, you specify whether the group is available to just you or is available globally to all ANM users. The virtual server group feature is available from the virtual servers operations window (Config > Operations > Virtual Servers), which contains the Groups option for managing object groups. Figure 7-1 shows the Groups icon with the following available options for managing object groups: • Create New Group—Adds a new group. • Edit Group—Modifies an existing group. This option displays only after you select a group to display in Group mode. • Exit Group Mode—Changes the display from the group mode display to the display of all virtual servers. This option displays only after you select a group and the display enters the Group mode. • Saved Groups—Lists the currently configured groups along with each group’s privilege level (local or global) and owner. From this view, you can choose a group to display or delete a group. Figure 7-1 Object Grouping for Virtual Servers Guidelines and Restrictions Object grouping guidelines and restrictions are as follows: • When you create a global group, other users can see the group if they have access to at least one object within the group. This rule does not apply to the admin user or a user with the anm-admin role because they have visibility to all global groups. • To edit or delete a group, you must be the group owner, a user with the anm-admin role, or the admin user. • When you delete a locally authenticated user from the ANM database, ANM deletes all the global and user-specific groups that the user created. However, when you delete a remotely authorized user from the remote AAA server database, ANM does not delete the groups that the user created. In this case, you must manually delete the user’s groups. 7-68 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers This section includes the following topics: • Creating a Virtual Server Group, page 7-68 • Editing or Copying a Virtual Server Group, page 7-69 • Displaying a Virtual Server Group, page 7-70 • Deleting a Virtual Server Group, page 7-70 Creating a Virtual Server Group You can create a virtual server group. Procedure Step 1 Choose Config > Operations > Virtual Servers. The Virtual Servers table appears. Step 2 Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1). Step 3 From the Groups menu, choose Create New Group. The display enters the edit mode and the Creating a New Group table appears with the list of the available virtual servers. Step 4 From the Creating a New Group table, check the check box next to the virtual servers that you want to include in the group. Step 5 (Optional) Check the Hide unselected check box to display only the virtual servers that you have chosen. Uncheck the check box to display all the available virtual servers. Step 6 Do one of the following: • Click Save as to save the group information. The Create Group popup window appears. From the popup window, do the following: a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters. Special characters and spaces are allowed. b. Choose the availability of the group by clicking one of the following radio buttons: – This user only (local)—Only you can view, modify, or delete the group. – All users (global)—All ANM users can view the group if they have permission to view at least one of the virtual servers associated with the group. A user with the admin or anm-admin can view all groups and can also edit or delete any group. c. Do one of the following: – Click Save to save the group information. The Create Group popup window closes and the Viewing Group table appears, displaying the new group’s name and associated virtual servers. To exit Group mode and return to the Virtual Servers table, click the Groups icon and click Exit Group Mode from the Groups menu. – Click Cancel to close the Create Group popup window without saving any information and return to the Creating a New Group table. 7-69 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers • Click Back to View to exit the Group display mode and return to the Virtual Servers table. Related Topics • Managing Virtual Server Groups, page 7-67 • Editing or Copying a Virtual Server Group, page 7-69 • Displaying a Virtual Server Group, page 7-70 • Deleting a Virtual Server Group, page 7-70 Editing or Copying a Virtual Server Group You can edit a virtual server group or create a copy of a virtual server group under a different name. Procedure Step 1 Choose Config > Operations > Virtual Servers. The Virtual Servers table appears. Step 2 Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1). Step 3 From the Groups menu, choose the group that you want to edit. The Viewing Group table appears, displaying the selected group’s name and associated virtual servers. Step 4 Click the Groups icon again and from the Groups menu, choose Edit Group. The Editing Group table appears, displaying the complete list of available virtual servers with the virtual servers currently associated with the group highlighted and checked. Step 5 Modify the group as needed by adding (check) or removing (uncheck) virtual servers as needed. Skip this step if you only want to save a copy of the current group under a different name. Step 6 Do one of the following: • Click Save to save the changes and return to the Viewing Group table, where you can view the changes. • Click Save as to save the configuration under a new group name. The Create Group popup window appears. From the popup window, do the following: a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters. Special characters and spaces are allowed. b. Choose the availability of the group by clicking one of the following radio buttons: – This user only (local)—Only you can view, modify, or delete the group. – All users (global)—All ANM users can view the group if they have permission to view at least one of the virtual servers associated with the group. The admin user or a user with the anm-admin role can view all global groups and can also edit or delete these groups. c. Do one of the following: – Click Save to save the group information. The Create Group popup window closes and the Viewing Group table appears, displaying the new group’s name and associated virtual servers. 7-70 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers – Click Cancel to close the Create Group popup window without saving any information and to return to the Creating a New Group table. Click Back to View to exit the edit mode and return to the Group mode. Step 7 (Optional) To exit Group mode and return to the Virtual Servers table, click the Groups icon and click Exit Group Mode from the Groups menu. Related Topics • Managing Virtual Server Groups, page 7-67 • Creating a Virtual Server Group, page 7-68 • Displaying a Virtual Server Group, page 7-70 • Deleting a Virtual Server Group, page 7-70 Displaying a Virtual Server Group You can display the list of virtual servers associated with a virtual server group. Procedure Step 1 Choose Config > Operations > Virtual Servers. The Virtual Servers table appears. Step 2 Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1). Step 3 From the Groups menu, choose the group that you want to display. The Viewing Group table appears, displaying the selected group’s name and associated virtual servers. Step 4 (Optional) To exit Group mode and return to the Virtual Servers table, click the Groups icon and click Exit Group Mode from the Groups menu. Related Topics • Managing Virtual Server Groups, page 7-67 • Creating a Virtual Server Group, page 7-68 • Editing or Copying a Virtual Server Group, page 7-69 • Deleting a Virtual Server Group, page 7-70 Deleting a Virtual Server Group You can delete a virtual server group. Deleting a virtual server group does not delete the group’s associated virtual servers from the ANM database. 7-71 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers Procedure Step 1 Choose Config > Operations > Virtual Servers. The Virtual Servers table appears. Step 2 Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1). Step 3 From the Groups menu, click X (delete) next to the group that you want to delete. The Delete Group confirmation popup window appears. Step 4 From the Delete Group confirmation popup window, do one of the following: • Click Delete to removes the virtual server group. • Click Cancel to ignore the deletion request. Related Topics • Managing Virtual Server Groups, page 7-67 • Creating a Virtual Server Group, page 7-68 • Editing or Copying a Virtual Server Group, page 7-69 • Displaying a Virtual Server Group, page 7-70 Activating Virtual Servers You can activate a virtual server. Note A missing operation or Admin state on a CSM or CSS device most likely means that the community string was not enabled on those devices. If the community string is not enabled on a CSM or CSS device, and any kind of operation is performed on those devices, it will not succeed, and ANM will not provide any kind of indication. • For CSM devices, you must enable the community string of the Catalyst 6500 series chassis. • For CSS devices, you must enable the community string of the CSS device itself. Guidelines and Restrictions ANM does not support CSM DNS virtual servers. If you create this type of virtual server, ANM issues an error message if you attempt to use ANM to activate or suspend it. Procedure Step 1 Choose Config > Operations > Virtual Servers. The Virtual Servers table appears. Step 2 (Optional) To display only the virtual servers of a specific virtual server group, do the following: a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1). 7-72 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers b. From the Groups menu, choose the group to display. Step 3 In the Virtual Servers table, choose the virtual server that you want to activate, and click Activate. The server is activated and the window refreshes with updated information in the Configured State column. Related Topics • Managing Virtual Servers, page 7-66 • Displaying Virtual Servers, page 7-81 • Suspending Virtual Servers, page 7-72 Suspending Virtual Servers You can suspend a virtual server. Note A missing operation or Admin state on a CSM or CSS device most likely means that the community string was not enabled on those devices. If the community string is not enabled on a CSM or CSS device, and any kind of operation is performed on those devices, it will not succeed, and ANM will not provide any kind of indication. • For CSM devices, you must enable the community string of the Catalyst 6500 series chassis. • For CSS devices, you must enable the community string of the CSS device itself. Guidelines and Restrictions ANM does not support CSM DNS virtual servers. If you create this type of virtual server, ANM issues an error message if you attempt to use ANM to activate or suspend it. Procedure Step 1 Choose Config > Operations > Virtual Servers. The Virtual Servers table appears. Step 2 (Optional) To display only the virtual servers of a specific virtual server group, do the following: a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1). b. From the Groups menu, choose the group to display. Step 3 In the Virtual Servers table, choose the virtual server that you want to suspend, and click Suspend. The Suspend Virtual Server window appears. Step 4 In the Reason field of the Suspend Virtual Server window, enter the reason for this action. You might enter a trouble ticket, an order ticket, or a user message. 7-73 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers Note Do not enter a password in this field. Related Topics • Managing Virtual Servers, page 7-66 • Displaying Virtual Servers, page 7-81 • Activating Virtual Servers, page 7-71 Managing GSS VIP Answers This section describes how to manage GSS VIP answers. In a GSS network, the term answers refers to resources that respond to content queries. When you create an answer using the primary Global Site Selector Manager (PGSSM), you are simply identifying a resource on your GSS network to which queries can be directed and that can provide your user’s D-proxy with the address of a valid host to serve their request. Virtual IP (VIP) addresses associated with an SLB such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, or a Web server are types of answers that are specified in the ANM user interface in the GSS VIP Answers table found in ANM under Configuration > Operations. Use this procedure to poll, activate, or suspend GSS VIP answers. Prerequisites Make sure that you have established GSS VIP answers using the PGSSM. Procedure Step 1 Choose Config > Operations > GSS VIP Answers. The GSS Answers table appears. For a list of fields available, see Table 7-21. Table 7-21 GSS Answer Table Field Description Multiple Row Selection Checkbox Check box that selects all entries at the same time, or you can check line items individually. IP Address VIP answer IP address. Name VIP answer name. Config State VIP answer configured status. PGSSM Oper State Operational status as shown on the primary GSS manager (PGSSM). Answer Group Answer group names to which the VIP answer belong. Location Logical groupings for GSS resources that correspond to geographical entities such as a city, data center, or content site. Device Primary GSS device name on ANM. PGSSM Time Last operational status update time on the primary GSS. 7-74 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers Step 2 (Optional) To display only the answers of a specific GSS VIP Answer group, do the following: a. Click the Groups icon located above the DNS Rules table. The Groups menu appears below the icon (see Figure 7-1). b. From the Groups menu, choose the group to display. Step 3 In the GSS Answers table, check the check boxes to the left of the answers that you want to poll, activate, or suspend. Step 4 Do one of the following: • Click Active/Suspended hyperlink to view the VIP answer details across the GSS node(s). A popup window appears listing all nodes associated with the VIP, operational state, hit count, and timestamp for each node. • Click Poll Now to query the chosen resource to verify it is still active. Note If you click Poll Now immediately after you click Activate or Suspend, you might not get the VIP answer operational status on the PGSSM that reflects your most recent configuration. It might be necessary to click Poll Now two or three times in succession to get an accurate result. The ability of Cisco License Manager to update the VIP answer operational status and statistics accurately in detailed GSS statistics window might depend on the polling interval that has been configured on the GSS. The polling interval can be configured directly on the GSS device. (The default is 5 minutes.) Depending on the interval, it can take 5 minutes or more for the ANM server to show an accurate result. • Click Activate to reactivate a GSS answer. • Click Suspend to temporarily stop the GSS from using an associated answer. If you clicked Activate or Suspend, a dialog box prompts for a Reason. Acceptable text consists of any characters or nothing at all. Step 5 Do one of the following: • Click Deploy Now to complete Activation or Suspension. • Click Cancel to cancel the Activation or Suspension operation. Related Topics • Managing GSS VIP Answer and DNS Rule Groups, page 7-76 • Information About Load Balancing, page 7-1 • Activating and Suspending DNS Rules Governing GSS Load Balancing, page 7-75 7-75 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers Activating and Suspending DNS Rules Governing GSS Load Balancing You can activate or suspend DNS rules associated with your GSS VIP answers table. The DNS rules table in Configuration > Operations navigation tree specifies actions for the GSS to take when it receives a request from a known source (a member of a source address list) for a known hosted domain (a member of a domain list). The DNS rule specifies which response (answer) is given to the requesting user’s local DNS host (D-proxy) and how that answer is chosen. One of a variety of balance methods is used to determine the best response to the request, based on the status and load of the GSS host devices. Prerequisites Make sure that you have established GSS VIP answers and DNS rules using the PGSSM. Procedure Step 1 Choose Config > Operations > DNS Rules. The DNS Rules table appears. For a list of fields available, see Table 7-22. Step 2 (Optional) To display only the rules of a specific DNS Rules group, do the following: a. Click the Groups icon located above the DNS Rules table. The Groups menu appears below the icon (see Figure 7-1). b. From the Groups menu, choose the group to display. Step 3 In the DNS Rules table, check the checkbox to the left of the rules that you want to activate or suspend. Step 4 Click the Activate or Suspend button. A dialog box prompts for a Reason. Acceptable text consists of any characters or none at all. Step 5 Do one of the following: • Click Deploy Now to complete Activation or Suspension. Table 7-22 DNS Rules Table Field Description Multiple Row Selection Checkbox Check box that selects all entries at the same time, or you can check line items individually. Name Name of the DNS rule. Source Address Collection of IP addresses or address blocks for known client DNS proxies (or D-proxies). Domains Domain list name containing one or more domain names that point to content for which the GSS is acting as the authoritative DNS server and for which you wish to use the GSS technology to balance traffic and user requests. Config State DNS rules configured status, either Active or Suspended. Answer Group Lists of GSS resources that are candidates to respond to DNS queries received from a user for a hosted domain. Owner Owner names, providing a simple way to organize and identify groups of related GSS resources. Device Primary GSS device name on ANM. PGSSM Time Last operational status update time on the GSS. 7-76 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers • Click Cancel to cancel the Activation or Suspension operation. Related Topics • Managing GSS VIP Answer and DNS Rule Groups, page 7-76 • Information About Load Balancing, page 7-1 • Managing GSS VIP Answers, page 7-73 Managing GSS VIP Answer and DNS Rule Groups This section describes how to organize GSS VIP answers or DNS rules into groups, which allows you to display and manage a specific group of VIP answers or DNS rules without having to filter the display. When creating a group, you specify whether the group is available to just you or is available globally to all ANM users. The GSS object grouping feature is available from the following operations windows: • Answer VIPs (Config > Operations > GSS VIP Answers) • DNS Rules (Config > Operations > GSS DNS Rules) These windows contain the Groups option for managing object groups. Figure 7-2 shows the Groups icon with the following available options for managing object groups: • Create New Group—Adds a new group. • Edit Group—Modifies an existing group. This option displays only after you select a group to display in Group mode. • Exit Group Mode—Changes the display from the Group mode display to the display of all VIP answers or DNS rules. This option displays only after you select a group and the display enters the Group mode. • Saved Groups—Lists the currently configured groups with each group’s privilege level (local or global) and owner. From this view, you can choose a group to display or delete a group. Figure 7-2 Object Grouping for GSS VIP Answers and DNS Rules Guidelines and Restrictions Object grouping guidelines and restrictions are as follows: • When you create a global group, other users can see the group if they have access to at least one object within the group. This rule does not apply to the admin user or a user with the anm-admin role because they have visibility to all global groups. 7-77 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers • To edit or delete a group, you must be the group owner, a user with the anm-admin role, or the admin user. • When you delete a locally authenticated user from the ANM database, ANM deletes all the global and user-specific groups that the user created. However, when you delete a remotely authorized user from the remote AAA server database, ANM does not delete the groups that the user created. In this case, you must manually delete the user’s groups. This section includes the following topics: • Creating a VIP Answer or DNS Rule Group, page 7-77 • Editing or Copying a VIP Answer or DNS Rule Group, page 7-78 • Displaying a VIP Answer or DNS Rule Group, page 7-79 • Deleting a VIP Answer or DNS Rule Group, page 7-80 Creating a VIP Answer or DNS Rule Group You can create a GSS answer VIP or DNS rule group. Procedure Step 1 Choose one of the following depending on the group type that you want to create: • Config > Operations > GSS VIP Answers. • Config > Operations > GSS DNS Rules Depending on your choice, either the Answer VIPs or DNS Rules object table appears. Step 2 Click the Groups icon located above the objects table. The Groups menu appears below the icon (see Figure 7-2). Step 3 From the Groups menu, choose Create New Group. The display enters the edit mode and the Creating a New Group table appears with the list of the available GSS VIP answer or DNS rule objects. Step 4 From the Creating a New Group table, check the check box next to the GSS objects that you want to include in the group. Step 5 (Optional) Check the Hide unselected check box to display only the GSS objects that you have chosen. Uncheck the check box to display all the available GSS objects. Step 6 Do one of the following: • Click Save as to save the group information. The Create Group popup window appears. From the popup window, do the following: a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters. Special characters and spaces are allowed. b. Choose the availability of the group by clicking one of the following radio buttons: – This user only (local)—Only you can view, modify, or delete the group. – All users (global)—All ANM users can view the group if they have permission to view at least one of the GSS objects associated with the group. A user with the admin or anm-admin can view all groups and can also edit or delete any group. c. Do one of the following: 7-78 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers – Click Save to save the group information. The Create Group popup window closes and the Viewing Group table appears, displaying the new group’s name and associated objects. To exit Group mode and return to the Real Servers table, click the Groups icon and click Exit Group Mode from the Groups menu. – Click Cancel to close the Create Group popup window without saving any information and to return to the Creating a New Group table. • Click Back to View to exit the Group display mode and return to the objects table Related Topics • Managing GSS VIP Answer and DNS Rule Groups, page 7-76 • Editing or Copying a VIP Answer or DNS Rule Group, page 7-78 • Displaying a VIP Answer or DNS Rule Group, page 7-79 • Deleting a VIP Answer or DNS Rule Group, page 7-80 • Managing GSS VIP Answers, page 7-73 • Activating and Suspending DNS Rules Governing GSS Load Balancing, page 7-75 Editing or Copying a VIP Answer or DNS Rule Group You can edit a GSS VIP answer or DNS rule group or create a copy of a group under a different name. Procedure Step 1 Choose one of the following depending on the group type that you want to edit or copy: • Config > Operations > GSS VIP Answers. • Config > Operations > GSS DNS Rules Depending on your choice, either the Answer VIPs or DNS Rules object table appears. Step 2 Click the Groups icon located above the objects table. The Groups menu appears below the icon (see Figure 7-2). Step 3 From the Groups menu, choose the group that you want to edit. The Viewing Group table appears, displaying the selected group’s name and associated GSS VIP answer or DNS rule objects. Step 4 Click the Groups icon again and from the Groups menu, choose Edit Group. The Editing Group table appears, displaying the complete list of available objects with the objects currently associated with the group highlighted and checked. Step 5 Modify the group as needed by adding (check) or removing (uncheck) objects as needed. Skip this step if you only want to save a copy of the current group under a different name. Step 6 Do one of the following: • Click Save to save the changes and return to the Viewing Group table, where you can view the changes. • Click Save as to save the configuration under a new group name. The Create Group popup window appears. 7-79 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers From the popup window, do the following: a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters. Special characters and spaces are allowed. b. Choose the availability of the group by clicking one of the following radio buttons: – This user only (local)—Only you can view, modify, or delete the group. – All users (global)—All ANM users can view the group if they have permission to view at least one of the real servers associated with the group. The admin user or a user with the anm-admin role can view all global groups and can also edit or delete these groups. c. Do one of the following: – Click Save to save the group information. The Create Group popup window closes and the Viewing Group table appears, displaying the new group’s name and associated objects. – Click Cancel to close the Create Group popup window without saving any information and to return to the Creating a New Group table. Click Back to View to exit the edit mode and return to the Group mode. Step 7 (Optional) To exit Group mode and return to the GSS objects table, click the Groups icon and click Exit Group Mode from the Groups menu. Related Topics • Managing GSS VIP Answer and DNS Rule Groups, page 7-76 • Creating a VIP Answer or DNS Rule Group, page 7-77 • Displaying a VIP Answer or DNS Rule Group, page 7-79 • Deleting a VIP Answer or DNS Rule Group, page 7-80 • Managing GSS VIP Answers, page 7-73 • Activating and Suspending DNS Rules Governing GSS Load Balancing, page 7-75 Displaying a VIP Answer or DNS Rule Group You can display the list of GSS objects associated with a VIP answer or DNS rule group. Procedure Step 1 Choose one of the following depending on the group type that you want to edit or copy: • Config > Operations > GSS VIP Answers. • Config > Operations > GSS DNS Rules Depending on your choice, either the Answer VIPs or DNS Rules object table appears. Step 2 Click the Groups icon located above the objects table. The Groups menu appears below the icon (see Figure 7-2). Step 3 From the Groups menu, choose the group that you want to display. The Viewing Group table appears, displaying the selected group’s name and associated objects. 7-80 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers Step 4 (Optional) To exit Group mode and return to the GSS objects table, click the Groups icon and click Exit Group Mode from the Groups menu. Related Topics • Managing GSS VIP Answer and DNS Rule Groups, page 7-76 • Creating a VIP Answer or DNS Rule Group, page 7-77 • Editing or Copying a VIP Answer or DNS Rule Group, page 7-78 • Deleting a VIP Answer or DNS Rule Group, page 7-80 • Managing GSS VIP Answers, page 7-73 • Activating and Suspending DNS Rules Governing GSS Load Balancing, page 7-75 Deleting a VIP Answer or DNS Rule Group You can delete a GSS VIP answer or DNS rule group. Deleting a group does not delete the group’s associated objects from the ANM database. Procedure Step 1 Choose one of the following depending on the group type that you want to edit or copy: • Config > Operations > GSS VIP Answers. • Config > Operations > GSS DNS Rules Depending on your choice, either the Answer VIPs or DNS Rules object table appears. Step 2 Click the Groups icon located above the objects table. The Groups menu appears below the icon (see Figure 7-2). Step 3 From the Groups menu, click X (delete) next to the group that you want to delete. The Delete Group confirmation popup window appears. Step 4 From the Delete Group confirmation popup window, do one of the following: • Click Delete to remove the selected group. • Click Cancel to ignore the deletion request. Related Topics • Managing GSS VIP Answer and DNS Rule Groups, page 7-76 • Creating a VIP Answer or DNS Rule Group, page 7-77 • Editing or Copying a VIP Answer or DNS Rule Group, page 7-78 • Displaying a VIP Answer or DNS Rule Group, page 7-79 • Activating and Suspending DNS Rules Governing GSS Load Balancing, page 7-75 7-81 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers Displaying Detailed Virtual Server Information You can display detailed information about the state of a virtual server. Procedure Step 1 Choose Config > Operations > Virtual Servers. The Virtual Servers table appears. Step 2 (Optional) To display only the virtual servers of a specific virtual server group, do the following: a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1). b. From the Groups menu, choose the group to display. Step 3 In the Virtual Servers table, choose the virtual server whose configuration details that you want to display. Click the hyperlinked entry for that virtual server that appears in the Operational State column. The Details window appears with the following information: • Current operational status • Description, if one was entered • Configured interfaces, such as VLANs • Configured service policies including: – Configured class maps, detailed by type (such as load balancing or inspection) – States of configured options, indicated by word (ACTIVE, DISABLED, OUTOFSERVICE) and color (green, orange/yellow, and red) – Associated policy maps with details on their type and action (L7 loadbalance, serverfarm) – Statistics regarding connections and counts Related Topics • Configuring Virtual Servers, page 7-2 • Displaying Virtual Servers by Context, page 7-65 • Displaying Virtual Server Statistics and Status Information, page 7-65 • Managing Virtual Servers, page 7-66 Displaying Virtual Servers You can display all virtual servers. Procedure Step 1 Choose Config > Operations > Virtual Servers. The Virtual Servers table appears. Table 7-23 describes the Virtual Servers table information. 7-82 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers Table 7-23 Virtual Server Table Fields Item Description Name Server farm name sorted by virtual context. Policy Map Associated policy map. IP Address:Protocol:Port Server farm IP address, protocol, and port used for communications. HA Indicators that display when the virtual server is part of a high availability pair. The indicators are as follows: • Asterisk (*)—The virtual server is associated with an HA pair and the HA configuration is complete. • Red dash (-)—The virtual server is associated with an HA pair; however, the HA configuration is incomplete. Typically, the HA pair are not properly configured for HA or only one of the devices has been imported into ANM. Ensure that both devices are imported into ANM and that they are configured as described in the “Configuring ACE High Availability” section on page 13-14. The table displays HA pair virtual servers together in the same row and they remain together no matter how you sort the information. SLB Device Associated ACE IP address and context. Admin Administrative state of the virtual server: Up or Down. Note For a CSM device, the virtual server Admin State is derived from the Operational State. In this case, the Operational State may display an Out of Service condition when the virtual server is configured to be Inservice (if all of the real servers are out of service). Oper Operational state of the virtual server: Up or Down. (ACE devices only) To display detailed information about the virtual server in a popup window, click the linked state value in this column. For more information about this popup window, see the “Displaying Virtual Server Statistics and Status Information” section on page 7-65. Note The display virtual server details feature requires ACE module software Version A2(1.2), ACE appliance software Version A3(2.1), or later versions of either software. An error displays with earlier software versions. DWS Operating state of Dynamic Workload Scaling for the virtual server, which can be: • N/A—Not applicable; the server farms associated with the virtual server are not configured to use Dynamic Workload Scaling. • Local—At least one server farm associated the virtual server is configured to use Dynamic Workload Scaling, but the ACE is sending traffic to the VM Controller’s local VMs only. • Expanded—At least one server farm associated the virtual server is configured to use Dynamic Workload Scaling and the ACE is sending traffic to the VM Controller’s local and remote VMs. 7-83 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers You can activate or suspend virtual servers from this table and obtain additional information about the state of the virtual server. Step 2 (Optional) Use the display toggle button ( ) located above the table to control which virtual servers ANM displays as follows: • Show ANM recognized Virtual Servers—Displays only virtual servers that match ANM’s virtual server definition (see the “Virtual Server Configuration and ANM” section on page 7-2). • Show all Virtual Servers—Displays virtual servers that match ANM’s virtual server definition and those that do not match this definition but that ANM can recognize as virtual servers using SNMP polling. Note The display toggle button displays only when you have the “Display All Virtual Servers in Monitoring & Operations page” advanced setting feature enabled (see the “Managing the Display of Virtual Servers in the Operations and Monitoring Windows” section on page 18-66). Step 3 (Optional) To display only the virtual servers of a specific virtual server group, do the following: a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1). b. From the Groups menu, choose the group to display. You can activate or suspend virtual servers from this table and obtain additional information about the state of the virtual server. Related Topics • Activating Virtual Servers, page 7-71 • Suspending Virtual Servers, page 7-72 Conn Number of active connections. Note This column is populated for ACE appliances. For ACE devices, the Active Connections column displays N/A for older versions of the ACE appliance and module. Stat Age Age of the statistical information. Serverfarms Associated server farms. Note If you have the Details popup window feature enabled, click the value in this column to open the Details popup window and display detailed information about the server farm. By default, this feature is disabled. For information about enabling or disabling this feature, see the “Enabling the ACE Server Farm Details Popup Window Option for Virtual Servers” section on page 18-65. VLANs Associated VLANs. Table 7-23 Virtual Server Table Fields (continued) Item Description 7-84 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers • Managing Virtual Server Groups, page 7-67 • Displaying Detailed Virtual Server Information, page 7-81 • Displaying Virtual Server Statistics and Status Information, page 7-65 • Displaying Virtual Servers by Context, page 7-65 Using the Virtual Server Connection Statistics Graph You can display real time and historical statistical information about the connections of a virtual server. ANM displays the information in graph or chart form. This feature also allows you to compare similar connection information across multiple virtual servers. Procedure Step 1 Choose Config > Operations > Virtual Servers. The Virtual Servers table appears. You can activate or suspend virtual servers from this table and obtain additional information about the state of the virtual server. Step 2 (Optional) To display only the virtual servers of a specific virtual server group, do the following: a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1). b. From the Groups menu, choose the group to display. Step 3 In the Virtual Servers table, check the check box next to server whose connection information you want to display, and click Graph. You can choose up to four virtual servers if you want to compare statistical data. The Virtual Server Graph window appears, displaying the default graph for each selected virtual server. For details about using the graph feature, see the “Configuring Historical Trend and Real Time Graphs for Devices” section on page 17-48. Step 4 Click Exit to return to the Virtual Server widow. Related Topics • Configuring Historical Trend and Real Time Graphs for Devices, page 17-48 • Activating Virtual Servers, page 7-71 • Suspending Virtual Servers, page 7-72 • Managing Virtual Server Groups, page 7-67 • Displaying Detailed Virtual Server Information, page 7-81 • Displaying Virtual Servers, page 7-81 • Using the Virtual Server Topology Map, page 7-85 • Displaying Virtual Server Statistics and Status Information, page 7-65 • Displaying Virtual Servers by Context, page 7-65 7-85 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Managing Virtual Servers Using the Virtual Server Topology Map You can display the nodes on your network based on the virtual server that you select. Procedure Step 1 Choose Config > Operations > Virtual Servers. The Virtual Servers table appears. Step 2 (Optional) To display only the virtual servers of a specific virtual server group, do the following: a. Click the Groups icon located above the Virtual Servers table. The Groups menu appears below the icon (see Figure 7-1). b. From the Groups menu, choose the group to display. Step 3 Use the display toggle button ( ) to ensure that the Virtual Servers table is set to Show ANM Recognized Virtual Servers. Note The topology map feature is not available when the Virtual Server table is set to Show All Virtual Servers (for more information, see the “Displaying Virtual Servers” section on page 7-81). Step 4 In the Virtual Servers table, choose the server whose topology map you want to display, and click Topology. The ANM Topology map appears. The map includes several tools for navigating the network map and zooming in and out. For details about using the map tools, see the “Displaying Network Topology Maps” section on page 17-68. Step 5 Click Exit to return to the Virtual Server widow. Related Topics • Suspending Virtual Servers, page 7-72 • Managing Virtual Server Groups, page 7-67 • Displaying Detailed Virtual Server Information, page 7-81 • Displaying Virtual Servers, page 7-81 • Using the Virtual Server Connection Statistics Graph, page 7-84 • Displaying Virtual Server Statistics and Status Information, page 7-65 • Displaying Virtual Servers by Context, page 7-65 7-86 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Deploying Virtual Servers Understanding CLI Commands Sent from Virtual Server Table Table 7-24 displays the CLI commands dispatched to the device for a given Virtual Servers table option, and is sorted by device. Deploying Virtual Servers You can deploy virtual servers on your network at times that are convenient and appropriate for your environment. For example, if your site prefers to make changes to the network during a specific time each night, you can modify and save virtual server configurations during the day and then deploy them when appropriate. This section includes the following topics: • Deploying a Virtual Server, page 7-87 • Displaying All Staged Virtual Servers, page 7-87 • Modifying Deployed Virtual Servers, page 7-88 • Modifying Staged Virtual Servers, page 7-88 Table 7-24 CLI Commands Deployed from Virtual Servers Table Command Sample CLI Sent ACE Modules and Appliances Virtual Server Activate policy-map multi-match int25 class VIP3 loadbalance vip inservice Virtual Server Suspend policy-map multi-match int25 class VIP3 no loadbalance vip inservice CSMs Virtual Server Activate vserver APP1 inservice Virtual Server Suspend vserver APP1 no inservice CSS Devices Virtual Server Activate owner hm content LB active Virtual Server Suspend owner hm content LB suspend 7-87 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Deploying Virtual Servers Deploying a Virtual Server You can deploy virtual servers on your network at times that are convenient and appropriate for your environment. For example, if your site prefers to make changes to the network during a specific time each night, you can modify and save virtual server configurations during the day and then deploy them when appropriate. Procedure Step 1 Choose Config > Deploy. The Staged Objects table appears. Step 2 Fro the Staged Objects table, choose the virtual server that you want to deploy on your network, and click Deploy. The virtual server is deployed and the table refreshes with updated information. Related Topics • Configuring Virtual Servers, page 7-2 • Displaying All Staged Virtual Servers, page 7-87 • Modifying Staged Virtual Servers, page 7-88 Displaying All Staged Virtual Servers You can display all objects that have been configured but have not yet been deployed on your network. Procedure Step 1 Do one of the following: • Choose Config > Deploy. The Staged Objects table appears listing the following: – Virtual server name – Device ID and virtual context – Time the virtual server was created – User who last modified the object – Time the object was last updated • Choose Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears. Virtual servers with configurations that have not been deployed appear with the status Not Deployed in the Configured State column. Related Topics • Configuring Virtual Servers, page 7-2 7-88 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Deploying Virtual Servers • Deploying a Virtual Server, page 7-87 • Modifying Staged Virtual Servers, page 7-88 • Modifying Deployed Virtual Servers, page 7-88 Modifying Deployed Virtual Servers You can modify the configuration of a deployed virtual server. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Virtual Servers. The Virtual Servers table appears. Step 2 In the Virtual Servers table, choose the virtual server you want to modify, and click Edit. The Virtual Server configuration window appears. Step 3 In the Virtual Server configuration window, modify the virtual server's configuration as desired. See Table 7-1 for virtual server configuration options. Step 4 When you are done modifying the configuration, do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table. Related Topics • Managing Virtual Servers, page 7-66 • Displaying All Staged Virtual Servers, page 7-87 • Activating Virtual Servers, page 7-71 • Suspending Virtual Servers, page 7-72 Modifying Staged Virtual Servers You can modify the configuration of a staged virtual server. Procedure Step 1 Choose Config > Deploy. The Staged Objects table appears, listing those virtual servers that have not yet been deployed in the network. Step 2 From the Staged Objects table, choose the virtual server you want to modify, and click Edit. The Virtual server configuration window appears. Step 3 In the Virtual server configuration window, modify the virtual server configuration as desired. 7-89 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Deploying Virtual Servers See Table 7-1 for virtual server configuration options. Step 4 When you are done modifying the configuration, do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the Virtual Servers table. • Click Deploy Later to save your entries and apply this configuration at a later time. Related Topics • Deploying a Virtual Server, page 7-87 • Displaying All Staged Virtual Servers, page 7-87 • Activating Virtual Servers, page 7-71 7-90 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 7 Configuring Virtual Servers Deploying Virtual Servers CHAPTER 8-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 8 Configuring Real Servers and Server Farms Date: 3/28/12 This chapter describes how to configure real servers and server farms on the Cisco Application Control Engine (ACE) using Cisco Application Networking Manager (ANM). Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This chapter includes the following sections: • Information About Server Load Balancing, page 8-1 • Configuring Real Servers, page 8-5 • Managing Real Servers, page 8-9 • Configuring Dynamic Workload Scaling, page 8-26 • Configuring Server Farms, page 8-30 • Configuring Health Monitoring, page 8-49 • Configuring Secure KAL-AP, page 8-77 Information About Server Load Balancing Server load balancing (SLB) is the process of deciding to which server a load-balancing device should send a client request for service. For example, a client request can consist of an HTTP GET for a Web page or an FTP GET to download a file. The job of the load balancer is to select the server that can successfully fulfill the client request and do so in the shortest amount of time without overloading either the server or the server farm as a whole. 8-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Information About Server Load Balancing Depending on the load-balancing algorithm or predictor that you configure, the ACE performs a series of checks and calculations to determine the server that can best service each client request. The ACE bases server selection on several factors, including the server with the fewest connections with respect to load, source or destination address, cookies, URLs, or HTTP headers. ANM allows you to configure load balancing using: • Virtual servers—See Configuring Virtual Servers, page 7-2. • Real servers—See Configuring Real Servers, page 8-5. • Dynamic Workload Scaling—See Configuring Dynamic Workload Scaling, page 8-26. • Server farms—See Configuring Server Farms, page 8-30. • Sticky groups—See Configuring Sticky Groups, page 9-7. • Parameter maps—See Configuring Parameter Maps, page 10-1. For more information about SLB as configured and performed by the ACE, see: • Configuring Virtual Servers, page 7-2 • Load-Balancing Predictors, page 8-2 • Real Servers, page 8-3 • Dynamic Workload Scaling Overview, page 8-4 • Server Farms, page 8-5 • Configuring Health Monitoring, page 8-49 • TCL Scripts, page 8-50 • Configuring Stickiness, page 9-1 This section includes the following topics: – Load-Balancing Predictors, page 8-2 – Real Servers, page 8-3 – Server Farms, page 8-5 Load-Balancing Predictors The ACE uses the following predictors to select the best server to satisfy a client request: • Hash Address—Selects the server using a hash value based on either the source or destination IP address, or both. Use these predictors for firewall load balancing (FWLB). Note FWLB allows you to scale firewall protection by distributing traffic across multiple firewalls on a per-connection basis. All packets belonging to a particular connection must go through the same firewall. The firewall then allows or denies transmission of individual packets across its interfaces. For more information about configuring FWLB on the ACE, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide. • Hash Content— Selects the server by using a hash value based on the specified content string of the HTTP packet body • Hash Cookie—Selects the server using a hash value based on a cookie name. • Hash Header—Selects the server using a hash value based on the HTTP header name. 8-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Information About Server Load Balancing • Hash Layer4—Selects the server using a Layer 4 generic protocol load-balancing method. • Hash URL—Selects the server using a hash value based on the requested URL. You can specify a beginning pattern and an ending pattern to match in the URL. Use this predictor method to load-balance cache servers. Cache servers perform better with the URL hash method because you can divide the contents of the caches evenly if the traffic is random enough. In a redundant configuration, the cache servers continue to work even if the active ACE switches over to the standby ACE. For information about configuring redundancy, see the “Configuring High Availability” section on page 13-1. • Least Bandwidth—Selects the server with the least amount of network traffic or a specified sampling period. Use this type for server farms with heavy traffic, such as downloading video clips. • Least Connections—Selects the server with the fewest number of active connections based on server weight. For the least connection predictor, you can configure a slow-start mechanism to avoid sending a high rate of new connections to servers that you have just put into service. • Least Loaded—Selects the server with the lowest load as determined by information from SNMP probes. • Response—Selects the server with the lowest response time for a specific response-time measurement. • Round Robin—Selects the next server in the list of real servers based on server weight (weighted roundrobin). Servers with a higher weight value receive a higher percentage of the connections. This is the default predictor. Note The different hash predictor methods do not recognize the weight value that you configure for real servers. The ACE uses the weight that you assign to real servers only in the round-robin and least-connections predictor methods. Related Topics Configuring the Predictor Method for Server Farms, page 8-39 Real Servers To provide services to clients, you configure real servers on the ACE. Real servers can be dedicated physical servers or VMware virtual machines (VMs) that you configure in groups called server farms. Note VMs that you define as real servers can be VMs associated with a VMware vCenter Server that you import into ANM (see the “Importing VMware vCenter Servers” section on page 5-24) and VMs that the ACE recognizes when configured for Dynamic Workload Scaling (see the “Configuring Dynamic Workload Scaling” section on page 8-26). Real servers provide client services such as HTTP or XML content, website hosting, FTP file uploads or downloads, redirection for web pages that have moved to another location, and so on. You identify real servers with names and characterize them with IP addresses, connection limits, and weight values. The ACE also allows you to configure backup servers in case a server is taken out of service for any reason. After you create and name a real server on the ACE, you can configure several parameters, including connection limits, health probes, and weight. You can assign a weight to each real server based on its relative importance to other servers in the server farm. The ACE uses the server weight value for the 8-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Information About Server Load Balancing weighted round-robin and the least-connections load-balancing predictors. The load-balancing predictor algorithms (for example, roundrobin, least connections, and so on) determine the servers to which the ACE sends connection requests. For a listing and brief description of the load-balancing predictors, see the “Load-Balancing Predictors” section on page 8-2. The ACE uses traffic classification maps (class maps) within policy maps to identify traffic that meets defined criteria and to apply specific actions to that traffic based on the SLB configuration. If a primary real server fails, the ACE takes that server out of service and no longer includes it in load-balancing decisions. If you configured a backup server for the real server that failed, the ACE redirects the primary real server connections to the backup server. For information about configuring a backup server, see the “Configuring Virtual Server Layer 7 Load Balancing” section on page 7-30. The ACE can take a real server out of service for the following reasons: • Probe failure • ARP timeout • Neighbor Discovery (ND) failure (IPv6 only, which requires ACE module and ACE appliance software Version A5(1.0) or later) • Specifying Out Of Service as the administrative state of a real server • Specifying Inservice Standby as the administrative state of a real server The Out Of Service and Inservice Standby selections both provide the graceful shutdown of a server. Related Topics • Configuring Real Servers, page 8-5 • Configuring Health Monitoring for Real Servers, page 8-51 Dynamic Workload Scaling Overview Note Dynamic Workload Scaling requires ACE module or appliance software Version A4(2.0) or later and a pair of the Cisco Nexus 7000 Series switches with Overlay Transport Virtualization (OTV) technology. The ACE Dynamic Workload Scaling (DWS) feature permits on-demand access to remote resources, such as VMs, that you own or lease from an Internet service provider or cloud service provider. This feature uses Cisco Nexus 7000 Series switches with OTV to create a Data Center Interconnect (DCI) on a Layer 2 link over an existing IP network between geographically distributed data centers (see Figure 1-1). The local data center Cisco Nexus 7000 Series switch contains an OTV forwarding table that lists the MAC addresses of the Layer 2 extended virtual private network (VPN) and identifies the addresses as either local or remote. When you configure the ACE for DWS, the ACE uses an XML query to poll the Cisco Nexus 7000 Series switch and obtain the OTV forwarding table information to determine the locality of the VMs (local or remote). The ACE also uses a health monitor probe that it sends to the local VMware vCenter Server to monitor the load of the local VMs based on CPU usage, memory usage, or both. When the average CPU and/or memory usage of the local VMs reaches its configured maximum threshold value, the ACE bursts traffic to the remote VMs. The ACE stops bursting traffic to the remote VMs when local VM usage drops below its configured minimum threshold value. 8-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Real Servers To use DWS, you configure the ACE to connect to the Data Center Interconnect device (Cisco Nexus 7000 Series switch) and the VMware Controller associated with the local and remote VMs. You also configure the ACE with the probe type VM to monitor a server farm’s local VM CPU and memory usage, which determines when the ACE bursts traffic to the remote VMs (see the “Configuring Dynamic Workload Scaling” section on page 8-26). For more details on this feature, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide. Server Farms Typically, in data centers, servers are organized into related groups called server farms. Servers within server farms often contain identical content (referred to as mirrored content) so that if one server becomes inoperative, another server can take its place immediately. Also, having mirrored content allows several servers to share the load of increased demand during important local or international events, such as the Olympic Games. This phenomenon of a sudden large demand for content is called a flash crowd. After you create and name a server farm, you can add existing real servers to it and configure other server farm parameters, such as the load-balancing predictor, server weight, backup server, health probe, and so on. For a listing and brief description of load-balancing predictors, see the “Load-Balancing Predictors” section on page 8-2. Related Topics Configuring Server Farms, page 8-30 Configuring Real Servers Real servers are dedicated physical servers that are typically configured in groups called server farms. These servers provide services to clients, such as HTTP or XML content, streaming media (video or audio), TFTP or FTP services, and so on. When configuring real servers, you assign names to them and specify IP addresses, connection limits, and weight values. The ACE uses traffic classification maps (class maps) within policy maps to filter specified traffic and to apply specific actions to that traffic based on the load-balancing configuration. A load-balancing predictor algorithm (such as round-robin or least connections) determines the servers to which the ACE sends connection requests. For information about configuring class maps, see the “Configuring Virtual Context Class Maps” section on page 14-6. This section includes the following topics: • Configuring Load Balancing on Real Servers, page 8-6 • Displaying Real Server Statistics and Status Information, page 8-9 8-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Real Servers Configuring Load Balancing on Real Servers You can configure load balancing on real servers. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Real Servers. The Real Servers table appears. Step 2 In the Real Servers table, click Poll Now to instruct ANM to poll the devices and display the current values, and click OK when prompted if you want to poll the devices for data now. Step 3 Click Add to add a new real server, or choose a real server you want to modify and click Edit. The Real Servers configuration window appears. Step 4 In the Real Servers configuration window, configure the server using the information in Table 8-1. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Table 8-1 Real Server Attributes Field Description Name Field that allows you to either enter a unique name for this server or accept the automatically incremented value in this field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. Type Type of server: • Host—The real server provides content and services to clients. • Redirect—The server redirects traffic to a new location. State State of the real server: • In Service—The real server is in service. • Out Of Service—The real server is out of service. Description Brief description for this real server. Valid entries are strings of up to 240 characters. Spaces and special characters are allowed. IP Address Type Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. These selections appear only for real servers specified as hosts. Select the IP address type of this real server: • IPv6—The real server has an IPv6 address. • IPv4—The real server has an IPv4 address. IPv6/IPv4 Address For ACE module and ACE appliance software versions earlier than A5(1.0), this field does not include the IP version number. This field appears for only real servers specified as hosts. Enter a unique IP address as indicated by the IP Address Type field. The IP address cannot be of an existing virtual IP address (VIP), real server or interface in the context. 8-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Real Servers Fail-On-All Field that appears only for real servers identified as host servers. By default, real servers with multiple probes configured for them have an OR logic associated with them, which means that if one of the real server probes fails, the real server fails and enters the PROBE-FAILED state. Check this checkbox to configure a real server to remain in the OPERATIONAL state unless all probes associated with it fail (AND logic). The Fail-On-All function is applicable to all probe types. Min. Connections Minimum number of connections to be allowed on this server before the ACE starts sending connections again after it has exceeded the Max. Connections limit. This value must be less than or equal to the Max. Connections value. By default, this value is equal to the Max. Connections value. Valid entries are from 2 to 4000000. Max. Connections Maximum number of active connections allowed on this server. When the number of connections exceeds this value, the ACE stops sending connections to this server until the number of connections falls below the Min. Connections value. Valid entries are from 2 to 4000000, and the default is 4000000. Weight Field that appears only for real servers identified as hosts. Enter the weight to be assigned to this real server in a server farm. Valid entries are from 1 to 100, and the default is 8. Probes Field that appears only as follows: • For all host real servers. The Available probe list contains all configured probe types. • For redirect real servers configured on ACE devices that use the following software versions: – ACE module: A2(3.x) and later releases – ACE appliance: A3(x) and later releases The redirect real server Available probe list contains only configured probes of the type Is Routed, which means that the ACE routes the probe address according to the ACE internal routing table (see the “Configuring Health Monitoring for Real Servers” section on page 8-51). In the Probes field, choose the probes to use for health monitoring in the Available Items list, and click Add. The probes appear in the Selected Items list. Note The probe must have the same IP address type (IPv6 or IPv4) as the real server. For example, you cannot configure an IPv6 probe to an IPv4 real server. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Note The list of available probes does not include VM probes used to monitor local VM usage. To remove probes that you do not want to use for health monitoring, choose them in the Selected Items list, and click Remove. The probes appear in the Available probe list. Table 8-1 Real Server Attributes (continued) Field Description 8-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Real Servers Step 5 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Real Servers table. • Click Next to deploy your entries and to configure another real server. Step 6 To display statistics and status information for an existing real server, choose a real server from the Real Servers table, then click Details. The show rserver name detail CLI command output appears. See the “Displaying Real Server Statistics and Status Information” section on page 8-9 for details. Related Topics • Managing Real Servers, page 8-9 • Configuring Health Monitoring for Real Servers, page 8-51 • Configuring Server Farms, page 8-30 Web Host Redirection URL string used to redirect requests to another server. This field appears only for real servers identified as redirect servers. Enter the URL and port used to redirect requests to another server. Valid entries are in the form http://host.com:port where host is the name of the server and port is the port to be used. Valid host entries are unquoted text strings with no spaces and a maximum of 255 characters. Valid port numbers are from 1 to 65535. The relocation string supports the following special characters: • %h—Inserts the hostname from the request Host header • %p—Inserts the URL path string from the request Redirection Code Field that appears only for real servers identified as redirect servers. Choose the appropriate redirection code: • N/A—Webhost redirection code is not defined. • 301—Requested resource has been moved permanently. For future references to this resource, the client should use one of the returned URIs. • 302—Requested resource has been found, but has been moved temporarily to another location. For future references to this resource, the client should use the request URI because the resource may be moved to other locations from time to time. Rate Bandwidth Bandwidth rate is the number of bytes per second and applies to the network traffic exchanged between the ACE and the real server in both directions. Specify the real server bandwidth limit in bytes per second. Valid entries are from 2 to 300000000. The default is 300000000. Rate Connection Connection rate is the number of connections per second received by the ACE and applies only to new connections destined to a real server. Specify the limit for connections per second. Valid entries are from 2 to 350000. The default is 350000. Table 8-1 Real Server Attributes (continued) Field Description 8-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers • Configuring Sticky Groups, page 9-7 Displaying Real Server Statistics and Status Information You can display statistics and status information for a particular real server. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Real Servers. The Real Servers table appears. Step 2 In the Real Servers table, choose a real server from the Real Servers table, and click Details. The show rserver name detail CLI command output appears. For details on the displayed output fields, see either the Cisco ACE Module Server Load-Balancing Configuration Guide or the Cisco ACE 4700 Series Appliance Server Load-Balancing Configuration Guide, Chapter 2, Configuring Real Servers and Server Farms. Step 3 Click Update Details to refresh the output for the show rserver name detail CLI command. The new information appears in a separate panel with a new timestamp; both the old and the new real server statistics and status information appear side-by-side to avoid overwriting the last updated information. Step 4 Click Close to return to the Real Servers table. Related Topics • Configuring Real Servers, page 8-5 • Managing Real Servers, page 8-9 • Displaying Real Servers, page 8-18 Managing Real Servers This section shows how to display and manage the real servers from the Real Servers window (Config > Operations > Real Servers). This window provides you with information about each real server configured on ANM (see the “Displaying Real Servers” section on page 8-18) and provides access to function buttons that allow you to perform tasks such as activate or suspend a real server, display a real server topology map, or display connection statistics graphs. Guidelines and Restrictions The Real Servers window contains a Rows per page option that includes an All setting for displaying all configured real servers in one window. Use the All setting for viewing purposes only. ANM does not allow you to perform any operation from this window if you have more than 200 real servers selected. For example, if you use the All option to display and select more than 200 real servers and then attempt to perform the suspend operation, ANM cancels the request and displays an error message. This section includes the following topics: • Managing Real Server Groups, page 8-10 • Activating Real Servers, page 8-14 • Suspending Real Servers, page 8-15 8-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers • Modifying Real Server Weight Value, page 8-17 • Displaying Real Servers, page 8-18 • Using the Real Server Connection Statistics Graph, page 8-22 • Using the Real Server Topology Map, page 8-23 • CLI Commands Sent from the Real Server Table, page 8-23 • Server Weight Ranges, page 8-25 Managing Real Server Groups This section describes how to organize real servers into groups, which allows you to display and manage a specific group of real servers without having to filter the real server display. When creating a group, you specify whether the group is available to just you or is available globally to all ANM users. The real server group feature is available from the real servers operations window (Config > Operations > Real Servers), which contains the Groups option for managing object groups. Figure 8-1 shows the Groups icon with the following available options for managing object groups: • Create New Group—Adds a new group. • Edit Group—Modifies an existing group. This option displays only after you select a group to display in Group mode. • Exit Group Mode—Changes the display from the specific group display to the display of all real servers. This option displays only after you select a group and the display enters the Group mode. • Saved Groups—Lists the currently configured groups with each group’s privilege level (local or global) and owner. From this view, you can choose a group to display or delete a group. Figure 8-1 Object Grouping for Real Servers Guidelines and Restrictions This topic includes the following guidelines and restrictions: • When you create a global group, other users can see the group if they have access to at least one object within the group. This rule does not apply to the admin user or a user with the anm-admin role because they have visibility to all global groups. • To edit or delete a group, you must be the group owner, a user with the anm-admin role, or the admin user. 8-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers • When you delete a locally authenticated user from the ANM database, ANM deletes all the global and user-specific groups that the user created. However, when you delete a remotely authorized user from the remote AAA server database, ANM does not delete the groups that the user created. In this case, you must manually delete the user’s groups. This section includes the following topics: • Creating a Real Server Group, page 8-11 • Editing or Copying a Real Server Group, page 8-12 • Displaying a Real Server Group, page 8-13 • Deleting a Real Server Group, page 8-13 Creating a Real Server Group You can create a real server group. Procedure Step 1 Choose Config > Operations > Real Servers. The Real Servers table appears. Step 2 Click the Groups icon located above the Real Servers table. The Groups menu appears below the icon (see Figure 8-1). Step 3 From the Groups menu, choose Create New Group. The display enters the edit mode and the Creating a New Group table appears with the list of the available real servers. Step 4 From the Creating a New Group table, check the check box next to the real servers that you want to include in the group. Step 5 (Optional) Check the Hide unselected check box to display only the real servers that you have chosen. Uncheck the check box to display all the available real servers. Step 6 Do one of the following: • Click Save as to save the group information. The Create Group popup window appears. From the popup window, do the following: a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters. Special characters and spaces are allowed. b. Choose the availability of the group by clicking one of the following radio buttons: – This user only (local)—Only you can view, modify, or delete the group. – All users (global)—All ANM users can view the group if they have permission to view at least one of the real servers associated with the group. A user with the admin or anm-admin can view all groups and can also edit or delete any group. c. Do one of the following: – Click Save to save the group information. The Create Group popup window closes and the Viewing Group table appears, displaying the new group’s name and associated real servers. To exit Group mode and return to the Real Servers table, click the Groups icon and click Exit Group Mode from the Groups menu. 8-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers – Click Cancel to close the Create Group popup window without saving any information and to return to the Creating a New Group table. • Click Back to View to exit the Group mode and return to the Virtual Servers table. Related Topics • Managing Real Server Groups, page 8-10 • Editing or Copying a Real Server Group, page 8-12 • Displaying a Real Server Group, page 8-13 • Deleting a Real Server Group, page 8-13 Editing or Copying a Real Server Group You can edit a real server group or create a copy of a real server group under a different name. Procedure Step 1 Choose Config > Operations > Real Servers. The Real Servers table appears. Step 2 Click the Groups icon located above the Real Servers table. The Groups menu appears below the icon (see Figure 8-1). Step 3 From the Groups menu, choose the group that you want to edit. The Viewing Group table appears, displaying the selected group’s name and associated real servers. Step 4 Click the Groups icon again and from the Groups menu, choose Edit Group. The Editing Group table appears, displaying the complete list of available real servers with the real servers currently associated with the group highlighted and checked. Step 5 Modify the group as needed by adding (check) or removing (uncheck) real servers as needed. Skip this step if you only want to save a copy of the current group under a different name. Step 6 Do one of the following: • Click Save to save the changes and return to the Viewing Group table, where you can view the changes. • Click Save as to save the configuration under a new group name. The Create Group popup window appears. From the popup window, do the following: a. In the Group Name text box, enter a name for the group. Enter 1 to 64 alphanumeric characters. Special characters and spaces are allowed. b. Choose the availability of the group by clicking one of the following radio buttons: – This user only (local)—Only you can view, modify, or delete the group. – All users (global)—All ANM users can view the group if they have permission view at least one of the real servers associated with the group. The admin user or a user with the anm-admin role can view all global groups and can also edit or delete these groups. c. Do one of the following: 8-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers – Click Save to save the group information. The Create Group popup window closes and the Viewing Group table appears, displaying the new group’s name and associated real servers. – Click Cancel to close the Create Group popup window without saving any information and to return to the Creating a New Group table. Click Back to View to exit the edit mode and return to the Group mode. Step 7 (Optional) To exit Group mode and return to the Real Servers table, click the Groups icon and click Exit Group Mode from the Groups menu. Related Topics • Managing Real Server Groups, page 8-10 • Creating a Real Server Group, page 8-11 • Displaying a Real Server Group, page 8-13 • Deleting a Real Server Group, page 8-13 Displaying a Real Server Group You can display the list of real servers associated with a real server group. Procedure Step 1 Choose Config > Operations > Real Servers. The Real Servers table appears. Step 2 Click the Groups icon located above the Real Servers table. The Groups menu appears below the icon (see Figure 8-1). Step 3 From the Groups menu, choose the group that you want to display. The Viewing Group table appears, displaying the selected group’s name and associated real servers. Step 4 (Optional) To exit Group mode and return to the Real Servers table, click the Groups icon and click Exit Group Mode from the Groups menu. Related Topics • Managing Real Server Groups, page 8-10 • Creating a Real Server Group, page 8-11 • Editing or Copying a Real Server Group, page 8-12 • Deleting a Real Server Group, page 8-13 Deleting a Real Server Group You can delete a real server group. Deleting a real server group does not delete the group’s associated real servers from the ANM database. 8-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers Procedure Step 1 Choose Config > Operations > Real Servers. The Real Servers table appears. Step 2 Click the Groups icon located above the Real Servers table. The Groups menu appears below the icon (see Figure 8-1). Step 3 From the Groups menu, click X (delete) next to the group that you want to delete. The Delete Group confirmation popup window appears. Step 4 From the Delete Group confirmation popup window, do one of the following: • Click Delete to removes the real server group. • Click Cancel to ignore the deletion request. Related Topics • Managing Real Server Groups, page 8-10 • Creating a Real Server Group, page 8-11 • Editing or Copying a Real Server Group, page 8-12 • Displaying a Real Server Group, page 8-13 Activating Real Servers You can activate a real server. Note If you are using the ANM plug-in for vCenter Server to access ANM, see the “Activating Real Servers Using vSphere Client” section on page B-15. Procedure Step 1 Choose Config > Operations > Real Servers. The Real Servers table appears. Step 2 (Optional) To display only the real servers of a specific real server group, do the following: a. Click the Groups icon located above the Real Servers table. The Groups menu appears below the icon (see Figure 8-1). b. From the Groups menu, choose the group to display. Step 3 From the Real Servers table, choose the servers that you want to activate, and click Activate. The Activate Server window appears. Step 4 In the Reason field of the Activate Server window, enter a reason for this action. You might enter a trouble ticket, an order ticket, or a user message. 8-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers Note Do not enter a password in this field. Step 5 Do one of the following: • Click OK to activate the server and to return to the Real Servers table. The server appears in the table with the status Inservice. • Click Cancel to exit this procedure without activating the server and to return to the Real Servers table. Related Topics • Managing Real Servers, page 8-9 • Managing Real Server Groups, page 8-10 • Suspending Real Servers, page 8-15 • Displaying Real Servers, page 8-18 • Using the Real Server Connection Statistics Graph, page 8-22 • Using the Real Server Topology Map, page 8-23 Suspending Real Servers You can suspend a real server. Note If you are using the ANM plug-in for vCenter Server to access ANM, see the “Suspending Real Servers Using vSphere Client” section on page B-16. Procedure Step 1 Choose Config > Operations > Real Servers. The Real Servers table appears. Step 2 (Optional) To display only the real servers of a specific real server group, do the following: a. Click the Groups icon located above the Real Servers table. The Groups menu appears below the icon (see Figure 8-1). b. From the Groups menu, choose the group to display. Step 3 In the Real Servers table, choose the server that you want to suspend, and click Suspend. The Suspend Real Servers window appears. Step 4 In the Reason field of the Suspend Real Servers window, enter the reason for this action. You might enter a trouble ticket, an order ticket, or a user message. Note Do not enter a password in this field. 8-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers Step 5 From the Suspend Real Servers Type drop-down list, choose one of the following: • Graceful—When executed on a primary server, the ACE gracefully shuts down the server with sticky connections as follows: – Tears down existing non-TCP connections to the server – Allows current TCP connections to complete – Allows new sticky connections for existing server connections that match entries in the sticky database – Load balances all new connections (other than the matching sticky connections mentioned above) to the other servers in the server farm When executed on a backup real server, the ACE places the backup server in service standby mode. Note For the CSS, when the device is in the In Service admin state and you perform a graceful suspend operation, ANM saves the last known non-zero service (or real server) weight, and then sets the weight to zero. ANM references the saved weight when performing an Activate operation. If the current weight is zero, and a non-zero weight has been saved for that service (or real server), the Activate operation also sets the weight to the saved value. To allow ANM to save and reset the weight value when gracefully suspending and then activating the CSS, you must have the device configured to permit SNMP traffic. For each device type, see the corresponding configuration guide to configure the device to permit SNMP traffic. When the CSS is in the In Service Standby admin state and you perform a graceful suspend operation, ANM does not set the weight to zero. Note Graceful suspend and suspend options vary by device type. For the commands deployed by the device type when these options are selected, see the “CLI Commands Sent from the Real Server Table” section on page 8-23. • Suspend—The ACE resets all non-TCP connections to the server. For TCP connections, existing flows are allowed to complete before the ACE takes the real server out of service. No new connections are allowed. The ACE resets all Secure Sockets Layer (SSL) connections to the real server. • Suspend and Clear Connections—Performs the tasks described for Suspend and clears the existing connections to this server. Step 6 Do one of the following: • Click Deploy Now to suspend the server and to return to the Real Servers table. The server appears in the table with the status Out Of Service. • Click Cancel to exit this procedure without suspending the server and to return to the Real Servers table. Related Topics • Managing Real Servers, page 8-9 • Managing Real Server Groups, page 8-10 8-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers • Activating Real Servers, page 8-14 • Displaying Real Servers, page 8-18 • Using the Real Server Connection Statistics Graph, page 8-22 • Using the Real Server Topology Map, page 8-23 Modifying Real Server Weight Value You can modify the weight value assigned to a real server that defines the connection capacity of the server in relation to the other real servers. The ACE uses the weight value that you specify for a server in the weighted round-robin and least-connections load-balancing predictors. Servers with a higher configured weight value have a higher priority with respect to connections than servers with a lower weight. For example, a server with a weight of 5 would receive five connections for every one connection for a server with a weight of 1. Note If you are using the ANM plug-in for vCenter Server to access ANM, see the “Modifying Real Server Weight Value Using vSphere Client” section on page B-18. Procedure Step 1 Choose Config > Operations > Real Servers. The Real Servers table appears. Step 2 (Optional) To display only the real servers of a specific real server group, do the following: a. Click the Groups icon located above the Real Servers table. The Groups menu appears below the icon (see Figure 8-1). b. From the Groups menu, choose the group to display. Step 3 In the Real Servers table, choose the servers whose configuration you want to modify, and click Change Weight below the table to the right of Activate and Suspend. The Change Weight Real Servers window appears. Step 4 In the Change Weight Real Servers window, enter the following information for the selected server: • Reason for change such as trouble ticket, order ticket or user message. Note Do not enter a password in this field. • Weight value (for allowable ranges for each device type, see Table 8-5). Step 5 Do one of the following: • Click Deploy Now to accept your entries and to return to the Real Servers table. The server appears in the table with the updated information. • Click Cancel to exit this procedure without saving your entries and to return to the Real Servers table. 8-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers Related Topics • Managing Real Servers, page 8-9 • Managing Real Server Groups, page 8-10 • Activating Real Servers, page 8-14 • Displaying Real Servers, page 8-18 • Using the Real Server Connection Statistics Graph, page 8-22 • Using the Real Server Topology Map, page 8-23 Displaying Real Servers You can display the list of real servers configured on ANM with information specific to each server. Procedure Step 1 Choose Config > Operations > Real Servers. The Real Servers table appears, which contains the information described in Table 8-2. Note In the table, N/A indicates that either the information is not available from the database or that it is not being collected using SNMP. Table 8-2 Real Server Table Fields Item Description Name Real server name. For CSM real servers only, if you have the reverse DNS lookup feature enabled, ANM displays the DNS name of the CSM real server in this field. ANM learns and updates the DNS names during the following operations: • CSM import • CSM CLI synchronization • ANM restart By default, the reverse DNS lookup feature is disabled. You can enable it by modifying the ANM properties file and restarting ANM as follows: a. echo "cisco.anm.enable-csm-dns-lookup=true" >> /opt/CSCOanm/etc/cs-config.properties b. /opt/CSCOanm/bin/anm-tool restart IP address Real server IP address. Port Port used by the real server for communications. 8-19 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers VM Virtual machine indicator that specifies if the real server is a VMware vCenter Server virtual machine (Yes) or is not a virtual machine (–). If the indicator state is Yes, you can click this link to open the Virtual Machine Details popup window to display statistical information about the VM. ANM polls the VM on a regular basis to update the displayed information. Click OK to close the popup window and return to the Real Servers table. Vservers Associated virtual servers. HA Indicators that display when the real server is part of a high availability pair. The indicators are as follows: • Asterisk (*)—The real server is associated with an HA pair and the HA configuration is complete. • Red dash (-)—The real server is associated with an HA pair; however, the HA configuration is incomplete. Typically, the HA pair are not properly configured for HA or only one of the devices has been imported into ANM. Ensure that both devices are imported into ANM and that they are configured as described in the “Configuring ACE High Availability” section on page 13-14. The table displays HA pair real servers together in the same row and they remain together no matter how you sort the information. SLB Device Name of the server load-balancing device. Admin Administrative state of the real server: In Service, Out Of Service, or In Service Standby. Table 8-2 Real Server Table Fields (continued) Item Description 8-20 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers Oper Operational state of the real server. Possible states are as follows: • Failed—Server has failed and is not retried for the amount of time specified by its retry timer. • Inband probe failed—Server has failed the inband Health Probe agent. • Inservice—Server is in use as a destination for server load-balancing client connections. • Inservice standby—Server is the backup real server, which remains inactive unless the primary real server fails. • Operation wait—Server is ready to become operational but is waiting for the associated redirect virtual server to be in service. • Out of service—Server is not in use by a server load balancer as a destination for client connections. • Probe failed—Server load-balancing probe to this server has failed. No new connections are assigned to this server until a probe to this server succeeds. • Probe testing—Server has received a test probe from the server load balancer. • Ready to test —Server has failed and its retry timer has expired; test connections will begin flowing to it soon. • Return code failed—Server has been disabled because it returned an HTTP code that matched a configured value. • Test wait—Server is ready to be tested. This state is applicable only when the server is used for HTTP redirect load balancing. • Testing—Server has failed and has been given another test connection. The success of this connection is not known. • Throttle: DFP —DFP has lowered the weight of the server to throttle level; no new connections are assigned to the server until DFP raises its weight. • Throttle: max clients—Server has reached its maximum number of allowed clients. • Throttle: max connections —Server has reached its maximum number of connections and is no longer being given connections. • Unknown—State of the server is not known. Note If you have the Details popup window feature enabled, click the value in this column to open the Details popup window and display detailed information about the real server. By default, this feature is disabled. For information about enabling or disabling this feature, see the “Enabling the ACE Real Server Details Popup Window Option” section on page 18-64. Conn Number of current connections. Wt Current server weight. Table 8-2 Real Server Table Fields (continued) Item Description 8-21 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers Step 2 (Optional) To display only the real servers of a specific real server group, do the following: a. Click the Groups icon located above the Real Servers table. The Groups menu appears below the icon (see Figure 8-1). b. From the Groups menu, choose the group to display. Step 3 (Optional) Use the function buttons located at the bottom of the window to activate or suspend a real server, change the weight assigned to a real server, and so forth. Table 8-3 describes the check box and function button options. Step 4 (Optional) To identify any SNMP-related issues, select the real server’s virtual context in the object selector. If there are problems with SNMP, the SNMP status appears in the upper right above the content pane. Locality Item that pertains only to ACE software Version A4(2.0) or later releases on either device type (appliance or module). Locality also requires that you have the ACE configured for Dynamic Workload Scaling (see the “Configuring Dynamic Workload Scaling” section on page 8-26). Location of the real server, which must be a VM and not a physical server. Possible locality states are as follows: • N/A—Not available; the ACE cannot determine if the real server is local or remote. A possible cause for this issue is that Dynamic Workload Scaling is not configured correctly. • Local—The real server is located in the local network. • Remote—The real server is located in the remote network. The ACE bursts traffic to this server when the CPU and/or memory usage of the local real servers reaches the specified maximum threshold value. Stat Age Age of the statistical information. Server Farm Associated server farm. Table 8-2 Real Server Table Fields (continued) Item Description Table 8-3 Real Server Window Check Box and Function Button Options Check Box/Function Button Description Poll Now Function button that updates the displayed information. Activate Function button that activates a suspended real server (see the “Activating Real Servers” section on page 8-14). Suspend Function button that suspends an active real server (see the “Suspending Real Servers” section on page 8-15). Change Weight Function button used to change the weight assigned to a real server (see the “Server Weight Ranges” section on page 8-25). Graph Function button that displays the statistics graph for a selected real server (see the “Using the Real Server Connection Statistics Graph” section on page 8-22). Topology Function button that displays the topology map for a selected real server (see the “Using the Real Server Topology Map” section on page 8-23). 8-22 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers Related Topics • Displaying Real Server Statistics and Status Information, page 8-9 • Using the Real Server Connection Statistics Graph, page 8-22 • Managing Real Server Groups, page 8-10 • Using the Real Server Topology Map, page 8-23 • Activating Real Servers, page 8-14 • Suspending Real Servers, page 8-15 • Modifying Real Server Weight Value, page 8-17 • Enabling the ACE Real Server Details Popup Window Option, page 18-64 • Filtering Entries, page 1-14 Using the Real Server Connection Statistics Graph You can display real time and historical statistical information about the connections of a real server. ANM displays the information in graph or chart form. This feature also allows you to compare similar connection information across multiple real servers. Procedure Step 1 Choose Config > Operations > Real Servers. The Real Servers table appears. Step 2 (Optional) To display only the real servers of a specific real server group, do the following: a. Click the Groups icon located above the Real Servers table. The Groups menu appears below the icon (see Figure 8-1). b. From the Groups menu, choose the group to display. Step 3 In the Real Servers table, check the check box next to server whose connection information you want to display, and click Graph. You can choose up to four real servers if you want to compare statistical data. The Real Server Graph window appears, displaying the default graph for each selected real server. For details about using the graph feature, see the “Configuring Historical Trend and Real Time Graphs for Devices” section on page 17-48. Related Topics • Managing Real Server Groups, page 8-10 • Activating Real Servers, page 8-14 • Suspending Real Servers, page 8-15 • Modifying Real Server Weight Value, page 8-17 • Displaying Real Servers, page 8-18 • Using the Real Server Topology Map, page 8-23 8-23 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers Using the Real Server Topology Map You can display the nodes on your network based on the real server that you select. Procedure Step 1 Choose Config > Operations > Real Servers. The Real Servers table appears. Step 2 (Optional) To display only the real servers of a specific real server group, do the following: a. Click the Groups icon located above the Real Servers table. The Groups menu appears below the icon (see Figure 8-1). b. From the Groups menu, choose the group to display. Step 3 In the Real Servers table, choose the server whose topology map you want to display, and click Topology. The ANM Topology map appears. The map includes several tools for navigating the network map and zooming in and out. For details about using the map tools, see the “Displaying Network Topology Maps” section on page 17-68. Step 4 Click Exit to return to the Real Server widow. Related Topics • Managing Real Server Groups, page 8-10 • Activating Real Servers, page 8-14 • Suspending Real Servers, page 8-15 • Modifying Real Server Weight Value, page 8-17 • Displaying Real Servers, page 8-18 • Using the Real Server Connection Statistics Graph, page 8-22 CLI Commands Sent from the Real Server Table Table 8-4 displays the CLI commands dispatched to the device for a given Real Servers table option and is sorted by device type. Table 8-4 CLI Commands Deployed from the Real Servers Table Command Sample CLI Sent ACE Modules and Appliances Real Server Activation serverfarm host sf1 rserver rs1 80 inservice 8-24 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers Real Server Graceful Suspend serverfarm host sf1 rserver rs1 80 inservice standby Real Server Suspend serverfarm host sf1 rserver rs1 80 no inservice Real Server Suspend and Clear Connections serverfarm host sf1 rserver rs1 80 no inservice clear conn rserver rs1 80 serverfarm sf1 Real Server Change Weight serverfarm host sf1 rserver rs1 80 weight 2 CSMs Real Server Activation serverfarm host sf1 real 10.10.10.10 80 inservice Real Server Graceful Suspend serverfarm host sf1 real 10.10.10.10 80 inservice standby Real Server Suspend serverfarm host sf1 real 10.10.10.10 80 no inservice Real Server Suspend and Clear Connections serverfarm host sf1 real 10.10.10.10 80 no inservice clear module contentSwitchingModule 3 connections real 10.10.10.10 Real Server Change Weight serverfarm host sf1 rserver 10.10.10.10 80 weight 2 CSM Named Real Commands Sent Real Server Activation serverfarm host sf1 real name rs1 80 inservice Real Server Graceful Suspend serverfarm host sf1 real name rs1 80 inservice standby Table 8-4 CLI Commands Deployed from the Real Servers Table (continued) Command Sample CLI Sent 8-25 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Managing Real Servers Server Weight Ranges Table 8-5 displays the allowable server weight ranges by device type. Real Server Suspend serverfarm host sf1 real name rs1 80 no inservice Real Server Suspend and Clear Connections serverfarm host sf1 real name rs1 80 no inservice clear module contentSwitchingModule 3 connections real 10.10.10.10 Real Server Change Weight serverfarm host sf1 real name rs1 80 weight 2 CSS Devices Real Server Activation service myReal7 active Real Server Graceful Suspend service myReal7 weight 0 Real Server Suspend service myReal7 suspend Real Server Suspend and Clear Connections service myReal7 suspend Real Server Change Weight service myReal7 weight 2 Table 8-4 CLI Commands Deployed from the Real Servers Table (continued) Command Sample CLI Sent Table 8-5 Real Servers Table Server Weight Ranges Device Type Valid Weight Configurations ACE Appliances and Modules 1 to 100 CSMs 0 to 100 CSS Devices 0 to 10 8-26 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Dynamic Workload Scaling Configuring Dynamic Workload Scaling Note Dynamic Workload Scaling requires ACE software Version A4(2.0) or later release on either device type (appliance or module). This section describes how to configure the ACE Dynamic Workload Scaling (DWS) feature, which enables an ACE to burst traffic to a remote pool of VMs when the average CPU and/or memory usage of the local VMs has reached a specified maximum threshold value. When the usage drops below a specified minimum threshold value, the ACE stops bursting traffic to the remote VMs. Note To enable the ACE to use the VMs associated with DWS for load balancing, you must configure them as real servers on the ACE (see the “Configuring Real Servers” section on page 8-5). For more information about DWS, see the “ANM Overview” section on page 1-1 and the “Dynamic Workload Scaling Overview” section on page 8-4. Prerequisites DWS requires the following configuration elements: • An ACE with software Version A4(2.0) or later and configured with the following items: – Nexus 7000 Series switch—XML interface IP address of the local Cisco Nexus 7000 Series switch that the ACE polls to obtain VM location information (local or remote). You can define up to two switch profiles per Admin context depending on the ACE software version (see Guidelines and Restrictions). For information about defining a switch profile, see the “Configuring and Verifying a Cisco Nexus 7000 Series Switch Connection” section on page 8-27. Note The Nexus 7000 Series switch must be configured for DCI/OTV in the local data center and in the remote data center. For details about configuring a Nexus 7000 for DCI/OTV, see the Cisco Nexus 7000 NX-OS OTV Configuration Guide, Release 5.x. – VM Controller—IP address of the VM Controller (also known as VMware vCenter Server) that the ACE sends a health probe to monitor usage of the local VMs associated with a server farm. – VM probe—Probe that the ACE sends to the VM Controller to monitor local VM usage based on CPU usage, memory usage, or both (see the “Configuring Health Monitoring” section on page 8-49). – Server Farms—Groups of networked real servers (physical servers and VMs) that provide content delivery (see the “Configuring Server Farms” section on page 8-30).V • VMware vCenter Server 4.0 or later. • Multiple local and remote VMs configured as real servers and associated with server farms configured on the ACE. • ACE backend interface MTU set to 1430 or less to accommodate DCI encapsulation and the Don’t Fragment (DF) bit is automatically set on the DCI link. For details about setting the ACE MTU, see the Cisco 4700 Series Application Control Engine Appliance Routing and Bridging Configuration Guide. 8-27 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Dynamic Workload Scaling This section includes the following topics: • Configuring and Verifying a Cisco Nexus 7000 Series Switch Connection, page 8-27 • Configuring and Verifying a VM Controller Connection, page 8-29 Configuring and Verifying a Cisco Nexus 7000 Series Switch Connection Note This feature requires ACE software Version A4(2.0) or later release on either device type (appliance or module). You can configure an ACE with the Cisco Nexus 7000 Series switch attributes required to allow the ACE to communicate with the switch using SSH. When configured for DWS, the ACE uses the Nexus 7000 Series switch to obtain VM location information (local or remote). You can also use this procedure to edit the attributes of an existing Nexus 7000 Series switch profile or remove a switch profile. Guidelines and Restrictions The number of Nexus 7000 Series switch profiles that you can define per ACE Admin context is as follows: • ACE software Version A4(2.0) to A5(1.1)—One switch profile only. • ACE software Version A5(1.2) or later—Up to two switch profiles. Procedure Step 1 Choose Config > Devices > Admin_context > Load Balancing > Dynamic Workload Scaling > Nexus 7000 Setup. The Nexus 7000 Setup pane appears. Note If existing Nexus 7000 Series switch profiles already exist, the Name field lists their profile names in drop-down list on the right. Multiple switch profiles requires ACE software Version A5(1.2) or later. Step 2 From the Nexus 7000 Setup pane, do one of the following: • To define a new Nexus 7000 series switch profile, do the following: a. From the Name field, click the text box radio button if it is not already selected and enter a Nexus 7000 name with a maximum of 64 characters. See the Note at the beginning of this chapter for ACE object naming specifications. b. From the Primary IP filed, enter the Nexus 7000 XML interface IP address in dotted-decimal format (such as 192.168.11.1). c. From the User Name field, enter the username that the ACE uses for access and authentication on the Nexus 7000 Series switch. Valid entries are unquoted text strings with a maximum of 64 characters with no spaces. 8-28 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Dynamic Workload Scaling Note The user must have either the vdc-admin or network-admin role to receive the Nexus 7000 Series switch output for the VM location information in XML format. d. From the Password field, enter the password that the ACE uses for authentication on the Nexus 7000 Series switch. Valid entries are unquoted text strings with a maximum of 64 characters with no spaces. e. From the Confirm field, reenter the password and go to Step 3. • To edit an existing Nexus 7000 Series switch profile, do the following: a. From the Name field, click the radio button for the drop down list that contains the list of existing switch profile names. b. From the drop down list, choose the switch profile to edit. The current profile attributes display. c. Edit the profile fields as described in the procedure above for creating a new profile and go to Step 3. Step 3 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. Note Configuring the ACE for DWS also requires configuring the ACE with the VM Controller information (see the “Configuring and Verifying a VM Controller Connection” section on page 8-29) and configuring a VM health probe (see the “Configuring Health Monitoring” section on page 8-49). Step 4 (Optional) Click Details to verify connectivity between the ACE and the Nexus 7000 Series switch. The ACE show nexus-device device_name detail CLI command output displays in a popup window and includes information such as the device name, IP address, and connection information. For more information about the command output, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide. Step 5 (Optional) Click Delete to delete the currently configured Cisco Nexus 7000 series switch. Caution If the ACE is currently configured for DWS, deleting the Nexus 7000 Series switch disables the feature. Related Topics • Configuring and Verifying a VM Controller Connection, page 8-29 • Configuring Health Monitoring, page 8-49 • Configuring Dynamic Workload Scaling, page 8-26 • Dynamic Workload Scaling Overview, page 8-4 • Configuring Real Servers, page 8-5 • Configuring Load Balancing Using Server Farms, page 8-31 8-29 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Dynamic Workload Scaling Configuring and Verifying a VM Controller Connection Note This feature requires ACE software Version A4(2.0) or later release on either device type (appliance or module). You can configure an ACE with the VM Controller (VMware vCenter Server) attributes required to allow the ACE to communicate with the VM Controller to obtain local VM load information. Guidelines and Restrictions Configure only one VM Controller per ACE Admin context. Prerequisites The ACE is configured to communicate with the local Cisco Nexus 7000 Series switch that enables the ACE to discover the locality of the VM Controller VMs (see the “Configuring and Verifying a Cisco Nexus 7000 Series Switch Connection” section on page 8-27). Procedure Step 1 Choose Config > Devices > Admin_context > Load Balancing > Dynamic Workload Scaling > VM Controller Setup. The VM Controller Setup pane appears. Step 2 From the VM Controller Setup pane, define the VM Controller using the information in Table 8-6. Step 3 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. Note Configuring the ACE for Dynamic Workload Scaling also requires configuring the ACE with the Nexus 7000 information (see the “Configuring and Verifying a Cisco Nexus 7000 Series Switch Connection” section on page 8-27) and configuring a VM health probe (see the “Configuring Health Monitoring” section on page 8-49). Table 8-6 VM Controller Setup Field Description Name VM Controller name (see the Note at the beginning of this chapter for ACE object naming specifications). URL IP address or URL for the VM Controller web services API agent. The URL must point to the VM Controller software development kit (SDK). For example, https://1.2.3.4/sdk. Enter up to 255 characters. User Name Username that the ACE uses for access and authentication on the VM Controller. The user must have a read-only role at least or a role with a read privilege. Valid entries are unquoted text strings with a maximum of 64 characters and no spaces. Password Password that the ACE uses for authentication on the VM Controller. Valid entries are unquoted text strings with a maximum of 64 characters and no spaces. Reenter the password in the Confirm field. 8-30 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Step 4 (Optional) Click Details to verify connectivity between the ACE and the remote VM Controller. The ACE show vm-controller device_name detail CLI command output displays in a popup window and includes information such as the VM Controller status, IP address, and connection information. Step 5 (Optional) Click Delete to delete the currently configured VM Controller. Note If the ACE is currently configured for Dynamic Workload Scaling, you must delete the associated VM health probe before you can delete the VM controller (see the “Configuring Health Monitoring” section on page 8-49). Related Topics • Configuring and Verifying a Cisco Nexus 7000 Series Switch Connection, page 8-27 • Configuring Health Monitoring, page 8-49 • Configuring Dynamic Workload Scaling, page 8-26 • Dynamic Workload Scaling Overview, page 8-4 • Configuring Real Servers, page 8-5 • Configuring Load Balancing Using Server Farms, page 8-31 Configuring Server Farms You can configure load balancing using server farms, which are groups of networked real servers (physical servers and VMs) that contain the same content and that typically reside in the same physical location in a data center. Websites often include groups of servers configured in a server farm. Load-balancing software distributes client requests for content or services among the real servers based on the configured policy and traffic classification, server availability and load, and other factors. If one server goes down, another server can take its place and continue to provide the same content to the clients who requested it. Guidelines and Restrictions • With Dynamic Workload Scaling configured on the ACE, the real servers that are VMs can also reside in a remote datacenter (see the “Configuring Dynamic Workload Scaling” section on page 8-26). • A server farm can support a mix of IPv6 and IPv4 real servers, and can be associated with both IPv6 and IPv4 probes. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. This section includes the following topics: • Configuring Load Balancing Using Server Farms, page 8-31 • Adding Real Servers to a Server Farm, page 8-37 • Configuring the Predictor Method for Server Farms, page 8-39 • Configuring Server Farm HTTP Return Error-Code Checking, page 8-46 • Displaying All Server Farms, page 8-48 • Displaying Server Farm Statistics and Status Information, page 8-48 8-31 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Configuring Load Balancing Using Server Farms Procedure Step 1 Choose Config > Devices > context > Load Balancing > Server Farms. The Server Farms table appears. Step 2 In the Server Farms table, click Poll Now to instruct ANM to poll the devices and display the current values, and click OK when prompted if you want to poll the devices for data now. Step 3 Click Add to add a new server farm, or choose an existing server farm and click Edit. The Server Farms configuration window appears. Step 4 In the Server Farms configuration window, configure the server farm using the information in Table 8-7. Table 8-7 Server Farm Attributes Field Description Name Unique name for this server farm or accept the automatically incremented value in this field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. Type Type of server farm as follows: • Host—Server farm consists of real servers that provide content and services to clients. • Redirect—Server farm consists only of real servers that redirect client requests to alternate locations specified in the real server configuration. (See the “Configuring Real Servers” section on page 8-5.) Description Brief description for this server farm. Valid entries are unquoted alphanumeric text strings with no spaces and a maximum of 240 characters. Fail Action Action that the ACE is to take with respect to connections if any real server in the server farm fails: • N/A—The ACE is to take no action if any server in the server farm fails. • Purge—The ACE is to remove connections to a real server if that real server in the server farm fails. The ACE sends a reset command to both the client and the server that failed. • Reassign—The ACE is to reassign the existing server connections to the backup real server (if configured) if the real server fails after you enter this command. If a backup real server has not been configured for the failing server, this selection leaves the existing connections untouched in the failing real server. 8-32 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Failaction Reassign Across Vlans Option that is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type. This field appears only when the Fail Action is set to Reassign. Check the check box to specify that the ACE reassigns the existing server connections to the backup real server on a different VLAN interface (commonly referred to as a bypass VLAN) if the real server fails. If a backup real server has not been configured for the failing server, this option has no effect and leaves the existing connections untouched in the failing real server. Note the following configuration requirements and restrictions when you enable this option: • Enable the Transparent option (see the next Field) to instruct the ACE not to use NAT to translate the ACE VIP address to the server IP address. The Failaction Reassign Across Vlans option is intended for use in stateful firewall load balancing (FWLB) on your ACE, where the destination IP address for the connection coming in to the ACE is for the end-point real server, and the ACE reassigns the connection so that it is transmitted through a different next hop. • Enable the MAC Sticky option on all server-side interfaces to ensure that packets that are going to and coming from the same server in a flow will traverse the same firewalls or stateful devices (see the “Configuring Virtual Context VLAN Interfaces” section on page 12-6). • Configure the Predictor Hash Address option after you add the serverfarm (see the “Configuring the Predictor Method for Server Farms” section on page 8-39). • You must configure identical policies on the primary interface and the backup-server interface. The backup interface must have the same feature configurations as the primary interface. • If you configure a policy on the backup-server interface that is different from the policies on the primary-server interface, that policy will be effective only for new connections. The reassigned connection will always have only the primary-server interface policies. • Interface-specific features (for example, NAT, application protocol inspection, outbound ACLs, or SYN cookie) are not supported. • You cannot reassign connections to the failed real server after it comes back up. This restriction also applies to same-VLAN backup servers. • Real servers must be directly connected to the ACE. This requirement also applies to same-VLAN backup server. • You must disable sequence number randomization on the firewall (see the “Configuring Connection Parameter Maps” section on page 10-3). • Probe configurations should be similar on both ACEs and the interval values should be low. For example, if you configure a high interval value on ACE-1 and a low interval value on ACE-2, the reassigned connections may become stuck because of the probe configuration mismatch. ACE-2 with the low interval value will detect the primary server failure first and will reassign all its incoming connections to the backup-server interface VLAN. ACE-1 with the high interval value may not detect the failure before the primary server comes back up and will still point to the primary server. To minimize packet loss, we recommend the following probe parameter values on both ACEs: Interval: 2, Faildetect: 2, Passdetect interval: 2, and Passdetect count: 5. Table 8-7 Server Farm Attributes (continued) Field Description 8-33 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Transparent Field that appears only for host server farms. Specify whether network address translation from the VIP address to the server IP is to occur. Check the check box to indicate that network address translation from the VIP address to the server IP address is to occur. Uncheck the check box to indicate that network address translation from the VIP address to the server IP address is not to occur. Dynamic Workload Scaling Option that is available only for ACE software Version A4(2.0) or later release on either device type (appliance or module). Field that appears only for host server farms. Allows the ACE to burst traffic to remote VMs when the average CPU or memory usage of the local VMs has reached its specified maximum threshold value. The ACE stops bursting traffic to the remote VMs when the average CPU or memory usage of the local VMs has dropped below its specified minimum threshold value. This option requires that you have the ACE configured for Dynamic Workload Scaling using a Nexus 7000, VM Controller, and VM probe (see the “Configuring Dynamic Workload Scaling” section on page 8-26). Click one of the following radio button options: • N/A—Not applicable (default). • Local—Restricts the ACE to use of local VMs only for server load balancing. • Burst—Enables the ACE to burst traffic to remote VMs when needed. When you choose Burst, the VM Probe Name field displays along with a list of available VM probes. Choose an available VM probe or click Add to display the Health Monitoring popup window and create or edit a VM probe (see the “Configuring Health Monitoring” section on page 8-49). Fail-On-All Field that appears only for host server farms. By default, real servers that you configure in a server farm inherit the probes that you configure directly on that server farm. When you configure multiple probes on a server farm, the real servers in the server farm use an OR logic with respect to the probes, which means that if one of the probes configured on the server farm fails, all the real servers in that server farm fail and enter the PROBE-FAILED state. With AND logic, if one server farm probe fails, the real servers in the server farm remain in the operational state. If all the probes associated with the server farm fail, then all the real servers in that server farm fail and enter the PROBE-FAILED state. Check this check box to configure the real servers in a server farm to use AND logic with respect to multiple server farm probes. The Fail-On-All function is applicable to all probe types. Table 8-7 Server Farm Attributes (continued) Field Description 8-34 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Inband-Health Check Option that is available only for the ACE module A4(1.0), ACE appliance A4(1.0), and later releases of either device type. Field that appears only for host server farms. By default, the ACE monitors the health of all real servers in a configuration through the use of ARPs and health probes. However, there is latency period between when the real server goes down and when the ACE becomes aware of the state. The inband health monitoring feature allows the ACE to monitor the health of the real servers in the server farm through the following connection failures: • For TCP, resets (RSTs) from the server or SYN timeouts. • For UDP, ICMP Host, Network, Port, Protocol, and Source Route unreachable messages. When you configure the failure-count threshold and the number of these failures exceeds the threshold within the reset-time interval, the ACE immediately marks the server as failed, takes it out of service, and removes it from load balancing. The server is not considered for load balancing until the optional resume-service interval expires. The Inband-Health Check attributes are as follows: • Count—Tracks the total number of TCP or UDP failures, and increments the counters. • Log—Logs a syslog error message when the number of events reaches the threshold value that you set for the Connection Failure Threshold Count attribute. • Remove—Logs a syslog error message when the number of events reaches the configured threshold and removes the real server from service. Connection Failure Threshold Count This field appears only when the Inband-Health Check is set to Log or Remove. Enter the maximum number of connection failures that a real server can exhibit in the reset-time interval before ACE marks the real server as failed. Valid entries are as follows: • ACE appliance—1 to 4294967295 • ACE module—4 to 4294967295 Reset Timeout (Milliseconds) This field appears only when the Inband-Health Check is set to Log or Remove. Enter the number of milliseconds for the reset-time interval. Valid entries are integers from 100 to 300000. The default interval is 100. This interval starts when the ACE detects a connection failure. If the connection failure threshold is reached during this interval, the ACE generates a syslog message. If you configure the remove keyword, the ACE also removes the real server from service. Changing the setting of this option affects the behavior of the real server, as follows: • When the real server is in the OPERATIONAL state, even if several connection failures have occurred, the new reset-time interval takes effect the next time that a connection error occurs. • When the real server in the INBAND-HM-FAILED state, the new reset-time interval takes effect the next time that a connection error occurs after the server transitions to the OPERATIONAL state. Table 8-7 Server Farm Attributes (continued) Field Description 8-35 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Resume Service (Seconds) Field that appears only when the Inband-Health Check is set to Remove. Enter the number of seconds after a server has been marked as failed to reconsider it for sending live connections. Valid entries are integers from 30 to 3600. The default setting is 0. The setting of this option affects the behavior of the real server in the inband failed state, as follows: • When this field is not configured and has the default setting of 0, the real server remains in the failed state until you manually suspend and then reactivate it. • When this field is not configured and has the default setting of 0 and then you configure this option with an integer between 30 and 3,600, the failed real server immediately transitions to the Operational state. • When you configure this field and then increase the value, the real server remains in the failed state for the duration of the previously-configured value. The new value takes effect the next time the real server transitions to the failed state. • When you configure this field and then decrease the value, the failed real server immediately transitions to the Operational state. • When you configure this field with an integer between 30 and 3,600 and then reset it to the default of 0, the real server remains in the failed state for the duration of the previously-configured value. The default setting takes effect the next time the real server transitions to the failed state. Then the real server remains in the failed state until you manually suspend and then reactivate it. • When you change this field within the reset-time interval the real server in the OPERATIONAL with several connection failures, the new threshold interval takes effect the next time that a connection error occurs, even if it occurs within the current reset-time interval. Partial-Threshold Percentage Field that appears only for host server farms. Enter the minimum percentage of real servers in the primary server farm that must remain active for the server farm to stay up. If the percentage of active real servers falls below this threshold, the ACE takes the server farm out of service. Valid entries are from 0 to 99. The default is 0. Back Inservice Field that appears only for host server farms. Enter the percentage of real servers in the primary server farm that must be active again for the ACE to place the server farm back into service. Valid entries are from 0 to 99. The value in this field should be larger than the value in the Partial Threshold Percentage field. The default is 0. Table 8-7 Server Farm Attributes (continued) Field Description 8-36 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Step 5 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes with additional configuration options: – To add real servers to the server farm, see the “Adding Real Servers to a Server Farm” section on page 8-37. – To specify a predictor method for the server farm, see the “Configuring the Predictor Method for Server Farms” section on page 8-39. – To configure return code checking, see the “Configuring Server Farm HTTP Return Error-Code Checking” section on page 8-46. • Click Cancel to exit the procedure without saving your entries and to return to the Server Farms table. • Click Next to deploy your entries and to configure another server farm. Step 6 (Optional) To display statistics and status information for an existing server farm, choose a server farm from the Server Farms table, and click Details. The show serverfarm name detail CLI command output appears. See the “Displaying Server Farm Statistics and Status Information” section on page 8-48 for details. Probes Field that appears only as follows: • For all host server farms. The Available probe list contains all probe types. • For redirect server farms configured on ACE devices that use the following software versions: – ACE module: A2(3.x) and later releases – ACE appliance: A3(x) and later releases The redirect server farm Available probe list contains only probes of the type Is Routed, which means that the ACE routes the probe address according to the ACE internal routing table (see the “Configuring Health Monitoring for Real Servers” section on page 8-51). In the Available Items list, choose the probes to use for health monitoring, and click Add. The selected probes appear in the Selected Items list. Note You can associate both IPv6 and IPv4 probes to a server farm. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Note The list of available probes does not include VM health monitoring probes. To choose a VM probe for monitoring local VM usage, see the Dynamic Workload Scaling field. To remove probes that you do not want to use for health monitoring, select them in the Selected Items list, and click Remove. The selected probes appear in the Available Items list. Table 8-7 Server Farm Attributes (continued) Field Description 8-37 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Related Topics • Configuring Health Monitoring for Real Servers, page 8-51 • Configuring Real Servers, page 8-5 • Configuring Sticky Groups, page 9-7 • Configuring the Predictor Method for Server Farms, page 8-39 • Configuring Server Farm HTTP Return Error-Code Checking, page 8-46 • Configuring Dynamic Workload Scaling, page 8-26 Adding Real Servers to a Server Farm You can add real servers to a server farm. After adding a server farm (see the “Configuring Server Farms” section on page 8-30), you can associate real servers with it and configure predictors and retcode maps. The options for these attributes appear after you have successfully added a new server farm. Assumptions This topic assumes the following: • A server farm has been added to ANM (see the “Configuring Server Farms” section on page 8-30). • At least one real server exists. Consideration A server farm can support a mix of IPv6 and IPv4 real servers. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Server Farms. The Server Farms table appears. Step 2 In the Server Farms table, choose the server farm that you want to associate with real servers. The Real Servers table appears. Step 3 In the Real Servers table, click Add to add a new entry, or select an existing server and click Edit to modify it. The Real Servers configuration pane appears. Step 4 In the Real Servers configuration pane, configure the real server using the information in Table 8-8. Table 8-8 Real Server Configuration Attributes Field Description Name Server that you want to associate with the server farm. Port Port number to be used for server port address translation (PAT). Valid entries are from 1 to 65535. Backup Server Name Server that is to act as the backup server for the server farm. Leave this field blank to indicate that there is no designated backup server for the server farm. Backup Server Port Server port number. If you select a backup server, enter the backup server port number. Valid entries are from 1 to 65535. 8-38 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Fail-On-All Field that appears only for real servers identified as host servers. By default, real servers with multiple probes configured for them have an OR logic associated with them. This means that if one of the real server probes fails, the real server fails and enters the PROBE-FAILED state. Check this checkbox to configure a real server to remain in the OPERATIONAL state unless all probes associated with it fail (AND logic). The Fail-On-All function is applicable to all probe types. State State of this server as follows: • In Service—The server is in service. • In Service Standby—The server is a backup server and remains inactive unless the primary server fails. If the primary server fails, the backup server becomes active and starts accepting connections. • Out Of Service—The server is out of service. Min. Connections Minimum number of connections that the number of connections must fall below before the ACE resumes sending connections to the server after it has exceeded the number in the Max. Connections field. The number in this field must be less than or equal to the number in the Max. Connections field. For ACE appliances, valid entries are from 2 to 4294967295. For ACE modules, valid entries are from 2 to 4000000. Max. Connections Maximum number of active connections that can be sent to the server. When the number of connections exceeds this number, the ACE stops sending connections to the server until the number of connections falls below the number specified in the Min. Connections field. For ACE appliances, valid entries are from 2 to 4294967295. For ACE modules, valid entries are from 2 to 4000000. Weight Weight to assign to the server. Valid entries are from 1 to 100. The default is 8. Probes Probes to apply to the server. Choose the probes in the Available Items list that you want to apply to this server, and click Add. The selected probes appear in the Selected Items list. To remove probes that you do not want to use, choose the probes in the Selected Items list, and click Remove. The selected probes appear in the Available Items list. Note The VM probe type does not display in the Available Items list even if you have one configured. Rate Bandwidth Bandwidth rate, which is the number of bytes per second and applies to the network traffic exchanged between the ACE and the real server in both directions. Specify the bandwidth limit in bytes per second. Valid entries are from 2 to 300000000. The default is 300000000. Rate Connection Connection rate, which is the number of connections per second received by the ACE and applies only to new connections destined to a real server. Specify the limit for connections per second. Valid entries are from 2 to 350000. The default is 350000. Table 8-8 Real Server Configuration Attributes (continued) Field Description 8-39 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Step 5 When you finish configuring this server for this server farm, do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Real Servers table. • Click Cancel to exit this procedure without saving your entries and to return to the Real Servers table. • Click Next to deploy your entries and to add another real server for this server farm. Related Topics • Configuring Health Monitoring for Real Servers, page 8-51 • Configuring Real Servers, page 8-5 • Configuring Sticky Groups, page 9-7 • Configuring the Predictor Method for Server Farms, page 8-39 • Configuring Server Farm HTTP Return Error-Code Checking, page 8-46 • Configuring Dynamic Workload Scaling, page 8-26 Configuring the Predictor Method for Server Farms You can configure the predictor method for a server farm. The predictor method specifies how the ACE is to select a server in the server farm when it receives a client request for a service. After adding a server farm (see the “Configuring Server Farms” section on page 8-30), you can associate real servers with it and configure the predictor method and retcode maps. The options for these attributes appear after you have successfully added a new server farm. Note You can configure only one predictor method per server farm. Assumptions This topic assumes the following: • A server farm has been added to ANM (see the “Configuring Server Farms” section on page 8-30.) • At least one real server exists. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Server Farms. The Server Farms table appears. Step 2 In the Server Farms table, choose the server farm that you want to configure the predictor method for, and click the Predictor tab. The Predictor configuration pane appears. Step 3 In the Type field of the Predictor configuration pane, choose the method that the ACE is to use to select a server in this server farm when it receives a client request (see Table 8-9). Step 4 Enter the required information for the selected predictor method (see Table 8-9). 8-40 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Table 8-9 Predictor Method Attributes Predictor Method Description / Action Hash Address Server selection method that uses a hash value based on the source or destination IP address. To configure the hash address predictor method, do the following: a. In the Mask Type field, indicate whether server selection is based on source IP address or the destination IP address as follows: – N/A—This option is not defined. – Destination—The server is selected based on the destination IP address. – Source—The server is selected based on the source IP address. Note If you configure the server farm with IPv6 and IPv4 Hash Address predictors at the same time, both predictors must have the same mask type. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. b. In the IP Netmask field, choose the subnet mask to apply to the address. If none is specified, the default is 255.255.255.255. c. In the IPv6 Prefix-Length field, enter the IPv6 prefix length. If none is specified, the default is 128. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later. 8-41 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Hash Content Server selection method that uses a hash value based on the specified content string of the HTTP packet body. Do the following: a. In the Begin Pattern field, enter the beginning pattern of the content string and the pattern string to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the HTTP body immediate following the offset byte. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. b. In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify either a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field or the end of the packet, or until it reaches the maximum body parse length. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. c. In the Length (Bytes) field, enter the length in bytes of the portion of the content (starting with the byte after the offset value) that the ACE uses for sticking the client to the server. Valid entries are from 1 to 1000 bytes. The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but shorter than the offset plus the length of the payload, the ACE sticks the connection based on that portion of the payload starting with the byte after the offset value and ending with the byte specified by the offset plus the length. The total of the offset and the length cannot exceed 1000. Note You cannot specify both the length and the end-pattern options for a Hash Content predictor. d. In the HTTP Content Offset (Bytes) field, enter the portion of the content that the ACE uses to stick the client on a particular server by indicating the bytes to ignore starting with the first byte of the payload. Valid entries are integers from 0 to 999 bytes. The default is 0, which indicates that the ACE does not exclude any portion of the content. Hash Cookie Server selection method that uses a hash value based on the cookie name. In the Cookie Name field, enter a cookie name in the form of an unquoted text string with no spaces and a maximum of 64 characters. Hash Header Server selection method that uses a hash value based on the header name. In the Header Name field, choose the HTTP header to be used for server selection as follows: • To specify an HTTP header that is not one of the standard HTTP headers, click the first radio button and enter the HTTP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. • To specify one of the standard HTTP headers, click the second radio button, and then choose one of the HTTP headers from the list. Table 8-9 Predictor Method Attributes (continued) Predictor Method Description / Action 8-42 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Hash Layer4 Layer 4 generic protocol load-balancing method. Use this predictor to load balance packets from protocols that are not explicitly supported by the ACE. a. In the Begin Pattern field, enter the beginning pattern of the Layer 4 payload and the pattern string to match before hashing. If you do not specify a beginning pattern, the ACE starts parsing the HTTP body immediate following the offset byte. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. b. In the End Pattern field, enter the pattern that marks the end of hashing. If you do not specify either a length or an end pattern, the ACE continues to parse the data until it reaches the end of the field or the end of the packet, or until it reaches the maximum body parse length. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. c. In the Length (Bytes) field, enter the length in bytes of the portion of the payload (starting with the byte after the offset value) that the ACE uses for sticking the client to the server. Valid entries are from 1 to 1000 bytes. The offset and length can vary from 0 to 1000 bytes. If the payload is longer than the offset but shorter than the offset plus the length of the payload, the ACE sticks the connection based on that portion of the payload starting with the byte after the offset value and ending with the byte specified by the offset plus the length. The total of the offset and the length cannot exceed 1000. Note You cannot specify both the length and end-pattern options for a Hash Layer 4 predictor. d. In the HTTP Content Offset (Bytes) field, enter the portion of the content that the ACE uses to stick the client on a particular server by indicating the bytes to ignore starting with the first byte of the payload. Valid entries are from 0 to 999 bytes. The default is 0, which indicates that the ACE does not exclude any portion of the content. Hash URL Server selection method that uses a hash value based on the URL. Use this method to load balance firewalls. Enter values in one or both of the pattern fields as follows: • In the URL Begin Pattern field, enter the beginning pattern of the URL and the pattern string to parse. • In the URL End Pattern field, enter the ending pattern of the URL and the pattern string to parse. Valid entries for these fields are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters for each pattern that you configure. The following special characters are also allowed: @ # $ Table 8-9 Predictor Method Attributes (continued) Predictor Method Description / Action 8-43 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Least Bandwidth Server with the least amount of network traffic over a specified sampling period. Do the following: a. In the Assess Time (Seconds) field, enter the number of seconds for which the ACE is to collect traffic information. Valid entries are from 1 to 10 seconds. b. In the Least Bandwidth Samples field, enter the number of samples over which you want to weight and average the results of the probe query to calculate the final load value. Valid entries are 1, 2, 4, 8, and 16 (values from 1 to 16 that are also a power of 2). Least Connections Server with the fewest number of connections. In the Slow Start Duration (Seconds) field, enter the slow-start value to be applied to this predictor method. Valid entries are from 1 to 65535, where 1 is the slowest ramp-up value. The slow-start mechanism is used to avoid sending a high rate of new connections to servers that you have just put into service. Table 8-9 Predictor Method Attributes (continued) Predictor Method Description / Action 8-44 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Least Loaded Least loaded server based on information from SNMP probes. Do the following: a. In the SNMP Probe Name field, choose the name of the SNMP probe to use. b. In the Auto Adjust field, configure the autoadjust feature to instruct the ACE to apply the maximum load of 16000 to a real server whose load reaches zero or override the default behavior. By default, the ACE applies the average load of the server farm to a real server whose load is zero. The ACE periodically adjusts this load value based on feedback from the server SNMP probe and other configured options. Options include the following: – Average—Instructs the ACE to apply the average load of the server farm to a real server whose load is zero. This setting allows the server to participate in load balancing, while preventing it from being flooded by new connections. This is the default setting. – Maxload—Instructs the ACE to apply the maximum load of the server farm to a real server whose load reaches zero. The maxload option requires the following ACE software versions: - ACE appliance—A3(2.7) or A4(1.0) or later - ACE module—A2(2.4), A2(3.2), or A4(1.0) or later If you choose the maxload option and the ACE does not support the option, ANM issues a command parse error message. – Off—Instructs the ACE to send all new connections to the server that has a load of zero until the next load update arrives from the SNMP probe for this server. There may be times when you want the ACE to send all new connections to a real server whose load is zero. c. In the Weight Connection field, check the check box to instruct the ACE to use the current connection count in the final load calculation for a real server. When you configure this option, the ACE includes the current connection count in the total load calculation for each real server in a server farm. Uncheck the check box to reset the behavior of the ACE to the default of excluding the current connection count from the load calculation. To instruct the ACE to select the server with the lowest load, use the predictor least-loaded command in server farm host or redirect configuration mode. With this predictor, the ACE uses SNMP probes to query the real servers for load parameter values (for example, CPU utilization or memory utilization). This predictor is considered adaptive because the ACE continuously provides feedback to the load-balancing algorithm based on the behavior of the real server. To use this predictor, you must associate an SNMP probe with it. The ACE queries user-specified OIDs periodically based on a configurable time interval. The ACE uses the retrieved SNMP load value to determine the server with the lowest load. The syntax of this predictor command is as follows: predictor least-loaded probe name The name argument specifies the identifier of the existing SNMP probe that you want the ACE to use to query the server. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. Table 8-9 Predictor Method Attributes (continued) Predictor Method Description / Action 8-45 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Step 5 Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. Related Topics • Configuring Health Monitoring for Real Servers, page 8-51 • Configuring Real Servers, page 8-5 • Configuring Sticky Groups, page 9-7 • Adding Real Servers to a Server Farm, page 8-37 • Configuring Dynamic Workload Scaling, page 8-26 Least Loaded (continued) For example, to configure the ACE to select the real server with the lowest load based on feedback from an SNMP probe called PROBE_SNMP, enter the following commands: host1/Admin(config)# serverfarm SF1 host1/Admin(config-sfarm-host)# predictor least-loaded probe PROBE_SNMP host1/Admin(config-sfarm-host-predictor)# To reset the predictor method to the default of round-robin, enter the following command: host1/Admin(config-sfarm-host)# no predictor Response Server selection method based on the lowest response time for a requested response-time measurement. a. In the Response Type field, select the type of measurement to use as follows: – App-Req-To-Resp—The response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request. – Syn-To-Close—The response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server. – Syn-To-Synack—The response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a SYN-ACK from the server. b. In the Response Samples field, enter the number of samples over which you want to average the results of the response-time measurement. Valid entries are 1, 2, 4, 8, and 16 (values from 1 to 16 that are also a power of 2). c. In the Weight Connection field, check the check box to instruct the ACE to use the current connection count in the final load calculation for a real server. When you configure this option, the ACE includes the current connection count in the total load calculation for each real server in a server farm. Uncheck the check box to reset the behavior of the ACE to the default of excluding the current connection count from the load calculation. Round Robin Server selection method in which The ACE selects the next server in the list of servers based on server weight. This method is the default predictor. Table 8-9 Predictor Method Attributes (continued) Predictor Method Description / Action 8-46 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Configuring Server Farm HTTP Return Error-Code Checking Note This feature is available only for server farms configured as hosts. It is not available for server farms configured with the type Redirect. You can configure HTTP return error-code checking (retcode map) for a server farm. After adding a server farm (see the “Configuring Server Farms” section on page 8-30), you can associate real servers with it and configure the predictor method and retcode maps. These options appear after you have successfully added a server farm. Assumption A host type server farm has been added to ANM (see the “Configuring Server Farms” section on page 8-30). Procedure Step 1 Choose Config > Devices > context > Load Balancing > Server Farms. The Server Farms table appears. Step 2 In the Server Farms table, choose the server farm that you want to configure for return error-code checking, and click the Retcode Map tab. The Retcode Map table appears. Step 3 In the Retcode Map table, click Add to add a new entry to the table. The Retcode Map configuration pane appears. Note You cannot modify an entry in the Retcode Map table. Instead, delete the existing entry, then add a new one. Step 4 In the Lowest Retcode field of the Retcode Map configuration pane, enter the minimum value for an HTTP return error code. Valid entries are from 100 to 599. This number must be less than or equal to the number in the Highest Retcode field. Step 5 In the Highest Retcode field, enter the maximum number for an HTTP return error code. Valid entries are from 100 to 599. This number must be greater than or equal to the number in the Lowest Retcode field. Step 6 In the Type field, specify the action to be taken and related options using the information in Table 8-10. Note For ACE appliances, the only available option is Count. Table 8-10 Return-Code Type Configuration Options Option Description Count Total number of return codes received for each return code number that you specify. 8-47 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Step 7 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the Retcode Map table. • Click Next to deploy your entries and to add another retcode map. Log Syslog error message generated when the number of events reaches a specified threshold. a. In the Threshold field, enter the number of events that the ACE is to receive before generating a syslog error message. Valid entries are as follows: – ACE appliance (all) and ACE module pre A4(1.0)—1 to 4294967295. – ACE module A4(1.0)—4 to 4294967295. b. In the Reset (Seconds) field, enter the time interval in seconds for which the ACE checks for the return code. Valid entries are as follows: – ACE appliance or module pre A4(1.0)—1 to 4294967295 – ACE appliance or module A4(1.0) and later—1 to 2147483647 Remove The ACE generates a syslog error message when the number of events reaches a specified threshold and then removes the server from service. a. In the Threshold field, enter the number of events that the ACE is to receive before generating a syslog error message and removing the server from service. Valid entries are from 1 to 4294967295. b. In the Reset (Seconds) field, enter the time interval in seconds for which the ACE checks for the return code. Valid entries are from 1 to 4294967295 seconds. c. In the Resume Service (Seconds) field, enter the number of seconds that the ACE waits before it resumes service for the real server automatically after taking the real server out of service. Valid entries are 30 to 3600 seconds. The default is 0 seconds. The setting of this field affects the behavior of the real server in the failed state, as follows: – When this field is not configured and has the default setting of 0, the real server remains in the failed state until you manually remove it from service and read it. – When this field is not configured and has the default setting of 0 and then you configure it with an integer between 30 and 3,600, the failed real server immediately transitions to the Operational state. – When you configure this field and then increase the value, the real server remains in the failed state for the duration of the previously-configured value. The new value takes effect the next time the real server transitions to the failed state. – When you configure this field and then decrease the value, the failed real server immediately transitions to the Operational state. – When you configure this field with an integer between 30 and 3,600 and then reset it to the default of 0, the real server remains in the failed state for the duration of the previously-configured value. The default setting takes effect the next time the real server transitions to the failed state. Then the real server remains in the failed state until you manually remove it from service and read it. Table 8-10 Return-Code Type Configuration Options (continued) Option Description 8-48 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Server Farms Related Topics • Information About Virtual Contexts, page 6-2 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring Real Servers, page 8-5 • Configuring Sticky Groups, page 9-7 • Configuring Dynamic Workload Scaling, page 8-26 Displaying All Server Farms You can display all server farms associated with a virtual context. Procedure Step 1 Choose Config > Devices. The Virtual Contexts table appears. Step 2 In the Virtual Contexts table, choose the virtual context with the server farms you want to display, and click Load Balancing > Server Farms. The Server Farms table appears with the following information: • Server farm name • Server farm type (either host or redirect) • Description • Number of real servers associated with the server farm • Number of predictor methods for the server farm • Number of entries in the HTTP retcode map table You can click on any of the entries in the last three columns to view specific information about those entries. Related Topics • Displaying Server Farm Statistics and Status Information, page 8-48 • Configuring Server Farms, page 8-30 • Adding Real Servers to a Server Farm, page 8-37 • Configuring the Predictor Method for Server Farms, page 8-39 • Configuring Server Farm HTTP Return Error-Code Checking, page 8-46 • Configuring Dynamic Workload Scaling, page 8-26 Displaying Server Farm Statistics and Status Information You can display statistics and status information for a particular server farm. 8-49 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring Procedure Step 1 Choose Config > Devices > context > Load Balancing > Server Farms. The Server Farms table appears. Step 2 In the Server Farms table, choose a server farm from the Server Farms table, and click Details. The show serverfarm name detail CLI command output appears. For details about the displayed output fields, see the Cisco ACE Module Server Load-Balancing Configuration Guide or the Cisco ACE 4700 Series Appliance Server Load-Balancing Configuration Guide, Chapter 2, Configuring Real Servers and Server Farms. Step 3 Click Update Details to refresh the output for the show serverfarm name detail CLI command. The new information appears in a separate panel with a new timestamp; both the old and the new server farm statistics and status information appear side-by-side to avoid overwriting the last updated information. Step 4 Click Close to return to the Server Farms table. Related Topics • Displaying All Server Farms, page 8-48 • Configuring Server Farms, page 8-30 • Adding Real Servers to a Server Farm, page 8-37 • Configuring the Predictor Method for Server Farms, page 8-39 • Configuring Server Farm HTTP Return Error-Code Checking, page 8-46 • Configuring Dynamic Workload Scaling, page 8-26 Configuring Health Monitoring You can instruct the ACE to check the health of servers and server farms by configuring health probes (sometimes referred to as keepalives). After you create a probe, you assign it to a real server or a server farm. A probe can be one of many types, including TCP, ICMP, Telnet, HTTP, and so on. You can also configure scripted probes using the TCL scripting language (see the “TCL Scripts” section on page 8-50). The ACE sends out probes periodically to determine the status of a server, verifies the server response, and checks for other network problems that may prevent a client from reaching a server. Based on the server response, the ACE can place the server in or out of service, and, based on the status of the servers in the server farm, it can make reliable load-balancing decisions. Health monitoring on the ACE tracks the state of a server by sending out probes. Also referred to as out-of-band health monitoring, the ACE verifies the server response or checks for any network problems that can prevent a client to reach a server. Based on the server response, the ACE can place the server in or out of service, and can make reliable load-balancing decisions. The ACE identifies the health of a server in the following categories: • Passed—The server returns a valid response. • Failed—The server fails to provide a valid response to the ACE or the ACE is unable to reach a server for a specified number of retries. 8-50 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring By configuring the ACE for health monitoring, the ACE sends active probes periodically to determine the server state. The ACE supports 4000 unique probe configurations which includes ICMP, TCP, HTTP, and other predefined health probes. The ACE also allows the opening of 1000 sockets simultaneously. This section includes the following topics: • “TCL Scripts” section on page 8-50 • “Configuring Health Monitoring for Real Servers” section on page 8-51 • “Configuring Probe Attributes” section on page 8-56 • “Configuring DNS Probe Expect Addresses” section on page 8-73 • “Configuring Headers for HTTP and HTTPS Probes” section on page 8-74 • “Configuring Health Monitoring Expect Status” section on page 8-74 • “Configuring an OID for SNMP Probes” section on page 8-76 • “Displaying Health Monitoring Statistics and Status Information” section on page 8-77 TCL Scripts The ACE supports several specific types of health probes (for example HTTP, TCP, or ICMP health probes) when you need to use a diverse set of applications and health probes to administer your network. The basic health probe types supported in the current ACE software release may not support the specific probing behavior that your network requires. To support a more flexible health-probing functionality, the ACE allows you to upload and execute Toolkit Command Language (TCL) scripts on the ACE. The TCL interpreter code in the ACE is based on Release 8.44 of the standard TCL distribution. You can create a script to configure health probes. Script probes operate similar to other health probes available in the ACE software. As part of a script probe, the ACE executes the script periodically, and the exit code that is returned by the executing script indicates the relative health and availability of specific real servers. For information on health probes, see the “Configuring Health Monitoring for Real Servers” section on page 8-51. For your convenience, the following sample scripts for the ACE are available to support the TCL feature and are supported by Cisco TAC: • ECHO_PROBE_SCRIPT • FINGER_PROBE_SCRIPT • FTP_PROBE_SCRIPT • HTTP_PROBE_SCRIPT • HTTPCONTENT_PROBE • HTTPHEADER_PROBE • HTTPPROXY_PROBE • IMAP_PROBE • LDAP_PROBE • MAIL_PROBE • POP3_PROBE • PROBENOTICE_PROBE 8-51 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring • RTSP_PROBE • SSL_PROBE_SCRIPT These scripts are located in the probe: directory and are accessible in both the Admin and user contexts. Note that the script files in the probe: directory are read-only, so you cannot copy or modify them. However, you can copy files from the probe: directory. For more information, see either the Cisco Application Control Engine Module Administration Guide or the Cisco 4700 Series Application Control Engine Appliance Administration Guide. To load a script into memory on the ACE and enable it for use, use the script file command. For detailed information on uploading and executing TCL scripts on the ACE, see either the Cisco ACE Module Server Load-Balancing Configuration Guide or the Cisco ACE 4700 Series Appliance Server Load-Balancing Configuration Guide. Configuring Health Monitoring for Real Servers You can establish monitoring of real servers to determine their viability in load-balancing decisions. To check the health and availability of a real server, the ACE periodically sends a probe to the real server. Depending on the server response, the ACE determines whether or not to include the server in its load-balancing decision. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Health Monitoring. The Health Monitoring table appears. Step 2 In the Health Monitoring table, click Add to add a new health monitoring probe, or choose an existing entry and click Edit to modify it. The Health Monitoring window appears. Step 3 In the Name field of the Health Monitoring window, enter a name that identifies the probe and that associates the probe with the real server. Valid entries are text strings with a maximum of 64 characters. Step 4 In the Type field, choose the type of probe that you want to use. The probe type determines what the probe sends to the real server. See Table 8-11 for the types of probes and their descriptions. Table 8-11 Probe Types Probe Type Description DNS Sends a request to a DNS server giving it a configured domain. To determine if the server is up, the ACE must receive the configured IP address for that domain. ECHO-TCP Sends a string to the server and compares the response with the original string. If the response string matches the original, the server is marked as passed. If not, the ACE retries as configured before the server is marked as failed. ECHO-UDP Sends a string to the server and compares the response with the original string. If the response string matches the original, the server is marked as passed. If not, the ACE retries as configured before the server is marked as failed. FINGER Sends a probe to the server to verify that a defined username is a username on the server. 8-52 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring FTP Initiates an FTP session. By default, this probe is for an anonymous login with the option of configuring a user ID and password. The ACE performs an FTP GET or LS to determine the outcome of the problem. This probe supports only active connections. HTTP Sets up a TCP connection and issues an HTTP request. Any valid HTTP response causes the probe to mark the real server as passed. HTTPS Similar to an HTTP probe, but this probe uses SSL to generate encrypted data. ICMP Sends an ICMP request and listens for a response. If the server returns a response, the ACE marks the real server as passed. If there is no response and times out, or an ICMP standard error occurs, such as DESTINATION_UNREACHABLE, the ACE marks the real server as failed. IMAP Initiates an IMAP session, using a configured user ID and password. Then, the probe attempts to retrieve email from the server and validates the result of the probe based on the return codes received from the server. POP Initiates a POP session, using a configured user ID and password. Then, the probe attempts to retrieve email from the server and validates the result of the probe based on the return codes received from the server. RADIUS Connects to a RADIUS server and logs into it to determine if the server is up. RTSP Establishes a TCP connection and sends a request packet to the server. The ACE compares the response with the configured response code to determine whether the probe succeeded. Scripted Executes probes from a configured script to perform health probing. This method allows you to author specific scripts with features not present in standard probes. For ACE appliances, the script probe filename must first be established on the device. SIP-TCP Establishes a TCP connection and sends an OPTIONS request packet to the user agent on the server. The ACE compares the response with the configured response code or expected string, or both, to determine whether the probe has succeeded. If you do not configure an expected status code, any response from the server is marked as failed. SIP-UDP Establishes a UDP connection and sends an OPTIONS request packet to the user agent on the server. The ACE compares the response with the configured response code or expected string, or both, to determine whether the probe has succeeded. If you do not configure an expected status code, any response from the server is marked as failed. SMTP Initiates an SMTP session by logging into the server. SNMP Establishes a UDP connection and sends a maximum of eight SMNP OID queries to probe the server. The ACE weighs and averages the load information that is retrieved and uses it as input to the least-loaded algorithm for load-balancing decisions. If the retrieved value is within the configured threshold, the server is marked as passed. If the threshold is exceeded, the server is marked as failed. TCP Initiates a TCP handshake and expects a response. By default, a successful response causes the probe to mark the server as passed. The probe then sends a FIN to end the session. If the response is not valid, or if there is no response, the probe marks the real server as failed. TELNET Establishes a connection to the real server and verifies that a greeting from the application was received. Table 8-11 Probe Types (continued) Probe Type Description 8-53 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring Step 5 Enter health monitoring general attributes (see Table 8-12). Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Note Click More Settings to access the additional general attributes for the selected probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. UDP Sends a UDP packet to a real server. The probe marks the server as failed only if an ICMP Port Unreachable messages is returned. VM This probe type requires the following: • The ACE appliance or module is using software Version A4(2.0) or a later release. • The ACE is configured with a VM Controller connection (see the “Configuring and Verifying a VM Controller Connection” section on page 8-29). Sends a probe to the VMware VM Controller to determine the average amount of both CPU and memory usage of its associated local VMs. The probe response determines whether the ACE load-balances traffic to the local VMs only or bursts traffic to the remote VMs due to high usage of the local VMs. Note You use a VM probe when you configure the ACE for Dynamic Workload Scaling (see the “Configuring Dynamic Workload Scaling” section on page 8-26). Table 8-11 Probe Types (continued) Probe Type Description Table 8-12 Health Monitoring General Attributes Field Action Description Description for this probe. Valid entries are unquoted alphanumeric text strings with no spaces and a maximum of 240 characters. Probe Interval (Seconds) Number of seconds that the ACE is to wait before sending another probe to a server marked as passed. Valid entries are from 2 to 65535 for all probe types except the VM probe, which has a range from 300 to 65535. The default values are as follows: • ACE appliance (all software versions)—Default is 15 seconds for all probe types except the VM probe, which has a default of 300 seconds. • ACE module: – Software Version A4(1.0) and later—Default is 15 seconds for all probe types except the VM probe, which has a default of 300 seconds. – All software versions before A4(1.0)—Default is 120 seconds. Note The VM probe type requires ACE software Version A4(2.0) or later on either device type. 8-54 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring Pass Detect Interval (Seconds) Number of seconds that the ACE is to wait before sending another probe to a server marked as failed. Valid entries are from 2 to 65535. The default values are as follows: • ACE appliance (all software versions)—Default is 60 seconds. • ACE module: – Software Version A4(1.0) and later—Default is 60 seconds. – All software versions before A4(1.0)—Default is 300 seconds. Note This field is not applicable for the VM probe type. Fail Detect Consecutive number of times that an ACE must detect that probes have failed to contact a server before marking the server as failed. Valid entries are from 1 to 65535. The default is 3. Note This field is not applicable for the VM probe type. More Settings (Not applicable for the VM probe type) Pass Detect Count Number of successful probe responses from the server before the server is marked as passed. Valid entries are from 1 to 65535. The default is 3. Receive Timeout (Seconds) Number of seconds that the ACE is to wait for a response from a server that has been probed before marking the server as failed. Valid entries are from 1 to 65535. The default is 10. Destination IPv4/IPv6 Address1 The IPv6 option requires ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. Preferred destination IP address. By default, the probe uses the IP address from the real or virtual server configuration for the destination IP address. To override the destination address that the probe uses, enter the preferred destination IP address in this field. Note The following probes support IPv6 destination addresses: DNS, HTTP, HTTPS, ICMP, TCP, and UDP. Note When you assign a probe to a real server, they must be configured with the same IP address type (IPv6 or IPv4). Is Routed 2 Check box that indicates that the destination IP address is routed according to the ACE internal routing table. Uncheck the check box to indicate that the destination IP address is not routed according to the ACE internal routing table. Port By default, the precedence in which the probe inherits the port number is as follows: • The port number that you configure for the probe. • The configured port number from the real server in server farm. • The configured port number from the VIP in a Layer 3 and Layer 4 class map. • The default port number. Table 8-13 lists the default port number for each probe type. If you explicitly configure a default port, the ACE always sends the probe to the default port. The probe does not dynamically inherit the port number from the real server in a server farm or from the VIP specified in the class map. Table 8-12 Health Monitoring General Attributes (continued) Field Action 8-55 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring Step 6 Enter the attributes for the specific probe type selected as follows: • For DNS probes, see Table 8-14. • For Echo-TCP probes, see Table 8-15. • For Echo-UDP probes, see Table 8-16. • For Finger probes, see Table 8-17. • For FTP probes, see Table 8-18. • For HTTP probes, see Table 8-19. • For HTTPS probes, see Table 8-20. • There are no specific attributes for ICMP probes. • For IMAP probes, see Table 8-21. • For POP probes, see Table 8-22. • For RADIUS probes, see Table 8-23. • For RTSP probes, see Table 8-24. 1. The Dest IP Address field is not applicable to the Scripted probe type. 2. The Is Routed field is not applicable to the RTSP, Scripted, SIP-TCP, and SIP-UDP probe types. Table 8-13 Default Port Numbers for Probe Types Probe Type Default Port Number DNS 53 Echo 7 Finger 79 FTP 21 HTTP 80 HTTPS 443 ICMP Not applicable IMAP 143 POP3 110 RADIUS 1812 RTSP 554 Scripted 1 SIP (both TCP and UDP) 5060 SMTP 25 SNMP 161 Telnet 23 TCP 80 UDP 53 VM 443 8-56 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring • For Scripted probes, see Table 8-25. • For SIP-TCP probes, see Table 8-26. • For SIP-UDP probes, see Table 8-27. • For SMTP probes, see Table 8-28. • For SNMP probes, see Table 8-29. • For TCP probes, see Table 8-30. • For Telnet probes, see Table 8-31. • For UDP probes, see Table 8-32. • For VM probes, see Table 8-33. Step 7 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the Health Monitoring table. • Click Next to deploy your entries and to configure another probe. Step 8 (Optional) To display statistics and status information for a particular probe, choose the probe from the Health Monitoring table, and click Details. The show probe name detail CLI command output appears. See the “Displaying Health Monitoring Statistics and Status Information” section on page 8-77 for details. Related Topics • Configuring DNS Probe Expect Addresses, page 8-73 • Configuring Headers for HTTP and HTTPS Probes, page 8-74 • Configuring Health Monitoring Expect Status, page 8-74 • Displaying Health Monitoring Statistics and Status Information, page 8-77 • Configuring Real Servers, page 8-5 • Configuring Server Farms, page 8-30 • Configuring Sticky Groups, page 9-7 Configuring Probe Attributes You can configure health monitoring probe-specific attributes. This section includes the following topics: • DNS Probe Attributes, page 8-57 • Echo-TCP Probe Attributes, page 8-58 • Echo-UDP Probe Attributes, page 8-58 • Finger Probe Attributes, page 8-58 • FTP Probe Attributes, page 8-59 8-57 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring • HTTP Probe Attributes, page 8-60 • HTTPS Probe Attributes, page 8-61 • IMAP Probe Attributes, page 8-63 • POP Probe Attributes, page 8-64 • RADIUS Probe Attributes, page 8-65 • RTSP Probe Attributes, page 8-65 • Scripted Probe Attributes, page 8-66 • SIP-TCP Probe Attributes, page 8-67 • SIP-UDP Probe Attributes, page 8-68 • SMTP Probe Attributes, page 8-69 • SNMP Probe Attributes, page 8-69 • TCP Probe Attributes, page 8-70 • Telnet Probe Attributes, page 8-70 • UDP Probe Attributes, page 8-71 • VM Probe Attributes, page 8-72 Refer to the following topics for additional configuration options for health-monitoring probes: • Configuring DNS Probe Expect Addresses, page 8-73 • Configuring Headers for HTTP and HTTPS Probes, page 8-74 • Configuring Health Monitoring Expect Status, page 8-74 • Configuring an OID for SNMP Probes, page 8-76 • Displaying Health Monitoring Statistics and Status Information, page 8-77 DNS Probe Attributes Table 8-14 lists the DNS probe attributes. Note Click More Settings to access the additional attributes for the DNS probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. To configure expect addresses for DNS probes, see the “Configuring DNS Probe Expect Addresses” section on page 8-73. Table 8-14 DNS Probe Attributes Field Action Domain Name Domain name that the probe is to send to the DNS server. Valid entries are unquoted text strings with a maximum of 255 characters. More Settings Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. 8-58 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring Echo-TCP Probe Attributes Table 8-15 lists the Echo-TCP probe attributes. Note Click More Settings to access the additional attributes for the Echo-TCP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. Echo-UDP Probe Attributes Table 8-16 lists the Echo-UDP probe attributes. Note Click More Settings to access the additional attributes for the Echo-UDP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. Finger Probe Attributes Table 8-17 lists the Finger probe attributes. Note Click More Settings to access the additional attributes for the Finger probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. Table 8-15 Echo-TCP Probe Attributes Field Action Send Data ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters. More Settings TCP Connection Termination Check box that when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST. Open Timeout (Seconds) Number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535. The default is as follows: • For ACE module version A2(3.x) and earlier, the default is 10 seconds. • For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second. Table 8-16 Echo-UDP Probe Attributes Field Action Send Data ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters. More Settings Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. 8-59 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring FTP Probe Attributes Table 8-18 lists the FTP probe attributes. Note Click More Settings to access the additional attributes for the FTP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. To configure probe expect statuses for FTP probes, see the “Configuring Health Monitoring Expect Status” section on page 8-74. Table 8-17 Finger Probe Attributes Field Action Send Data ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters. More Settings Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. TCP Connection Termination Check box that when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST. Open Timeout (Seconds) Number of seconds to wait when opening a connection with a real server. Valid entries are from 1 to 65535. The default is as follows: • For ACE module version A2(3.x) and earlier, the default is 10 seconds. • For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second. Table 8-18 FTP Probe Attributes Field Action More Settings Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. TCP Connection Termination Check box that when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST. Open Timeout (Seconds) Number of seconds to wait when opening a connection with a real server. Valid entries are integers from 1 to 65535. The default is as follows: • For ACE module version A2(3.x) and earlier, the default is 10 seconds. • For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second. 8-60 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring HTTP Probe Attributes Table 8-19 lists the HTTP probe attributes. Note Click More Settings to access the additional attributes for the HTTP probe type. By default, ANM hides the probe attributes with default values and the probe attributes which are not commonly used. Table 8-19 HTTP Probe Attributes Field Action Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. Request Method Type Type of HTTP request method that is to be used for this probe. Choose one of the following: • N/A—This option is not defined. • Get—The HTTP request method is a GET with a URL of “/”. This request method directs the server to get the page, and the ACE calculates a hash value for the content of the page. If the page content information changes, the hash value no longer matches the original hash value and the ACE assumes the service is down. This is the default request method. • Head—The server is to only get the header for the page. Using this method can prevent the ACE from assuming that the service is down due to changed content and therefore changed hash values. Request HTTP URL Field that appears if you chose Head or Get in the Request Method Type field. Enter the URL path on the remote server. Valid entries are strings of up to 255 characters specifying the URL path. The default path is “/”. More Settings Append Port Host Tag Check box that when checked, configures the ACE to append port information in the HTTP Host header when you configure a nondefault destination port for an HTTP probe. By default, the check box is unchecked and the ACE does not append this information. Note This feature requires ACE module software Version A2(3.4) and ACE appliance software Version A3(2.7) or later releases. TCP Connection Termination Check box that when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST. Open Timeout (Seconds) Number of seconds to wait when opening a connection with a real server. Valid entries are from 1 to 65535. The default is as follows: • For ACE module software Version A2(3.x) and earlier, the default is 10 seconds. • For ACE module software Version A4(1.0) and later or ACE appliance software Version A3(1.x) and later, the default is 1 second. User Name User identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. 8-61 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring To configure probe headers and expect statuses for HTTP probes, see the following topics: • Configuring Headers for HTTP and HTTPS Probes, page 8-74 • Configuring Health Monitoring Expect Status, page 8-74 HTTPS Probe Attributes Table 8-20 lists the HTTPS probe attributes. Note Click More Settings to access the additional attributes for the HTTPS probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. Password Password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field. Expect Regular Expression Expected response data from the probe destination. Valid entries are text strings (quotes allowed) with a maximum of 255 characters. Expect Regex Offset Number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Valid entries are from 1 to 4000. Hash Check box that when checked, configures the ACE to use an MD5 hash for an HTTP GET probe. Uncheck the check box to configure the ACE not to use an MD5 hash for an HTTP GET probe. Hash String Field that appears if the Hash check box is selected. Enter the 32-bit hash value that the ACE is to compare with the hash that is generated from the HTTP page sent by the server. If you do not provide this value, the ACE generates a value the first time it queries the server, stores this value, and matches this value with other responses from the server. A successful comparison causes the probe to maintain an Alive state. Enter the MD5 hash value as a quoted or unquoted hexadecimal string with 16 characters. Table 8-19 HTTP Probe Attributes (continued) Field Action 8-62 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring Table 8-20 HTTPS Probe Attributes Field Action Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. Request Method Type Type of HTTP request method that is to be used for this probe. Choose one of the following: • N/A—This option is not defined. • Get—The HTTP request method is a GET with a URL of “/”. This request method directs the server to get the page, and the ACE calculates a hash value for the content of the page. If the page content information changes, the hash value no longer matches the original hash value and the ACE assumes the service is down. This is the default request method. • Head—The server is to only get the header for the page. Using this method can prevent the ACE from assuming that the service is down due to changed content and as a result changed hash values. Request HTTP URL Field that appears if you chose Head or Get in the Request Method Type field. Enter the URL path on the remote server. Valid entries are strings of up to 255 characters specifying the URL path. The default path is “/’. Cipher Choose the cipher suite to be used with this HTTPS probe: • RSA_ANY—The HTTPS probe accepts all RSA-configured cipher suites and that no specific suite is configured. This is the default action. • RSA_EXPORT1024_WITH_DES_CBC_SHA • RSA_EXPORT1024_WITH_RC4_56_MD5 • RSA_EXPORT1024_WITH_RC4_56_SHA • RSA_EXPORT_WITH_DES40_CBC_SHA • RSA_EXPORT_WITH_RC4_40_MD5 • RSA_WITH_3DES_EDE_CBC_SHA • RSA_WITH_AES_128_CBC_SHA • RSA_WITH_AES_256_CBC_SHA • RSA_WITH_DES_CBC_SHA • RSA_WITH_RC4_128_MD5 • RSA_WITH_RC4_128_SHA SSL Version Version of SSL or TLS to be used in ClientHello messages sent to the server as follows: • All—The probe is to use all SSL versions. • SSLv3—The probe is to use SSL version 3. • TLSv1—The probe is to use TLS version 1. By default, the probe sends ClientHello messages with an SSL version 3 header and a TLS version 1 message. More Settings 8-63 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring To configure probe headers and expect statuses for HTTPS probes, see the following topics: • Configuring Headers for HTTP and HTTPS Probes, page 8-74 • Configuring Health Monitoring Expect Status, page 8-74 IMAP Probe Attributes Table 8-21 lists the IMAP probe attributes. Append Port Host Tag Check box that when checked, configures the ACE to append port information in the HTTPS Host header when you configure a nondefault destination port for an HTTPS probe. By default, the check box is unchecked and the ACE does not append this information. Note This feature requires ACE module software Version A2(3.4) and ACE appliance software Version A3(2.7) or later releases. TCP Connection Termination Check box that when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST. Open Timeout (Seconds) Number of seconds to wait when opening a connection with a real server. Valid entries are from 1 to 65535. The default is as follows: • For ACE module version A2(3.x) and earlier, the default is 10 seconds. • For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second. User Name User identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Password Password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field. Expect Regular Expression Expected response data from the probe destination. Valid entries are text strings (quotes allowed) with a maximum of 255 characters. Expect Regex Offset Number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Value entries are from 1 to 4000. Hash Check box that when checked, configures the ACE to use an MD5 hash for an HTTP GET probe. Uncheck the check box to configure the ACE not to use an MD5 hash for an HTTP GET probe. Hash String Field that appears if the Hash check box is selected. Enter the 32-bit hash value that the ACE is to compare with the hash that is generated from the HTTP page sent by the server. If you do not provide this value, the ACE generates a value the first time it queries the server, stores this value, and matches this value with other responses from the server. A successful comparison causes the probe to maintain an Alive state. Enter the MD5 hash value as a quoted or unquoted hexadecimal string with 16 characters. Table 8-20 HTTPS Probe Attributes (continued) Field Action 8-64 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring Note Click More Settings to access the additional attributes for the IMAP probe type. By default, ANM hides the probe attributes with default values and the probe attributes are not commonly used. POP Probe Attributes Table 8-22 lists the POP probe attributes. Note Click More Settings to access the additional attributes for the POP probe type. By default, ANM hides the probe attributes with default values and the probe attributes which are not commonly used. Table 8-21 IMAP Probe Attributes Field Action User Name User identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Password Password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field. Mailbox Name User mailbox name from which to retrieve email for this IMAP probe. Valid entries are unquoted text strings with a maximum of 64 characters. Request Command Request method command for this probe. Valid entries are text strings with a maximum of 32 characters and no spaces. More Settings Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. TCP Connection Termination Check box that when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST. Open Timeout (Seconds) Number of seconds to wait when opening a connection with a real server. Valid entries are from 1 to 65535. The default is as follows: • For ACE module version A2(3.x) and earlier, the default is 10 seconds. • For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second. Table 8-22 POP Probe Attributes Field Action User Name User identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Password Password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field. 8-65 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring RADIUS Probe Attributes Table 8-23 lists the RADIUS probe attributes. Note Click More Settings to access the additional attributes for the RADIUS probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. RTSP Probe Attributes Table 8-24 lists the RTSP probe attributes. Request Command Request method command for this probe. Valid entries are text strings with a maximum of 32 characters and no spaces. More Settings Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. TCP Connection Termination Check box that when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST. Open Timeout (seconds) Number of seconds to wait when opening a connection with a real server. Valid entries are from 1 to 65535. The default is as follows: • For ACE module version A2(3.x) and earlier, the default is 10 seconds. • For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second. Table 8-22 POP Probe Attributes (continued) Field Action Table 8-23 RADIUS Probe Attributes Field Action User Secret Shared secret to be used to allow probe access to the RADIUS server. Valid entries are case-sensitive strings with no spaces and a maximum of 64 characters. User Name User identifier to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Password Password to be used for authentication on the real server. Valid entries are unquoted text strings with a maximum of 64 characters. Reenter the password in the Confirm field. More Settings Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. NAS IP Address IP address of the Network Access Server (NAS) in dotted-decimal format, such as 192.168.11.1. 8-66 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring Note Click More Settings to access the additional attributes for the RTSP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. To configure probe expect statuses for RTSP probes, see the “Configuring Health Monitoring Expect Status” section on page 8-74. Scripted Probe Attributes Table 8-25 lists the HTTP probe attributes. Note Click More Settings to access the additional attributes for the Scripted probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. Table 8-24 RTSP Probe Attributes Field Action Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. RTSP Require Header Value Require header for the probe. RTSP Proxy Require Header Value Proxy-Require header for the probe. RTSP Request Method Type Request method type: • N/A—No request method is selected. • Describe—Probe is to use the Describe request type. More Settings TCP Connection Termination Check box that when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST. Open Timeout (Seconds) Number of seconds to wait when opening a connection with a real server. Valid entries are from 1 to 65535. The default is as follows: • For ACE module version A2(3.x) and earlier, the default is 10 seconds. • For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second. 8-67 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring SIP-TCP Probe Attributes Table 8-26 lists the SIP-TCP probe attributes. Note Click More Settings to access the additional attributes for the SIP-TCP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. Table 8-25 Scripted Probe Attributes Field Action Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. Script Name Local name that you want to assign to this file on the ACE. This file can reside in the disk0: directory or the probe: directory (if the probe: directory exists). Note The script file must first be established on the ACE device and the name must be entered exactly as is appears on the device. See your ACE documentation for more details. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters. Script Arguments Valid arguments, which are unquoted text strings with no spaces; separate multiple arguments with a space. The field limit is 255 characters. More Settings Script Needs To Be Copied From Remote Location? Check box that indicates that the file needs to be copied from a remote server. Uncheck this check box to indicate that the script resides locally. Protocol Field that appears if the script is to be copied from a remote server. Choose the protocol to be used for copying the script: • FTP—The script is to be copied using FTP. • TFTP—The script is to be copied using TFTP. User Name Field that appears if FTP is selected in the Protocol field. Enter the name of the user account on the remote server. Password Field that appears if FTP is selected in the Protocol field. Enter the password for the user account on the remote server. Reenter the password in the Confirm field. Source File Name Field appears if the script is to be copied from a remote server. Enter the host IP address, path, and filename of the file on the remote server in the format host-ip/path/filename where: • host-ip represents the IP address of the remote server. • path represents the directory path of the file on the remote server. • filename represents the filename of the file on the remote server. For example, your entry might be 192.168.11.2/usr/bin/my-script.ext. 8-68 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring To configure probe expect statuses for SIP-TCP probes, see the “Configuring Health Monitoring Expect Status” section on page 8-74. SIP-UDP Probe Attributes Table 8-27 lists the SIP-UDP probe attributes. Note Click More Settings to access the additional attributes for the SIP-UDP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. Table 8-26 SIP-TCP Probe Attributes Field Action More Settings Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. TCP Connection Termination Check box that when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST. Open Timeout (Seconds) Number of seconds to wait when opening a connection with a real server. Valid entries are from 1 to 65535. The default is as follows • For ACE module version A2(3.x) and earlier, the default is 10 seconds. • For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second. Expect Regular Expression Expected response data from the probe destination. Valid entries are text strings with a maximum of 255 characters. This field accepts both single and double quotes. Double quotes are considered delimiters so they don't appear on the device. Single quotes will appear on the device. Expect Regex Offset Number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Value entries are from 1 to 4000. Table 8-27 SIP-UDP Probe Attributes Field Action More Settings Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. Expect Regular Expression Expected response data from the probe destination. Valid entries are text strings with a maximum of 255 characters. This field accepts both single and double quotes. Double quotes are considered delimiters so they don't appear on the device. Single quotes will appear on the device. Expect Regex Offset Number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Value entries are from 1 to 4000. 8-69 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring To configure probe expect statuses for SIP-UDP probes, see the “Configuring Health Monitoring Expect Status” section on page 8-74. SMTP Probe Attributes Table 8-28 lists the SMTP probe attributes. Note Click More Settings to access the additional attributes for the SMTP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. To configure probe expect statuses for SMTP probes, see the “Configuring Health Monitoring Expect Status” section on page 8-74. SNMP Probe Attributes Table 8-29 lists the SNMP probe attributes. Note Click More Settings to access the additional attributes for the SNMP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. Table 8-28 SMTP Probe Attributes Field Action More Settings Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. TCP Connection Termination Check box that when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST. Open Timeout (Seconds) Number of seconds to wait when opening a connection with a real server. Valid entries are from 1 to 65535. The default is as follows: • For ACE module version A2(3.x) and earlier, the default is 10 seconds. • For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second. Table 8-29 SNMP Probe Attributes Field Action SNMP Community SNMP community string. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters. More Settings 8-70 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring To configure the SNMP OID for SNMP probes, see the “Configuring an OID for SNMP Probes” section on page 8-76. TCP Probe Attributes Table 8-30 lists the TCP probe attributes. Note Click More Settings to access the additional attributes for the TCP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. Telnet Probe Attributes Table 8-31 lists the Telnet probe attributes. Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. SNMP Version SNMP version for the probe: • N/A—No version is selected. • SNMPv1—This probe is to use SNMP version 1. • SNMPv2c—This probe is to use SNMP version 2c. Table 8-29 SNMP Probe Attributes (continued) Field Action Table 8-30 TCP Probe Attributes Field Action Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. Send Data ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters. More Settings TCP Connection Termination Check box that when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST. Open Timeout (Seconds) Number of seconds to wait when opening a connection with a real server. Valid entries are from 1 to 65535. The default is as follows: • For ACE module version A2(3.x) and earlier, the default is 10 seconds. • For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second. Expect Regular Expression Expected response data from the probe destination. Valid entries are text strings (quotes allowed) with a maximum of 255 characters. Expect Regex Offset Number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Value entries are from 1 to 4000. 8-71 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring Note Click More Settings to access the additional attributes for the Telnet probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. UDP Probe Attributes Table 8-32 lists the UDP probe attributes. Note Click More Settings to access the additional attributes for the UDP probe type. By default, ANM hides the probe attributes with default values and the probe attributes that are not commonly used. Table 8-31 Telnet Probe Attributes Field Action More Settings Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. TCP Connection Termination Check box that when checked, configures the ACE to terminate TCP connections gracefully by sending a FIN to the server. Uncheck the check box to configure the ACE to terminate a TCP connection by sending an RST. Open Timeout (Seconds) Enter the number of seconds to wait when opening a connection with a real server. Valid entries are from 1 to 65535. The default is as follows: • For ACE module version A2(3.x) and earlier, the default is 10 seconds. • For ACE module version A4(1.0) and later or ACE appliance version A3(1.x) and later, the default is 1 second. Table 8-32 UDP Probe Attributes Field Action Port Enter the port number that the probe is to use. By default, the probe uses port inheritance to determine the port number. For more information, see the general attribute Port field description. Send Data ASCII data that the probe is to send to the server. Valid entries are unquoted text strings with no spaces and a maximum of 255 characters. More Settings Expect Regular Expression Expected response data from the probe destination. Valid entries are text strings (quotes allowed) with a maximum of 255 characters. Expect Regex Offset Number of characters into the received message or buffer where the ACE is to begin looking for the string specified in the Expect Regular Expression field. Value entries are from 1 to 4000. 8-72 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring VM Probe Attributes Note You use a VM probe when you configure the ACE for Dynamic Workload Scaling (see the “Configuring Dynamic Workload Scaling” section on page 8-26), which requires that the ACE appliance or module is using software Version A4(2.0) or a later release. You configure the VM probe attributes to control when the ACE bursts traffic to remote VMs based on an average of local VM CPU usage, memory usage, or both. The ACE obtains the usage information by sending the VM probe to the specified VM Controller associated with the local VMs (see Figure 1-1). It calculates the average aggregate load information for all local VMs as a percentage of CPU usage or memory usage and uses either or both percentages to determine when to burst traffic to the remote data center. If the server farm consists of both physical servers and VMs, the ACE considers load information only from the VMs. By default, the VM probe checks the percentage of usage for either the CPU or memory against the maximum threshold value. Whichever percentage reaches its maximum threshold value first causes the ACE to burst traffic to the remote data center. The default maximum burst threshold value of 99 percent instructs the ACE to always load balance traffic to the local VMs unless the load value is equal to 100 percent or the VMs are not in the Operational state. If you configure the maximum burst threshold value to 1 percent, the ACE always bursts traffic to the remote data center. When the usage percentage is less than the minimum threshold value, the ACE stops bursting traffic to the remote data center and continues to load balance traffic to the local VMs. Any active connections to the remote data center are allowed to complete. Table 8-33 lists the VM probe attributes. To associate the VM probe with a server farm, see the “Configuring Server Farms” section on page 8-30. Related Topics • Configuring Dynamic Workload Scaling, page 8-26 • Configuring Server Farms, page 8-30 • Dynamic Workload Scaling Overview, page 8-4 Table 8-33 VM Probe Attributes Field Action Max CPU Burst Threshold Percentage of CPU usage by the local VMs at which the ACE begins to burst traffic to the remote VMs. Enter a value from 1 to 99. The default is 99. Min CPU Burst Threshold Percentage of CPU usage by the local VMs below which the ACE stops bursting traffic to the remote VMs. Enter a value from 1 to 99. The default is 99. Max Memory Burst Threshold Percentage of memory usage by the local VMs at which the ACE begins to burst traffic to the remote VMs. Enter a value from 1 to 99. The default is 99. Min Memory Burst Threshold Percentage of memory usage by the local VMs below which the ACE stops bursting traffic to the remote VMs. Enter a value from 1 to 99. The default is 99. VM Controller Name Identifier of the VM Controller that is associated with the local VMs and that you configured in the “Configuring and Verifying a VM Controller Connection” section on page 8-29. Click the radio button for the VM Controller. 8-73 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring Configuring DNS Probe Expect Addresses You can specify the IP address that the ACE expects to receive in response to a DNS request. When a DNS probe sends a domain name resolve request to the server, it verifies the returned IP address by matching the received IP address with the configured addresses. Assumption A DNS probe has been configured. See the “Configuring Health Monitoring for Real Servers” section on page 8-51 for more information. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Health Monitoring. The Health Monitoring table appears. Step 2 In the Health Monitoring table, choose the DNS probe that you want to configure with an expected IP address. The Expect Addresses table appears. Step 3 In the Expect Addresses table, click Add to add an entry to the Expect Addresses table. The Expect Address configuration pane appears. Note You cannot modify an entry in the Expect Addresses table. Instead, delete the existing entry, then add a new one. Step 4 In the IPv4/IPv6 Address field, enter the IP address that the ACE appliance is to expect as a server response to a DNS request. You can enter multiple addresses in this field. However, you cannot mix IPv4 and IPv6 addresses. Note IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Step 5 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entry and to return to the Expect Addresses table. • Click Next to deploy your entry and to add another IP Address to the Expect Addresses table. Related Topics • Configuring Health Monitoring for Real Servers, page 8-51 • DNS Probe Attributes, page 8-57 • Displaying Health Monitoring Statistics and Status Information, page 8-77 8-74 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring Configuring Headers for HTTP and HTTPS Probes You can specify header fields for HTTP and HTTPS probes. Assumption An HTTP or HTTPS probe has been configured. See the “Configuring Health Monitoring for Real Servers” section on page 8-51 for more information. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Health Monitoring. The Health Monitoring table appears. Step 2 In the Health Monitoring table, choose the HTTP or HTTPS probe that you want to configure with a header. The Probe Headers table appears. Step 3 In the Probe Headers table, click Add to add an entry, or choose an existing entry and click Edit to modify it. The Probe Headers configuration pane appears. Step 4 In the Header Name field of the Probe Headers configuration pane, choose the HTTP header the probe is to use. Step 5 In the Header Value field, enter the string to assign to the header field. Valid entries are text strings with a maximum of 255 characters. If the string includes spaces, enclose the string with quotes. Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entry and to return to the Probe Headers table. • Click Next to deploy your entry and to add another header entry to the Probe Headers table. Related Topics • Configuring Health Monitoring for Real Servers, page 8-51 • HTTP Probe Attributes, page 8-60 • HTTPS Probe Attributes, page 8-61 • Displaying Health Monitoring Statistics and Status Information, page 8-77 Configuring Health Monitoring Expect Status You can configure a single or range of code responses that the ACE expects from the probe destination. When the ACE receives a response from the server, it expects a status code to mark a server as passed. By default, there are no status codes configured on the ACE. If you do not configure a status code, any response code from the server is marked as failed. 8-75 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring Expect status codes can be configured for FTP, HTTP, HTTPS, RTSP, SIP-TCP, SIP-UDP, and SMTP probes. Assumption An FTP, HTTP, HTTPS, RTSP, SIP-TCP, SIP-UDP or SMTP probe has been configured. See the “Configuring Health Monitoring for Real Servers” section on page 8-51 for more information. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Health Monitoring. The Health Monitoring table appears. Step 2 In the Health Monitoring table, choose the probe that you want to configure for expect status codes, and click the Expect Status tab. The Expect Status table appears. Step 3 In the Expect Status table, click Add to add an entry, or select an existing entry and click Edit to modify it. The Expect Status configuration pane appears. Step 4 In the Expect Status configuration pane, configure a single expect status code as follows: a. In the Min. Expect Status Code field, enter the expect status code for this probe. Valid entries are from 0 to 999. b. In the Max. Expect Status code, enter the same expect status code that you entered in the Min Expect Status Code field. Step 5 In the Expect Status configuration pane, configure a range of expect status codes as follows: a. In the Min. Expect Status Code, enter the lower limit of the range of status codes. Valid entries are from 0 to 999. b. In the Max. Expect Status Code, enter the upper limit of a range of status codes. Valid entries are from 0 to 999. The value in this field must be greater than or equal to the value in the Min Expect Status Code field. Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the Expect Status table. • Click Next to deploy your entries and to add another expect status code to the Expect Status table. Related Topics • Configuring Health Monitoring for Real Servers, page 8-51 • FTP Probe Attributes, page 8-59 • HTTP Probe Attributes, page 8-60 • SMTP Probe Attributes, page 8-69 • Displaying Health Monitoring Statistics and Status Information, page 8-77 8-76 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Health Monitoring Configuring an OID for SNMP Probes You can configure OID queries to probe the server. When the ACE sends a probe with an SNMP OID query, the ACE uses the retrieved value as input to the least-loaded algorithm for load-balancing decisions. Least-loaded load balancing bases the server selection on the server with the lowest load value. If the retrieved value is within the configured threshold, the server is marked as passed. If the threshold is exceeded, the server is marked as failed. The ACE allows a maximum of eight OID queries to probe the server. Assumption An SNMP probe has been configured. See the “Configuring Health Monitoring for Real Servers” section on page 8-51 for more information. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Health Monitoring. The Health Monitoring table appears. Step 2 In the Health Monitoring table, choose the SNMP probe for which you want to specify an OID. The SNMP OID for Server Load Query table appears. Step 3 In the SNMP OID for Server Load Query table, click Add to add an entry, or choose an existing entry and click Edit to modify it. The SNMP OID configuration pane appears. Step 4 In the SNMP OID field of the SNMP OID configuration pane, enter the OID that the probe is to use to query the server for a value. Valid entries are unquoted strings with a maximum of 255 alphanumeric characters in dotted-decimal notation, such as .1.3.6.1.4.2021.10.1.3.1. The OID string is based on the server type. Step 5 In the Max. Absolute Server Load Value field, enter the OID value in the form of an integer and to indicate that the retrieved OID value is an absolute value instead of a percent. Valid entries are from 1 to 4294967295. When the ACE sends a probe with an SNMP OID query, the ACE uses the retrieved value as input to the least-loaded algorithm for load-balancing decisions. By default, the ACE assumes that the retrieved OID value is a percentile value. Use this option to specify that the retrieved OID value is an absolute value. Step 6 In the Server Load Threshold Value field, specify the threshold at which the server is to be taken out of service as follows: • When the OID value is based on a percent, valid entries are integers from 1 to 100. • When the OID is based on an absolute value, valid entries are from 1 to the value specified in the Maximum Absolute Server Load Value field. Step 7 In the Server Load Weighting field, enter the weight to assign to this OID for the SNMP probe. Valid entries are from 0 to 16000. Step 8 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the SNMP OID table. 8-77 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Secure KAL-AP • Click Next to deploy your entries and to add another item to the SNMP OID table. Related Topics • Configuring Health Monitoring for Real Servers, page 8-51 • SNMP Probe Attributes, page 8-69 • Displaying Health Monitoring Statistics and Status Information, page 8-77 Displaying Health Monitoring Statistics and Status Information You can display statistics and status information for a particular probe. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Health Monitoring. The Health Monitoring table appears. Step 2 In the Health Monitoring table, choose a probe from the Health Monitoring table, and click Details. The show probe name detail CLI command output appears. For details on the displayed output fields, see the Cisco ACE Module Server Load-Balancing Configuration Guide or the Cisco ACE 4700 Series Appliance Server Load-Balancing Configuration Guide, Chapter 4, Configuring Health Monitoring. Note For a DNS probe, the detailed probe results always identify a default DNS domain of www.Cisco.com. Step 3 Click Update Details to refresh the output for the show probe name detail CLI command. Step 4 Click Close to return to the Health Monitoring table. Related Topics • Configuring Health Monitoring for Real Servers, page 8-51 Configuring Secure KAL-AP You can configure a secure keepalive-appliance protocol (KAL-AP) associated with a virtual context. A KAL-AP on the ACE enables communication between the ACE and a Global Site Selector (GSS), which sends KAL-AP requests to report the server states and loads for global-server load-balancing (GSLB) decisions. The ACE uses KAL-AP through a UDP connection to calculate weights and provide information for server availability to the KAL-AP device. The ACE acts as a server and listens for KAL-AP requests. When KAL-AP is initialized on the ACE, the ACE listens on the standard 5002 port for any KAL-AP requests. You cannot configure any other port. The ACE supports secure KAL-AP for MD5 encryption of data between it and the GSS. For encryption, you must configure a shared secret as a key for authentication between the GSS and the ACE context. 8-78 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 8 Configuring Real Servers and Server Farms Configuring Secure KAL-AP Assumptions This topic assumes the following: • You have created a virtual context that specifies the Keepalive Appliance Protocol over UDP. • You have enabled KAL-AP on the ACE by configuring a management class map and policy map, and apply it to the appropriate interface. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Secure KAL-AP. The Secure KAL-AP table appears. Step 2 In the Secure KAL-AP table, click Add to configure secure KAL-AP for MD5 encryption of data. The Secure KAL-AP configuration window appears. Step 3 In the IP Address field of the Secure KAL-AP configuration window, enable secure KAL-AP by configuring the VIP address for the GSS. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1). Step 4 In the Hash Key field, enter the MD5 encryption method shared secret between the KAL-AP device and the ACE. Enter the shared secret as a case-sensitive string with no spaces and a maximum of 31 alphanumeric characters. The ACE supports the following special characters in a shared secret: , . / = + - ^ @ ! % ~ # $ * ( ) Step 5 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The ACE validates the secure KAL-AP configuration and deploys it. • Click Cancel to exit this procedure without accepting your entries and to return to the Secure KAL-AP table. • Click Next to accept your entries. Related Topics • Creating Virtual Contexts, page 6-2 • Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 14-12 CHAPTER 9-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 9 Configuring Stickiness Date: 3/28/12 This chapter describes how to configure stickiness on the Cisco Application Control Engine (ACE) using Cisco Application Networking Manager (ANM). Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This chapter includes the following sections: • Information About Stickiness, page 9-1 • Sticky Types, page 9-2 • Sticky Groups, page 9-6 • Sticky Table, page 9-6 • Configuring Sticky Groups, page 9-7 Information About Stickiness When customers visit an e-commerce site, they usually start out browsing the site. The site may require that the client become “stuck” to one server once the connection is established, or once client starts to build a shopping cart. In either case, once the client adds items to the shopping cart, it is important that all of the client requests get directed to the same server so that all the items are contained in one shopping cart on one server. An instance of a customer’s shopping cart is typically local to a particular web server and is not duplicated across multiple servers. E-commerce applications are not the only types of applications that require stickiness. Any web application that maintains client information may require stickiness, such as banking applications or online trading. Other uses include FTP and HTTP file transfers. 9-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Sticky Types Stickiness allows the same client to maintain multiple simultaneous or subsequent TCP or IP connections with the same real server for the duration of a session. A session is series of transactions between a client and a server over some finite period of time (from several minutes to several hours). This feature is particularly useful for e-commerce applications where a client needs to maintain multiple connections with the same server while shopping online, especially while building a shopping cart and during the checkout process. Depending on the configured SLB policy, the ACE sticks a client to an appropriate server after the ACE has determined which load-balancing method to use. If the ACE determines that a client is already stuck to a particular server, then the ACE sends that client request to that server, regardless of the load-balancing criteria specified by the matched policy. If the ACE determines that the client is not stuck to a particular server, it applies the normal load-balancing rules to the content request. For information about stickiness, see the following topics: • Sticky Types, page 9-2 • Sticky Groups, page 9-6 • Sticky Table, page 9-6 Related Topics • Configuring Virtual Server Default Layer 7 Load Balancing, page 7-50 • Configuring Sticky Groups, page 9-7 Sticky Types All ACE devices support stickiness based on the following: • HTTP cookies • HTTP headers • IP addresses • HTTP content • Layer 4 payloads • RADIUS attributes • RTSP headers • SIP headers This section includes the following topics: • HTTP Content Stickiness, page 9-3 • HTTP Cookie Stickiness, page 9-3 • HTTP Header Stickiness, page 9-4 • IP Netmask and IPv6 Prefix Stickiness, page 9-4 • Layer 4 Payload Stickiness, page 9-4 • RADIUS Stickiness, page 9-5 • RTSP Header Stickiness, page 9-5 • SIP Header Stickiness, page 9-5 9-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Sticky Types HTTP Content Stickiness HTTP content stickiness allows you to stick a client to a server based on the content of an HTTP packet. You can specify a beginning pattern and ending pattern, the number of bytes to parse, and an offset that specifies how many bytes to ignore from the beginning of the data. Related Topics • Configuring Stickiness, page 9-1 • Sticky Types, page 9-2 • Sticky Groups, page 9-6 • Sticky Table, page 9-6 HTTP Cookie Stickiness Client cookies uniquely identify clients to the ACE and the servers that provide content. A cookie is a small data structure within the HTTP header that is used by a server to deliver data to a web client and request that the client store the information. In certain applications, the client returns the information to the server to maintain the connection state or persistence between the client and the server. When the ACE examines a request for content and determines through policy matching that the content is sticky, it examines any cookie or URL present in the content request. The ACE uses the information in the cookie or URL to direct the content request to the appropriate server. The ACE supports the following types of cookie stickiness: • Dynamic cookie learning You can configure the ACE to look for a specific cookie name and automatically learn its value either from the client request HTTP header or from the server Set-Cookie message in the server response. Dynamic cookie learning is useful when dealing with applications that store more than just the session ID or user ID within the same cookie. Only very specific bytes of the cookie value are relevant to stickiness. By default, the ACE learns the entire cookie value. You can optionally specify an offset and length to instruct the ACE to learn only a portion of the cookie value. Alternatively, you can specify a secondary cookie value that appears in the URL string in the HTTP request. This option instructs the ACE to search for (and eventually learn or stick to) the cookie information as part of the URL. URL learning is useful with applications that insert cookie information as part of the HTTP URL. In some cases, you can use this feature to work around clients that reject cookies. • Cookie insert The ACE inserts the cookie on behalf of the server upon the return request, so that the ACE can perform cookie stickiness even when the servers are not configured to set cookies. The cookie contains information that the ACE uses to ensure persistence to a specific real server. Related Topics • Configuring Stickiness, page 9-1 • Sticky Types, page 9-2 • Sticky Groups, page 9-6 • Sticky Table, page 9-6 9-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Sticky Types HTTP Header Stickiness You can use HTTP-header information to provide stickiness. With HTTP header stickiness, you can specify a header offset to provide stickiness based on a unique portion of the HTTP header. Related Topics • Configuring Stickiness, page 9-1 • Sticky Types, page 9-2 • Sticky Groups, page 9-6 • Sticky Table, page 9-6 IP Netmask and IPv6 Prefix Stickiness You can use the source IP address, the destination IP address, or both to uniquely identify individual clients and their requests for stickiness purposes based on their IP netmask or IPv6 prefix. However, if an enterprise or a service provider uses a megaproxy to establish client connections to the Internet, the source IP address no longer is a reliable indicator of the true source of the request. In this case, you can use cookies or one of the other sticky methods to ensure session persistence. Note IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Related Topics • Configuring Stickiness, page 9-1 • Sticky Types, page 9-2 • Sticky Groups, page 9-6 • Sticky Table, page 9-6 Layer 4 Payload Stickiness Layer 4 payload stickiness allows you to stick a client to a server based on the data in Layer 4 frames. You can specify a beginning pattern and ending pattern, the number of bytes to parse, and an offset that specifies how many bytes to ignore from the beginning of the data. Related Topics • Configuring Stickiness, page 9-1 • Sticky Types, page 9-2 • Sticky Groups, page 9-6 • Sticky Table, page 9-6 9-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Sticky Types RADIUS Stickiness RADIUS stickiness can be based on the following RADIUS attributes: • Calling Station ID • Username Related Topics • Configuring Stickiness, page 9-1 • Sticky Types, page 9-2 • Sticky Groups, page 9-6 • Sticky Table, page 9-6 RTSP Header Stickiness Real time streaming protocol (RTSP) stickiness is based on information in the RTSP session header. With RTSP header stickiness, you can specify a header offset to provide stickiness based on a unique portion of the RTSP header. Related Topics • Configuring Stickiness, page 9-1 • Sticky Types, page 9-2 • Sticky Groups, page 9-6 • Sticky Table, page 9-6 SIP Header Stickiness Session initiation protocol (SIP) header stickiness is based on the SIP Call-ID header field. SIP header stickiness requires the entire SIP header, so you cannot specify an offset. Related Topics • Configuring Stickiness, page 9-1 • Sticky Types, page 9-2 • Sticky Groups, page 9-6 • Sticky Table, page 9-6 9-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Sticky Groups Sticky Groups The ACE uses the concept of sticky groups to configure stickiness. A sticky group allows you to specify sticky attributes. After you configure a sticky group and its attributes, you associate the sticky group with a Layer 7 policy-map action in a Layer 7 server load balancing (SLB) policy map.You can create a maximum of 4096 sticky groups in each context. Each sticky group that you configure on the ACE contains a series of parameters that determine the following: • Sticky method • Timeout • Replication • Sticky method-specific attributes Note The context in which you configure a sticky group must be associated with a resource class that allocates a portion of ACE resources to stickiness. See the “Using Resource Classes” section on page 6-43 for information about configuring ACE resources. Related Topics • Configuring Stickiness, page 9-1 • Sticky Types, page 9-2 • Sticky Table, page 9-6 Sticky Table The ACE uses a sticky table to keep track of sticky connections. Table entries are as follows: • Sticky groups • Sticky methods • Sticky connections • Real servers The sticky table can hold a maximum of four million entries (four million simultaneous users). When the table reaches the maximum number of entries, additional sticky connections cause the table to wrap and the first users become unstuck from their respective servers. The ACE uses a configurable timeout mechanism to age out sticky table entries. When an entry times out, it becomes eligible for reuse. High connection rates may cause the premature aging out of sticky entries. In this case, the ACE reuses the entries that are closest to expiration first. Sticky entries can be either dynamic (generated by the ACE on demand) or static (user-configured). When you create a static sticky entry, the ACE places the entry in the sticky table immediately. Static entries remain in the sticky database until you remove them from the configuration. You can create a maximum of 4096 static sticky entries in each context. If the ACE takes a real server out of service for whatever reason (probe failure, no inservice command, or ARP timeout), the ACE removes from the database any sticky entries that are related to that server. 9-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Configuring Sticky Groups Related Topics • Configuring Stickiness, page 9-1 • Sticky Types, page 9-2 • Sticky Groups, page 9-6 Configuring Sticky Groups You can configure sticky groups. Stickiness (or session persistence) is a feature that allows the same client to maintain multiple simultaneous or subsequent TCP connections with the same real server for the duration of a session. A session is a series of transactions between a client and a server over some finite period of time (from several minutes to several hours). This feature is particularly useful for e-commerce applications where a client needs to maintain multiple TCP connections with the same server while shopping online, especially while building a shopping cart and during the checkout process. E-commerce applications are not the only types of applications that require stickiness. Any web application that maintains client information may require stickiness, such as banking applications or online trading. Other uses include FTP and HTTP file transfers. The ACE uses the concept of sticky groups to configure stickiness. A sticky group allows you to specify sticky attributes. After you configure a sticky group and its attributes, you associate the sticky group with a Layer 7 policy-map action in a Layer 7 SLB policy map. Note (Pre ACE version A4(1.0) module or appliance only) The context in which you configure a sticky group must be associated with a resource class that allocates a portion of ACE resources to stickiness. See the “Using Resource Classes” section on page 6-43 for information about configuring ACE resources. Assumption (Pre ACE version A4(1.0) module or appliance only) The context in which you are configuring a sticky group is associated with a resource class that allocates resources to stickiness. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Stickiness. The Sticky Groups table appears. Step 2 In the Sticky Groups table, click Add to add a new sticky group, or choose an existing sticky group that you want to modify and click Edit. Step 3 Configure the sticky group using the information in Table 9-1. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. 9-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Configuring Sticky Groups Table 9-1 Sticky Group Attributes Field Description Group Name Sticky group identifier. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Type Method to be used when establishing sticky connections and to configure any type-specific attributes. The choices are as follows: • HTTP Content—The ACE sticks client connections to the same real server based on a string in the data portion of the HTTP packet. See Table 9-2 for additional configuration options. • HTTP Cookie—The ACE either learns a cookie from the HTTP header of a client request or inserts a cookie in the Set-Cookie header of the response from the server to the client and then uses the learned cookie to provide stickiness between the client and server for the duration of the transaction. See Table 9-3 for additional configuration options. • HTTP Header—The ACE sticks client connections to the same real server based on HTTP headers. See Table 9-4 for additional configuration options. • IP Netmask—The ACE sticks a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IPv4 IP address, the destination IPv4 IP address, or both. You can optionally configure an IPv6 prefix length with this sticky type. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. See Table 9-5 for additional configuration options. Note If an organization uses a megaproxy to load balance client requests across multiple proxy servers when a client connects to the Internet, the source IP address is no longer a reliable indicator of the true source of the request. In this situation, you can use cookies or another sticky method to ensure session persistence. • V6 Prefix—(Option that appears only for ACE module and ACE appliance software Version A5(1.0) or later.) The ACE appliance sticks a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IP address, the destination IP address, or both based on their IPv6 prefix. You can optionally configure an IPv4 netmask with this sticky type. See Table 9-6 for additional configuration options. • Layer 4 Payload—The ACE sticks client connections to the same real server based on a string in the payload portion of the Layer 4 protocol packet. See Table 9-7 for additional configuration options. • RADIUS—The ACE sticks client connections to the same real server based on a RADIUS attribute. See Table 9-8 for additional configuration options. • RTSP Header—The ACE sticks client connections to the same real server based on the RTSP Session header field. See Table 9-9 for additional configuration options. • SIP Header—The ACE sticks client connections to the same real server based on the SIP Call-ID header field. Cookie Name This option appears for sticky type HTTP Cookie. Enter a unique identifier for the cookie. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. 9-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Configuring Sticky Groups Enable Insert This option appears only for sticky type HTTP Cookie. Check this check box if the ACE appliance is to insert a cookie in the Set-Cookie header of the response from the server to the client. This option is useful when you want to use a session cookie for persistence but the server is not currently setting the appropriate cookie. When selected, the ACE appliance selects a cookie value that identifies the original server from which the client received a response. For subsequent connections of the same transaction, the client uses the cookie to stick to the same server. Clear this check box to disable cookie insertion. Browser Expire This option appears for sticky type HTTP Cookie and you select Enable Insert. Check this check box to allow the client's browser to expire a cookie when the session ends. Clear this check box to disable browser expire. Offset (Bytes) This option appears for sticky types HTTP Cookie and HTTP Header. Enter the number of bytes the ACE appliance is to ignore starting with the first byte of the cookie. Valid entries are integers from 0 to 999. The default is 0 (zero), which indicates that the ACE appliance does not exclude any portion of the cookie. Length (Bytes) This option appears for sticky types HTTP Cookie and HTTP Header. Enter the length of the portion of the cookie (starting with the byte after the offset value) that the ACE appliance is to use for sticking the client to the server. Valid entries are integers from 1 to 1000. Secondary Name This option appears only for sticky type HTTP Cookie. Enter an alternate cookie name that is to appear in the URL string of the Web page on the server. The ACE appliance uses this cookie to maintain a sticky connection between a client and a server and adds a secondary entry in the sticky table. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. Header Name This option appears for sticky type HTTP Header. Select the HTTP header to use for sticking client connections. Netmask This option appears only for sticky type IP Netmask. Select the netmask to apply to the source IP address, the destination IP address, or both. IPv4 Netmask This option appears only for sticky type IP Netmask or IPv6 Prefix (IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later). This option is mandatory for the sticky type IP Netmask and optional for the sticky type IPv6 Prefix. Select the netmask to apply to the source IP address, the destination IP address, or both. IPv6 Prefix Length This option appears only for ACE module and ACE appliance software Version A5(1.0) or later and for sticky type IPv6 Prefix or IP Netmask. This option is mandatory for the sticky type IPv Prefix and optional for the sticky type IP Netmask. Enter the IPv6 prefix length to apply to the source IP address, the destination IP address, or both. Table 9-1 Sticky Group Attributes (continued) Field Description 9-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Configuring Sticky Groups Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. To configure sticky statics, see the “Configuring Sticky Statics” section on page 9-15. • Click Cancel to exit the procedure without saving your entries and to return to the Sticky Groups table. • Click Next to deploy your entries and to configure another sticky group. Related Topics • Configuring Sticky Statics, page 9-15 Address Type This option appears only for sticky type IP Netmask or IPv6 Prefix (IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later). Indicate whether this sticky type is to be applied to the client source IP address, the destination IP address, or both: • Both—Indicates that this sticky type is to be applied to both the source IP address and the destination IP address. • Destination—Indicates that this sticky type is to be applied to the destination IP address only. Source—Indicates that this sticky type is to be applied to the source IP address only. Sticky Server Farm Server farm that you want to associate with this sticky group. Backup Server Farm Backup server farm that is associated with this sticky group. If the primary server farm is down, the ACE uses the backup server farm. Aggregate State Field that appears when a server farm and backup server farm are selected. Check box that indicates that the state of the backup server farm is tied to the virtual server state. Uncheck this check box if the backup server farm is not tied to the virtual server state. Sticky Enabled On Backup Server Farm Field that appears when a server farm and backup server farm are selected. Check box that indicates that the backup server farm is sticky. Uncheck this check box if the backup server farm is not sticky. Replicate On HA Peer Check box that indicates that the ACE to replicate sticky table entries on the standby ACE. If a failover occurs and this option is selected, the new active ACE can maintain the existing sticky connections. Uncheck this check box to indicate that the ACE is not to replicate sticky table entries on the standby ACE. Timeout (Minutes) Number of minutes that the ACE keeps the sticky information for a client connection in the sticky table after the latest client connection terminates. Valid entries are from 1 to 65535; the default is 1440 minutes (24 hours). Timeout Active Connections Check box that specifies that the ACE is to time out sticky table entries even if active connections exist after the sticky timer expires. Uncheck this check box to specify that the ACE is not to time out sticky table entries even if active connections exist after the sticky timer expires. This behavior is the default. Table 9-1 Sticky Group Attributes (continued) Field Description 9-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Configuring Sticky Groups • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring Real Servers, page 8-5 • Configuring Server Farms, page 8-30 Sticky Group Attribute Tables This section describes the different sticky group type-specific attributes. Note There are no specific sticky group type-specific attributes for SIP Header. This section includes the following topics: • HTTP Content Sticky Group Attributes, page 9-11 • HTTP Cookie Sticky Group Attributes, page 9-12 • HTTP Header Sticky Group Attributes, page 9-13 • IP Netmask Sticky Group Attributes, page 9-13 • V6 Prefix Sticky Group Attributes, page 9-13 • Layer 4 Payload Sticky Group Attributes, page 9-14 • RADIUS Sticky Group Attributes, page 9-14 • RTSP Header Sticky Group Attributes, page 9-15 HTTP Content Sticky Group Attributes Table 9-2 describes the HTTP content sticky group attributes. Table 9-2 HTTP Content Sticky Group Attributes Field Description HTTP Content Check box that instructs the ACE to use the constant portion of HTTP content to make persistent connections to a specific server. Uncheck the check box to identify specific content for stickiness in the Offset, Length, Begin Pattern, and End Pattern fields. HTTP content may change over time with only a portion remaining constant throughout a transaction between the client and a server. Offset Number of bytes that the virtual server is to ignore starting with the first byte of the cookie. Valid entries are from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not exclude any portion of the cookie. Length (Bytes) Length of the portion of the cookie (starting with the byte after the offset value) that the ACE is to use for sticking the client to the server. Valid entries are from 1 to 1000. 9-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Configuring Sticky Groups HTTP Cookie Sticky Group Attributes Table 9-3 describes the HTTP cookie sticky group attributes. Begin Pattern Beginning pattern of the HTTP content payload and the pattern string to match before hashing. If you do not specify a beginning pattern, the ACE begins parsing immediately after the offset byte. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. You can enter a text string with spaces if you enclose the entire string in quotation marks ("). The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. End Pattern Pattern that marks the end of hashing. If you do not specify an end pattern or a length, the ACE continues to parse the data until it reaches the end of the field or packet, or until it reaches the maximum body parse length. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. You can enter a text string with spaces if you enclose the entire string in quotation marks ("). The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. Table 9-2 HTTP Content Sticky Group Attributes (continued) Field Description Table 9-3 HTTP Cookie Sticky Group Attributes Field Description Cookie Name Unique identifier for the cookie. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Enable Insert Check box that determines if the virtual server is to insert a cookie in the Set-Cookie header of the response from the server to the client. This option is useful when you want to use a session cookie for persistence but the server is not currently setting the appropriate cookie. When selected, the virtual server selects a cookie value that identifies the original server from which the client received a response. For subsequent connections of the same transaction, the client uses the cookie to stick to the same server. Uncheck the check box to disable cookie insertion. Offset Number of bytes that the virtual server is to ignore starting with the first byte of the cookie. Valid entries are from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not exclude any portion of the cookie. Length (Bytes) Length of the portion of the cookie (starting with the byte after the offset value) that the ACE is to use for sticking the client to the server. Valid entries are from 1 to 1000. Secondary Name Alternate cookie name that is to appear in the URL string of the web page on the server. The virtual server uses this cookie to maintain a sticky connection between a client and a server and adds a secondary entry in the sticky table. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. 9-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Configuring Sticky Groups HTTP Header Sticky Group Attributes Table 9-4 describes the HTTP header sticky group attributes. IP Netmask Sticky Group Attributes Table 9-5 describes the IP netmask sticky group attributes. V6 Prefix Sticky Group Attributes Table 9-5 describes the V6 prefix sticky group attributes, which requires ACE module and ACE appliance software Version A5(1.0) or later. Table 9-4 HTTP Header Sticky Group Attributes Field Description Header Name HTTP header to use for sticking client connections. Offset Number of bytes the virtual server is to ignore starting with the first byte of the cookie. Valid entries are from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not exclude any portion of the cookie. Length (Bytes) Length of the portion of the cookie (starting with the byte after the offset value) that the ACE is to use for sticking the client to the server. Valid entries are from 1 to 1000. Table 9-5 IP Netmask Sticky Group Attributes Field Description Netmask Netmask to apply to the source IP address, destination IP address, or both. IPv6 Prefix Length (Optional field that requires ACE module and ACE appliance software Version A5(1.0) or later) IPv6 prefix length to apply to the source IP address, destination IP address, or both. Address Type Address type that the sticky type is to be applied to as follows: • Both—Sticky type is applied to both the source IP address and the destination IP address. • Destination—Sticky type is applied to the destination IP address only. • Source—Sticky type applied to the source IP address only. Table 9-6 IV6 Prefix Sticky Group Attributes Field Description Prefix Length (Field that requires ACE module and ACE appliance software Version A5(1.0) or later) IPv6 prefix length to apply to the source IP address, destination IP address, or both. IPv4 Netmask (Optional) Netmask to apply to the source IP address, destination IP address, or both. Address Type Address type that the sticky type is to be applied to as follows: • Both—Sticky type is applied to both the source IP address and the destination IP address. • Destination—Sticky type is applied to the destination IP address only. • Source—Sticky type applied to the source IP address only. 9-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Configuring Sticky Groups Layer 4 Payload Sticky Group Attributes Table 9-7 describes the Layer 4 payload sticky group attributes. RADIUS Sticky Group Attributes Table 9-8 describes the RADIUS sticky group attributes. Table 9-7 Layer 4 Payload Sticky Group Attributes Field Description Offset Number of bytes the virtual server is to ignore starting with the first byte of the cookie. Valid entries are from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not exclude any portion of the cookie. Length (Bytes) Length of the portion of the cookie (starting with the byte after the offset value) that the ACE is to use for sticking the client to the server. Valid entries are from 1 to 1000. The default is 1000. Begin Pattern Beginning pattern of the Layer 4 payload and the pattern string to match before hashing. If you do not specify a beginning pattern, the ACE begins parsing immediately after the offset byte. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. You can enter a text string with spaces provided that you enclose the entire string in quotation marks ("). The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. End Pattern Pattern that marks the end of hashing. If you do not specify an end pattern or a length, the ACE continues to parse the data until it reaches the end of the field or packet, or until it reaches the maximum body parse length. You cannot configure different beginning and ending patterns for different server farms that are part of the same traffic classification. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. You can enter a text string with spaces provided that you enclose the entire string in quotation marks ("). The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. Enable Sticky For Response Check box that enables the ACE to parse server responses and perform sticky learning. The ACE uses a hash of the server response bytes to populate the sticky database. The next time that the ACE receives a client request with those same bytes, it sticks the client to the same server. Uncheck the check box to reset the behavior of the ACE to the default of not parsing server responses and performing sticky learning. Table 9-8 RADIUS Sticky Group Attributes Field Description RADIUS Types Choose the RADIUS attribute to use for sticking client connections: • N/A—This option is not configured. • RADIUS Calling ID—Stickiness is based on the RADIUS framed IP attribute and the calling station ID attribute. • RADIUS User Name—Stickiness is based on the RADIUS framed IP attribute and the username attribute. 9-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Displaying All Sticky Groups by Context RTSP Header Sticky Group Attributes Table 9-9 describes the RTSP header sticky group attributes. Displaying All Sticky Groups by Context You can display all sticky groups associated with a virtual context. Procedure Step 1 Choose Config > Devices. The Virtual Contexts table appears. Step 2 In the Virtual Contexts table, choose the virtual context with the sticky groups that you want to display, and choose Load Balancing > Stickiness. The Sticky Groups table appears, listing the sticky groups associated with the selected context. Related Topics • Configuring Sticky Groups, page 9-7 • Configuring Sticky Statics, page 9-15 Configuring Sticky Statics You can configure sticky statics. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Assumption A sticky group has been configured. See the “Configuring Sticky Groups” section on page 9-7 for more information. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Stickiness. Table 9-9 RTSP Header Sticky Group Attributes Field Description Offset Number of bytes that the virtual server is to ignore starting with the first byte of the cookie. Valid entries are from 0 to 999. The default is 0 (zero), which indicates that the virtual server does not exclude any portion of the cookie. Length (Bytes) Length of the portion of the cookie (starting with the byte after the offset value) that the ACE is to use for sticking the client to the server. Valid entries are from 1 to 1000. The default is 1000. 9-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Configuring Sticky Statics The Sticky Groups table and Sticky Statics tab appears. If you do not see the Sticky Statics tab beneath the Sticky Groups table, click the Switch between Configure and Browse Modes button. Step 2 From the Sticky Groups table, choose the sticky group that you want to configure for sticky statics Step 3 From the Sticky Statics tab, click Add to add a new entry to the table, or select an existing entry, then click Edit to modify it. The Sticky Statics configuration screen appears. Step 4 In the Sequence Number field, either accept the automatically incremented number for this entry or enter a new sequence number.The sequence number indicates the order in which multiple sticky static configurations are applied. The sequence number indicates the order in which multiple sticky static configurations are applied. Step 5 From the Type drop-down list, choose the sticky group type. The choices are as follows: • HTTP Content—The ACE sticks client connections to the same real server based on a string in the data portion of the HTTP packet. • HTTP Cookie—The ACE either learns a cookie from the HTTP header of a client request or inserts a cookie in the Set-Cookie header of the response from the server to the client, and then uses the learned cookie to provide stickiness between the client and server for the duration of the transaction. • HTTP Header—The ACE sticks client connections to the same real server based on HTTP headers. • IP Netmask—The ACE sticks a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IP address, the destination IP address, or both based on the IPv4 netmask. You can optionally configure an IPv6 prefix length with this sticky type. Note If an organization uses a megaproxy to load balance client requests across multiple proxy servers when a client connects to the Internet, the source IP address is no longer a reliable indicator of the true source of the request. In this situation, you can use cookies or another sticky method to ensure session persistence. • V6 Prefix—(Option that appears only for ACE module and ACE appliance software Version A5(1.0) or later) The ACE sticks a client to the same server for multiple subsequent connections as needed to complete a transaction using the client source IP address, the destination IP address, or both based on the IPv6 prefix length. You can optionally configure an IPv4 netmask with this sticky type. • Layer 4 Payload—The ACE sticks client connections to the same real server based on a string in the payload portion of the Layer 4 protocol packet. • RADIUS—The ACE sticks client connections to the same real server based on a RADIUS attribute. • RTSP Header—The ACE sticks client connections to the same real server based on the RTSP Session header field. • SIP Header—The ACE sticks client connections to the same real server based on the SIP Call-ID header field. Step 6 If you chose HTTP Cookie, HTTP, RTSP, or SIP Header for the sticky type, in the Static Value field, enter the cookie string value. Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters. If the string includes spaces, enclose the string with quotes. 9-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Configuring Sticky Statics Step 7 If you chose IP Netmask or V6 Prefix for the sticky type, do the following: a. For the IP Address Type, select either IPv4 or IPv6. b. In the Static Source field, enter the source IP address of the client. c. In the Static Destination field, enter the destination IP address of the client. Step 8 In the Named Real Server field, choose the real server to associate with this static sticky entry. Step 9 In the Port field, enter the port number of the real server. Valid entries are from 1 to 65535. Step 10 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Sticky Statics table. • Click Next to deploy your entries and to configure another sticky static entry. Related Topics Configuring Sticky Groups, page 9-7 9-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 9 Configuring Stickiness Configuring Sticky Statics CHAPTER 10-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 10 Configuring Parameter Maps Date: 3/28/12 This chapter describes how to configure parameter maps on the Cisco Application Control Engine (ACE) using Cisco Application Networking Manager (ANM). Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This chapter includes the following sections: • Information About Parameter Maps, page 10-1 • Configuring Connection Parameter Maps, page 10-3 • Configuring Generic Parameter Maps, page 10-8 • Configuring HTTP Parameter Maps, page 10-9 • Configuring Optimization Parameter Maps, page 10-12 • Configuring RTSP Parameter Maps, page 10-20 • Configuring SIP Parameter Maps, page 10-21 • Configuring Skinny Parameter Maps, page 10-23 • Configuring DNS Parameter Maps, page 10-25 • Supported MIME Types, page 10-26 Information About Parameter Maps Parameter maps allow you to perform actions on traffic that ingresses an ACE interface based on certain criteria, such as protocol or connection attributes. After you configure a parameter map, you associate it with a policy map to implement configured behavior. Table 10-1 describes the parameter maps that you can configure using ANM and the ACE devices that support them. 10-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Information About Parameter Maps Related Topics • Configuring Connection Parameter Maps, page 10-3 • Configuring Generic Parameter Maps, page 10-8 • Configuring HTTP Parameter Maps, page 10-9 • Configuring Optimization Parameter Maps, page 10-12 • Configuring RTSP Parameter Maps, page 10-20 • Configuring SIP Parameter Maps, page 10-21 • Configuring Skinny Parameter Maps, page 10-23 • Configuring Generic Parameter Maps, page 10-8 • Configuring Traffic Policies, page 14-1 • Configuring Parameter Maps, page 10-1 • Configuring Virtual Contexts, page 6-8 Table 10-1 Parameter Map Types and ACE Support Parameter Map Description ACE Device ACE Module ACE Appliance Connection Connection parameter maps combine all IP and TCP connection-related behaviors pertaining to: • TCP normalization, termination, and server reuse • IP normalization, fragmentation, and reassembly X X Generic Generic parameter maps combine related generic protocol actions for server load-balancing connections. X X HTTP HTTP parameter maps configure ACE behavior for HTTP load-balanced connections. X X Optimization Optimization parameter maps specify optimization-related commands that pertain to application acceleration and optimization functions performed by the ACE. X RTSP Real Time Streaming Protocol (RTSP) parameter maps configure advanced RTSP behavior for server load-balancing connections. X X SIP Session Initiation Protocol (SIP) parameter maps configure SIP deep packet inspection on the ACE. X X Skinny Skinny Client Control Protocol (SCCP) parameter maps configure SCCP packet inspection on the ACE. X X DNS Domain Name System (DNS) parameter maps configure DNS actions for DNS packet inspection. X X 10-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Connection Parameter Maps Configuring Connection Parameter Maps You can configure a connection parameter map for use with a Layer 3/Layer 4 policy map. Connection parameter maps combine all IP and TCP connection-related behaviors pertaining to the following: • TCP normalization, termination, and server reuse • IP normalization, fragmentation, and reassembly Procedure Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > Connection Parameter Maps. The Connection Parameter Maps table appears. Step 2 In the Connection Parameter Maps table, click Add to add a new parameter map, or choose an existing parameter map and click Edit to modify it. The Connection Parameter Maps configuration window appears. Step 3 In the Connection Parameter Maps configuration window, configure the parameter map using the information in Table 10-2. Click More Settings to access the additional Connection Parameter Map configuration attributes. By default, ANM hides the default Connection Parameter Map configuration attributes and the attributes that are not commonly used. Table 10-2 Connection Parameter Map Attributes Field Description Parameter Name Unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Description Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of either device type. If you attempt to use the Description feature with an ACE that is running an earlier software version, ANM displays an invalid command detected error message and does not deploy the parameter map. Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be entered as matching pairs. Inactivity Timeout (Seconds) Number of seconds that the ACE is to wait before disconnecting idle connections. Valid entries are from 0 to 3217203. A value of 0 indicates that the ACE is never to time out a TCP connection. 10-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Connection Parameter Maps More Settings Exceeds MSS Action that the ACE takes to handle segments that exceed the maximum segment size (MSS): • Allow—The ACE is to permit segments that exceed the configured MSS. • Drop—The ACE is to discard segments that exceed the configured MSS. Max. Connection Limit Maximum number of concurrent connections to allow for the parameter map. Valid entries are from 0 to 4000000. Nagle Check box that enables the Nagle algorithm, which instructs a sender to buffer any data to be sent until all outstanding data has been acknowledged or until there is a full segment of data to send. Enabling the Nagle algorithm increases throughput, but it can increase latency in your TCP connection. Uncheck the check box to disable the Nagle algorithm. Note Disable the Nagle algorithm when you observe unacceptable delays in TCP connections. Random Sequence Number Check box that enables the use of random TCP sequence numbers, which adds a measure of security to TCP connections by making it more difficult for a hacker to guess or predict the next sequence number in a TCP connection. Uncheck the check box to disable the use of random TCP sequence numbers. This option is enabled by default. Bandwidth Rate Limit Option that appears for ACE modules only. Enter the bandwidth-rate limit in bytes per second for the parameter map. Valid entries are from 0 to 300000000 bytes. Connection Rate Limit Connection-rate limit in connections per second. Valid entries are from 0 to350000. Reserved Bits Action that the ACE takes to handle segments with the reserved bits set in the TCP header: • Allow—Segments with the reserved bits are to be permitted. • Drop—Segments with the reserved bits are to be discarded. • Clear—Reserved bits in TCP headers are to be cleared and segments are to be allowed. Type-of-Service IP Header Type of service for an IP packet that determines how the network handles the packet and balances its precedence, throughput, delay, reliability, and cost. Enter the type-of-service value to be applied to IP packets. Valid entries are from 0 to 255. For more information about type of service, refer to RFCs 791, 1122, 1349, and 3168. ACK Delay Time (Milliseconds) Number of milliseconds that the ACE is to wait before sending an acknowledgement from a client to a server. Valid entries are from 0 to 400. TCP Buffer Share (Bytes) Option that appears for only ACE modules. To improve throughput and overall performance, the ACE buffers the number of bytes you specify before processing received data or transmitting data. Use this option to increase the default buffer size and thereby realize improved network performance. Enter the maximum size of the TCP buffer in bytes. Valid entries are from 8192 to 262143 bytes. Default is 32768. Note If you enter a value in this field for an ACE device that does not support this option, an error message appears. Leave this field blank when creating or modifying a connection parameter map for devices that do not support this option. Table 10-2 Connection Parameter Map Attributes (continued) Field Description 10-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Connection Parameter Maps Smallest TCP MSS (Bytes) Size of the smallest segment of TCP data that the ACE is to accept. Valid entries are from 0 to 65535 bytes. The value 0 indicates that the ACE is not to set a minimum limit. Largest TCP MSS (Bytes) Size of the largest segment of TCP data that the ACE is to accept. Valid entries are from 0 to 65535 bytes. The value 0 indicates that the ACE is not to set a maximum limit. SYN Retries Number of attempts that the ACE is to make to transmit a TCP segment when initiating a Layer 7 connection. Valid entries are from 1 to 15. The default is 4. TCP WAN Optimization RTT Option that specifies how the ACE is to apply TCP optimizations to packets on a connection associated with a Layer 7 policy map using a round-trip time (RTT) value. The choices are as follows: • An entry of 0 (zero) indicates that the ACE is to apply TCP optimizations to packets for the life of a connection. • An entry of 65535 (the default) indicates that the ACE is to perform normal operations (that is, without optimizations) for the life of a connection. • Entries from 1 to 65534 indicate that the ACE is to use the following guidelines: • If the actual client RTT is less than the configured RTT, the ACE performs normal operations for the life of the connection. • If the actual client RTT is greater than or equal to the configured RTT, the ACE performs TCP optimizations on the packets for the life of a connection. Valid entries are from 0 to 65535. Timeout For Embryonic Connections (Seconds) Number of seconds that the ACE is to wait before timing out an embryonic connection, which is a TCP three-way handshake for a connection that does not complete for some reason. Valid entries are from 0 to 4294967295. The default is 5. A value of 0 indicates that the ACE is never to time out an embryonic connection. Half Closed Timeout (Seconds) Number of seconds the ACE is to wait before closing a half-closed connection, which is one in which the client or server sends a FIN and the server or client acknowledges the FIN without sending a FIN itself. Valid entries are from 0 to 4294967295. The default is 3600 (1 hour). A value of 0 indicates that the ACE is never to time out a half-closed connection. Slow Start Algorithm Check box that enables the slow start algorithm. When enabled, the slow start algorithm increases TCP window size as ACK handshakes arrive so that new segments are injected into the network at the rate at which acknowledgements are returned by the host at the other end of the connection. Uncheck the check box to disable the slow start algorithm. This option is disabled by default. SYN Segments With Data Action that the ACE takes to handle TCP SYN segments that contain data: • Allow—The ACE is to permit SYN segments that contain data and mark them for processing. • Drop—The ACE is to discard SYN segments that contain data. Table 10-2 Connection Parameter Map Attributes (continued) Field Description 10-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Connection Parameter Maps Urgent Pointer Policy Action that the ACE takes to handle urgent data as identified by the Urgent data control bit. Urgent data, as indicated by a control bit in the TCP header, indicates that urgent data is to be processed as soon as possible, even before normal data. The choices are as follows: • Allow—The ACE is to permit the status of the Urgent control bit. • Clear—The ACE is to set the Urgent control bit to 0 (zero) and thereby invalidate the Urgent Pointer which provides segment information. TCP Window Scale Factor TCP window scale factor. The TCP window scaling extension expands the definition of the TCP window to 32 bits and uses a scale factor to carry the 32-bit value in the 16-bit window of the TCP header. Increasing the window size improves TCP performance in network paths with large bandwidth, long-delay characteristics. Valid entries are from 0 to 14 (the maximum scale factor). For more information on TCP window scaling, refer to RFC 1323. Action For TCP Options Range Action that the ACE takes to handle the following TCP options: • Selective ACK • Timestamps • Action For TCP Window Scale Factor The choices are as follows: • N/A—This option is not set. • Allow—The ACE is to allow any segment with the specified option set. • Drop—The ACE is to discard any segment with the specified option set. Lower TCP Options Option that appears if you chose Allow or Drop for the Action For TCP Options Range. Enter the lower limit of the TCP option range. Valid entries are 6, 7, or a value from 9 to 255. See Table 10-3 for information on TCP options. Upper TCP Options Option that appears if you chose Allow or Drop for the Action For TCP Options Range. Enter the upper limit of the TCP option range. Valid entries are 6, 7, or a value from 9 to 255. See Table 10-3 for information on TCP options. Selective ACK Action that the ACE takes to handle the selective ACK option that is specified in SYN segments: • Allow—The ACE allows any segment with the specified option set. • Clear—The ACE clears the specified option from any segment that has it set and allow the segment. Table 10-2 Connection Parameter Map Attributes (continued) Field Description 10-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Connection Parameter Maps Table 10-3 lists the TCP options for connection parameter maps. Timestamps Action that the ACE takes to handle the time stamp option that is specified in SYN segments: • Allow—The ACE allows any segment with the specified option set. • Clear—The ACE clears the specified option from any segment that has it set and allow the segment. Action For TCP Window Scale Factor Action that the ACE takes to handle the TCP window scale factor option that is specified in SYN segments: • Allow—The ACE allows any segment with the specified option set. • Clear—The ACE clears the specified option from any segment that has it set and allow the segment. • Drop—The ACE discards any segment with the specified option set. Table 10-2 Connection Parameter Map Attributes (continued) Field Description Table 10-3 TCP Options for Connection Parameter Maps1 1. For more information about TCP options, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide. Type Length Meaning 6 6 Echo (obsoleted by option 8) 7 6 Echo Reply (obsoleted by option 8) 9 2 Partial Order Connection Permitted 10 3 Partial Order Service Profile 11 CC 12 CC.NEW 13 CC.ECHO 14 3 TCP Alternate Checksum Request 15 N TCP Alternate Checksum Data 16 Skeeter 17 Bubba 18 3 Trailer Checksum Option 19 18 MD5 Signature Option 20 SCPS Capabilities 21 Selective Negative Acknowledgements (SNACK) 22 Record Boundaries 23 Corruption Experienced 24 SNAP 25 Unassigned (released 12/18/2000) 26 TCP Compression Filter 10-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Generic Parameter Maps Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without accepting your entries and to return to the Parameter Map table. • Click Next to accept your entries and to add another parameter map. Related Topics • Configuring Parameter Maps, page 10-1 • Configuring Traffic Policies, page 14-1 • Configuring Virtual Contexts, page 6-8 Configuring Generic Parameter Maps You configure a generic parameter map, which allows you to specify nonprotocol-specific behavior for data parsing. Generic parameter maps examine the payload and make decisions regardless of the protocol. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > Generic Parameter Maps. The Generic Parameter Maps table appears. Step 2 In the Generic Parameter Maps table, click Add to add a new parameter map, or choose an existing parameter map and click Edit to modify it. The Parameter Maps configuration window appears. Step 3 In the Parameter Maps configuration window, configure the parameter map using the information in Table 10-4. Table 10-4 Generic Parameter Map Attributes Field Description Parameter Name Unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Description Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of either device type. If you attempt to use the Description feature with an ACE that is running an earlier software version, ANM displays an invalid command detected error message and does not deploy the parameter map. Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be entered as matching pairs. 10-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring HTTP Parameter Maps Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the Generic Parameter Maps table. • Click Next to deploy your entries and to configure another generic parameter map. Related Topics • Configuring Parameter Maps, page 10-1 • Configuring Traffic Policies, page 14-1 • Configuring Parameter Maps, page 10-1 • Configuring Virtual Contexts, page 6-8 Configuring HTTP Parameter Maps You can configure an HTTP parameter map for use with a Layer 3/Layer 4 policy map. HTTP parameter maps allow you to configure ACE behavior for HTTP load-balanced connections. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > HTTP Parameter Maps. The HTTP Parameter Maps table appears. Step 2 In the HTTP Parameter Maps table, click Add to add a new parameter map, or choose an existing parameter map and click Edit to modify it. The HTTP Parameter Maps configuration window appears. Step 3 In the HTTP Parameter Maps configuration window, configure the parameter map using the information in Table 10-5. Case-Insensitive Check box that instructs the ACE to be case insensitive for the parameter map. Uncheck this check box to instruct the ACE to be case sensitive for this parameter map. Max. Parse Length (Bytes) Number of bytes to parse for the total length of all generic headers. Valid entries are from 1 to 65535. The default is 2048 bytes. Table 10-4 Generic Parameter Map Attributes (continued) Field Description 10-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring HTTP Parameter Maps Table 10-5 HTTP Parameter Map Attributes Field Description Parameter Name Unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Description Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of either device type. If you attempt to use the Description feature with an ACE that is running an earlier software version, ANM displays an invalid command detected error message and does not deploy the parameter map. Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be entered as matching pairs. Case-Insensitive Check box that instructs the ACE to be case insensitive. Uncheck this check box to indicate that the ACE is to be case sensitive. This check box is cleared by default. Header Modify Per-Request Check box to require that SSL information is inserted for every HTTP GET request. Current functionality only requires that the information be inserted at the first GET request. Exceed Max. Parse Length Action that the ACE takes to handle cookies, HTTP headers, and URLs that exceed the maximum parse length. The choices are as follows: • Continue—The ACE is to continue load balancing. When this option is selected, the HTTP Persistence Rebalance option is disabled if the total length of all cookies, HTTP headers, and URLs exceeds the maximum parse value. • Drop—The ACE is to stop load balancing and to discard the packet. HTTP Persistence Rebalance Check box that instructs the ACE to do the following: • Separately load balance each subsequent HTTP request on the same TCP connection. • Insert the header and cookie for every request instead of only the first request. Uncheck this check box to indicate that this option is disabled. This option is enabled by default. TCP Server Connection Reuse Check box that instructs the ACE to reduce the number of open connections on a server by allowing connections to persist and be reused by multiple client connections. If you enable this feature, perform the following tasks: • Ensure that the ACE maximum segment size (MSS) is the same as the server maximum segment size. • Configure port address translation (PAT) on the interface that is connected to the real server. • Configure on the ACE the same TCP options that exist on the TCP server. • Ensure that each server farm is homogeneous (all real servers within a server farm have identical configurations). Uncheck this check box to disable this option. Content Max. Parse Length (Bytes) Maximum number of bytes to parse in HTTP content. Valid entries are from 1 to 65535. The default is 4096. Header Max. Parse Length (Bytes) Maximum number of bytes to parse for the total length of cookies, HTTP headers, and URLs. Valid entries are from 1 to 65535. The default is 4096. 10-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring HTTP Parameter Maps Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without accepting your entries and to return to the Parameter Map table. • Click Next to accept your entries and to add another parameter map. Related Topics • Configuring Parameter Maps, page 10-1 • Configuring Traffic Policies, page 14-1 • Configuring Parameter Maps, page 10-1 Secondary Cookie Delimiters ASCII-character delimiters to be used to separate cookies in a URL string. Valid entries are unquoted text strings with no spaces and a maximum of 4 characters. The default delimiters are /&#+. MIME Type To Compress Option that appears only for ACE appliances (all versions) and ACE modules version A4(1.0) and later. In the field on the left, enter the Multipurpose Internet Mail Extension (MIME) type to compress, and click Add. The MIME type appears in the column on the right. To remove or change a MIME type, choose it in the column on the right, and click Remove. The selected MIME type appears in the field on the left where you can modify or delete it. To specify the sequence in which compression is to be applied, choose MIME types in the column on the right, and click Up or Down to arrange the MIME types. The “Supported MIME Types” section on page 10-26 lists the supported MIME types. You can use an asterisk (*) to indicate a wildcard, such as text/*, which would include all text MIME types (text/html, text/plain, and so on). User Agent Not To Compress Option that appears only for ACE appliances (all versions) and ACE modules version A4(1.0) and later. A user agent is a client that initiates a request. Examples of user agents include browsers, editors, and other end-user tools. When you specify a user agent string in this field, the ACE does not compress the response to a request when the request contains the matching user agent string. In the field on the left, enter the user agent string to be matched, and click Add. The string appears in the column on the right. To remove or change a user agent string, choose it in the column on the right, and click Remove. The selected string appears in the field on the left where you can modify or delete it. To specify the sequence in which strings are to be matched, choose strings in the column on the right, and click Up or Down to arrange the strings in the desired sequence. Valid entries are 64 characters. Min. Size To Compress (Bytes) Option that appears only for ACE appliances (all versions) and ACE modules version A4(1.0) and later. Enter the threshold at which compression is to occur. The ACE compresses files that are the minimum size or larger. Valid entries are from 1 to 4096 bytes. Table 10-5 HTTP Parameter Map Attributes (continued) Field Description 10-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Optimization Parameter Maps • Configuring Virtual Contexts, page 6-8 Configuring Optimization Parameter Maps Note Optimization parameter maps are available for ACE appliances only. You can configure an optimization parameter map for use with a Layer 3/Layer 4 policy map. Optimization parameter maps specify optimization-related commands that pertain to application acceleration and optimization functions performed by the ACE. See the “Configuring Application Acceleration and Optimization” section on page 15-1 or the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide for more information about application acceleration and optimization. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > Optimization Parameter Maps. The Optimization Parameter Maps table appears. Step 2 In the Optimization Parameter Maps table, click Add to add a new parameter map, or choose an existing parameter map and click Edit to modify it. The Optimization Parameter Maps configuration window appears. Step 3 In the Optimization Parameter Maps configuration window, configure the parameter map using the information in Table 10-6. Table 10-6 Optimization Parameter Map Attributes Field Description Parameter Name Unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Description Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of either device type. If you attempt to use the Description feature with an ACE that is running an earlier software version, ANM displays an invalid command detected error message and does not deploy the parameter map. Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be entered as matching pairs. Set Browser Freshness Period Method that the ACE uses to determine the freshness of objects in the client’s browser: • N/A—This option is not configured. • Disable Browser Object Freshness Control—Browser freshness control is not used. • Set Freshness Similar To Flash Forward Objects—The ACE sets freshness similar to that used for FlashForwarded objects and to use the values specified in the Maximum Time for Cache Time-To-Live and Minimum Time for Cache Time-To-Live fields. 10-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Optimization Parameter Maps Duration For Browser Freshness (Seconds) Field that appears if the Set Browser Freshness Period option is not configured. Enter the number of seconds that objects in the client’s browser are considered fresh. Valid entries are 0 to 2147483647 seconds. Response Codes To Ignore (Comma Separated) Comma-separated list of HTTP response codes for which the response body must not be read. For example, an entry of 302 indicates that the ACE is to ignore the response body of a 302 (redirect) response from the origin server. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters from 100 to 599, inclusive. Appscope Optimize Rate (%) Percentage of all requests or sessions to be sampled for performance with acceleration (or optimization) applied. All applicable optimizations for the class will be performed. Valid entries are from 0 to 100 percent. The default is 10 percent. The sum of this value and the value entered in the Passthru Rate Percent field must not exceed 100. Appscope Passthrough Rate (%) Percentage of all requests or sessions to be sampled for performance without optimization. No optimizations for the class will be performed. Valid entries are from 0 to 100. The default is 10 percent. The sum of this value and the value entered in the Optimize Rate Percent field must not exceed 100. Max. Number for Parameter Summary Log (Bytes) Maximum number of bytes that are to be logged for each parameter value in the parameter summary of a transaction log entry in the statistics log. If a parameter value exceeds this limit, it is truncated at the specified limit. Valid entries are from 0 to 10,000 bytes. Max. For Post Data to Scan for Logging (KBytes) Maximum number of kilobytes of POST data that the ACE is to scan for parameters for the purpose of logging transaction parameters in the statistics log. Valid entries are from 0 to 1000 KB. String For Grouping Requests String that the ACE uses to sort requests for AppScope reporting. The string can contain a URL regular expression that defines a set of URLs in which URLs that differ only by their query parameters are to be treated as separate URLs in AppScope reports. For example, to define a string that is used to identify the URLs http://server/catalog.asp?region=asia and http://server/catalog.asp?region=america as two separate reporting categories, you would enter http_query_param(region). Valid entries are from 1 to 255 characters and can contain the parameter expander functions listed in Table 10-7. Base File Anonymous Level Base file anonymous level. Information that is common to a large set of users is generally not confidential or user-specific. Conversely, information that is unique to a specific user or a small set of users is generally confidential or user-specific. The anonymous base file feature enables the ACE to create and deliver condensed base files that contain only information that is common to a large set of users. No information unique to a particular user, or across a very small subset of users, is included in anonymous base files. Enter the value for base file anonymity for the all-user condensation method. Valid entries are from 0 to 50. The default is 0, which disables the base file anonymity feature. Table 10-6 Optimization Parameter Map Attributes (continued) Field Description 10-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Optimization Parameter Maps Cache-Key Modifier Expression Cache key modifier expression. A cache object key is a unique identifier that is used to identify a cached object to be served to a client, replacing a trip to the origin server. The cache key modifier feature allows you to modify the canonical form of a URL; that is, the portion before “?” in a URL. For example, the canonical URL of http://www.xyz.com/somepage.asp?action=browse&level=2 is http://www.xyz.com/somepage.asp. Enter a regular expression containing embedded variables as described in Table 10-7. The ACE transforms URLs specified in class maps for this virtual server with the expression and variable entered here. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. If the string includes spaces, enclose the string with quotation marks (“). Min. Time For Cache Time-To-Live (Seconds) Minimum number of seconds that an object without an explicit expiration time should be considered fresh in the ACE cache. This value specifies the minimum time that content can be cached. If the ACE is configured for FlashForward optimization, this value should normally be 0. If the ACE is configured for dynamic caching, this value should indicate how long the ACE should cache the page. (See Table 7-17 for information about these configuration options.) Valid entries are from 0 to 2147483647 seconds. Max. Time For Cache Time-To-Live (Seconds) Maximum number of seconds that an object without an explicit expiration time should be considered fresh in the ACE cache. Valid entries are from 0 to 2147483647 seconds. Cache Time-To-Live Duration (%) Percentage of an object’s age at which an embedded object without an explicit expiration time is considered fresh. Valid entries are from 0 to 100 percent. Expression To Modify Cache Key Query Parameter Regular expression that contains embedded variables as described in Table 10-7. The ACE transforms URLs specified in class maps for this virtual server with the expression and variable entered here. The cache parameter feature allows you to modify the query parameter of a URL; that is, the portion after “?” in a URL. For example, the query parameter portion of http://www.xyz.com/somepage.asp?action=browse&level=2 is action=browse&level=2. If no string is specified, the query parameter portion of the URL is used as the default value for this portion of the cache key. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. Canonical URL Expressions (Comma Separated) Comma-separated list of parameter expander functions as defined in Table 10-7 to identify the URLs to associate with this parameter map. The ACE uses the canonical URL feature to eliminate the “?” and any characters that follow to identify the general part of the URL. This general URL is then used to create the base file. In this way, the ACE maps multiple URLs to a single canonical URL. Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters. Enable Cacheable Content Optimization Check box that enables delta optimization of content that can be cached. This feature allows the ACE to detect content that can be cached and perform delta optimization on it. Uncheck the check box to disable this feature. Table 10-6 Optimization Parameter Map Attributes (continued) Field Description 10-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Optimization Parameter Maps Enable Delta Optimization On First Visit To Web Page Check box that enables condensation on the first visit to a web page. Uncheck the check box to disable this feature. Min. Page Size For Delta Optimization (Bytes) Minimum page size, in bytes, that can be condensed. Valid entries are from 1 to 250000 bytes. Max. Page Size For Delta Optimization (Bytes) Maximum page size, in bytes, that can be condensed. Valid entries are from 1 to 250000 bytes. Set Default Client Script Scripting language that the ACE recognizes on condensed content pages: • N/A—This option is not configured. • Javascript—The default scripting language is JavaScript. • Visual Basic Script—The default scripting language is Visual Basic. Exclude Iframes From Delta Optimization Check box that specifies that delta optimization is not to be applied to IFrames (inline frames). Uncheck the check box to indicate that delta optimization is to be applied to IFrames. Exclude Non-ASCII Data From Delta Optimization Check box that specifies that delta optimization is not to be applied to non-ASCII data. Uncheck the check box to indicate that delta optimization is to be applied to non-ASCII data. Exclude JavaScripts From Delta Optimization Check box that specifies that delta optimization is not to be applied to JavaScript. Clear the check box to indicate that delta optimization is to be applied to JavaScript. MIME Types To Exclude From Delta Optimization Mime types to exclude from delta optimization. Do the following: 1. In the first field, enter a comma-separated list of the MIME (Multipurpose Internet Mail Extension) type messages that are not to have delta optimization applied, such as image/Jpeg, text/html, application/msword, or audio/mpeg. See the “Supported MIME Types” section on page 10-26 for a list of supported MIME types. 2. Click Add to add the entry to the list box on the right. You can position the entries in the list box by using the Up and Down buttons. Remove HTML META Elements From Documents Check box that specifies that HTML META elements are to be removed from documents to prevent them from being condensed. Uncheck the check box to indicate that HTML META elements are not to be removed from documents. Set Flash Forward Refresh Policy Method the ACE is to use to refresh stale embedded objects: • N/A—This option is not configured. • Allow Flash Forward To Indirect Refresh Of Objects—The ACE uses FlashForward to indirectly refresh embedded objects. • Bypass Flash Forward To Direct Refresh Of Objects—The ACE bypasses FlashForward for stale embedded objects so that they are refreshed directly. Rebase Delta Optimization Threshold (%) Delta threshold, expressed as a percent, when rebasing is to be triggered. This entry represents the size of a page delta relative to total page size, expressed as a percent. This entry triggers rebasing when the delta response size exceeds the threshold as a percentage of base file size. Valid entries are from 0 to 10000 percent. Table 10-6 Optimization Parameter Map Attributes (continued) Field Description 10-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Optimization Parameter Maps Rebase Flash Forward Threshold (%) Threshold, expressed as a percent, when rebasing is to be triggered based on the percent of FlashForwarded URLs in the response. This entry triggers rebasing when the difference between the percentages of FlashForwarded URLs in the delta response and the base file exceeds the threshold. Valid entries are from 0 to 10000 percent. Rebase History Size (Pages) Number of pages to be stored before the ACE resets all rebase control parameters to zero and starts over. This option prevents the base file from becoming too rigid. Valid entries are from 10 to 2147483647. Rebase Modify Cool-Off Period (Seconds) Number of seconds after the last modification before performing a rebase. Valid entries are from 1 to 14400 seconds (4 hours). Rebase Reset Period (Seconds) Period of time, in seconds, for performing a meta data refresh. Valid entries are from 1 to 900 seconds (15 minutes). Override Client Request Headers Action that the ACE takes to handle client request headers (primarily for embedded objects): • N/A—This feature is not enabled. • All Cache Request Headers Are Ignored—The ACE ignores all cache request headers. • Overrides The Cache Control: No Cache HTTP Header From A Request—The ACE ignores cache control request headers that state no cache. Override Server Response Headers Action that the ACE takes to handle origin server response headers (primarily for embedded objects): • N/A—This feature is not enabled. • All Cache Request Headers Are Ignored—The ACE ignores all response headers. • Overrides The Cache Control: Private HTTP Header From A Response—The ACE ignores cache control response headers that state private. UTF-8 Character Set Threshold UTF-8 (8-bit Unicode Transformation Format) character set, which is an international standard that allows Web pages to display non-ASCII or non-English multibyte characters. It can represent any universal character in the Unicode standard and is backwards compatible with ASCII. Enter the number of UTF-8 characters that need to appear on a page to constitute a UTF-8 character set page. Valid entries are from 1 to 1,000,000. Server Load Threshold Trigger (%) Server load threshold trigger that indicates that the time-to-live (TTL) period for cached objects is to be based dynamically on server load. With this method, TTL periods increase if the current response time from the origin sever is greater than the average response time and decrease if the current response time from the origin server is less than the average response time when the difference in response times exceeds a specified threshold amount. Enter the threshold, expressed as a percent, at which the TTL for cached objects is to be changed. Valid entries are from 0 to 100 percent. Table 10-6 Optimization Parameter Map Attributes (continued) Field Description 10-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Optimization Parameter Maps Table 10-7 lists the parameter expander functions that you can use. Server Load Time-To-Live Change (%) Option that specifies the percentage by which the cache TTL is increased or decreased in response to a change in server load. For example, if this value is set to 20 and the current TTL for a response is 300 seconds. and if the current server response times exceeds the trigger threshold, the cache TTL for the response is raised to 360 seconds. Enter the percent by which the cache TTL is to be increased or decreased when the server load threshold trigger is met. Valid entries are from 0 to 100 percent. Delta Optimization Mode Method by which delta optimization is to be implemented. The choices are as follows: • N/A—This option is not configured. • Enable The All-User Mode For Delta Optimization—The ACE is to generate the delta against a single base file that is shared by all users of the URL. This option is usable in most cases if the structure of a page is common across all users, and the disk space overhead is minimal. • Enable The Per-User Mode For Delta Optimization—The ACE is to generate the delta against a base file that is created specifically for that user. This option is useful when page contents, including layout elements, are different for each user, and delivers the highest level of condensation. However, this increases disk space requirements because a copy of the base page that is delivered to each user is cached. This option is useful when privacy is required because base pages are not shared among users. String To Be Used For Server HTTP Header Option that defines a string that is to be sent in the server header for an HTTP response. This option provides you with a method for uniquely tagging the context or URL match statement by setting the server header value to a particular string. The server header string can be used when a particular URL is not being transmitted to the correct target context or match statement. Enter the string that is to appear in the server header. Valid entries are quoted text strings with a maximum of 64 alphanumeric characters. Table 10-6 Optimization Parameter Map Attributes (continued) Field Description 10-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Optimization Parameter Maps Table 10-7 Parameter Expander Functions Variable Description $(number) Expands to the corresponding matching subexpression (by number) in the URL pattern. Subexpressions are marked in a URL pattern using parentheses (). The numbering of the subexpressions begins with 1 and is the number of the left-parenthesis “(“ counting from the left. You can specify any positive integer for the number. $(0) matches the entire URL. For example, if the URL pattern is ((http://server/.*)/(.*)/)a.jsp, and the URL that matches it is http://server/main/sub/a.jsp?category=shoes&session=99999, then the following are correct: $(0) = http://server/main/sub/a.jsp $(1) = http://server/main/sub/ $(2) = http://server/main $(3) = sub If the specified subexpression does not exist in the URL pattern, then the variable expands to the empty string. $http_query_string() Expands to the value of the whole query string in the URL. For example, if the URL is http://myhost/dothis?param1=value1¶m2=value2, then the following is correct: $http_query_string() = param1=value1¶m2=value2 This function applies to both GET and POST requests. $http_query_param(query-param-name) The obsolete syntax is also supported: $param(query-param-name) Expands to the value of the named query parameter (case sensitive). For example, if the URL is http://server/main/sub/a.jsp?category=shoes&session=99999, then the following are correct: $http_query_param(category) = shoes $http_query_param(session) = 99999 If the specified parameter does not exist in the query, then the variable expands to the empty string. This function applies to both GET and POST requests. $http_cookie(cookie-name) Evaluates to the value of the named cookie. For example, $http_cookie(cookiexyz). The cookie name is case sensitive. $http_header(request-header-name) Evaluates to the value of the specified HTTP request header. In the case of multivalued headers, it is the single representation as specified in the HTTP specification. For example, $http_header(user-agent). The HTTP header name is not case sensitive. $http_method() Evaluates to the HTTP method used for the request, such as GET or POST. 10-19 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Optimization Parameter Maps Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The ACE validates the parameter map configuration and deploys it. • Click Cancel to exit this procedure without accepting your entries and to return to the Parameter Map table. • Click Next to accept your entries and to add another parameter map. Related Topics • Configuring Parameter Maps, page 10-1 • Configuring Traffic Policies, page 14-1 • Configuring Parameter Maps, page 10-1 • Configuring Virtual Contexts, page 6-8 Boolean Functions: $http_query_param_present(query-param-name) $http_query_param_notpresent(query-param-name) $http_cookie_present(cookie-name) $http_cookie_notpresent(cookie-name) $http_header_present(request-header-name) $http_header_notpresent(request-header-name) $http_method_present(method-name) $http_method_notpresent(method-name) Evaluates to a Boolean value: True or False, depending on the presence or absence of the element in the request. The elements are a specific query parameter (query-param-name), a specific cookie (cookie-name), a specific request header (request-header-name), or a specific HTTP method (method-name). All identifiers are case sensitive except for the HTTP request header name. $regex_match(param1, param2) Evaluates to a Boolean value: True if the two parameters match and False if they do not match. The two parameters can be any two expressions, including regular expressions, that evaluate to two strings. For example, this function: $regex_match($http_query_param(URL), .*Store\.asp.*) compares the query URL with the regular expression string .*Store\.asp.* If the URL matches this regular expression, this function evaluates to True. Table 10-7 Parameter Expander Functions (continued) Variable Description 10-20 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring RTSP Parameter Maps Configuring RTSP Parameter Maps You can configure a Real Time Streaming protocol (RTSP) parameter map, which allows you to configure advanced RTSP behavior for server load-balancing connections. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > RTSP Parameter Maps. The RTSP Parameter Maps table appears. Step 2 In the RTSP Parameter Maps table, click Add to add a new parameter map, or choose an existing parameter map and click Edit to modify it. The Parameter Maps configuration window appears. Step 3 In the Parameter Maps configuration window, configure the parameter map using the information in Table 10-8. Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the RTSP Parameter Maps table. • Click Next to deploy your entries and to configure another RTSP parameter map. Related Topics • Configuring Parameter Maps, page 10-1 • Configuring Traffic Policies, page 14-1 • Configuring Parameter Maps, page 10-1 Table 10-8 RTSP Parameter Map Attributes Field Description Parameter Name Unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Description Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of either device type. If you attempt to use the Description feature with an ACE that is running an earlier software version, ANM displays an invalid command detected error message and does not deploy the parameter map. Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be entered as matching pairs. Case-Insensitive Check box that instructs the ACE to be case insensitive. Uncheck the check box to instruct the ACE is to be case sensitive. Header Max. Parse Length (Bytes) Number of bytes to parse for the total length of RTSP headers. Valid entries are from 1 to 65535. The default is 2048 bytes. 10-21 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring SIP Parameter Maps • Configuring Virtual Contexts, page 6-8 Configuring SIP Parameter Maps You can configure Session Initiation Protocol (SIP) parameter maps, which allow you to configure SIP deep-packet inspection policy maps on the ACE. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > SIP Parameter Maps. The SIP Parameter Maps table appears. Step 2 In the SIP Parameter Maps table, click Add to add a new parameter map, or choose an existing parameter map and click Edit to modify it. The Parameter Maps configuration window appears. Step 3 In the Parameter Maps configuration window, configure the parameter map using the information in Table 10-9. Table 10-9 SIP Parameter Map Attributes Field Description Parameter Name Unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Description Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of either device type. If you attempt to use the Description feature with an ACE that is running an earlier software version, ANM displays an invalid command detected error message and does not deploy the parameter map. Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be entered as matching pairs. Instant Messaging Check box that enables instant messaging (IM) over SIP after it has been disabled. Uncheck this check box to disable this feature. Logging All Check box that appears only for ACE module and ACE appliance software Version A4(1.0) or later. Check this check box to enable logging of all received and transmitted SIP packets in the system log (syslog) in addition to the dropped packets, which by default are logged. The ACE allows all headers sent in the SIP packet, including proprietary headers. In the event of a failover for SIP sessions over UDP, the ACE continues to process SIP packets for established SIP sessions. Uncheck this check box to disable this feature. 10-22 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring SIP Parameter Maps Max. Forward Validation Option that allows you to configure the ACE to validate the value of the Max-Forward header field. Specify how the ACE is to handle the validation of Max-Forward header fields. The choices are as follows: • N/A—The ACE is not to validate Max-Forward header fields. • Drop—The ACE is to drop the SIP message if it does not pass Max-Forward header validation. • Deny—The ACE is to reset the SIP connection if it does not pass Max-Forward header validation. Log Max. Forward Validation Event Check box that instructs the ACE to log Max-Forward validation events. Uncheck the check box to disable this feature. Mask UA Software Version Check box that instructs the ACE to mask the user agent software version. If the software version of a user agent is exposed, that user agent might be vulnerable to attacks from hackers who exploit the security holes present in that particular software version. This option allows you to mask or log the user agent software version so that it is not exposed. Uncheck the check box to disable this feature. Log UA Software Version Check box that instructs the ACE to log the user agent software version. Uncheck the check box to disable this feature. Strict Header Validation Action that the ACE is to take to handle header validation. You can ensure the validity of SIP packet headers by configuring the ACE to check for the presence of the following mandatory SIP header fields: • From • To • Call-ID • CSeq • Via • Max-Forwards If one of the header fields is missing in a SIP packet, the ACE considers that packet invalid. The ACE also checks for forbidden header fields, according to RFC 3261. Specify how the ACE is to handle header validation. The choices are as follows: • N/A—The ACE does not to perform header validation. • Drop—The ACE drops the SIP message if the SIP packet does not pass header validation. • Reset—The ACE resets the connection if the SIP packet does not pass header validation. Log Strict Header Validation Check box that instructs the ACE to log header validation events. Uncheck the check box to disable this feature. Mask Non SIP URI Check box that instructs the ACE to mask non-SIP URIs in SIP messages. This option and the next enable the detection of non-SIP URIs in SIP messages. Uncheck the check box to disable this feature. Table 10-9 SIP Parameter Map Attributes (continued) Field Description 10-23 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Skinny Parameter Maps Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the SIP Parameter Maps table. • Click Next to deploy your entries and to configure another SIP parameter map. Related Topics • Configuring Parameter Maps, page 10-1 • Configuring Traffic Policies, page 14-1 • Configuring Parameter Maps, page 10-1 • Configuring Virtual Contexts, page 6-8 Configuring Skinny Parameter Maps You can configure Skinny Client Control Protocol (SCCP or Skinny) parameter maps, which allow you to configure SCCP packet inspection on the ACE. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > Skinny Parameter Maps. The Skinny Parameter Maps table appears. Step 2 In the Skinny Parameter Maps table, click Add to add a new parameter map, or choose an existing parameter map and click Edit to modify it. The Parameter Maps configuration window appears. Log Non SIP URI Check box that instructs the ACE to log non-SIP URIs in SIP messages. Uncheck the check box to disable this feature. SIP Media Pinhole Timeout (Seconds) Timeout period for SIP media pinhole (secure port) connections in seconds. Valid entries are from 1 to 65535 seconds. The default is 5. Table 10-9 SIP Parameter Map Attributes (continued) Field Description 10-24 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring Skinny Parameter Maps Step 3 In the Parameter Maps configuration window, configure the parameter map using the information in Table 10-10. Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the Skinny Parameter Maps table. • Click Next to deploy your entries and to configure another Skinny parameter map. Related Topics • Configuring Parameter Maps, page 10-1 Table 10-10 Skinny Parameter Map Attributes Field Description Parameter Name Unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Description Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of either device type. If you attempt to use the Description feature with an ACE that is running an earlier software version, ANM displays an invalid command detected error message and does not deploy the parameter map. Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be entered as matching pairs. Enforce Registration Check box that enables Skinny registration enforcement. You can configure the ACE to allow only registered Skinny clients to make calls. To accomplish this task, the ACE maintains the state of each Skinny client. After a client registers with CCM, the ACE opens a secure port (pinhole) to allow that client to make a call. Uncheck the check box to disable this feature. Message Id Max Maximum value for the station message ID in hexadecimal that the ACE is to accept. Valid entries are hexadecimal values from 0x0 to 0x4000 with a default value of 0x181. If a packet arrives with a station message ID greater than the specified value, the ACE drops the packet and generates a syslog message. Note The Message Id Max. hexadecimal value should always start with 0x or 0X. Min. SCCP Prefix Length (Bytes) Minimum SCCP prefix length in bytes. By default, the ACE drops SCCP messages that have an SCCP Prefix length that is less than the message ID. The ACE drops Skinny message packets that fail this check and generates a syslog message. Valid entries are from 4 to 4000 bytes. Max. SCCP Prefix Length (Bytes) Maximum SCCP prefix length in bytes. This feature allows you to configure the ACE so that it checks the maximum SCCP prefix length. The ACE drops Skinny message packets that fail this check and generates a syslog message. Valid entries are from 4 to 4000 bytes. 10-25 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Configuring DNS Parameter Maps • Configuring Traffic Policies, page 14-1 • Configuring Virtual Contexts, page 6-8 Configuring DNS Parameter Maps You can configure Domain Name System (DNS) parameter maps, which allow you to configure DNS actions for DNS packet inspection. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > DNS Parameter Maps. The DNS Parameter Maps table appears. Step 2 In the DNS Parameter Maps table, click Add to add a new parameter map, or choose an existing parameter map and click Edit to modify it. The DNS Parameter Maps configuration window appears. Step 3 In the DNS Parameter Maps configuration window, configure the parameter map using the information in Table 10-11. Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the DNS Parameter Maps table. • Click Next to deploy your entries and to configure another DNS parameter map. Related Topics • Configuring Parameter Maps, page 10-1 Table 10-11 DNS Parameter Map Attributes Field Description Parameter Name Unique name for the parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Description Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of either device type. If you attempt to use the Description feature with an ACE that is running an earlier software version, ANM displays an invalid command detected error message and does not deploy the parameter map. Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be entered as matching pairs. Timeout (Seconds) Amount of time in seconds that the ACE keeps the query entries without answers in the hash table before timing them out. Configure the ACE to time out DNS queries that have no matching server response. Specify the Enter an integer from 2 to 120 seconds. The default is 10 seconds. 10-26 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Supported MIME Types • Configuring Traffic Policies, page 14-1 • Configuring Virtual Contexts, page 6-1 Supported MIME Types The ACE supports the following MIME types: • application/msexcel • application/mspowerpoint • application/msword • application/octet-stream • application/pdf • application/postscript • application/\x-gzip • application/\x-java-archive • application/\x-java-vm • application/\x-messenger • application/\zip • audio/* • audio/basic • audio/midi • audio/mpeg • audio/x-adpcm • audio/x-aiff • audio/x-ogg • audio/x-wav • image/* • image/gif • image/jpeg • image/png • image/tiff • image/x-3ds • image/x-bitmap • image/x-niff • image/x-portable-bitmap • image/x-portable-greymap • image/x-xpm • text/* • text/css 10-27 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Supported MIME Types • text/html • text/plain • text/richtext • text/sgml • text/xmcd • text/xml • video/* • video/flc • video/mpeg • video/quicktime • video/sgi • video/x-fli 10-28 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 10 Configuring Parameter Maps Supported MIME Types CHAPTER 11-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 11 Configuring SSL Date: 3/28/12 This chapter describes how to configure Secure Sockets Layer (SSL) on the Cisco Application Control Engine (ACE) using Cisco Application Networking Manager (ANM). Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This chapter includes the following sections: • SSL Overview, page 11-2 • SSL Configuration Prerequisites, page 11-2 • Summary of SSL Configuration Tasks, page 11-3 • SSL Setup Sequence, page 11-4 • Using SSL Certificates, page 11-5 • Using SSL Keys, page 11-10 • Configuring SSL Parameter Maps, page 11-18 • Configuring SSL Chain Group Parameters, page 11-23 • Configuring SSL CSR Parameters, page 11-24 • Generating CSRs, page 11-26 • Configuring SSL Proxy Service, page 11-27 • Configuring SSL OCSP Service, page 11-29 • Enabling Client Authentication, page 11-31 11-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL SSL Overview SSL Overview SSL is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers for e-commerce websites. SSL initiation occurs when the ACE device (either an ACE module or an ACE appliance) acts as a client and initiates the SSL session between it and the SSL server. SSL termination occurs when the ACE, acting as an SSL server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. SSL provides the secure transaction of data between a client and a server through a combination of privacy, authentication, and data integrity. SSL relies upon certificates and private-public key exchange pairs for this level of security. Figure 11-1 shows the following network connections in which the ACE terminates the SSL connection with the client: • Client to ACE—SSL connection between a client and the ACE acting as an SSL proxy server • ACE to Server—TCP connection between the ACE and the HTTP server Figure 11-1 SSL Termination with Client The ACE uses parameter maps, SSL proxy services, and class maps to build the policy maps that determine the flow of information between the client, the ACE, and the server. SSL termination is a Layer 3 and Layer 4 application because it is based on the destination IP addresses of the inbound traffic flow from the client. For this type of application, you create a Layer 3 and Layer 4 policy map that the ACE applies to the inbound traffic. If you need to delete any of the SSL objects (authorization groups, chain groups, parameter maps, keys, CRLs, or certificates), you must remove the dependency from within the proxy service first before removing the SSL object. Before configuring the ACE for SSL, see the “SSL Configuration Prerequisites” section on page 11-2. SSL Configuration Prerequisites This SSL configuration prerequisites are as follows: • Your ACE hardware is configured for server load balancing (SLB). Note During the real server and server farm configuration process, when you associate a real server with a server farm, ensure that you assign an appropriate port number for the real server. The default behavior by the ACE is to automatically assign the same destination port that was used by the inbound connection to the outbound server connection if you do not specify a port. Client Front-end Back-end Ciphertext Clear Text SSL Termination (ACE as Server) SSL Termination with a Client Server 243313 11-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Summary of SSL Configuration Tasks • Your policy map is configured to define the SSL session parameters and client/server authentication tools, such as the certificate and RSA key pair. • Your class map is associated with the policy map to define the virtual SSL server IP address that the destination IP address of the inbound traffic must match. • You must import a digital certificate and its corresponding public and private key pair to the desired ACE context. • At least one SSL certificate is available. • If you do not have a certificate and corresponding key pair, you can generate an RSA key pair and a certificate signing request (CSR). Create a CSR when you need to apply for a certificate from a certificate authority (CA). The CA signs the CSR and returns the authorized digital certificate to you. Note You cannot generate a CSR in Building Blocks (Config > Global > All Building Blocks); SSL CSR generation is available only in virtual context configuration. Summary of SSL Configuration Tasks Table 11-1 describes the tasks for using SSL keys and certificates. Table 11-1 SSL Key and Certificate Procedure Overview Task Description Create an SSL parameter map. Create an SSL parameter map to specify the options that apply to SSL sessions such as the method to be used to close SSL connections, the cipher suite, and version of SSL or TSL. See the “Configuring SSL Parameter Maps” section on page 11-18. Create an SSL key pair file. Create an SSL RSA key pair file to generate a CSR, create a digital signature, and encrypt packet data during the SSL handshake with an SSL peer. See the “Generating SSL Key Pairs” section on page 11-14. Configure CSR parameters. Set CSR parameters to define the distinguished name attributes of a CSR. See the “Configuring SSL CSR Parameters” section on page 11-24. Create a CSR. Create a CSR to submit with the key pair file when you apply for an SSL certificate. See the “Generating CSRs” section on page 11-26. Copy and paste the CSR into the Certificate Authority (CA) web-based application or email the CSR to the CA. Using the SSL key pair and CSR, apply for an approved certificate from a Certificate Authority. Use the method specified by the CA for submitting your request. Save the approved certificate from the CA in its received format on an FTP, SFTP, or TFTP server. When you receive the approved certificate, save it in the format in which it was received on a network server accessible via FTP, SFTP, or TFTP. 11-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL SSL Setup Sequence For more information about using SSL with ACE, see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide or Cisco Application Control Engine Module SSL Configuration Guide. SSL Setup Sequence The SSL setup sequence provides detailed instructions with illustrations for configuring SSL on ACE devices from ANM (Figure 11-2). The purpose of this option is to provide a visual guide for performing typical SSL operations, such as SSL CSR generation, SSL proxy creation, and so on. This option does not replace any existing SSL functions or configuration windows already present in ANM. It is only intended as an additional guide for anyone unfamiliar or unclear with the SSL operations that need to be performed on the ACE device. From the SSL setup sequence, you are allowed to configure all SSL operations, without duplicating the edit/delete/table/view operations that the other SSL configuration windows provide. The tools and operations involved in typical SSL operations are as follows: • SSL Import/Create Keys • SSL Import Certificates • SSL CSR generation • SSL proxy creation Note The SSL Setup Sequence in ANM uses the terms SSL Policies and SSL Proxy Service interchangeably. Import the approved certificate and key pair into the desired virtual context. Import the approved certificate and the associated SSL key pair into the appropriate context using ANM. For more information, see following sections: • “Importing SSL Certificates” section on page 11-7 • “Importing SSL Key Pairs” section on page 11-11 Confirm that the public key in the key pair file matches the public key in the certificate file. Examine the contents of the files to confirm that the key pair information is the same in both the key pair file and the certificate file. Configure the virtual context for SSL. See the “Configuring Traffic Policies” section on page 14-1. Configure authorization group. Create a group of certificates that are trusted as certificate signers by creating an authentication group. See the “Configuring SSL Authentication Groups” section on page 11-31. Configure CRL. See the “Configuring CRLs for Client Authentication” section on page 11-33. Table 11-1 SSL Key and Certificate Procedure Overview (continued) Task Description 11-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Using SSL Certificates For more information on SSL configuration features, see the “Summary of SSL Configuration Tasks” section on page 11-3. Figure 11-2 SSL Setup Sequence Related Topics • Configuring SSL, page 11-1 • Importing SSL Certificates, page 11-7 • Importing SSL Key Pairs, page 11-11 • Configuring SSL Parameter Maps, page 11-18 • Configuring SSL Chain Group Parameters, page 11-23 • Configuring SSL Proxy Service, page 11-27 Using SSL Certificates Digital certificates and key pairs are a form of digital identification for user authentication. Certificate Authorities issue certificates that attest to the validity of the public keys they contain. A client or server certificate includes the following identification attributes: • Name of the Certificate Authority and Certificate Authority digital signature • Name of the client or server (the certificate subject) that the certificate authenticates • Issuer • Time stamps that indicate the certificate’s start date • Time stamps that indicate the certificate’s expiration date • CA certificate A Certificate Authority has one or more signing certificates that it uses for creating SSL certificates and certificate revocation lists (CRLs). Each signing certificate has a matching private key that is used to create the Certificate Authority signature. The Certificate Authority makes the signing certificates (with the public key embedded) available to the public, enabling anyone to access and use the signing certificates to verify that an SSL certificate or CRL was actually signed by a specific Certificate Authority. Note For the ACE module A2(3.0), ACE appliance A4(1.0), or later releases of either device type, the ACE supports a maximum of eight CRLs for any context. For earlier releases of either device type, the ACE supports a maximum of four CRLs for any context. 11-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Using SSL Certificates All certificates have an expiration date, usually one year after the certificate was issued. You can monitor certificate expiration status by going to Monitor > Devices > context > Dashboard. ANM issues a warning email daily before the certificate expiration date. You establish how many days before the expiration date that the warning email messages begin in the Threshold Groups settings window, which you can access using either of the following methods: • Choose Monitor > Alarm Notifications > Thresholds Groups. • Click the Configure Certificate Expiry Threshold Alarms button in the Certificates window (Config > Devices > context > SSL > Certificates). Note The Certificates window (Config > Devices > context > SSL > Certificates) contains the Expiry Date field, which displays the certificate expiration date. Due to a known issue with the ACE module and appliance, it is possible that this field displays either “Null” or characters that are unparseable or unreadable. When this issue occurs, ANM is unable to track the certificate expiration date. If the certificate is defined in a threshold group configured for certificate expiration alarm notifications and this issue occurs, ANM may not issue an expiration alarm when expected or it may issue a false alarm. If you encounter this issue, remove the certificate from the ACE, reimport it, and then verify that the correct expiration date displays in the Certificates window. For more information about configuring the certificate expiration alarm notification, see the “Configuring Alarm Notifications on ANM” section on page 17-57. The ACE requires certificates and corresponding key pairs for the following: • SSL Termination—The ACE acts as an SSL proxy server and terminates the SSL session between it and the client. For SSL termination, you must obtain a server certificate and corresponding key pair. • SSL Initiation—The ACE acts as a client and initiates the SSL session between it and the SSL server. For SSL initiation, you must obtain a client certificate and corresponding key pair. Note The ACE includes a preinstalled sample certificate and corresponding key pair. This feature is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type. The certificate is for demonstration purposes only and does not have a valid domain. It is a self-signed certificate with basic extensions named cisco-sample-cert. The key pair is an RSA 1024-bit key pair named cisco-sample-key. You can display the sample certificate and corresponding key pair files as follows: • To display the cisco-sample-cert file, choose Config > Devices > context > SSL > Certificates. • To display the cisco-sample-key file, choose Config > Devices > context > SSL > Keys. You can add these files to an SSL-proxy service (see the “Configuring SSL Proxy Service” section on page 11-27) and are available for use in any context with the filenames remaining the same in each context. The ACE allows you to export these files but does not allow you to import any files with these names. When you upgrade the ACE software, these files are overwritten with the files provided in the upgrade image. You cannot use the crypto delete CLI command to delete these files unless you downgrade the ACE software because a software downgrade preserves these files as if they were user-installed SSL files. 11-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Importing SSL Certificates Related Topics • Configuring SSL, page 11-1 • Exporting SSL Certificates, page 11-15 • Importing SSL Certificates, page 11-7 • Using SSL Keys, page 11-10 • Importing SSL Key Pairs, page 11-11 • Configuring SSL CSR Parameters, page 11-24 • Generating CSRs, page 11-26 • Configuring SSL Proxy Service, page 11-27 Importing SSL Certificates You can import SSL certificates from a remote server to the ACE, which can support the following number of certificates and key pairs depending on the installed software version: • ACE Module: – A2(3.x) and earlier—3800 certificates and 3800 key pairs – A4(1.0)— 4096 certificates and 4096 key pairs • ACE Appliance: – A3(1.x) and earlier—3800 certificates and 3800 key pairs – A3(2.x) and later (including A4(1.0))—4096 certificates and 4096 key pairs Assumptions This topic assumes the following: • You have configured the ACE for server load balancing. (See the “Information About Load Balancing” section on page 7-1.) • You have obtained an SSL certificate from a certificate authority (CA) and have placed it on a network server accessible by the ACE. Note You cannot import SSL certificates in Building Blocks (Config > Global > All Building Blocks); SSL certificate imports are available only in virtual context configuration. Procedure Step 1 To configure a virtual context, choose Config > Devices > context > SSL > Certificates. The Certificates table appears, listing any valid SSL certificates. The cisco-sample-cert certificate is included in the list only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type. For information on this sample certificate, see the “Using SSL Certificates” section on page 11-5. Step 2 In the Certificates table, do one of the following: • To import a single SSL certificate, click Import. The Import dialog box appears. • To import multiple SSL certificates, click Bulk Import. The Bulk Import dialog box appears. 11-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Importing SSL Certificates Note The SSL bulk import feature is available only for ACE module A2(2.0), ACE appliance A4(1.0), or later releases of either device type. If you attempt to use the bulk import feature with an ACE that is running an earlier software version, ANM displays an invalid command detected error message and does not deploy the bulk import configuration for the ACE. Note SSL bulk import can take longer based on the number of SSL certificates being imported. It will progress to completion on the ACE. To see the imported certificates in ANM, perform a CLI Sync for this context once the SSL bulk import has completed. For information on synchronizing contexts, see the “Synchronizing Virtual Context Configurations” section on page 6-105. Step 3 Enter the applicable information: • For the Import dialog box, see Table 11-2. • For the Bulk Import dialog box, see Table 11-3 (ACE module A2(2.0), ACE appliance A4(1.0), and later releases of either device type only). Table 11-2 SSL Certificate Management Import Attributes Field Description Protocol Method to use for accessing the network server: • FTP—FTP is to be used to access the network server when importing the SSL certificate. • SFTP—SFTP is to be used to access the network server when importing the SSL certificate. • TERMINAL—You will import the file using cut and paste by pasting the certificate information to the terminal display. You can use the terminal method to display only PEM files, which are in ASCII format. • TFTP—TFTP is to be used to access the network server when importing the SSL certificate. IP Address Field that appears for FTP, TFTP, and SFTP. Enter the IP address of the remote server on which the SSL certificate file resides. Remote File Name Field that appears for single-file SSL certificate importing and FTP, TFTP, and SFTP. Enter the directory and filename of the single certificate file on the network server. Local File Name Filename to use for the single SSL certificate file when it is imported to the ACE. User Name Field that appears for FTP and SFTP. Enter the name of the user account on the network server. Password Field that appears for FTP and SFTP. Enter the password for the user account on the network server. Confirm Field that appears for FTP and SFTP. Reenter the password. Passphrase Field that appears for FTP, TFTP, SFTP, and TERMINAL. Enter the passphrase that was created with the file. Without this phrase, you cannot use the file. Passphrases are used only with encrypted PEM and PKCS files. Confirm Field that appears for FTP, SFTP, and TERMINAL. Reenter the passphrase. 11-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Importing SSL Certificates Step 4 Do one of the following: • Click OK to accept your entries and to return to the Certificates table. ANM updates the Certificates table with the newly installed certificate. • Click Cancel to exit this procedure without saving your entries and to return to the Certificates table. Non-Exportable Check box that specifies that this certificate file cannot be exported from the ACE. The ability to export SSL certificates allows you to copy signed certificates to another server on your network so that you can then import them onto another ACE or Web server. Exporting is similar to copying in that the original files are not deleted. Import Text Field that appears for Terminal. Cut the certificate information from the remote server and paste it into this field. Table 11-3 SSL Certificate Management Bulk Import Attributes Field Description Protocol SFTP is to be used to access the network server when importing the SSL certificates. SFTP is the only supported protocol for bulk import. IP Address IP address of the remote server on which the SSL certificate files reside. Remote Path Path to the SSL certificate files that reside on the remote server. The ACE fetches only files specified by the path; it does not recursively fetch remote directories. Enter a filename path including wildcards (for example, /remote/path/*.pem). The ACE supports POSIX pattern matching notation, as specified in section 2.13 of the "Shell and Utilities" volume of IEEE Std 1003.1-2004. This notation includes the "*," "?" and "[" metacharacters. To fetch all files from a remote directory, specify a remote path that ends with a wildcard character (for example, /remote/path/*). Do not include spaces or the following special characters: ;<>\|`@$&() The ACE fetches all files on the remote server that matches the wildcard criteria. However, it imports only files with names that have a maximum of 40 characters. If the name of a file exceeds 40 characters, the ACE does not import the file and discards it. User Name Name of the user account on the network server. Password Password for the user account on the network server. Confirm Password confirmation. Passphrase Passphrase that was created with the file. Without this phrase, you cannot use the file. Passphrases are used only with encrypted PEM and PKCS files. Confirm Passphrase confirmation. Non-Exportable Check box to specify that this certificate file cannot be exported from the ACE. The ability to export SSL certificates allows you to copy signed certificates to another server on your network so that you can then import them onto another ACE or Web server. Exporting is similar to copying in that the original files are not deleted. Table 11-2 SSL Certificate Management Import Attributes (continued) Field Description 11-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Using SSL Keys Related Topics • Configuring SSL, page 11-1 • Using SSL Keys, page 11-10 • Importing SSL Key Pairs, page 11-11 • Configuring SSL Parameter Maps, page 11-18 • Configuring SSL Chain Group Parameters, page 11-23 • Configuring SSL CSR Parameters, page 11-24 • Configuring SSL Proxy Service, page 11-27 Using SSL Keys You can display options for working with SSL and SSL keys. The ACE and its peer use a public key cryptographic system named Rivest, Shamir, and Adelman Signatures (RSA) for authentication during the SSL handshake to establish an SSL session. The RSA system uses key pairs that consist of a public key and a corresponding private (secret) key. During the handshake, the RSA key pairs encrypt the session key that both devices will use to encrypt the data that follows the handshake. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > SSL > Keys. • To configure a building block, choose Config > Global > building_block > SSL > Keys. The Keys table appears. Step 2 In the Keys table, continue with one of the following options: • Generate a key pair—See Generating SSL Key Pairs, page 11-14. • Import a key pair—See Importing SSL Key Pairs, page 11-11. • Export a key pair—See Exporting SSL Key Pairs, page 11-16. • Generate a CSR—See Generating CSRs, page 11-26. Related Topics • Generating SSL Key Pairs, page 11-14 • Importing SSL Key Pairs, page 11-11 • Generating SSL Key Pairs, page 11-14 • Exporting SSL Key Pairs, page 11-16 • Configuring SSL, page 11-1 11-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Using SSL Keys Importing SSL Key Pairs You can import an SSL key pair file from a network server to an ACE, which can support the following number of certificates and key pairs depending on the installed software version: • ACE Module: – A2(3.x) and earlier—3800 certificates and 3800 key pairs – A4(1.0)— 4096 certificates and 4096 key pairs • ACE Appliance: – A3(1.x) and earlier—3800 certificates and 3800 key pairs – A3(2.x) and later (including A4(1.0))—4096 certificates and 4096 key pairs Assumptions This topic assumes the following: • You have configured the ACE for server load balancing. (See the “Information About Load Balancing” section on page 7-1.) • You have obtained an SSL key pair from a certificate authority (CA) and have placed the pair on a network server accessible by the ACE. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > SSL > Keys. • To configure a building block, choose Config > Global > building_block > SSL > Keys. The Keys table appears, listing existing SSL keys. For the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of both either type, the cisco-sample-key key pair is included in the list. For information on this sample key pair, see the “Using SSL Certificates” section on page 11-5. Step 2 Do one of the following: • To import a single SSL key pair, in the Keys table, click Import. The Import dialog box appears. • To import multiple SSL key pairs, click Bulk Import. The Bulk Import dialog box appears. Note The SSL bulk import feature is available only for ACE module A2(2.0), ACE appliance A4(1.0), and later releases of either device type. If you attempt to use the bulk import feature with an ACE that is running an earlier software version, ANM displays an invalid command detected error message and does not deploy the bulk import configuration for the ACE. Note SSL bulk import can take longer based on the number of SSL keys being imported. It will progress to completion on the ACE. To see the imported keys in ANM, perform a CLI Sync for this context once the SSL bulk import has completed. For information on synchronizing contexts, see the “Synchronizing Virtual Context Configurations” section on page 6-105. Step 3 Enter the applicable information as follows: 11-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Using SSL Keys • For the Import dialog box, see Table 11-4. • For the Bulk Import dialog box, see Table 11-5 (ACE module A2(2.0), ACE appliance A4(1.0), and later releases of either device type only). Table 11-4 SSL Key Pair Import Attributes Field Description Protocol Method to use for accessing the network server: • FTP—FTP is to be used to access the network server when importing the SSL key pair file. • SFTP—SFTP is to be used to access the network server when importing the SSL key pair file. • TERMINAL—You will import the file using cut and paste by pasting the certificate and key pair information to the terminal display. You can use the terminal method to display only PEM files, which are in ASCII format. • TFTP—TFTP is to be used to access the network server when importing the SSL key pair file. IP Address Field that appears for FTP, TFTP, and SFTP. Enter the IP address of the remote server on which the SSL key pair file resides. Remote File Name Field that appears for single-file SSL key pair importing and FTP, TFTP, and SFTP. Enter the directory and filename of the single key pair file on the network server. Local File Name Filename to be used for the single SSL key pair file when it is imported to the ACE. User Name This field appears for FTP and SFTP. Enter the name of the user account on the network server. Password Field that appears for FTP and SFTP. Enter the password for the user account on the network server. Confirm Field that appears for FTP, SFTP, and TERMINAL. Reenter the password. Passphrase Field that appears for FTP, TFTP, SFTP, and TERMINAL. Enter the passphrase that was created with the file. Without this phrase, you cannot use the file. Passphrases are used only with encrypted PEM and PKCS files. Confirm Field that appears for FTP and SFTP. Reenter the passphrase. Non-Exportable Check box to specify that this key pair file cannot be exported from the ACE. The ability to export SSL key pair files allows you to copy key pair files to another server on your network so that you can then import them onto another ACE or Web server. Exporting is similar to copying in that the original files are not deleted. Uncheck the check box to indicate that this key pair file can be exported from the ACE. Import Text Field that appears for Terminal. Cut the key pair information from the remote server and paste it into this field. Table 11-5 SSL Key Pair Bulk Import Attributes Field Description Protocol SFTP is to be used to access the network server when importing the SSL key pairs. SFTP is the only supported protocol for bulk import. IP Address IP address of the remote server on which the SSL key pair files resides. 11-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Using SSL Keys Step 4 Do one of the following: • Click OK to accept your entries and to return to the Keys table. ANM updates the Keys table with the imported key pair file information. • Click Cancel to exit this procedure without saving your entries and to return to the Keys table. Related Topics • Configuring SSL, page 11-1 • Importing SSL Certificates, page 11-7 • Configuring SSL Parameter Maps, page 11-18 • Configuring SSL Chain Group Parameters, page 11-23 • Configuring SSL CSR Parameters, page 11-24 • Configuring SSL Proxy Service, page 11-27 Remote Path Path to the key pair files that reside on the remote server. The ACE fetches only files specified by the path; it does not recursively fetch remote directories. Enter a filename path including wildcards (for example, /remote/path/*.pem). The ACE module supports POSIX pattern matching notation, as specified in section 2.13 of the "Shell and Utilities" volume of IEEE Std 1003.1-2004. This notation includes the "*," "?" and "[" metacharacters. To fetch all files from a remote directory, specify a remote path that ends with a wildcard character (for example, /remote/path/*). Do not include spaces or the following special characters: ;<>\|`@$&() The ACE module fetches all files on the remote server that matches the wildcard criteria. However, it imports only files with names that have a maximum of 40 characters. If the name of a file exceeds 40 characters, the ACE module does not import the file and discards it. User Name Name of the user account on the network server. Password Password for the user account on the network server. Confirm Password confirmation. Passphrase Passphrase that was created with the file. Without this phrase, you cannot use the file. Passphrases are used only with encrypted PEM and PKCS files. Confirm Passphrase confirmation. Non-Exportable Check box to specify that this certificate file cannot be exported from the ACE. The ability to export SSL key pairs allows you to copy signed certificates to another server on your network so that you can then import them onto another ACE or Web server. Exporting is similar to copying in that the original files are not deleted. Table 11-5 SSL Key Pair Bulk Import Attributes (continued) Field Description 11-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Using SSL Keys Generating SSL Key Pairs The ACE can generate SSL RSA key pairs if you do not have any matching key pairs. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > SSL > Keys. • To configure a building block, choose Config > Global > building_block > SSL > Keys. The Keys table appears. For the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type, the cisco-sample-key key pair is included in the list. For information about this sample key pair, see the “Using SSL Certificates” section on page 11-5. Step 2 In the Keys table, click Add to add a new key pair. The Keys configuration window appears. Note You cannot modify an existing entry in the Keys table. Instead, delete the existing entry, then add a new one. Step 3 In the Keys configuration window, enter the information in Table 11-6. Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the Keys table. Table 11-6 Key Attributes Field Description Name Name of the SSL key pair. Valid entries are alphanumeric strings up to 64 characters. Size (Bits) Key pair security strength. The number of bits in the key pair file defines the size of the RSA key pair used to secure Web transactions. Longer keys produce more secure implementations by increasing the strength of the RSA security policy. Options and their relative levels of security are as follows: • 512—Least security • 768—Normal security • 1024—High security, level 1 • 1536—High security, level 2 • 2048—High security, level 3 Type RSA is a public-key cryptographic system used for authentication. Exportable Key Check box that specifies that the key pair file can be exported. Uncheck the check box to indicate that the key pair file cannot be exported. 11-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Exporting SSL Certificates • Click Next to deploy your entries and to define another RSA key pair. After generating an RSA key pair, you can do the following: • Create a CSR parameter set. The CSR parameter set defines the distinguished name attributes for the ACE to use during the CSR-generating process. For details on defining a CSR parameter set, see the “Configuring SSL CSR Parameters” section on page 11-24. • Generate a CSR for the RSA key pair file and transfer the CSR request to the certificate authority for signing. This provides an added layer of security because the RSA private key originates directly within the ACE and does not have to be transported externally. Each generated key pair must be accompanied by a corresponding certificate to work. For details on generating a CSR, see the “Generating CSRs” section on page 11-26. Related Topics • Configuring SSL, page 11-1 • Importing SSL Certificates, page 11-7 • Importing SSL Key Pairs, page 11-11 • Configuring SSL Chain Group Parameters, page 11-23 • Configuring SSL CSR Parameters, page 11-24 • Configuring SSL Proxy Service, page 11-27 Exporting SSL Certificates You can export SSL certificates from the ACE to a remote server. The ability to export SSL certificates allows you copy signed certificates to another server on your network so that you can then import them onto another ACE or Web server. Exporting certificates is similar to copying in that the original certificates are not deleted. Assumption The SSL certificate can be exported (see the “Importing SSL Certificates” section on page 11-7). Note You can export an SSL certificate in Building Blocks (Config > Global > All Building Blocks); SSL certificate export is available only in virtual context configuration. Procedure Step 1 To configure a virtual context, choose Config > Devices > context > SSL > Certificates. The Certificates table appears, listing any valid SSL certificates. The cisco-sample-cert certificate is included in the list only for the ACE module A2(3.0), ACE appliance 4(1.0), and later releases of either device type. For information about this sample certificate, see the “Using SSL Certificates” section on page 11-5. Step 2 In the Certificates table, choose the certificate you want to export, and click Export. The Export dialog box appears. 11-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Exporting SSL Certificates Step 3 In the Export dialog box, enter the information in Table 11-7. Step 4 Do one of the following: • Click OK to export the certificate and to return to the Certificates table. • Click Cancel to exit this procedure without exporting the certificate and to return to the Certificates table. Related Topics • Configuring SSL, page 11-1 • Importing SSL Certificates, page 11-7 • Importing SSL Key Pairs, page 11-11 • Generating SSL Key Pairs, page 11-14 • Configuring SSL Chain Group Parameters, page 11-23 • Configuring SSL CSR Parameters, page 11-24 • Configuring SSL Proxy Service, page 11-27 Exporting SSL Key Pairs You can export SSL key pairs from the ACE to a remote server. The ability to export SSL key pairs allows you copy SSL key pair files to another server on your network so that you can then import them onto another ACE or Web server. Exporting key pair files is similar to copying in that the original key pairs are not deleted. Table 11-7 SSL Certificate Export Attributes Field Description Protocol Method to be used for exporting the SSL certificate: • FTP—FTP is to be used to access the network server when exporting the SSL certificate. • SFTP—SFTP is to be used to access the network server when exporting the SSL certificate. • TERMINAL—You will export the certificate using cut and paste by pasting the certificate and key pair information to the terminal display. You can use the terminal method to display only PEM files, which are in ASCII format. • TFTP—TFTP is to be used to access the network server when exporting the SSL certificate. IP Address Field that appears for FTP, TFTP, and SFTP. Enter the IP address of the remote server to which the SSL certificate file is to be exported. Remote File Name Field that appears for FTP, TFTP, and SFTP. Enter the directory and filename to be used for the SSL certificate file on the remote network server. User Name Field that appears for FTP and SFTP. Enter the name of the user account on the remote network server. Password Field that appears for FTP and SFTP. Enter the password for the user account on the remote network server. Confirm Field that appears for FTP and SFTP. Reenter the password. 11-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Exporting SSL Certificates Assumption The SSL key pair can be exported (see the “Generating SSL Key Pairs” section on page 11-14). Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > SSL > Keys. • To configure a building block, choose Config > Global > building_block > SSL > Keys. The Keys table appears. For the ACE module A2(3.0) and later releases only, the cisco-sample-key key pair is included in the list. For information about this sample key pair, see the “Using SSL Certificates” section on page 11-5. Step 2 In the Keys table, choose the key entry you want to export, and click Export. The Export dialog box appears. Step 3 In the Export dialog box, enter the information in Table 11-8. Step 4 Do one of the following: • Click OK to export the key pair and to return to the Keys table. • Click Cancel to exit this procedure without exporting the key pair and to return to the Keys table. Related Topics • Configuring SSL, page 11-1 • Importing SSL Certificates, page 11-7 Table 11-8 SSL Key Export Attributes Field Description Protocol Specify the method to be used for exporting the SSL key pair: • FTP—FTP is to be used to access the network server when exporting the SSL key pair. • SFTP—SFTP is to be used to access the network server when exporting the SSL key pair. • TERMINAL—You will export the key pair using cut and paste by pasting the key pair information to the terminal display. You can use the terminal method to display only PEM files, which are in ASCII format. • TFTP—TFTP is to be used to access the network server when exporting the SSL key pair. IP Address Field that appears for FTP, TFTP, and SFTP. Enter the IP address of the remote server to which the SSL key pair is to be exported. Remote File Name Field that appears for FTP, TFTP, and SFTP. Enter the directory and filename to be used for the SSL key pair file on the remote network server. User Name Field that appears for FTP and SFTP. Enter the name of the user account on the remote network server. Password Field that appears for FTP and SFTP. Enter the password for the user account on the remote network server. Confirm Field that appears for FTP and SFTP. Reenter the password. 11-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Configuring SSL Parameter Maps • Importing SSL Key Pairs, page 11-11 • Generating SSL Key Pairs, page 11-14 • Configuring SSL Chain Group Parameters, page 11-23 • Configuring SSL CSR Parameters, page 11-24 • Configuring SSL Proxy Service, page 11-27 Configuring SSL Parameter Maps You can create SSL parameter maps., which defines the SSL session parameters that the ACE applies to an SSL proxy service. SSL parameter maps let you apply the same SSL session parameters to different proxy services. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > SSL > Parameter Map. • To configure a building block, choose Config > Global > building_block > SSL > Parameter Map. The Parameter Map table appears. Step 2 In the Parameter Map table, click Add to add a new SSL parameter map, or choose an existing entry to modify and click Edit. The Parameter Map configuration window appears. Step 3 In the Parameter Map configuration window, enter the information in Table 11-9. Table 11-9 SSL Parameter Map Attributes Field Description Name Unique name for the parameter map. Valid entries are alphanumeric strings with a maximum of 64 characters. Description Field that appears for ACE module A2(1.5), ACE appliance A3(2.3), and later releases of either device type. If you attempt to use the Description feature with an ACE that is running an earlier software version, ANM displays an invalid command detected error message and does not deploy the parameter map. Brief description of the parameter map. Enter a text string with a maximum of 240 alphanumeric characters (A–Z, a–z, 0–9). Spaces and special characters are allowed. Double quotes must be entered as matching pairs. Queue Delay Timeout (Milliseconds) Time (in milliseconds) to wait before emptying the queued data for encryption. Valid entries are 0 to 10000 milliseconds. If disabled (set to 0), the ACE encrypts the data from the server as soon as it arrives and then sends the encrypted data to the client. Note The Queue Delay Timeout is only applied to data that the SSL module sends to the client. This avoids a potentially long delay in passing a small HTTP GET to the real server. 11-19 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Configuring SSL Parameter Maps Session Cache Timeout (Milliseconds) Timeout value of an SSL session ID to remain valid before the ACE requires the full SSL handshake to establish a new SSL session. This feature allows the ACE to reuse the master key on subsequent connections with the client, which can speed up the SSL negotiation process. Valid entries are 0 to 72000 milliseconds. Specifying a value of 0 causes the ACE to implement a least recently used (LRU) timeout policy. By disabling this option (with the no command), the full SSL handshake occurs for each new connection with the ACE module. Reject Expired CRL Certificates Check box that instructs the ACE to reject any certificates listed on an expired CRL. Uncheck the check box to instruct the ACE to accept certificates listed on an expired CRL, which is the default setting. Close Protocol Behavior Method that the ACE uses to close the SSL connection: • Disabled—The ACE sends a close-notify alert message to the SSL peer; however, the SSL peer does not expect a close-notify alert before removing the session. Whether the SSL peer sends a close-notify alert message or not, the session information is preserved, allowing session resumption for future SSL connections. • None—The ACE does not send a close-notify alert message to the SSL peer, nor does the ACE expect a close-notify alert message from the peer. The ACE preserves the session information so that SSL resumption can be used for future SSL connections. This is the default. Note Where ACE 1.0 is already configured with the Strict option, ANM interprets it as the option None. This is due to the change in ACE 1.0 configuration (which no longer allows the Strict option). SSL Version Version of SSL be to used during SSL communications: • All—The ACE uses both SSL v3 and TLS v1 in its communications with its SSL peer. • SSL3—The ACE uses only SSL v3 in its communications with its SSL peer. • TLS1—The ACE uses only TLS v1 in its communications with its SSL peer. Table 11-9 SSL Parameter Map Attributes (continued) Field Description 11-20 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Configuring SSL Parameter Maps Step 4 Click the Parameter Map Cipher tab and click Add to add a cipher, or choose an existing cipher and click Edit. Enter the information in Table 11-10. Ignore Authentication Failure Option that enables the ACE to ignore expired or invalid SSL certificates and continue setting up the connection as follows: • ACE module versions 3.0(0)A2(1.1) forward and ACE appliance version A3(1.0) only—If checked, this feature enables the ACE to ignore expired or invalid server certificates and to continue setting up the back-end connection in an SSL initiation configuration. This option allows the ACE to ignore the following nonfatal errors with respect to server certificates: – Certificate not yet valid – Certificate has expired – Certificate revoked – Unknown issuer • ACE module version A2(3.0) and later only—If checked, this feature enables the ACE to ignore expired or invalid client or server certificates and to continue setting up the SSL connection. This options allows the ACE to ignore the following nonfatal errors with respect to either client certificates for SSL termination configurations, or server certificates for SSL initiation configurations: – Certificate not yet valid (both) – Certificate has expired (both) – Certificate revoked (both) – Unknown issuer (both) – No client certificate (client certificate only) – CRL not available (client certificate only) – CRL has expired (client certificate only) – Certificate has signature failure (client certificate only) – Certificate other error (client certificate only) Table 11-9 SSL Parameter Map Attributes (continued) Field Description Table 11-10 SSL Parameter Map Cipher Configuration Attributes Field Description Cipher Name Cipher to use. For more information on the SSL cipher suites that ACE supports, see the Cisco 4700 Series Application Control Engine Appliance SSL Configuration Guide or the Cisco Application Control Engine Module SSL Configuration Guide. Cipher Priority Priority that you want to assign to this cipher suite. The priority indicates the cipher’s preference for use. Valid entries are from 1 to 10 with 1 indicating the least preferred and 10 indicating the most preferred. When determining which cipher suite to use, the ACE chooses the cipher suite with the highest priority. 11-21 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Configuring SSL Parameter Maps Step 5 In the Parameter Map Cipher table, do one of the following: • Click Deploy Now to deploy the Parameter Map Cipher on the ACE and save your entries to the running-configuration and startup-configuration files • Click Cancel to exit the procedure without saving your entries and to return to the Parameter Map Cipher table. • Click Next to deploy your entries and to add another entry to the Parameter Map Cipher table. Step 6 Click the Redirect Authentication Failure tab and click Add to add a redirect or choose an existing redirect, and click Edit. Note This option is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type. Enter the information in Table 11-11. Note The Redirect Authentication Failure feature is only for SSL termination configurations in which the ACE performs client authentication. The ACE ignores these attributes if you configure them for an SSL initiation configuration. Table 11-11 SSL Parameter Map Redirect Configuration Attributes Field Description Client Certificate Validation Type of certificate validation failure to redirect. From the drop-down list, choose the type to redirect: • Any—Associates any of the certificate failures with the redirect. You can configure the authentication-failure redirect any command with individual reasons for redirection. When you do, the ACE attempts to match one of the individual reasons before using the any reason. You cannot configure the authentication-failure redirect any command with the authentication-failure ignore command. • Cert-expired—Associates an expired certificate failure with a redirect. • Cert-has-signature-failure—Associates a certificate signature failure with a redirect. • Cert-not-yet-valid—Associates a certificate that is not yet valid failure with the redirect. • Cert-other-error—Associates a all other certificate failures with a redirect. • Cert-revoked—Associates a revoked certificate failure with a redirect. • CRL-has-expired—Associates an expired CRL failure with a redirect. • CRL-not-available—Associates a CRL that is not available failure with a redirect. • No-client-cert—Associates no client certificate failure with a redirect. • Unknown-issuer—Associates an unknown issuer certificate failure with a redirect. Redirect Type Redirect type to use: • Server Farm—Specifies a redirect server farm for the redirect. • URL—Specifies a static URL path for the redirect. 11-22 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Configuring SSL Parameter Maps Step 7 In the Redirect Authentication Failure table, do one of the following: • Click Deploy Now to deploy the Redirect Authentication Failure table on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Redirect Authentication Failure table. • Click Next to deploy your entries and to add another entry to the Redirect Authentication Failure table. Step 8 In the Parameter Map table, do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Parameter Map table. • Click Next to deploy your entries and to add another entry to the Parameter Map table. Related Topics • Configuring SSL, page 11-1 • Importing SSL Certificates, page 11-7 • Importing SSL Key Pairs, page 11-11 • Generating SSL Key Pairs, page 11-14 • Configuring SSL Chain Group Parameters, page 11-23 • Configuring SSL CSR Parameters, page 11-24 • Configuring SSL Proxy Service, page 11-27 Server Farm Name Field that appears when the Redirect Type is set to Server Farm. ANM displays the available server farms as follows: • ACE software Version A4(1.0) or later—ANM displays all configured host and redirect server farms. • All earlier ACE software versions—ANM displays only those server farms configured as redirect server farms. Choose one of the available server farm options or click Plus (+) to open the server farm configuration popup and configure a redirect server farm (see the “Configuring Server Farms” section on page 8-30). Redirect URL Field that appears when the Redirect Type is set to URL. Specifies the static URL path for the redirect. Enter a string with a maximum of 255 characters and no spaces. Redirect Code Field appears when the Redirect Type is set to URL. Enter the redirect code that is sent back to the client: • 301—Status code for a resource permanently moving to a new location. • 302—Status code for a resource temporarily moving to a new location. Table 11-11 SSL Parameter Map Redirect Configuration Attributes Field Description 11-23 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Configuring SSL Chain Group Parameters Configuring SSL Chain Group Parameters You can configure certificate chain groups for a virtual context. A chain group specifies the certificate chains that the ACE sends to its peer during the handshake process. A certificate chain is a hierarchal list of certificates that includes the ACE’s certificate, the root certificate authority certificate, and any intermediate certificate authority certificates. Using the information provided in a certificate chain, the certificate verifier searches for a trusted authority in the certificate hierarchal list up to and including the root certificate authority. If the verifier finds a trusted authority before reaching the root certificate authority certificate, it stops searching further. Assumption At least one SSL certificate is available. Procedure Step 1 Choose Config > Devices > context > SSL > Chain Group Parameters. The Chain Group Parameters table appears. Step 2 In the Chain Group Parameters table, click Add to add a new chain group, or choose an existing chain group, and click Edit to modify it. The Chain Group Parameters configuration window appears. Step 3 In the Name field of the Chain Group Parameters configuration window, enter a unique name for the chain group. Valid entries are alphanumeric strings with a maximum of 64 characters. Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The updated Chain Group Parameters window appears along with the Chain Group Certificates table. Continue with Step 5. • Click Cancel to exit the procedure without saving your entries and to return to the Chain Group Parameters table. • Click Next to deploy your entries and to add another entry to the Chain Group Parameters table. Step 5 In the Chain Group Certificates table, click Add to add an entry. The Chain Group Certificates configuration window appears. Note You cannot modify an existing entry in the Chain Group Certificates table. Instead, delete the entry, then add a new one. Step 6 In the Certificate Name field, choose the certificate to add to this chain group. Step 7 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. 11-24 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Configuring SSL CSR Parameters • Click Cancel to exit the procedure without saving your entries and to return to the Chain Group Certificates table. • Click Next to deploy your entries and to add another certificate to this chain group table. Related Topics • Configuring SSL, page 11-1 • Importing SSL Certificates, page 11-7 • Importing SSL Key Pairs, page 11-11 • Generating SSL Key Pairs, page 11-14 • Configuring SSL Parameter Maps, page 11-18 • Configuring SSL CSR Parameters, page 11-24 • Configuring SSL Proxy Service, page 11-27 Configuring SSL CSR Parameters A certificate signing request (CSR) is a message you send to a certificate authority such as VeriSign and Thawte to apply for a digital identity certificate. The CSR contains information that identifies the SSL site, such as location and a serial number, and a public key that you choose. A corresponding private key is not included in the CSR, but is used to digitally sign the request. The CSR may be accompanied by other credentials or proofs of identity required by the certificate authority, and the certificate authority may contact the applicant for more information. If the request is successful, the certificate authority returns a digitally signed (with the private key of the certificate authority) identity certificate. CSR parameters define the distinguished name attributes the ACE applies to the CSR during the CSR-generating process. These attributes provide the certificate authority with the information it needs to authenticate your site. Defining a CSR parameter set lets you to generate multiple CSRs with the same distinguished name attributes. Each context on the ACE can contain up to eight CSR parameter sets. Use this procedure to define the distinguished name attributes for SSL CSRs. Procedure Step 1 Choose the item to configure: • To configure a virtual context, choose Config > Devices > context > SSL > CSR Parameters. • To configure a building block, choose Config > Global > building_block > SSL > CSR Parameters. The CSR Parameters table appears. Step 2 In the CSR Parameters table, click Add to add new set of CSR attributes, or choose an existing entry to modify and click Edit. The CSR Parameters configuration window appears. 11-25 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Configuring SSL CSR Parameters Step 3 In the CSR Parameters configuration window, enter the information in Table 11-12. Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the CSR Parameters table. • Click Next to deploy your entries and to define another set of CSR attributes. Related Topics • Configuring SSL, page 11-1 • Importing SSL Certificates, page 11-7 • Importing SSL Key Pairs, page 11-11 • Configuring SSL Parameter Maps, page 11-18 • Configuring SSL Chain Group Parameters, page 11-23 • Configuring SSL Proxy Service, page 11-27 Table 11-12 SSL CSR Parameter Attributes Field Description Name Unique name for this parameter set. Valid entries are alphanumeric strings with a maximum of 64 characters. Country Name of the country where the SSL site resides. Valid entries are 2 alphabetic characters representing the country, such as US for the United States. The International Organization for Standardization (ISO) maintains the complete list of valid country codes on its Web site (www.iso.org). State Name of the state or province where the SSL site resides. Locality Name of the city where the SSL site resides. Common Name Name of the domain or host of the SSL site. Valid entries are strings with a maximum of 64 characters. Special characters are allowed. Serial Number Serial number to assign to the certificate. Valid entries are alphanumeric strings with a maximum of 16 characters. Organization Name Name of the organization to include in the certificate. Valid entries are alphanumeric strings with a maximum of 64 characters. Email Site email address. Valid entries are text strings, including alphanumeric and special characters (for example, @ symbol in email address) with a maximum of 40 characters. Organization Unit Name of the organization to include in the certificate. Valid entries are alphanumeric strings with a maximum of 64 characters. 11-26 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Configuring SSL CSR Parameters Generating CSRs You can generate an SSL certificate signing request (CSR), which is a message that you send to a certificate authority such as VeriSign and Thawte to apply for a digital identity certificate. Create a CSR when you need to apply for a certificate from a certificate authority. When the certificate authority approves a request, it signs the CSR and returns the authorized digital certificate to you. This certificate includes the private key of the certificate authority. When you receive the authorized certificate and key pair, you can import them for use (see the “Importing SSL Certificates” section on page 11-7 and the “Importing SSL Key Pairs” section on page 11-11). Note You cannot generate a CSR in Building Blocks (Config > Global > All Building Blocks); SSL CSR generation is available only in virtual context configuration. Assumption You have configured SSL CSR parameters (see the “Configuring SSL CSR Parameters” section on page 11-24). Procedure Step 1 Choose Config > Devices > context > SSL > Keys. The Keys table appears. Step 2 In the Keys table, choose a key and click Generate CSR. The Generate a Certificate Signing Request dialog box appears. Step 3 In the CSR Parameter field of the Generate a Certificate Signing Request dialog box, choose the CSR parameter to be used. Step 4 Do one of the following: • Click OK to generate the CSR. The CSR appears in a popup window which you can now submit to a certificate authority for approval. Work with your certificate authority to determine the method of submission, such as email or a Web-based application. Click Close to close the popup window and to return to the Keys table. • Click Cancel to exit this procedure without generating the CSR and to return to the Keys table. Related Topics • Configuring SSL, page 11-1 • Importing SSL Certificates, page 11-7 • Importing SSL Key Pairs, page 11-11 • Configuring SSL Parameter Maps, page 11-18 • Configuring SSL Chain Group Parameters, page 11-23 • Configuring SSL Proxy Service, page 11-27 11-27 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Configuring SSL Proxy Service Configuring SSL Proxy Service You can configure an SSL proxy service that defines the SSL parameter map, key pair, certificate, and chain group the ACE uses during SSL handshakes. By configuring an SSL proxy server service on the ACE, the ACE can act as an SSL server. Assumption You have configured at least one SSL key pair, certificate, chain group, or parameter map to apply to this proxy service. Procedure Step 1 Choose Config > Devices > context > SSL > Proxy Service. The Proxy Service table appears. Step 2 In the Proxy Service table, click Add to add a new proxy service, or choose an existing service and click Edit to modify it. The Proxy Service configuration window appears. Step 3 In the Proxy Service configuration window, enter the information in Table 11-13. Table 11-13 SSL Proxy Service Attributes Field Description Proxy Service Name Unique name for this proxy service. Valid entries are alphanumeric strings with a maximum of 40 to 65 characters, depending on your ACE and hardware version. Keys Key pair that the ACE is to use during the SSL handshake for data encryption. Caution When choosing the key pair from the drop-down list, be sure to choose the keys that correspond to the certificate that you choose. Note If you use SSL Setup Sequence to create the proxy service, ANM selects the keys that correspond to the certificate that you choose. If ANM cannot detect a corresponding key pair, you can select a key pair from the drop-down list and click Verify Key to have ANM verify that the keys correspond to the selected certificate. ANM displays a message to let you know that your key pair selection either matches or does not match the selected certificate. For more information about SSL Setup Sequence, see the “SSL Setup Sequence” section on page 11-4. The cisco-sample-key option is available for the ACE module A2(3.0) and later releases only. For information about this sample key pair, see the “Using SSL Certificates” section on page 11-5. 11-28 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Configuring SSL Proxy Service Certificates Certificate that the ACE is to use during the SSL handshake to prove its identity. Caution When choosing the certificate from the drop-down list, be sure to choose the certificate that corresponds to the keys that you choose. Note If you use SSL Setup Sequence to create the proxy service, ANM selects the keys that correspond to the certificate that you choose. If ANM cannot detect a corresponding key pair, you can select a key pair from the drop-down list and click Verify Key to have ANM verify that the keys correspond to the selected certificate. ANM displays a message to let you know that your key pair selection either matches or does not match the selected certificate. For more information about SSL Setup Sequence, see the “SSL Setup Sequence” section on page 11-4. The cisco-sample-cert option is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type. For information about this sample certificate, see the “Using SSL Certificates” section on page 11-5. Chain Groups Chain group that the ACE is to use during the SSL handshake. To create a chain group, see the “Configuring SSL Chain Group Parameters” section on page 11-23. Auth Groups Authorization group name that the ACE is to use during the SSL handshake. To create an authorization group, see the “Configuring SSL Authentication Groups” section on page 11-31. CRL Best-Effort Field that displays only when Auth Groups is selected. Allows ANM to search client certificates for the service to determine if it contains a CRL in the extension. ANM then retrieves the value, if it exists. CRL Name Field that displays only when Auth Groups is selected. Do one of the following: • Choose N/A when the CRL name is not applicable. • Choose the CRL name that the ACE used for authentication. OCSP Best-Effort Field that displays for ACE module or appliance software Version A5(1.0) or later, and when Auth Groups is selected. Check the OCSP Best-Effort checkbox to allow the ACE appliance to extract the extension to find the OCSP server information from the certificate itself where, from the revocation status, information about the certificate could be obtained. If this extension is missing from the certificate and the best effort OCSP server information is configured with the SSL proxy, the cert is considered revoked. Uncheck the checkbox to display the OCSP server field to choose the available OCSP server. OCSP Servers Field that displays for ACE module or appliance software Version A5(1.0) or later, and when the OCSP Best-Effort checkbox is unchecked. Choose the available OCSP server. Table 11-13 SSL Proxy Service Attributes (continued) Field Description 11-29 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Configuring SSL OCSP Service Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the Proxy Service table. • Click Next to deploy your entries and to add another proxy service. • Click Delete to remove this configuration on the ACE. Note When an authorization group is deleted, the CRL Name object (if it exists) is deleted automatically. Related Topics • Configuring SSL, page 11-1 • Importing SSL Certificates, page 11-7 • Importing SSL Key Pairs, page 11-11 • Configuring SSL Parameter Maps, page 11-18 • Configuring SSL Chain Group Parameters, page 11-23 • Configuring SSL CSR Parameters, page 11-24 Configuring SSL OCSP Service Note The SSL Online Certificate Status Protocol feature requires ACE module and ACE appliance software Version A5(1.0) or later. SSL Online Certificate Status Protocol (OCSP) service defines the host server for certificate revocation checks using OCSP. The OCSP server, also known as the OCSP responder, maintains or obtains the information about the certificates issued by different CAs that are revoked and possibly non-revoked, Parameter Maps SSL parameter map to associate with this SSL proxy server service. Revocation Check Priority Order Field that displays for ACE module or appliance software Version A5(1.0) or later. Priority setting for the revocation check. Choose one of the following: • N/A—Indicates that this field is not applicable. • CRL-OCSP—The ACE uses the CRLs first to determine the revocation status, and then the OCSP servers. • OCSP-CRL—The ACE uses the OCSP servers first to determine the revocation status, and then the CRLs. Table 11-13 SSL Proxy Service Attributes (continued) Field Description 11-30 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Configuring SSL OCSP Service and provides this information when requested by OCSP clients. OCSP can provide latest information about the revocation status of the certificate. Use of OCSP removes the need to download and cache the CRLs which could be very large in sizes and impose large memory requirements on systems. You can configure a maximum of 64 OCSP server configurations system-wide on the ACE. You can configure all of these servers in a single or multiple contexts. Use this procedure to define the attributes that the ACE appliance is to use during SSL handshakes so that it can act as an SSL server. Assumption Configure OCSP on an associated proxy service. You can configure both OCSP and CRLs for authentication. Procedure Step 1 Select Config > Devices > context > SSL > OCSP Service. The OCSP Service table appears. Step 2 Click Add to add a new OCSP service, or select an existing service, then click Edit to modify it. The OCSP Service configuration screen appears. Step 3 In the Name field, enter a unique name for this OCSP service. Valid entries are alphanumeric strings with a maximum of 64 characters. This name is used when you apply this configuration to an SSL proxy service. Step 4 In the URL field, enter an HTTP based URL for the OCSP host name and optional port ID in the form of http://ocsp_hostname.com:port_id. If you do not specify a port ID, the ACE uses the default value of 2560. Step 5 Optionally, in the Request Signer’s Certificate field, you can select a filename for the signer certificate to sign the requests to the server. By default, the request is not signed. Step 6 Optionally, in the Response Signer’s Certificate field, you can select a filename for the signer certificate to verify the signature on the server responses. By default, the responses are not verified. Step 7 Check the Enable Nonce check box to enable the inclusion of the nonce in the requests to the server. By default, nonce is disabled. Clear the checkbox to disable the inclusion of the nonce in requests to the server. Step 8 In the TCP Connection Inactivity Timeout field, enter an integer from 2 to 3600 to specify the TCP connection inactivity timeout in seconds. The default is 300 seconds. Step 9 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE appliance. • Click Cancel to exit this procedure without saving your entries and to return to the OCSP Service table. • Click Next to save your entries and to add another proxy service. Related Topics • Configuring SSL, page 11-1 • Configuring SSL Proxy Service, page 11-27 11-31 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Enabling Client Authentication Enabling Client Authentication During the flow of a normal SSL handshake, the SSL server sends its certificate to the client. Then the client verifies the identity of the server through the certificate. However, the client does not send any identification of its own to the server. When you enable the client authentication feature on the ACE, it will require that the client send a certificate to the server. Then the server verifies the following information on the certificate: • A recognized CA issued the certificate. • The valid period of the certificate is still in effect. • The certificate signature is valid and not tampered. • The CA has not revoked the certificate. • At least one SSL certificate is available. Use the following procedures to enable or disable client authentication: • Configuring SSL Proxy Service, page 11-27 • Configuring SSL Authentication Groups, page 11-31 • Configuring CRLs for Client Authentication, page 11-33 Configuring SSL Authentication Groups You can specify the certificate authentication groups that the ACE uses during the SSL handshake and enable client authentication on this SSL-proxy service. The ACE includes the certificates configured in the group along with the certificate that you specified for the SSL proxy service. On the ACE, you can implement a group of certificates that are trusted as certificate signers by creating an authentication group. After creating the authentication group and assigning its certificates, then you can assign the authentication group to a proxy service in an SSL termination configuration to enable client authentication. For information on client authentication, see the “Enabling Client Authentication” section on page 11-31. For information on server authentication and assigning an authentication group, see the “Configuring SSL Proxy Service” section on page 11-27. Note You cannot create an authorization group in Building Blocks (Config > Global > All Building Blocks); You can only create SSL authentication groups while configuring virtual contexts in specific modules. Assumptions • At least one SSL certificate is available. • Your ACE supports authentication groups. See the Supported Devices Table for Cisco Application Networking Manager for details. Procedure Step 1 Choose Config > Devices > context > SSL > Auth Group Parameters. The Auth Group Parameters table appears. 11-32 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Enabling Client Authentication Step 2 In the Auth Group Parameters table, click Add to add an authentication group, or choose an existing authorization group and click Edit to modify it. The Auth Group Parameters configuration window appears. Step 3 In the Name field of the Auth Group Parameters configuration window, enter a unique name for the authorization group. Valid entries are alphanumeric strings with a maximum of 64 characters. Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The updated Auth Group Parameters window appears along with the Auth Group Certificates table. Continue with Step 5. • Click Cancel to exit the procedure without saving your entries and to return to the Auth Group Parameters table. • Click Next to deploy your entries and to add another entry to the Auth Group Parameters table. Step 5 In the Auth Group Certificate field, click Add to add an entry. The Auth Group Certificates configuration window appears. Note You cannot modify an existing entry in the Auth Group Certificates table. Instead, delete the entry, then add a new one. Step 6 In the Certificate Name field, choose the certificate to add to this authorization group. Step 7 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Auth Group Parameters table. • Click Next to deploy your entries and to add another entry to the Auth Group Parameters table. Step 8 You can repeat the previous step to add more certificates to the authorization group or click Deploy Now. Step 9 After you configure authorization group parameters, you can configure the SSL proxy service to use a CRL. See the “Configuring CRLs for Client Authentication” section on page 11-33. Note When you enable client authentication, a significant performance decrease may occur. Additional latency may occur when you configure CRL retrieval. Related Topics • Configuring SSL Chain Group Parameters, page 11-23 • Configuring CRLs for Client Authentication, page 11-33 11-33 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Enabling Client Authentication Configuring CRLs for Client Authentication You can configure the ACE to scan for CRLs and retrieve them. By default, ACE does not use certificate revocation lists (CRLs) during client authentication. You can configure the SSL proxy service to use a CRL by having the ACE scan each client certificate for the service to determine if it contains a CRL in the extension and then retrieve the value, if it exists. For more information about SSL termination on the ACE, see either the Cisco Application Control Engine Module SSL Configuration Guide or the Cisco ACE 4700 Series Appliance SSL Configuration Guide. Note The ACE supports the creation of a maximum of eight CRLs for any context. Note When you enable client authentication, a significant performance decrease may occur. Additional latency may occur when you configure CRL retrieval. Assumption A CRL cannot be configured on an SSL proxy without first configuring an authorization group. Procedure Step 1 Choose Config > Devices > context > SSL > Certificate Revocation Lists (CRLs). The Certificate Revocation Lists (CRLs) table appears. Step 2 In the Certificate Revocation Lists (CRLs) table, click Add to add a CRL, or choose an existing CRL and click Edit to modify it. The Certificate Revocation Lists (CRLs) window appears. Step 3 In the Certificate Revocation Lists (CRLs) window, enter the information in Table 11-14. Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The updated Certificate Revocation Lists (CRLs) table appears. • Click Cancel to exit the procedure without saving your entries and to return to the Certificate Revocation Lists (CRLs) table. • Click Next to deploy your entries and to add another entry to the Certificate Revocation Lists (CRLs) table. Table 11-14 SSL Certificate Revocation List Field Description Name CRL name. Valid entries are unquoted alphanumeric strings with a maximum of 64 characters. URL URL where the ACE retrieves the CRL. Valid entries are unquoted alphanumeric strings with a maximum of 255 characters. Only HTTP URLs are supported. ACE checks the URL and displays an error if it does not match. 11-34 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 11 Configuring SSL Enabling Client Authentication Related Topics • Configuring SSL Proxy Service, page 11-27 • Configuring SSL Authentication Groups, page 11-31 CHAPTER 12-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 12 Configuring Network Access Date: 3/28/12 This chapter describes how to configure network access using Cisco Application Networking Manager (ANM). Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This chapter includes the following sections: • Information About VLANs, page 12-2 • Configuring VLANs Using Cisco IOS Software (ACE Module), page 12-3 • Configuring Virtual Context VLAN Interfaces, page 12-6 • Configuring Virtual Context BVI Interfaces, page 12-19 • Configuring VLAN Interface NAT Pools, page 12-26 • Configuring Virtual Context Static Routes, page 12-28 • Configuring Global IP DHCP, page 12-29 • Configuring Static VLANs for Over 8000 Static NAT Configurations, page 12-31 • Configuring Gigabit Ethernet Interfaces on the ACE Appliance, page 12-32 • Configuring Port-Channel Interfaces for the ACE Appliance, page 12-35 12-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Information About VLANs Information About VLANs This section provides an overview of how the ACE module and appliance use VLANs. This section includes the following topics: • ACE Module VLANs, page 12-2 • ACE Appliance VLANs, page 12-2 ACE Module VLANs The ACE module does not include any external physical interfaces to receive traffic from clients and servers. Instead, it uses internal VLAN interfaces. You assign VLANs from the supervisor engine to the ACE. After the VLANs are assigned to the ACE, you can configure the corresponding VLAN interfaces on the ACE as either routed or bridged for use. When you configure an IP address on an interface, the ACE automatically makes it a routed mode interface. Similarly, when you configure a bridge group on an interface VLAN, the ACE automatically makes it a bridged interface. Then, you associate a bridge-group virtual interface (BVI) with the bridge group. For more information on bridged groups and BVIs, see the “Configuring Virtual Context BVI Interfaces” section on page 12-19. The ACE also supports shared VLANS, which are multiple interfaces in different contexts on the same VLAN within the same subnet. Only routed interfaces can share VLANs. Note that there is no routing across contexts even when shared VLANs are configured. Related Topics • Configuring VLANs Using Cisco IOS Software (ACE Module), page 12-3 • Configuring Virtual Context VLAN Interfaces, page 12-6 • Configuring Virtual Context BVI Interfaces, page 12-19 • Configuring Virtual Context Static Routes, page 12-28 • Configuring Global IP DHCP, page 12-29 ACE Appliance VLANs The ACE appliance has four physical Ethernet interface ports. All VLANs are allocated to the physical ports. After the VLANs are assigned, you can configure the corresponding VLAN interfaces as either routed or bridged for use. When you configure an IP address on an interface, the ACE appliance automatically makes it a routed mode interface. Similarly, when you configure a bridge group on an interface VLAN, the ACE appliance automatically makes it a bridged interface. Then, you associate a BVI with the bridge group. The ACE appliance also supports shared VLANs, which are multiple interfaces in different contexts on the same VLAN within the same subnet. Only routed interfaces can share VLANs. Note that there is no routing across contexts even when shared VLANs are configured. In routed mode, the ACE is considered a router hop in the network. In the Admin or user contexts, the ACE supports static routes only. The ACE supports up to eight equal cost routes for load balancing. 12-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring VLANs Using Cisco IOS Software (ACE Module) Related Topics • Configuring Virtual Context VLAN Interfaces, page 12-6 • Configuring Virtual Context BVI Interfaces, page 12-19 • Configuring Gigabit Ethernet Interfaces on the ACE Appliance, page 12-32 • Configuring Port-Channel Interfaces for the ACE Appliance, page 12-35 Configuring VLANs Using Cisco IOS Software (ACE Module) To allow the ACE module to receive traffic from the supervisor engine in the Catalyst 6500 series switch or Cisco 7600 series router, you must create VLAN groups on the supervisor engine and then assign the groups to the ACE module. After the VLAN groups are assigned to the ACE module, you can configure the VLAN interfaces on the ACE module. By default, all VLANs are allocated to the Admin context on the ACE module. This section includes the following topics: • Creating VLAN Groups Using Cisco IOS Software • Assigning VLAN Groups to the ACE Module Through Cisco IOS Software • Adding Switched Virtual Interfaces to the MSFC Creating VLAN Groups Using Cisco IOS Software In Cisco IOS software, you can create one or more VLAN groups and then assign the groups to the ACE module. For example, you can assign all the VLANs to one group, create an inside group and an outside group, or create a group for each customer. You cannot assign the same VLAN to multiple groups; however, you can assign up to a maximum of 16 groups to an ACE. VLANs that you want to assign to multiple ACEs, for example, can reside in a separate group from VLANs that are unique to each ACE. To assign VLANs to a group using Cisco IOS software on the supervisor engine, use the svclc vlan-group command. The syntax of this command is as follows: svclc vlan-group group_number vlan_range The arguments are as follows: • group_number—Number of the VLAN group. • vlan_range—One or more VLANs (2 to 1000 and 1025 to 4094) identified in one of the following ways: – A single number (n) – A range (n-x) Separate numbers or ranges by commas, as shown in this example: 5,7-10,13,45-100 For example, to create three VLAN groups, 50 with a VLAN range of 55 to 57, 51 with a VLAN range of 75 to 86, and 52 with VLAN 100, enter: Router(config)# svclc vlan-group 50 55-57 Router(config)# svclc vlan-group 51 70-86 12-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring VLANs Using Cisco IOS Software (ACE Module) Router(config)# svclc vlan-group 52 100 Related Topics • Assigning VLAN Groups to the ACE Module Through Cisco IOS Software, page 12-4 • Adding Switched Virtual Interfaces to the MSFC, page 12-5 Assigning VLAN Groups to the ACE Module Through Cisco IOS Software The ACE module cannot receive traffic from the supervisor engine unless you assign VLAN groups to it. To assign the VLAN groups to the ACE module using Cisco IOS software on the supervisor engine, use the svc module command in configuration mode. The syntax of this command is as follows: svc module slot_number vlan-group group_number_range The arguments are as follows: • slot_number—Slot number where the ACE module resides. To display slot numbers and the devices in the chassis, use the show module command in Exec mode. The ACE module appears as the Application Control Engine Module in the Card Type field. • group_number_range—One or more group numbers that are identified in one of the following ways: – A single number (n) – A range (n-x) Separate numbers or ranges by commas, as shown in this example: 5,7-10 For example, to assign VLAN groups 50 and 52 to the ACE module in slot 5, and VLAN groups 51 and 52 to the ACE module in slot 8, enter the following commands: Router(config)# svc module 5 vlan-group 50,52 Router(config)# svc module 8 vlan-group 51,52 To view the group configuration for the ACE module and the associated VLANs, use the show svclc vlan-group command. For example, enter the following commands: Router(config)# exit Router# show svclc vlan-group To view VLAN group numbers for all devices, use the show svc module command. For example, enter the following command: Router# show svc module Note Enter the show vlans command in Exec mode from the Admin context to display the ACE module VLANs that are downloaded from the supervisor engine. Related Topics • Creating VLAN Groups Using Cisco IOS Software, page 12-3 • Adding Switched Virtual Interfaces to the MSFC, page 12-5 12-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring VLANs Using Cisco IOS Software (ACE Module) Adding Switched Virtual Interfaces to the MSFC A VLAN defined on the Multilayer Switch Feature Card (MSFC) is called a switched virtual interface (SVI). If you assign the VLAN used for the SVI to the ACE module, then the MSFC routes between the ACE module and other Layer 3 VLANs. By default, only one SVI can exist between the MSFC and the ACE. However, for multiple contexts, you may configure multiple SVIs for unique VLANs on each context. Procedure: Step 1 (Optional) If you need to add more than one SVI to the ACE module, enter the following command: Router(config)# svclc multiple-vlan-interfaces Step 2 Add a VLAN interface to the MSFC. For example, to add VLAN 55, enter the following command: Router(config)# interface vlan 55 Step 3 Set the IP address for this interface on the MSFC. For example, to set the address 10.1.1.1 255.255.255.0, enter the following command: Router(config-if)# ip address 10.1.1.1 255.255.255.0 Step 4 Enable the interface. For example, enter the following command: Router(config-if)# no shut Note To monitor any VLAN that is associated with more than two trunk ports, physical ports, or trunk-physical ports on the supervisor engine, enable the autostate feature by using the svclc autostate command. When you associate a VLAN to these ports, autostate declares that the VLAN is up. When a VLAN state change occurs on the supervisor engine, autostate sends a notification to the ACE module to bring the interface up or down. To view this SVI configuration, use the show interface vlan command. For example, enter the following command: Router# show int vlan 55 Related Topics • Creating VLAN Groups Using Cisco IOS Software, page 12-3 • Assigning VLAN Groups to the ACE Module Through Cisco IOS Software, page 12-4 12-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context VLAN Interfaces Configuring Virtual Context VLAN Interfaces You can configure VLAN interfaces for virtual contexts on the ACE. Note The options that appear when you choose Config > Devices > context depend on the device associated with the virtual context and the role associated with your account. Assumptions This topic assumes the following: • A Layer 3/Layer 4 or Management policy map has been configured for this virtual context. For more information, see the “Configuring Traffic Policies” section on page 14-1. • An access control list has been configured for this virtual context. Entering an ACL name does not configure the ACL; you must configure the ACL on the ACE appliance. For more information, see the “Configuring Security with ACLs” section on page 6-78. Procedure Step 1 Choose Config > Devices > context > Network > VLAN Interfaces. The VLAN Interface table appears. Step 2 In the VLAN Interface table, click Poll Now to instruct ANM to poll the devices and display the current values and click OK when prompted if you want to poll the devices for data now. Step 3 Click Add to add a new VLAN interface, or choose an existing VLAN interface and click Edit to modify it. Note If you click Edit, not all of the fields can be modified. Step 4 Enter the VLAN interface attributes (see Table 12-1). Click More Settings to access the additional VLAN interface attributes. By default, ANM hides the default VLAN interface attributes and the VLAN interface attributes that are not commonly used. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Note If you create a fault-tolerant VLAN, do not use it for any other network traffic. Table 12-1 VLAN Interface Attributes Field Description VLAN VLAN identifier. Either accept the automatically incremented entry or enter a different value. Valid entries are from 2 to 4094. Description Brief description for this interface. 12-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context VLAN Interfaces Interface Type Role of the virtual context in the network topology of the VLAN interface: • Routed—In a routed topology, the ACE virtual context acts as a router between the client-side network and the server-side network. In this topology, every real server for the application must be routed through the ACE virtual context, either by setting the default gateway on each real server to the virtual contexts server-side VLAN interface address, or by using a separate router with appropriate routes configured between the ACE virtual context and the real servers. Note A routed VLAN interface can support both IPv4 and IPv6 addresses at the same time. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. • Bridged—In a bridged topology, the ACE virtual context bridges two VLANs, a client-side VLAN and a real-server VLAN, on the same subnet using a bridged virtual interface (BVI). In this case, the real server routing does not change to accommodate the ACE virtual context. Instead, the ACE virtual context becomes a “bump in the wire” that transparently handles traffic to and from the real servers. • Unknown—Choose Unknown if you are unsure of the network topology of the VLAN interface. IP Address Field that appears for the Routed Interface Type. Enter the IPv4 address assigned to this interface. This address must be a unique IP address that is not used in another context. Duplicate IP addresses in different contexts are not supported. If this interface is only used for IPv6 traffic, entering an IPv4 address is optional. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Alias IP Address Field that appears for the Routed interface type. Enter the IPv4 address of the alias that this interface is associated with. Peer IP Address Field that appears for the Routed interface type. Enter the IPv4 address of the remote peer. Netmask Field that appears for the Routed interface type. Choose the subnet mask to be used. BVI Field that appears for the Bridged interface type. Enter the number of the bridge group to be configured on this VLAN. When you configure a bridge group on a VLAN, the ACE automatically makes it bridged. Valid entries are from 1 to 4094. Admin Status Administrative state of the interface. Specify whether you want the interface to be Up or Down. Enable MAC Sticky Check box that instructs the ACE to convert dynamic MAC addresses to sticky secure MAC addresses and to add this information to the running configuration. Uncheck the check box to indicate that the ACE is not to convert dynamic MAC addresses to sticky secure MAC addresses. Table 12-1 VLAN Interface Attributes (continued) Field Description 12-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context VLAN Interfaces Enable Normalization Check box that specifies that normalization is to be enabled on this interface. Uncheck the check box to indicate that normalization is to be disabled on this interface for IPv4, IPv6, or both. The IPv6 option requires ACE module and ACE appliance software Version A5(1.0) or later. Caution Disabling normalization may expose your ACE and network to potential security risks. Normalization protects your networking environment from attackers by enforcing strict security policies that are designed to examine traffic for malformed or malicious segments. Enable IPv6 Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later, and for the Routed interface type. Check the check box to enable IPv6 on this interface. By default, IPv6 is disabled. The interface cannot be in bridged mode. When you enable IPv6, the ACE automatically does the following: • Configures a link-local address (if not previously configured) • Performs duplicate address detection (DAD) Clear the check box to indicate that IPv6 is disabled on this interface. IPv6 Global Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later, and for the Routed interface type. A global address is an IPv6 unicast address that is used for general IPv6 communication. Each global address is unique across the entire Internet. Therefore, its scope is global. The low order 64 bits can be assigned in several ways, including autoconfiguration using the EUI-64 format. You can configure only one globally unique IPv6 address on an interface. When you configure a global IPv6 address on an interface, the ACE automatically does the following: • Configures a link-local address (if not previously configured) • Performs duplicate address detection (DAD) on both addresses IPv6 Address To configure an IPv6 global address on an interface, enter a complete IPv6 address with a prefix of 2000::/3 to 3fff::/3. For example, enter 2001:DB8:1::0. Check the EUI-64 box to specify that the low order 64 bits are automatically generated in the IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix Length field must be less than or equal to 64 and the host segment must be all zeros. Alias IPv6 Address When you configure redundancy with active and standby ACEs, you can configure a VLAN interface that has an alias global IPv6 address that is shared between the active and standby ACEs. The alias IPv6 address serves as a shared gateway for the two ACEs in a redundant configuration. You can configure only one alias global IPv6 address on an interface. To configure an IPv6 alias global address, enter a complete IPv6 address with a prefix of 2000::/3 to 3fff::/3. For example, enter 2001:DB8:1::0. Note You must configure redundancy (fault tolerance) on the ACE for the alias global IPv6 address to work. Table 12-1 VLAN Interface Attributes (continued) Field Description 12-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context VLAN Interfaces Peer IPv6 Address To configure an IPv6 peer global address, enter a complete IPv6 address with a prefix of 2000::/3 to 3fff::/3. For example, enter 2001:DB8:1::0. Check the EUI-64 box to specify that the low order 64 bits are automatically generated in the IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix Length field must be less than or equal to 64 and the host segment must be all zeros. Note The IPv6 peer global address must be unique across multiple contexts on a shared VLAN. Check the EUI-64 box to specify that the low order 64 bits are automatically generated in the IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix Length field must be less than or equal to 64 and the host segment must be all zeros. Prefix Length Enter the prefix length for all global addresses to specify how many of the most significant bits (MSBs) are used for the network identifier. Enter an integer from 3 to 127. If you use the optional EUI-64 check box for the global and peer addresses, the prefix must be less than or equal to 64. IPv6 Unique-Local Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later, and for the Routed interface type. A unique local address is an optional IPv6 unicast address that is used for local communication within an organization and it is similar to a private IPv4 address (for example, 10.10.2.1). Unique local addresses have a global scope, but they are not routable on the internet, and they are assigned by a central authority. All unique local addresses have a predefined prefix of FC00::/7. You can configure only one IPv6 unique local address on an interface. IPv6 Address To configure a unique local address, enter a complete IPv6 address with an FC00::/7 prefix in the first field. In the second field after the /, enter the prefix length to specify how many of the most significant bits (MSBs) are used for the network identifier. Check the EUI-64 box to specify that the low order 64 bits are automatically generated in the IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix Length field must be less than or equal to 64 and the host segment must be all zeros. Peer IPv6 Address In a redundant configuration, you can configure an IPv6 peer unique local address on the active that is synchronized to the standby ACE. You can configure only one peer unique local IPv6 address on an interface. To configure a peer unique local address, enter a complete IPv6 address with an FC00::/7 prefix in the first field. In the second field after the /, enter the prefix length to specify how many of the most significant bits (MSBs) are used for the network identifier. Note The IPv6 peer unique local address must be unique across multiple contexts on a shared VLAN. Check the EUI-64 box to specify that the low order 64 bits are automatically generated in the IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix Length field must be less than or equal to 64 and the host segment must be all zeros. Prefix Length Enter the prefix length for all unique-local addresses to specify how many of the most significant bits (MSBs) are used for the network identifier. Enter an integer from 7 to 127. If you use the optional EUI-64 check box for the global and peer addresses, the prefix must be less than or equal to 64. Table 12-1 VLAN Interface Attributes (continued) Field Description 12-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context VLAN Interfaces IPv6 Link-Local Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later, and for the Routed interface type. By default, when you enable IPv6 or configure a global IPv6 address on an interface, the ACE automatically creates a link local address for it. Every link local address must have a predefined prefix of FE80::/10. You can configure only one IPv6 link local address on an interface. This address always has the prefix of 64. To manually configure the link local address, enter a complete IPv6 address with an FE80::/10 prefix in this field. For example, enter FE80:DB8:1::1. IPv6 Peer Link-Local Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later, and for the Routed interface type. In a redundant configuration, you can configure an IPv6 peer link local address for the standby ACE. You can configure only one peer link local address on an interface. To configure the peer link local address, enter a complete IPv6 address with an FE80::/10 prefix in this field. Note The IPv6 peer link local address must be unique across multiple contexts on a shared VLAN. Table 12-1 VLAN Interface Attributes (continued) Field Description 12-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context VLAN Interfaces More Settings Enable ICMP Guard For ACE module and ACE appliance software versions earlier than A5(1.0), this field does not include the IP version number check boxes and is for enabling the IPv4 version only. Check the IPv4, IPv6, or both check boxes to indicate that ICMP Guard is to be enabled on the ACE. Clear the check boxes to indicate that ICMP Guard is not to be enabled on ACE. Caution Disabling ICMP security checks may expose your ACE and network to potential security risks. When you disable ICMP Guard, the ACE appliance no longer performs NAT translations on the ICMP header and payload in error packets, which can potentially reveal real host IP addresses to attackers. Enable DHCP Relay For ACE module and ACE appliance software versions earlier than A5(1.0), this field does not include the IP version number check boxes and is for enabling the IPv4 version only. Check the IPv4, IPv6, or both check boxes to indicate that the ACE is to accept DHCP requests from clients on this interface and to enable the DHCP relay agent. For IPv6, link local address for the Clear the check boxes to indicate that the ACE is not to accept DHCP requests or enable the DHCP relay agent. Reverse Path Forwarding (RPF) For ACE module and ACE appliance software versions earlier than A5(1.0), this field does not include the IP version number check boxes and is for enabling the IPv4 version only. Check the IPv4, IPv6, or both check boxes to indicate that the ACE is to discard IP packets if no reverse route is found or if the route does not match the interface on which the packets arrived. Clear the check boxes to indicate that the ACE is not to filter or discard packets based on the ability to verify the source IP address. Reassembly Timeout (Seconds) Enter the number of seconds that the ACE appliance is to wait before it abandons the fragment reassembly process if it doesn’t receive any outstanding fragments for the current fragment chain (that is, fragments belonging to the same packet). • For IPv4, valid entries are 1 to 30 seconds. The default is 5. • For IPv6, valid entries are 1 to 60 seconds. The default is 60. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Max. Fragment Chains Allowed Enter the maximum number of fragments belonging to the same packet that the ACE appliance is to accept for reassembly. For IPv4 and IPv6, valid entries are integers from 1 to 256. The default is 24. Min. Fragment MTU Value Enter the minimum fragment size that the ACE appliance accepts for reassembly for a VLAN interface. • For IPv4, valid entries are 28 to 9216 bytes. The default is 576. • For IPv6, valid entries are 56 to 9216 bytes. The default is 1280. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Table 12-1 VLAN Interface Attributes (continued) Field Description 12-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context VLAN Interfaces Action For IP Header Options For ACE module and ACE appliance software versions earlier than A5(1.0), this field does not include the IP version number and is for IPv4 only. Choose the IPv4, IPv6, or both action the ACE appliance is to take when an IP option is set in a packet: • Allow—Indicates that the ACE appliance is to allow the IP packet with the IP options set. • Clear—Indicates that the ACE appliance is to clear all IP options from the packet and to allow the packet. • Clear-Invalid—Indicates that the ACE appliance is to clear the invalid IP options from the packet and then allow the packet. This action is the default for IPv4. • Drop—Indicates that the ACE appliance is to discard the packet regardless of any options that are set. This action is the default for IPv6. Enable MAC Address Autogenerate MAC address autogenerate option, which allows you to configure a different MAC address for the VLAN interface. Min. TTL IP Header Value Minimum number of hops that a packet is allowed to reach its destination. Valid entries are from 1 to 255. This field is applicable for IPv4 and IPv6 traffic. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Each router along the path decrements the TTL by one. If the packet TTL reaches zero before the packet reaches its destination, the packet is discarded. MTU Value Number of bytes for Maximum Transmission Units (MTUs). Valid entries are from 68 to 9216. The default is 1500. Enable Syn Cookie Threshold Value Field that is applicable for ACE module software Version A2(1.0) and later, and ACE appliance software Version A3(1.0) and later. Embryonic connection threshold above which the ACE applies SYN-cookie DoS protection. Valid entries are as follows: • 2 to 65535 for ACE module software versions earlier than A4(1.0). • 1 to 65535 for ACE module software Version A4(1.0) and later, and ACE appliance software Version A3(1.0) and later. Action For DF Bit Action that the ACE takes when a packet has its DF (Don’t Fragment) bit set in the IP header. Choose one of the following settings: • Allow—The ACE permits the packet with the DF bit set. If the packet is larger than the next-hop MTU, ACE discards the packet and sends an ICMP unreachable message to the source host. This is the default. • Clear—The ACE clears the DF bit and permit the packet. If the packet is larger than the next-hop MTU, the ACE fragments the packet. Table 12-1 VLAN Interface Attributes (continued) Field Description 12-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context VLAN Interfaces ARP Inspection Type Type of ARP inspection, which prevents malicious users from impersonating other hosts or routers, known as ARP spoofing. ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an ARP request to the gateway router. The gateway router responds with the gateway router MAC address. By default, ARP inspection is disabled on all interfaces, allowing all ARP packets through the ACE. When you enable ARP inspection, the ACE appliance uses the IP address and interface ID (ifID) of an incoming ARP packet as an index into the ARP table. ARP inspection operates only on ingress bridged interfaces. Note If ARP inspection fails, then the ACE does not perform source MAC validation. Choices are as follows: • N/A—ARP inspection is disabled. • Flood—Enables ARP forwarding of nonmatching ARP packets. The ACE appliance forwards all ARP packets to all interfaces in the bridge group. This setting is the default. In the absence of a static ARP entry, this option bridges all packets. • No Flood—Disables ARP forwarding for the interface and drops nonmatching ARP packets. In the absence of a static ARP entry, this option does not bridge any packets. UDP Config Commands UDP boost command options: • N/A—Not applicable. • IP Destination Hash—Performs destination IP hash during connection. • IP Source Hash—Performs source IP hash during connection lookup. Table 12-1 VLAN Interface Attributes (continued) Field Description 12-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context VLAN Interfaces Secondary IP Groups Option that is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of both device types. This option displays only when Interface Type is set to Routed. The number of secondary IP groups that you can enter for a VLAN depends on the ACE release as follows: • ACE module A2(3.0) and ACE appliance A4(1.0)—Up to 4 secondary IP groups. • ACE module A2(3.1) and later—Up to 15 secondary IP groups. The IP, alias IP, and peer IP addresses of each Secondary IP group should be in the same subnet. Note You cannot configure secondary IP addresses on FT VLANs. To create secondary IP groups for the VLAN, do the following: a. Define one or more of the following secondary IP address types: – IP—Secondary IP address assigned to this interface.The primary address must be active for the secondary address to be active. – AliasIP—Secondary IP address of the alias associated with this interface. – PeerIP—Secondary IP address of the remote peer. – Netmask—Secondary subnet mask to be used. The ACE has a system limit of 1,024 for each secondary IP address type. b. Click Add to selection (right arrow) to add the group to the group display area. c. Repeat the first two steps for each additional group. d. (Optional) Rearrange the order in which the groups are listed by selecting one of the group listings in the group display area and click either Move item up in list (up arrow) or Move item down in list (down arrow). Note that the ACE does not care what order the groups are in. e. (Optional) Edit a group or remove it from the list by selecting the desired group in the group display area and click Remove from selection (left arrow). Input Policies Policy map that is associated with this VLAN interface. From the Available list, double-click a policy map name or use the right arrow to move it to the Selected list. This policy map is to be applied to the inbound direction of the interface; that is, all traffic received by this interface. If you choose more than one policy map, use the Up and Down arrows to choose the priority of the policy map in the Selected list. These arrows modify the order of the policy maps for new VLANs only; they do not modify the policy map order when editing an existing policy map. Input Access Group ACL input access group to be associated with this VLAN interface. From the Available list, double-click an ACL name or use the right arrow to move it to the Selected list. Any ACL group listed in the Selected list specifies that this access group is to be applied to the inbound direction of the interface. Output Access Group ACL output access group that is associated with this VLAN interface. From the Available list, double-click an ACL name or use the right arrow to move it to the Selected list. Any ACL group listed in the Selected list specifies that this access group is to be applied to the outbound direction of the interface; that is, all traffic sent by this interface. Table 12-1 VLAN Interface Attributes (continued) Field Description 12-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context VLAN Interfaces Static ARP Entry (IP/MAC Address) Static ARP entry. Do the following: a. In the ARP IP Address field, enter the IP address. This field accepts IPv4 addresses only. b. In the ARP MAC Address field, enter the hardware MAC address for the ARP table entry (for example, 00.02.9a.3b.94.d9). c. When completed, use the right arrow to move the static ARP entry to the list box. Use the Up and Down arrows to choose the priority of the static ARP entry in the list box. These arrows modify the order of the static ARPs for new VLANs only; they do not modify the static ARP order when editing an existing policy map. DHCP Relay Configuration Enter the IPv4 address of the DHCP server to which the DHCP relay agent is to forward client requests. Enter the IP address in dotted-decimal notation, such as 192.168.11.2. IPv6 DHCP Forward Interface VLAN Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. Enter the VLAN to forward all received client requests with destination being the IPv6 DHCP address configured in the IPv6 DHCP Relay Configuration field. IPv6 DHCP Relay Configuration Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. Enter the IPv6 address for the DHCP server where the DHCP relay agent forwards client requests. Select the VLAN when the server address is a link local address. Note When you enter a DHCPv6 server global IPv6 address, a VLAN is not required. Managed-Config Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. Check box to indicate that the interface use the stateful autoconfiguration mechanism to configure IPv6 addresses. Uncheck the check box to indicate that the interface does not use the stateful autoconfiguration mechanism to configure IPv6 addresses. Other-Config Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. Check box to indicate that the interface use the stateful autoconfiguration mechanism to configure parameters other than IPv6 addresses. Uncheck the check box to indicate that the interface does not use the stateful autoconfiguration mechanism to configure parameters other than IPv6 addresses. NS Interval Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. The ACE sends neighbor solicitation messages through ICMPv6 on the local link to determine the IPv6 addresses of nearby nodes (hosts or routers). You can configure the rate at which the ACE sends these neighbor solicitation messages. By default, the interval at which the ACE sends NS messages for DAD default is 1000 milliseconds (msecs). To configure the interval, enter an integer from 1000 to 2147483647. NS Reachable Time Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. The neighbor solicitation reachable time is the time period in milliseconds during which a host considers the peer is reachable after a reachability confirmation from the peer. A reachability confirmation can include neighbor solicitation or advertisement, or any upper protocol traffic. By default, this time period is 0 milliseconds. To configure this time, enter an integer from 0 to 3600000. Table 12-1 VLAN Interface Attributes (continued) Field Description 12-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context VLAN Interfaces Retransmission time Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. By default, the advertised retransmission time is 0 milliseconds. To configure the retransmission time, enter an integer from 0 to 3600000. DAD Attempts Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. By default, the number of attempts for sending duplicate address detection (DAD) is 1. To configure the DAD attempts, enter an integer from 0 to 255. RA Hop Limit Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. By default, the hop limit that neighbors should use when originating IPv6 packets is 64. To configure the hop limit in the IPv6 header, enter an integer from 0 to 255. RA Lifetime Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. The router advertisement lifetime is the length of time that neighboring nodes should consider the ACE as the default router before they send RS messages again. By default, this length of time is 1800 seconds (30 minutes). To configure the RA lifetime, enter an integer from 0 to 9000. RA Interval Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. By default, the rate at which the ACE sends RA messages is 600 seconds. To configure the rate, enter an integer from 4 to 1800. Suppress RA Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. Check box to instruct the ACE to not respond to RS messages. The ACE also stops periodic unsolicited RAs that it sends at the RA interval. By default, the ACE automatically responds to RS messages that it receives from neighbors with RA messages that include, for example, the network prefix. You can instruct the ACE to not respond to RS messages. Uncheck the check box to reset the default behavior of automatically responding to RS messages. IPv6 Router Prefix Advertisement Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. Click the Add button to configure the IPv6 prefixes that the ACE advertises in RA messages on the local link. IPv6 Address/Prefix Length To configure IPv6 address advertised in the RA messages, enter a complete IPv6 address in the first field. In the second field after the /, enter the prefix length to specify how many of the most significant bits (MSBs) are used for the network identifier. No Advertisements Check the check box to indicate that the route prefix is not advertised. Clear the check box to indicate that the route prefix is advertised. Table 12-1 VLAN Interface Attributes (continued) Field Description 12-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context VLAN Interfaces Step 5 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click Cancel to exit this procedure without saving your entries and to return to the previous window. Step 6 (Optional) To display statistics and status information for a VLAN interface, choose the VLAN interface from the VLAN Interface table, then click Details. The show interface vlan CLI command output appears. See the “Displaying VLAN Interface Statistics and Status Information” section on page 12-18 for details. Related Topics • Configuring VLAN Interface NAT Pools, page 12-26 • Displaying All VLAN Interfaces, page 12-18 • Displaying VLAN Interface Statistics and Status Information, page 12-18 Lifetime Configure the prefix lifetime attributes as follows: • Lifetime Duration: – Valid Lifetime—By default, the prefix lifetime is 2592000 seconds (30 days). To configure the prefix lifetime in seconds, enter an integer from 0 to 2147183647. Select Infinite to indicate that the prefix never expires. – Preferred Lifetime—By default, the prefix lifetime is 604800 seconds (10 days).To configure how long an IPv6 address remains preferred in seconds, enter an integer from 0 to 2147183647. This lifetime must not exceed the Valid Lifetime. Select Infinite to indicate that the preferred lifetime never expires. • Lifetime Expiration Date: – Valid Month/Day/Year/Time—Valid lifetime expiration date and time. – Preferred Month/Day/Year/Time—Preferred lifetime expiration date and time. Use the drop-down lists to select a day, month, and year. To specify the time, use the hh:mm format. Off-link This option appears when you enter a Preferred Lifetime field. Check this check box to indicate that the route prefix is on a different subnet for a router to route to it. Clear the check box to indicate that the route prefix is on the same subnet for a router to route to it. No-autoconfig This option appears when you enter a Preferred Lifetime field. Check this check box to indicate to the host that it cannot use this prefix when creating an stateless IPv6 address. Clear the check box to indicate to the host that it can use this prefix when creating an stateless IPv6 address. Table 12-1 VLAN Interface Attributes (continued) Field Description 12-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context VLAN Interfaces Displaying All VLAN Interfaces You can display all of the VLAN interfaces associated with a specific virtual context by choosing Config > Devices > context > Network > VLAN Interfaces. The VLAN Interface table appears with the information shown in Table 12-2. Related Topics • Configuring Virtual Context VLAN Interfaces, page 12-6 • Configuring Virtual Context BVI Interfaces, page 12-19 • Displaying VLAN Interface Statistics and Status Information, page 12-18 Displaying VLAN Interface Statistics and Status Information You can display statistics and status information for a particular VLAN interface. Procedure Step 1 Choose Config > Devices > context > Network > VLAN Interfaces. The VLAN Interfaces table appears. Step 2 Choose a VLAN interface from the VLAN Interfaces table, and click Details. The show interface vlan, show ipv6 interface vlan, and show ipv6 neighbors CLI commands appears. The IPv6 commands require ACE module and ACE appliance software Version A5(1.0) or later. Click on the command to display its output. For details on the displayed output fields, see either the Cisco ACE Module Routing and Bridging Configuration Guide or the Cisco ACE 4700 Series Appliance Routing and Bridging Configuration Guide. Table 12-2 VLAN Interface Table Fields Field Description VLAN VLAN number. Description Description for this interface. Interface Type Role of the virtual context in the network topology of the VLAN interface. IP Address IP address assigned to this interface including the netmask for an IPv4 address or a prefix length for an IPv6 address. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. This table does not display the IPv6 link-local, unique-local, and multicast addresses for the interface. To display these addresses, click Details to display the output for the show ipv6 vlan command. IPv6 Config Status The status whether IPv6 is enabled or disabled on the interface. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Admin Status Status of the interface, which can be Up or Down. Operational Status Operational state of the device (Up or Down). Last Polled Date and time of the last time that ANM polled the device to display the current values. 12-19 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context BVI Interfaces Step 3 Click Update Details to refresh the output for the show interface vlan CLI command. Step 4 Click Close to return to the VLAN Interfaces table. Related Topics • Configuring Virtual Context VLAN Interfaces, page 12-6 • Displaying All VLAN Interfaces, page 12-18 Configuring Virtual Context BVI Interfaces You can configure Bridge-Group Virtual Interfaces (BVI) for virtual contexts. The ACE supports virtual contexts containing BVI interfaces. You can configure two interface VLANs into a group and bridge packets between them. All interfaces are in one broadcast domain and packets from one VLAN are switched to the other VLAN. The ACE bridge mode supports only two Layer 2 VLANs per bridge group. Note The options that appear when you choose Config > Devices > context depend on the device associated with the virtual context and the role associated with your account. This section includes the following topics: • Configuring BVI Interfaces for a Virtual Context, page 12-19 • Displaying All BVI Interfaces by Context, page 12-25 • Displaying BVI Interface Statistics and Status Information, page 12-26 Configuring BVI Interfaces for a Virtual Context You can configure BVI interfaces for a virtual context. Procedure Step 1 Choose Config > Devices > context > Network > BVI Interfaces. The BVI Interface configuration table appears. Step 2 Click Poll Now to instruct ANM to poll the devices and display the current values, and click OK when prompted if you want to poll the devices for data now. Step 3 Click Add to add a new BVI interface. Step 4 Enter the interface attributes (see Table 12-3). Note When you create or edit a virtual context BVI, if either of the two VLANs do not exist, ANM creates the VLAN and populates the BVI with the description specified in the BVI Interface window. If you delete the BVI and there are values specified in either of the two VLAN fields, ANM removes the BVI value from the VLAN. 12-20 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context BVI Interfaces Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Table 12-3 BVI Interface Attributes Field Description BVI BVI identifier. Either accept the automatically incremented entry or enter a different, unique value for the BVI. Valid entries are from 1 to 4094. Description Brief description for this interface. IP Address IPv4 address assigned to this interface. This address must be a unique IP address that is not used in another context. Duplicate IP addresses in different contexts are not supported. Note If this interface is only used for IPv6 traffic, entering an IPv4 address is optional. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. Alias IP Address IPv4 address of the alias that this interface is associated with. Peer IP Address IPv4 address of the remote peer. Netmask Subnet mask to be used. Admin Status Administrative state of the interface: Up or Down. Secondary IP Groups Option that is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type. The number of secondary IP groups that you can enter for a BVI depends on the ACE release as follows: • ACE module A2(3.0) and ACE appliance A4(1.0)—Up to 4 secondary IP groups. • ACE module A2(3.1) and later—Up to 15 secondary IP groups. To create secondary IP groups for this BVI, do the following: a. Define one or more of the following secondary IP address types: – IP—Secondary IP address assigned to this interface.The primary address must be active for the secondary address to be active. – AliasIP—Secondary IP address of the alias associated with this interface. – PeerIP—Secondary IP address of the remote peer. – Netmask—Secondary subnet mask to be used. The ACE has a system limit of 1,024 for each secondary IP address type. b. Click Add to selection (right arrow) to add the group to the group display area. c. Repeat the first two steps for each additional group. d. (Optional) Rearrange the order in which the groups are listed by selecting one of the group listings in the group display area and click either Move item up in list (up arrow) or Move item down in list (down arrow). Note that the ACE does not care what order the groups are in. e. (Optional) Edit a group or remove it from the list by selecting the desired group in the group display area and click Remove from selection (left arrow). First VLAN First VLAN whose bridge group is to be configured with this BVI. This VLAN can be the server or client VLAN. Valid entries are from 2 to 4094. 12-21 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context BVI Interfaces First VLAN Description Brief description for the first VLAN. Second VLAN Second VLAN whose bridge group is to be configured with this BVI. This VLAN can be the server or client VLAN. Valid entries are from 2 to 4094. Second VLAN Description Brief description for the second VLAN. Enable IPv6 Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. Check box to enable IPv6 on this interface. By default, IPv6 is disabled. The interface cannot be in bridged mode. When you enable IPv6, the ACE automatically does the following: • Configures a link-local address (if not previously configured) • Performs duplicate address detection (DAD) on both addresses Uncheck the check box to indicate that IPv6 is disabled on this interface. IPv6 Global Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. A global address is an IPv6 unicast address that is used for general IPv6 communication. Each global address is unique across the entire Internet. Therefore, its scope is global. The low order 64 bits can be assigned in several ways, including autoconfiguration using the EUI-64 format. You can configure only one globally unique IPv6 address on an interface. When you configure a global address, the ACE automatically does the following: • Configures a link-local address (if not previously configured) • Performs duplicate address detection (DAD) on both addresses IPv6 Address To configure an IPv6 global address on an interface, enter a complete IPv6 address with a prefix of 2000::/3 to 3fff::/3. For example, enter 2001:DB8:1::0. Check the EUI-64 check box to specify that the low order 64 bits are automatically generated in the IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix Length field must be less than or equal to 64 and the host segment must be all zeros. Alias IPv6 Address When you configure redundancy with active and standby devices, you can configure a VLAN interface that has an alias global IPv6 address that is shared between the active and standby devices. The alias IPv6 address serves as a shared gateway for the two ACEs in a redundant configuration. You can configure only one alias global IPv6 address on an interface. To configure an IPv6 alias global address, enter a complete IPv6 address with a prefix of 2000::/3 to 3fff::/3. For example, enter 2001:DB8:1::0. Note You must configure redundancy (fault tolerance) on the ACE for the alias global IPv6 address to work. Table 12-3 BVI Interface Attributes (continued) Field Description 12-22 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context BVI Interfaces Peer IPv6 Address To configure an IPv6 peer global address, enter a complete IPv6 address with a prefix of 2000::/3 to 3fff::/3. For example, enter 2001:DB8:1::0. Check the EUI-64 box to specify that the low order 64 bits are automatically generated in the IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix Length field must be less than or equal to 64 and the host segment must be all zeros. Note The IPv6 peer global address must be unique across multiple contexts on a shared VLAN. Prefix Length Enter the prefix length for all global addresses to specify how many of the most significant bits (MSBs) are used for the network identifier. Enter an integer from 1 to 128. If you use the optional EUI-64 check box for the global and peer addresses, the prefix must be less than or equal to 64. IPv6 Unique-Local Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. A unique local address is an optional IPv6 unicast address that is used for local communication within an organization and it is similar to a private IPv4 address (for example, 10.10.2.1). Unique local addresses have a global scope, but they are not routable on the internet, and they are assigned by a central authority. All unique local addresses have a predefined prefix of FC00::/7. You can configure only one IPv6 unique local address on an interface. IPv6 Address To configure a unique local address, enter a complete IPv6 address with an FC00::/7 prefix in the first field. In the second field after the /, enter the prefix length to specify how many of the most significant bits (MSBs) are used for the network identifier. Check the EUI-64 box to specify that the low order 64 bits are automatically generated in the IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix Length field must be less than or equal to 64 and the host segment must be all zeros. Peer IPv6 Address In a redundant configuration, you can configure an IPv6 peer unique local address on the active that is synchronized to the standby ACE. You can configure only one peer unique local IPv6 address on an interface. To configure a peer unique local address, enter a complete IPv6 address with an FC00::/7 prefix in the first field. In the second field after the /, enter the prefix length to specify how many of the most significant bits (MSBs) are used for the network identifier. Note The IPv6 peer unique local address must be unique across multiple contexts on a shared VLAN. Check the EUI-64 box to specify that the low order 64 bits are automatically generated in the IEEE 64-bit Extended Unique Identifier (EUI-64) format specified in RFC 2373. To use EUI-64, the Prefix Length field must be less than or equal to 64 and the host segment must be all zeros. Prefix Length Enter the prefix length for all global addresses to specify how many of the most significant bits (MSBs) are used for the network identifier. Enter an integer from 1 to 128. If you use the optional EUI-64 check box for the global and peer addresses, the prefix must be less than or equal to 64. Table 12-3 BVI Interface Attributes (continued) Field Description 12-23 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context BVI Interfaces IPv6 Link-Local Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. By default, when you enable IPv6 or configure any other valid IPv6 address on an interface, the ACE automatically creates a link local address for it. Every link local address must have a predefined prefix of FE80::/10. You can configure only one IPv6 link local address on an interface. This address always has the prefix of 64. To manually configure the link local address, enter a complete IPv6 address with an FE80::/10 prefix in this field. For example, enter FE80:DB8:1::1 IPv6 Peer Link-Local Address Field that appears only for ACE module and ACE appliance software Version A5(1.0) or later. In a redundant configuration, you can configure an IPv6 peer link local address for the standby ACE. You can configure only one peer link local address on an interface. To configure the peer link local address, enter a complete IPv6 address with an FE80::/10 prefix in this field. Note The IPv6 peer link local address must be unique across multiple contexts on a shared VLAN. More Settings (The More Seetings option appears only for ACE module and ACE appliance software Version A5(1.0) or later.) Managed-Config Check box to indicate that the interface use the stateful autoconfiguration mechanism to configure IPv6 addresses. Uncheck the check box to indicate that the interface does not use the stateful autoconfiguration mechanism to configure IPv6 addresses. Other-Config Check box to indicate that the interface use the stateful autoconfiguration mechanism to configure parameters other than IPv6 addresses. Clear the check box to indicate that the interface does not use the stateful autoconfiguration mechanism to configure parameters other than IPv6 addresses. NS Interval The ACE sends neighbor solicitation messages through ICMPv6 on the local link to determine the IPv6 addresses of nearby nodes (hosts or routers). You can configure the rate at which the ACE sends these neighbor solicitation messages. By default, the interval at which the ACE sends NS messages for DAD default is 1000 milliseconds (msecs). To configure the interval, enter an integer from 1000 to 2147483647. NS Reachable Time The neighbor solicitation reachable time is the time period in milliseconds during which a host considers the peer is reachable after a reachability confirmation from the peer. A reachability confirmation can include neighbor solicitation or advertisement, or any upper protocol traffic. By default, this time period is 0 milliseconds. To configure this time, enter an integer from 0 to 3600000. Retransmission time By default, the advertised retransmission time is 0 milliseconds. To configure the retransmission time, enter an integer from 0 to 3600000. DAD Attempts By default, the number of attempts for sending duplicate address detection (DAD) is 1. To configure the DAD attempts, enter an integer from 0 to 255. RA Hop Limit By default, the hop limit that neighbors should use when originating IPv6 packets is 64. To configure the hop limit in the IPv6 header, enter an integer from 0 to 255. Table 12-3 BVI Interface Attributes (continued) Field Description 12-24 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context BVI Interfaces RA Lifetime The RA lifetime is the length of time that neighboring nodes should consider the ACE as the default router before they send RS messages again. By default, this length of time is 1800 seconds (30 minutes). To configure the RA lifetime, enter an integer from 0 to 9000. RA Interval By default, the rate at which the ACE sends RA messages is 600 seconds. To configure the rate, enter an integer from 4 to 1800. Suppress RA By default, the ACE automatically responds to RS messages that it receives from neighbors with RA messages that include, for example, the network prefix. You can instruct the ACE to not respond to RS messages. Check the check box to instruct the ACE to not respond to RS messages. Clear the check box to reset the default behavior of automatically responding to RS messages. IPv6 Router Advertisement Settings Click the Add button to configure the IPv6 prefixes that the ACE advertises in RA messages on the local link. IPv6 Address/Prefix Length To configure IPv6 address advertised in the RA messages, enter a complete IPv6 address in the first field. In the second field after the /, enter the prefix length to specify how many of the most significant bits (MSBs) are used for the network identifier. No Advertisements Check the check box to indicate that the route prefix is not advertised. Clear the check box to indicate that the route prefix is advertised. Lifetime Configure the prefix lifetime attributes as follows: • Lifetime Duration: – Valid Lifetime—By default, the prefix lifetime is 2592000 seconds (30 days). To configure the prefix lifetime in seconds, enter an integer from 0 to 2147183647. Select Infinite to indicate that the prefix never expires. – Preferred Lifetime—By default, the prefix lifetime is 604800 seconds (10 days).To configure how long an IPv6 address remains preferred in seconds, enter an integer from 0 to 2147183647. This lifetime must not exceed the Valid Lifetime. Select Infinite to indicate that the preferred lifetime never expires. • Lifetime Expiration Date: – Valid Month/Day/Year/Time—Valid lifetime expiration date and time. – Preferred Month/Day/Year/Time—Preferred lifetime expiration date and time. Use the drop-down lists to select a day, month, and year. To specify the time, use the hh:mm format. Table 12-3 BVI Interface Attributes (continued) Field Description 12-25 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context BVI Interfaces Step 5 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click Cancel to exit this procedure without saving your entries and to return to the previous table. Step 6 To display statistics and status information for a BVI interface, choose the BVI interface from the BVI Interface table, and click Details. The show interface bvi, show ipv6 interface bvi, and show ipv6 neighbors CLI command outputs appears. IPv6 commands requires ACE module and ACE appliance software Version A5(1.0) or later. See the “Displaying BVI Interface Statistics and Status Information” section on page 12-26 for details. Related Topics • Configuring Network Access, page 12-1 • Configuring Virtual Context Primary Attributes, page 6-14 Displaying All BVI Interfaces by Context You can display all of the BVI interfaces associated with a specific context by choosing Config > Devices > context > Network > BVI Interfaces. The BVI Interface table appears with the information shown in Table 12-4. Off-link This option appears when you enter a Preferred Lifetime field. Check this check box to indicate that the route prefix is on a different subnet for a router to route to it. Clear the check box to indicate that the route prefix is on the same subnet for a router to route to it. No-autoconfig This option appears when you enter a Preferred Lifetime field. Check this check box to indicate to the host that it cannot use this prefix when creating an stateless IPv6 address. Clear the check box to indicate to the host that it can use this prefix when creating an stateless IPv6 address. Table 12-3 BVI Interface Attributes (continued) Field Description Table 12-4 BVI Interface Fields Field Description BVI Name of the BVI interface. Description Description for the BVI interface. IP Address IP address assigned to this interface including the netmask for an IPv4 address or a prefix length for an IPv6 address. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. IPv6 Config Status The status whether IPv6 is enabled or disabled on the interface. IPv6 requires ACE module and ACE appliance software Version A5(1.0) or later. 12-26 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring VLAN Interface NAT Pools Related Topics • Displaying BVI Interface Statistics and Status Information, page 12-26 Displaying BVI Interface Statistics and Status Information You can display statistics and status information for a particular BVI interface by using the Details button. Procedure Step 1 Choose Config > Devices > context > Network > BVI Interfaces. The BVI Interface table appears. Step 2 In the BVI Interface table, choose a BVI interface from the BVI Interface table, and click Details. The show interface bvi, show ipv6 interface bvi, and show ipv6 neighbors CLI command outputs appear. The IPv6 commands require ACE module and ACE appliance software Version A5(1.0) or later. For details about the displayed output fields, see either the Cisco ACE Module Routing and Bridging Configuration Guide or the Cisco ACE 4700 Series Appliance Routing and Bridging Configuration Guide. Step 3 Click Update Details to refresh the command output. Step 4 Click Close to return to the BVI Interface table. Related Topics • Displaying All BVI Interfaces by Context, page 12-25 Configuring VLAN Interface NAT Pools You can configure Network Address Translation (NAT) pools for a VLAN interface. NAT is designed to simplify and conserve IP addresses. It allows private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks, and translates the private (not globally unique) addresses in the internal network into legal addresses before the packets are forwarded to another network. The ACE allows you to configure NAT so that it advertises only one address for the entire network to the outside world. This feature, which effectively hides the entire internal network behind that address, offers both security and address conservation. Admin Status Status of the interface, which can be Up or Down. Operational Status Operational state of the device (Up or Down). Last Polled Date and time of the last time that ANM polled the device to display the current values. Table 12-4 BVI Interface Fields (continued) Field Description 12-27 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring VLAN Interface NAT Pools Several internal addresses can be translated to only one or a few external addresses by using Port Address Translation (PAT) in conjunction with NAT. With PAT, you can configure static address translations at the port level and use the remainder of the IP address for other translations. PAT effectively extends NAT from one-to-one to many-to-one by associating the source port with each flow. Note The options that appear when you choose Config > Devices > context depend on the device associated with the virtual context and the role associated with your account. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Note When server load balancing is IPv6 to IPv4 or IPv4 to IPv6, you must configure source NAT. Assumption You have successfully configured at least one VLAN interface (see the “Configuring Virtual Context VLAN Interfaces” section on page 12-6). Procedure Step 1 Choose Config > Devices > context > Network > NAT Pools. The NAT Pools table appears. Step 2 In the NAT Pools table, click Add to add a new NAT pool, or choose an existing NAT pool and click Edit to modify it. Note If you click Edit, not all of the fields can be modified. Step 3 Choose the VLAN interface that you want to configure a NAT pool for and click the NAT Pool tab. The NAT Pool configuration table appears. Step 4 In the NAT Pool configuration table, click Add to add a new entry. Step 5 In the VLAN ID field, from the drop-down list, choose a VLAN entry. Step 6 In the NAT Pool ID field, either accept the automatically incremented entry or enter a new number to uniquely identify this pool. Valid entries are from 1 to 2147483647. Step 7 In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. Step 8 In the Start IP Address field, enter an IP address for the selected IP Address Type. This entry identifies either a single IP address or, if using a range of IP addresses, the first IP address in a range of global addresses for this NAT pool. Step 9 In the End IP Address field, enter the highest IP address in a range of global IP addresses for this NAT pool. 12-28 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Virtual Context Static Routes Enter the IP address for the selected IP Address Type. Leave this field blank if you want to identify only the single IP address in the Start IP Address field. Step 10 Depending on the IP address type that you chose, do one of the following: • For IPv4, in the Netmask field, choose the subnet mask for the global IP addresses in the NAT pool. • For IPv6, in the Prefix Length field, enter the prefix length for the global IP addresses in the NAT pool. Step 11 Check the PAT Enabled check box to instruct the ACE to perform port address translation (PAT) in addition to NAT. Uncheck the check box to indicate that the ACE is not to perform port address translation (PAT) in addition to NAT. Step 12 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click Cancel to exit this procedure without saving your entries and to return to the NAT Pools table. • Click Next to deploy your entries and to add another NAT Pool entry. Related Topics • Configuring Virtual Context VLAN Interfaces, page 12-6 • Configuring Virtual Context BVI Interfaces, page 12-19 Configuring Virtual Context Static Routes You can configure context static routes. Admin and user context modes do not support dynamic routing, therefore you must use static routes for any networks to which the ACE is not directly connected, such as when there is a router between a network and the ACE. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Procedure Step 1 Choose Config > Devices > context > Network > Static Routes. The Static Routes configuration table appears and displays the following information: • Destination prefix • Destination prefix mask • Next hop IP address Step 2 In the Static Routes configuration table, click Add to add a new static route. Note You cannot modify an existing static route. To make changes to an existing static route, you must delete the static route and then add it back. 12-29 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Global IP DHCP Step 3 In the IP Address Type, choose either IPv4 or IPv6 for the route. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 or IPv6. Step 4 In the Destination Prefix field, enter the IP address based on the address type (IPv4 or IPv6) for the route. The address that you specify for the static route is the address that is in the packet before entering the ACE and performing network address translation. Step 5 Depending on the IP address type that you chose, do one of the following: • For IPv4, in the Destination Prefix Mask field, choose the subnet to use for this route. • For IPv6, in the Destination Prefix-length field, enter the prefix length from 0 to 128 to use for this route. Step 6 (IPv6 IP address type only) For the Forward Interface Type, choose one of the following: • N/A (Not applicable) • VLAN • BVI If you select VLAN or BVI, select its number from the drop down menu. To configure an interface, click Plus. After configuring it, select its number from the drop down menu. Step 7 In the Next Hop field, enter the IP address of the gateway router based on the address type (IPv4 or IPv6) for this route. The gateway address must be in the same network as a VLAN interface for this context. Step 8 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click Cancel to exit this procedure without saving your entries and to return to the previous table. • Click Next to deploy your entries and to add another static route. Related Topics • Configuring Virtual Contexts, page 6-8 • Configuring Virtual Context Primary Attributes, page 6-14 Configuring Global IP DHCP You can configure the Dynamic Host Configuration (DHCP) relay agent at the context level so the configuration applies to all interfaces associated with the context. When you configure the ACE as a DHCP relay agent, it is responsible for forwarding the requests and responses that are negotiated between the DHCP clients and the server. By default, the DHCP relay agent is disabled. You must configure a DHCP server when you enable the DHCP relay agent. Note The options that appear when you choose Config > Devices > context depend on the device associated with the virtual context and the role associated with your account. 12-30 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Global IP DHCP Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Procedure Step 1 Choose Config > Devices > context > Network > Global IP DHCP. The Global IP DHCP configuration table appears. Step 2 From the Global IP DHCP configuration table, in the Enable DHCP Relay For The Context field, click IPv4, IPv6, or both to enable DHCP relay for the context and all interfaces associated with this context. For ACE module and ACE appliance software versions earlier than A5(1.0), this field does not include the IP version number and is for IPv4 only. Step 3 In the Relay Agent Information Reforwarding Policy field, choose a relay agent information forwarding policy: • N/A—Specifies to not configure the DHCP relay to identify what is to be performed if a forwarded message already contains relay information. • Keep—Specifies that existing information is left unchanged on the DHCP relay agent. • Replace—Specifies that existing information is overwritten on the DHCP relay agent. Step 4 In the IP DHCP Server field, choose the IP DHCP server to which the DHCP relay agent is to forward client requests. Step 5 In the IPv6 Forward Interface VLAN field, you can optionally enter the VLAN interface number that you configured in the IPv6 DHCP Forward Interface VLAN field on the interface where the multicast DHCP relay message is sent. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later. Step 6 In the IPv6 DHCP server, specify one or more IP DHCP servers and IPv6 addresses to which the DHCP relay agent is to forward client requests. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later. Step 7 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click Cancel to exit this procedure without saving your entries and to return to the previous table. • Click Next to deploy your entries and to add another DHCP relay entry. 12-31 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Static VLANs for Over 8000 Static NAT Configurations Configuring Static VLANs for Over 8000 Static NAT Configurations Note This feature applies to ACE modules only and was deprecated beginning with ACE software Version A5(1.0). You can create more than 8,000 static NAT configurations (one static NAT configuration with a netmask is counted as one configuration). In addition, follow these restrictions and guidelines when using this feature: • This feature is supported in routed mode only. • Only one mapped interface is allowed per virtual context. However, each static NAT configuration must have a different mapped IP address. • At any point, you can configure no more than one next-hop on the mapped interface. • Bidirectional NAT, or in other words, source-address as well as destination-address translation, for the same flow is not supported. • You must have fewer than 1,000 real IP addresses on the same subnet as the real interface. In addition, you must have fewer than 1,000 mapped IP address on the same subnet as the mapped interface. • If you use this feature, we recommended that you do not use MP-based NAT for the same virtual context. Procedure Step 1 Choose Config > Devices > context > Network > Static NAT Overwrite. The Static NAT Overwrite configuration table appears. Step 2 In the Static NAT Overwrite configuration table, click Add to add a new static NAT. Step 3 In the Mapped IP Address field, enter the IP address to which the real IP address is translated. In a context, the mapped IP address must be different in each static NAT configuration. Step 4 In the Real VLAN Number field, choose the VLAN number of the interface connected to the real IP address network. The list of available real VLANs includes routed mode VLANs only (for more information, see Interface Type). Step 5 In the Mapped VLAN Number field, choose the VLAN number of the interface connected to the mapped IP address network. The list of available mapped VLANs includes routed mode VLANs only (for more information, see Interface Type). In a context, the mapped interface must be the same in each static NAT configuration. Step 6 In the Real IP Address field, enter the real server IP address to be translated. In a context, you must configure a different address for configurations that have the same real server interface. Step 7 In the Real IP Netmask field, choose the subnet mask for the real server address. Step 8 Do one of the following: 12-32 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Gigabit Ethernet Interfaces on the ACE Appliance • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. This option appears for virtual contexts. • Click Cancel to exit this procedure without saving your entries and to return to the previous table. • Click Next to deploy your entries and to add another DHCP relay entry. Configuring Gigabit Ethernet Interfaces on the ACE Appliance Note This feature is for ACE appliances only. You can configure a Gigabit Ethernet interface on the ACE appliance, which provides physical Ethernet ports to connect servers, PCs, routers, and other devices to the ACE appliance. The ACE appliance supports four Layer 2 Ethernet ports for performing Layer 2 switching. You can configure the four Ethernet ports to provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. Each Layer 2 Ethernet port supports autonegotiate, full-duplex, or half-duplex operation on an Ethernet LAN, and can carry traffic within a designated VLAN. A Layer 2 Ethernet port can be configured as follows: • Member of Port-Channel Group—The port is configured as a member of a port-channel group, which associates a physical port on the ACE appliance to a logical port to create a port-channel logical interface. The VLAN association is derived from port-channel configuration. The port is configured as a Layer 2 EtherChannel, where each EtherChannel bundles the individual physical Ethernet data ports into a single logical link that provides the aggregate bandwidth of up to four physical links on the ACE. • Access VLAN—The port is assigned to a single VLAN. This port is referred to as an access port and provides a connection for end users or node devices, such as a router or server. • Trunk port—The port is associated with IEEE 802.1Q encapsulation-based VLAN trunking to allocate VLANs to ports and to pass VLAN information (including VLAN identification) between switches for all Ethernet channels defined in a Layer 2 Ethernet data port or a Layer 2 EtherChannel (port-channel) group on the ACE appliance. This section includes the following topics: • Configuring Gigabit Ethernet Interfaces, page 12-32 • Displaying Gigabit Ethernet Interface Statistics and Status Information, page 12-35 Configuring Gigabit Ethernet Interfaces This section describes how to configure Gigabit Interfaces on the ACE. Procedure Step 1 Choose Config > Devices > context > Network > GigabitEthernet Interfaces. The GigabitEthernet Interfaces table appears. Step 2 In the GigabitEthernet Interfaces table, click Poll Now to instruct ANM to poll the devices and display the current values, and click OK when prompted to poll the devices for data. 12-33 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Gigabit Ethernet Interfaces on the ACE Appliance Step 3 Choose an existing gigabit Ethernet interface, and click Edit to modify it. Step 4 Enter the gigabit Ethernet physical interface attributes (see Table 12-5). Table 12-5 Physical Interface Attributes Field Description Interface Name Name of the Gigabit Ethernet interface, which is in the format slot_number/port_number where slot_number is the physical slot on the ACE for the specified port, and port_number is the physical Ethernet data port on the ACE for the specified port. Description Brief description for this interface. Admin Status Administrative state of the interface: Up or Down. Speed Port speed: • Auto—Autonegotiate with other devices • 10 Mbps • 100 Mbps • 1000 Mbps Duplex Interface duplex mode: • Auto—Resets the specified Ethernet port to automatically negotiate port speed and duplex of incoming signals. This is the default setting. • Full—Configures the specified Ethernet port for full-duplex operation, which allows data to travel in both directions at the same time. • Half—Configures the specified Ethernet port for half-duplex operation. A half-duplex setting ensures that data only travels in one direction at any given time. Port Operation Mode Port operation mode: • N/A—Specifies that this option is not to be used. • Channel Group—Specifies to map the port to a port channel. You must specify: • Port Channel Group Number—Specifies the port channel group number. • HA VLAN—Specifies the high availability (HA) VLAN used for communication between the members of the FT group. • Switch Port—Specifies the interface switch port type: • Access—Specifies that the port interface is an access port. You must specify a VLAN as an access port in the Access VLAN field. • Trunk—Specifies that the port interface is a trunk port. When you choose Trunk, you must complete one or both of the following fields: - Trunk Native VLAN—Identifies the 802.1Q native VLAN for a trunk. - Trunk Allowed VLANs—Selectively allocates individual VLANs to a trunk link. HA LAN High availability (HA) VLAN used for communication between the members of the FT group. 12-34 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Gigabit Ethernet Interfaces on the ACE Appliance Step 5 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your changes and to return to the Physical Interface table. • Click Next or Previous to go to the next or previous physical channel. • Click Delete to remove this entry from the Physical Interface table and to return to the table. Step 6 (Optional) To display statistics and status information for a particular Gigabit Ethernet interface, choose the interface from the GigabitEthernet Interfaces table, and click Details. The show interface gigabitEthernet CLI command output appears. See the “Displaying Gigabit Ethernet Interface Statistics and Status Information” section on page 12-35 for details. Related Topics • Configuring Virtual Context VLAN Interfaces, page 12-6 • Configuring Virtual Context BVI Interfaces, page 12-19 • Configuring Port-Channel Interfaces for the ACE Appliance, page 12-35 Carrier Delay Configurable delay at the physical port level to address any issues with transition time, based on the variety of peers. Valid values are from 0 to 120 seconds. The default is 0 (no carrier delay). Note If you connect an ACE to a Catalyst 6500 series switch, your configuration on the switch may include the Spanning-Tree Protocol (STP). However, the ACE does not support STP. In this case, you may find that the Layer 2 convergence time is much longer than the physical port up time. For example, the physical port would normally be up within 3 seconds, but STP moving to the forward state may need approximately 30 seconds. During this transitional time, although the ACE declares the port to be up, the traffic does not pass. In this case, you should specify a carrier delay. QoS Trust COS Quality of Service (QoS) for the physical Ethernet port. By default, QoS is disabled for each physical Ethernet port on the ACE. QoS for a configured physical Ethernet port is based on VLAN Class of Service (CoS) bits (priority bits that segment the traffic in eight different classes of service). When you enable QoS on a port (a trusted port), traffic is mapped into different ingress queues based on their VLAN CoS bits. If there are no VLAN CoS bits, or QoS is not enabled on the port (untrusted port), the traffic is then mapped into the lowest priority queue. You can enable QoS for an Ethernet port configured for fault tolerance. In this case, heartbeat packets are always tagged with CoS bits set to 7 (a weight of High). Note We recommend that you enable QoS on the FT VLAN port to provide higher priority for FT traffic. Table 12-5 Physical Interface Attributes (continued) Field Description 12-35 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Port-Channel Interfaces for the ACE Appliance Displaying Gigabit Ethernet Interface Statistics and Status Information You can display statistics and status information for a particular Gigabit Ethernet interface. Procedure Step 1 Choose Config > Devices > context > Network > GigabitEthernet Interfaces. The GigabitEthernet Interfaces table appears. Step 2 In the GigabitEthernet Interfaces table, choose a Gigabit Ethernet interface from the GigabitEthernet Interfaces table, and click Details. The show interface gigabitEthernet CLI command output appears. For details on the displayed output fields, see the Cisco ACE 4700 Series Appliance Routing and Bridging Configuration Guide. Step 3 (Optional) Click Update Details to refresh the display. Step 4 Click Close to return to the GigabitEthernet Interfaces table. Related Topics Configuring Gigabit Ethernet Interfaces on the ACE Appliance, page 12-32 Configuring Port-Channel Interfaces for the ACE Appliance This section discusses how to configure port channel interfaces for the ACE appliance. It consists of the following topics: • Why Use Port Channels?, page 12-35 • Configuring a Port-Channel Interface, page 12-36 • Configuring a Catalyst 6500 Series Switch for an ACE Appliance Port-Channel Interface Connection, page 12-38 • Displaying Port Channel Interface Statistics and Status Information, page 12-40 Why Use Port Channels? A port channel groups multiple physical ports into a single logical port. This is also called port aggregation or channel aggregation. A port channel containing multiple physical ports has several advantages: • Improves link reliability through physical redundancy. • Allows greater total throughput to the ACE appliance. For example, four 1-Gigabit Ethernet interfaces can be aggregated into a single 4-Gigabit channel. • Allows traffic capacity to be scaled up in the future, without network disruption at that time. A port channel can do everything a switched port can do, but a switched port cannot do everything a port channel can do. We recommend that you use a port channel. • Provides maximum flexibility of network configuration and focuses network configuration on VLANs rather than physical cabling. 12-36 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Port-Channel Interfaces for the ACE Appliance The disadvantage of a port channel is that it requires additional configuration on the switch the ACE is connected to, as well as the ACE itself. There are many methods of port aggregation implemented by different switches, and not every method works with ACE. For an example of how to configure a Cisco Catalyst 6500 switch to enable a port channel connection to ACE, see the “Configuring a Catalyst 6500 Series Switch for an ACE Appliance Port-Channel Interface Connection” section on page 12-38. Using a port channel also requires more detailed knowledge of your network's VLANs, because all “cabling” to and from the ACE will be handled over VLANs rather than using physical cables. Nonetheless, use of port channels is highly recommended, especially in a production deployment of ACE. Figure 12-1 illustrates a port channel interface. Figure 12-1 Example of a Port Channel Interface Related Topics Configuring a Port-Channel Interface, page 12-36 Displaying Port Channel Interface Statistics and Status Information, page 12-40 Configuring a Port-Channel Interface Note This feature is for ACE appliances only. You can group physical ports together on the ACE appliance to form a logical Layer 2 interface called the port channel. All the ports belonging to the same port channel must be configured with same values; for example, port parameters, VLAN membership, and trunk configuration. Only one port channel in a channel group is allowed, and a physical port can belong to a single port-channel interface only. Step 1 Choose Config > Devices > context > Network > Port Channel Interfaces. The Port Channel Interface table appears. Step 2 In the Port Channel Interface table, click Poll Now to instruct ANM to poll the devices and display the current values, and click OK when prompted to poll the devices for data. Step 3 Click Add to add a port channel interface, or choose an existing port channel interface and click Edit to modify it. 247843 Switch ACE Appliance Port Channel VLANs Ethernet Ports 12-37 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Port-Channel Interfaces for the ACE Appliance Note If you click Edit, not all of the fields can be modified. Step 4 Enter the port channel interface attributes (see Table 12-6). Step 5 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your changes and to return to the Port Channel Interface table. • Click Next to deploy your entries and to add another port-channel interface. Table 12-6 Port Channel Interface Attributes Field Description Interface Number Channel number for the port-channel interface, which can be from 1 to 255. Description Brief description for this interface. Fault Tolerant VLAN Fault tolerant (FT) VLAN used for communication between the members of the FT group. Admin Status Administrative state of the interface: Up or Down. Load Balancing Method Load balancing method: • Dst-IP—Loads distribution on the destination IP address. • Dst-MAC—Loads distribution on the destination MAC address. • Dst-Port—Loads distribution on the destination TCP or UDP port. • Src-Dst-IP—Loads distribution on the source or destination IP address. • Src-Dst-MAC—Loads distribution on the source or destination MAC address. • Src-Dst-Port—Loads distribution on the source or destination port. • Src-IP—Loads distribution on the source IP address. • Src-MAC—Loads distribution on the source MAC address. • Src-Port—Loads distribution on the TCP or UDP source port. Switch Port Type Interface switchport type: • N/A—Indicates that the switchport type is not specified. • Access—Specifies that the port interface is an access port. You must specify a VLAN as an access port in the Access VLAN field. • Trunk—Specifies that the port interface is a trunk port. When you choose Trunk, you must complete the following fields: – Trunk Native VLAN—Identifies the 802.1Q native VLAN for a trunk. – Trunk Allowed VLANs—Selectively allocate individual VLANs to a trunk link. 12-38 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Port-Channel Interfaces for the ACE Appliance Step 6 (Optional) To display statistics and status information for a particular port-channel interface, choose the interface from the Port Channel Interfaces table, and click Details. The show interface port-channel CLI command output appears. See the “Displaying Port Channel Interface Statistics and Status Information” section on page 12-40 for details. Related Topics • Configuring Port-Channel Interfaces for the ACE Appliance, page 12-35 • Configuring Port-Channel Interfaces for the ACE Appliance, page 12-35 • Displaying Port Channel Interface Statistics and Status Information, page 12-40 • Configuring Virtual Context VLAN Interfaces, page 12-6 Configuring a Catalyst 6500 Series Switch for an ACE Appliance Port-Channel Interface Connection This section provides information for you to configure a port-channel interface on a network device such as the Catalyst 6500 Series switch. After you configure the port channels for the ACE appliance through ANM and you physically connect the Gigabit Ethernet physical interfaces on the ACE appliance to the Catalyst 6500 Series switch ports, configure the port channels on the switch. The information outlined in this topic is intended as an example of configuring port channels on a switch. You can adapt this information for whatever switch the ACE appliance is connected to in your network. For specific details on configuring the Catalyst 6500 Series switch, see the documentation set on www.Cisco.com. This section includes the following topics: • Creating the Port Channel Interface on the Catalyst 6500 • Adding Interfaces to the Port Channel Creating the Port Channel Interface on the Catalyst 6500 This section contains and example in which a Catalyst 6500 Series switch is configured with a port channel using an 802.1q trunk that allows the associated VLANs. The native VLAN of the trunk is VLAN 10. Note Default VLAN 1 should not be used for the native VLAN because this VLAN is used internally on the ACE appliance. Port-channel load balancing is used to distribute the traffic load across each of the links in the port channel to ensure efficient utilization of each link. Port-channel load balancing on the Catalyst 6500 Series switch can use MAC addresses or IP addresses, Layer 4 port numbers, source addresses, destination addresses, or both source and destination addresses. By default, the ACE appliance uses Src-Dst-MAC to make a load balancing decision (see Table 12-6). We recommend that you use the source and destination Layer 4 port for the load-balancing decision. 12-39 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Port-Channel Interfaces for the ACE Appliance The following example illustrates the CLI commands used to configure a port channel interface for the Catalyst 6500 Series switch: Switch(config)# port-channel load-balance src-dst-port Switch(config)# interface port-channel 1 Switch(config-if)# description For Connection with ACE Appliance Switch(config-if)# switchport Switch(config-if)# switchport mode trunk Switch(config-if)# switchport trunk encapsulation dot1q Switch(config-if)# switchport trunk native vlan 10 Switch(config-if)# switchport trunk allowed vlan 10,20,30,31, 40,50 Switch(config-if)# switchport nonegotiate Switch(config-if)# mls qos trust cos After you configure the port channel on the Catalyst 6500 Series switch, you can then add it to the configuration of the four interfaces as described in the “Adding Interfaces to the Port Channel” section on page 12-39. Note The ACE appliance does not support Port Aggregation Protocol (PAgP) or Link Aggregate Control Protocol (LACP) so the port-channel interface is configured using mode on. Adding Interfaces to the Port Channel The following example illustrates the CLI commands used to configure the four switch ports 3/9 through 3/12 as members of the port channel on the Catalyst 6500 Series switch: Switch(config-if)# int range Gig 3/9 - 12 Switch(config-if-range)# channel-group 1 mode on Switch(config-if-range)# speed 1000 Switch(config-if-range)# spanning-tree portfast trunk Switch(config-if-range)# no shut On the ACE appliance, you can configure the Ethernet port speed for a setting of 10, 100, or 1000 Mbps by configuring the Speed field for a Gigabit Ethernet physical interface attributes (see Table 12-5). The default for the ACE appliance is the auto-negotiate interface speed. We recommend that you configure the speed to 1000 on both the Catalyst 6500 Series switch and the ACE appliance to avoid relying on auto negotiation of the interface speed. A speed setting of 1000 helps to avoid the possibility of the interface operating below the expected Gigabit speed and ensures that the port-channel interface reaches the maximum 4 Gbps throughput. The ACE appliance does not implement Spanning-Tree protocol and does not take part in Spanning-Tree root bridge election process. PortFast is configured on the Catalyst 6500 Series switch to reduce the time required for spanning tree to allow traffic on the port connected to the ACE interface by immediately moving to the forwarding state, bypassing the block, listening, and learning states. The average time for switch port moving into a forward state is approximately 30 seconds. Using PortFast reduces this time to approximately 5 seconds. Note In virtual partitions operating in bridge mode, the ACE offers an option to bridge Spanning-Tree BPDUs between two VLANs to prevent the possibility of a loop. Such a loop may occur when two partitions actively forward traffic. This should not happen during normal operation; however, the option to bridge BPDUs provides a safeguard against this condition. Upon detecting BPDUs, the switch connected to the ACE appliance immediately blocks the port/VLAN from which the loop originated from. We recommend that you configure an ethertype ACL that includes the BPDU protocol and apply the ACL to Layer 2 interfaces in bridge mode. 12-40 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 12 Configuring Network Access Configuring Port-Channel Interfaces for the ACE Appliance Displaying Port Channel Interface Statistics and Status Information You can display statistics and status information for a particular port-channel interface. Procedure Step 1 Choose Config > Devices > context > Network > Port Channel Interfaces. The Port Channel Interfaces table appears. Step 2 In the Port Channel Interfaces table, choose a port-channel interface from the Port Channel Interfaces table, and click Details. The show interface port-channel CLI command output appears. For details about the displayed output fields, see the Cisco ACE 4700 Series Appliance Routing and Bridging Configuration Guide. Step 3 (Optional) Click Update Details to refresh the display. Step 4 Click Close to return to the Port Channel Interfaces table. Related Topics Configuring Port-Channel Interfaces for the ACE Appliance, page 12-35 CHAPTER 13-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 13 Configuring High Availability Date: 3/28/12 This chapter describes how to configure high availability for ANM servers and ACE devices. Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This chapter includes the following sections: • Understanding ANM High Availability, page 13-2 • Understanding ACE Redundancy, page 13-6 • Configuring ACE High Availability, page 13-14 • Configuring ACE High Availability Peers, page 13-15 • Clearing ACE High Availability Pairs, page 13-17 • Configuring ACE High Availability Groups, page 13-17 • Displaying High Availability Group Statistics and Status, page 13-21 • Switching Over an ACE High Availability Group, page 13-22 • Deleting ACE High Availability Groups, page 13-23 • ACE High Availability Tracking and Failure Detection Overview, page 13-23 • Tracking ACE VLAN Interfaces for High Availability, page 13-24 • Tracking Hosts for High Availability, page 13-25 • Configuring Host Tracking Probes, page 13-26 • Configuring ACE Peer Host Tracking Probes, page 13-28 • Configuring ACE HSRP Groups, page 13-29 • Synchronizing ACE High Availability Configurations, page 13-30 • Synchronizing SSL Certificate and Key Pairs on Both ACE Peers, page 13-32 13-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Understanding ANM High Availability Understanding ANM High Availability ANM high availability (or fault tolerance) ensures that your network services and applications are always available. High availability (HA) provides seamless switchover of flows in case an ANM server becomes unresponsive or a critical host or interface fails. High availability uses two ANM nodes, where one node is the active node and the other is the standby node. The ANM high availability features are as follows: • Automatic determination of node status, whether active or standby, using heartbeat counts. • Designation of the virtual IP address (VIP), which is associated with the active node. • Near real-time replication of ANM configuration and events after a failover occurs. • Automatic inspection of certificate/key presence on HA peer upon SSL certificate or key import. During normal operation, ANM high availability performs the following actions: • The two nodes constantly exchange heartbeat packets over both interfaces. • Database operations that occur on the active node’s database are replicated on the standby node’s database. • The monitor function ensures that the necessary processes are running on both the active and standby node. For example, not all processes necessarily run on the standby node, so after a node changes from active to standby, ANM high availability function stops certain processes on the standby node. When you log into ANM, you log in using a virtual IP address (VIP) that associates with the active node. The VIP is the only IP address you need to remember. If the current active node fails, the standby node takes over as the active node and the VIP automatically associates with the node that has just become active. When a failover occurs and the standby node becomes the active node, all existing web sessions are lost. In addition, there is a slight delay while the standby node takes over as the active node. After the switchover is complete and the ANM fully initializes, you can log into ANM using the same VIP. All ANM functions remain the same. ANM uses heartbeat counts to determine when a failover should occur. Because both nodes are constantly sending and receiving heartbeat packets, if heartbeat packets are no longer being received on a node, its peer node is determined to be dead. If this peer node was the active node, then the standby node takes over as the active node. The VIP automatically associates with the newly active node, and the monitoring process starts any necessary processes on the newly active node that were not already running. Similarly, if you manually issue a failover to cause the active node to become the standby node, the heartbeat process disassociates the VIP from the node and tells the monitoring function to stop processes that are not normally run on the standby node. Related Topics • Understanding ANM High Availability Processes, page 13-3 • Configuring ANM High Availability Overview, page 13-3 • CLI Commands for ANM High Availability Processes, page 13-4 • Recovering From an HA Database Replication Failure, page 13-6 13-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Understanding ANM High Availability Understanding ANM High Availability Processes During normal high availability operation, the active node runs all ANM processes required for normal operation of ANM. The standby node runs only a minimal set of processes. Table 13-1 lists the processes, their descriptions, and on which node they run. Note If you are running standalone ANM, all processes show in Table 13-1, with the exception of the heartbeat process, are constantly running. Related Topics • CLI Commands for ANM High Availability Processes, page 13-4 • Understanding ANM High Availability, page 13-2 • Configuring ACE High Availability, page 13-14 • Understanding ACE Redundancy, page 13-6 Configuring ANM High Availability Overview Configuring ANM high availabitly depends on whether you are using ANM Virtual Appliance or ANM server. ANM Vitual Appliance You can implement redundancy for ANM Virtual Appliance using the high availability feature of the underlying VMware vSphere platform. VMware HA (High Availability) detects faults in the operation of managed virtual machines and provides redundancy in case of a failure. You implement VMware HA for ANM Virtual Appliance in the same manner as for any VM-based application running on VMware infrastructure; that is, ANM Virtual Appliance does not impose any special requirements for implementing VMware HA. For additional information about installing ANM Virtual Appliance, see the Installation Guide for the Cisco Application Networking Manager 5.2 Virtual Appliance. Table 13-1 ANM High Availability Processes Process Description Node on Which Process Runs Monit Starts, stops, restarts, and monitors local ANM processes Active and standby Heartbeat Provides UDP-based heartbeat between nodes, helps determine active vs. standby states, and associates the VIP Active and standby Mysql Provides persistent storage and implements database replication between active and standby nodes Active and standby ANM Java process Active node only DAL Java process Active node only Ip-disc Java process Active node only Licman Java process for license management Active and standby 13-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Understanding ANM High Availability ANM Server ANM high availability consists of two nodes, which both run the ANM software. Each node must have at least two network interfaces as follows: • A primary interface, normally used to access the node. • A heartbeat interface, which is used to provide additional redundancy. The heartbeat interfaces of the two nodes must be connected via a crossover Ethernet connection. • The two Ethernet interfaces used on one of the hosts should match the two interfaces used on the other host, with regard to the subnets they participate in. For example, if HA Node 1 uses eth0 for the primary interface and eth1 for the heartbeat interface, then HA Node 2 should also use eth0 for the primary interface and eth1 for the heartbeat interface. Note ANM does not configure the primary and heartbeat IP addresses of the nodes’ interfaces. You must manually configure the node’s interfaces. When you installed ANM, you provided values for high availability parameters, determined the node IDs of the two nodes designated as Node 1 and Node 2. For additional information about the installation parameters, see the Installation Guide for Cisco Application Networking Manager 5.2. Related Topics • Understanding ANM High Availability, page 13-2 • Configuring ACE High Availability Groups, page 13-17 • Configuring ACE High Availability, page 13-14 CLI Commands for ANM High Availability Processes You use two commands to view ANM processes: • Use the /opt/CSCOanm/bin/anm-tool command to start and stop the ANM processes and to view the status of the ANM processes. • Use the /opt/CSCOanm/bin/anm-ha command to check high availability configuration or to force a node to become standby or active. Table 13-2 lists the sub-commands and their descriptions. 13-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Understanding ANM High Availability Related Topics • Understanding ANM High Availability Processes, page 13-3 Table 13-2 CLI Sub-commands for Processes Command Sub-command Description /opt/CSCOanm/bin/anm-tool info-services Indicates the state of all ANM processes. This command does not return process status if monit is not running. stop-services Stops all ANM processes, including monit. Note Monit must be running in order for the info-services command to provide status information. Note When ANM is running in HA mode and the standby ANM is just starting up, the active ANM copies its entire database to the standby ANM. During the copy process, the active ANM cannot be stopped or restarted using the anm-tool command. Check the Admin > ANM Management page for the HA Replication Status and wait until the status is set to OK before attempting to stop ANM. start-services Starts the relevant ANM processes. restart-services Restarts the relevant ANM processes. Note When ANM is running in HA mode and the standby ANM is just starting up, the active ANM copies its entire database to the standby ANM. During the copy process, the active ANM cannot be stopped or restarted using the anm-tool command. Check the Admin > ANM Management page for the HA Replication Status and wait until the status is set to OK before attempting to restart ANM. info Provides additional information (state, whether running or stopped, start time, and PID) regarding the Java processes. Monit need not be running for this command to return information. /opt/CSCOanm/bin/anm-ha check Checks the local node’s high availability configuration. If errors are returned, HA might not function correctly until you fix the errors. Note You must run this command on both the active and standby node. While errors might indicate a problem, they could also simply indicate a known condition. For example, you receive a warning if the ANM cannot ping the peer node via either of the specified IP addresses; however, if the peer is down, the warning can be ignored because this is a known issue. It is also possible that no error might be returned even though there is a configuration problem. For example, the configuration of the two nodes must match; however the check sub-command cannot validate that the configurations match. active Forces the local node to become active and the peer node to become the standby node. standby Forces the local node to become standby and the peer node to become the active node. 13-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Understanding ACE Redundancy • Understanding ANM High Availability, page 13-2 • Configuring ACE High Availability, page 13-14 • Understanding ACE Redundancy, page 13-6 Recovering From an HA Database Replication Failure This section provides an overview of the database replication process that occurs between ANM HA active and standby nodes and how to recover from a replication failure. When the active ANM is running and the standby ANM is just starting up, the active ANM copies its entire database to the standby ANM. This process normally takes from a few seconds to a few minutes depending on the size of the configuration data and monitoring data. During the replication process, the active ANM database is locked and the active ANM cannot be stopped or restarted using the anm-tool command nor can it perform a failover. It is possible for the database replication process to fail if the standby ANM is stopped or powered down, the connectivity is down, or the active ANM is powered down. The failure of the replication process does not affect the integrity of the active ANM database. The procedure in this section describes what to do if you encounter a replication failure. Procedure Step 1 Check the standby ANM and make sure that it has stopped. If the standby ANM is still running, stop it because its database might be incomplete due to the replication failure. Step 2 Check the connectivity between the active ANM and standby ANM and make sure that both links are up and connected. Step 3 Do one of the following: • If the active ANM is still running, login and check to see that its configuration is normal. • If the active ANM has stopped or powered down, restart it now. Step 4 After the active ANM is running normally, restart the standby ANM. Caution Do not restart the standby ANM before the active ANM is running and operating normally. Step 5 From the standby ANM GUI, choose Admin > ANM Management to display the ANM Server window and make sure that the HA Replication Status is set to OK before performing any daily management tasks. Understanding ACE Redundancy ACE module redundancy (or fault tolerance) uses a maximum of two ACEs in the same Catalyst 6500 switch or in separate switches to ensure that your network remains operational even if one of the modules becomes unresponsive. 13-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Understanding ACE Redundancy ACE appliance redundancy uses a maximum of two ACEs to ensure that your network remains operational even if one of the ACE appliances becomes unresponsive. Note Redundancy is supported between ACEs of the same type only. Redundancy is not supported between an ACE appliance and an ACE module operating as peers. Redundancy must be of the same ACE device type and software version. For additional information about ACE redundancy, see either the Cisco Application Control Engine Module Administration Guide or the Cisco 4700 Series Application Control Engine Appliance Administration Guide. This section includes the following topics: • ACE High Availability Polling, page 13-7 • ACE Redundancy Protocol, page 13-8 • ACE Stateful Failover, page 13-9 • ACE Fault-Tolerant VLAN, page 13-10 • ACE Configuration Synchronization, page 13-11 • ACE Redundancy Configuration Requirements and Restrictions, page 13-12 • ACE High Availability Troubleshooting Guidelines, page 13-12 ACE High Availability Polling Approximately every two minutes, the ANM issues the show ft group command to the ACE to gather the redundancy statistics of each virtual context. The state information is displayed in the HA State and HA Autosync fields when you click Config > Devices > virtual context. Note To display statistics and status information for a particular high availability group displayed in the High Availability (HA) Setup window (Config > Devices > admin_context > High Availability (HA) > Setup), see the “Displaying High Availability Group Statistics and Status” section on page 13-21. The possible HA states are as follows: • Active—Local member of the FT group is active and processing flows. • Standby Cold—Indicates if the FT VLAN is down but the peer ACE is still alive, or the configuration or application state synchronization failed. When a context is in this state and a switchover occurs, the transition to the ACTIVE state is stateless. • Standby Bulk—Local standby context is waiting to receive state information from its active peer context. The active peer context receives a notification to send a snapshot of the current state information for all applications to the standby context. • Standby Hot—Local standby context has all the state information it needs to statefully assume the active state if a switchover occurs. • Standby Warm—Allows the configuration and state synchronization process to continue on a best-effort basis when you upgrade or downgrade the ACE software. 13-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Understanding ACE Redundancy • Inconclusive—Indicates that ANM was able to determine that the given ACE was configured in HA, however ANM was able to find more than one ACE module or ACE appliance that appeared to be a peer. In this case, ANM was unable to conclusively find a unique HA peer for the given ACE module or ACE appliance. For additional details on addressing this state, see the “ANM Requirements for ACE High Availability” section on page 5-8 for details. Inconclusive is not shown in the HA State field but is shown in the HA Peer field. It is possible that a context HA peer is inconclusive, but its HA State and HA Peer state are still shown normally because these states are from context polling from the ACE device. Note When you upgrade or downgrade the ACE from one software version to another, there is a point in the process when the two ACEs have different software versions and, therefore, a software incompatibility. When the Standby Warm state appears, this means that the active ACE will continue to synchronize configuration and state information to the standby even though the standby may not recognize or understand the software commands or state information. This standby state allows the standby ACE to come up with best-effort support. Related Topics • ACE High Availability Polling, page 13-7 • ACE Redundancy Protocol, page 13-8 ACE Redundancy Protocol You can configure a maximum of two ACEs of the same type (peers) for redundancy in the same Catalyst 6500 switch or in different chassis for redundancy. Each peer ACE can contain one or more fault-tolerant (FT) groups. Each FT group consists of two members: one active context and one standby context. An FT group has a unique group ID that you assign. Note For the replication process to function properly and successfully replicate the configuration for a user context when switching from the active context to the standby context, ensure that each user context has been added to the FT group. All applicable user contexts must be part of an FT group for redundancy to function properly. One virtual MAC address (VMAC) is associated with each FT group. The format of the VMAC is: 00-0b-fc-fe-1b-groupID. Because a VMAC does not change upon switchover, the client and server ARP tables does not require updating. The ACE selects a VMAC from a pool of virtual MACs available to it. For more information, see the “Configuring Virtual Contexts” section on page 6-8. Each FT group acts as an independent redundancy instance. When a switchover occurs, the active member in the FT group becomes the standby member and the original standby member becomes the active member. A switchover can occur for the following reasons: • The active member becomes unresponsive. • A tracked host or interface fails. • You force a switchover for a high availability group by clicking Switchover in the HA Groups table (see the “Switching Over an ACE High Availability Group” section on page 13-22). 13-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Understanding ACE Redundancy To outside nodes (clients and servers), the active and standby FT group members appear as one node with respect to their IP addresses and associated VMAC. ACE provides active-active redundancy with multiple contexts only when there are multiple FT groups configured on each ACE and both devices contain at least one active group member (context). With a single context, the ACE supports active-backup redundancy and each group member is an Admin context. The ACE sends and receives all redundancy-related traffic (protocol packets, configuration data, heartbeats, and state replication packets) on a dedicated FT VLAN. You cannot use this dedicated VLAN for normal traffic. To optimize the transmission of heartbeat packets for multiple FT groups and to minimize network traffic, the ACE sends and receives heartbeat messages using a separate process. The ACE uses the heartbeat to probe the peer ACE, rather than probe each context. When an ACE does not receive a heartbeat from the peer ACE, all the contexts in the standby state become active. The ACE sends heartbeat packets over UDP. You can set the frequency with which the ACE sends heartbeat packets as part of the FT peer configuration. For details about configuring the heartbeat, see the “Configuring ACE High Availability Peers” section on page 13-15. The election of the active member within each FT group is based on a priority scheme. The member configured with the higher priority is elected as the active member. If a member with a higher priority is found after the other member becomes active, the new member becomes active because it has a higher priority. This behavior is known as preemption and is enabled by default. You can override this default behavior by disabling preemption. To disable preemption, use the Preempt parameter. Enabling Preempt causes the member with the higher priority to assert itself and become active. For details about configuring preemption, see the “Configuring ACE High Availability Groups” section on page 13-17. For additional information about ACE redundancy, see either the Cisco Application Control Engine Module Administration Guide or the Cisco 4700 Series Application Control Engine Appliance Administration Guide. Related Topics • Understanding ACE Redundancy, page 13-6 • ACE High Availability Polling, page 13-7 ACE Stateful Failover The ACE replicates flows on the active FT group member to the standby group member per connection for each context. The replicated flows contain all the flow-state information necessary for the standby member to take over the flow if the active member becomes unresponsive. If the active member becomes unresponsive, the replicated flows on the standby member become active when the standby member assumes mastership of the context. The active flows on the former active member transition to a standby state to fully back up the active flows on the new active member. Note For the replication process to function properly and successfully replicate the configuration for a user context when switching from the active context to the standby context, ensure that the user context has been added to the FT group. All applicable user contexts must be part of an FT group for redundancy to function properly. Note By default, connection replication is enabled in the ACE. 13-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Understanding ACE Redundancy After a switchover occurs, the same connection information is available on the new active member. Supported end-user applications do not need to reconnect to maintain the same network session. The state information passed to the standby ACE includes the following data: • Network Address Translation (NAT) table based on information synchronized with the connection record • All Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections not terminated by the ACE • HTTP connection states (Optional) • Sticky table Note In a user context, the ACE allows a switchover only of the FT group that belongs to that context. In the Admin context, the ACE allows a switchover of all FT groups in all configured contexts in the ACE. To ensure that bridge learning occurs quickly upon a switchover in a Layer 2 configuration in the case where a VMAC moves to a new location, the new active member sends a gratuitous ARP on every interface associated with the active context. Also, when there are two VLANs on the same subnet and servers need to send packets to clients directly, the servers must know the location of the gateway on the client-side VLAN. The active member acts as the bridge for the two VLANs. In order to initiate learning of the new location of the gateway, the new active member sends an ARP request to the gateway on the client VLAN and bridges the ARP response onto the server VLAN. For additional information about ACE redundancy, see either the Cisco Application Control Engine Module Administration Guide or Cisco 4700 Series Application Control Engine Appliance Administration Guide. Related Topics • Understanding ACE Redundancy, page 13-6 ACE Fault-Tolerant VLAN ACE redundancy uses a dedicated fault-tolerant VLAN between redundant ACEs of the same type to transmit flow-state information and the redundancy heartbeat. Do not use this dedicated VLAN for normal network traffic. You must configure this same VLAN on both peers. You also must configure a different IP address within the same subnet on each ACE for the fault-tolerant VLAN. The two redundant ACEs constantly communicate over the fault-tolerant VLAN to determine the operating status of each ACE. The standby member uses the heartbeat packet to monitor the health of the active member. The active member uses the heartbeat packet to monitor the health of the standby member. Communications over the switchover link include the following data: • Redundancy protocol packets • State information replication data • Configuration synchronization information • Heartbeat packets 13-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Understanding ACE Redundancy For multiple contexts, the fault-tolerant VLAN resides in the system configuration data. Each fault-tolerant VLAN on the ACE has one unique MAC address associated with it. The ACE uses these ACE MAC addresses as the source or destination MACs for sending or receiving redundancy protocol state and configuration replication packets. Note The IP address and the MAC address of the fault-tolerant VLAN do not change at switchover. For additional information about ACE redundancy, see either the Cisco Application Control Engine Module Administration Guide or the Cisco 4700 Series Application Control Engine Appliance Administration Guide. Related Topics Understanding ACE Redundancy, page 13-6 ACE Configuration Synchronization For redundancy to function properly, both members of an fault-tolerant group must have identical configurations. The ACE automatically replicates the active configuration on the standby member using a process called configuration synchronization (config sync). Config sync automatically replicates any changes made to the configuration of the active member to the standby member. After the ACE synchronizes the redundancy configuration from the active member to the standby peer, it disables configuration mode on the standby. See the “Configuring ACE High Availability Peers” section on page 13-15. Note The Application Networking Manager manages local configurations only. When ANM detects a pair of ACE peers operating in high availability (HA), ANM allows you to make configuration changes on either the active or standby ACE. ANM then automatically (and seamlessly) pushes the configuration to the active ACE and locally replicates the configuration on the standby imported into ANM. This action is similar to what is performed by the ACE to the peers. Note Keep in mind that the configuration pushed while the standby ACE has been selected does not mean that ANM pushed the configuration to the standby ACE. Typically, with auto-sync turned off, configuration changes are disabled on the standby ACE. In this case, ANM tries to push the configuration to the active ACE in the HA device pair. For additional information about ACE redundancy, see either the Cisco Application Control Engine Module Administration Guide or Cisco 4700 Series Application Control Engine Appliance Administration Guide. Related Topics • Understanding ACE Redundancy, page 13-6 • Synchronizing ACE High Availability Configurations, page 13-30 • Synchronizing SSL Certificate and Key Pairs on Both ACE Peers, page 13-32 13-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Understanding ACE Redundancy ACE Redundancy Configuration Requirements and Restrictions Follow these requirements and restrictions when configuring the ACE redundancy feature. • In bridged mode (Layer 2), two contexts cannot share the same VLAN. • To achieve active-active redundancy, a minimum of two contexts and two fault-tolerant groups are required on each ACE. • When you configure redundancy, the ACE keeps all interfaces that do not have an IP address in the Down state. The IP address and the peer IP address that you assign to a VLAN interface should be in the same subnet, but different IP addresses. For more information about configuring VLAN interfaces, see the “Configuring Virtual Context VLAN Interfaces” section on page 12-6. • When importing an ACE HA pair into ANM, follow one of the configuration requirements outlined below for ANM to uniquely identify the ACE HA pair: – Use a unique combination of FT interface VLAN and FT IP address/peer IP address for every ACE HA pair imported into ANM. For HA, it is critical that the combination of FT interface VLAN and IP address/peer IP address always be unique across every pair of ACE peer devices. – Define a peer IP address in the management interface, using the management IP address of the peer ACE (module or appliance). Note that the management IP address and management peer IP address used for this definition should be the management IP address used to import both ACE devices into ANM. For more information about the use of multiple HA pairs imported into ANM, see the “ANM Requirements for ACE High Availability” section on page 5-8 For additional information about ACE redundancy, see either the Cisco Application Control Engine Module Administration Guide or the Cisco 4700 Series Application Control Engine Appliance Administration Guide. Related Topics • Understanding ANM High Availability, page 13-2 ACE High Availability Troubleshooting Guidelines This section provides the following set of guidelines for troubleshooting an ACE high availability (or redundancy) configuration in ANM: • If the high availability setup of two ACE devices is successful, the HA State field of the ACE HA Management table should indicate no errors. If the HA State field does not read Compatible, verify that both ACE devices are the same type of hardware. ACE modules cannot be synchronized with ACE appliances. • If the high availability setup of two ACE devices is successful, the License Compatibility and SRG Compatibility fields of the show ft peer CLI command output on the ACE (module or appliance) should indicate no errors. See either the Cisco Application Control Engine Module Administration Guide or Cisco 4700 Series Application Control Engine Appliance Administration Guide for details on the show ft peer CLI command. – If the SRG Compatibility field indicates a problem, this means that the versions of the ACE software running on the devices are not compatible with each other. One or both of the devices will need to have an appropriate version of the ACE software installed before they can be synchronized. 13-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Understanding ACE Redundancy – If the License Compatibility field indicates a licensing problem, go to the Licenses page of ACE Hardware Setup (see the “Using ACE Hardware Setup” section on page 3-5) and make sure each ACE device has a valid license installed. Licenses must be installed on each device separately because each license is only valid for one hardware device. For proper HA functionality, the licenses on both ACEs in the pair must be also compatible with each other. This means both licenses must permit the same bandwidth and the same number of virtual contexts. Note If the licenses' bandwidth limits do not match, configuration synchronization may appear to work (although Admin context synchronization may actually not be functional), and the License Compatibility field may not show an error. However, failover from the higher bandwidth ACE to a lower bandwidth ACE could result in loss of traffic. 13-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Configuring ACE High Availability Configuring ACE High Availability The tasks involved with configuring high availability on ACE devices are described in Table 13-3. Related Topics • Understanding ACE Redundancy, page 13-6 • Configuring ACE High Availability Peers, page 13-15 • Configuring ACE High Availability Groups, page 13-17 • ACE High Availability Tracking and Failure Detection Overview, page 13-23 • Synchronizing ACE High Availability Configurations, page 13-30 • Synchronizing SSL Certificate and Key Pairs on Both ACE Peers, page 13-32 Table 13-3 High Availability Task Overview Task Reference Step 1 Create a fault-tolerant VLAN and identify peer IP addresses and configure peer devices for heartbeat count and interval. Configuring ACE High Availability Peers, page 13-15 Step 2 Reconcile SSL certificates and keys, create a fault-tolerant group, assign peer priorities, associate the group with a context, place the group in service, and enable automatic synchronization. Configuring ACE High Availability Groups, page 13-17 Step 3 Configure tracking for switchover. ACE High Availability Tracking and Failure Detection Overview, page 13-23 13-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Configuring ACE High Availability Peers Configuring ACE High Availability Peers Note This functionality is available for only Admin contexts. Fault-tolerant peers transmit and receive heartbeat packets and state and configuration replication packets. The standby member uses the heartbeat packet to monitor the health of the active member, while the active member uses the heartbeat packet to monitor the health of the standby member. When the heartbeat packets are not received from the active member when expected, switchover occurs and the standby member assumes all active communications previously on the active member. Use this procedure to do the following tasks: • Identify the two members of a high availability pair. • Assign IP addresses to the peer ACEs. • Assign a fault-tolerant VLAN to high availability peers and bind a physical gigabit Ethernet interface to the FT VLAN. • Configure heartbeat frequency and count on the ACEs in a fault-tolerant VLAN. Note For ANM to properly manage high availability peers, ensure that the combination of FT interface VLAN along with IP and peer IP address always be unique across every pair of ACE devices in high availability when those devices are imported into ANM. For details, see the “ANM Requirements for ACE High Availability” section on page 5-8. Assumption At least one fault-tolerant VLAN has been configured. Note A fault-tolerant VLAN cannot be used for other network traffic. Procedure Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup. The HA Management window appears with two columns; one for the selected ACE and one for a peer ACE. Step 2 Click Edit and enter the information for the primary ACE and the peer ACE as described in Table 13-4. Table 13-4 High Availability Management Configuration Attributes Field This Device Peer Device Module Name of the ACE Not applicable. VLAN Fault-tolerant VLAN to be used for this high availability pair. Valid entries are from 1 to 4094. Note This VLAN cannot be used for other network traffic. Not applicable. 13-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Configuring ACE High Availability Peers Step 3 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. Continue with configuring high availability groups. The HA Management window appears at the top of the content area and the HA Groups table appears at the bottom. See the “Configuring ACE High Availability Groups” section on page 13-17 to configure a high availability group. • Click Cancel to exit this procedure without saving your entries and to view the HA Management window. Related Topics • Understanding ANM High Availability, page 13-2 • Configuring ACE High Availability, page 13-14 • Configuring ACE High Availability Groups, page 13-17 • Synchronizing ACE High Availability Configurations, page 13-30 IP Address IP address for the fault-tolerant VLAN in dotted-decimal format, such as 192.168.11.2. Enter the IP address of the peer interface in dotted-decimal format so that the peer ACE can communicate on the fault-tolerant VLAN. Netmask Subnet mask that is to be used for the fault-tolerant VLAN. Not applicable. Query VLAN VLAN that the standby ACE is to use to determine whether the active ACE is down or if there is a connectivity problem with the fault-tolerant VLAN. Choose the VLAN that the standby ACE is to use to determine whether the active ACE is down or if there is a connectivity problem with the fault-tolerant VLAN. Heartbeat Count Number of heartbeat intervals that must occur with no heartbeat packet received by the standby ACE before the standby ACE determines that the active member is not available. Valid entries are from 10 to 50. Not applicable. Heartbeat Interval Number of milliseconds that the active ACE is to wait between each heartbeat it sends to the standby ACE. Valid entries are from 100 to 1000. Not applicable. Interface Enabled Interface Enabled check box that enables the high availability interface. Uncheck the check box to disable the high availability interface. Not applicable. Shared VLAN Host ID Specific bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. Be sure to configure different bank numbers for multiple ACEs. Not applicable. Peer Shared VLAN Host ID Specific bank of MAC addresses for the same ACE in a redundant configuration. Valid entries are from 1 to 16. Be sure to configure different bank numbers for multiple ACEs. Not applicable. HA State Read-only field with the current state of high availability on the ACE. Not applicable. Table 13-4 High Availability Management Configuration Attributes (continued) Field This Device Peer Device 13-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Clearing ACE High Availability Pairs • Synchronizing SSL Certificate and Key Pairs on Both ACE Peers, page 13-32 • Tracking ACE VLAN Interfaces for High Availability, page 13-24 Clearing ACE High Availability Pairs Note This functionality is available for only Admin contexts. You can remove a high availability link between two ACEs. Procedure Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup. The HA Management window appears. Step 2 Choose the ACE pair whose high availability configuration that you want to remove, and click Clear. A message appears asking you to confirm the clearing of the high availability link. Step 3 Do one of the following: • Click OK to confirm the removal of this high availability link and to return to the HA Management window. • Click Cancel to exit this procedure without removing this high availability link and to return to the HA Management window. Related Topics • Understanding ANM High Availability, page 13-2 • Configuring ACE High Availability Peers, page 13-15 • Editing High Availability Groups, page 13-19 • ACE High Availability Tracking and Failure Detection Overview, page 13-23 • Tracking ACE VLAN Interfaces for High Availability, page 13-24 • Tracking Hosts for High Availability, page 13-25 Configuring ACE High Availability Groups Note This functionality is available for only Admin contexts. You can configure a high availability group, or fault-tolerant group, which consists of a maximum of two contexts: One active context on one ACE and one standby context on the peer ACE. You can create multiple fault-tolerant groups on each ACE up to a maximum of: • For the ACE module—251 groups (250 user contexts and 1 Admin context). • For the ACE appliance—21 groups (20 user contexts and 1 Admin context). 13-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Configuring ACE High Availability Groups Note For the replication process to function properly and successfully replicate the configuration for a user context when switching from the active context to the standby context, ensure that each user context has been added to the FT group. All applicable user contexts must be part of an FT group for redundancy to function properly. Assumption At least one high availability pair has been configured (see the “Configuring ACE High Availability Peers” section on page 13-15). Procedure Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup. The HA Management window appears at the top of the content area and the HA Groups table appears at the bottom. Step 2 In the HA Groups table of the HA Management window, click Add to add a new high availability group. The table refreshes with the configurable fields. Step 3 Check the Enabled check box to enable the high availability group. Uncheck the Enabled check box to disable the high availability group. Step 4 In the Context field, choose the virtual context to associate with this high availability group. Step 5 In the Priority (Actual) field, enter the priority that you want to assign to the first device in the group. Valid entries are from 1 to 255. A member of a fault-tolerant group becomes the active member through a process based on the priority assigned. In this process, the group member with the higher priority becomes the active member. When you set up a fault-tolerant pair, use a higher priority for the group where the active member initially resides. Step 6 Check the Preempt check box to specify that the group member with the higher priority is to always assert itself and become the active member. Uncheck the Preempt check box to specify that you do not want the group member with the higher priority to always become the active member. Step 7 In the Peer Priority (Actual) field, enter the priority that you want to assign to the peer device in the group. Valid entries are from 1 to 255. A member of a fault-tolerant group becomes the active member through a process based on the priority assigned. In this process, the group member with the higher priority becomes the active member. When you set up a fault-tolerant pair, use a higher priority for the group where the active member initially resides. Step 8 Check the Autosync Run check box to enable automatic synchronization of the running configuration files. Uncheck the Autosync Run check box to disable automatic synchronization of the running configuration files. If you disable automatic synchronization, you need to update the configuration of the standby context manually. See the “Synchronizing Virtual Context Configurations” section on page 6-105. 13-19 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Configuring ACE High Availability Groups Note If you check Autosync Run for the HA group, you must manually sync the standby context in order for ANM to allow subsequent configuration changes. Until you have done this, the standby context will be marked out of sync. See the “Synchronizing Virtual Context Configurations in High Availability Mode” section on page 13-31. Step 9 Check the Autosync Startup check box to enable automatic synchronization of the startup configuration files. Uncheck the Autosync Run check box to disable automatic synchronization of the startup configuration files. If you disable automatic synchronization, you need to update the configuration of the standby context manually. See the “Synchronizing Virtual Context Configurations” section on page 6-105. Step 10 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The HA Groups table refreshes with the new high availability group. • Click Cancel to exit this procedure without saving your entries and to return to the HA Management window and HA Groups table. Step 11 (Optional) To display statistics and status information for a particular high availability group, choose the group from the ACE HA Groups table, and click Details. The show ft group group_id detail CLI command output appears. See the “Displaying High Availability Group Statistics and Status” section on page 13-21 for details. Related Topics • Configuring ACE High Availability Peers, page 13-15 • Editing High Availability Groups, page 13-19 • Synchronizing Virtual Context Configurations, page 6-105 • Synchronizing SSL Certificate and Key Pairs on Both ACE Peers, page 13-32 • Tracking ACE VLAN Interfaces for High Availability, page 13-24 • Tracking Hosts for High Availability, page 13-25 Editing High Availability Groups Note This functionality is available for only Admin contexts. You can modify the attributes of a high availability group. Note If you need to modify a fault-tolerant group, take the group out of service before making any other changes (see the “Taking a High Availability Group Out of Service” section on page 13-20). When you finish making all changes, place the group back into service (see the “Enabling a High Availability Group” section on page 13-21). 13-20 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Configuring ACE High Availability Groups Procedure Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup. The HA Management window appears at the top of the content area and the HA Groups table appears at the bottom. Step 2 In the HA Groups table, choose the high availability group that you want to modify, and click Edit. The table refreshes with configurable fields. Step 3 Modify the fields as desired. For information on these fields, see the “Configuring ACE High Availability Groups” section on page 13-17. Note If you leave unchecked Autosync Run for the HA group, you must manually sync the standby context in order for ANM to allow subsequent configuration changes. Until you have done this, the standby context will be marked out of sync. See the “Synchronizing Virtual Context Configurations in High Availability Mode” section on page 13-31. Step 4 When you finish modifying this group, do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the HA Groups table. • Click Cancel to exit this procedure without saving your entries and to return to the HA Management window. Related Topics • Configuring ACE High Availability Groups, page 13-17 • Taking a High Availability Group Out of Service, page 13-20 • Enabling a High Availability Group, page 13-21 • Configuring ACE High Availability Peers, page 13-15 • ACE High Availability Tracking and Failure Detection Overview, page 13-23 Taking a High Availability Group Out of Service Note This functionality is available for only Admin contexts. You can take a high availability group out of service, which you must do before you can modify it. Procedure Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup. The HA Management window appears at the top of the content area and the HA Groups table appears at the bottom. 13-21 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Displaying High Availability Group Statistics and Status Step 2 In the HA Groups table, choose the high availability group you want to take out of service, and click Edit. The table refreshes with configurable fields. Step 3 Uncheck the Enabled check box. Step 4 Click Deploy Now to take the high availability group out of service and to return to the HA Groups table. You can now make the necessary modifications to the high availability group. To put the high availability group back in service, see the “Enabling a High Availability Group” section on page 13-21. Related Topics Enabling a High Availability Group, page 13-21 Enabling a High Availability Group Note This functionality is available for only Admin contexts. You can put a high availability group back into service after taking it out of service. Procedure Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup. The HA Management window appears at the top of the content area and the HA Groups table appears at the bottom. Step 2 In the HA Groups table, choose the high availability group you want to take out of service, and click Edit. The table refreshes with configurable fields. Step 3 Check the Enabled check box. Step 4 Click Deploy Now to put the high availability group in service and to return to the HA Groups table. Related Topics Taking a High Availability Group Out of Service, page 13-20 Displaying High Availability Group Statistics and Status You can display statistics and status information for a particular high availability group by using the Details button. ANM accesses the show ft group group_id detail CLI command to display detailed ACE HA group information. Procedure Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup. 13-22 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Switching Over an ACE High Availability Group The HA Management window appears at the top of the content area and the HA Groups table appears at the bottom. Step 2 Choose an ACE HA group from the ACE HA Groups table and click Details. The show ft group group_id detail CLI command output appears. For details on the displayed output fields, see either the Cisco ACE Module Administration Guide or the Cisco ACE 4700 Series Appliance Administration Guide. Step 3 Click Update Details to refresh the output for the show ft group group_id detail CLI command. Step 4 Click Close to return to the VLAN Interfaces table. Switching Over an ACE High Availability Group Note This functionality is available for only Admin contexts. You can force the failover of a high availability group. You may need to force a switchover when you want to make a particular context the standby (for example, for maintenance or a software upgrade on the currently active context). If the standby group member can statefully become the active member of the high availability group, a switchover occurs. Procedure Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup. The HA Management window appears at the top of the content area and the HA Groups table appears at the bottom. Step 2 In the HA Groups table, choose the group that you want to switch over, and click Switchover. The standby group member becomes active, while the previously active group member becomes the standby member. Note You must manually sync the standby context in order for ANM to allow subsequent configuration changes. Until you have done this, the standby context will be marked out of sync. See the “Synchronizing Virtual Context Configurations in High Availability Mode” section on page 13-31. Related Topics • Understanding ANM High Availability, page 13-2 • Configuring ACE High Availability Peers, page 13-15 • Configuring ACE High Availability Groups, page 13-17 • Synchronizing SSL Certificate and Key Pairs on Both ACE Peers, page 13-32 • Tracking ACE VLAN Interfaces for High Availability, page 13-24 13-23 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Deleting ACE High Availability Groups Related Topics • Understanding ANM High Availability, page 13-2 • Configuring ACE High Availability Peers, page 13-15 • Configuring ACE High Availability Groups, page 13-17 Deleting ACE High Availability Groups Note This functionality is available for only Admin contexts. You can remove a high availability group from ANM management. Procedure Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup. The HA Management window appears at the top of the content area and the HA Groups table appears at the bottom. Step 2 In the HA Groups table, choose the high availability group that you want to remove, and click Delete. A message appears asking you to confirm the deletion. Step 3 Do one of the following: • Click Deploy Now to delete the high availability group and to return to the HA Groups table. The selected group no longer appears. • Click Cancel to exit this procedure without deleting the high availability group and to return to the HA Groups table. Related Topics • Configuring ACE High Availability Peers, page 13-15 • Configuring ACE High Availability Groups, page 13-17 • Tracking ACE VLAN Interfaces for High Availability, page 13-24 ACE High Availability Tracking and Failure Detection Overview ANM supports the tracking and detection of failures to ensure that switchover occurs as soon as the criteria are met (see Configuring ACE High Availability Peers, page 13-15). You can track and detect failures on the following: • Hosts—See Tracking Hosts for High Availability, page 13-25. • Interfaces—See Tracking ACE VLAN Interfaces for High Availability, page 13-24. When the active member of a fault-tolerant group becomes unresponsive, the following occurs: 1. The active member’s priority is reduced by 10. 13-24 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Tracking ACE VLAN Interfaces for High Availability 2. If the resulting priority value is less than that of the standby member, the active member switches over and the standby member becomes the new active member. All active flows continue uninterrupted. 3. When the failed member comes back up, its priority is incremented by 10. 4. If the resulting priority value is greater than that of the currently active member, a switchover occurs again, returning the flows to the originally active member. Note In a user context, the ACE allows a switchover only of the fault-tolerant groups belonging to that context. In an Admin context, the ACE allows a switchover of all fault-tolerant groups on all configured contexts on the ACE. Related Topics • Configuring ACE High Availability Groups, page 13-17 • Tracking ACE VLAN Interfaces for High Availability, page 13-24 • Tracking Hosts for High Availability, page 13-25 Tracking ACE VLAN Interfaces for High Availability You can configure a tracking and failure detection process for a VLAN interface. Procedure Step 1 Choose Config > Devices > admin_context > HA Tracking And Failure Detection > Interfaces. The Track Interface table appears. Step 2 Click Add to add a new tracking process to this table, or choose an existing entry and click Edit to modify it. The Track Interface configuration window appears. Step 3 In the Track Object Name field of the Track Interface configuration window, enter a unique identifier for the tracking process. Valid entries are unquoted text strings with no spaces. Step 4 In the Priority field, enter the priority for the interface on the active member. Valid entries are from 0 to 255 with higher values indicating higher priorities. The values that you enter here and in the Interface Peer Priority field (see Step 6) reflect the point at which you want switchover to occur. If the tracked interface goes down, the priority of that fault-tolerant group is decremented by the value entered in the Priority field. If the priority of the fault-tolerant group on the active member falls below that of the standby member, a switchover occurs. Step 5 In the VLAN Interface field, choose the fault-tolerant VLAN that you want the active member to track. Step 6 In the Interface Peer Priority field, enter the priority for the interface on the standby member. Valid entries are from 0 to 255 with higher values indicating higher priorities. The values that you enter here and in the Priority field (See Step 4) reflect the point at which you want switchover to occur. If the tracked interface goes down, the priority of that fault-tolerant group is decremented by the value entered in the Interface Peer Priority field. If the priority of the fault-tolerant group on the active member falls below that of the standby member, a switchover occurs. 13-25 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Tracking Hosts for High Availability Step 7 In the Peer VLAN Interface field, enter the identifier of an existing fault-tolerant VLAN that you want the standby member to track. Valid entries are from 1 to 4096. Step 8 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Track Interface table. • Click Cancel to exit this procedure without saving your entries and to return to the Track Interface table. • Click Next to deploy your entries and to configure the next entry in the Track Interface table. Related Topics • Configuring ACE High Availability Peers, page 13-15 • Configuring ACE High Availability Groups, page 13-17 • Tracking Hosts for High Availability, page 13-25 Tracking Hosts for High Availability You can configure a tracking and failure detection process for a gateway or host. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Procedure Step 1 Choose Config > Devices > admin_context > HA Tracking And Failure Detection > Hosts. The Track Host table appears. Step 2 In the Track Host table, click Add to add a new tracking process to the table, or choose an existing entry and click Edit to modify it. The Track Host configuration window appears. Step 3 In the Track Object Name field of the Track Host configuration window, enter a unique identifier for the tracking process. Valid entries are unquoted text strings with no spaces. Step 4 In the IP Address Type field, choose either IPv4 or IPv6 for the host address type. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. Step 5 In the Track Host/IP Address field, enter the IPv4 or IPv6 address or hostname of the gateway or host that you want the active member of the high availability group to track. Step 6 In the Priority field, enter the priority of the probe sent by the active member. 13-26 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Configuring Host Tracking Probes Valid entries are from 0 to 255. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the host that the probe is tracking. If the probe goes down, the ACE decrements the priority of the fault-tolerant group on the active member by the value in the Priority field. Step 7 In the Peer Host/IP Address field, enter the IPv4 or IPv6 address or hostname of the host that you want the standby member to track. Step 8 In the Peer Priority field, enter the priority of the probe sent by the standby member. Valid entries are from 0 to 255. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the host that the probe is tracking. If the probe goes down, the ACE decrements the priority of the fault-tolerant group on the standby member by the value in the Priority field. Step 9 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. Continue with configuring track host probes. See Configuring Host Tracking Probes, page 13-26. • Click Cancel to exit this procedure without saving your entries and to return to the Track Host table. • Click Next to deploy your entries and to configure another tracking process. Related Topics • Configuring Host Tracking Probes, page 13-26 • Configuring ACE High Availability Peers, page 13-15 • Configuring ACE High Availability Groups, page 13-17 • Tracking ACE VLAN Interfaces for High Availability, page 13-24 Configuring Host Tracking Probes You can configure probes on the active high availability group member to track the health of the gateway or host. Assumptions This topic assumes the following: • At least one host tracking process for high availability has been configured (see Tracking Hosts for High Availability, page 13-25.) • At least one health monitoring probe has been configured (see Configuring Health Monitoring for Real Servers, page 8-51). Procedure Step 1 Choose Config > Devices > admin_context > HA Tracking And Failure Detection > Hosts. The Track Host table appears. Step 2 Choose the tracking process that you want to modify, and click the Peer Track Host Probe tab. The Peer Track Host Probes table appears. 13-27 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Configuring Host Tracking Probes Step 3 In the Peer Track Host Probes table, click Add to add a peer host tracking probe, or choose an existing peer host tracking probe and click Edit to modify it. The Peer Track Host Probes configuration window appears. Step 4 In the Probe Name field, choose the name of the probe to be used for the peer host tracking process. Step 5 In the Priority field, enter a priority for the host that you are tracking by the active member. Valid entries are from 1 to 255 with higher values indicating higher priorities. Assign a priority value based on the relative importance of the gateway or host that the probes are tracking. If the host goes down, the ACE decrements the priority of the high availability group on the standby member by the value in this Priority field. Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Track Host Probe table. The table includes the added probe. • Click Cancel to exit this procedure without saving your entries and to return to the Track Host Probe table. • Click Next to deploy your entries and to configure another track host probe. Related Topics • Configuring ACE Peer Host Tracking Probes, page 13-28 • Configuring ACE High Availability Peers, page 13-15 • Configuring ACE High Availability Groups, page 13-17 • Tracking ACE VLAN Interfaces for High Availability, page 13-24 Deleting Host Tracking Probes You can remove a high availability host tracking probe. Procedure Step 1 Choose Config > Devices > ACE admin_context > HA Tracking And Failure Detection > Hosts. The Track Host table appears. Step 2 In the Track Host table, choose the tracking process you want to modify, and click the Track Host Probe tab. The Track Host Probe table appears. Step 3 In the Track Host table, choose the probe that you want to remove, and click Delete. The probe is deleted and the Track Host Probe table refreshes without the deleted probe. Related Topics • Configuring ACE Peer Host Tracking Probes, page 13-28 • Configuring ACE High Availability Peers, page 13-15 13-28 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Configuring ACE Peer Host Tracking Probes • Configuring ACE High Availability Groups, page 13-17 • Tracking ACE VLAN Interfaces for High Availability, page 13-24 Configuring ACE Peer Host Tracking Probes You can configure probes on the standby member of a high availability group to track the health of the gateway or host. Assumptions This topic assumes the following: • At least one host tracking process for high availability has been configured (see Tracking Hosts for High Availability, page 13-25.) • At least one health monitoring probe has been configured (see Configuring Health Monitoring for Real Servers, page 8-51). Procedure Step 1 Choose Config > Devices > ACE admin_context > HA Tracking And Failure Detection > Hosts. The Track Host table appears. Step 2 In the Track Host table, choose the tracking process that you want to modify, and click the Peer Track Host Probe tab. The Peer Track Host Probes table appears. If the Track Host Probe and Peer Track Host Probes tabs do not appear below the Track Host table, click Show Tabs below the Track Host table name. Step 3 In the Peer Track Host Probes table, click Add to add a peer host tracking probe, or choose an existing peer host tracking probe and click Edit to modify it. The Peer Track Host Probes configuration window appears. Step 4 In the Probe Name field of the Peer Track Host Probes configuration window, choose the name of the probe to be used for the peer host tracking process. Step 5 In the Priority field, enter a priority for the host you are tracking by the standby member of the high availability group. Valid entries are from 0 to 255 with higher values indicating higher priorities. Assign a priority value based on the relative importance of the gateway or host that the probes are tracking. If the host goes down, the ACE decrements the priority of the high availability group on the standby member by the value in this Priority field. Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Peer Track Host Probes table. The table includes the added probe. • Click Cancel to exit this procedure without saving your entries and to return to the Peer Track Host Probes table. • Click Next to deploy your entries and to configure another peer track host probe. 13-29 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Configuring ACE HSRP Groups Related Topics • Configuring Host Tracking Probes, page 13-26 • Configuring ACE High Availability Peers, page 13-15 • Configuring ACE High Availability Groups, page 13-17 • Tracking ACE VLAN Interfaces for High Availability, page 13-24 Deleting Peer Host Tracking Probes You can remove a high availability peer host tracking probe. Procedure Step 1 Choose Config > Devices > ACE admin_context > HA Tracking And Failure Detection > Hosts. The Track Host table appears. Step 2 In the Track Host table, choose the tracking process that you want to modify and click the Peer Track Host Probe tab. The Peer Track Host Probes table appears. If the Track Host Probe and Peer Track Host Probes tabs do not appear below the Track Host table, click Show Tabs below the Track Host table name. Step 3 In the Peer Track Host Probes table, choose the probe that you want to remove, and click Delete. The probe is deleted and the Peer Track Host Probes table refreshes without the deleted probe. Related Topics • Configuring ACE Peer Host Tracking Probes, page 13-28 • Configuring Host Tracking Probes, page 13-26 • Tracking ACE VLAN Interfaces for High Availability, page 13-24 Configuring ACE HSRP Groups You can add or edit a Hot Standby Router Protocol (HSRP) group. Assumptions This topic assumes the following: • At least one host tracking process for high availability has been configured (see Tracking Hosts for High Availability, page 13-25.) • Before you configure an HSRP tracking and failure detection process on the ACE, you must configure the HSRP group on the Catalyst 6500 Supervisor. 13-30 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Synchronizing ACE High Availability Configurations Procedure Step 1 Choose Config > Devices > ACE admin_context > HA Tracking And Failure Detection > HSRP Groups. The HSRP Groups table appears. Step 2 In the HSRP Groups table, click Add to add a new HSRP group, or choose an existing entry and click Edit to modify it. The HSRP Group configuration window appears. Step 3 In the Track Object Name field of the HSRP Group configuration window, enter a unique identifier for the tracking process. Valid entries are unquoted text strings with no spaces. Step 4 In the Priority field, enter the priority of the HSRP group as an from 0 to 255. The default is 0. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the HSRP group that you are tracking. If the HSRP group goes down, the ACE decrements the priority of the FT group on the active member. If the priority of the FT group on the active member falls below the priority of the FT group on the standby member, a switchover occurs. Step 5 In the HSRP Group Name, enter a name for the HSRP group. Step 6 In the HSRP Peer Priority field, enter the priority of the HSRP group as a value from 0 to 255. The default is 0. Higher values indicate higher priorities. Assign a priority value based on the relative importance of the HSRP group you are tracking. If the HSRP group goes down, the ACE decrements the priority of the FT group on the standby member. Step 7 In the HSRP Group Name of Peer field, enter a name for the HSRP group on the peer ACE. Step 8 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the HSRP Groups table. The table includes the added HSRP group. • Click Cancel to exit this procedure without saving your entries and to return to the HSRP Groups table. Synchronizing ACE High Availability Configurations When two ACE devices are configured as high availability peers, their configurations must be synchronized at all times so that the standby member can take over for the active member seamlessly. As they synchronize, however, the configuration on the hot standby ACE can become out of sync with the ANM-maintained configuration data for that ACE. Note ANM manages local configurations only. 13-31 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Synchronizing ACE High Availability Configurations Note Although a context might have been configured for syslog notification, changes applied to the standby ACE configuration can change syslog notification configuration so that you are not notified of the out-of-sync configurations. As a result, it is important for you to manually synchronize ANM with the standby ACE. Synchronizing configuration files for the standby ACE requires the following: 1. Auditing the standby ACE to confirm that its configuration does not agree with the ANM-maintained configuration data for the ACE. See Synchronizing Virtual Context Configurations, page 6-105. 2. Uploading the configuration from the standby ACE to the ANM server. See Synchronizing Virtual Context Configurations, page 6-105. 3. Ensuring that the SSL certificate/keys are imported and identical for the pair. See Synchronizing SSL Certificate and Key Pairs on Both ACE Peers, page 13-32. 4. For an Admin context, uploading configurations on any newly imported user contexts. If new user contexts are not updated, they cannot be managed using ANM. Synchronizing Virtual Context Configurations in High Availability Mode When configuration changes are made from ANM on any of the ACE devices in a HA pair, ANM automatically detects the active HA peer and deploys the configuration changes to the active ACE alone. ANM does not attempt to deploy a configuration to a standby ACE even if you selected the standby ACE from the ANM device tree. ANM detects the active ACE and will always deploy configuration changes only to the active ACE. In addition, if ACE HA auto-sync is enabled, after the deployment is successful, ANM will locally replicate the configuration in the ANM database on the standby as well to ensure that the ANM configuration is in synchronization with that of the two ACE peers. In a high availability pair, the two configured virtual contexts synchronize with each other as part of their ongoing communications. However, their copies do not synchronize in ANM and the configuration on the standby member may become out-of-sync with the configuration on the ACE. After the active member of a high availability pair fails and the standby member becomes active, the newly active member detects any out-of-sync virtual context configurations and reports that status in the Virtual Contexts table so that you can synchronize the virtual context configurations. Note If a context is put into an out-of-sync state, this context will be automatically synchronized by the backend ANM. It is not necessary for you to perform an explicit synchronization to take care of the out-of-sync state. For information on synchronizing virtual context configurations, see Synchronizing Virtual Context Configurations, page 6-105. Related Topics • Configuring ACE High Availability Peers, page 13-15 • Configuring ACE High Availability Groups, page 13-17 • Synchronizing Virtual Context Configurations, page 6-105 13-32 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Synchronizing SSL Certificate and Key Pairs on Both ACE Peers Synchronizing SSL Certificate and Key Pairs on Both ACE Peers You can reconcile the SSL certificates and key pairs. When SSL certificate/key import is attempted on a peer that is configured in HA, ANM detects the HA state and also imports the same certificate/key into the other HA peer. In addition, when you are configuring two peers in HA from ANM, a warning message appears asking you to perform certificate/key reconciliation and offers the appropriate window enabling you to do this. Guidelines and Restrictions The certificate/key reconciliation feature is available from the Admin context only; however, executing this feature from the Admin context also reconciles the SSL certificates and key pairs on all the virtual contexts associated with the ACE peers. Procedure Step 1 Choose Config > Devices > admin_context > High Availability (HA) > Setup. The HA Management window appears at the top of the content area and the HA Groups table appears at the bottom. Step 2 In the HA Groups table, choose the group that you want to reconcile the SSL certificates and key pairs on the two HA pairs after a switchover occurs, and click SSL Certificate/Key Reconcile. The SSL Certificate/Key Reconciliation popup window appears. Information appears in this popup window for the primary ACE and the peer ACE as described in Table 13-5. Table 13-5 SSL Certificate/Key Reconciliation Popup Window Attributes Field Description This Device IP address for the fault-tolerant VLAN. Peer Device Fault-tolerant VLAN to be used for this high availability pair. Valid entries are from 1 to 4094. Note This VLAN cannot be used for other network traffic. Context Name Unique name for the virtual context Matched State Feature that indicates a match between the SSL certificates and key pairs on the active ACE and the standby ACE peer. Not Matched State Feature that indicates that there is not a match between the SSL certificates and key pairs on the active ACE and the standby ACE peer. SSL Certificates/Keys On Both HA Peers File Type Format of the file: PEM, DER, or PKCS12. Name Name of the file that contains the certificate or key pair. Exportable Field that indicates whether or not you can export the file from the ACE. Choices are as follows: • Yes—You can export the file to an FTP, SFTP, or TFP server (see Chapter 11, “Configuring SSL”). • No—You cannot export the file as it is protected. Matched Field that indicates that the SSL certificate and key pair is a match on the peer ACE. Available On Field that identifies the ACE devices that contain the SSL certificate and key pair. 13-33 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Synchronizing SSL Certificate and Key Pairs on Both ACE Peers Step 3 To copy an SSL certificate and key pair to the ACE peer device, choose it from the SSL Certificates/Keys On Both HA Peers list, and then click Copy To Peer (or click Cancel to close the SSL Certificate/Key Reconciliation popup window without performing the copy). Step 4 To delete an SSL certificate and key pair from the ACE HA pair, choose it from the SSL Certificates/Keys On Both HA Peers list, and click Delete (or click Cancel to close the SSL Certificate/Key Reconciliation popup window without performing the deletion). Related Topics • Understanding ANM High Availability, page 13-2 • Configuring ACE High Availability Peers, page 13-15 • Configuring ACE High Availability Groups, page 13-17 • Synchronizing ACE High Availability Configurations, page 13-30 13-34 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 13 Configuring High Availability Synchronizing SSL Certificate and Key Pairs on Both ACE Peers CHAPTER 14-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 14 Configuring Traffic Policies Date: 3/28/12 Cisco Application Networking Manager helps you configure class maps and policy maps to provide a global level of classification for filtering traffic received by or passing through the ACE. Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This chapter includes the following sections: • Traffic Policy Overview, page 14-1 • Class Map and Policy Map Overview, page 14-2 • Configuring Virtual Context Class Maps, page 14-6 • Setting Match Conditions for Class Maps, page 14-8 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring Rules and Actions for Policy Maps, page 14-34 • Configuring Actions Lists, page 14-85 Traffic Policy Overview Cisco Application Networking Manager helps you configure class maps and policy maps to provide a global level of classification for filtering traffic received by or passing through the ACE. You create traffic policies and attach these policies to one or more VLAN interfaces associated with the ACE to apply feature-specific actions to the matching traffic. The ACE uses the individual traffic policies to implement functions such as: • FTP command inspection • IP normalization and fragment reassembly • Network Address Translation (NAT) 14-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Class Map and Policy Map Overview • Optimization of HTTP traffic • Protocol deep packet inspection • Remote access using Secure Shell (SSH) or Telnet • Secure Socket Layer (SSL) security services between a Web browser (the client) and the HTTP connection (the server) • Server load balancing • TCP termination, normalization, and reuse Related Topics • Class Map and Policy Map Overview, page 14-2 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 Class Map and Policy Map Overview You classify inbound network traffic destined to, or passing through, the ACE based on a series of flow match criteria specified by a class map. Each class map defines a traffic classification; that is, network traffic that is of interest to you. A policy map defines a series of actions (functions) that you want applied to a set of classified inbound traffic. Class maps enable you to classify network traffic based on the following criteria: • Layer 3 and Layer 4 traffic flow information—Source or destination IP address, source or destination port, virtual IP address, or IP protocol • Layer 7 protocol information—HTTP cookie, HTTP URL, HTTP header, HTTP content, FTP request commands, RADIUS, RDP, RTSP, Skinny, or SIP The policies that you can configure depend on the ACE you are configuring. Table 14-1 lists the available policies and the ACE devices that support them. Table 14-1 Traffic Policies and ACE Device Support Policy Map Type Description ACE Device ACE Module ACE Appliance Layer 3/4 Management Traffic (First-Match) Layer 3 and Layer 4 policy map for network management traffic received by the ACE X X Layer 3/4 Network Traffic (First-Match) Layer 3 and Layer 4 policy map for traffic passing through the ACE X X Layer 7 Command Inspection - FTP (First-Match) Layer 7 policy map for inspection of FTP commands X X Layer 7 Deep Packet Inspection - HTTP (All-Match) Layer 7 policy map for inspection of HTTP packets X X Layer 7 Deep Packet Inspection - SIP (All-Match) Layer 7 policy map for inspection of SIP packets X X Layer 7 Deep Packet Inspection - Skinny Layer 7 policy map for inspection of Skinny Client Control Protocol (SCCP) X X 14-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Class Map and Policy Map Overview The traffic classification process consists of the following three steps: 1. Creating a class map, which comprise a set of match criteria related to Layer 3 and Layer 4 traffic classifications or Layer 7 protocol classifications. 2. Creating a policy map, which refers to the class maps and identifies a series of actions to perform based on the traffic match criteria. 3. Activating the policy map and attaching it to a specific VLAN interface or globally to all VLAN interfaces associated with a context by configuring a virtual context global traffic policy to filter traffic received by the ACE. The following overview topics describe the components that define a traffic policy: • Class Maps, page 14-3 • Policy Maps, page 14-4 • Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 14-5 • Applying a Policy Map Globally to All VLAN Interfaces, page 6-35 Class Maps A class map defines each type of Layer 3 and Layer 4 traffic class and each Layer 7 protocol class. You create class maps to classify the traffic received and transmitted by the ACE as follows: • Layer 3 and Layer 4 traffic classes contain match criteria that identify the IP network traffic that can pass through the ACE or network management traffic that can be received by the ACE. • Layer 7 protocol-specific classes identify: – Server load-balancing traffic on generic, HTTP, RADIUS, RTSP, or SIP traffic – HTTP or SIP traffic for deep packet inspection – FTP traffic for inspection of commands Layer 7 HTTP Optimization (First-Match) Layer 7 policy map for optimizing HTTP traffic X Layer 7 Server Load Balancing (First-Match) Layer 7 policy map for HTTP server load balancing X X Server Load Balancing - Generic (First-Match) Generic Layer 7 policy map for server load balancing X X Server Load Balancing - RADIUS (First-Match) Layer 7 policy map for RADIUS server load balancing X X Server Load Balancing - RDP (First-Match) Layer 7 policy map for RDP server load balancing X X Server Load Balancing - RTSP (First-Match) Layer 7 policy map for RTSP server load balancing X X Server Load Balancing - SIP (First-Match) Layer 7 policy map for SIP server load balancing X X Table 14-1 Traffic Policies and ACE Device Support (continued) Policy Map Type Description ACE Device ACE Module ACE Appliance 14-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Class Map and Policy Map Overview A traffic class contains the following components: • Class map name • Class map type • One or more match conditions that define the match criteria for the class map • Instructions on how the ACE evaluates match conditions when you specify more than one match statement in a traffic class (match-any, match-all) The individual match conditions specify the criteria for classifying Layer 3 and Layer 4 network traffic as well as the Layer 7 server load balancing and application protocol-specific fields. The ACE evaluates the packets to determine whether they match the specified criteria. If a statement matches, the ACE considers that packet to be a member of the class and forwards the packet according to the specifications set in the traffic policy. Packets that fail to meet any of the matching criteria are classified as members of the default traffic class if one is specified. The ACE allows you to configure two Layer 7 load-balancing class maps in a nested traffic class configuration to create a single traffic class. You can nest Layer 7 class maps to achieve complex logical expressions. The ACE restricts the nesting of class maps to two levels to prevent you from including one nested class map under a different class map. Related Topics • Class Map and Policy Map Overview, page 14-2 • Policy Maps, page 14-4 • Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 14-5 • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Class Maps, page 14-6 Policy Maps A policy map creates the traffic policy. The purpose of a traffic policy is to implement specific ACE functions associated with a traffic class. A traffic policy contains the following components: • Policy map name • Previously created traffic class map or, optionally, the class-default class map • One or more of the individual Layer 3 and Layer 4 or Layer 7 policies that specify the actions to be performed by the ACE A Layer 7 policy map is always associated within a Layer 3 and Layer 4 policy map to provide an entry point for traffic classification. Layer 7 policy maps are considered to be child policies and can only be nested under a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface; a Layer 7 policy map cannot be directly applied on an interface. For example, to associate a Layer 7 load-balancing policy map, you nest the load-balancing policy map by using the Layer 3 and Layer 4 Policy map action type. If none of the classifications specified in policy maps match, then the ACE executes the default actions specified against the class map configured with the Use Class Default option to use a default class map (if specified). All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. The Use Class Default feature has an implicit match-any match statement and is used to match any traffic classification. 14-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Class Map and Policy Map Overview The ACE supports flexible class map ordering within a policy map. The ACE executes only the actions for the first matching traffic classification, so the order of class maps within a policy map is very important. The policy lookup order is based on the security features of the ACE. The policy lookup order is implicit, irrespective of the order in which you configure policies on the interface. The policy lookup order of the ACE is as follows: 1. Access control (permit or deny a packet) 2. Permit or deny management traffic 3. TCP/UDP connection parameters 4. Load balancing based on a virtual IP (VIP) 5. Application protocol inspection 6. Source NAT 7. Destination NAT The sequence in which the ACE applies the actions for a specific policy is independent of the actions configured for a class map inside a policy. Related Topics • Class Map and Policy Map Overview, page 14-2 • Class Maps, page 14-3 • Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps, page 14-5 • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Policy Maps, page 14-32 Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps Parameter maps allow you to combine related actions in a Layer 3 and Layer 4 policy map. For example, an HTTP parameter map provides a means of performing actions on traffic ingressing an ACE interface based on certain criteria such as HTTP header and cookie settings, server connection reuse, action to be taken when an HTTP header, cookie, or URL exceeds a configured maximum length, and so on. The ACE uses policy maps to combine class maps and parameter maps into traffic policies and to perform certain configured actions on the traffic that matches the specified criteria in the policies. See Table 10-1 for a list of the available parameter maps and the ACE devices that support them. Related Topics • Configuring Parameter Maps, page 10-1 • Class Map and Policy Map Overview, page 14-2 • Class Maps, page 14-3 • Policy Maps, page 14-4 14-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Virtual Context Class Maps Protocol Inspection Overview Certain applications require special handling of the data portion of a packet as the packets pass through the ACE. Application protocol inspection helps to verify the protocol behavior and identify unwanted or malicious traffic passing through the ACE. Based on the specifications of the traffic policy, the ACE accepts or rejects the packets to ensure the secure use of applications and services. For information about application protocol inspection as configured and performed by the ACE, see the related topics. Related Topics • Configuring Virtual Context Policy Maps, page 14-32 • Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps, page 14-22 • Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection, page 14-51 • Setting Policy Map Rules and Actions for Layer 7 SIP Deep Packet Inspection, page 14-68 Configuring Virtual Context Class Maps You can create a class map to classify the traffic received and transmitted by the ACE. For more information about class maps, see the “Class Maps” section on page 14-3. Note To delete a class map from a context, the class map must no longer be in use. To delete multiple class maps, none of the class maps must be in use. If you attempt to delete multiple class maps and one of the class maps is still in use, none of the class maps are deleted and a message appears stating that one of the class maps is in use. Remove the class map that is still in use from your selection, then click Delete. The selected class maps are removed. Procedure Step 1 Choose Config > Devices > context > Expert > Class Maps. The Class Maps table appears. Step 2 In the Class Maps table, click Add to add a new class map, or choose an existing class map and click Edit to modify it. Step 3 (Optional) Enter a class map identifier number. The Name field contains an automatically incremented number for the class map. You can leave the number as it is or enter a different, unique number. Step 4 In the Class Map Type field, choose the type of class map that you are creating. The types that are available depend on the ACE that you are configuring. Table 14-2 lists the available class map types and the ACE devices that support them. 14-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Virtual Context Class Maps Step 5 In the Match Type field, choose the method to be used to evaluate multiple match statements when multiple match conditions exist: • All—A match exists only if all match conditions are satisfied. If you choose All, you can specify multiple types of match conditions. • Any—A match exists if at least one of the match conditions is satisfied. If you choose Any, you can specify only one type of match condition. This field does not appear for Layer 7 Command Inspection - FTP class maps. Step 6 In the Description field, enter a brief description for the class map. Step 7 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and to configure match conditions for the class map. See Setting Match Conditions for Class Maps, page 14-8 for more information. • Click Cancel to exit the procedure without saving your entries and to return to the Class Maps table. • Click Next to deploy your entries and to configure another class map. Related Topics • Information About Virtual Contexts, page 6-2 • Deleting Class Maps, page 14-8 • Setting Match Conditions for Class Maps, page 14-8 • Configuring Virtual Context Policy Maps, page 14-32 Table 14-2 Class Maps and ACE Device Support Class Map ACE Devices ACE Module ACE Appliance Layer 3/4 Management Traffic X X Layer 3/4 Network Traffic X X Layer 7 Command Inspection - FTP X X Layer 7 Deep Packet Inspection - HTTP X X Layer 7 Deep Packet Inspection - SIP X X Layer 7 Server Load Balancing X X Server Load Balancing - Generic X X Server Load Balancing - RADIUS X X Server Load Balancing - RTSP X X Server Load Balancing - SIP X X 14-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Deleting Class Maps You can delete a class map. To delete a class map from a context, the class map must no longer be in use. To delete multiple class maps, none of the class maps must be in use. Assumption The class map to be deleted is not being used. Procedure Step 1 Choose Config > Devices > context > Expert > Class Maps. The Class Maps table appears. Step 2 In the Class Maps table, choose the class maps that you want to delete and click Delete. A confirmation popup window appears, asking you to confirm the deletion. If you attempt to delete multiple class maps and one of the class maps is still in use, none of the class maps are deleted and a message appears stating that one of the class map is in use. Remove the class map that is still in use from your selection, then click Delete. The Class Maps table refreshes and the deleted class maps no longer appear. Step 3 Do one of the following: • Click OK to confirm the deletion. • Click Cancel to retain the class map and to return to the Class Maps table. Related Topics • Class Map and Policy Map Overview, page 14-2 • Configuring Virtual Context Class Maps, page 14-6 Setting Match Conditions for Class Maps Table 14-3 lists the class maps available for all ACE devices and provides links to topics for setting match conditions: Table 14-3 Class Maps Available for All ACE Devices Class Map Related Topic Layer 3/Layer 4 management traffic Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 14-12 Layer 3/Layer 4 network traffic Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps, page 14-9 Layer 7 FTP command inspection Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps, page 14-22 Layer 7 HTTP deep packet inspection Setting Match Conditions for Layer 7 HTTP Deep Packet Inspection Class Maps, page 14-17 Layer 7 server load balancing Setting Match Conditions for Layer 7 Server Load Balancing Class Maps, page 14-14 14-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps You can match criteria for a Layer 3/Layer 4 network traffic class map on the ACE. Assumption You have configured a Layer 3/Layer 4 network traffic class map and want to establish match conditions. Procedure Step 1 Choose Config > Devices > context > Expert > Class Maps. The Class Maps table appears. Step 2 In the Class Maps table, choose the Layer 3/4 network traffic class map that you want to set match conditions for. The Match Condition table appears. Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition you want to modify and click Edit. The Match Condition configuration window appears. Step 4 In the Sequence Number field of the Match Condition configuration window, enter a value from 2 to 255. Step 5 In the Match Condition Type field, choose the type of match condition to use for this class map and configure any match-specific attributes as described in Table 14-4. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Generic server load balancing Setting Match Conditions for Generic Server Load Balancing Class Maps, page 14-23 Layer 7 SIP deep packet inspection Setting Match Conditions for Layer 7 SIP Deep Packet Inspection Class Maps, page 14-30 RADIUS server load balancing Setting Match Conditions for RADIUS Server Load Balancing Class Maps, page 14-25 RTSP server load balancing Setting Match Conditions for RTSP Server Load Balancing Class Maps, page 14-26 SIP server load balancing Setting Match Conditions for SIP Server Load Balancing Class Maps, page 14-27 Table 14-3 Class Maps Available for All ACE Devices (continued) Class Map Related Topic Table 14-4 Layer 3/Layer 4 Network Traffic Class Map Match Conditions Match Condition Description Access List Access list that is the match type for this match condition. In the Extended ACL field, choose the ACL to use as the match condition. Any Any Layer 3 or Layer 4 IPv4 traffic passing through the ACE meets the match condition. 14-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Anyv6 Any Layer 3 or Layer 4 IPv6 traffic passing through the ACE meets the match condition. This option requires ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. Destination Address Destination address that is the match type for this match condition. Do the following: a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. b. In the Destination Address field, enter the destination IP address for this match condition in the format based on the address type (IPv4 or IPv6). c. Depending on the destination IP address type that you chose, do one of the following: – For IPv4, in the Destination Netmask field, select the subnet mask of the IP address. – For IPv6, in the Destination Prefix-length field, enter the prefix length for the address. Port UDP or TCP port or range of ports for IPv4 traffic that is the match type for this match condition. Do the following: a. In the Port Protocol field, choose TCP or UDP as the protocol to match. b. In the Port Operator field, choose the match criteria for the port. Choices are as follows: – Any—Any port using the selected protocol meets the match condition. – Equal To—Specific port using the protocol meets the match condition. – In the Port Number field, enter the port to be matched. Valid entries are integers from 0 to 65535. A value of 0 indicates that the ACE is to include all ports. – Range—Port must be one of a range of ports to meet the match condition. Do the following: 1. In the Lower Port Number field, enter the first port number in the port range for the match condition. 2. In the Upper Port Number field, enter the last port number in the port range for the match condition. Valid entries are integers from 0 to 65535. A value of 0 indicates that the ACE is to include all ports. Portv6 UDP or TCP port or range of ports for IPv6 traffic that is the match type for this match condition. This option requires ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. For port configuration information, see Port. Table 14-4 Layer 3/Layer 4 Network Traffic Class Map Match Conditions (continued) Match Condition Description 14-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Source Address Source IP address that is the match type for this match condition. Do the following: a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. b. In the Source IP Address field, enter the source IP address for this match condition in the format based on the address type (IPv4 or IPv6). c. Depending on the source IP address type that you chose, do one of the following: – For IPv4, in the Source Netmask field, select the subnet mask of the IP address. – For IPv6, in the Source Prefix-length field, enter the prefix length for the address. Virtual Address Virtual IP address that is the match type for this match condition. Do the following: a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. a. In the Virtual IP Address field, enter the virtual IP address for this match condition in the format based on the address type (IPv4 or IPv6). b. Depending on the IP address type that you chose, do one of the following: – For IPv4, in the Virtual IP Netmask field, choose the subnet mask for the virtual IP address. – For IPv6, in the Virtual Prefix-length field, enter the prefix length for the address. c. In the Virtual Address Protocol field, choose the protocol to be used for this match condition. For a list of protocols and their respective numbers, see Table 6-20. Note Depending on the protocol that you choose, such as TCP or UDP, additional fields appear. If they appear, enter the information described in the following steps. d. In the Port Operator field, choose the match criteria for the port: – Any—Any port using the selected protocol meets the match condition. – Equal To—A specific port using the protocol meets the match condition. – In the Port Number field, enter the port to be matched. Valid entries are from 0 to 65535. A value of 0 indicates that the ACE is to include all ports. – Range—The port must be one of a range of ports to meet the match condition. Valid entries are from 0 to 65535. A value of 0 indicates that the ACE is to include all ports. Do the following: 1. In the Lower Port Number field, enter the first port number in the port range for the match condition. 2. In the Upper Port Number field, enter the last port number in the port range for the match condition. Table 14-4 Layer 3/Layer 4 Network Traffic Class Map Match Conditions (continued) Match Condition Description 14-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Match Condition table. Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic. • Click Cancel to exit the procedure without saving your entries and to return to the Match Condition table. • Click Next to deploy your entries and to configure additional match conditions. Related Topics • Configuring Traffic Policies, page 14-1 • Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 14-12 • Setting Match Conditions for Layer 7 Server Load Balancing Class Maps, page 14-14 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring Virtual Context Class Maps, page 14-6 Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps You can identify the network management protocols that can be received by the ACE. Assumption You have configured a Layer 3/Layer 4 network management class map and want to establish match conditions. Procedure Step 1 Choose Config > Devices > context > Expert > Class Maps. The Class Maps table appears. Step 2 In the Class Maps table, choose the Layer 3/Layer 4 management class map that you want to set match conditions for. The Match Condition table appears. Step 3 In the Match Condition table, click Add to add match criteria, or choose the match conditions that you want to modify and click Edit. The Match Condition configuration window appears. Step 4 Enter the match conditions (see Table 14-5). Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. 14-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Step 5 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Match Condition table. Table 14-5 Layer 3/Layer 4 Management Traffic Class Map Match Conditions Field Description Sequence Number Number from 2 to 255 as the line number. The number entered here does not indicate a priority or sequence for the match conditions. Match Condition Type Confirm that Management is selected. Note To change the type of match condition, you must delete the class map and add it again with the correct match type. Management Protocol Type Field that identifies the network management protocols that can be received by the ACE. Choose the allowed protocol for this match condition as follows: • HTTP—Specifies the Hypertext Transfer Protocol (HTTP). • HTTPS—Specifies the secure (SSL) Hypertext Transfer Protocol (HTTP) for connectivity with the ANM GUI on the ACE. • ICMP—Specifies the Internet Control Message Protocol (ICMP), commonly referred to as ping. • ICMPv6—Specifies the Internet Control Message Protocol version 6 (ICMPv6). • SNMP—Specifies the Simple Network Management Protocol (SNMP). • SSH—Specifies a Secure Shell (SSH) connection to the ACE. • TELNET—Specifies a Telnet connection to the ACE. • KAL-AP-UDP—Specifies the KeepAlive Appliance Protocol over UDP. • XML-HTTPS—Specifies HTTPS as the transfer protocol for sending and receiving XML documents between the ACE and a Network Management System (NMS). Communication is performed using port 10443. This option is available for ACE appliances only. Traffic Type Type of traffic: • Any—Any client source IP address meets the match condition. • Source Address—A specific source IP address is part of the match condition. Source Address Field that appears if Source Address is selected for Traffic Type. Depending on the management protocol type that you chose, do one of the following • For ICMP, enter the source IP address of the client in dotted-decimal notation, such as 192.168.11.1. • For ICMPv6, enter a complete IPv6 address. Source Netmask Field that appears if Source Address is selected for Traffic Type. Choose the subnet mask for the source IP address. Source Prefix-length This field appears if ICMPv6 is selected for the Management Protocol Type and Source Address is selected for Traffic Type. Enter the prefix length for the source IPv6 address. 14-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic. • Click Cancel to exit the procedure without saving your entries and to return to the Match Condition table. • Click Next to deploy your entries and to configure additional match conditions. Related Topics • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Real Servers, page 8-5 • Configuring Server Farms, page 8-30 • Configuring Sticky Groups, page 9-7 Setting Match Conditions for Layer 7 Server Load Balancing Class Maps You can set match conditions for Layer 7 server load balancing class maps. Assumption You have configured a load-balancing class map and want to establish the match conditions. Procedure Step 1 Choose Config > Devices > context > Expert > Class Maps. The Class Maps table appears. Step 2 In the Class Maps table, choose the Layer 7 server load balancing class map you want to set match conditions for. The Match Condition table appears. Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you want to modify and click Edit. The Match Condition configuration window appears. Step 4 In the Sequence Number field, enter a value from 2 to 255 as the line number. The number entered here does not indicate a priority or sequence for the match conditions. Step 5 In the Match Condition Type field, choose the type of match to use and configure condition-specific attributes as described in Table 14-6. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. 14-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Table 14-6 Layer 7 Server Load Balancing Class Map Match Conditions Match Condition Description Class Map Class map that is to be used to establish a match condition. In the Class Map field, choose the class map to apply to this match condition. HTTP Content Specific content contained within the HTTP entity-body that is used to establish a match condition. Do the following: a. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters. b. In the Content Offset (Bytes) field, enter the number of bytes to be ignored starting with the first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are from 1 to 255. HTTP Cookie HTTP cookie that is to be used to establish a match condition. Do the following: a. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. b. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. c. Check the Secondary Cookie Matching check box to instruct the ACE to use both the cookie name and the cookie value to satisfy this match condition. Uncheck this check box to indicate that the ACE is to use either the cookie name or the cookie value to satisfy this match condition. HTTP Header HTTP header that is to be used to establish a match condition. Do the following: a. In the Header Name field, specify the header to match in one of the following ways: – To specify an HTTP header that is not one of the standard HTTP headers, click the first radio button, and enter the HTTP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. – To specify a standard HTTP header, click the second radio button, and choose an HTTP header from the list. b. In the Header Value (Bytes) field, enter the header value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. If the string includes spaces, enclose the string in quotes. See Table 14-33 for a list of the supported characters that you can use in regular expressions. 14-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Match Condition table. Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic. • Click Cancel to exit the procedure without saving your entries and to return to the Match Condition table. • Click Next to deploy your entries and to configure additional match conditions. Related Topics • Information About Virtual Contexts, page 6-2 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 HTTP URL Portion of an HTTP URL that is to be used to establish a match condition. Do the following: a. In the URL Expression field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. b. In the Method Expression field, enter the HTTP method to match. Valid entries are method names entered as unquoted text strings with no spaces and a maximum of 15 alphanumeric characters. You can enter either one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, CORVETTE). Source Address Source IP address that is to be used to establish a match condition. Do the following: a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. b. In the Source Address field, enter the source IP address for this match condition in the format based on the address type (IPv4 or IPv6). c. Depending on the IP address type that you chose, do one of the following: – For IPv4, in the Source Netmask field, choose the subnet mask of the source IP address. – For IPv6, in the Source Prefix-length field, enter the prefix length for the address. Table 14-6 Layer 7 Server Load Balancing Class Map Match Conditions (continued) Match Condition Description 14-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Setting Match Conditions for Layer 7 HTTP Deep Packet Inspection Class Maps You can configure a Layer 7 class map for deep packet inspection of HTTP traffic by the ACE. When these features are configured, the ACE performs a stateful deep packet inspection of the HTTP protocol and permits or restricts traffic based on the actions in the defined policy maps. You can configure the following security features as part of HTTP deep packet inspection to be performed by the ACE: • Regular expression matching on name in an HTTP header, URL name, or content expressions in an HTTP entity body • Content, URL, and HTTP header length checks • MIME-type message inspection • Transfer-encoding methods • Content type verification and filtering • Port 80 misuse by tunneling protocols • RFC compliance monitoring and RFC method filtering Use this procedure to configure a Layer 7 class map for deep packet inspection of HTTP traffic. Assumption You have configured a Layer 7 HTTP deep packet inspection class map and want to establish match conditions. Procedure Step 1 Choose Config > Devices > context > Expert > Class Maps. The Class Maps table appears. Step 2 In the Class Maps table, choose the Layer 7 HTTP deep packet inspection class map that you want to set match conditions for. The Match Condition table appears. Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you want to modify and click Edit. The Match Condition configuration window appears. Step 4 In the Sequence Number field of the Match Condition configuration window, enter a value from 2 to 255 as the line number. The number entered here does not indicate a priority or sequence for the match conditions. Step 5 In the Match Condition Type field, choose the method that match decisions are to be made and configure condition-specific attributes as described in Table 14-7. 14-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Table 14-7 Layer 7 HTTP Deep Packet Inspection Class Map Match Conditions Match Condition Description Content Specific content contained within the HTTP entity-body that is to be used for protocol inspection decisions. Do the following: a. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters. b. In the Content Offset (Bytes) field, enter the number of bytes to be ignored starting with the first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are from 1 to 255. Content Length Content parse length in an HTTP message that is to be used for protocol inspection decisions. Do the following: a. In the Content Length Operator field, choose the operand to use to compare content length as follows: – Equal To—The content length must equal the number in the Content Length Value (Bytes) field. – Greater Than—The content length must be greater than the number in the Content Length Value (Bytes) field. – Less Than—The content length must be less than the number in the Content Length Value (Bytes) field. – Range—The content length must be within the range specified in the Content Length Lower Value (Bytes) field and the Content Length Higher Value (Bytes) field. b. Enter values to apply for content length comparison as follows: – If you chose Equal To, Greater Than, or Less Than in the Content Length Operator field, the Content Length Value (Bytes) field appears. In the Content Length Value (Bytes) field, enter the number of bytes for comparison. Valid entries are from 0 to 4294967295. – If you chose Range in the Content Length Operator field, the Content Length Lower Value (Bytes) and the Content Length Higher Value (Bytes) fields appear. Do the following: 1. In the Content Length Lower Value (Bytes) field, enter the lowest number of bytes to be used for this match condition. Valid entries are from 0 to 4294967295. The number in this field must be less than the number entered in the Content Length Higher Value (Bytes) field. 2. In the Content Length Higher Value (Bytes) field, enter the highest number of bytes to be used for this match condition. Valid entries are from 0 to 4294967295. The number in this field must be greater than the number entered in the Content Length Lower Value (Bytes) field. 14-19 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Header Name and value in an HTTP header that are to be used for protocol inspection decisions. Do the following: a. In the Header field, choose one of the predefined HTTP headers to be matched, or choose HTTP Header to specify a different HTTP header. b. If you chose HTTP Header, in the Header Name field, enter the name of the HTTP header to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. c. In the Header Value (Bytes) field, enter the header value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. If the string includes spaces, enclose the string with quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions. Header Length Length of the header in the HTTP message that is to be used for protocol inspection decisions. Do the following: a. In the Header Length Type field, specify whether HTTP header request or response messages are to be used for protocol inspection decisions as follows: – Request—HTTP header request messages are to be checked for header length. – Response—HTTP header response messages are to be checked for header length. b. In the Header Length Operator field, choose the operand to use to compare header length: – Equal To—The header length must equal the number in the Header Length Value (Bytes) field. – Greater Than—The header length must be greater than the number in the Header Length Value (Bytes) field. – Less Than—The header length must be less than the number in the Header Length Value (Bytes) field. – Range—The header length must be within the range specified in the Header Length Lower Value (Bytes) field and the Header Length Higher Value (Bytes) field. c. Enter values to apply for header length comparison as follows: – If you chose Equal To, Greater Than, or Less Than in the Header Length Operator field, the Header Length Value (Bytes) field appears. In the Header Length Value (Bytes) field, enter the number of bytes for comparison. Valid entries are from 0 to 255. – If you chose Range in the Header Length Operator field, the Header Length Lower Value (Bytes) and the Header Length Higher Value (Bytes) fields appear. Do the following: 1. In the Header Length Lower Value (Bytes) field, enter the lowest number of bytes to be used for this match condition. Valid entries are from 0 to 255. The number in this field must be less than the number entered in the Header Length Higher Value (Bytes) field. 2. In the Header Length Higher Value (Bytes) field, enter the highest number of bytes to be used for this match condition. Valid entries are from 1 to 255. The number in this field must be greater than the number entered in the Header Length Lower Value (Bytes) field. Table 14-7 Layer 7 HTTP Deep Packet Inspection Class Map Match Conditions (continued) Match Condition Description 14-20 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Header MIME Type Multipurpose Internet Mail Extension (MIME) message types that are to be used for protocol inspection decisions. In the Header MIME Type field, choose the MIME message type to use for this match condition. Port Misuse Feature that specifies that the misuse of port 80 (or any other port running HTTP) is to be used for protocol inspection decisions. Choose the application category to use for this match condition: • IM—Instant messaging applications are to be used for this match condition. • P2P—Peer-to-peer applications are to be used for this match condition. • Tunneling—Tunneling applications are to be used for this match condition. Request Method Request method that is to be used for protocol inspection decisions. By default, ACEs allow all request and extension methods. This option allows you to configure class maps that define protocol inspection decisions based on compliance to request methods defined in RFC 2616 and by HTTP extension methods. Do the following: a. In the Request Method Type field, choose the type of compliance to be used for protocol inspection decision. Choices are as follows: – Ext—HTTP extension method is to be used for protocol inspection decisions. – RFC—Request method defined in RFC 2616 is to be used for protocol inspection decisions. Depending on your selection, the Ext Request Method field or the RFC Request Method field appears. b. In the Request Method field, choose the specific request method to be used. Transfer Encoding Field that appears when an HTTP transfer-encoding type is used for protocol inspection decisions. The transfer-encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body to safely transfer it between the sender and the recipient. In the Transfer Encoding field, choose the type of encoding that is to be checked: • Chunked—The message body is transferred as a series of chunks. • Compress—The encoding format that is produced by the UNIX file compression program compress. • Deflate—The .zlib format that is defined in RFC 1950 in combination with the DEFLATE compression mechanism described in RFC 1951. • Gzip—The encoding format that is produced by the file compression program GZIP (GNU zip) as described in RFC 1952. • Identity—The default (identity) encoding which does not require the use of transformation. URL URL name used for protocol inspection decisions. In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. Table 14-7 Layer 7 HTTP Deep Packet Inspection Class Map Match Conditions (continued) Match Condition Description 14-21 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. Note If you click Deploy Now, the ACE drops the traffic, then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic. • Click Cancel to exit this procedure without saving your entries and to return to the Match Condition table. • Click Next to configure another match condition for this class map. Related Topics • Configuring Virtual Context Policy Maps, page 14-32 • Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps, page 14-9 • Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps, page 14-12 URL Length URL length to be used for protocol inspection decisions. Do the following: a. In the URL Length Operator field, choose the operand to be used to compare URL length: – Equal To—The URL length must equal the number in the URL Length Value (Bytes) field. – Greater Than—The URL length must be greater than the number in the URL Length Value (Bytes) field. – Less Than—The URL length must be less than the number in the URL Length Value (Bytes) field. – Range—The URL length must be within the range specified in the URL Length Lower Value (Bytes) field and the URL Length Higher Value (Bytes) field. b. Enter values to apply for URL length comparison as follows: – If you chose Equal To, Greater Than, or Less Than in the URL Length Operator field, the URL Length Value (Bytes) field appears. In the URL Length Value (Bytes) field, enter the value for comparison. Valid entries are from 1 to 65535 bytes. – If you chose Range in the URL Length Operator field, the URL Length Lower Value (Bytes) and the URL Length Higher Value (Bytes) fields appear. Do the following: 1. In the URL Length Lower Value (Bytes) field, enter the lowest number of bytes to be used for this match condition. Valid entries are integers from 1 to 65535. The number in this field must be less than the number entered in the URL Length Higher Value (Bytes) field. 2. In the URL Length Higher Value (Bytes) field, enter the highest number of bytes to be used for this match condition. Valid entries are integers from 1 to 65535. The number in this field must be greater than the number entered in the URL Length Lower Value (Bytes) field. Table 14-7 Layer 7 HTTP Deep Packet Inspection Class Map Match Conditions (continued) Match Condition Description 14-22 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps • Setting Match Conditions for Layer 7 Server Load Balancing Class Maps, page 14-14 • Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps, page 14-22 Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps You can set match conditions for a Layer 7 FTP command inspection class map. Assumption You have configured a Layer 7 FTP command inspection class map and want to establish match criteria. Procedure Step 1 Choose Config > Devices > context > Expert > Class Maps. The Class Maps table appears. Step 2 In the Class Maps table, choose the Layer 7 FTP command inspection class map that you want to set match conditions for. The Match Condition table appears. Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you want to modify and click Edit. The Match Condition configuration window appears. Step 4 In the Sequence Number field of the Match Condition configuration window, enter a value from 2 to 255. Step 5 In the Match Condition Type field, confirm that Request Method Name is selected as the match condition type for this class map. Step 6 In the Request Method Name field, choose the FTP command to be inspected. Table 14-8 identifies the FTP commands that can be inspected. Table 14-8 FTP Commands for Inspection FTP Command Description Appe Append data to the end of the specified file on the remote host. Cdup Change to the parent of the current directory. Dele Delete the specified file. Get Copy the specified file from the remote host to the local system. Help List all available FTP commands. Mkd Create a directory using the specified path and directory name. Put Copy the specified file from the local system to the remote host. Rmd Remove the specified directory. Rnfr Rename a file, specifying the current file name. Used with rnto. Rnto Rename a file, specifying the new file name. Used with rnfr. Site Execute a site-specific command. Stou Store a file on the remote host and give it a unique name. Syst Query the remote host for operating system information. 14-23 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Step 7 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Match Condition table. Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic. • Click Cancel to exit this procedure without saving your entries and to return to the Match Condition table. • Click Next to configure another match condition for this class map. Related Topics • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 Setting Match Conditions for Generic Server Load Balancing Class Maps You can set match conditions for a generic server load balancing class map. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Assumption You have configured a generic server load balancing class map and want to establish match criteria. Procedure Step 1 Choose Config > Devices > context > Expert > Class Maps. The Class Maps table appears. Step 2 In the Class Maps table, choose the generic server load balancing class map that you want to set match conditions for. The Match Condition table appears. Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you want to modify and click Edit. The Match Condition configuration window appears. Step 4 In the Sequence Number field of the Match Condition configuration window, enter a value from 2 to 255. Step 5 In the Match Condition Type field, choose the match condition type for this class map and configure any match-specific criteria as described in Table 14-9. 14-24 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Match Condition table. Note If you click Deploy Now, the ACE drops the traffic and then restarts it even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic. • Click Cancel to exit this procedure without saving your entries and to return to the Match Condition table. • Click Next to configure another match condition for this class map. Related Topics • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 Table 14-9 Generic Server Load Balancing Class Map Match Conditions Match Condition Description Class Map Class map that is used to establish a match condition. In the Class Map field, choose the class map to use for this match condition. Layer 4 Payload Generic data parsing that is used to establish a match condition. Do the following: a. In the Layer 4 Payload Regex field, enter the Layer 4 payload expression contained within the TCP or UDP entity body to use for this match condition. Valid entries are text strings with a maximum of 255 alphanumeric characters. See Table 14-33 for a list of the supported characters that you can use for matching string expressions. b. In the Layer 4 Payload Offset field, enter the absolute offset where the Layer 4 payload expression search starts. The offset starts at the first byte of the TCP or UDP body. Valid entries are from 0 to 999. Source Address Source IP address that is used to establish a match condition. Do the following: a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. b. In the Source Address field, enter the source IP address for this match condition in the format based on the address type (IPv4 or IPv6). c. Depending on the IP address type that you chose, do one of the following: – For IPv4, in the Source Netmask field, choose the subnet mask for the source IP address. – For IPv6, in the Source Prefix-length field, enter the prefix length for the address. 14-25 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Setting Match Conditions for RADIUS Server Load Balancing Class Maps You can set match conditions for a RADIUS server load balancing class map. Assumption You have configured a RADIUS server load balancing class map and want to establish match criteria. Procedure Step 1 Choose Config > Devices > context > Expert > Class Maps. The Class Maps table appears. Step 2 In the Class Maps table, choose the RADIUS server load balancing class map that you want to set match conditions for. The Match Condition table appears. Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you want to modify and click Edit. The Match Condition configuration window appears. Step 4 In the Sequence Number field, enter a value from 2 to 255. Step 5 In the Match Condition Type field, choose the match condition type for this class map and configure any match-specific criteria as described in Table 14-10. Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Match Condition table. Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic. • Click Cancel to exit this procedure without saving your entries and to return to the Match Condition table. • Click Next to configure another match condition for this class map. Table 14-10 RADIUS Server Load Balancing Class Map Match Conditions Match Condition Description Calling Station ID Unique identifier of the calling station that is used to establish a match condition. In the RADIUS Calling Station ID field, enter the calling station identifier to match. Valid entries are strings containing 1 to 64 alphanumeric characters. See Table 14-33 for a list of the supported characters that you can use for matching string expressions. User Name Username that is used to establish a match condition. In the User Name field, enter the name to match. Valid entries are strings containing 1 to 64 alphanumeric characters. See Table 14-33 for a list of the supported characters that you can use for matching string expressions. 14-26 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Related Topics • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 Setting Match Conditions for RTSP Server Load Balancing Class Maps You can set match conditions for a RTSP server load balancing class map. Assumption You have configured a RTSP server load balancing class map and want to establish match criteria. Procedure Step 1 Choose Config > Devices > context > Expert > Class Maps. The Class Maps table appears. Step 2 In the Class Maps table, choose the RTSP server load balancing class map that you want to set match conditions for. The Match Condition table appears. Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you want to modify and click Edit. The Match Condition configuration window appears. Step 4 In the Sequence Number field, enter a value from 2 to 255. Step 5 In the Match Condition Type field, choose the match condition type for this class map and configure any match-specific criteria as described in Table 14-11. Table 14-11 RTSP Server Load Balancing Class Map Match Conditions Match Condition Description Class Map Class map that is used to establish a match condition. In the Class Map field, choose the class map to use for this match condition. RTSP Header Name and value in an RTSP header that is used to establish a match condition. Do the following a. In the Header Name field, specify the header in one of the following ways: – To specify an RTSP header that is not one of the standard RSTP headers, choose the first radio button and enter the RTSP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. – To specify one of the standard RTSP headers, choose the second radio button and choose one of the RTSP headers from the list. b. In the Header Value (Bytes) field, enter the header value expression string to compare against the value in the specified field in the RTSP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. If the string includes spaces, enclose the string with quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions. 14-27 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Match Condition table. Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic. • Click Cancel to exit this procedure without saving your entries and to return to the Match Condition table. • Click Next to configure another match condition for this class map. Related Topics • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 Setting Match Conditions for SIP Server Load Balancing Class Maps You can set match conditions for a SIP server load balancing class map. Assumption You have configured a SIP server load balancing class map and want to establish match criteria. RTSP URL URL or portion of a URL that is used to establish a match condition. Do the following: a. In the URL Expr field, enter a URL, or portion of a URL, to match. The ACE performs matching on whatever URL string appears after the RTSP method, regardless of whether the URL includes the host name. The ACE supports regular expressions for matching URL strings. See Table 14-33 for a list of the supported characters that you can use in regular expressions. b. In the Method field, enter the RTSP method to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. The method can be either one of the standard RTSP method names (DESCRIBE, ANNOUNCE, GET_PARAMETER, OPTIONS, PAUSE, PLAY, RECORD, REDIRECT, SETUP, SET_PARAMETER, TEARDOWN) or a text string that must be matched exactly (for example, STINGRAY). Source Address Source IP address that is used to establish a match condition. Do the following: a. In the Source Address field, enter the source IP address for this match condition in dotted-decimal format, such as 192.168.11.1. b. In the Source Netmask field, choose the subnet mask for the source IP address. Table 14-11 RTSP Server Load Balancing Class Map Match Conditions (continued) Match Condition Description 14-28 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Procedure Step 1 Choose Config > Devices > context > Expert > Class Maps. The Class Maps table appears. Step 2 In the Class Maps table, choose the SIP server load balancing class map that you want to set match conditions for. The Match Condition table appears. Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you want to modify and click Edit. The Match Condition configuration window appears. Step 4 In the Sequence Number field of the Match Condition configuration window, enter a value from 2 to 255. Step 5 In the Match Condition Type field, choose the match condition type for this class map and configure any match-specific criteria as described in Table 14-12. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Table 14-12 SIP Server Load Balancing Class Map Match Conditions Match Condition Description Class Map Class map that is used to establish a match condition. In the Class Map field, choose the class map to use for this match condition. 14-29 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Match Condition table. Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic. • Click Cancel to exit this procedure without saving your entries and to return to the Match Condition table. • Click Next to configure another match condition for this class map. Related Topics • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 SIP Header SIP header name and value that are used to establish a match condition. Do the following: a. In the Header Name field, specify the header in one of the following ways: – To specify a SIP header that is not one of the standard SIP headers, choose the first radio button and enter the SIP header name in the Header Name field. Enter an unquoted text string with no spaces and a maximum of 64 characters. – To specify one of the standard SIP headers, choose the second radio button and choose one of the SIP headers from the list. b. In the Header Value (Bytes) field, enter the header value expression string to compare against the value in the specified field in the SIP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. If the string includes spaces, enclose the string with quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions. Source Address Source IP address that is used to establish a match condition. Do the following: a. In the IP Address Type field, select either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. b. In the Source Address field, enter the source IP address for this match condition in the format based on the address type (IPv4 or IPv6). c. Depending on the IP address type that you chose, do one of the following: – For IPv4, in the Source Netmask field, choose the subnet mask for the source IP address. – For IPv6, in the Source Prefix-length field, enter the prefix length for the address. Table 14-12 SIP Server Load Balancing Class Map Match Conditions (continued) Match Condition Description 14-30 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Setting Match Conditions for Layer 7 SIP Deep Packet Inspection Class Maps You can set match conditions for a SIP deep packet inspection class map. Assumption You have configured a SIP deep packet inspection class map and want to establish match criteria. Procedure Step 1 Choose Config > Devices > context > Expert > Class Maps. The Class Maps table appears. Step 2 In the Class Maps table, choose the SIP deep packet inspection class map that you want to set match conditions for. The Match Condition table appears. Step 3 In the Match Condition table, click Add to add match criteria, or choose the match condition that you want to modify and click Edit. The Match Condition configuration window appears. Step 4 In the Sequence Number field of the Match Condition configuration window, enter a value from 2 to 255. Step 5 In the Match Condition Type field, choose the match condition type for this class map and configure any match-specific criteria as described in Table 14-13. Table 14-13 Layer 7 SIP Deep Packet Inspection Class Map Match Conditions Match Condition Description Called Party Destination or called party in the URI of the SIP To header that is used to establish a match condition. In the Called Party field, enter a regular expression that identifies the called party in the URI of the SIP To header for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. Calling Party Source or calling party in the URI of the SIP From header that is used to establish a match condition. In the Calling Party field, enter a regular expression that identifies the called party in the URI of the SIP To header for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. IM Subscriber IM (instant messaging) subscriber that is used to establish a match condition. In the IM Subscriber field, enter a regular expression that identifies the IM subscriber for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. Message Path Message coming from or transiting through certain SIP proxy servers that is used to establish a match condition. In the Message Path field, enter a regular expression that identifies the SIP proxy server for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. 14-31 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Setting Match Conditions for Class Maps Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. You return to the Match Condition table. Note If you click Deploy Now, the ACE drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic. • Click Cancel to exit this procedure without saving your entries and to return to the Match Condition table. SIP Content Length SIP message body length that is used to establish a match condition. Do the following: a. In the Content Operator field, confirm that Greater Than is selected. b. In the Content Length field, enter the maximum size of a SIP message body in bytes that the ACE is to allow without performing SIP protocol inspection. If a SIP message exceeds the specified value, the ACE performs SIP protocol inspection as defined in an associated policy map. Valid entries are from 0 to 65534 bytes. SIP Content Type Content type in the SIP message body that is used to establish a match condition. In the Content Type field, enter the a regular expression that identifies the content type in the SIP message body to use for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. SIP Request Method SIP request method that is used to establish a match condition. In the Request Method field, choose the request method that is to be matched. Third Party Third party who is authorized to register other users on their behalf that is used to establish a match condition. In the Third Party Registration Entities field, enter a regular expression that identifies a privileged user authorized for third-party registrations for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. URI Length SIP URI or user identifier that is used to establish a match condition. Do the following: a. In the URI Type field, choose the type of URI to use: – SIP URI—The calling party URI is used for this match condition. – Tel URI—A telephone number is used for this match condition. b. In the URI Operator field, confirm that Greater Than is selected. c. In the URI Length field, enter the maximum length of the SIP URI or Tel URI in bytes. Valid entries are integers from 0 to 254 bytes. Table 14-13 Layer 7 SIP Deep Packet Inspection Class Map Match Conditions (continued) Match Condition Description 14-32 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Virtual Context Policy Maps • Click Next to configure another match condition for this class map. Related Topics • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 Configuring Virtual Context Policy Maps You can create policy maps for a context that establish traffic policy for the ACE. The purpose of a traffic policy is to implement specific ACE functions associated with a traffic class. A traffic policy contains the following: • A policy map name. • A previously created traffic class map or, optionally, the class-default class map. • One or more of the individual Layer 3/Layer 4 or Layer 7 policies that specify the actions to be performed by the ACE. The ACE executes actions specified in a policy map on a first-match, multi-match, or all-match basis as follows: • First-match—With a first-match policy map, the ACE executes only the action specified against the first classification that it matches. Layer 3/Layer 4 Management Traffic, Layer 7 Server Load Balancing, Layer 7 Command Inspection - FTP, and Layer 7 HTTP Optimization policy maps are first-match policy maps. • Multi-match—With a multi-match policy map, the ACE executes all possible actions applicable for a specific classification. Layer 3/Layer 4 Network Traffic policy maps are multi-match policy maps. • All-match—With an all-match policy map, the ACE attempts to match all specified conditions against the matching classification and executes the actions of all matching classes until it encounters a deny for a match request. You can display a context’s policy maps and their types in the Policy Maps table (Config > Virtual Contexts > context > Expert > Policy Maps.) The types of policy maps that you can configure depend on the ACE device type. Table 14-14 lists the types of policy maps with brief descriptions and the ACE devices that support them. Table 14-14 Policy Maps and ACE Device Support Policy Map Type Description ACE Device ACE Module ACE Appliance Layer 3/4 Management Traffic (First-Match) Layer 3 and Layer 4 policy map for network management traffic received by the ACE X X Layer 3/4 Network Traffic (First-Match) Layer 3 and Layer 4 policy map for traffic passing through the ACE X X Layer 7 Command Inspection - FTP (First-Match) Layer 7 policy map for inspection of FTP commands X X 14-33 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Virtual Context Policy Maps Procedure Step 1 Choose Config > Devices > context > Expert > Policy Maps. The Policy Maps table appears. Step 2 In the Policy Maps table, click Add to add a new policy map, or choose an existing policy map and click Edit to modify it. Step 3 The Policy Map Name field contains an automatically incremented number for the policy map. Either leave the entry as it is or enter a different, unique number. Step 4 In the Type field, choose the type of policy map to create. See Table 14-14 for a list of the policy maps and their availability for the different ACE models. Step 5 In the Description field, enter a brief description of the policy map. Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. To define rules and actions for the policy map, see Configuring Rules and Actions for Policy Maps, page 14-34. • Click Cancel to exit this procedure without saving your entries and to return to the Policy Maps table. • Click Next to deploy your entries and to configure another policy map. Layer 7 Deep Packet Inspection - HTTP (All-Match) Layer 7 policy map for inspection of HTTP packets X X Layer 7 Deep Packet Inspection - SIP (All-Match) Layer 7 policy map for inspection of SIP packets X X Layer 7 Deep Packet Inspection - Skinny Layer 7 policy map for inspection of Skinny Client Control Protocol (SCCP) X X Layer 7 HTTP Optimization (First-Match) Layer 7 policy map for optimizing HTTP traffic X Layer 7 Server Load Balancing (First-Match) Layer 7 policy map for HTTP server load balancing X X Server Load Balancing - Generic Generic Layer 7 policy map for server load balancing X X Server Load Balancing - RADIUS (First-Match) Layer 7 policy map for RADIUS server load balancing X X Server Load Balancing - RDP (First-Match) Layer 7 policy map for RDP server load balancing X X Server Load Balancing - RTSP (First-Match) Layer 7 policy map for RTSP server load balancing X X Server Load Balancing - SIP (First-Match) Layer 7 policy map for SIP server load balancing X X Table 14-14 Policy Maps and ACE Device Support (continued) Policy Map Type Description ACE Device ACE Module ACE Appliance 14-34 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Related Topics • Information About Virtual Contexts, page 6-2 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Rules and Actions for Policy Maps, page 14-34 Configuring Rules and Actions for Policy Maps Table 14-15 lists the policy maps and related topics for setting rules and actions. Table 14-15 Topic Reference for Policy Map Rules and Actions Policy Map Type Topic for Setting Rules and Actions Layer 3/4 Management Traffic (First-Match) Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic, page 14-39 Layer 3/4 Network Traffic (First-Match) Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic, page 14-41 Layer 7 Command Inspection - FTP (First-Match) Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection, page 14-48 Layer 7 Deep Packet Inspection - HTTP (All-Match) Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection, page 14-51 Layer 7 Deep Packet Inspection - SIP (All-Match) Setting Policy Map Rules and Actions for Layer 7 SIP Deep Packet Inspection, page 14-68 Layer 7 Deep Packet Inspection - Skinny Setting Policy Map Rules and Actions for Layer 7 Skinny Deep Packet Inspection, page 14-71 Layer 7 HTTP Optimization (First-Match) Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization, page 14-57 Layer 7 Server Load Balancing (First-Match) Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic, page 14-61 Server Load Balancing - Generic (First-Match) Setting Policy Map Rules and Actions for Generic Server Load Balancing, page 14-35 Server Load Balancing - RADIUS (First-Match) Setting Policy Map Rules and Actions for RADIUS Server Load Balancing, page 14-73 Server Load Balancing - RDP (First-Match) Setting Policy Map Rules and Actions for RDP Server Load Balancing, page 14-75 Server Load Balancing - RTSP (First-Match) Setting Policy Map Rules and Actions for RTSP Server Load Balancing, page 14-76 Server Load Balancing - SIP (First-Match) Setting Policy Map Rules and Actions for SIP Server Load Balancing, page 14-79 14-35 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Setting Policy Map Rules and Actions for Generic Server Load Balancing You can configure the rules and actions for generic traffic received by the ACE. Assumptions This topic assumes the following: • A generic traffic policy map has been configured. • A class map has been defined for a class map rule if you do not want to use the class-default class map. Procedure Step 1 Choose Config > Devices > context > Expert > Policy Maps. The Policy Maps table appears. Step 2 In the Policy Maps table, choose the generic traffic policy map that you want to set rules and actions for. The Rule table appears. Step 3 In the Rule table, click Add to add a new rule, or choose the rule that you want to modify and click Edit. The Rule window appears. Step 4 In the Type field of the Rule window, configure rules using the information in Table 14-16. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Table 14-16 Generic Server Load Balancing Policy Map Rules Option Description Class Map Class map to use for this traffic policy. From the Use Class Map field, do one of the following: • To use the default class map, choose class-default. The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic. • To use a previously created class map, do the following: 1. Choose others. 2. In the Class Map Name field, choose the class map to use. 14-36 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Match Condition Match condition is used for this traffic policy. Match Condition Name Enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Match Condition Type Layer 4 Payload Layer 4 payload data that is used for the network matching criteria. Do the following: a. In the Layer 4 Payload RegexMatch Condition field, enter a Layer 4 payload expression that is contained within the TCP or UDP entity body. Valid entries are strings containing 1 to 255 alphanumeric characters. Table 14-33 lists the supported characters that you can use for matching string expressions. b. In the Layer 4 Payload Offset field, enter the absolute offset in the data where the Layer 4 payload expression search string starts. The offset starts at the first byte of the TCP or UDP body. Valid entries are from 0 to 999. Source Address Client source host IP address and subnet mask that are used for the network traffic matching criteria. Do the following: a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. b. In the Source IP v4/v6 Address field, enter the source IP address of the client in the format based on the address type (IPv4 or IPv6). c. Depending on the IP address type that you chose, do one of the following: – For IPv4, in the Source Netmask field, choose the subnet mask for the source IP address. – For IPv6, in the Source Prefix-length field, enter the prefix length for the address. Insert Before a. Indicate whether this rule is to precede another rule for this policy map: – N/A—This option is not configured. – False—This rule is not to precede another rule in this policy map. – True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears. b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede. Table 14-16 Generic Server Load Balancing Policy Map Rules (continued) Option Description 14-37 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 5 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes and the Action table appears. Continue with Step 6. • Click Cancel to exit this procedure without saving your entries and to return to the Rule table. Note If you chose the Insert Before option described in Table 14-16 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule: 1. Click the Rule tab to refresh the Rule table. 2. In the Rule table, choose the newly added rule. When the window refreshes, an empty action list appears. Step 6 In the Action table, click Add to add an entry or choose an existing entry to modify and click Edit. Step 7 In the Id field, accept the automatically incremented entry or assign a unique identifier for this action. Step 8 In the Action Type field, configure actions for this rule using the information in Table 14-17. Table 14-17 Generic Server Load Balancing Policy Map Actions Action Description Drop Field that instructs the ACE to discard packets that match this policy map. In the Action Log field, specify whether or not the dropped packets are to be logged in the software: • N/A—This option is not configured. • False—Dropped packets are not to be logged in the software. • True—Dropped packets are to be logged in the software. Forward Field that instructs the ACE to forward the traffic that matches this policy map to its destination. Reverse Sticky Feature that applies only to the ACE module version 3.0(0)A2(1.1), ACE appliance version A4(1.0), or later releases of either device type. Reverse IP stickiness is an enhancement to regular stickiness and is used mainly in FWLB. It ensures that multiple distinct connections that are opened by hosts at both ends (client and server) are load-balanced and stuck to the same firewall. Reverse stickiness applies to such protocols as FTP, RTSP, SIP, and so on where there are separate control channels and data channels opened by the client and the server, respectively. For complete details about reverse stickiness, see the Release Note for the Cisco Application Control Engine Module (Software Version 3.0(0)A2(X)). In the Sticky Group field, choose an existing IP netmask sticky group that you want to associate with reverse IP stickiness. 14-38 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 9 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Action table. • Click Next to deploy your entries and to configure another action. Related Topics • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 Server Farm Serverfarm that the ACE is to load balance client requests for content. Do the following: a. In the Server Farm field, choose the server farm for this policy map action. b. In the Backup Server Farm field, choose the backup server farm for this action. c. Check the Sticky Enabled check box to indicate that the backup server farm is sticky. Uncheck this check box if the backup server farm is not sticky. d. Check the Aggregate State Enabled check box to indicate that the operational state of the backup server farm is taken into consideration when evaluating the state of the load-balancing class in a policy map. Uncheck this check box to indicate that the operational state of the backup server farm is not taken into consideration when evaluating the state of the load-balancing class in a policy map. Server Farm-NAT Dynamic NAT that the ACE is to apply to traffic for this policy map. Do the following: a. In the NAT Pool ID field, enter the number of the pool of IP addresses that exist under the VLAN specified in the VLAN Id field. Valid entries are from 1 to 2147483647. For information about configuring NAT pools, see “Configuring Virtual Context BVI Interfaces” section on page 12-19. b. In the VLAN ID field, choose the VLAN to use for NAT. Valid entries are from 1 to 4094. c. In the Server Farm Type field, indicate whether the server farm is a backup or primary server farm. Set-IP-TOS IP Differentiated Services Code Point (DSCP) bit in the Type of Service (ToS) byte that the ACE is to set. After the IP DSCP bit is set, other Quality of Service (QoS) services can then operate on the bit settings. In the IP TOS Rewrite Value field, enter the IP DSCP value. Valid entries are from 0 to 255. Sticky Group Sticky group that you want to associate with reverse stickiness. Sticky Server Farm Sticky server farm that the ACE is to load balance client requests for content. In the Sticky Group field, choose the sticky server farm that is to be used for requests that match this policy map. Table 14-17 Generic Server Load Balancing Policy Map Actions (continued) Action Description 14-39 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps • Configuring Rules and Actions for Policy Maps, page 14-34 Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic You can configure the rules and actions for IP management traffic received by the ACE. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Assumptions This topic assumes the following: • A network management policy map has been configured. • A class map has been defined for a class map rule if you do not want to use the class-default class map. Procedure Step 1 Choose Config > Devices > context > Expert > Policy Maps. The Policy Maps table appears. Step 2 In the Policy Maps table, choose the Layer 3/Layer 4 management traffic policy map that you want to set rules and actions for. The Rule table appears. Step 3 In the Rule table, click Add to add a new rule, or choose the rule that you want to modify and click Edit. The Rule window appears. Step 4 In the Type field of the Rule window, confirm that classmap is selected. Step 5 In the Use Class Map field, do one of the following: • For an IPv4 default class map, choose the class-default radio button. • For an IPv6 default class map, choose the class-default-v6 radio button. • For a previously created class map, go to Step 6. Step 6 To use a previously created class map for this rule, do the following: a. In the Use Class Map field, choose the others radio button. b. In the Class Map Name field, choose the class map to be used. c. In the Insert Before field, specify whether this rule is to precede another rule in this policy map: – N/A—This option is not configured. – False—This rule is not to precede another rule in this policy map. – True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears d. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede. 14-40 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 7 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The Action table appears. To define actions for this rule, continue with Step 8. • Click Cancel to exit this procedure without saving your entries and to return to the Policy Maps table. • Click Next to deploy your entries and to configure another rule. Note If you chose the Insert Before option in Step 6 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule: 1. Click the Rule tab to refresh the Rule table. 2. In the Rule table, choose the newly added rule. When the window refreshes, an empty action list appears. Step 8 In the Action table, click Add to add an action or choose an existing action, and click Edit to modify it. The Action configuration window appears. Step 9 In the Id field of the Action configuration window, either accept the automatically incremented entry or assign a unique identifier for this action. Step 10 In the Action Type field, confirm that Management Permit is selected to indicate that this action permits or denies network management traffic. Step 11 In the Action field, specify the action that is to occur: • Deny—The ACE is to deny network management traffic when this rule is met. • Permit—The ACE is to accept network management traffic when this rule is met. Step 12 Do the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Action table. • Click Next to deploy your entries and to configure another action. Related Topics • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring Rules and Actions for Policy Maps, page 14-34 14-41 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic You can configure rules and actions for Layer 3/Layer 4 traffic other than network management traffic. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Assumptions This topic assumes the following: • You have configured a Layer 3/Layer 4 policy map. • A class map has been defined if you do not want to use the class-default class map. Procedure Step 1 Choose Config > Devices > context > Expert > Policy Maps. The Policy Maps table appears. Step 2 In the Policy Maps table, choose the Layer 3/Layer 4 network traffic policy map that you want to set rules and actions for. The Rule table appears. Step 3 In the Rule table, click Add to add a new rule, or choose the rule that you want to modify and click Edit. The Rule configuration window appears. Step 4 In the Type field of the Rule configuration window, confirm that Class Map is selected. Step 5 In the Use Class Map field, choose one of the following: • For an IPv4 default class map, choose the class-default radio button. • For an IPv6 default class map, choose the class-default-v6 radio button. • For a previously created class map, go to Step 6. Step 6 To use a previously created class map for this rule, do the following: a. In the Use Class Map field, choose the others radio button. b. In the Class Map Name field, choose the class map to be used. c. In the Insert Before field, choose one of the following to indicate whether this rule is to precede another rule in this policy map: – N/A—Indicates that this option is not configured. – False—Indicates that this rule is not to precede another rule in this policy map. – True—Indicates that this rule is to precede another rule in this policy map. If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede. 14-42 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 7 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes and the Action field appears. To configure actions for this rule, continue with Step 8. • Click Cancel to exit this procedure without saving your entries and to return to the Policy Maps table. • Click Next to deploy your entries and to configure another rule. Note If you chose the Insert Before option in Step 6 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule: 1. Click the Rule tab to refresh the Rule table. 2. In the Rule table, choose the newly added rule. When the window refreshes, an empty action list appears. Step 8 In the Action field, click Edit. The Action table appears. Step 9 In the Action table, click Add to add an action or choose an existing action and click Edit to modify it. The Action configuration window appears. Step 10 In the Id field, either accept the automatically incremented entry or assign a unique identifier for this action. Step 11 In the Action Type field, choose the type of action to be taken for this rule and configure the related attributes. See Table 14-18. Table 14-18 Layer 3/Layer 4 Network Traffic Policy Map Actions Action Description/Steps Appl-Parameter-DNS DNS parameter map that contains DNS-related actions that is to be implemented for this rule. In the Parameter Map field, specify the name of the DNS parameter map to use. Appl-Parameter-Generic Generic parameter map that is to be implemented for this rule. In the Parameter Map field, specify the name of the generic parameter map to use. Appl-Parameter-HTTP HTTP parameter map that contains HTTP-related actions that is to be implemented for this rule. In the Parameter Map field, specify the name of the HTTP parameter map to use. Appl-Parameter-RTSP RTSP parameter map that contains RTSP-related actions that is to be implemented for this rule. In the Parameter Map field, specify the name of the RTSP parameter map to use. Appl-Parameter-SIP SIP parameter map that contains SIP-related actions that is to be implemented for this rule. In the Parameter Map field, specify the name of the SIP parameter map to use. Appl-Parameter-Skinny Skinny parameter map that contains Skinny-related actions that is to be implemented for this rule. In the Parameter Map field, specify the name of the Skinny parameter map to use. Connection Connection parameter map that contains TCP/IP connection-related commands that pertain to normalization and termination that is to be implemented for this rule. In the Connection Parameter Maps field, choose the Connection parameter map that is to be used. 14-43 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps HTTP Optimize Option that appears for ACE appliances only. In the HTTP Optimization Policy field, choose the HTTP optimization policy map to use. Inspect Application inspection that is to be implemented for this rule. Do the following: a. In the Inspect Type field, choose the protocol that is to be inspected. b. Provide any protocol-specific information. Table 14-19 describes the available options for application inspection actions. KAL-ap-Primary-Out-of -Service Feature that is supported only for ACE module software Version A2(3.1), ACE appliance software Version A4(1.0), and later versions of either device type. This feature enables the ACE to notify a Global Site Selector (GSS) that the primary server farm is down when the backup server farm is in use. By default, when you configure a redirect server farm as a backup server farm on the ACE and the primary server farm fails, the backup server farm redirects client requests to another data center; however, the VIP remains in the INSERVICE state. When you configure the ACE to communicate with a GSS, it provides information for server availability. When a backup server is in use after the primary server farm is down, this feature enables the ACE to inform the GSS that the VIP for the primary server farm is out of service by returning a load value of 255. The GSS recognizes that the primary server farm is down and sends future DNS requests with the IP address of the other data center. KAL-AP-TAG Feature that is supported only for the ACE module software Version A2(2.0), ACE appliance software Version A4(1.0), and later versions for both device types. The KAL-AP-TAG feature allows the Cisco Global Site Selector (GSS) proprietary KAL-AP protocol to extract load and availability information from the ACE when a firewall is positioned between the GSS and the ACE. This feature allows you to configure a tag (name) per VIP for a maximum of 4096 tags on an ACE. This feature does not replace the tag per domain feature. For more information about this feature, see the Release Note for the Cisco Application Control Engine Module (Software Version A2(2.0)) or the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide (Software Version A2(3.0)), the Configuring Health Monitoring chapter. Note The KAL-AP-TAG selection is not available for the class-default class map. In the KAL-AP-Tag Name field, enter the name as an unquoted text string with no spaces and a maximum of 76 alphanumeric characters. The following scenarios are not supported and will result in an error: • You cannot configure a tag name for a VIP that already has a tag configuration as part of a different policy configuration. • You cannot associate the same tag name with more than one VIP. • You cannot associate the same tag name with a domain and a VIP. • You cannot assign two different tags to two different Layer 3 class maps that have the same VIP, but different port numbers. The KAL-AP protocol considers these class maps to have the same VIP and calculates the load for both Layer 3 rules together when the GSS queries the VIP. Table 14-18 Layer 3/Layer 4 Network Traffic Policy Map Actions (continued) Action Description/Steps 14-44 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps NAT Network address translation (NAT) that the ACE is to use for this rule. Do the following: a. In the NAT Mode field, choose the type of NAT to be used: – Dynamic NAT—NAT is to translate local addresses to a pool of global addresses. Continue with Step c. – Static NAT—NAT is to translate each local address to a fixed global address. Continue with Step b. b. If you chose Static NAT, do the following: 1. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. 2. In the Static Mapped Address field, enter the IP address to use for static NAT translation. This entry establishes the globally unique IP address of a host as it appears to the outside world. The policy map performs the global IP address translation for the source IP address specified in the ACL (as part of the class-map traffic classification). 3. Depending on the IP address type that you chose, do one of the following: - For IPv4, in the Static Mapped Netmask field, choose the subnet mask to apply to the static mapped address. - For IPv6, in the Static Mapped Prefix-length field, enter the prefix length for the static mapped address. 4. In the NAT Protocol field, choose the protocol to use for NAT. Choices are as follows: - N/A—This attribute is not set. - TCP—The ACE is to use TCP for NAT. - UDP—The ACE is to use UDP for NAT. 5. In the Static Port field, enter the TCP or UDP port to use for static port redirection. Valid entries are from 0 to 65535. 6. In the VLAN Id field, choose the VLAN to use for NAT. c. If you chose Dynamic NAT, do the following: 1. In the NAT Pool Id field, enter the number of the pool of IP addresses that exist under the VLAN specified in the VLAN Id field. Valid entries are from 1 to 2147483647. See the “Configuring Virtual Context BVI Interfaces” section on page 12-19. 2. In the VLAN Id field, choose the VLAN to use for NAT. Note For dynamic NAT, ACE allows you to associate a non-configured NAT pool ID to the dynamic NAT action. However, the ANM will not discover the dynamic NAT action when the NAT pool ID is not configured. You must associate the configured NAT pool ID to the dynamic NAT action for ANM discovery to complete successfully. Policymap Layer 7 server load-balancing policy map that the ACE is to associate with this Layer 3/Layer 4 policy map. In the Policy Map field, choose the Layer 7 policy map. Table 14-18 Layer 3/Layer 4 Network Traffic Policy Map Actions (continued) Action Description/Steps 14-45 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps SSL-Proxy SSL proxy server service that defines the SSL parameters that the ACE is to use during the handshake and subsequent SSL session. Do the following: a. In the SSL Proxy field, choose the SSL proxy server service to use in the handshake and subsequent SSL session when the ACE engages with an SSL client. b. In the SSL Proxy Type field, confirm that Server is selected to indicate that the ACE is to be configured so that it is recognized as an SSL server. UDP-Fast-Age Option that appears for ACE modules only. The ACE is to close the connection immediately after sending a response to the client, thereby enabling per-packet load balancing for UDP traffic. VIP-Advertise Option that appears for ACE modules release only. The ACE is to advertise the IP address of a virtual server as the host route. Do the following: a. In the Active field, check the checkbox if you want the ACE to advertises the IP address of the virtual server as the host route only if there is at least one active real server in the server farm. Note Uncheck the Active field check box if you want the ACE to always advertises the IP address of the virtual server whether there is any active real server associated with the VIP. b. If you check the Active field check box, in the Metric Distance field, enter the administrative distance to include in the routing table. Valid entries are from 1 to 254. VIP-ICMP-Reply VIP is to send an ICMP ECHO-REPLY response to ICMP requests. Do the following: a. In the Active field, check the checkbox to instruct the ACE to reply to an ICMP request only if the configured VIP is active. If the VIP is not active and the active option is specified, the ACE discards the ICMP request and the request times out. b. In the Primary Inservice field, check the checkbox to instruct the ACE to reply to an ICMP ping only if the primary server farm state is UP, regardless of the state of the backup server farm. If this option is enabled and the primary server farm state is DOWN, the ACE discards the ICMP request and the request times out. VIP-In-Service VIP is to be enabled for server load-balancing operations. Table 14-18 Layer 3/Layer 4 Network Traffic Policy Map Actions (continued) Action Description/Steps 14-46 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Table 14-19 Layer 3/Layer 4 Network Traffic Policy Map Application Inspection Options Option Description DNS Domain Name System (DNS) query inspection is to be implemented. DNS requires application inspection so that DNS queries will not be subject to the generic UDP handling based on activity timeouts. Instead, the UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received. The ACE performs the reassembly of DNS packets to verify that the packet length is less than the configured maximum length. In the DNS Max. Length field, enter the maximum length of a DNS reply in bytes. Default for all modules and ACE 4710 devices is 512. Valid range for ACE 1.0 modules is 64 to 65535, and for all other supported modules and ACE 4710 devices, 64 to 65535. FTP FTP inspection is to be implemented. The ACE inspects FTP packets, translates the address and port embedded in the payload, and opens up secondary channel for data. a. In the Parameter Map field, specify a previously created parameter map used to define parameters for FTP inspection. b. In the FTP Strict field, specify whether or not the ACE is to check for protocol RFC compliance and prevent Web browsers from sending embedded commands in FTP requests: – N/A—This attribute is not set. – False—The ACE is not to check for RFC compliance or prevent Web browsers from sending embedded commands in FTP requests. – True—The ACE is to check for RFC compliance and prevent Web browsers from sending embedded commands in FTP requests. c. If you chose True, in the FTP Inspect Policy field, choose the Layer 7 FTP command inspection policy to be implemented for this rule. HTTP Enhanced Hypertext Transfer Protocol (HTTP) inspection is to be performed on HTTP traffic. The inspection checks are based on configured parameters in an existing Layer 7 policy map and internal RFC compliance checks performed by the ACE. By default, the ACE allows all request methods. Do the following: a. In the HTTP Inspect Policy field, choose the HTTP inspection policy map to be implemented for this rule. If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer 4 protocol fixup actions and internal RFC compliance checks. b. In the URL Logging field, specify whether or not Layer 3 and Layer 4 traffic is to be monitored: – N/A—This attribute is not set. – False—Layer 3 and Layer 4 traffic is not to be monitored. – True—Layer 3 and Layer 4 traffic is to be monitored. When enabled, this function logs every URL request that is sent in the specified class of traffic, including the source or destination IP address and the URL that is accessed. 14-47 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps ICMP Internet Control Message Protocol (ICMP) payload inspection is to be performed. ICMP inspection allows ICMP traffic to have a “session” so that it can be inspected similarly to TCP and UDP traffic. In the ICMP Error field, specify whether or not the ACE is to perform name address translation on ICMP error messages: • N/A—This attribute is not set. • False—The ACE is not to perform NAT on ICMP error messages. • True—The ACE is to perform NAT on ICMP error messages. When enabled, the ACE creates translation sessions for intermediate or endpoint nodes that send ICMP error messages based on the NAT configuration. The ACE overwrites the packet with the translated IP addresses. ILS Internet Locator Service (ILS) protocol inspection is to be implemented. RTSP Real Time Streaming Protocol (RTSP) packet inspection is to be implemented. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. The ACE monitors Setup and Response (200 OK) messages in the control channel established using TCP port 554 (no UDP support). In the Parameter Map field, choose a previously defined parameter map used to define parameters for RTSP inspection. SIP SIP protocol inspection is to be implemented. SIP is used for call handling sessions and instant messaging. The ACE inspects signaling messages for media connection addresses, media ports, and embryonic connections. The ACE also uses NAT to translate IP addresses that are embedded in the user-data portion of the packet. Do the following: a. In the Parameter Map field, specify a previously created parameter map used to define parameters for SIP inspection. b. In the SIP Inspect Policy field, choose a previously created Layer 7 SIP inspection policy map to implement packet inspection of Layer 7 SIP application traffic. If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC compliance checks. Skinny Cisco Skinny Client Control Protocol (SCCP) protocol inspection is to be implemented. The SCCP is a Cisco proprietary protocol that is used between Cisco CallManager and Cisco VOiP phones. The ACE uses NAT to translate embedded IP addresses and port numbers in SCCP packet data. Do the following: a. In the Parameter Map field, specify a previously created connection parameter map used to define parameters for Skinny inspection. b. In the Skinny Inspect Policy field, choose a previously created Layer 7 Skinny inspection policy map to implement packet inspection of Layer 7 Skinny application traffic. If you do not specify a Layer 7 policy map, the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC compliance checks. Table 14-19 Layer 3/Layer 4 Network Traffic Policy Map Application Inspection Options (continued) Option Description 14-48 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 12 Do the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the Action table. • Click Next to deploy your entries and to configure another Action. Related Topics • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection You can add rules and actions for Layer 7 FTP command inspection policy maps. File Transfer Protocol (FTP) inspection inspects FTP sessions for address translation in a message, dynamic opening of ports, and stateful tracking of request and response messages. Each specified FTP command must be acknowledged before the ACE allows a new command. Command filtering allows you to restrict specific commands by the ACE. When the ACE denies a command, it closes the connection. The FTP command inspection process, as performed by the ACE: • Prepares a dynamic secondary data connection. The channels are allocated in response to a file upload, a file download, or a directory listing event and must be prenegotiated. The port is negotiated through the PORT or PASV commands. • Tracks the FTP command-response sequence. The ACE performs the command checks listed below. If you specify the FTP Strict field in a Layer 3 and Layer 4 policy map, the ACE tracks each FTP command and response sequence for the anomalous activity outlined below. The FTP Strict parameter is used in conjunction with a Layer 7 FTP policy map (nested within the Layer 3 and Layer 4 policy map) to deny certain FTP commands or to mask the server reply for SYST command. Note The use of the FTP Strict parameter may affect FTP clients that do not comply with the RFC standards. – Truncated command—Checks the number of commas in the PORT and PASV reply command against a fixed value of five. If the value is not five, the ACE assumes that the PORT command is truncated and issues a warning message and closes the TCP connection. – Incorrect command—Checks the FTP command to verify if it ends with characters, as required by RFC 959. If the FTP command does not end with those characters, the ACE closes the connection. – Size of RETR and STOR commands—Checked the size of the RETR and STOR commands against a fixed constant of 256. If the size is greater, the ACE logs an error message and closes the connection. – Command spoofing—Verifies that the PORT command is always sent from the client. If a PORT command is sent from the server, the ACE denies the TCP connection. 14-49 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps – Reply spoofing—Verifies that the PASV reply command (227) is always sent from the server. If a PASV reply command is sent from the client, the ACE denies the TCP connection. This denial prevents a security hole when the user executes “227 xxxxx a1, a2, a3, a4, p1, p2.” – Invalid port negotiation—Checks the negotiated dynamic port value to verify that it is greater than 1024 (port numbers in the range from 2 to 1024 are reserved for well-known connections). If the negotiated port falls in this range, the ACE closes the TCP connection. – Command pipelining—Checks the number of characters present after the port numbers in the PORT and PASV reply command against a constant value of 8. If the number of characters is greater than 8, the ACE closes the TCP connection. • Translates embedded IP addresses in conjunction with NAT. FTP command inspection translates the IP address within the application payload. Refer to RFC 959 for background details. Procedure Step 1 Choose Config > Devices > context > Expert > Policy Maps. The Policy Maps table appears. Step 2 In the Policy Maps table, choose the Layer 7 FTP command inspection policy map that you want to set rules and actions for. The Rule table appears. Step 3 In the Rule table, click Add to add a new rule, or choose an existing rule and click Edit to modify it. The Rule configuration window appears. Step 4 In the Type field of the Rule configuration window, configure rules using the information in Table 14-20. Table 14-20 Layer 7 FTP Command Inspection Policy Map Rules Option Description Class Map Class map to use for this traffic policy. Do the following: a. To use the class-default class map, check the Use Class Default check box. The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic. b. To use a previously created class map, do the following: 1. Clear the Use Class Default check box. 2. In the Class Map Name field, choose the class map to be used. 14-50 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 5 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes and the Action table appears. Continue with Step 6. • Click Cancel to exit this procedure without saving your entries and to return to the Policy Maps table. • Click Next to deploy your entries and to configure another rule. Note If you chose the Insert Before option described in Table 14-20 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule: 1. Click the Rule tab to refresh the Rule table. 2. In the Rule table, choose the newly added rule. When the window refreshes, an empty action list appears. Step 6 In the Action table, click Add to add an entry, or choose an existing entry and click Edit to modify it. The Action configuration window appears. Step 7 In the Id field of the Action configuration window, either accept the automatically incremented entry or assign a unique identifier for this action. Step 8 In the Action Type field, specify the action to be taken for this rule: • Deny—The ACE is to deny the specified FTP command when this rule is met. Match Condition Match condition to use for this traffic policy. Do the following: a. In the Match Condition Name field, enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. b. In the Match Condition Type field, confirm that Request Method Name is selected. c. In the Request Method Name field, choose the FTP command to be inspected for this rule. Table 14-8 describes the FTP commands that can be inspected. Insert Before Order of the rules in the policy map. Do the following: a. Specify whether or not this rule is to precede another rule for this policy map. Choices are as follows: – N/A—This option is not configured. – False—This rule is not to precede another rule in this policy map. – True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears. b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede. Table 14-20 Layer 7 FTP Command Inspection Policy Map Rules (continued) Option Description 14-51 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps • Mask Reply—The ACE is to mask the reply to the FTP syst command by filtering sensitive information from the command output. The action applies to the FTP syst command only. Step 9 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the Action table. • Click Next to deploy your entries and to configure another action for this rule. Related Topics • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection You can add rules and actions for Layer 7 HTTP deep packet inspection policy maps. The ACE performs a stateful deep packet inspection of the HTTP protocol. Deep packet inspection is a special case of application inspection where the ACE examines the application payload of a packet or a traffic stream and makes decisions based on the content of the data. During HTTP deep inspection, the main focus of the application inspection process is on HTTP attributes such as HTTP header, URL, and to a limited extent, the payload. User-defined regular expressions can also be used to detect “signatures” in the payload. You define policies to permit or deny the traffic, or to send a TCP reset message to the client or server to close the connection. The security features covered by HTTP application inspection include: • RFC compliance monitoring and RFC method filtering • Content, URL, and HTTP header length checks • Transfer-encoding methods • Content type verification and filtering • Port 80 misuse Procedure Step 1 Choose Config > Devices > context > Expert > Policy Maps. The Policy Maps table appears. Step 2 In the Policy Maps table, choose the Layer 7 deep packet inspection policy map that you want to set rules and actions for. The Rule table appears. Step 3 In the Rule table, click Add to add a new rule, or choose an existing rule and click Edit to modify it. The Rule configuration window appears. Step 4 In the Type field of the Rule configuration window, configure rules using the information in Table 14-21. 14-52 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Table 14-21 Layer 7 HTTP Deep Packet Inspection Policy Map Rules Option Description Class Map Class map to use for this traffic policy. From the Use Class Map field, do one of the following: • To use the default class map, choose class-default. The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic. • To use a previously created class map, do the following: 1. Choose others. 2. In the Class Map Name field, choose the class map to use. Match Condition Match condition to use for this traffic policy. Do the following: a. In the Match Condition Name field, enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. b. In the Match Condition Type field, choose the method by which match decisions are to be made and their corresponding conditions. See Table 14-22 for information about these selections. Insert Before Order of the rules in the policy map. Do the following: a. Specify whether or not this rule is to precede another rule for this policy map. Choices are as follows: – N/A—This option is not configured. – False—This rule is not to precede another rule in this policy map. – True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears. b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede. 14-53 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Table 14-22 Layer 7 HTTP Deep Packet Inspection Policy Map Match Conditions Match Condition Description Content Content contained within the HTTP entity-body that is used for protocol inspection decisions. Do the following: a. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters. b. In the Content Offset (Bytes) field, enter the number of bytes to be ignored starting with the first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are from 1 to 255 bytes. Content Length Content parse length in an HTTP message that is used for protocol inspection decisions. Do the following: a. In the Content Length Operator field, choose the operand to be used to compare content length: – Equal To—Content length must equal the number in the Content Length Value (Bytes) field. – Greater Than—Content length must be greater than the number in the Content Length Value (Bytes) field. – Less Than—Content length must be less than the number in the Content Length Value (Bytes) field. – Range—Content length must be within the range specified in the Content Length Lower Value (Bytes) field and the Content Length Higher Value (Bytes) field. b. Enter values to apply for content length comparison as follows: – If you chose Equal To, Greater Than, or Less Than in the Content Length Operator field, the Content Length Value (Bytes) field appears. In the Content Length Value (Bytes) field, enter the number of bytes for comparison. Valid entries are from 0 to 4294967295. – If you chose Range in the Content Length Operator field, the Content Length Lower Value (Bytes) and the Content Length Higher Value (Bytes) fields appear: 1. In the Content Length Lower Value (Bytes) field, enter the lowest number of bytes to be used for this match condition. Valid entries are from 0 to 4294967295. The number in this field must be less than the number entered in the Content Length Higher Value (Bytes) field. 2. In the Content Length Higher Value (Bytes) field, enter the highest number of bytes to be used for this match condition. Valid entries are from 1 to 4294967295. The number in this field must be greater than the number entered in the Content Length Lower Value (Bytes) field. Content Type Verification Match command that verifies the content MIME-type messages with the header MIME-type. This inline match command limits the MIME-types in HTTP messages allowed through the ACE. It verifies that the header MIME-type value is in the internal list of supported MIME-types and the header MIME-type matches the actual content in the data or entity body portion of the message. If they do not match, the ACE performs the specified Layer 7 policy map action. 14-54 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Header Name and value in an HTTP header that are used for protocol inspection decisions. Do the following: a. In the Header field, choose one of the predefined HTTP headers to be matched, or choose HTTP Header to specify a different HTTP header. b. If you chose HTTP Header, in the Header Name field, enter the name of the HTTP header to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. c. In the Header Value (Bytes) field, enter the header value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. To include spaces in the string, enclose the entire string in quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions. Header Length Length of the header in the HTTP message that is used for protocol inspection decisions. Do the following: a. In the Header Length Type field, specify whether or not HTTP header request or response messages are to be used for protocol inspection decisions: – Request—HTTP header request messages are to be checked for header length. – Response—HTTP header response messages are to be checked for header length. b. In the Header Length Operator field, choose the operand to be used to compare header length: – Equal To—The header length must equal the number in the Header Length Value (Bytes) field. – Greater Than—The header length must be greater than the number in the Header Length Value (Bytes) field. – Less Than—The header length must be less than the number in the Header Length Value (Bytes) field. – Range—The header length must be within the range specified in the Header Length Lower Value (Bytes) field and the Header Length Higher Value (Bytes) field. c. Enter values to apply for header length comparison as follows: – If you chose Equal To, Greater Than, or Less Than in the Header Length Operator field, the Header Length Value (Bytes) field appears. In the Header Length Value (Bytes) field, enter the number of bytes for comparison. Valid entries are from 0 to 255. – If you chose Range in the Header Length Operator field, the Header Length Lower Value (Bytes) and the Header Length Higher Value (Bytes) fields appear. Do the following: 1. In the Header Length Lower Value (Bytes) field, enter the lowest number of bytes to be used for this match condition. Valid entries are from 0 to 255. The number in this field must be less than the number entered in the Header Length Higher Value (Bytes) field. 2. In the Header Length Higher Value (Bytes) field, enter the highest number of bytes to be used for this match condition. Valid entries are from 1 to 255. The number in this field must be greater than the number entered in the Header Length Lower Value (Bytes) field. Table 14-22 Layer 7 HTTP Deep Packet Inspection Policy Map Match Conditions (continued) Match Condition Description 14-55 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Header MIME Type Multipurpose Internet Mail Extension (MIME) message types that are used for protocol inspection decisions. In the Header MIME Type field, choose the MIME message type to be used for this match condition. Port Misuse Misuse of port 80 (or any other port running HTTP) that is used for protocol inspection decisions. In the Port Misuse field, choose the application category to be used for this match condition: • IM—Instant messaging applications are to be used for this match condition. • P2P—Peer-to-peer applications are to be used for this match condition. • Tunneling—Tunneling applications are to be used for this match condition. Request Method Request method that is used for protocol inspection decisions. By default, ACEs allow all request and extension methods. This option allows you to configure class maps that define protocol inspection decisions based on compliance to request methods defined in RFC 2616 and by HTTP extension methods. a. In the Request Method Type field, choose the type of compliance to be used for protocol inspection decision: – Ext—An HTTP extension method is to be used for protocol inspection decisions. Note The list of available HTTP extension methods from which to choose varies depending on the version of software installed in the ACE. – RFC—A request method defined in RFC 2616 is to be used for protocol inspection decisions. b. In the Request Method field, choose the specific request method to be used. Strict HTTP Internal compliance checks that are performed to verify that a message is compliant with the HTTP RFC standard, RFC 2616. If the HTTP message is not compliant, the ACE performs the specified Layer 7 policy map action. Transfer Encoding HTTP transfer-encoding type that is used for protocol inspection decisions. The transfer-encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body to safely transfer it between the sender and the recipient. In the Transfer Encoding field, choose the type of encoding that is to be checked: • Chunked—Message body is transferred as a series of chunks. • Compress—Encoding format that is produced by the UNIX file compression program compress. • Deflate—The .zlib format that is defined in RFC 1950 in combination with the DEFLATE compression mechanism described in RFC 1951. • Gzip—Encoding format that is produced by the file compression program GZIP (GNU zip) as described in RFC 1952. • Identity—Default (identity) encoding which does not require the use of transformation. Table 14-22 Layer 7 HTTP Deep Packet Inspection Policy Map Match Conditions (continued) Match Condition Description 14-56 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 5 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes and the Action table appears. To define actions for this rule, continue with Step 6. • Click Cancel to exit this procedure without saving your entries and to return to the Policy Maps table. • Click Next to deploy your entries and to configure another rule. URL URL names are used for protocol inspection decisions. In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. URL Length URL length that is used for protocol inspection decisions. Do the following: a. In the URL Length Operator field, choose the operand to be used to compare URL length: – Equal To—URL length must equal the number in the URL Length Value (Bytes) field. – Greater Than—URL length must be greater than the number in the URL Length Value (Bytes) field. – Less Than—URL length must be less than the number in the URL Length Value (Bytes) field. – Range—URL length must be within the range specified in the URL Length Lower Value (Bytes) field and the URL Length Higher Value (Bytes) field. b. Enter values to apply for URL length comparison as follows: – If you chose Equal To, Greater Than, or Less Than in the URL Length Operator field, the URL Length Value (Bytes) field appears. In the URL Length Value (Bytes) field, enter the value for comparison. Valid entries are from 1 to 65535 bytes. – If you chose Range in the URL Length Operator field, the URL Length Lower Value (Bytes) and the URL Length Higher Value (Bytes) fields appear. Do the following: 1. In the URL Length Lower Value (Bytes) field, enter the lowest number of bytes to be used for this match condition. Valid entries are from 1 to 65535. The number in this field must be less than the number entered in the URL Length Higher Value (Bytes) field. 2. In the URL Length Higher Value (Bytes) field, enter the highest number of bytes to be used for this match condition. Valid entries are from 1 to 65535. The number in this field must be greater than the number entered in the URL Length Lower Value (Bytes) field. Table 14-22 Layer 7 HTTP Deep Packet Inspection Policy Map Match Conditions (continued) Match Condition Description 14-57 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Note If you chose the Insert Before option described in Table 14-21 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule: 1. Click the Rule tab to refresh the Rule table. 2. In the Rule table, choose the newly added rule. When the window refreshes, an empty action list appears. Step 6 In the Action table, click Add to add a new action, or choose an existing action and click Edit to modify it. The Action configuration window appears. Step 7 In the Id field of the Action configuration window, either accept the automatically incremented entry or assign a unique identifier for this action. Step 8 In the Action Type field, choose the action to be taken for this rule: • Permit—The HTTP traffic is to be allowed if it meets the match criteria. • Reset—The HTTP traffic is to be denied if it meets the match criteria. A TCP reset message is sent to the client or server to close the connection. Step 9 In the Action Log field, specify whether or not the action taken is to be logged: • N/A—This option is not configured. • False—Dropped packets are not to be logged in the software. • True—Dropped packets are to be logged in the software. Step 10 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the Action table. • Click Next to configure another action for this policy map and rule. Related Topics • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring Rules and Actions for Policy Maps, page 14-34 Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization Note HTTP optimization policy maps are available for ACE appliances only. You can add rules and actions for Layer 7 HTTP optimization policy maps. 14-58 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Assumptions This topic assumes the following: • An action list has been configured. See Configuring an HTTP Optimization Action List, page 15-3 for more information. • A class map has been defined if you are not using the class-default class map. See Configuring Virtual Context Class Maps, page 14-6 for more information. Procedure Step 1 Choose Config > Devices > context > Expert > Policy Maps. The Policy Maps table appears. Step 2 In the Policy Maps table, choose the Layer 7 HTTP optimization policy map that you want to set rules and actions for. The Rule table appears. Step 3 In the Rule table, click Add to add a new rule, or choose an existing rule and click Edit to modify it. The Rule configuration window appears. Step 4 In the Type field of the Rule configuration window, configure rules using the information in Table 14-23. Table 14-23 Layer 7 HTTP Optimization Policy Map Rules Option Description Class Map Class map to use for this traffic policy. From the Use Class Map field, do one of the following: • To use the default class map, choose class-default. The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic. • To use a previously created class map, do the following: 1. Choose others. 2. In the Class Map Name field, choose the class map to use. 14-59 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Match Condition Match condition to use for this traffic policy. Do the following: a. In the Match Condition Name field, enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. b. In the Match Condition Type field, choose the method by which match decisions are to be made and their corresponding conditions. See Table 14-24 for information about these selections. Insert Before Order of the rules in the policy map. Do the following: a. Specify whether or not this rule is to precede another rule for this policy map: – N/A—This option is not configured. – False—This rule is not to precede another rule in this policy map. – True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears. b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede. Table 14-23 Layer 7 HTTP Optimization Policy Map Rules (continued) Option Description 14-60 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 5 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes and the Action table appears. To define actions for this rule, continue with Step 6. • Click Cancel to exit this procedure without saving your entries and to return to the Rule table. • Click Next to deploy your entries and to configure another rule. Table 14-24 Layer 7 HTTP Optimization Policy Map Match Conditions Match Condition Procedure Cookie HTTP cookie that is to be used to establish a match condition. Do the following: a. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. b. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. c. In the Secondary Cookie field, check the checkbox to specify that the ACE is to use either the cookie name or the cookie value to satisfy this match condition. Uncheck this check box to indicate that the ACE is to use either the cookie name or the cookie value to satisfy this match condition. Header HTTP header that is to be used to establish a match condition. Do the following: a. In the Header field, choose one of the predefined HTTP headers to be matched, or choose HTTP Header to specify a different HTTP header. b. If you chose HTTP Header, in the Header Name field, enter the name of the HTTP header to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. c. In the Header Value (Bytes) field, enter the header value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. To include spaces in the string, enclose the entire string in quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions. HTTP URL Portion of an HTTP URL that is to be used to establish a match condition. Do the following: a. In the URL Expression field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. b. In the Method Expression field, enter the HTTP method to match. Valid entries are method names entered as unquoted text strings with no spaces and a maximum of 15 alphanumeric characters. You can enter either one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, CORVETTE). 14-61 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Note If you chose the Insert Before option described in Table 14-23 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule: 1. Click the Rule tab to refresh the Rule table. 2. In the Rule table, choose the newly added rule. When the window refreshes, an empty action list appears. Step 6 In the Action table, click Add to add a new action, or choose an existing action and click Edit to modify it. The Action configuration window appears. Step 7 In the Id field of the Action configuration window, either accept the automatically incremented entry or assign a unique identifier for this action. Step 8 In the Action Type field, confirm that Action List is selected. Step 9 In the Action List field, choose the action list to apply to this policy map and rule. Step 10 In the Optimization Parameter Map field, choose the optimization parameter map to apply to this policy map and rule. Step 11 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries and to return to the Action table. • Click Next to deploy your entries and to configure another action for this rule. Related Topics • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring Rules and Actions for Policy Maps, page 14-34 Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic You can set rules and actions for Layer 7 server load-balancing policy maps. Assumptions This topic assumes the following: • You have configured a load-balancing policy map and want to establish the corresponding rules and actions. • If you want to configure an SSL proxy action, you have configured SSL proxy service for this context. 14-62 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps • If you want to insert, rewrite, and delete HTTP headers, ensure that an HTTP header modify action list has been configured (see the “Configuring an HTTP Header Modify Action List” section on page 14-85). Procedure Step 1 Choose Config > Devices > context > Expert > Policy Maps. The Policy Maps table appears. Step 2 In the Policy Maps table, choose the load-balancing policy map you want to set rules and actions for. The Rule table appears. Step 3 In the Rule table, click Add to add a new rule, or choose an existing rule and Edit to modify it. The Rule configuration window appears. Step 4 From the Type field, choose one of the following rule types to use: • Class Map—Indicates that the ACE appliance is to use an existing class map that identifies the rules and corresponding actions. If you choose this rule type, go to Step 5. • Match Condition—Indicates that the ACE appliance is to use a set of conditions to identify the rules and corresponding actions. If you choose this rule type, go to Step 6. Step 5 If you chose Class Map rule type, from the Use Class Map field, either choose class-default to use the default class map or specify a previously created class map as follows: a. From the Use Class Map field, choose others. The Class Map field appears. b. From the Class Map field, choose the class map to use. c. In the Insert Before field, indicate whether this rule is to precede another rule in this policy map by choosing on of the following options: – N/A—Indicates that this option is not configured. – False—Indicates that this rule is not to precede another rule in this policy map. – True—Indicates that this rule is to precede another rule in this policy map. d. If you chose True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede. Step 6 If you chose the Match Conditions rule type, do the following: a. In the Match Condition Name field enter a name for the match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. b. In the Match Condition Type field, select the method by which match decisions are to be made and their corresponding conditions. See Table 14-25 for information about these selections. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. 14-63 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Table 14-25 Layer 7 Server Load Balancing Policy Map Match Conditions Match Condition Description HTTP Content Option that appears for ACE modules only. Specific content contained within the HTTP entity-body is used to establish a match condition. Do the following: a. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters. b. In the Content Offset (Bytes) field, enter the number of bytes to be ignored starting with the first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are from 1 to 255. HTTP Cookie HTTP cookies are to be used for this match condition. Do the following: a. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. b. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching string expressions. Table 14-33 lists the supported characters that you can use for matching string expressions. HTTP Header HTTP header and a corresponding value are to be used for this match condition. Do the following: a. In the Header Name field, specify the header to match in one of the following ways: – To specify an HTTP header that is not one of the standard HTTP headers, choose the first radio button, then enter the HTTP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. – To specify a standard HTTP header, click the second radio button, then choose an HTTP header from the list. b. In the Header Value (Bytes) field, enter the header-value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. To include spaces, enclose the entire string in quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions. 14-64 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 7 For specific class maps and match conditions, in the Insert Before field, indicate whether this rule is to precede another defined policy rule by choosing one of the following: • N/A—Indicates that this option is not applicable. • False—Indicates that this rule is not to precede another defined policy rule. • True—Indicates that this rule is to precede another policy rule. If you select True, in the Insert Before Policy Rule field, select the policy rule that this rule is to precede. Step 8 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes and the Action table appears. To define the actions for this rule, continue with Step 9. • Click Cancel to exit this procedure without saving your entries and to return to the Rule table. • Click Next to deploy your entries and to configure another rule. HTTP URL Rule that performs regular expression matching against the received packet data from a particular connection based on the HTTP URL string. Do the following: a. In the URL Expression field, enter a URL, or portion of a URL, to match. Valid entries are URL strings from 1 to 255 alphanumeric characters. Include only the portion of the URL following www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The ACE supports regular expressions for matching URL strings. See Table 14-33 for a list of the supported characters that you can use in regular expressions. b. In the Method Expression field, enter the HTTP method to match. Valid entries are unquoted text strings with no spaces and a maximum of 15 alphanumeric characters. The method can either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, CORVETTE). Source Address Client source IP address that is used to establish match conditions. Do the following: a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. b. In the Source IP v4/v6 Address field, enter the source IP address of the client in the format based on the address type (IPv4 or IPv6). c. Depending on the IP address type that you chose, do one of the following: – For IPv4, from the Source Netmask field, choose the subnet mask of the IP address. – For IPv6, from the Source Prefix-length field, enter the prefix length for the address. Table 14-25 Layer 7 Server Load Balancing Policy Map Match Conditions (continued) Match Condition Description 14-65 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Note If you chose the Insert Before option described in Step 7 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule: 1. Click the Rule tab to refresh the Rule table. 2. In the Rule table, choose the newly added rule. When the window refreshes, an empty action list appears. Step 9 In the Action table, click Add to add a new action, or choose an existing action and click Edit to modify it. Step 10 In the Id field, either accept the automatically incremented entry or assign a unique identifier for this action. Step 11 In the Action Type field, choose the action to be taken and configure any action-specific attributes as described in Table 14-26. Table 14-26 Layer 7 Server Load Balancing Policy Map Actions Action Description Action Action that the ACE is to implement for the rule. In the Action List field, choose an action list to associate with this rule. Compress Option that appears for ACE appliances (all versions) and ACE modules version A4(1.0) and later. The ACE is to compress packets that match this policy map. This option is available only when you associate an HTTP-type class map with a policy map. In the Compress Method field, specify the method that the ACE is to use to compress packets: • Deflate—Indicates that the ACE is to use the DEFLATE compression method when the client browser supports both the DEFLATE and GZIP compression methods. • Gzip—Indicates that ACE is to use the GZIP compression method when the client browser supports both the DEFLATE and GZIP compression methods. Drop Field that instructs the ACE to discard packets that match the rule. In the Action Log field, specify whether or not the dropped packets are to be logged in the software: • N/A—This option is not configured. • False—Dropped packets are not to be logged in the software. • True—Dropped packets are to be logged in the software. Forward Field that instructs the ACE to forward requests that match this policy map without load balancing the requests. 14-66 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Insert-HTTP Field that instructs the ACE to insert an HTTP header for Layer 7 load balancing for requests that match this policy map. This option allows the ACE to identify a client whose IP address has been translated using NAT by inserting a generic header and string value in the client HTTP request. Do the following: a. In the HTTP Header Name field, enter the name of the generic field in the HTTP header. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. b. In the HTTP Header Value field, enter the value to be inserted into the HTTP header. Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. To include spaces, enclose the entire string in quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions. Reverse Sticky Feature that applies only to the ACE module version 3.0(0)A2(1.1), ACE appliance version A4(1.0), or later releases of either device type. Reverse IP stickiness is an enhancement to regular stickiness and is used mainly in firewall load balancing (FWLB). It ensures that multiple distinct connections that are opened by hosts at both ends (client and server) are load-balanced and stuck to the same firewall. Reverse stickiness applies to such protocols as FTP, RTSP, SIP, and so on where there are separate control channels and data channels opened by the client and the server, respectively. For complete details about reverse stickiness, see the Release Note for the Cisco Application Control Engine Module (Software Version 3.0(0)A2(X)). In the Sticky Group field, choose the name of a an existing IP netmask sticky group that you want to associate with reverse IP stickiness. Server Farm Field that instructs the ACE to load balance client requests for content to a server farm. Do the following: a. In the Server Farm field, choose the server farm to which requests for content are to be sent. b. In the Backup Server Farm field, choose the backup server farm to which requests for content are to be sent. Choose N/A to indicate that no backup server farm is to be used. c. Choose the Sticky Enabled check box to indicate that the sticky group associated with this policy and applied to the primary server farm is applied to the backup server farm. Clear the Sticky Enabled check box to indicate that the sticky group associated with this policy and applied to the primary server farm in that policy is not applied to the backup server farm. d. Choose the Aggregate State Enabled check box to indicate that the operational state of the backup server farm is taken into consideration when evaluating the state of the load-balancing class in a policy map. Clear this check box to indicate that the operational state of the backup server farm is not taken into consideration when evaluating the state of the load-balancing class in a policy map. Table 14-26 Layer 7 Server Load Balancing Policy Map Actions (continued) Action Description 14-67 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Server Farm-NAT Option that appears for ACE modules only. The ACE is to apply dynamic NAT to traffic for this policy map. Do the following: a. In the NAT Pool ID field, enter the number of the pool of IP addresses that exist under the VLAN specified in the VLAN Id field. Valid entries are from 1 to 2147483647. For information on configuring NAT pools, see Configuring Virtual Context BVI Interfaces, page 12-19. b. In the VLAN ID field, choose the VLAN to use for NAT. Valid entries are from 1 to 4094. c. In the Server Farm Type field, indicate whether the server farm is a backup or primary server farm. Set IP-TOS Set the IP Differentiated Services Code Point (DSCP) bit in the Type of Service (ToS) byte. After the IP DSCP bit is set, other Quality of Service (QoS) services can then operate on the bit settings. In the IP TOS Rewrite Value (Bytes) field, enter the IP DSCP value. Valid entries are from 0 to 255. SSL-Proxy SSL proxy client service that defines the SSL parameters that the ACE is to use during the handshake and subsequent SSL session. Do the following: a. In the SSL Proxy field, choose the SSL proxy service to be used for this action. b. In the SSL Proxy Type field, confirm that Client is selected to indicate that the ACE is to be configured so that it is recognized as an SSL client. Sticky-Server Farm Field that instructs the ACE to load balance requests that match this policy to a sticky server farm. In the Sticky Group field, choose the sticky server farm that is to be used for requests that match this policy map. Table 14-26 Layer 7 Server Load Balancing Policy Map Actions (continued) Action Description 14-68 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 12 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Action table. • Click Next to deploy your entries and to configure another action. Related Topics • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring Rules and Actions for Policy Maps, page 14-34 Setting Policy Map Rules and Actions for Layer 7 SIP Deep Packet Inspection You can configure the rules and actions for a SIP deep packet inspection policy map. Assumptions This topic assumes the following: • A SIP deep packet inspection policy map has been configured. • A class map has been defined for a class map rule if you do not want to use the class-default class map. Procedure Step 1 Choose Config > Devices > context > Expert > Policy Maps. The Policy Maps table appears. Step 2 In the Policy Maps table, choose the SIP deep packet inspection policy map that you want to set rules and actions for. The Rule table appears. Step 3 In the Rule table, click Add to add a new rule, or choose the rule that you want to modify and click Edit. The Rule window appears. Step 4 In the Type field of the Rule window, configure rules using the information in Table 14-27. 14-69 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 5 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes and the Action table appears. Continue with Step 6. • Click Cancel to exit this procedure without saving your entries and to return to the Rule table. • Click Next to deploy your entries and to add another rule. Table 14-27 Layer 7 SIP Deep Packet Inspection Policy Map Rules Option Description Class Map Class map to use for this traffic policy. From the Use Class Map field, do one of the following: • To use the default class map, choose class-default. The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic. • To use a previously created class map, do the following: 1. Choose others. 2. In the Class Map Name field, choose the class map to use. Match Condition Match condition to use for this traffic policy. Do the following: a. In the Match Condition field, enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. b. In the Match Condition Type field, choose the type of match condition to use for this policy map and configure any type-specific options using the information in Table 7-10. Insert Before Order of the rules in the policy map. Do the following: a. Specify whether or not this rule is to precede another rule for this policy map: – N/A—This option is not configured. – False—This rule is not to precede another rule in this policy map. – True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears. b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede. 14-70 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Note If you chose the Insert Before option described in Table 14-27 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule: 1. Click the Rule tab to refresh the Rule table. 2. In the Rule table, choose the newly added rule. When the window refreshes, an empty action list appears. Step 6 In the Action table, click Add to add an entry or choose an existing entry to modify and click Edit. Step 7 In the Id field, either accept the automatically incremented entry or assign a unique identifier for this action. Step 8 In the Action Type field, choose the action to be taken for this rule: • Drop—The SIP traffic is to be dropped if it meets the specified match criteria. • Permit—The SIP traffic is to be allowed if it meets the specified match criteria. • Reset—The SIP traffic is to be denied if it meets the specified match criteria. A TCP reset message is sent to the client or server to close the connection. Step 9 In the Action Log field, specify whether the action taken is to be logged: • N/A—This option is not configured. • False—Dropped packets are not to be logged in the software. • True—Dropped packets are to be logged in the software. Step 10 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Action table. • Click Next to deploy your entries and to configure another action. Related Topics • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring Rules and Actions for Policy Maps, page 14-34 14-71 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Setting Policy Map Rules and Actions for Layer 7 Skinny Deep Packet Inspection You can configure the rules and actions for a Skinny Client Control Protocol (SCCP) deep packet inspection policy map. Assumptions This topic assumes the following: • A Skinny deep packet inspection policy map has been configured. • A class map has been defined for a class map rule if you do not want to use the class-default class map. Procedure Step 1 Choose Config > Devices > context > Expert > Policy Maps. The Policy Maps table appears. Step 2 In the Policy Maps table, choose the Skinny deep packet inspection policy map that you want to set rules and actions for. The Rule table appears. Step 3 In the Rule table, click Add to add a new rule, or choose the rule you want to modify, then click Edit. The Rule window appears. Step 4 In the Type field of the Rule window, confirm that Match Condition is selected. Step 5 In the Match Condition Name field, enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Step 6 In the Match Condition Type field, confirm that Message ID is selected. Step 7 In the Message ID Operator field, specify whether of not the match criteria is for a single message identifier or for a range of message identifiers: • Equal To—A single message identifier is used for this match condition. In the Message ID Value field, enter the numerical identifier of a SCCP message. Valid entries are from 0 to 65535. • Range—A range of message identifiers is used for this match condition. Do the following: a. In the Message ID Low Range Value field, enter the lowest numerical identifier of a range of SCCP messages. Valid entries are from 0 to 65535. b. In the Message ID High Range Value field, enter the highest numerical identifier of a range of SCCP messages. Valid entries are integers from 0 to 65535, and the value in this field must equal or be greater than the value in the Message ID Low Range Value field. Step 8 In the Insert Before field, specify whether or not this rule is to precede another rule in this policy map: • N/A—This option is not configured. • False—This rule is not to precede another rule in this policy map. 14-72 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps • True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears. Step 9 If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede. Step 10 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes and the Action table appears. To define the actions for this rule, continue with Step 11. • Click Cancel to exit this procedure without saving your entries and to return to the Rule table. • Click Next to deploy your entries and to configure another rule. Note If you chose the Insert Before option in Step 8 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule: 1. Click the Rule tab to refresh the Rule table. 2. In the Rule table, choose the newly added rule. When the window refreshes, an empty action list appears. Step 11 In Action table, click Add to add a new action, or choose an existing action and click Edit to modify it. The Action configuration window appears. Step 12 In the ID field, accept the automatically incremented entry or assign a unique identifier for this action. Step 13 In the Action Type field, confirm that Reset is selected. Step 14 In the Action Log field, specify whether the action taken is to be logged: • N/A—This option is not configured. • False—Dropped packets are not to be logged in the software. • True—Dropped packets are to be logged in the software. Step 15 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Action table. • Click Next to deploy your entries and to configure another action. Related Topics • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring Rules and Actions for Policy Maps, page 14-34 14-73 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Setting Policy Map Rules and Actions for RADIUS Server Load Balancing You can configure the rules and actions for RADIUS traffic received by the ACE. Assumptions This topic assumes the following: • A RADIUS server load balancing traffic policy map has been configured. • A class map has been defined for a class map rule if you do not want to use the class-default class map. Procedure Step 1 Choose Config > Devices > context > Expert > Policy Maps. The Policy Maps table appears. Step 2 In the Policy Maps table, choose the RADIUS server load balancing policy map that you want to set rules and actions for. The Rule table appears. Step 3 In the Rule table, click Add to add a new rule, or choose the rule you want to modify and click Edit. The Rule window appears. Step 4 In the Type field of the Rule window, configure rules using the information in Table 14-28. Table 14-28 RADIUS Server Load Balancing Policy Map Rules Option Description Class Map Class map to use for this traffic policy. From the Use Class Map field, do one of the following: • To use the default class map, choose class-default. The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic. • To use a previously created class map, do the following: 1. Choose others. 2. In the Class Map Name field, choose the class map to use. 14-74 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 5 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes and the Action table appears. To enter actions for this rule, continue with Step 6. • Click Cancel to exit this procedure without saving your entries and to return to the Rule table. • Click Next to deploy your entries and to configure another rule. Note If you chose the Insert Before option described in Table 14-28 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule: 1. Click the Rule tab to refresh the Rule table. 2. In the Rule table, choose the newly added rule. When the window refreshes, an empty action list appears. Step 6 In the Action table, click Add to add an entry or choose an existing entry to modify and click Edit. Match Condition Match condition to use for this traffic policy. Do the following: a. In the Match Condition Name field, enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. b. In the Match Condition Type field, choose the type of match condition to use for this policy map: – Calling Station ID—A unique identifier of the calling station is used to establish a match condition. In the RADIUS Calling Station ID field, enter the calling station identifier to match. Valid entries are strings containing 1 to 64 alphanumeric characters. See Table 14-33 for a list of the supported characters that you can use for matching string expressions. – User Name—A username is used to establish a match condition. In the User Name field, enter the name to match. Valid entries are strings containing 1 to 64 alphanumeric characters. See Table 14-33 for a list of the supported characters that you can use for matching string expressions. Insert Before Order of the rules in the policy map. Do the following: a. Indicate whether this rule is to precede another rule for this policy map: – N/A—This option is not configured. – False—This rule is not to precede another rule in this policy map. – True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears. b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede. Table 14-28 RADIUS Server Load Balancing Policy Map Rules (continued) Option Description 14-75 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 7 In the Id field, accept the automatically incremented entry or assign a unique identifier for this action. Step 8 In the Action Type field, configure actions for this rule using the information in Table 14-17. Step 9 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Action table. • Click Next to deploy your entries and to configure another action. Related Topics • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring Rules and Actions for Policy Maps, page 14-34 Setting Policy Map Rules and Actions for RDP Server Load Balancing Use this procedure to configure the rules and actions for RDP traffic received by the ACE. Assumptions This topic assumes the following: • An RDP server load balancing traffic policy map has been configured. • A class map has been defined for a class map rule if you do not want to use the class-default class map. Procedure Step 1 Choose Config > Devices > context > Expert > Policy Maps. The Policy Maps table appears. Step 2 In the Policy Maps table, choose the RDP server load balancing policy map that you want to set rules and actions for. The Rule table appears. Step 3 In the Rule table, click Add to add a new rule. The Rule window appears. Step 4 In the Type field of the Rule window, confirm that Class Map is selected. Step 5 Check the Use Class Default check box. Note You can only use the default class map (Class Default) with an RDP server load balancing policy map. 14-76 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. The class-default class map has an implicit match any statement that enables it to match all traffic. Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes and the Action table appears. To enter actions for this rule, continue with Step 7. • Click Cancel to exit this procedure without saving your entries and to return to the Rule table. • Click Next to deploy your entries and to configure another rule. Step 7 In the Action table, click Add to add an entry, or choose an existing entry to modify and click Edit. Step 8 In the Id field, accept the automatically incremented entry or assign a unique identifier for this action. Step 9 In the Action Type field, configure actions for this rule using the information in Table 14-17. Step 10 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Action table. • Click Next to deploy your entries and to configure another action. Related Topics • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring Rules and Actions for Policy Maps, page 14-34 Setting Policy Map Rules and Actions for RTSP Server Load Balancing You can configure the rules and actions for RTSP traffic received by the ACE. Assumptions This topic assumes the following: • An RTSP server load balancing traffic policy map has been configured. • A class map has been defined for a class map rule if you do not want to use the class-default class map. Procedure Step 1 Choose Config > Devices > context > Expert > Policy Maps. The Policy Maps table appears. Step 2 In the Policy Maps table, choose the RTSP server load balancing policy map that you want to set rules and actions for. The Rule table appears. 14-77 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 3 In the Rule table, click Add to add a new rule, or choose the rule that you want to modify and click Edit. The Rule window appears. Step 4 In the Type field of the Rule window, configure rules using the information in Table 14-29. Table 14-29 RTSP Server Load Balancing Policy Map Rules Option Description Class Map Class map to use for this traffic policy. From the Use Class Map field, do one of the following: • To use the default class map, choose class-default. The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic. • To use a previously created class map, do the following: 1. Choose others. 2. In the Class Map Name field, choose the class map to use. Match Condition Match condition to use for this traffic policy. Do the following: a. In the Match Condition Name field, enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. b. In the Match Condition Type field, choose the type of match condition to use for this policy map and configure any type-specific options using the information in Table 14-30. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Insert Before Order of the rules in the policy map. Do the following: a. Indicate whether or not this rule is to precede another rule for this policy map by choosing one of the following options: – N/A—This option is not configured. – False—This rule is not to precede another rule in this policy map. – True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears. b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede. 14-78 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 5 In the Insert Before field, indicate whether or not this rule is to precede another rule for this policy map: • N/A—This option is not configured. • False—This rule is not to precede another rule in this policy map. Table 14-30 RTSP Policy Map Match Conditions Match Condition Description RTSP Header RTSP header information that is used for matching criteria. Do the following: a. In the Header Name field, specify the header to match in one of the following ways: – To specify an RTSP header that is not one of the standard RTSP headers, choose the first radio button, then enter the RTSP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. – To specify a standard RTSP header, click the second radio button, then choose an RTSP header from the list. b. In the Header Value (Bytes) field, enter the header value expression string to compare against the value in the specified field in the RTSP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. If the string includes spaces, enclose the string with quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions. RTSP URL URL or portion of a URL that is used for match criteria. Do the following: a. In the URL Expr field, enter a URL, or portion of a URL, to match. The ACE performs matching on whatever URL string appears after the RTSP method, regardless of whether the URL includes the host name. The ACE supports regular expressions for matching URL strings. See Table 14-33 for a list of the supported characters that you can use in regular expressions. b. In the Method Expr field, enter the RTSP method to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. The method can be either one of the standard RTSP method names (DESCRIBE, ANNOUNCE, GET_PARAMETER, OPTIONS, PAUSE, PLAY, RECORD, REDIRECT, SETUP, SET_PARAMETER, TEARDOWN) or a text string that must be matched exactly (for example, STINGRAY). Source Address Source IP address that is used for match criteria. Do the following: a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. b. In the Source Address field, enter the source IP address for this match condition in the format based on the address type (IPv4 or IPv6). c. Depending of the IP address type that you chose, do one of the following: – For IPv4, In the Source Netmask field, choose the subnet mask for the source IP address. – For IPv6, in the Source Prefix-length field, enter the prefix length for the address. 14-79 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps • True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede. Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes and the Action table appears. Continue with Step 7. • Click Cancel to exit this procedure without saving your entries and to return to the Rule table. • Click Next to deploy your entries and to add another rule. Note If you chose the Insert Before option in Table 14-30 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule: 1. Click the Rule tab to refresh the Rule table. 2. In the Rule table, choose the newly added rule. When the window refreshes, an empty action list appears. Step 7 In the Action table, click Add to add an entry, or choose an existing entry to modify and click Edit. Step 8 In the Id field, accept the automatically incremented entry or assign a unique identifier for this action. Step 9 In the Action Type field, configure actions for this rule using the information in Table 14-17. Step 10 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Action table. • Click Next to deploy your entries and to configure another action. Related Topics • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring Rules and Actions for Policy Maps, page 14-34 Setting Policy Map Rules and Actions for SIP Server Load Balancing You can configure the rules and actions for SIP traffic received by the ACE. Assumptions This topic assumes the following: 14-80 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps • A SIP server load balancing traffic policy map has been configured. • A class map has been defined for a class map rule if you do not want to use the class-default class map. Procedure Step 1 Choose Config > Devices > context > Expert > Policy Maps. The Policy Maps table appears. Step 2 In the Policy Maps table, choose the SIP server load balancing policy map that you want to set rules and actions for. The Rule table appears. Step 3 In the Rule table, click Add to add a new rule, or choose the rule that you want to modify and click Edit. The Rule window appears. Step 4 In the Type field of the Rule window, configure rules using the information in Table 14-31. Table 14-31 SIP Server Load Balancing Policy Map Rules Option Description Class Map Class map to use for this traffic policy. From the Use Class Map field, do one of the following: • To use the default class map, choose class-default. The class-default class map is a reserved, well-known class map created by the ACE. You cannot delete or modify this class. All traffic that fails to meet the other matching criteria in the named class map belongs to the default traffic class. If none of the specified classifications matches the traffic, then the ACE performs the action specified by the class-default class map. The class-default class map has an implicit match any statement that enables it to match all traffic. • To use a previously created class map, do the following: 1. Choose others. 2. In the Class Map Name field, choose the class map to use. 14-81 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Match Condition Match condition to use for this traffic policy. Do the following: a. In the Match Condition field, enter a name for this match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. b. In the Match Condition Type field, choose the type of match condition to use for this policy map and configure any type-specific options using the information in Table 14-32. Note Fields and information related to IPv6 require ACE module and ACE appliance software Version A5(1.0) or later. Insert Before Order of the rules in the policy map. Do the following: a. Indicate whether or not this rule is to precede another rule for this policy map. Choices are as follows: – N/A—This option is not configured. – False—This rule is not to precede another rule in this policy map. – True—This rule is to precede another rule in this policy map. The Insert Before Policy Rule field appears. b. If you chose True, in the Insert Before Policy Rule field, choose the rule that you want the current rule to precede. Table 14-31 SIP Server Load Balancing Policy Map Rules (continued) Option Description 14-82 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 5 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The window refreshes and the Action table appears so you can enter actions for this rule. Continue with Step 6. • Click Cancel to exit this procedure without saving your entries and to return to the Rule table. • Click Next to deploy your entries and to add another rule. Step 6 In the Action table, click Add to add an entry, or choose an existing entry to modify and click Edit. Step 7 In the Id field, accept the automatically incremented entry or assign a unique identifier for this action. Step 8 In the Action Type field, configure actions for this rule using the information in Table 14-17. Table 14-32 SIP Server Load Balancing Policy Map Match Conditions Match Condition Description SIP Header SIP header information that is used for matching criteria. Do the following: a. In the Header Name field, specify the header to match in one of the following ways: – To specify a SIP header that is not one of the standard SIP headers, choose the first radio button, then enter the SIP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. – To specify a standard SIP header, click the second radio button, then choose an SIP header from the list. b. In the Header Value (Bytes) field, enter the header value expression string to compare against the value in the specified field in the SIP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE supports regular expressions for matching. If the string includes spaces, enclose the string with quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions. Source Address Source IP address is used for match criteria. Do the following: a. In the IP Address Type field, choose either IPv4 or IPv6. This field appears only for ACE module and ACE appliance software Version A5(1.0) or later, which supports IPv4 and IPv6. b. In the Source Address field, enter the source IP address for this match condition in the format based on the address type (IPv4 or IPv6). c. Depending on the IP address type that you chose, do one of the following: – For IPv4, in the Source Netmask field, choose the subnet mask for the source IP address. – For IPv6, in the Source Prefix-length field, enter the prefix length for the address. 14-83 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Step 9 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit the procedure without saving your entries and to return to the Action table. • Click Next to deploy your entries and to configure another action. Note If you chose the Insert Before option in Table 14-31 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule: 1. Click the Rule tab to refresh the Rule table. 2. In the Rule table, choose the newly added rule. When the window refreshes, an empty action list appears. Related Topics • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring Rules and Actions for Policy Maps, page 14-34 14-84 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Rules and Actions for Policy Maps Special Characters for Matching String Expressions Table 14-33 identifies the special characters that can be used in matching string expressions. Related Topics • Configuring Traffic Policies, page 14-1 • Configuring Virtual Context Class Maps, page 14-6 • Configuring Virtual Context Policy Maps, page 14-32 • Configuring Rules and Actions for Policy Maps, page 14-34 Table 14-33 Special Characters for Matching String Expressions Convention Description . One of any character. .* Zero or more of any character. \. Period (escaped). \xhh Non-printable character. [charset] Match any single character from the range. [^charset] Do not match any character in the range. All other characters represent themselves. () Expression grouping. expr1 | expr2 OR of expressions. (expr)* 0 or more of expression. (expr)+ 1 or more of expression. .\a Alert (ASCII 7). .\b Backspace (ASCII 8). .\f Form-feed (ASCII 12). .\n New line (ASCII 10). .\r Carriage return (ASCII 13). .\t Tab (ASCII 9). .\v Vertical tab (ASCII 11). .\0 Null (ASCII 0). .\\ Backslash. .\x## Any ASCII character as specified in two-digit hexadecimal notation. 14-85 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Actions Lists Configuring Actions Lists An action list is a named group of actions that you associate with a Layer 7 policy map. The ACE supports the following types action lists: • An HTTP optimization action list groups a series of individual application acceleration and optimization operations that you want the ACE to perform. The HTTP optimization action list is associated with a Layer 7 HTTP optimization policy map (see the “Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization” section on page 14-57). • An HTTP header modify action list performs the following operations: – Groups a series of individual functions to insert, rewrite, or delete HTTP headers. – Configures the SSL URL rewrite function. – Inserts SSL session parameters, client certificate fields, and server certificate fields into the HTTP requests that the ACE receives over the connection. The HTTP header action list is associated with a Layer 7 server load-balancing policy map (see the “Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic” section on page 14-61). Table 14-34 lists the action lists that you can configure using the ACE. Configuring an HTTP Header Modify Action List An HTTP header modify action list groups a series of individual functions to insert, rewrite, or delete HTTP headers. It can also be used to configure the SSL URL rewrite function. This section includes the following topics: • Configuring HTTP Header Insertion, Deletion, and Rewrite, page 14-85 • Configuring SSL URL Rewrite, page 14-88 • Configuring SSL Header Insertion, page 14-89 Configuring HTTP Header Insertion, Deletion, and Rewrite You can configure an HTTP header modify action list that inserts, rewrites, or deletes HTTP headers. Procedure Step 1 Choose Config > Devices > context > Expert > HTTP Header Modify Action Lists. The HTTP Header Modify Action Lists table appears. Step 2 In the HTTP Header Modify Action Lists table, click Add to add a new action list, or choose an existing action list and click Edit to modify it. Table 14-34 Action Lists Action List Topic Optimization Action List Configuring an HTTP Optimization Action List, page 15-3 HTTP Header Modify Action List Configuring an HTTP Header Modify Action List, page 14-85 14-86 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Actions Lists Step 3 For a new action list, in the Action List Name field, enter a unique name for the action list. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters. Click Deploy Now when completed to save the configuration and display the editing tabs. Step 4 Click the Header Action tab. The Header Action table appears. Step 5 In the Header Action table, click Add to add a new entry to the table. The Header Action configuration window appears. Enter the required information as shown in Table 14-35. Table 14-35 Header Action Configuration Window Fields Header Action Field Description / Action Operator HTTP header modify action that the ACE is to take in an HTTP request from a client, a response from a server, or both. Choices are as follows: • Delete—Deletes an HTTP header in a request from a client, in a response from a server, or both. • Insert—Insert a header name and value in an HTTP request from a client, a response from a server, or both. When the ACE uses Network Address Translation (NAT) to translate the source IP address of a client to a VIP, servers need a way to identify that client for the TCP and IP return traffic. To identify a client whose source IP address has been translated using NAT, you can instruct the ACE to insert a generic header and string value of your choice in the client HTTP request. • Rewrite—Rewrite an HTTP header in request packets from a client, response packets from a server, or both. 14-87 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Actions Lists Direction HTTP header modify action that the ACE is to take with respect to the selected operator (Insert, Delete, or Rewrite). Choices are as follows: Insert: • Both—Specifies that the ACE insert an HTTP header in both HTTP request packets and response packets. • Request—Specifies that the ACE insert an HTTP header only in HTTP request packets from clients. • Response—Specifies that the ACE insert an HTTP header only in HTTP response packets from servers. Delete: • Both—Specifies that the ACE delete the header in both HTTP request packets and response packets. • Request—Specifies that the ACE delete the header only in HTTP request packets from clients. • Response—Specifies that the ACE delete the header only in HTTP response packets from servers. Rewrite: • Both—Specifies that the ACE rewrite an HTTP header string in both HTTP request packets and response packets. • Request—Specifies that the ACE rewrite an HTTP header string only in HTTP request packets from clients. • Response—Specifies that the ACE rewrite an HTTP header string only in HTTP response packets from servers. Header Name Identifier of an HTTP header. Enter an unquoted text string with a maximum of 255 alphanumeric characters. Header Value Value of the HTTP header that you want to insert or replace in request packets, response packets, or both. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters. You can also use the following dynamic replacement strings: • %is—Inserts the source IP address in the HTTP header • %id—Inserts the destination IP address in the HTTP header • %ps—Inserts the source port in the HTTP header • %pd—Inserts the destination port in the HTTP header The ACE supports regular expressions for matching. To include spaces in the string, enclose the entire string in quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions. Replace Pattern string that you want to substitute for the header value regular expression. For dynamic replacement of the first and second parenthesized expressions from the header value, use %1 and %2, respectively. Table 14-35 Header Action Configuration Window Fields (continued) Header Action Field Description / Action 14-88 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Actions Lists Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries. • Click Next to save your entries. Related Topics Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic, page 14-61, Table 14-26 Configuring SSL URL Rewrite You can configure an HTTP header modify action list that performs SSL URL rewrite. When a client sends encrypted traffic to the ACE in an SSL termination configuration, the ACE terminates the SSL traffic and then sends clear text to the server. Because the server is unaware of the encrypted traffic flowing between the client and the ACE, the server may return to the client a URL in the Location header of HTTP redirect responses (301: Moved Permanently or 302: Found) in the form http://www.cisco.com instead of https://www.cisco.com. In this case, the client makes a request to the unencrypted insecure URL, even though the original request was for a secure URL. Because the client connection changes to HTTP, the requested data may not be available from the server using a clear text connection. To solve this problem, the ACE provides SSLURL rewrite, which changes the redirect URL from http:// to https:// in the Location response header from the server before sending the response to the client. By using URL rewrite, you can avoid nonsecure HTTP redirects. All client connections to the web server will be SSL, ensuring the secure delivery of HTTPS content back to the client. The ACE uses regular expression matching to determine whether the URL needs rewriting. If a Location response header matches the specified regular expression, the ACE rewrites the URL. In addition, the ACE provides parameters to add or change the SSL and the clear port numbers. Procedure Step 1 Choose Config > Devices > context > Expert > HTTP Header Modify Action Lists. The HTTP Header Modify Action Lists table appears. Step 2 In the HTTP Header Modify Action Lists table, click Add to add a new action list, or choose an existing action list and click Edit to modify it. Step 3 For a new action list, in the Action List Name field enter a unique name for the action list. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters. Click Deploy Now when completed to save the configuration and display the editing tabs. Step 4 Click the SSL Action tab. The SSL Action table appears. Step 5 In the SSL Action table, click Add to add a new entry to the SSL Action table. The SSL Action configuration window appears. Enter the required information as shown in Table 14-36. 14-89 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Actions Lists Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries. • Click Next to save your entries. Related Topics • Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic, page 14-61, Table 14-26 Configuring SSL Header Insertion Note This option is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type. You can configure an HTTP header modify action list that performs SSL header insertion. When a client sends encrypted traffic to the ACE in an SSL termination configuration, the ACE terminates the SSL traffic and then sends clear text to the server, which is unaware of the encrypted traffic flowing between the client and the ACE. Using an action list associated with a Layer 7 HTTP load-balancing policy map, you can instruct the ACE to perform SSL HTTP header insertion. The ACE provides the server with the following SSL session information by inserting HTTP headers into the HTTP requests that it receives over the connection: Table 14-36 SSL Action Configuration Window Fields Header Action Field Description / Action URL Expression Field that specifies the rewriting of the URL in the Location response header based on a URL regular expression match. If the URL in the Location header matches the URL regular expression string that you specify, the ACE rewrites the URL from http:// to https:// and rewrites the port number. Enter an unquoted text string with no spaces and a maximum of 255 alphanumeric characters. Alternatively, you can enter a text string with spaces if you enclose the entire string in quotation marks (“). The location regex that you enter must be a pure URL (for example, www\.cisco\.com) with no port or path designations. To match a port, use the SSL Port and Clear Port parameters. If you need to match a path, use the HTTP header rewrite feature to rewrite the string. For information about the HTTP header rewrite feature, see the “Configuring HTTP Header Insertion, Deletion, and Rewrite” section on page 14-85. The ACE supports regular expressions for matching. To include spaces in the string, enclose the entire string in quotes. All headers in the header map must be matched. See Table 14-33 for a list of the supported characters that you can use in regular expressions. SSL Port SSL port number from which the ACE translates a clear port number before sending the server redirect response to the client. Enter a value from 1 to 65535. The default is 443. Clear Port Clear port number to which the ACE translates the SSL port number before sending a server redirect response to the client. Enter a value from 1 to 65535. The default is 80. 14-90 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Actions Lists • Session Parameters—SSL session parameters that the ACE and client negotiate during the SSL handshake. • Server Certificate Fields—Information regarding the SSL server certificate that resides on the ACE. • Client Certificate Fields—Information regarding the SSL client certificate that the ACE retrieves from the client when you configure the ACE to perform client authentication. Note To prevent HTTP header spoofing, the ACE deletes any incoming HTTP headers that match one of the headers that it is going to insert into the HTTP request. By default, the ACE inserts the SSL header information into the first HTTP request only that it receives over the connection. When the ACE and client need to renegotiate their connection, the ACE updates the HTTP header information that it send to the server to reflect the new session parameters. You can also instruct the ACE to insert the session information into every HTTP request that it receives over the connection by creating an HTTP parameter map with either the Header Modify Per-Request or HTTP Persistence Rebalance options enabled (see the “Configuring HTTP Parameter Maps” section on page 10-9). Note The maximum amount of data that the ACE can insert is 512 bytes. The ACE truncates the data if it exceeds this limit. Procedure Step 1 Choose Config > Devices > context > Expert > HTTP Header Modify Action Lists. The HTTP Header Modify Action Lists table appears. Step 2 In the HTTP Header Modify Action Lists table, do one of the following: • To add a new action list, click Add. In the Action List Name field, enter a unique name for the action list. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters. Click Deploy Now when completed to save the configuration and display the editing tabs. • To edit an existing action list, choose the action list and click Edit to display the editing tabs. Step 3 Click the SSL Header Insert tab. The SSL Header Insert table appears. Step 4 In the SSL Header Insert table, click Add to add a new entry to the SSL Header Insert table. The SSL Header Insert configuration window appears. Enter the required information as shown in Table 14-37. Table 14-37 SSL Action Configuration Window Fields Header Action Field Description / Action Request Type of SSL header information to insert into the HTTP request: • Client-Certificate—Information about the client certificate that the ACE retrieves from the client. • Server-Certificate—Information about the server certificate that resides on the ACE. • Session—Information about the session parameters that the ACE and client negotiated during the SSL handshake. 14-91 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Actions Lists Algorithm Field that appears only when the Request field is set to either Client-Certificate or Server-Certificate. Specify the following certificate field information to insert into the HTTP request: • Authority-Key-Id—X.509 authority key identifier. • Basic-Constraints—X.509 basic constraints. • Certificate-Version—X.509 certificate version. • Data-Signature-Algorithm—X.509 hashing and encryption method. • Fingerprint-SHA1—SHA1 hash of the certificate. • Issuer—X.509 certificate issuer's distinguished name. • Issuer-CN—X.509 certificate issuer's common name. • Not-After—Date after which the certificate is not valid. • Not-Before—Date before which the certificate is not valid. • Public-Key-Algorithm—Algorithm used for the public key. • RSA-Exponent—Public RSA exponent. • RSA-Modulus—RSA algorithm modulus. • RSA-Modulus-Size—Size of the RSA public key. • Serial-Number—Certificate serial number. • Signature—Certificate signature. • Signature-Algorithm—Certificate signature algorithm. • Subject—X.509 subject's distinguished name. • Subject-CN—X.509 subject's common name. • Subject-Key-Id—X.509 subject key identifier. For more information, see the Cisco Application Control Engine Module SSL Configuration Guide. Table 14-37 SSL Action Configuration Window Fields (continued) Header Action Field Description / Action 14-92 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Actions Lists CipherKey Field that appears only when the Request field is set to Session. Indicate the following session parameters to insert into the HTTP request: • Cipher-Key-Size—Symmetric cipher key size. • Cipher-Name—Symmetric cipher suite name. • Cipher-Use-Size—Symmetric cipher use size. • Id—SSL Session ID. The default is 0. • Protocol-Version—Version of SSL or TLS. • Step-Up—Use of SGC or StepUp cryptography to increase the level of security by using 128-bit encryption. • Verify-Result—SSL session verify result. Possible values are as follows: – ok—The SSL session is established. – certificate is not yet valid—The client certificate is not yet valid. – certificate is expired—The client certificate has expired. – bad key size—The client certificate has a bad key size. – invalid not before field—The client certificate notBefore field is in an unrecognized format. – invalid not after field—The client certificate notAfter field is in an unrecognized format. – certificate has unknown issuer—The client certificate issuer is unknown. – certificate has bad signature—The client certificate contains a bad signature. – certificate has bad leaf signature—The client certificate contains a bad leaf signature. – unable to decode issuer public key—The ACE is unable to decode the issuer public key. – unsupported certificate—The client certificate is not supported. – certificate revoked— The client certificate has been revoked. – internal error—An internal error exists. For more information, see the Cisco Application Control Engine Module SSL Configuration Guide. Value Field that appears only when the Request field is set to either Client-Certificate or Server-Certificate. Choose one of the following options: • N/A—Specifies that the selected algorithm or cipher key is inserted without adding a prefix to it or renaming it. • Prefix—Enables you to specify a prefix string to place before the specified certificate or session field name. For example, if you specify the prefix Acme-SSL for the SSL session field name Cipher-Name, then the field name becomes Acme-SSL-Session-Cipher-Name. • Rename—Enables you to specify a new name for the specified certificate or session field name. Prefix Field that appears only when the Value field is set to Prefix. Enter a quoted text string to place before the specified certificate or session field name. The maximum combined number of prefix string and field name characters that the ACE permits is 32. Rename Field that appears only when the Value field is set to Rename. Enter a new name to the specified certificate or session field name. The name must be an unquoted text string with no spaces. The maximum number of field name string characters that the ACE permits is 32. Table 14-37 SSL Action Configuration Window Fields (continued) Header Action Field Description / Action 14-93 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Actions Lists Step 5 Repeat Step 4 for each certificate field or session parameter that you want the ACE to insert. Step 6 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. • Click Cancel to exit this procedure without saving your entries. • Click Next to deploy your entries and to add another entry to the SSL Header Insert table. Related Topics Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic, page 14-61, Table 14-26 14-94 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 14 Configuring Traffic Policies Configuring Actions Lists CHAPTER 15-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 15 Configuring Application Acceleration and Optimization Date: 3/28/12 With application acceleration and optimization features on ACE appliances, you can configure application delivery and application acceleration options that increase productivity and efficiency. The application acceleration features optimize network performance and improve access to critical business information. This capability accelerates the performance of Web applications, including customer relationship management, portals, and online collaboration by up to 10 times. Note Application acceleration performance on the ACE appliance is 50 to 100 Mbps throughput. With typical page sizes and browser usage patterns, this equates to roughly 1,000 concurrent connections. Subsequent connections bypass the application acceleration engine. This limitation applies only to traffic that is explicitly configured to receive application acceleration processing (for example, FlashForward, Delta Optimization). Traffic that is not configured to receive application acceleration processing is not subject to these limitations. Also, because the ACE HTTP compression is implemented separately in hardware, it is not subject to these limitations. For example, if you have a mix of application-accelerated and non-application-accelerated traffic, the former is limited; the latter is not. If you have 50 Mbps of application-accelerated traffic, the ACE can still deliver up to 1.9 Gbps throughput for the non-application-accelerated traffic. Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This chapter includes the following sections: • Optimization Overview, page 15-2 • Optimization Traffic Policies and Typical Configuration Flow, page 15-2 • Configuring an HTTP Optimization Action List, page 15-3 • Configuring Optimization Parameter Maps, page 15-6 15-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 15 Configuring Application Acceleration and Optimization Optimization Overview • Configuring Traffic Policies for HTTP Optimization, page 15-6 • Enabling HTTP Optimization Using Virtual Servers, page 15-9 • Configuring Global Application Acceleration and Optimization, page 15-9 Optimization Overview The application acceleration functions of the ACE appliance apply several optimization technologies to accelerate application performance. This functionality enables enterprises to optimize network performance and improve access to critical business information. The ACE appliance provides the following application acceleration and optimization functionality: • Delta optimization eliminates redundant traffic on the network by computing and transmitting only the changes that occur in a Web page between successive downloads of the same page or similar pages. • FlashForward object acceleration technology eliminates network delays associated with embedded Web objects able to be cached. such as images, style sheets, and JavaScript files by placing the responsibility for validating object freshness on the ACE appliance, rather than on the client, making the client more efficient. • Just-in-time object acceleration enables acceleration of non-cacheable embedded objects, resulting in improved application response time by eliminating the need for clients to download these objects on each request. • Adaptive dynamic caching accelerates enterprise application performance and improves server system scalability by enabling the ACE appliance itself to fulfill requests for dynamic content, which offloads application servers and databases. Refer to Configuring Application Acceleration and Optimization, page 15-1 or the Cisco 4700 Series Application Control Engine Appliance Application Acceleration and Optimization Configuration Guide for more information about application acceleration and optimization. Related Topics • Optimization Traffic Policies and Typical Configuration Flow, page 15-2 • Configuring Traffic Policies for HTTP Optimization, page 15-6 • Configuring Global Application Acceleration and Optimization, page 15-9 Optimization Traffic Policies and Typical Configuration Flow To define the different optimization and application acceleration functions that you want the ACE appliance to perform, you must configure at least one each of the following: • HTTP optimization action list—This action list specifies the actions that the ACE is to perform for application acceleration and optimization. You can configure action lists when configuring a virtual server, or as a separate procedure. See: – Configuring Application Acceleration and Optimization, page 7-53 – Configuring an HTTP Optimization Action List, page 15-3 15-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 15 Configuring Application Acceleration and Optimization Configuring an HTTP Optimization Action List • Layer 7 server load-balancing class map—This class map identifies the Layer 7 server load-balancing match criteria to apply to incoming traffic, such as URL, HTTP cookie, HTTP header, or source IP address. See Configuring Virtual Context Policy Maps, page 14-32 • Layer 7 HTTP optimization policy map—This policy map applies the HTTP optimization action list and optionally an optimization parameter map to Layer 7 HTTP traffic. See Configuring Virtual Context Policy Maps, page 14-32. • Layer 3 and Layer 4 class map—By using match criteria, this class map identifies the network traffic that can pass through the ACE appliance. The match criteria includes the VIP address for the network traffic. The ACE appliance uses these Layer 3 and Layer 4 traffic classes to perform server load balancing. See Configuring Virtual Context Policy Maps, page 14-32. • Layer 3 and Layer 4 policy map—This policy map associates server load-balancing actions and HTTP optimization action lists with the VIP. See Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic, page 14-41 and Configuring Traffic Policies for HTTP Optimization, page 15-6. • Layer 7 server load-balancing policy map—This policy map specifies the server load-balancing actions that the ACE appliance is to perform. See Configuring Virtual Context Policy Maps, page 14-32. You can also configure: • Optimization parameter maps—Optimization parameter maps allow you to configure specific options for action list items. You can configure optimization parameter maps when configuring a virtual server or as a separate procedure. When you configure a parameter map with an action list for a class map, the ACE appliance validates the action list and parameter map configurations before deploying them. See: – Configuring Application Acceleration and Optimization, page 7-53 – Configuring Optimization Parameter Maps, page 10-12. • Global application acceleration and optimization options—The acceleration and optimization options allow you to apply specific acceleration and optimization features for logging and debugging on a global level on the ACE appliance. See Configuring Global Application Acceleration and Optimization, page 15-9. Related Topics • Configuring Traffic Policies for HTTP Optimization, page 15-6 • Optimization Overview, page 15-2 Configuring an HTTP Optimization Action List An HTTP optimization action list groups a series of individual application acceleration and optimization operations that you want the ACE to perform. Use this procedure to configure an HTTP optimization action list. Tip You can also configure action lists when configuring a virtual server. For more information, see “Configuring Application Acceleration and Optimization” section on page 7-53. 15-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 15 Configuring Application Acceleration and Optimization Configuring an HTTP Optimization Action List Procedure Step 1 Choose Config > Devices > context > Expert > Optimization Action List. The Action List table appears. Step 2 Click Add to add a new optimization action list, or choose an existing action list and click Edit to modify it. Step 3 Configure the optimization action list using the information in Table 15-1. Table 15-1 Action List Configuration Options Field Description Action List Name Unique name for the action list. Valid entries are unquoted text strings with a maximum of 64 alphanumeric characters. Enable Delta Check box that enables delta optimization for the specified URLs. Delta optimization dynamically updates client browser caches directly with content differences, or deltas, resulting in faster page downloads. Uncheck the check box to disable delta optimization for the specified URLs. Note The ACE restricts you from enabling delta optimization if you have previously specified either Cache Dynamic or Dynamic Dynamic Entity Tag. Enable AppScope Check box that enables AppScope performance monitoring for use with the ACE appliance. AppScope runs on the Management Console of the optional Cisco AVS 3180A Management Station and measures end-to-end application performance. Uncheck the check box to disable AppScope performance monitoring for use with the ACE appliance. Flash Forward Feature that reduces bandwidth usage and accelerates embedded object downloading by combining local object storage with dynamic renaming of embedded objects, thereby enforcing object freshness within the parent HTML page. Specify how the ACE appliance is to implement FlashForward: • N/A—Indicates that this feature is not enabled. • FlashForward—Indicates that FlashForward is to be enabled for the specified URLs and that embedded objects are to be transformed. • FlashForward Object—Indicates that FlashForward static caching is to be enabled for the objects that the corresponding URLs refer to, such as Cascading Style Sheets (CSS), JPEG, and GIF files. Cache Dynamic Check box that enables Adaptive Dynamic Caching for the specified URLs even if the expiration settings in the response indicate that the content is dynamic. The expiration of cache objects is controlled by the cache expiration settings based on time or server load. Uncheck the check box to disable this feature. Note The ACE restricts you from enabling Cache Dynamic if you have previously specified either Enable Delta or Dynamic Dynamic Entity Tag. 15-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 15 Configuring Application Acceleration and Optimization Configuring an HTTP Optimization Action List Step 4 Do one of the following: • Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The ACE appliance validates the action list configuration. • Click Cancel to exit this procedure without saving your entries. • Click Next to save your entries and to configure another action list. Related Topics • Optimization Traffic Policies and Typical Configuration Flow, page 15-2 • Configuring Optimization Parameter Maps, page 15-6 • Configuring Traffic Policies for HTTP Optimization, page 15-6 • Configuring Global Application Acceleration and Optimization, page 15-9 Cache Forward Check box that enables the cache forward feature for the corresponding URLs. Cache forward allows the ACE to serve the object from its cache (static or dynamic) even when the object has expired if the maximum cache TTL time period has not yet expired (set by specifying the Cache Time-To-Live Duration (%): field in an Optimization parameter map). At the same time, the ACE sends an asynchronous request to the origin server to refresh its cache of the object. Uncheck this check box to disable this feature. Dynamic Dynamic Entity Tag Check box that enables the acceleration of noncacheable embedded objects, which results in improved application response time. When enabled, this feature eliminates the need for users to download noncacheable objects on each request. Check the check box to indicate that the ACE appliance is to implement just-in-time object acceleration for noncacheable embedded objects. Uncheck this check box to disable this feature. Note The ACE restricts you from enabling Dynamic Dynamic Entity Tag if you have previously specified either Enable Delta or Cache Dynamic. Table 15-1 Action List Configuration Options Field Description 15-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 15 Configuring Application Acceleration and Optimization Configuring Optimization Parameter Maps Configuring Optimization Parameter Maps You can configure an Optimization parameter map for use with a Layer 3/Layer 4 policy map. Tip You can also configure optimization parameter maps when configuring a virtual server. For more information, see “Configuring Application Acceleration and Optimization” section on page 7-53. Procedure Step 1 Choose Config > Devices > context > Load Balancing > Parameter Maps > Optimization Parameter Maps. The Optimization Parameter Maps table appears. Step 2 Click Add to add a new parameter map, or choose an existing parameter map and click Edit to modify it. The Optimization Parameter Maps configuration window appears. Step 3 In the Parameter Name field, enter a unique name for this parameter map. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. Step 4 Configure optimization using the information in Table 10-6. Step 5 Do one of the following: • Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. The ACE validates the parameter map configuration and deploys it. This option appears for virtual contexts. • Click Cancel to exit this procedure without saving your entries and to return to the Parameter Map table. • Click Next to accept your entries and to add another parameter map. Related Topics • Optimization Traffic Policies and Typical Configuration Flow, page 15-2 • Configuring an HTTP Optimization Action List, page 15-3 • Configuring Traffic Policies for HTTP Optimization, page 15-6 • Configuring Global Application Acceleration and Optimization, page 15-9 Configuring Traffic Policies for HTTP Optimization Table 15-2 provides a high-level overview of the steps required to configure HTTP optimization on an ACE appliance. Note Table 15-2 includes only the significant steps in each task. For detailed information on configuring these items, select the links provided, click Help in the ANM GUI, or refer to Configuring Traffic Policies, page 14-1. 15-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 15 Configuring Application Acceleration and Optimization Configuring Traffic Policies for HTTP Optimization Assumption A virtual IP address has been configured for the context in which you configure HTTP optimization. Table 15-2 Configuring Traffic Policies for HTTP Optimization Task Procedure Step 1 Create a Layer 7 class map for server load balancing. a. Choose Config > Devices > context > Expert > Class Maps. b. Click Add to add a new class map. c. In the Class Map Type field, choose Layer 7 Server Load Balancing. d. In the Match Type field, choose the method the ACE appliance is to use to evaluate multiple match statements when multiple match conditions exist in the class map. e. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. f. Configure match conditions for this class map. For more information, see: • Configuring Virtual Context Class Maps, page 14-6 • Setting Match Conditions for Layer 7 Server Load Balancing Class Maps, page 14-14 Step 2 Create an HTTP optimization action list to specify the optimization actions that are to be performed. a. Choose Config > Devices > context > Expert > Action Lists. b. Click Add to add a new action list. c. Configure the action list using the information in Table 15-1. d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. For more information, see Configuring an HTTP Optimization Action List, page 15-3. Step 3 Create a Layer 7 HTTP optimization policy map and associate it with the server load-balancing class map in Step 1 and the action list configured in Step 2. a. Choose Config > Devices > context > Expert > Policy Maps. b. Click Add to add a new policy map. c. In the Type field, choose Layer 7 HTTP Optimization. d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. e. In the Rules table, add the server load-balancing class map created in Step 1. f. In the Action table, add the action list created in Step 2. For more information, see: • Configuring Virtual Context Policy Maps, page 14-32 • Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization, page 14-57 15-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 15 Configuring Application Acceleration and Optimization Configuring Traffic Policies for HTTP Optimization Step 4 Create a Layer 3/Layer 4 class map for server load balancing. a. Choose Config > Devices > context > Expert > Class Maps. b. Click Add to add a new class map. c. In the Class Map Type field, choose Layer 3/4 Network Traffic. d. In the Match Type field, choose the method the ACE appliance is to use to evaluate multiple match statements when multiple match conditions exist in the class map. e. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. f. Configure Virtual Address match conditions for this class map. For more information, see: • Configuring Virtual Context Class Maps, page 14-6 • Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps, page 14-9 Step 5 Create a Layer 7 policy map for server load balancing and associate it with the Layer 7 server load-balancing class map from Step 1. a. Choose Config > Devices > context > Expert > Policy Maps. b. Click Add to add a new policy map. c. In the Type field, choose Layer 7 Server Load Balancing. d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. e. Associate the Layer 7 server load-balancing class map configured in Step 1 with this policy map by adding it to the Rule table. For more information, see: • Configuring Virtual Context Policy Maps, page 14-32 • Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic, page 14-61 Step 6 Create a Layer 3/Layer 4 network traffic policy map and associate it with the: • Layer 3/Layer 4 server load-balancing class map configured in Step 4 • Layer 7 server load-balancing policy map configured in Step 5 • HTTP optimization policy map configured in Step 3 a. Choose Config > Devices > context > Expert > Policy Maps. b. Click Add to add a new policy map. c. In the Type field, choose Layer 3/4 Network Traffic. d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. e. In the Rule table, add the Layer 3/Layer 4 server load-balancing class map configured in Step 4. f. In the Action table, add the: – Layer 7 server load-balancing policy map created in Step 5 – HTTP optimization policy map created in Step 3 For more information, see: • Configuring Virtual Context Policy Maps, page 14-32 • Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic, page 14-41 Table 15-2 Configuring Traffic Policies for HTTP Optimization (continued) Task Procedure 15-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 15 Configuring Application Acceleration and Optimization Enabling HTTP Optimization Using Virtual Servers Related Topics • Optimization Traffic Policies and Typical Configuration Flow, page 15-2 • Configuring an HTTP Optimization Action List, page 15-3 • Optimization Overview, page 15-2 Enabling HTTP Optimization Using Virtual Servers You can configure HTTP optimization using virtual servers. Procedure Step 1 Create a virtual server by following the instructions in “Configuring Virtual Servers” section on page 7-2. Step 2 Configure HTTP optimization by following the instructions in “Configuring Application Acceleration and Optimization” section on page 7-53. Related Topics • Configuring Traffic Policies for HTTP Optimization, page 15-6 • Optimization Traffic Policies and Typical Configuration Flow, page 15-2 Configuring Global Application Acceleration and Optimization Note This functionality is available for Admin contexts only and only on ACE appliances. ANM allows you to configure global application acceleration and optimization options for logging and debugging as performed by the ACE appliance. Procedure Step 1 Choose Config > Virtual Contexts > admin_context > System > Application Acceleration And Optimization. The Application Acceleration And Optimization configuration window appears. Step 2 In the Debug Level field, enter the maximum level of system log messages to be sent to the syslog server, using the values in Table 6-5. The severity level that you specify indicates that you want syslog messages at that level and the more severe levels. For example, if you enter 3 for Error, syslog displays Error, Critical, Alert, and Emergency messages. Step 3 Check the AppScope Log check box to indicate that the ACE appliance is to upload optimization statistical log information to the optional AVS 3180A Management station. Clear the check box to indicate that the ACE appliance is not to upload this information. Step 4 Click Deploy Now to immediately deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files. 15-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 15 Configuring Application Acceleration and Optimization Configuring Global Application Acceleration and Optimization Related Topics • Optimization Overview, page 15-2 • Optimization Traffic Policies and Typical Configuration Flow, page 15-2 CHAPTER 16-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 16 Using Configuration Building Blocks Date: 3/28/12 Note Beginning with ANM software Version 5.1, the building block feature by default is hidden. If you have used the building block feature in the past and want to continuing using it after upgrading to ANM 5.1, you must enable it (see the “Enabling the Building Block Feature” section on page 16-5). Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. Building blocks allow authorized users to create and design reusable configuration attributes which can then be applied to virtual contexts. The ANM also allows you to extract the configuration of an existing virtual context and tag it as a building block. In many cases, the same configuration settings can be used in several virtual contexts (for example, it can offer the same service bundle to many customers). To avoid repeating virtual context configuration and testing each time you create a virtual context, you can create a building block of many configuration attributes that can be applied to virtual contexts as appropriate or as needed. With building blocks, you can also create a variety of configurations that address customers’ differing needs. The ability to customize configurations to customer needs also allows you to use network resources most efficiently. Benefits of configuration building blocks include: • You can establish baseline versions of working configurations. • Users can make real-time changes to configurations and roll back to a previously working configuration, if needed. • Building blocks can be extracted from proven, working configurations. • Building blocks can be placed under version control, with tagged versions that cannot be modified. 16-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 16 Using Configuration Building Blocks Table 16-1 lists the configuration options that are available for each building block type and provides links to related topics. For descriptive information about the menu options, see “Configuring Virtual Contexts” section on page 6-8. Table 16-1 Building Block Configuration Options Menu Option Building Block Type ACE 2.0 Related Topic ACE 4710 Appliance System Primary Attributes X X Configuring Building Block Primary Attributes, page 16-8 Syslog X X Configuring Virtual Context Syslog Settings, page 6-19 SNMP X X Configuring SNMP for Virtual Contexts, page 6-27 Global Policies X X Applying a Policy Map Globally to All VLAN Interfaces, page 6-35 Licenses Application Acceleration and Optimization Resource Classes Checkpoints Backup/Restore1 Load Balancing Virtual Servers Real Servers X X Configuring Real Servers, page 8-5 Server Farms X X Configuring Server Farms, page 8-30 Health Monitoring X X Configuring Health Monitoring for Real Servers, page 8-51 Stickiness X X Configuring Sticky Groups, page 9-7 HTTP Parameter Map X X Configuring HTTP Parameter Maps, page 10-9 Connection Parameter Maps X X Configuring Connection Parameter Maps, page 10-3 Optimization Parameter Maps X Configuring Optimization Parameter Maps, page 10-12 Generic Parameter Maps X X Configuring Generic Parameter Maps, page 10-8 RTSP Parameter Maps X X Configuring RTSP Parameter Maps, page 10-20 SIP Parameter Maps X X Configuring SIP Parameter Maps, page 10-21 Skinny Parameter Maps X X Configuring Skinny Parameter Maps, page 10-23 DNS Parameter Maps X X Secure KAL-AP X X Configuring Secure KAL-AP, page 8-77 SSL Setup Sequence Certificates Keys X X Using SSL Keys, page 11-10 16-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 16 Using Configuration Building Blocks Parameter Maps X X Configuring SSL Parameter Maps, page 11-18 Chain Group Parameters CSR Parameters X X Configuring SSL CSR Parameters, page 11-24 Proxy Service Auth Group Parameters X X Configuring SSL Authentication Groups, page 11-31 Certificate Revocation Lists (CSL) X X Configuring CRLs for Client Authentication, page 11-33 Security ACLs X X Creating ACLs, page 6-79 Object Groups X X Configuring Object Groups, page 6-89 Network Port Channel Gigabit Ethernet Interfaces VLAN Interfaces X X Configuring Virtual Context VLAN Interfaces, page 12-6 BVI Interfaces X X Configuring Virtual Context BVI Interfaces, page 12-19 NAT Pools2 X Configuring VLAN Interface NAT Pools, page 12-26 Static Routes X X Configuring Virtual Context Static Routes, page 12-28 Global IP DHCP X X Configuring Global IP DHCP, page 12-29 Static NAT Overwrite X Configuring Static VLANs for Over 8000 Static NAT Configurations, page 12-31 High Availability Setup HA Tracking and Failure Detection Interfaces Hosts HSRP Groups Role-Based Access Control Users X X Configuring Device RBAC Users, page 5-53 Roles X X Configuring Device RBAC Roles, page 5-56 Domains X X Configuring Device RBAC Domains, page 5-61 Expert Class Map X X Configuring Virtual Context Class Maps, page 14-6 Policy Map X X Configuring Virtual Context Policy Maps, page 14-32 HTTP Header Modify Action Lists X X Configuring an HTTP Header Modify Action List, page 14-85 Table 16-1 Building Block Configuration Options (continued) Menu Option Building Block Type ACE 2.0 Related Topic ACE 4710 Appliance 16-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 16 Using Configuration Building Blocks Information About Building Block Versions and Tagging This chapter includes the following sections: • Information About Building Block Versions and Tagging, page 16-4 • Enabling the Building Block Feature, page 16-5 • Creating Building Blocks, page 16-5 • Extracting Building Blocks from Virtual Contexts, page 16-6 • Configuring Building Blocks, page 16-7 • Tagging Building Blocks, page 16-9 • Applying Building Blocks, page 16-9 • Displaying Building Block Use, page 16-11 Information About Building Block Versions and Tagging The ANM maintains version history for the building blocks that you create, design, and tag. You can tag a working building block version at any point during design or configuration, and reuse any tagged version of a building block. A building block is not available for deployment until it has been tagged. When you tag a building block, the ANM publishes it with a version tag, such as 1.0 or 1.1. You cannot edit tagged versions of a building block. After a building block is tagged, it is “frozen” and can no longer be modified in any way. When you open a tagged building block for editing, the ANM does not modify the tagged version, but instead creates a new working copy of the building block for you to work in. Any changes you make to the working copy are not available for deployment until you tag the building block under a new version tag. Related Topics • Enabling the Building Block Feature, page 16-5 • Using Configuration Building Blocks, page 16-1 • Creating Building Blocks, page 16-5 • Extracting Building Blocks from Virtual Contexts, page 16-6 • Applying Building Blocks, page 16-9 • Tagging Building Blocks, page 16-9 • Displaying Building Block Use, page 16-11 Optimization Action Lists X Configuring an HTTP Optimization Action List, page 15-3 Building Block Audit 1. Backup/Restore is only supported for software version A2(3.0) and higher for the ACE module. 2. NAT pools as a selection under Network is only supported for software version A2(3.0) and higher for the ACE module. Table 16-1 Building Block Configuration Options (continued) Menu Option Building Block Type ACE 2.0 Related Topic ACE 4710 Appliance 16-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 16 Using Configuration Building Blocks Enabling the Building Block Feature Enabling the Building Block Feature Beginning with ANM software Version 5.1, the building block feature by default is hidden because it has been replaced with the application template feature introduced in the same release. The application template feature provides a more efficient and easier way of configuring ACE devices (see Chapter 4, “Using Application Template Definitions”). If you have used the building block feature in the past and want to continuing using it after upgrading to ANM 5.1, you must enable it. This procedure shows how to enable the building block feature on ANM server and ANM Virtual Appliance. Procedure Step 1 Enable the building block feature as follows: • ANM Server—Open the /opt/CSCOanm/etc/cs-config.properties file in a text editor and add the following line: web.buildingblocks.enable=true • ANM Virtual Appliance—Enter the following command: anm-property set web.buildingblocks.enable true Step 2 Restart ANM as follows: • ANM Server—Enter the following command: /opt/CSCOanm/bin/anm-tool restart • ANM Virtual Appliance—Enter the following command: anm-tool restart Step 3 From the ANM client devices, close all open ANM browser instances, clear the browser cache, and log in again. Failure to clear the browser cache after enabling the building block feature can result in the Extract Building Block function buttons not displaying. Creating Building Blocks Use this procedure to create a building block without using an existing configuration. To create a building block from an existing virtual context, see Extracting Building Blocks from Virtual Contexts, page 16-6. Procedure Step 1 Choose Config > Building Blocks. The All Building Blocks table appears. Step 2 In the All Building Blocks table, click Add. The New Building Block window appears. Step 3 In the Name field of the New Building Block window, enter a unique name for this building block. 16-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 16 Using Configuration Building Blocks Extracting Building Blocks from Virtual Contexts Step 4 In the Type field, choose the type of building block to create: • ACE v1.0—Use with virtual contexts on ACE modules using the specified software version. • ACE v2.0—Use with virtual contexts on ACE modules using the specified software version. • ACE v2.3—Use with virtual contexts on ACE modules using the specified software version. • ACE v4.1—Use with virtual contexts on ACE modules using the specified software version. • ACE v4.2—Use with virtual contexts on ACE modules using the specified software version. • ACE4710 V 1.0—Use with virtual contexts on ACE appliances using the specified software version. • ACE4710 V 2.0—Use with virtual contexts on ACE appliances using the specified software version. • ACE4710 V 4.1—Use with virtual contexts on ACE appliances using the specified software version. • ACE4710 V 4.2—Use with virtual contexts on ACE appliances using the specified software version. See Table 16-1 for a list of the available configuration options for each building block type. Step 5 In the Description field, enter a brief description for this building block. Step 6 Do one of the following: • Click Save to save your entries and to continue with building block configuration. The Primary Attributes configuration window appears. • Click Cancel to exit this procedure without saving your entries and to return to the All Building Blocks table. • Click Tag to save your entries and tag the building block. After you tag a building block, the window refreshes and provides fields for applying the building block. For more information, see Applying Building Blocks, page 16-9. Related Topics • Enabling the Building Block Feature, page 16-5 • Using Configuration Building Blocks, page 16-1 • Extracting Building Blocks from Virtual Contexts, page 16-6 • Information About Building Block Versions and Tagging, page 16-4 • Applying Building Blocks, page 16-9 • Tagging Building Blocks, page 16-9 • Displaying Building Block Use, page 16-11 Extracting Building Blocks from Virtual Contexts An alternative to creating a new configuration building block and configuring each attribute individually is to extract a configuration building block from an existing virtual context. By extracting a building block from a virtual context, you can reduce the time you spend configuring and testing the configuration. 16-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 16 Using Configuration Building Blocks Configuring Building Blocks Use this procedure to create a working building block from a virtual context configuration. Procedure Step 1 Choose Config > Devices. The device tree appears. Step 2 In the device tree, choose the ACE with the virtual context whose configuration you want to use as a building block. The Virtual Contexts table appears. Step 3 In the Virtual Contexts table, choose the context with the configuration that you want to extract, and click Extract Building Block. A popup window appears, asking for a building block name. Step 4 In the Name field of the popup window, enter a name for this building block, and click OK. The window refreshes with the Primary Attributes window for the newly created building block (Config > Global > building_block). Step 5 Modify the building block as desired using the information in Table 16-1, or tag and deploy it as described in “Tagging Building Blocks” section on page 16-9 and “Applying Building Blocks” section on page 16-9). Related Topics • Enabling the Building Block Feature, page 16-5 • Applying Building Blocks, page 16-9 • Tagging Building Blocks, page 16-9 • Displaying Building Block Use, page 16-11 Configuring Building Blocks You can modify a working version of a configuration building block. Note You can modify only working versions of building blocks; you cannot modify tagged versions of building blocks. If you select a tagged building block version, and then select a configuration option (such as Load Balancing > Health Monitoring), you can view the entries for that tagged version, but you cannot modify them. Procedure Step 1 Choose Config > Building Blocks. The All Building Blocks table appears. Step 2 Choose the working version of the building block that you want to modify, then choose the attributes that you want to configure. For information about building block configuration options, see Table 16-1. 16-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 16 Using Configuration Building Blocks Configuring Building Blocks Note While it is possible to configure VLAN and BVI interfaces in a building block, we recommend that you do not do so. Applying a building block with these attributes configured to a virtual context with different settings can disrupt network traffic. Step 3 To apply this building block, tag it, and deploy it as described in “Tagging Building Blocks” section on page 16-9 and “Applying Building Blocks” section on page 16-9. Related Topics • Enabling the Building Block Feature, page 16-5 • Using Configuration Building Blocks, page 16-1 • Information About Building Block Versions and Tagging, page 16-4 • Creating Building Blocks, page 16-5 • Extracting Building Blocks from Virtual Contexts, page 16-6 • Tagging Building Blocks, page 16-9 • Displaying Building Block Use, page 16-11 Configuring Building Block Primary Attributes Use this procedure to change the description of a configuration building block. Procedure Step 1 Choose Config > Building Blocks. The All Building Blocks table appears. Step 2 In the All Building Blocks table, choose the building block that you want to modify, and choose System > Primary Attributes. The Primary Attributes window appears. Step 3 In the Description field of the Primary Attributes window, modify the description as desired. Step 4 Do one of the following: • Click Save to save your entries. The window refreshes with the saved information. • Click Tag to tag the building block. To deploy the tagged building block, see “Applying Building Blocks” section on page 16-9. Related Topics • Enabling the Building Block Feature, page 16-5 • Creating Building Blocks, page 16-5 • Configuring Building Blocks, page 16-7 • Tagging Building Blocks, page 16-9 16-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 16 Using Configuration Building Blocks Tagging Building Blocks Tagging Building Blocks You can tag a working copy of a building block. After creating a building block, you must tag it before you can apply it to virtual contexts. Procedure Step 1 Choose Config > Building Blocks. The All Building Blocks table appears. Step 2 In the All Building Blocks table, choose the working copy of the building block that you want to tag, and click Tag. The All Building Blocks table refreshes with the newly tagged building block identified by its version, such as 1.2 or 1.3. A working copy of the building block remains available so that you can use it for future building block versions. To apply the tagged building block to virtual contexts on your network, see “Applying Building Blocks” section on page 16-9. Related Topics • Enabling the Building Block Feature, page 16-5 • Using Configuration Building Blocks, page 16-1 • Information About Building Block Versions and Tagging, page 16-4 • Creating Building Blocks, page 16-5 • Applying Building Blocks, page 16-9 • Extracting Building Blocks from Virtual Contexts, page 16-6 • Displaying Building Block Use, page 16-11 Applying Building Blocks You can apply building blocks in two ways: • By selecting a virtual context, then applying the building block. See “Applying a Building Block to a Single Virtual Context” section on page 16-10. • By selecting the tagged building block, then applying it to one or more virtual contexts. See “Applying a Building Block to Multiple Virtual Contexts” section on page 16-10. 16-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 16 Using Configuration Building Blocks Applying Building Blocks Applying a Building Block to a Single Virtual Context You can apply a tagged building block to a virtual context using virtual context configuration screens. Note Before applying a building block to a virtual context, confirm that the VLAN and BVI interfaces are defined correctly for the virtual context. If needed, remove VLAN and BVI interface configuration information from the building block and then apply it. Procedure Step 1 Choose Config > Devices > All Devices. The device tree appears. Step 2 Choose the virtual context that you want to apply a building block to, and choose System > Primary Attributes. The Primary Attributes window appears. Step 3 In the Tagged Building Block to Apply field, choose the building block you want to apply to the virtual context. Step 4 Click Deploy Now. Related Topics • Enabling the Building Block Feature, page 16-5 • Applying a Building Block to Multiple Virtual Contexts, page 16-10 • Using Configuration Building Blocks, page 16-1 • Information About Building Block Versions and Tagging, page 16-4 • Extracting Building Blocks from Virtual Contexts, page 16-6 • Tagging Building Blocks, page 16-9 Applying a Building Block to Multiple Virtual Contexts You can apply a tagged building block to one or more contexts by using the building block configuration screens. Note Before applying a building block to a virtual context, confirm that the VLAN and BVI interfaces are defined correctly for the virtual context. If needed, remove VLAN and BVI interface configuration information from the building block and then apply it. Procedure Step 1 Choose Config > Building Blocks. The All Building Blocks table appears. 16-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 16 Using Configuration Building Blocks Displaying Building Block Use Step 2 In the All Building Blocks table, choose the tagged building block that you want to apply to one or more virtual contexts. Step 3 Choose System > Primary Attributes. The Primary Attributes configuration window appears. Step 4 In the Push Building Block to VCs field of the Primary Attributes configuration window, choose the contexts that you want to apply the building block to in the Available Items list, and click Add. They appear in the Selected Items list. To remove contexts that you do not want to apply the building block to, choose them in the Selected Items list, then click Remove. They items appear in the Available Items list. Step 5 Click Save. A progress bar reports status and the window refreshes when the operation is complete. Related Topics • Enabling the Building Block Feature, page 16-5 • Applying a Building Block to a Single Virtual Context, page 16-10 • Using Configuration Building Blocks, page 16-1 • Information About Building Block Versions and Tagging, page 16-4 • Creating Building Blocks, page 16-5 Displaying Building Block Use You can identify the virtual contexts using a building block. Procedure Step 1 Choose Config > Devices. The device tree appears. Step 2 In the device tree, choose All VC. The Virtual Contexts table appears. Step 3 In the Virtual Contexts table, use one of the following methods to display the building blocks being used: • For a small number of contexts, scan the Building Block column to see which building blocks are in use on virtual contexts. • For a large number of contexts, click Filter. The window refreshes so that you can enter search criteria. In the field beneath the Building Block column heading, enter a building block name or search string, then click Go. The table refreshes with entries that match the search criteria. Related Topics • Enabling the Building Block Feature, page 16-5 • Using Configuration Building Blocks, page 16-1 • Information About Building Block Versions and Tagging, page 16-4 16-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 16 Using Configuration Building Blocks Displaying Building Block Use • Creating Building Blocks, page 16-5 • Extracting Building Blocks from Virtual Contexts, page 16-6 • Tagging Building Blocks, page 16-9 CHAPTER 17-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 17 Monitoring Your Network Date: 3/28/12 Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. The ANM Monitor function allows you to monitor key areas of system usage. The following functionality is provided under Monitor in ANM: • Dashboards—Operate as a central location for you to view monitoring results and track potential issues. There are three types of dashboards in ANM: ANM/Group Dashboard, ACE Dashboard, and Context Dashboard. Each dashboard provides quick access to all relevant monitoring pages. See “Using Dashboards to Monitor Devices and Virtual Contexts” section on page 17-4. • Events—Lists events originated from devices through syslog, SNMP traps. See “Monitoring Events” section on page 17-55. • Alarm Notifications—Allows you to define thresholds and view alarms. See “Configuring Alarm Notifications on ANM” section on page 17-57 and “Displaying Alarm Notifications” section on page 17-65. • Settings—Allows you to do the following: – Display the current polling status of all the objects that ANM manages. See the “Displaying the Polling Status of All Managed Objects” section on page 17-44. – Set global polling and SMTP configurations. See “Setting Polling Parameters” section on page 17-46. – Export historical data. See “Exporting Historical Data” section on page 52. • Topology maps—Allows you to display a network topology map based on a selected virtual or real server. See “Displaying Network Topology Maps” section on page 68. • Tools—Allows you to verify connectivity (using the ping command) between a virtual context and an IP address that you specify. See “Testing Connectivity” section on page 71. 17-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Setting Up Devices for Monitoring Note When ANM is unable to retrieve information for a monitored statistic, it displays one of the following status conditions in the table cell: • N/A (Not Available)—Indicates that ANM was unable to poll the device for the information for one of the following reasons: – ANM is experiencing polling errors with the device. – ANM is not able to communicate with the device. – If a poll was recently initiated, ANM is in the process of gathering information from the device. • Not Supported—Indicates that the device does not have the capability to provide the information. This condition can be caused when the device does not have the necessary SNMP instrumentation. It is possible that another similar device type is able to provide the statistical information because it has been updated with the necessary SNMP instrumentation. • Not Applicable—Indicates that the particular information is not valid or not applicable for the device type, or ANM is unable to retrieve the information from the device because the information is not available through SNMP for the device type. Before using the Monitoring functions, make sure that your devices are properly configured for polling (see “Setting Up Devices for Monitoring” section on page 17-2). Setting Up Devices for Monitoring In order for ANM to successfully monitor your devices, you must configure the devices correctly for polling as show in Table 17-1. Table 17-1 Configuring Devices for Monitoring Device Type How to Configure Parameters to Configure ACE modules Configure parameters on the Admin context only. • All devices must have a routable IP address from the ANM. • The management policy with the SNMP protocol must be associated to the IP address. • You must enable SNMPv2c with a matching SNMP community string between ANM and the devices to be polled. (See the “Configuring Virtual Contexts” section on page 6-1.) • Before using the Monitoring functions, you must enable monitoring on all devices that you want ANM to monitor (see the “Setting Polling Parameters” section on page 17-46). ACE appliances Configure parameters on the Admin context only. 17-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Device Monitoring Features Related Topics • Device Monitoring Features, page 17-3 • Using Dashboards to Monitor Devices and Virtual Contexts, page 17-4 • Monitoring Devices, page 17-24 Device Monitoring Features ANM provides several features that allow you to monitor your devices when you click Monitor: • Dashboards—Operate as a central location for you to view device and context monitoring results and track potential issues. There are three types of Dashboards in ANM: ANM/Group Dashboard, ACE Dashboard, and ACE Virtual Context Dashboard. Each Dashboard provides quick access to all relevant monitoring pages. See “Using Dashboards to Monitor Devices and Virtual Contexts” section on page 17-4. • System View—Provides device information and a general overview of your system as a whole, including High Availability (HA) information and licensing information. System View is available only for CSS and CSM devices. See “Monitoring the System” section on page 17-25. • Resource Usage—Provides resource usage information on connections and features. See “Monitoring Resource Usage” section on page 17-26. Resource usage is not available for CSS or CSM devices. • Traffic Summary—Provides traffic information for your devices. Traffic Summary is available only for the ACE module, ACE appliance, and CSS. See “Monitoring Traffic” section on page 17-30. • Load Balancing—Provides virtual server information and load balancing statistics. See “Monitoring Load Balancing” section on page 17-33 and “Monitoring Load Balancing Statistics” section on page 17-41. CSS Configure parameters on the CSS devices that you want ANM to monitor. You cannot use ANM to configure the CSS. • All devices must have a routable IP address from the ANM. • For CSS devices, you must enable SNMPv2c with a matching SNMP community string between ANM and the devices to be polled. (See the “Configuring CSS Primary Attributes” section on page 5-35.) • For CSM devices, you must enable SNMPv2c with a matching SNMP community string on the Cat6K chassis in which the CSM resides. (See the “Configuring CSM Primary Attributes” section on page 5-34.) • Before using the Monitoring functions, you must enable monitoring on all devices that you want ANM to monitor (see the “Setting Polling Parameters” section on page 17-46). CSM Configure parameters on the Cat6K chassis (in which the CSM resides) that you want ANM to monitor. You cannot use ANM to configure the CSM. Table 17-1 Configuring Devices for Monitoring (continued) Device Type How to Configure Parameters to Configure 17-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts • Application Acceleration—Displays optimization statistics for ACE appliances on which you have configured application acceleration functions. See the “Monitoring Application Acceleration” section on page 17-43. This feature is only available on ACE appliances. • Polling Settings—Allows you to set polling parameters. See the “Setting Polling Parameters” section on page 17-46. • Historical Graphs—Allows you to view historical data for a group of monitoring page statistics. See the “Configuring Historical Trend and Real Time Graphs for Devices” section on page 17-48. Using Dashboards to Monitor Devices and Virtual Contexts ANM dashboards allow for faster and more accurate assessment and analysis of device and virtual context health and usage, as well as performance. Corresponding monitoring views allow for quick access to details for further investigation into potential problems highlighted in the dashboards. Graphs, as well as monitoring screens, allow you to view historical data and compare the performance with the peer objects. Note All client browsers require that you enable Adobe Flash Player 9 to properly display the monitoring graphs provided in ANM. Dashboards in ANM provide: • A central location for you to view monitoring highlights. • Emphasis on potential issues that require your attention. • Quick access to relevant ANM pages for more detailed monitoring data. In each dashboard, there are a relevant set of dashboard panes. The information shown in the dashboard panes differ based on the device or groups that you select in the device tree. The dashboard panes are moveable element inside the dashboard that can be minimized/maximized, moved, and, if desired, removed from view. You can also display a larger (full) window view for a dashboard window. Note Changes made to dashboard layout or pane selections are only applicable for the current session. Those changes are not maintained by ANM the next time you access an ANM dashboard. The dashboard tables and graphs autorefresh every two minutes. If desired, you can disable autofreshing by clicking the Pause Autofresh button in the upper-right corner of the dashboard. Note All dashboard contents are under Role-Based Access Control (RBAC). Options will be grayed or not displayed if proper permission has not been granted to the logged in user by the administrator. See the “How ANM Handles Role-Based Access Control” section on page 18-8 for more information about RBAC in ANM. This section includes the following topics: • ACE Dashboard, page 17-5 • ACE Virtual Context Dashboard, page 17-12 • ANM Group Dashboard, page 17-16 17-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts ACE Dashboard The ACE Dashboard displays the information related to the ACE module or ACE appliance that is selected in the device tree. You access the ACE Dashboard by selecting Monitor > Devices > ACE > Dashboard. Figure 17-1 illustrates the individual components of the ACE Dashboard. Note The ANM software version that displays across the top of the window varies depending on your version of ANM. Figure 17-1 Example ACE Device Dashboard To enhance your viewing of the monitoring information in the ACE Dashboard, you can perform the following actions: • Click and drag an individual dashboard pane to move it to another location within the ACE Dashboard. • Use the Collapse/Expand buttons at the top right side of each dashboard pane to minimize/maximize a pane within the ACE Dashboard. • Click the Remove button to remove a dashboard pane from the ACE Dashboard. Click the Bring Back Closed Dashboard Panes button at the top of the ACE Dashboard to open the closed dashboard pane. Note When you close any of the panes in a dashboard by clicking the Remove button, all of the headers in the other dashboard panes turn black to indicate that a pane has been closed. To return the dashboard panes to normal, click the Bring Back Closed Dashboard Panes button to reload the removed dashboard pane. • Click the Screen View (Full)/Screen View (Normal) buttons to display a larger (full) window view for the ACE Dashboard. 17-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts Changes made to dashboard layout or pane selections are only applicable for the current session. Those changes are not maintained by ANM the next time you access the ACE Dashboard. The components of the individual ACE Dashboard panes are described in the following sections. • Device Information Table, page 17-6 • License Status Table, page 17-6 • High Availability Table, page 17-7 • ACE Device Configuration Summary Table, page 17-7 • Context With Denied Resource Usage Detected Table, page 17-8 • Device Resource Usage Graph, page 17-9 • Top 10 Current Resources Table, page 17-10 • Control Plane CPU/Memory Graphs, page 17-11 Device Information Table The Device Information table lists the details that will identify the status of the selected ACE. It includes the following fields: • Host Name—Host name of the ACE module or ACE appliance. • Device Status—Device reachability status through SNMP and XML connectivity (Up or Down). • Device Type—ACE device specifics for the ACE module or ACE appliance. • Management IP—Management IP address of the admin virtual context. • Number of Contexts—Number of configured contexts, including the Admin context and configured user contexts. • Software Version—Release software version of the ACE module or ACE appliance. • Last Boot Reason—Reason for the last reboot of the ACE (if available). • Uptime—Length of time that the ACE has been up and running. The data shown in this table is collected during device discovery as well as during periodic monitor polling. The timestamp shown in the status bar is from the last polled time of the Admin virtual context. License Status Table The License Status table lists the license status of the selected ACE device. ANM uses the ACE show license status CLI command to obtain the license details. The timestamp shown in the status bar is from the last polled time of the Admin virtual context. 17-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts High Availability Table The HA Peer Information table lists the details of the HA peer, if configured in HA mode. It includes the following information: • HA/FT Interface State—State of the local ACE. See the “ACE High Availability Polling” section on page 13-7. • My IP Address—IP address of the local ACE. • Peer IP Address—IP address of the peer ACE. • Software Compatibility—Status of whether the software version of the local ACE and the software version of the peer ACE are compatible. Possible states are the INIT, COMPATIBLE, or INCOMPATIBLE state. • License Compatibility—Status of whether the license of the local ACE and the license of the peer ACE are compatible. Possible states are the INIT, COMPATIBLE, or INCOMPATIBLE state. • Number of FT Groups—Number of configured FT groups. • Number of Heartbeats Transmitted—Total number of heartbeat packets transmitted. • Number of Heartbeats Received—Total number of heartbeat packets received. This data is collected during periodic monitoring polling. The timestamp shown in the status bar is from the last polled time of the Admin virtual context. ACE Device Configuration Summary Table The Device Configuration Summary table displays the following information: • Virtual Servers—Total count of virtual servers configured in all contexts and the count of virtual servers that are in the In Service or Out of Service state. ANM also identifies virtual servers that have a Status Not Available state (due to polled failing, polled disable, and so on) and have a Status Not Supported state (due to a lack of ACE SNMP support). A hyperlink enables you to view load balancing virtual server monitoring information based on the identified state (see the “Monitoring Load Balancing on Virtual Servers” section on page 17-33). For example, if you click the In Service hyperlink, you will see only the virtual servers that are currently in service. • Real Servers—Total count of real servers configured in all contexts and the count of real servers that are in In Service and Out of Service. A hyperlink enables you to view load balancing real server monitoring information based on the identified state (see the “Monitoring Load Balancing on Real Servers” section on page 17-37). For example, if you click the In Service hyperlink, you will see only the real servers that are currently in service. • Probes—Total count of probes configured in all contexts and the count of probes that are in the In Service and Out of Service state. A hyperlink enables you to view load balancing probe monitoring information based on the identified state (see the “Monitoring Load Balancing on Probes” section on page 17-40). For example, if you click the In Service hyperlink, you will see only the probes that are currently in service. • Gigabit Ethernets—(ACE appliance only) Total count of Gigabit Ethernet physical interfaces configured on the ACE appliance based on their operational status of Up and Down. A hyperlink enables you to view traffic summary information based on the identified state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the Up hyperlink, you will see only the Gigabit Ethernet physical interfaces that currently have an operational status of Up. 17-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts • VLANs—Total count of VLANs configured and the count of VLANs based on operational status - Up and Down. A hyperlink enables you to view traffic summary information based on the identified state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the Up hyperlink, you will see only the VLAN interfaces that currently have an operational status of Up. • Port Channels—(ACE appliance only) Total count of port channels configured on the ACE appliance based on their operational status of Up and Down. A hyperlink enables you to view traffic summary information based on the identified state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the Up hyperlink, you will see only the port channels that currently have an operational status of Up. • BVIs—Total count of BVI interfaces and the count of BVI interfaces based on their operational status of Up and Down. A hyperlink enables you to view traffic summary information based on the identified state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the Up hyperlink, you will see only the BVI interfaces that currently have an operational status of Up. • Certificates—Total count of SSL certificates and the count of SSL certificates that are expiring beyond 30 days, expired, or that are expiring within 30 days. A hyperlink accesses a popup window for you to view the SSL certificates list based on the selection, displaying the certificate name, device name, days to expire, expiration date, and the date it was evaluated for you to determine the days to expire. Certificates are considered expired it their expiration date is within the next day (rounded down the next day). A hyperlink in the device name allows you to navigate to the context-based SSL Certificate configuration page (see the “Using SSL Certificates” section on page 11-5). This data is collected during discovery as well as during periodic monitoring polling. The timestamp shown in the status bar indicates a varying poll time; that is, different virtual contexts were polled and those context had different time stamps. The earliest time stamp of the polled virtual contexts is displayed in the status bar. All counts shown in the Device Configuration Summary table are based on the operational status of the monitored objects listed above. • Out Of Service—Indicates any status other than In Service (for example, Out Of Service, Failed, or Disabled). • Status not available—Indicates that ANM was unable to poll the operational status of this object. The display of this operational status could be due to polling errors or the device was unreachable. Also, if a poll was recently initiated, this operational status could indicate that ANM is in the process of collecting data. • Status not supported—Indicates that the device does not have the capability to provide an operational status of this object. The display of this operational status could be due to missing SNMP instrumentation on earlier ACE devices. Context With Denied Resource Usage Detected Table The Context With Denied Resource Usage Detected table lists all contexts for which the resource request is denied after reaching the maximum limit. An increase in the deny count (that is, the deny rate) results in the relevant context resource type appearing in this table. ANM obtains the count information by using the ACE show resource usage CLI command, which collects the information from the following MIBs: crlResourceLimitReqsDeniedCount and crlRateLimitResourceReqsDeniedCount. This table includes the following information: • Context—Name of the configured context that contains a denied resource. • Resource Type—Type of system resource in the context. 17-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts • Denies/Second—Number of denied resources (per second) as a result of oversubscription or resource depletion. • Total Deny Count—Number of denied uses of the resource since the resource statistics were last cleared. • Last Polled Count—Date and time of the last time that ANM polled the device to display the current values. Note The Context With Denied Resource Usage Detected table does not display the sticky denied resource count because this count does not increment when the ACE sticky resources are exhausted. The ACE’s sticky table can hold a maximum of four million entries (four million simultaneous users). When the table reaches the maximum number of entries, additional sticky connections cause the table to wrap and the first users become unstuck from their respective servers. A hyperlink allows you to access the Resource Usage monitoring page to view a detailed list of resources used and denied counts (see the “Monitoring Resource Usage” section on page 17-26). Device Resource Usage Graph For each resource type, the ACE Dashboard displays the Top 3 virtual contexts that consume the resources in the Device Resource Usage graph (Figure 17-2). A tooltip is added to display the Top 3 context names and their consumption, consumption of the resource by rest of the contexts and the total consumption by all contexts. This data is collected by ANM by using the ACE show resource usage CLI command. The timestamp shown in the status bar indicates a varying poll time; that is, different virtual contexts were polled and those context had different time stamps. The earliest time stamp of the polled virtual contexts is displayed in the status bar. Figure 17-2 Device Resource Usage Graph To toggle the display of the Device Resource Usage graph in the monitoring window: • Click View As Chart to display the object data as a graph. • Click View As Grid to display the object data as a numerical line grid. Note If you want to save the graph as a JPEG file for archive or other purposes, click the Show As Image button. When you mouse over the graph, the Image Toolbar appears. From the Image Toolbar, you can save the graph as a JPEG or send it in an email. You can also print the graph if desired. If you want to export object data to Microsoft Excel for archive or other purposes, click the Export to Excel link in the View As Grid object display. 17-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts Hyperlinks allow you to access the individual resource usage page for more details (see the “Monitoring Resource Usage” section on page 17-26). Note ACL Memory (for ACE module and ACE appliance) and Application Acceleration (for ACE appliance only) do not appear in the Device Resource Usage graph. To view the detailed counters, click the hyperlink to access individual resource usage page. Top 10 Current Resources Table The Top 10 Resource Usage table (Figure 17-3) displays the Top 10 resource types that have been evaluated for high resource utilization. The resource with highest utilization appears at the top. This data is collected by ANM by using the ACE show resource usage CLI command. Figure 17-3 Top 10 Current Resources Table—ACE Dashboard This table includes the following information: • Last Hour—Plot of high resource utilization during the past hour. • Resource Name—Type of system resource in the context. • Used By—Name of the virtual context that is placing the high demands on the resource. The Global Pool usage is critical in the setup where one or more contexts are configured to make use of the global pool once their reserved resource are depleted and resource is free in the global pool. In this situation, if the global pool is depleted, multiple contexts may be starved for resource. Note Contexts configured to make use of the global pool will not be evaluated for the Top 10 Resource Usage table. • Current Usage—Active concurrent instances or the current rate of the resource. • Average—Average value of resource usage (based on the last hour). • Max.—Highest value of resource usage (based on the last hour). • Last Polled Time—Date and time of the last time that ANM polled the device to display the current values. Hyperlinks allow you to access the individual resource usage page for more details (see the “Monitoring Resource Usage” section on page 17-26). You can choose to show or hide the syslog buffer information that displays in the Top 10 Current Resources pane. You may want to hide this information because it will always show 100 percent after the buffer becomes full and starts to wrap. For more information, see the “Managing the Syslog Buffer Display in the All Devices Dashboard” section on page 18-66. 17-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts Control Plane CPU/Memory Graphs The Control Plane CPU/Memory graphs (Figure 17-4) show the utilization of the ACE CPU. This data consists of two graphs: • The Control Plane CPU Usage graph shows the utilization of the ACE CPU as a percentage. • The Control Plane Memory graph displays the consumed memory on Kbytes. A tooltip is added to display the Cache Memory, Total Memory, Shared Memory, Buffer Memory, and Free Memory usage as a percentage. To toggle the display of the Control Plane CPU/Memory graph in the monitoring window: • Click View As Chart to display the object data as a graph. • Click View As Grid to display the object data as a numerical line grid. Note If you want to save the graph as a JPEG file for archive or other purposes, click the Show As Image button. When you mouse over the graph, the Image Toolbar appears. From the Image Toolbar, you can save the graph as a JPEG or send it in an email. You can also print the graph if desired. If you want to export object data to Microsoft Excel for archive or other purposes, click the Export to Excel link in the View As Grid object display. Figure 17-4 Control Plane CPU/Memory Graphs 17-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts ACE Virtual Context Dashboard The ACE Virtual Context Dashboard displays monitoring information for an ACE virtual context selected from the device tree,. You access the ACE Virtual Context Dashboard by selecting Monitor > Devices > virtual_context > Dashboard. Figure 17-5 illustrates the individual components of the ACE Virtual Context Dashboard. Note The ANM software version that displays across the top of the window varies depending on your version of ANM. Figure 17-5 ACE Virtual Context Dashboard To enhance your viewing of the monitoring information in the ACE Virtual Context Dashboard, you can perform the following actions: • Click and drag an individual dashboard pane to move it to another location within the ACE Virtual Context Dashboard. • Use the Collapse/Expand buttons at the top right side of each dashboard pane to minimize/maximize a pane within the ACE Virtual Context Dashboard. • Click the Remove button to remove a dashboard pane from the ACE Virtual Context Dashboard. Click the Bring Back Closed Dashboard Panes button at the top of the ACE Virtual Context Dashboard to open the closed dashboard pane. Note When you close any of the panes in a dashboard by clicking the Remove button, all of the headers in the other dashboard panes turn black to indicate that a pane has been closed. To return the dashboard panes to normal, click the Bring Back Closed Dashboard Panes button to reload the removed dashboard pane. • Click the Screen View (Full)/Screen View (Normal) buttons to display a larger (full) window view for the ACE Dashboard. 17-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts Changes made to dashboard layout or pane selections are only applicable for the current session. Those changes are not maintained by ANM the next time you access the ACE Virtual Context Dashboard. The components of the individual ACE Virtual Context Dashboard panes are described in the following sections. • ACE Virtual Context Device Configuration Summary Table, page 17-13 • Context With Denied Resource Usage Detected Table, page 17-14 • Context Resource Usage Graph, page 17-15 • Load Balancing Servers Performance Graphs, page 17-15 ACE Virtual Context Device Configuration Summary Table The Device Configuration Summary table displays the following information: • Virtual Servers—Total count of virtual servers configured in all contexts and the count of virtual servers that are in the In Service and Out of Service state. ANM also identifies virtual servers that have a Status Not Available state (due to polled failing, polled disable, and so on) and have a Status Not Supported state (due to a lack of ACE SNMP support). A hyperlink enables you to view load balancing virtual server monitoring information based on the identified state (see the “Monitoring Load Balancing on Virtual Servers” section on page 17-33). For example, if you click the In Service hyperlink, you will see only the virtual servers that are currently in service. • Real Servers—Total count of real servers configured in all contexts and the count of real servers that are in In Service and Out of Service. A hyperlink enables you to view load balancing real server monitoring information based on the identified state (see the “Monitoring Load Balancing on Real Servers” section on page 17-37). For example, if you click the In Service hyperlink, you will see only the real servers that are currently in service. • Probes—Total count of probes configured in all contexts and the count of probes that are in the In Service and Out of Service state. A hyperlink enables you to view load balancing probe monitoring information based on the identified state (see the “Monitoring Load Balancing on Probes” section on page 17-40). For example, if you click the In Service hyperlink, you will see only the probes that are currently in service. • Gigabit Ethernets—(ACE appliance only) Total count of Gigabit Ethernet physical interfaces configured on the ACE appliance based on their operational status of Up and Down. A hyperlink enables you to view traffic summary information based on the identified state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the Up hyperlink, you will see only the Gigabit Ethernet physical interfaces that currently have an operational status of Up. • VLANs—Total count of VLANs configured and the count of VLANs based on operational status - Up and Down. A hyperlink enables you to view traffic summary information based on the identified state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the Up hyperlink, you will see only the VLAN interfaces that currently have an operational status of Up. • Port Channels—(ACE appliance only) Total count of port channels configured on the ACE appliance based on their operational status of Up and Down. A hyperlink enables you to view traffic summary information based on the identified state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the Up hyperlink, you will see only the port channels that currently have an operational status of Up. • BVIs—Total count of BVI interfaces and the count of BVI interfaces based on their operational status of Up and Down. A hyperlink enables you to view traffic summary information based on the identified state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the Up hyperlink, you will see only the BVI interfaces that currently have an operational status of Up. 17-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts • Certificates—Total count of SSL certificates and the count of SSL certificates that are expiring beyond 30 days, expired, or that are expiring within 30 days. A hyperlink accesses a popup window for you to view the SSL certificates list based on the selection, displaying the certificate name, device name, days to expire, expiration date, and the date it was evaluated for you to determine the days to expire. Certificates are considered expired it their expiration date is within the next day (rounded down the next day). A hyperlink in the device name allows you to navigate to the context-based SSL Certificate configuration page (see the “Using SSL Certificates” section on page 11-5). Counts are based on the selected ACE virtual context and not for all ACE virtual contexts. This data is collected during discovery as well as during periodic monitoring polling. The timestamp shown in the status bar indicates a varying poll time; that is, different virtual contexts were polled and the contexts had different time stamps. The earliest time stamp of the polled virtual contexts is displayed in the status bar. All counts shown in the Device Configuration Summary table are based on the operational status of the monitored objects listed above. • Out Of Service—Indicates any status other than In Service (for example, Out Of Service, Failed, or Disabled). • Status not available—Indicates that ANM was unable to poll the operational status of this object. The display of this operational status could be due to polling errors or the device was unreachable. Also, if a poll was recently initiated, this operational status could indicate that ANM is in the process of collecting data. • Status not supported—Indicates that the device does not have the capability to provide an operational status of this object. The display of this operational status could be due to missing SNMP instrumentation on earlier ACE devices. Context With Denied Resource Usage Detected Table The Context With Denied Resource Usage Detected table lists all contexts for which the resource request is denied after reaching the maximum limit. An increase in the deny count (that is, the deny rate) will result in the relevant context resource type to appear in this table. This data is collected by ANM by using the ACE show resource usage CLI command. This table includes the following information: • Context—Name of the configured context that contains a denied resource. • Resource Type—Type of system resource in the context. • Denies/Second—Number of denied resources (per second) as a result of oversubscription or resource depletion. • Total Deny Count—Number of denied uses of the resource since the resource statistics were last cleared. • Last Polled Count—Date and time of the last time that ANM polled the device to display the current values. Note This information is collected from the following MIBs: crlResourceLimitReqsDeniedCount and crlRateLimitResourceReqsDeniedCount. A hyperlink allows you to access the Resource Usage monitoring page to view a detailed list of resources used and denied counts (see the “Monitoring Resource Usage” section on page 17-26). 17-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts Context Resource Usage Graph The Context Resource Usage graph (see Figure 17-5) displays the details of each resource type utilized by the selected contexts. For each resource type, the graph includes the following monitoring statistics: Used, Global Available, and Guaranteed. This data is collected by ANM by using the ACE show resource usage CLI command. To toggle the display of the Context Resource Usage graph in the monitoring window: • Click View As Chart to display the object data as a graph. • Click View As Grid to display the object data as a numerical line grid. Note If you want to save the graph as a JPEG file for archive or other purposes, click the Show As Image button. When you mouse over the graph, the Image Toolbar appears. From the Image Toolbar, you can save the graph as a JPEG or send it in an email. You can also print the graph if desired. If you want to export object data to Microsoft Excel for archive or other purposes, click the Export to Excel link in the View As Grid object display. Hyperlinks allow you to access the individual resource usage page for more details (see the “Monitoring Resource Usage” section on page 17-26). Note ACL Memory (for ACE module and ACE appliance) and Application Acceleration (for ACE appliance only) do not appear in the Device Resource Usage graph. To view the detailed counters, click the hyperlink to access individual resource usage page. Load Balancing Servers Performance Graphs The Load Balancing Servers Performance graphs (Figure 17-6) include: • Top 5 Virtual Servers—Displays the top five virtual servers in the selected virtual context. You can select from server statistics (such as High Connection Rate, Dropped Connection Rate, and so on) that are collected by ANM polling for top performance evaluation. • Top 5 Real Servers—Displays the top five real servers in the selected virtual context. You can select from server statistics (such as High Connection Rate, Dropped Connection Rate, and so on) that are collected by ANM polling for top performance evaluation. You select the statistic from the Select Statistics drop-down list. To toggle the display of a Load Balancing Servers Performance graph in the monitoring window: • Click View As Chart to display the object data as a graph. • Click View As Grid to display the object data as a numerical line grid. Note If you want to save the graph as a JPEG file for archive or other purposes, click the Show As Image button. When you mouse over the graph, the Image Toolbar appears. From the Image Toolbar, you can save the graph as a JPEG or send it in an email. You can also print the graph if desired. If you want to export object data to Microsoft Excel for archive or other purposes, click the Export to Excel link in the View As Grid object display. 17-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts Hyperlinks allow you to access the corresponding monitoring screens for more details: • Monitoring Load Balancing on Virtual Servers, page 17-33 • Monitoring Load Balancing on Real Servers, page 17-37 Figure 17-6 Load Balancing Servers Performance Graphs ANM Group Dashboard The ANM Group Dashboard displays overall information of the ANM server. You can specify to view details for the ANM-created All Devices Group and for a user-defined ANM device group (see the “Monitoring Device Groups” section on page 17-23). You access the ANM Group Dashboard by choosing Monitor > Devices > Groups > All Devices > Dashboard. Figure 17-7 illustrates the individual components of the ANM Group Dashboard. Note The ANM software version that displays across the top of the window varies depending on your version of ANM. Figure 17-7 ANM Group Dashboard 17-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts To enhance your viewing of the monitoring information in the ANM Group Dashboard, you can perform the following actions: • Click and drag an individual dashboard pane to move it to another location within the ANM Group Dashboard. • Use the Collapse/Expand buttons at the top right side of each dashboard pane to minimize/maximize a pane within the ANM Group Dashboard. • Click the Remove button to remove a dashboard pane from the ANM Group Dashboard. Click the Bring Back Closed Dashboard Panes button at the top of the ANM Group Dashboard to open the closed dashboard pane. Note When you close any of the panes in a dashboard by clicking the Remove button, all of the headers in the other dashboard panes turn black to indicate that a pane has been closed. To return the dashboard panes to normal, click the Bring Back Closed Dashboard Panes button to reload the removed dashboard pane. • Click the Screen View (Full)/Screen View (Normal) buttons to display a larger (full) window view for the ACE Dashboard. Changes made to dashboard layout or pane selections are only applicable for the current session. Those changes are not maintained by ANM the next time you access the ANM Group Dashboard. The components of the individual ANM Group Dashboard panes are described in the following sections. • Managed Devices Table, page 17-17 • Context With Denied Resource Usage Detected Table, page 17-18 • ANM Group Device Configuration Summary Table, page 17-18 • Top 10 Current Resources Table, page 17-20 • Latest 5 Alarms Notifications Table, page 17-21 • Latest 5 Critical Events Table, page 17-21 • Contexts Performance Overview Graph, page 17-22 Managed Devices Table The Managed Devices table displays the total count of devices in the selected ANM device group and the count based on the state (Up or Down) of the imported ACE modules, ACE appliances, CSM, GSS, and CSS devices. The data shown in this table are collected during device discovery as well as during periodic monitor polling. The state of the individual device is identified from its XML connectivity and SNMP status (whichever is applicable). The most recent information is used to identify device status. Click the Device Details hyperlink to view a popup window containing the following device information: • Device Name—Name of the device managed by ANM. • State—Operational state of the device (Up or Down). If the State is Down, ANM displays whether the state has been detected through SNMP or XML. • Device Type—Device type assigned to the imported device by ANM (for example, ACE v 2.0). • # of VCs—Number of configured ACE virtual contexts, including the Admin context and configured user contexts. This value is only applicable for the ACE module and ACE appliance. 17-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts • Last Polled Time—Date and time of the last time that ANM polled the device to display the current values. The data shown in this table is collected during device discovery as well as during periodic monitor polling. The timestamp shown in the status bar indicates a varying poll time; that is, different virtual contexts were polled and the contexts had different time stamps. The earliest time stamp of the polled virtual contexts is displayed in the status bar. Hyperlinks in the popup window allow you to access the individual ACE Device Dashboard for more details (see the “ACE Dashboard” section on page 17-5). Context With Denied Resource Usage Detected Table The Context With Denied Resource Usage Detected table lists all contexts for which the resource request is denied after reaching the maximum limit. An increase in the deny count (that is, the deny rate) will result in the relevant context resource type to appear in this table. This data is collected by ANM by using the ACE show resource usage CLI command. This table includes the following information: • Context—Name of the configured context that contains a denied resource. • Resource Type—Type of system resource in the context. • Denies/Second—Number of denied resources (per second) as a result of oversubscription or resource depletion. • Total Deny Count—Number of denied uses of the resource since the resource statistics were last cleared. • Last Polled Count—Date and time of the last time that ANM polled the device to display the current values. Note This information is collected from the following MIBs: crlResourceLimitReqsDeniedCount and crlRateLimitResourceReqsDeniedCount. A hyperlink allows you to access to Resource Usage monitoring page to view a detailed list of resources used and denied counts (see the “Monitoring Resource Usage” section on page 17-26). ANM Group Device Configuration Summary Table The Device Configuration Summary table displays the following information: • Virtual Servers—(ACE only) Total count of virtual servers configured in all contexts and the count of virtual servers that are in the In Service and Out of Service state. ANM also identifies virtual servers that have a Status Not Available state (due to polled failing, polled disable, and so on) and have a Status Not Supported state (due to a lack of ACE SNMP support). A hyperlink enables you to view load balancing virtual server monitoring information based on the identified state (see the “Monitoring Load Balancing on Virtual Servers” section on page 17-33). For example, if you click the In Service hyperlink, you will see only the virtual servers that are currently in service. • Real Servers—(ACE only) Total count of real servers configured in all contexts and the count of real servers that are in In Service and Out of Service. A hyperlink enables you to view load balancing real server monitoring information based on the identified state (see the “Monitoring Load Balancing on Real Servers” section on page 17-37). For example, if you click the In Service hyperlink, you will see only the real servers that are currently in service. 17-19 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts • Probes—(ACE only) Total count of probes configured in all contexts and the count of probes that are in the In Service and Out of Service state. A hyperlink enables you to view load balancing probe monitoring information based on the identified state (see the “Monitoring Load Balancing on Probes” section on page 17-40). For example, if you click the In Service hyperlink, you will see only the probes that are currently in service. • Gigabit Ethernets—(ACE appliance only) Total count of Gigabit Ethernet physical interfaces configured on the ACE appliance based on their operational status of Up and Down. A hyperlink enables you to view traffic summary information based on the identified state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the Up hyperlink, you will see only the Gigabit Ethernet physical interfaces that currently have an operational status of Up. • VLANs—(ACE only) Total count of VLANs configured and the count of VLANs based on operational status - Up and Down. A hyperlink enables you to view traffic summary information based on the identified state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the Up hyperlink, you will see only the VLAN interfaces that currently have an operational status of Up. • Port Channels—(ACE appliance only) Total count of port channels configured on the ACE appliance based on their operational status of Up and Down. A hyperlink enables you to view traffic summary information based on the identified state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the Up hyperlink, you will see only the port channels that currently have an operational status of Up. • BVIs—(ACE only) Total count of BVI interfaces and the count of BVI interfaces based on their operational status of Up and Down. A hyperlink enables you to view traffic summary information based on the identified state (see the “Monitoring Traffic” section on page 17-30). For example, if you click the Up hyperlink, you will see only the BVI interfaces that currently have an operational status of Up. • Certificates—(ACE only) Total count of SSL certificates and the count of SSL certificates that are valid, expired, or that are expiring within 30 days. A hyperlink accesses a popup window for you to view the SSL certificates list based on the selection, displaying the certificate name, device name, days to expire, expiration date, and the date it was evaluated for you to determine the days to expire. Certificates are considered expired it their expiration date is within the next day (rounded down the next day). A hyperlink in the device name allows you to navigate to the context-based SSL Certificate configuration page (see the “Using SSL Certificates” section on page 11-5). • GSS VIP Answers—(GSS only) Total number of configured VIP answers and their operating state, which is either Active or Other. The Other state can indicate any of the following states: Suspended, Operational Suspended, Unknown, Failed, or N/A. • GSS DNS Rules—(GSS only) Total number of configured DNS rules and their operating state, which is either Active or Other. The Other state can indicate either the Suspended or N/A states. This data is collected during discovery as well as during periodic monitoring polling. The timestamp shown in the status bar indicates a varying poll time; that is, different virtual contexts were polled and the contexts had different time stamps. The earliest time stamp of the polled virtual contexts is displayed in the status bar. All counts shown in the Device Configuration Summary table are based on the operational status of the monitored objects listed above. • Out Of Service—Indicates any status other than In Service (for example, Out Of Service, Failed, or Disabled). 17-20 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts • Status not available—Indicates that ANM was unable to poll the operational status of this object. The display of this operational status could be due to polling errors or the device was unreachable. Also, if a poll was recently initiated, this operational status could indicate that ANM is in the process of collecting data. • Status not supported—Indicates that the device does not have the capability to provide an operational status of this object. The display of this operational status could be due to missing SNMP instrumentation on the CSS or on earlier ACE devices. Top 10 Current Resources Table The Top 10 Resource Usage table (Figure 17-8) displays the top 10 resource types that have been evaluated for high resource utilization. The resource with highest utilization appears at the top. This data is collected by ANM by using the ACE show resource usage CLI command. Figure 17-8 Top 10 Current Resources Table—ANM Group Dashboard This table includes the following information: • Last Hour—Plot of high resource utilization during the past hour. • Resource Name—Type of system resource in the context. • Used By—Name of the virtual context that is placing the high demands on the resource. The Global Pool usage is critical in the setup where one or more contexts are configured to make use of the global pool once their reserved resource are depleted and resource is free in the global pool. In this situation, if the global pool is depleted, multiple contexts may be starved for resource. Note Contexts configured to make use of the global pool will not be evaluated for the Top 10 Resource Usage table. • Current Usage—Active concurrent instances or the current rate of the resource. • Average—Average value of resource usage (based on the last hour). 17-21 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts • Max.—Highest value of resource usage (based on the last hour). • Last Polled Time—Date and time of the last time that ANM polled the device to display the current values. Hyperlinks allow you to access the individual resource usage page for more details (see the “Monitoring Resource Usage” section on page 17-26). You can choose to show or hide the syslog buffer information that displays in the Top 10 Current Resources pane. You may want to hide this information because it will always show 100 percent after the buffer becomes full and starts to wrap (see the “Managing the Syslog Buffer Display in the All Devices Dashboard” section on page 18-66). Latest 5 Alarms Notifications Table The Latest 5 Alarm Notification table (Figure 17-9) displays the most recent five alarms for ANM along with a summary that explains the number of Critical, Major, Minor, and Informational alarms. This function interacts with the user-configured ANM alarm and threshold features (see the “Configuring Alarm Notifications on ANM” section on page 17-57). Figure 17-9 Latest 5 Alarms Notifications Table Note By default, no thresholds are configured in ANM. This table includes the following information: • Device—Name of the ACE device (appliance or module). • Severity— Severity level of the threshold, which can be one of the following: Info, Critical, Major, Minor. • Time—ANM timestamp at which the alarm occurred. • Category—Alarm name. • Details—Additional information about the alarm. A hyperlink allow you to view alarm notifications (see the “Displaying Alarm Notifications” section on page 17-65). Latest 5 Critical Events Table The Latest 5 Critical Events table display most recent five critical events that ANM receives from devices, including traps and high severity syslogs. ANM displays a summary that explains the number of Emergency, Alert, and Critical alarms. ANM displays critical events if the imported ACE device has been configured to send syslogs and traps to ANM. For information about configuring the ACE to send syslogs and traps, see either the Cisco Application Control Engine Module System Message Guide or the Cisco 4700 Series Application Control Engine Appliance System Message Guide. 17-22 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Using Dashboards to Monitor Devices and Virtual Contexts Figure 17-10 Latest 5 Critical Events Table The following details are shown in the Critical Events table: • Device/Context—ACE device name and virtual context where the event occurred. • Time—ANM timestamp at which the alarm occurred. • Type—Displays if the event appears in a syslog or a trap. • Details—Additional information about the critical event. A hyperlink allow you to view all events collected by ANM (see the “Monitoring Events” section on page 17-55). Contexts Performance Overview Graph The Contexts Performance Overview graph displays the top five virtual contexts based on user-configurable resource statistic such as ACL Memory, Bandwidth, and so on. You select the resource from the Select Statistics drop-down list. This data is collected by ANM by using the ACE show resource usage CLI command. Figure 17-11 Context Performance Graph To toggle the display of the top five virtual context chart in the Contexts Performance Overview graph: • Click View As Chart to display the resource statistic as a graph. • Click View As Grid to display the resource statistic as a numerical line grid. Note If you want to save the graph as a JPEG file for archive or other purposes, click the Show As Image button. When you mouse over the graph, the Image Toolbar appears. From the Image Toolbar, you can save the graph as a JPEG or send it in an email. You can also print the graph if desired. If you want to export object data to Microsoft Excel for archive or other purposes, click the Export to Excel link in the View As Grid object display. 17-23 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Device Groups Monitoring Device Groups You can display monitoring information for device groups that you create in Cisco License Manager (see Configuring User-Defined Groups, page 5-72). When you choose Monitor > Devices > Groups > device_group, all monitoring features that are supported on any of the devices in the device group are displayed. Because some monitoring features, for example, Application Acceleration, are not supported on all device types, you can click the following buttons at the bottom of the Monitor screens to change what information appears: • Show Polled Devices—By default, only the devices in the device group that support the specified feature are displayed. • Show All Devices—All devices in the device group are shown on the Monitoring results window, whether or not the feature you selected is supported on all the devices. For example, if you create a device group that contains an ACE appliance and several other different device types, then choose Monitor > Devices > Groups > device_group > Application Acceleration, by default, only the ACE appliance appears in the Application Acceleration window because the other device types in the device group do not support this feature. If you click Show Polled Devices, all devices in the device group are displayed. When viewing monitoring information, you might see N/A, which indicates that ACE Device Manager was not able to obtain the specified value. In addition, the monitoring window displays N/A in certain fields for which polling has not been executed. Related Topics • Setting Up Devices for Monitoring, page 17-2 • Device Monitoring Features, page 17-3 • Using Dashboards to Monitor Devices and Virtual Contexts, page 17-4 • Monitoring Devices, page 17-24 17-24 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Devices Monitoring Devices ANM monitors activities on ACE, CSS, and CSM devices. When you choose Monitor > Devices, you can view device information. Using SNMP and CLI commands, ANM gathers information about your devices and displays the information. Note If you get a warning message indicating that monitoring is not enabled or functioning, you must enable statistic monitoring on the device. See the “Setting Polling Parameters” section on page 17-46. Table 17-2 lists the features that appear under Monitor > Devices, depending on which device type you choose in the device tree. Related Topics • Using Dashboards to Monitor Devices and Virtual Contexts, page 17-4 • Monitoring the System, page 17-25 • Setting Up Devices for Monitoring, page 17-2 • Device Monitoring Features, page 17-3 • Setting Polling Parameters, page 17-46 • Configuring Historical Trend and Real Time Graphs for Devices, page 17-48 Table 17-2 Supported Features According to Device Type Device Type Selected in the Device Tree Supported Features Displayed Under Dashboard System View Resource Usage1 1. See the “Monitoring Resource Usage” section on page 17-26 for information about the options available under Resource Usage. Traffic Summary Load Balancing Application Acceleration Polling Settings ACE module X – X X X – – Admin context X – X X X – X User context X – X X X – X ACE appliance X – X X X X – Admin context X – X X X X X User context X – X X X X X CSS – X – X X2 2. CSS devices support Virtual Servers only, so you do not see the Load Balancing > Statistics menu option. – X CSM – X – – X – X GSS – – – – – – X Groups3 3. By default, all monitoring features that are supported on any of the devices in the device group appear when you select a device group. See the “Using Dashboards to Monitor Devices and Virtual Contexts” section on page 17-4 for more information about monitoring various device types within a device group. X – X X X X – 17-25 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring the System Monitoring the System Cisco License Manager provides a System View that displays device information and a general overview of your system as a whole. System View is available only for CSS and CSM devices. If a CSM has crashed, you can use the System View to find out when and why the crash occurred and display information that affects the module. The System View also displays High Availability (HA) information and licensing information. Note To monitor the ACE module or appliance, use the Device Dashboard function of ANM. See the “Using Dashboards to Monitor Devices and Virtual Contexts” section on page 17-4 for details. Note ANM does not support monitoring of chassis. Procedure Step 1 Choose Monitor > Devices > device > System View. The information that appears depends on what device type you select in the device tree. The System View displays the following information: • Device Information • High Availability • License Status • Module Information (for CSS devices only) Note You can sort the information displayed in the table by clicking on a column heading. Step 2 Click Poll Now to instruct ANM to poll the devices and display the current values. Step 3 Click OK when asked if you want to poll the devices for data now. Related Topics • Setting Up Devices for Monitoring, page 17-2 • Device Monitoring Features, page 17-3 • Setting Polling Parameters, page 17-46 • Monitoring Traffic, page 17-30 • Configuring Historical Trend and Real Time Graphs for Devices, page 17-48 17-26 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Resource Usage Monitoring Resource Usage ANM provides resource usage so that you can easily determine if you need to reallocate resources to a particular virtual context, view traffic usage in your contexts, or determine available usage for your contexts. There are three modes in which ANM provides resource usage for ACEs: • Virtual-context based resource usage—You must select a virtual context from the device tree to view resource usage specific to the context (see the “Monitoring Virtual Context Resource Usage” section on page 17-26). • System-wide resource usage—You must select an ACE module or appliance from the device tree to view system-wide information and to display the following options: – Connections—Displays traffic resource usage information. See the “Monitoring System Traffic Resource Usage” section on page 17-27. – Features—Displays non-connection based resource usage information. See the “Monitoring System Non-Connection Based Resource Usage” section on page 17-29. • Dashboard usage—You can select an ACE module, ACE appliance, or ACE virtual context from the device tree, and then choose Monitor > Devices > ACE > Dashboard. See the “Using Dashboards to Monitor Devices and Virtual Contexts” section on page 17-4. See the “Configuring Virtualization” chapter of either the Cisco Application Control Engine Module Virtualization Configuration Guide or the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide for the maximum resource usage value for each attribute. Monitoring Virtual Context Resource Usage ANM displays resource usage for virtual contexts as explained in the following steps. See the “Configuring Virtualization” chapter of either the Cisco Application Control Engine Module Virtualization Configuration Guide or the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide for the maximum resource usage value for each attribute. Procedure Step 1 Choose Monitor > Devices > virtual_context > Resource Usage. The information in Table 17-3 appears in the Resource Usage window. Table 17-3 Virtual Context Resource Usage Field Descriptions Field Description ACL Memory (Bytes) ACL memory usage Application Acceleration (Connections) Number of application acceleration connections. Note This field displays if you selected an ACE appliance in the device tree. Bandwidth (Bytes/Sec) Bandwidth in bytes per second. Concurrent Connections (Connections) Number of simultaneous connections. Connection Rate (Connections/Sec) Connections per second. 17-27 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Resource Usage Step 2 (Optional) Click Poll Now to instruct ANM to poll the devices and display the current values, and click OK when prompted if you want to poll the devices for data now. Step 3 (Optional) To display a historical trend graph of resource data for the virtual context, select up to four resources from the list and click Graph. The Resource Usage Graph appears (see the “Configuring Historical Trend and Real Time Graphs for Devices” section on page 17-48 for details). Related Topics • Monitoring System Traffic Resource Usage, page 17-27 • Monitoring System Non-Connection Based Resource Usage, page 17-29 • Configuring Historical Trend and Real Time Graphs for Devices, page 17-48 Monitoring System Traffic Resource Usage ANM displays system-wide traffic resource usage as explained in the following steps. See the “Configuring Virtualization” chapter of either the Cisco Application Control Engine Module Virtualization Configuration Guide or the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide for the maximum resource usage value for each attribute. HTTP-comp rate HTTP compression rate. Note This field displays when you select one of the following device types from the device tree: An ACE appliance (any version) or an ACE module version A4(1.0) or later. Inspect Connection Rate (Connections/Sec) RTSP/FTP inspection connections per second. MAC Miss Rate (Connections/Sec) MAC miss traffic punted to CP packets per second. Management Connection Rate (Connections) Number of management connections. Management Traffic Rate (Connections/Sec) Management traffic bytes per second. Proxy Connection Rate (Connections) Proxy connections. Regular Expression Memory (Bytes) Regular expressions usage in bytes. SSL Connection Rate (Transactions/Sec) SSL (Secure Sockets Layer) connections per second. Sticky Entries Number of sticky table entries. Syslog Buffer Size (Bytes) Syslog message buffer size in bytes. Syslog Message Rate (Messages/Sec) Syslog messages transmitted in messages per seconds. Throughput (Bytes/Sec) Displays through-the-ACE traffic. This is a derived value (you cannot configure it directly) and it is equal to the bandwidth rate minus the mgmt-traffic rate for the 1-Gbps and 2-Gbps licenses. Translation Entries Current number of network and port address translations. Table 17-3 Virtual Context Resource Usage Field Descriptions (continued) Field Description 17-28 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Resource Usage Note You must select an ACE module or appliance from the device tree to view system-wide traffic resource usage information as shown in the following steps. Procedure Step 1 Choose Monitor > Devices > ACE > Resource Usage > Connections. The current resource usage information appears as shown in Table 17-4. Note There might be a slight delay because the resource usage information is gathered in real-time. Note If any of the percentages that display in the Resource Usage Connections table exceed 100 percent, this is an indication that a license on the ACE was recently installed or uninstalled using either ANM or the CLI. To correct the display problem, manually synchronize the Admin context of the ACE with the CLI (see the “Synchronizing Virtual Context Configurations” section on page 6-105). Step 2 Click Poll Now to instruct ANM to poll the devices and display the current values. Table 17-4 Resource Usage Connections Field Descriptions Field Description Context Name of the virtual context Conc. Conn. % Number of simultaneous connections Mgmt. Conn. % Number of management connections Proxy Conn. % Proxy connections Bandwidth (Bytes/S) % Bandwidth in bytes per second Throughput (Bytes/S) Note This field appears when you select an ACE in the device tree. Throughput in bytes per second Conn. Rate (Conn./S) % Connections per second SSL Conn. Rate (Trans./S) % SSL (Secure Sockets Layer) connections per second Mgmt. Traffic Rate (Conn./S) % Management traffic connections per second MAC Miss Rate (Conn./S) % MAC miss traffic punted to CP packets per second Insp. Conn. Rate (Conn./S) % RTSP/FTP inspection connections per second App. Acc. Conn. % Number of application acceleration connections. Note This field appears when you select an ACE appliance in the device tree. HTTP-Comp Rate % HTTP compression rate. Note This field appears when you select one of the following device types from the device tree: An ACE appliance (any version) or an ACE module version A4(1.0) or later. 17-29 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Resource Usage Step 3 Click OK when asked if you want to poll the devices for data now. Related Topics • Monitoring Virtual Context Resource Usage, page 17-26 • Monitoring System Non-Connection Based Resource Usage, page 17-29 Monitoring System Non-Connection Based Resource Usage ANM displays system-wide, non-connection-based resource usage as explained in the following steps. Note You must select an ACE module or appliance from the device tree to view the non-connection based resource usage information as shown in the following steps. Step 1 Choose Monitor > Devices > ACE > Resource Usage > Features. The current resource usage information appears shown in Table 17-5. Note There might be a slight delay because the resource usage information is gathered real-time. Step 2 Click Poll Now to instruct ANM to poll the devices and display the current values. Step 3 Click OK when asked if you want to poll the devices for data now. Related Topics • Monitoring Virtual Context Resource Usage, page 17-26 • Monitoring System Traffic Resource Usage, page 17-27 • Configuring Historical Trend and Real Time Graphs for Devices, page 17-48 Table 17-5 Resource Usage Features Field Descriptions Field Description Context Name of the virtual context Translation Entries % Current number of network and port address translations ACL Memory (Bytes) % ACL memory usage in bytes RegEx Memory (Bytes) % Regular expressions memory usage in bytes Syslog Buffer Size (Bytes) % Syslog message buffer size in bytes Syslog Message Rate (Messages/S) % Syslog messages per second 17-30 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Traffic Monitoring Traffic ANM determines traffic information for your ACE module, ACE appliance, or CSS devices by calculating the delta traffic values since the last polling cycle and displays the resulting values. You can view traffic summary information as shown in the steps below. Note To get traffic data polled directly from a device, click on an interface name that appears in the Interface column. See Displaying Device-Specific Traffic Data, page 17-31. Procedure Step 1 Choose Monitor > Devices > device > Traffic Summary. The information shown in Table 17-6 appears in the Traffic Summary page. Note You can click on any column heading to sort the table by that column. Table 17-6 Traffic Summary Fields Field Description Device Fully-qualified device name. This field does not appear for CSS devices. Interface Name of the interface. Click the interface hyperlink to get traffic data polled directly from the device as shown in Table 17-7. Admin Status User-specified status of the device, which can be one of the following states: • Up • Down • Testing, which indicates that no operational packets can be passed. Operational Status Current operational status of the device, which can be one of the following states: • Up • Down • Testing, which indicates that no operational packets can be passed • Unknown • Dormant, which indicates the interface is waiting for external actions (such as a serial line waiting for an incoming connection) • Not present, which indicates the interface has missing components Packets In / Sec This field appears for ACEs only. Per second, the number of packets delivered by this sub-layer to a higher (sub-)layer, which were not addressed to a multicast or broadcast address at this sub-layer. Packets Out / Sec This field appears for ACEs only. Per second, the total number of packets that higher-level protocol requested be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent. 17-31 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Traffic Step 2 (Optional) Click Poll Now to instruct ANM to poll the devices and display the current values and click OK when prompted if you want to poll the devices for data now. Step 3 (Optional) To display a historical trend graph of traffic information, select up to four interfaces from the list and click Graph. The Resource Usage Graph appears (see the “Configuring Historical Trend and Real Time Graphs for Devices” section on page 17-48 for details). Step 4 (Optional) Choose a device, and click Details to see specific traffic information for the selected device (see the “Displaying Device-Specific Traffic Data” section on page 17-31). Related Topic • Displaying Device-Specific Traffic Data, page 17-31 • Configuring Historical Trend and Real Time Graphs for Devices, page 17-48 Displaying Device-Specific Traffic Data You can display device-specific traffic data. Procedure Step 1 Choose Monitor > Devices > device > Traffic Summary. Hyperlinked device names appear in the Interface column. Step 2 Choose a hyperlinked device name. The Traffic Summary Details window appears. The information shown in Table 17-7 appears. Note You can click on a column heading to sort the table by that column. Bytes In / Sec Number of octets received, including framing characters, per second. Bytes Out / Sec Number of octets per second transmitted out of the interface, including framing characters. Errors In / Sec Number of inbound packets discarded per second because they contained errors or because of an unknown or unsupported protocol. Errors Out / Sec Number of outbound packets discarded per second because they contained errors or because of an unknown or unsupported protocol. Last Polled Date and time of the last time that ANM polled the device to display the current values. This field appears if viewing traffic summary data at a device level or at a device group level in the device tree. Note The Last Polled time stamp appears in the table heading if viewing traffic summary data at a virtual context level. Table 17-6 Traffic Summary Fields (continued) Field Description 17-32 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Traffic Step 3 Click OK to close the window and return to the Traffic Summary window. Related Topic Monitoring Traffic, page 17-30 Table 17-7 Traffic Summary Details Window Description Device Type Field Description ACE and CSS Bytes In Total number of octets received on the interface, including framing characters Bytes Out Total number of octets transmitted out of the interface, including framing characters Discarded Inbound Packets Number of inbound packets which were discarded even though no errors were detected to prevent their being delivered to a higher-layer protocol Discarded Outbound Packets Number of outbound packets which were discarded even though no errors were detected to prevent their being transmitted Inbound Packet Errors Total number of inbound packet errors Inbound Packets with Unknown Protocol Total number of packets received via the interface which were discarded because of an unknown or unsupported protocol Outbound Packet Errors Total number of outbound packet errors Packets In Number of packets delivered by this sub-layer to a higher (sub-)layer, which were not addressed to a multicast or broadcast address at this sub-layer. Packets Out Number of packets that higher-level protocols requested be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent. CSS only Active TCP Current number of active TCP flows on the interface Active UDP Current number of active UDP flows on the interface FCB Count Number of unused fastpath flow control blocks for the interface TCP Average Five second moving average of TCP flows per second on the interface TCP Current Number of new TCP flows within last second on the interface TCP High Maximum number of TCP flows in any one second interval on the interface TCP Total Total TCP flows on the interface UDP Average Five second moving average of UCP flows per second on the interface UDP Current Number of new UDP flows within last second on the interface UDP High Maximum number of UDP flows in any one second interval on the interface UDP Total Total UDP flows on the interface 17-33 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Load Balancing Monitoring Load Balancing ANM monitors load balancing and allows you to view the information associated with virtual servers, real servers, probes, and load balancing statistics. This section includes the following topics: • Monitoring Load Balancing on Virtual Servers, page 17-33 • Monitoring Load Balancing on Real Servers, page 17-37 • Monitoring Load Balancing on Probes, page 17-40 • Monitoring Load Balancing Statistics, page 17-41 Monitoring Load Balancing on Virtual Servers ANM monitors load balancing and allows you to display the associated virtual server information as shown in the following steps. Note You can display additional load-balancing information about real servers, such as the number of servers that are functioning properly, and probes, such as viewing if an excessing number of probes are failing, by clicking the hyperlink in the respective columns in Table 17-8. Procedure Step 1 Choose Monitor > Devices > device > Load Balancing > Virtual Servers. Depending on the device type you selected in the device tree, the information described in Table 17-8 appears. Note For the ACE appliance and the ACE module running A2(3.0), click the Advanced Editing Mode button to show/hide additional load balancing virtual server monitoring fields. Note If you select a CSS device from the device tree, the navigation path does not include Load Balancing; the path is Monitor > Devices > CSS_device > Virtual Servers. 17-34 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Load Balancing Table 17-8 Load Balancing Virtual Server Monitoring Information Device Type Field Description All Virtual Server Name of the virtual server. Note If a virtual server is associated with primary and backup server farms, two entries appear in the table: One for the primary server farm and one for the backup server farm. To view statistics for a selected virtual server, click the virtual server hyperlink. The Virtual Server Details popup window appears containing the individual statistic, associated counter value, and a description of the statistic. Click OK to close the popup window. IP Address IP address of the virtual server. Port Port to be used for the specified protocol. # Rservers Up Number of servers up/Number of total servers configured. Note You can click on the hyperlink in this column to view statistics for the real servers configured for the specified virtual server. See the “Monitoring Load Balancing on Real Servers” section on page 17-37. ACEs, CSM # Probes Failed For the ACE, this field displays Number of probes failed/Number of probes configured. For the CSM, this field displays Number of probes failed. Note For an ACE, you can click on the number displayed to view the statistics for the probes configured for the specified virtual server. See the “Monitoring Load Balancing on Probes” section on page 17-40. Operational Status The state of the server, which can be: • Inservice—Indicates the server is in service. • Out of Service—Indicates the server is out of service. Current Connections Current number of connections. Conns/Sec. Number of connections per second that the device receives. 17-35 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Load Balancing ACEs only Device Fully-qualified device name. Protocol Protocol the virtual server supports, which can be: • Any—Indicates the virtual server is to accept connections using any IP protocol. • TCP—Indicates that the virtual server is to accept connections that use TCP. • UDP—Indicates that the virtual server is to accept connections that use UDP. Service Policy Policy map applied to the device. DWS Operating state of the Dynamic Workload Scaling feature for the associated server farm, which can be: • N/A—Not applicable; the virtual server’s server farm is not configured for Dynamic Workload Scaling. • Local—The server farm is configured for Dynamic Workload Scaling, but the ACE is load-balancing traffic to the local VM Controller VMs only. • Expanded—The server farm is configured for Dynamic Workload Scaling and the ACE is sending traffic to the local and remote VM Controller VMs. Dropped Conns/Sec. Number of connections per second that the ACE discarded. Server Farm Name of the server farm associated with the virtual server. Action Indicates if the device is functioning as a primary server (Primary) or a backup server (Backup). Algorithm Type of predictor algorithm specified on the load balancer, which can be: • Roundrobin • Leastconn • Hash URL • Hash Address • Hash Cookie • Hash Header Last Polled Date and time of the last time that ANM polled the device to display the current values. This field appears if viewing virtual server data at a device level or at a device group level in the device tree. Note The Last Polled time stamp appears in the table heading if viewing virtual server data at a virtual context level. Table 17-8 Load Balancing Virtual Server Monitoring Information (continued) Device Type Field Description 17-36 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Load Balancing Step 2 (Optional) Use the display toggle button ( ) located above the table to control which virtual servers ANM displays as follows: • Show ANM Recognized Virtual Servers—Displays only virtual servers that match ANM’s virtual server definition (see the “Virtual Server Configuration and ANM” section on page 7-2). • Show All Virtual Servers—Displays virtual servers that match ANM’s virtual server definition and those that do not match this definition but that ANM can recognize as virtual servers using SNMP polling. Note The display toggle button displays only when you have the “Display All Virtual Servers in Monitoring & Operations page” advanced setting feature enabled (see the “Managing the Display of Virtual Servers in the Operations and Monitoring Windows” section on page 18-66). Step 3 (Optional) Use the function buttons described in Table 17-9 to update the virtual server information displayed, view graph information, or view the topology map. ACE appliance, ACE module running A2(3.0) (Advanced Editing Mode button) Client Packets/Sec Number of packets per second received from the client. Client Bytes/Sec Number of bytes per second received from the client. Server Packets/Sec Number of packets per second received from the server. Server Bytes/Sec Number of bytes per second received from the server. Drops/Sec Conn Rate Limit Number of active connection drops per second based on the connection rate limit of the real server Drops/Sec Max Conn Limit Number of active connection drops per second based on the maximum allowable number of active connections to a real server. ACEs, CSS, CSM Admin Status User-specified status of the virtual server, which can be: • In Service—Indicates the server is in service. • Out of Service—Indicates the server is out of service. Table 17-8 Load Balancing Virtual Server Monitoring Information (continued) Device Type Field Description 17-37 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Load Balancing Related Topics • Monitoring Load Balancing on Real Servers, page 17-37 • Monitoring Load Balancing on Probes, page 17-40 • Configuring Historical Trend and Real Time Graphs for Devices, page 17-48 Monitoring Load Balancing on Real Servers ANM monitors load balancing and allows you to view the associated real server information. Procedure Step 1 Choose Monitor > Devices > device > Load Balancing > Real Servers. Depending on the device type you selected in the device tree, the information described in Table 17-10 appears. Table 17-9 Virtual Server Monitoring Window Function Buttons Function Button Description Poll Now Instructs ANM to poll the devices and display the current values. Choose one or more virtual servers and click Poll Now. Graph Displays a historical trend graph of virtual server information for a specific virtual server. Choose 1 to 4 virtual servers and click Graph. For more information, see the “Configuring Historical Trend and Real Time Graphs for Devices” section on page 17-48. Topology Displays the network topology map for a specific virtual server. Choose a virtual server and click Topology. Note The topology map feature is not available when the Virtual Server table is set to Show All Virtual Servers. Use the display toggle button ( ) to ensure that the Virtual Servers table is set to Show ANM Recognized Virtual Servers (see Step 2). The ANM Topology window appears, displaying the virtual server and associated network nodes. For information about using the topology map, see the “Displaying Network Topology Maps” section on page 17-68. 17-38 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Load Balancing Table 17-10 Load Balancing Real Server Monitoring Information Device Type Field Description All Real Server Name of the real server. To view statistics for a selected real server, click the real server hyperlink. The Real Server Details popup window appears containing the individual statistic, associated counter value, and a description of the statistic. Click OK to close the popup window. IP Address IP address of the real server. This field appears only for real servers specified as hosts. Port Port number used for the server port address translation (PAT). Admin Status The specified state of the server, which can be: • Inservice—Indicates the server is in service. • Out of Service—Indicates the server is out of service. • In Service Standby—Indicates the server is a backup server and remains inactive unless the primary server fails. If the primary server fails, the backup server becomes active and starts accepting connections. Operational Status The state of the server, which can be: • Inservice—Indicates the server is in service. • Out of Service—Indicates the server is out of service. • Inservice Standby—Indicates the server is a backup server and remains inactive unless the primary server fails. If the primary server fails, the backup server becomes active and starts accepting connections. • Probe Failed—Indicates that ANM did not receive a response to a health probe that it sent to the server. VM Indicator that the real server is, or is not, a VMware virtual machine as follows: • – (dash)—The real server is not a VMware VM. • Yes—The real server is a VMware VM. To view details about the VM, click Yes. The Virtual Machine Details popup window appears and provides the following information about the VM: – Full path—Full path to the VM. – DNS Name—DNS name of the VM. – IP Address—VM IP address. – State—Operating state of the VM (for example, poweredOn). – Guest OS—Guest operating system (for example, Red Hat Enterprise Linux 5 (32-bit)). – Host—Host IP address. – Memory (MB)—Amount of memory. – CPU (MHz)—CPU frequency. – Triggered Alarms—Number of recorded triggered alarm conditions. Click OK to close the Virtual Machine Details popup window. Weight Weight assigned to the real server. 17-39 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Load Balancing Step 2 (Optional) Use the function buttons described in Table 17-11 to update or change the real server information displayed. ACE, CSM Server Farm Primary server farm to use for load balancing. Current Connections Number of current connections to this server. If this field indicates N/A, the database does not have any information about current connections. If this field is 0, the database received an SNMP response of 0. Connections Rate Connections per second. Dropped Connections Rate Dropped connections per second. ACEs Only Device Fully qualified device name. Locality Field that pertains to the ACE module A4(2.0), ACE appliance A4(2.0), and later releases of either device type only. Locality also requires that you have the ACE configured for Dynamic Workload Scaling (see the “Configuring Dynamic Workload Scaling” section on page 8-26). Possible values for real server locality are as follows: • N/A—Not available; the ACE cannot determine the real server location (local or remote). A possible cause for this issue is that Dynamic Workload Scaling is not configured correctly. • Local—The real server is located in the local network. • Remote—The real server is located in the remote network. The ACE bursts traffic to this server when the local real server's CPU and/or memory usage reaches the specified maximum threshold value. Last Polled Date and time of the last time that ANM polled the device to display the current values. This field appears if viewing virtual server data at a device level or at a device group level in the device tree. Note The Last Polled time stamp appears in the table heading if viewing virtual server data at a virtual context level. CSSs Only Total Connections Total number of connections. Table 17-10 Load Balancing Real Server Monitoring Information (continued) Device Type Field Description 17-40 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Load Balancing Related Topics • Monitoring Load Balancing, page 17-33 • Monitoring Load Balancing on Probes, page 17-40 • Configuring Historical Trend and Real Time Graphs for Devices, page 17-48 Monitoring Load Balancing on Probes To check the health and availability of a real server, the ACE periodically sends a probe to the real server. If you notice an excessive number of probes failing, you can view the monitoring information as shown in the following steps. Procedure Step 1 Choose Monitor > Devices > ACE > Load Balancing > Probes. The probe information described in Table 17-12 appears. Table 17-11 Real Server Monitoring Window Function Buttons Function Button Description Poll Now Instructs ANM to poll the devices and display the current values. Choose one or more real servers and click Poll Now. Click OK when asked if you want to poll the devices for data now. Graph Displays a historical trend graph of real server information for the specified real servers. Choose 1 to 4 real servers and click Graph. Choosing multiple real servers allows you to compare information. For more information, see the “Configuring Historical Trend and Real Time Graphs for Devices” section on page 17-48. Topology Displays the network topology map for the specified real server. Choose a real server and click Topology. The ANM Topology window appears, displaying the real server and associated network nodes. For information about using the topology map, see the “Displaying Network Topology Maps” section on page 17-68. 17-41 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Load Balancing Step 2 (Optional) Click Poll Now to instruct ANM to poll the devices and display the current values. Step 3 (Optional) To view the details associated with a specific probe, choose a probe from the list and click Details. The show probe probe_name detail CLI command output appears in a popup window. Step 4 Click OK when asked if you want to poll the devices for data now. Related Topics • Monitoring Load Balancing, page 17-33 • Monitoring Load Balancing Statistics, page 17-41 • Configuring Historical Trend and Real Time Graphs for Devices, page 17-48 Monitoring Load Balancing Statistics You can monitor load balancing on your ACE and CSM devices as shown in the following procedure. Table 17-12 Load Balancing Probes Monitoring Information Field Description Device Name of the ACE managed by ANM. Probe Name of the probe. To view statistics for a selected probe, click the probe hyperlink. The Probe Details popup window appears containing the following probe statistics: • Failed Probes—Total number of failed probes. • Health of Probes—Health of the probe. Possible values are PASSED or FAILED. • Probes Passed—Total number of passed probes. Click OK to close the Probe Details popup window. Type Type of probe. For a complete list of probe types and their descriptions, see Table 8-11. Real Server Name of the real server that the probe is associated with. Server Farm Name of the server farm that the probe is associated with. Port Port number that the probe uses. By default, the probe uses the port number based on its type. Probe IP Address Destination or source address for the probe. Probed Port Source of the probe's port number. Probe Health Health of the probe. Possible values are PASSED or FAILED. Passed Rate Rate of passed probes Failed Rate Rate of failed probes Last Polled Time stamp for the last probe. This field appears if viewing probe data at a device level or at a device group level in the device tree. Note The Last Polled time stamp appears in the table heading if viewing probe data at a virtual context level. 17-42 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Load Balancing Procedure Step 1 Choose Monitor > Devices > device > Load Balancing > Statistics. The Load Balancing Statistics Monitoring Information window displays the information described in Table 17-13. Step 2 (Optional) Click Poll Now to instruct ANM to poll the devices and display the current values and click OK when prompted if you want to poll the devices for data now. Step 3 (Optional) To display a historical trend graph of load balancing statistics, select up to four objects from the list and click Graph. The Resource Usage Graph appears (see the “Configuring Historical Trend and Real Time Graphs for Devices” section on page 17-48 for details). Related Topic • Testing Connectivity, page 17-71 • Configuring Historical Trend and Real Time Graphs for Devices, page 17-48 Table 17-13 Load Balancing Statistics Monitoring Information Device Type Field Description ACEs only Device Name of the device L4 Policy Connections Number of Layer 4 policy connections L7 Policy Connections Number of Layer 7 policy connections Failed Connections Number of failed connections Dropped L4 Policy Connections Number of dropped Layer 4 policy connections Dropped L7 Policy Connections Number of dropped Layer 7 policy connections Rejected Connections Due To No Policy Match Number of connections rejected because they did not match policies Rejected Connections Due To ACL Deny Number of connections rejected due to ACL parameters Rejected Connections Due To L7 Config Changes Number of rejected connections due to Layer 7 configuration changes Connection Timed Out Number of times the connection timed out. Last Polled Date and time of the last time that ANM polled the device to display the current values. CSM only Statistic Name of the monitored statistic. Value Statistic value. Rate Statistic rate. Description Explanation of the monitored CSM statistic. 17-43 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Application Acceleration Monitoring Application Acceleration If you have configured application acceleration functions on the ACE, you can monitor the optimization statistics as shown in the following steps. Step 1 Choose Monitor > Devices > device > Application Acceleration. The Application Acceleration information appears as shown in Table 17-14. Note For connection-based syslogs, the following additional parameters are displayed: Source IP, Source Port, Destination IP, Destination Port, and Protocol Information. This allows you to sort and filter on these fields if desired. . Table 17-14 Application Acceleration Monitoring View Field Statistic Description Condenser Information Total HTTP Unoptimized Requests Received Total number of end-user HTTP request the condenser has received that cannot be optimized Accumulated Bytes Received Accumulated size (in bytes) of each end-user requested object Total Responses in Bytes Accumulated size (in bytes) of responses, both for condensable and non-condensable end-user HTTP requests Total Abandons of Delta Optimization Total number of abandons of delta optimization requests Cacheable Objects Statistics Total Objects Served from Cache Total number of cacheable objects served from the cache, excluding the not-modified replies Accumulated Bytes Served Accumulated size (in bytes) of the cacheable objects served from the cache, excluding not-modified replies Total Objects Not Found in Cache Total number of cacheable objects not found in the cache Accumulated Bytes Not Found Accumulated size (in bytes) of the cacheable objects not found in the cache Total IMS Requests for Valid Cache Total number of IMS requests for valid copies of objects in the cache Total Missed IMS Requests Total number of IMS request for objects that either do not exist or are stale in the cache Total Non-Cacheable Object Requests Total number of non-cacheable object requests Total Requests with Not Modified Responses Total number of requests for stale objects that have the response from the origin server as not modified 17-44 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Displaying the Polling Status of All Managed Objects Step 2 Click Poll Now to instruct ANM to poll the devices and display the current values. Step 3 Click OK when asked if you want to poll the devices for data now. Related Topics Configuring Application Acceleration and Optimization, page 15-1 Displaying the Polling Status of All Managed Objects You can display the polling status of the following objects that ANM manages: ACE virtual contexts and CSS, CSM, and GSS devices. Because ACE devices are partitioned into virtual contexts that can be polled individually, the polling status window displays the status of each ACE virtual context. From the polling status window, you have the option to restart polling to a virtual context or device that currently has polling disabled. Guidelines and Restrictions The time it takes the Polling Status window to reflect global changes that you make to the polling status or polling interval varies depending on the number of managed objects being polled. For information about making global polling changes, see the “Enabling Polling on All Devices” section on page 17-47. Procedure Step 1 Choose Monitor > Settings > Polling Status. The Polling Status window appears. Flash Forward Objects Statistics Successful Transformations Total number of successful transformations for FlashForward objects Unsuccessful Transformations Total number of unsuccessful transformations for FlashForward objects Total HTTP Requests Total number of HTTP requests (excluding the IMS requests) for the transformed FlashForward objects Total IMS Requests Total number of IMS requests for transformed FlashForward objects Table 17-14 Application Acceleration Monitoring View (continued) Field Statistic Description Table 17-15 Polling Status Window Field Description Name Name of the object polled. For all ACE devices, the context names associated with each ACE. For all other object types, such as a GSS, the device name. Type Type of object polled. The type will either be Virtual Context to indicate an ACE virtual context or a specific device type, such as GSS. 17-45 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Displaying the Polling Status of All Managed Objects Polling Config Polling configuration operational state: Enabled or Disabled. For more information, see the “Setting Polling Parameters” section on page 17-46. Polling Interval Frequency at which ANM polls the object. Polling Status Current polling status of the managed object: • Missing SNMP Credentials—SNMP credentials are not configured for this object; statistics are not collected. Add SNMPv2c credentials to fix this error. • Not Polled—SNMP polling has not started. For a virtual context, this problem might occur when the virtual context is first created from ANM and the SNMP credentials are not configured. Add SNMPv2c credentials to fix this error. • Polling Failed—SNMP polling failed due to some internal error. Try restarting polling to enable SNMP collection again. • Polling Started—No action is required. Everything is working properly. Polling states will display activity. • Polling Timed Out—SNMP polling has timed out. This problem might occur if the wrong credentials were configured or might be caused by an internal error (such as SNMP was configured incorrectly or the destination is not reachable). Verify that SNMP credentials are correct. If the problem persists, restart polling to enable SNMP collection again. • Unknown—SNMP polling is not working due to one of the above-mentioned conditions. Check the SNMPv2c credential configuration. Last Polled Time Time stamp of the last time ANM polled the object. CLI Sync Status (ACE virtual contexts only) Administrative configuration status of the context as follows: • Import Failed—The context did not import successfully. This problem could have occurred when the device was added to ANM or when the context was synchronized. Synchronize the context so that you can manage it (Config > Devices > ACE > context > Sync). • OK—The context is synchronized with the ACE CLI. • Out of Sync—The context is managed by ANM but the configuration for the context on the device differs from the configuration managed by ANM. For information on synchronizing contexts, see the “Synchronizing Virtual Context Configurations” section on page 6-105. • Unprovisioned—The context has been removed from the ACE using the CLI but has not been removed from ANM. To remove unprovisioned contexts, synchronize the associated Admin context. For all polled objects that are not virtual contexts, the value N/A appears in this column because ANM does not support auto synchronization for the CSS, CSM, or GSS devices. Last CLI Sync Status Change (ACE virtual contexts only) Time stamp of the last CLI synchronization with ANM. For all polled objects that are not virtual contexts, the value N/A appears in this column because ANM does not support auto synchronization for the CSS, CSM, or GSS devices. Table 17-15 Polling Status Window (continued) Field Description 17-46 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Setting Polling Parameters Step 2 (Optional) To restart polling of an object, check the check box associated with the object and click Restart Polling. Related Topics Setting Polling Parameters, page 17-46 Setting Polling Parameters You set polling parameters differently depending on the device type: • ACE devices—You set polling on specific virtual contexts or configure global polling. • CSM devices—You specify a single polling setting used by ANM. • CSS devices—You specify a single polling setting used by ANM. • GSS devices—You specify a single polling setting used by ANM for VIP Answers operation and configuration states and DNS Rules configuration states. When you choose Monitoring, the monitoring data for your devices is extracted from cache. The Monitoring window refreshes every two minutes as new monitoring data is gathered. When you import a context or device into ANM, the polling interval is set to 5 minutes by default. You can modify the polling parameter on each device (see the “Enabling Polling on Specific Devices” section on page 17-46) or you can modify the global parameter polling setting to change the polling parameters for all devices (see the “Enabling Polling on All Devices” section on page 17-47). This section includes the following topics: • Enabling Polling on All Devices, page 17-47 • Disabling Polling on Specific Devices, page 17-47 • Enabling Polling on Specific Devices, page 17-46 • Disabling Polling on All Devices, page 17-48 Enabling Polling on Specific Devices Procedure Step 1 Choose Monitor > Devices > context > Polling Settings. Step 2 In the Polling Stats field, click Enable. Step 3 From the Background Polling Interval field, choose a polling interval. Step 4 Click Deploy Now to save and apply the polling parameters. Related Topics • Disabling Polling on Specific Devices, page 17-47 • Enabling Polling on All Devices, page 17-47 • Disabling Polling on All Devices, page 17-48 17-47 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Setting Polling Parameters • Displaying the Polling Status of All Managed Objects, page 17-44 Disabling Polling on Specific Devices Procedure Step 1 Choose Monitor > Devices > context > Polling Settings. Step 2 In the Polling Stats field, click Disable. Step 3 Click Deploy Now to disable polling. Related Topics • Enabling Polling on Specific Devices, page 17-46 • Enabling Polling on All Devices, page 17-47 • Disabling Polling on All Devices, page 17-48 • Displaying the Polling Status of All Managed Objects, page 17-44 Enabling Polling on All Devices You can enable polling and set the polling interval for all devices as shown in the following procedure. Guidelines and Restrictions This topic includes the following guidelines and restrictions: • Currently this feature is available for any user under the ANM Inventory role task. When a user is assigned this task, global polling configuration changes made are applied to all devices, irrespective of the domains that are assigned for this user. • The time it takes the Polling Status window to reflect global changes that you make to the polling status or polling interval varies depending on the number of managed objects being polled. For information about viewing polling information, see the “Displaying the Polling Status of All Managed Objects” section on page 17-44. Procedure Step 1 Choose Monitor > Settings > Global Polling Configuration. Step 2 In the Polling Stats field, click Enable. Step 3 From the Background Polling Interval field, choose a polling interval. Step 4 Click OK to save and apply the polling parameters. Related Topics • Enabling Polling on Specific Devices, page 17-46 • Disabling Polling on Specific Devices, page 17-47 17-48 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Configuring Historical Trend and Real Time Graphs for Devices • Disabling Polling on All Devices, page 17-48 • Displaying the Polling Status of All Managed Objects, page 17-44 Disabling Polling on All Devices You can disable polling all devices as shown in the following steps. Procedure Step 1 Choose Monitor > Settings > Global Polling Configuration. Step 2 In the Polling Stats field, click Disable. Step 3 Click OK. Polling is disabled. Related Topics • Enabling Polling on Specific Devices, page 17-46 • Disabling Polling on Specific Devices, page 17-47 • Enabling Polling on All Devices, page 17-47 • Displaying the Polling Status of All Managed Objects, page 17-44 Configuring Historical Trend and Real Time Graphs for Devices ANM allows you to store historical data for a selected list of statistics calculated over the last hour, 2-hour, 4-hour, 8-hour, 24-hour, or month interval. You can view this historical data as a statistical graph from specific Monitor > Devices monitoring screens. For each monitoring page, default statistics are defined and the graph is drawn for the selected object(s) from the page. ANM also allows you to display real-time statistical information related to the selected monitoring window. Note All client browsers require that you enable Adobe Flash Player 9 to properly display the monitoring graphs provided in ANM. Historical graphs are available from the following Monitor > Device monitoring windows: • Traffic Summary window (CSS and ACE devices) • Load Balancing > Virtual Server window (CSM and ACE) • Load Balancing > Real Server window (CSM, CSS, and ACE devices) • Load Balancing > Statistics window (ACE and CSM devices) • Virtual Context-Based Resource Usage (ACE devices) In each monitoring view window, click the Graph button to view the Graph page. From this page, you can view up to a maximum of four individual graphs of object data. Tooltips appears within each graph to allow you to see the datapoint values used for plotting. 17-49 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Configuring Historical Trend and Real Time Graphs for Devices If you choose, you can overlay multiple objects for comparison on the same graph. Each graph grid provides a comma-separated list of select statistics. ANM supports a maximum of four lines per historical graph. The number of lines in a graph indicates the number of combinations of statistics and the objects (which can be a virtual server, real server, virtual context, and so on). For example, if you select two statistics and two real servers, then the number of possible combinations that can be displayed in a graph is four. Note The time displayed in all graphs is shown in ANM server time, not in client time. Procedure Step 1 Choose Monitor > Devices to view device information. Step 2 Choose the specific monitoring window from which you want to display historical data graphs for a selected list of items. Table 17-16 shows the different monitoring window types and how to select one. Step 3 Check the check boxes of up to four objects in the selected monitoring window that you want to view and click Graph. The graph window appears. ANM updates the monitoring window with the graph of the selected objects (see Figure 17-12). Note The ANM software version that displays across the top of the window varies depending on your version of ANM. Table 17-16 Selecting a Monitoring Window To Access.... Select... Resource Usage window Monitor > Devices > virtual_context > Resource Usage Traffic Summary window Monitor > Devices > Traffic Summary Virtual Servers window Monitor > Devices > Load Balancing > Virtual Servers Real Servers window Monitor > Devices > Load Balancing > Real Servers Statistics window Monitor > Devices > Load Balancing > Statistics 17-50 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Configuring Historical Trend and Real Time Graphs for Devices Figure 17-12 Displaying Historical Graphs Step 4 (Optional) To enhance your viewing of the graphs, use the Collapse/Expand buttons to minimize or maximize a graph in the monitoring window. Step 5 (Optional) Use the graphing tools described in Table 17-17 to modify the display. Table 17-17 Historical Graph Tools Tool Description Add Graph button Adds a graph to the selected monitoring window. View As Chart and View As Grid icons Toggles the display of an object graph in the monitoring window between a grid and a graph. The grid displays include the Export to Excel hyperlink that allows you to export object data to Microsoft Excel for archiving or other purposes. Show As Image icon Allows you to save the graph as a JPEG file for archiving or other purposes. When you mouse over the graph, the Image Toolbar appears. From the Image Toolbar, you can save the graph as a JPEG or send it in an e-mail. You can also print the graph if desired. 17-51 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Configuring Historical Trend and Real Time Graphs for Devices Select button (upper) Allows you to add one or more objects to a graph in the monitoring window to compare the performance of one object with its peer for the selected statistics. Do the following: a. In the graph that contains the object you want to replace, click the upper Select button. Note You cannot perform this function from the Resource Usage graph window, which contains only one Select button. This button is used for selecting multiple statistics (see Select button (lower)). The Objects Selector popup window appears. b. From the Objects Selector popup window, choose up to four objects and do one of the following: – Click OK to return to the graph window, which displays your selected objects. – Click Cancel to ignore any selections and return to the original graph. Select button (lower) To select multiple statistics for display in a graph in the monitoring window, perform the following steps: a. In the graph of the object that you want to add statistics, click the lower Select button within the graph. The Select Stats popup window appears. Note The Resource Usage graph window contains only one Select button; click this button. b. From the Select Stats popup window, choose the statistics to add to the graph. You can choose up to four statistics for display in a graph and the object statistics must be of the same unit of measure (for example, bytes/sec.). The selected statistics appear in the existing object graph in the monitoring window. Do one of the following: – Click OK to return to the graph window, which displays your selected statistics. – Click Set As Default And Draw Graph to set the current selections as the default objects to graph and return to the graph window, which displays your selected statistics. – Click Cancel to ignore any selections and return to the original graph. Table 17-17 Historical Graph Tools Tool Description 17-52 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Exporting Historical Data Step 6 To exit the display of graphs, click Exit Graph. Exporting Historical Data Note The data export feature requires either the ANM_ADMIN role or a role with a ANM_System privilege other than no-access. You can enable or disable the data export feature that allows ANM to export the historical data that it collects on the network devices that it manages. You create a data file purging policy to enable or disable the data export feature and define the purging attributes associated with this feature. By default, the data export feature is enabled, allowing ANM to export the raw statistical data that it collects during a polling session to the comma-separated values (CSV) data files in the following directory: /var/lib/anm/export/historical-data/date-stamp where date-stamp is the directory name, which is based on the date when the file was created and uses the format YYYY-MM-DD. For example, 2010-05-25. The exported data is saved to the files according to device type (for example, ACE_MODULE, CSS, or CSM) and its record type (for example, RT_INT or RT_CPU). Time drop-down list Modifies the time interval for the accumulated statistics displayed in a graph. Time interval choices include the average data calculated during the last hour, 2-hour, 4-hour, 8-hour, 24-hour, or 30-day (last month) interval. The time choices also include the Real Time option, which displays a maximum of 3 minutes of data at 10-second intervals (not configurable). Note the following usage considerations for the time interval for accumulated statistics: • When you specify to view average data calculated during the last hour, 2-hour, 4-hour, or 8-hour interval, raw data points collected by ANM within the selected time period will be displayed. For example, when you specify to view the data of the last hour, if ANM has been collecting data for over an hour at a default 5-minute interval, you will see 12 data points on the graph. • When you specify to view average data calculated during the last 24-hour interval, consolidated hourly data points will be displayed. For example, if ANM has been collecting data for more than 24 hours, you will see 24 data points on the graph. • When you specify to view average data calculated during the last 30-day interval, consolidated daily data points will be displayed. For example, if ANM has been collecting data for over 30 days, you will see 30 data points on the graph. Table 17-17 Historical Graph Tools Tool Description 17-53 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Exporting Historical Data The data export feature includes a data dictionary (stats-export.dict), which defines the device type and record type and can be used to interpret the data content and format of the exported files. You can download the data dictionary, which is written in XML, and display its content using IE browser or any XML editor/viewer, such as Stylus Studio. The data dictionary can be used as a tool when writing a script to extract specific data from a data file. For example, you can create a script that extracts data based on a device type, such as an ACE, that shows interface statistics for a virtual context within the ACE. Each record/row in the exported data file contains the following information: • Timestamp (in the format defined by the data dictionary) • Device-type • Optional record-type (defined in the data dictionary and used to define the format of each record) • Managed entity name (fully qualified name of the managed object with which the statistical data is associated; it should have the same name shown in the historical graph) • List of statistical data (list order is defined in the data dictionary associated with the record-type) The first line of each exported data file is a header describing the column of each row. Each field of the record is separated by the separator character, which is currently defined in the data dictionary as the comma. If the metric value is unknown, its value is left empty. Each record is separated by a new line character. The following data file content sample shows the data file header followed by the statistical information: DeviceType, RecordType, Timestamp, ManagedEntity, Current Connections, Total Connections, Dropped Connections, Total Client Packets, Total Server Packets, Total Client Bytes, Total Server Bytes, Total Drops Due To Maximum Connection Limit, Total Drops Due To Connection Rate Limit, Total Drops Due To Bandwidth Limit DT-ACE-VC,RT-VS,2010-05-28-14:21:08,172.23.244.130:2:Admin/test/global,0,0,0,0,0,0,0,0,0,0 DT-ACE-APPLIANCE-VC,RT-VS,2010-05-28-14:21:08,172.23.244.212:Admin/test_vs_3/global,0,0,0, 0,0,0,0,0,0,0 The header column names DeviceType, RecordType, Timestamp, and ManagedEntity are mandatory. The definitions of the mandatory headers can be found in the following data dictionary XML tags: • DeviceType definition is inside the device-type tag. • RecordType definition is inside the record-type tag. • ManagedEntity definition is inside the managed-entity tag. The column names that follow the mandatory names are the display names of the statistic. Guidelines and Restrictions: The data export guidelines and restrictions are as follows: • The time at which ANM exports the data file is not configurable. • By default, ANM exports raw historical data only. Snapshots and consolidated historical data (average, minimum, maximum) are not exported. The data export purging operation guidelines and restrictions are as follows: • ANM purges exported data according to the configurable purging policy. By default, the purging policy instructs ANM to purge the data file if it stays for more than 32 days or the total combined export data is bigger than 10000 M (10 G) of disk space or the disk usage is more than 80 percent. • You can configure ANM to send an email notification to up to five recipients when the disk space usage is higher than the defined threshold. • Each purge action removes at least one day of exported statistical data. 17-54 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Exporting Historical Data Procedure Step 1 Choose Monitor > Settings > Historical Data Export. The Historical Data Export window appears. Step 2 Configure the data export purging policy as shown in Table 17-18. Table 17-18 Historical Data Export Fields Item Description Retention Period (In Days) Maximum number of days that ANM is to keep the exported data files. The valid range is 1 to 365 days. The default is 32. Maximum Size Of Exported Data (In MBytes) Maximum allowable size of the data file to export. The valid range is 100 MB to 100000 MB. The default is 10000 MB. Current Size Of Exported Data (In MBytes) (Read only) Current size of the data file. Disk Space Utilization Threshold (In %) Percentage of disk space that the data file can utilize. Current Disk Space Utilization (In %) (Read only) Current amount of disk space that the data file is utilizing. Do You Want To Disable Data Export Check box for enabling or disabling the data export feature as follows: • Unchecked—Data export is enabled. This is the default setting. • Checked—Data export is disabled. E-mail Address To Send Notification When Disk Usage Is Greater Than Disk Space Utilization Threshold Setting Email addresses that ANM sends a notification to when the amount of disk space utilized by the data file exceeds the specified Disk Space Utilization Threshold value. ANM sends an email notification only once every 24 hours even when threshold-exceeding condition persists. Enter an email address and click the right arrow to add it to the list of email addresses to receive notifications. You can specify up to five email addresses. To edit or remove an address from the list, use the left arrow or double-click the address to move it to the edit box where you can modify or delete it. Note For email notifications, you must specify an SMTP server to use for outgoing emails (see the “Configuring SMTP for Email Notifications” section on page 17-68). Status Current status of the data export feature as follows: • RUNNING—Data export is enabled. An alert message may display in parenthesis next to the Running status. • STOP—Data export is disabled. To change the status, see the Do You Want To Disable Data Export checkbox. Statistical Data Last Purge At (Read only) Server time when ANM last purged the data file. Reason For Purging (Read only) Reason why ANM purged the data file; retention period, total size of the exported data file, or disk space usage. Location Of Exported Data (Read only) Path to the exported data files: /var/lib/anm/export/historical-data. 17-55 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Events Step 3 (Optional) To download a copy of the data dictionary in zip file format, click Download Data Dictionary. Step 4 To save the current data file purging policy, click Save. Related Topics • Configuring SMTP for Email Notifications, page 17-68 Monitoring Events The events captured in the Events table include both ACE syslog events and SNMP trap events. A procedure for viewing both types of events and details of information extracted from the syslog are shown below. Fields providing traffic-oriented sorting capability, specifically the information signified by the column heads in the Events Fields window, shown in Table 17-19 (Source IP, Source Port, Destination IP, Destination Port, and Protocol) are only available for the ACE syslogs. Note We do not recommend that you send a high volume of syslogs to ANM. ANM will only process and persist syslogs at 100 messages per second. Any additional syslogs sent to ANM beyond that rate will be discarded. To address this behavior, set the syslog severity level to a setting that is no higher than the warning level (a severity level of 4-Warning). See the “Configuring Virtual Context Syslog Settings” section on page 6-19 for details. Assumptions To receive events from devices, the devices must have syslog and SNMP traps configured correctly. See the “Configuring Virtual Context Syslog Settings” section on page 6-19 and the “Configuring SNMP for Virtual Contexts” section on page 6-27. Procedure Step 1 Choose Monitor > Events. ANM displays all events received from ACE for Syslog and SNMP traps for all virtual contexts. See Table 17-19 for a description of the displayed information, which is extracted from the syslog. You can sort information in the table by clicking on a column heading. This allows you to group events and help troubleshooting traffic information. Table 17-19 Monitor > Events Fields Field Description Syslog ID/SNMP ID Displays the Syslog ID and SNMP ID. If the event is a trap, this field is empty. Severity Indicates the syslog severity level as described in Table 6-5. Origination Time Date and time that the event was last changed in the database. Source IP Displays the source name that is reporting the event, for example, :virtual_context. Source Port Displays the source port. Destination IP Displays the IP address of the destination if available. 17-56 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Monitoring Events Table 17-20 displays the complete list of published ACE syslogs where source and destination IP, ports and protocols are parsed so that the designated table fields populate. Note Only the ACE syslog messages shown in this table will populate the Events window fields explained in Table 17-19. Syslogs and traps not in this table will populate fields with a 0. Destination Port Displays the destination port if available. Protocol Protocol used in the syslog. Detail Provides additional detail about the event. Table 17-19 Monitor > Events Fields (continued) Field Description 17-57 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Configuring Alarm Notifications on ANM Related Topics • Monitoring Devices, page 17-24 • Performing Device Audit Trail Logging, page 18-59 Configuring Alarm Notifications on ANM To set up Monitoring alarm notifications, you define a threshold group and specify the statistics to be monitored by ANM for the threshold group. When the value for a specific statistic rises above the setting you specify, an alarm is issued to alert you. Note CISCO-EPM-NOTIFICAITON-MIB is used for ANM alarms notification. Table 17-20 ACE Syslogs Fields with Perishable Traffic Oriented Sorting Information Syslog Message Contents ACE-1-106021 Deny protocol reverse path check from source_address to dest_address on interface interface_name ACE-4-106023 Deny protocol number | name src incoming-interface:src-ip dst outgoing-interface:dst-ip by access-group "acl-name" (hash 1, hash 2) ACE-6-302022 Built TCP connection id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port) ACE-6-302023 Teardown TCP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes [reason] ACE-6-302024 Built UDP connection id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port) ACE-6-302025 Teardown UDP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes ACE-6-302026 Built ICMP connection for faddr/NATed_ID gaddr/icmp_type laddr/icmpID ACE-6-302027 Teardown ICMP connection for faddr/NATed ID gaddr/icmp_type laddr/icmpID ACE-6-302028 Built TCP connection id for interface: real-address/real-port (mapped-address/mapped-port) to interface: real-address/real-port (mapped-address/mapped-port) ACE-6-302029 Teardown TCP connection id for interface: real-address/real-port to interface: real-address/real-port duration hh:mm:ss bytes bytes [reason] ACE-6-302030 Built UDP connection id for interface: real-address/real-port (mapped-address/mapped-port) to interface: real-address/real-port (mapped-address/mapped-port) ACE-6-302031 Teardown UDP connection id for interface: real-address/real-port to interface: real-address/real-port duration hh:mm:ss bytes bytes ACE-4-313004 Denied ICMP type=icmp_type, from source_address on interface interface_name to dest_address:no matching session ACE-4-410001 Dropped UDP DNS packet_type from source_interface:source_address/source_port to dest_interface:dest_address/dest_port; error_length_type length length bytes exceeds max_length_type limit of maximum_length bytes. 17-58 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Configuring Alarm Notifications on ANM You can specify how you are notified when thresholds are crossed: • Alarm notification, which you view at Monitor > Alarm Notifications > Alarms. • Email notification. • Traps. • Mobile device alarm notification. This method requires ANM 5.1 or later and a supported mobile device with the Cisco ANM Mobile app. For more information about ANM Mobile, see Chapter 19, “Using ANM Mobile.” Note Threshold crossing is detected using periodic polling. If a threshold is crossed between polling cycles, it is possible that ANM License Manager might not issue an alert if the condition recovers before the next polling cycle. Guidelines and Restrictions For certificates that you have loaded on the ACE, you can configure ANM to issue an alarm notification when the certificate expiration date is approaching. ANM performs certificate expiration computations every 24 hours. The computation begins each time ANM is started. Every subsequent computation occurs 24 hours thereafter. Note The Certificates window (Config > Devices > context > SSL > Certificates) contains the Expiry Date field, which displays the certificate expiration date. Due to a known issue with the ACE module and appliance, it is possible that this field displays either “Null” or characters that cannot be parsed or that are unreadable. When this issue occurs, ANM cannot track the certificate expiration date. If the certificate is defined in a threshold group configured for certificate expiration alarm notifications and this issue occurs, ANM may not issue an expiration alarm when expected or it may issue a false alarm. If you encounter this issue, remove the certificate from the ACE, reimport it, and then verify that the correct expiration date appears in the Certificates window. Prerequisites For email notifications, you have specified an SMTP server to use for outgoing emails (see the “Configuring SMTP for Email Notifications” section on page 17-68). Procedure Step 1 Choose Monitor > Alarm Notifications > Threshold Groups, and click Add. Step 2 In the Properties section, enter the name and description for the threshold group. Step 3 In the Threshold Settings section, click Add and then enter the following information shown in Table 17-21. 17-59 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Configuring Alarm Notifications on ANM Table 17-22 provides details for the Category field found in Table 17-21. Table 17-21 Threshold Settings Fields Field Description Device Type Choose the device type to include in the threshold group. VC indicates ACE virtual context. Category Choose a statistic to include in the threshold group. Table 17-22 identifies and describes the types of statistics available for each device type. Note We do not recommend that you include ACL Memory (ACE module and ACE appliance) or Current Application Acceleration Connections (ACE appliance only) as statistics in a threshold group. The values provide through the associated show resource usage CLI command regarding the utilization of these two threshold parameters does not accurately reflect the real usage of these two resources. Assert on Value Enter a value to define the threshold. When the statistic exceeds this value, an alarm is issued. Some values are displayed as percentages as indicated by the percent sign (%). In the case of SSL certificate expiration, assert on value indicates the number of days before certificate expiration. Alarms will be updated daily to indicate the number of days remaining until certificate expiration. If the email is configured, you will be sent email daily alerting you to the number of days left before expiration. Clear Value Enter a value on which to clear the alarm. In the case of SSL certificate expiration, the setting has no relevance. When an expired certificate is deleted, the alarm is removed from ANM on the subsequent certificate evaluation. This happens every 24 hours. Notify on Clear Check the Notify on Clear check box to receive an email notification to the specified address when the alarm is cleared. Severity Choose a severity level for this threshold, which can be Critical, Info, Major, or Minor. 17-60 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Configuring Alarm Notifications on ANM Table 17-22 Monitoring Thresholds by Device Type Category Threshold Description ACE 4710 Appliance ACL Memory Percentage of memory allocated for ACLs. Note We do not recommend that you include ACL Memory as a statistic in a threshold group. The value provided through the associated show resource usage CLI command regarding the utilization of ACL memory does not accurately reflect the real usage of this resource. Bandwidth Percentage of throughput. Concurrent Connections Percentage of simultaneous connections. Current Application Acceleration Connections Percentage of application acceleration connections. Note We do not recommend that you include Current Application Acceleration Connections as a statistic in a threshold group. The value provided through the associated show resource usage CLI command regarding the utilization of application acceleration connections does not accurately reflect the real usage of this resource. Current Connection Rate Percentage of connections of any kind. Current HTTP Compression Rate Percentage of compression for HTTP data. Inspect Connection Rate Percentage of application protocol inspection connections. MAC Miss Rate Percentage of messages destined for the ACE that are sent to the control plane when the encapsulation is not correct in packets. Management Connections Percentage of management connections. Management Traffic Rate Percentage of management traffic connections. Proxy Connections Rate Percentage of proxy connections. Regular Expression Memory Percentage of regular expression memory. SSL Connection Rate Percentage of SSL connections. Syslog Buffer Size Percentage of the syslog buffer. Syslog Message Rate Percentage of syslog messages per second. Translation Entries Percentage of network and port address translations. Device Device Status ACE operating status changes from Up to Down and vice versa. ACE 4710 Appliance VC Application Acceleration Condenser State State of the condenser. 17-61 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Configuring Alarm Notifications on ANM HA Redundancy State ACE virtual context HA or fault tolerance (FT) state changes. Possible FT states are Active, Standby Hot, and Other, which represents all other FT states, including the following: • Non-Redundant—Virtual context is not included in any FT group. • Unknown—Virtual context becomes inaccessible, for example if the ACE that it resides in becomes unresponsive. Interface Interface Operational State Operational state of the interface. Probes Probe Health State Operational health of the health monitoring probe. Real Server1 Real Server Current Connections Number of current connections on a real server. Real Server Operational State Operational state of a real server. SLB Stat Layer 4 Policy Connections Number of Layer 4 policy connections. Layer 7 Policy Connections Number of Layer 7 policy connections. SSL Certificate Management SSL certificate expiration (in days) Number of days left before SSL certificate expires whose value minus one will send a warning email with the specified severity. ANM updates this field daily. Virtual Server1 Virtual Server Current Connections Number of active virtual server connections. Virtual Server Operational State Operational state of a virtual server. Table 17-22 Monitoring Thresholds by Device Type (continued) Category Threshold Description 17-62 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Configuring Alarm Notifications on ANM ACE Module ACL Memory Percentage of memory allocated for ACLs. Note We do not recommend that you include ACL Memory as a statistic in a threshold group. The value provided through the associated show resource usage CLI command regarding the utilization of ACL memory does not accurately reflect the real usage of this resource. Bandwidth Percentage of bandwidth. Concurrent Connections Percentage of simultaneous connections. Current Connection Rate Percentage of connections of any kind. Current HTTP Compression Rate Percentage of compression for HTTP data. This field appears only for an ACE module version A4(1.0) or later. Inspect Connection Rate Percentage of application protocol inspection connections. MAC Miss Rate Percentage of messages destined for the ACE that are sent to the control plane when the encapsulation is not correct in packets. Management Connections Percentage of management connections. Management Traffic Rate Percentage of management traffic connections. Proxy Connections Rate Percentage of proxy connections. Regular Expression Memory Percentage of regular expression memory. SSL Connection Rate Percentage of SSL connections. Syslog Buffer Size Percentage of the syslog buffer. Syslog Message Rate Percentage of syslog messages per second. Throughput Percentage of throughput. Translation Entries Percentage of network and port address translations. Device Device Status ACE operating status changes from Up to Down and vice versa. ACE VC HA Redundancy State ACE virtual context HA or fault tolerance (FT) state changes. Possible FT states are Active, Standby Hot, and Other, which represents all other FT states, including the following: • Non-Redundant—Virtual context is not included in any FT group. • Unknown—Context becomes inaccessible, for example if the ACE that it resides in becomes unresponsive. Interface Interface Operational State Operational state of the interface. Table 17-22 Monitoring Thresholds by Device Type (continued) Category Threshold Description 17-63 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Configuring Alarm Notifications on ANM Probes Probe Health State Operational health of the health monitoring probe. Real Server1 Real Server Current Connections Number of current connections on a real server. Real Server Operational State Operational state of a real server. SLB Stat Layer 4 Policy Connections Number of Layer 4 policy connections. Layer 7 Policy Connections Number of Layer 7 policy connections. SSL Certificate Management SSL certificate expiration (in days) Number of days left before SLL certificate expires whose value minus one will send a warning email with the specified severity. ANM updates this field daily. Virtual Server1 Virtual Server Current Connections Number of active virtual server connections. Virtual Server Operational State Operational state of a virtual server. CSM Module Real Server Real Server Connections Number of real server connections. Real Server Current State Operational state of a real server. SLB Stat Current Opened Connections Number of open connections. Layer 4 Policy Connections Number of Layer 4 policy connections. Layer 7 Policy Connections Number of Layer 7 policy connections. SLB Virtual Server Virtual Server Connections Number of virtual server connections. Virtual Server State Operational state of a virtual server. System CSM Fault Tolerance State Fault tolerance state of the CSM. Device Device Status CSM operating status changes from Up to Down and vice versa. CSS Interface Average TCP Packets Average number of TCP packets. Interface Operational State Operational state of the interface. Max TCP Packets Maximum number of TCP packets. Real Server Active Service Connections Number of active real server connections. Real Server State State of a real server. System CSS Fault Tolerance State Fault tolerance state of the CSS. CSS Module State State of a CSS module. Virtual Server Virtual Server State Current state of a virtual server. Device Device Status CSS operating status changes from Up to Down and vice versa. GSS Device Device Status GSS operating status changes from Up to Down and vice versa. 1. Category choices support mobile device notifications. Table 17-22 Monitoring Thresholds by Device Type (continued) Category Threshold Description 17-64 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Configuring Alarm Notifications on ANM Step 4 Click OK. Step 5 In Device Selection, choose the device type to include in the threshold group. The available devices appear in the Available Items field. Note Make sure that the device type you select in this field is supported by the threshold that you selected in the Category field in Step 3. If the device type you select is not supported by the threshold you selected, you will not receive alarm notifications. Step 6 Click on a device in the Available Items field, and then the arrow (>) to move the device to the Selected Items field. Step 7 In the Notify By section, do the following: a. In the E-mail field, enter the email address that you want to receive notification email. See the “Displaying Email Notifications” section on page 17-66 for information contained in the email notifications. If you do not select this field, you must view alarm notifications by selecting Monitor > Alarm Notifications > Alarm. Note You must configure the required host parameters, IP address and port, to send email notifications. See the “Configuring SMTP for Email Notifications” section on page 17-68. b. Check the Domain sensitive email notification check box to receive filtered email about certificate expirations for the certificates defined in the current domain only. The emails are sent to the email address configured for the RBAC user definition (see the “Managing User Accounts” section on page 18-17). Uncheck this check box to disable this feature. Note This attribute appears only when the selected device type is either the ACE 4710 VC or the ACE VC and the category type is set to SSL Certificate expirations (in days). c. In the Traps field, enter the host IP Address and port number of the machine to which the traps are sent. See the “Displaying Traps” section on page 17-67 for information contained in the traps. d. Check the Mobile Notifications check box to allow ANM to send alarm notifications to supported smart devices that use the ANM Mobile app. This notification option is available when you choose threshold settings in Step 3 for real or virtual servers for device types ACE 4710 VC and ACE VC. See the “Setting Up and Viewing Mobile Device Alarm Notifications” section on page 19-13 for information about setting up alarm notifications on your mobile device. Step 8 Do one of the following: • Click Save to save the threshold group settings. • Click Cancel to cancel the threshold group settings and return to the Threshold Groups page. Related Topics • Configuring SMTP for Email Notifications, page 17-68 • Displaying Alarm Notifications, page 17-65 17-65 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Displaying Alarm Notifications Displaying Alarm Notifications You can display the alarm notification that ANM issues when the value for a statistic exceeds a specified threshold value. Depending on how you specified to be notified when a threshold is crossed, you can view all alarm notifications, email notifications, or alarm traps. Guidelines and Restrictions Threshold crossing is detected using periodic polling. If a threshold is crossed between polling cycles, it is possible that ANM License Manager might not issue an alert if the condition recovers before the next polling cycle. Prerequisites You have configured alarm notifications as described in the “Configuring Alarm Notifications on ANM” section on page 17-57. This section includes the following topics: • Displaying Alarms in ANM, page 17-65. • Displaying Email Notifications, page 17-66. • Displaying Traps, page 17-67. Displaying Alarms in ANM You can display the alarms that ANM issues when the value for a statistic exceeds a specified threshold value. Guidelines and Restrictions This topic includes the following guidelines and restrictions: • ANM displays only the alarms for the devices that are in the domain definition of the RBAC user logged into ANM. • If an alarm has been cleared, it does not appear on the Monitor > Alarm Notifications > Alarms page. This page displays active alarms only. Prerequisites You have configured alarm notifications as described in the “Configuring Alarm Notifications on ANM” section on page 17-57. Procedure Step 1 Choose Monitor > Alarm Notifications > Alarms. The Alarms window appears, displaying the list of alarm notifications issued by ANM. Table 17-23 describes the information displayed for each notification. 17-66 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Displaying Alarm Notifications : Step 2 (Optional) To view a statistical graph of a component with an issue, choose an alarm notification and click Graph The Component With Issue. The Graph popup window appears, showing an analysis of the default statistical units being measured (y-axis) to date and time (x-axis). The component type determines the default statistical units being measured. For example, the units being measured for the real server component type is the number of connections. Note This button can only be used with alarm notifications for the following component types: real server, virtual server, or interface. Related Topics • Configuring SMTP for Email Notifications, page 17-68 • Configuring Alarm Notifications on ANM, page 17-57 • Displaying Email Notifications, page 17-66 Displaying Email Notifications After you configure alarm notifications (see the “Configuring Alarm Notifications on ANM” section on page 17-57) and specify to receive notification email, when the value for a specific statistic rises above the setting you specify, ANM sends an email to alert you. Table 17-24 describes the information contained in the email alarm notification. Table 17-23 ANM Alarm Notification Content Field Description Source ID ANM server IP address that issued the alarm Severity Specified severity level of the threshold, which can be one of the following: • Info • Critical • Major • Minor Origination Time Time the alarm was issued Threshold Group Specified threshold group name Category Alarm name Component Component name, for example, VLAN20 State/Value Specified state or value of the alarm Detail Displays additional information about the alarm. Notes Allows you to add any notes to this alarm. 17-67 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Displaying Alarm Notifications Related Topics • Configuring Alarm Notifications on ANM, page 17-57 • Displaying Alarm Notifications, page 17-65 Displaying Traps After you configure alarm notifications (see the “Configuring Alarm Notifications on ANM” section on page 17-57) and specify to send traps to a trap receiver, when the value for a specific statistic rises above the setting you specify, ANM issues a trap to alert you. Related Topics • Configuring Alarm Notifications on ANM, page 17-57 • Displaying Alarm Notifications, page 17-65 Table 17-24 Email Alarm Notification Content Field Description ANM Server Host Name ANM server host name ANM Server IP Address ANM server IP address Device ID Device name Component Name Component name, for example, VLAN20 Severity Specified severity level of the threshold, which can be one of the following: • Info • Critical • Major • Minor Time Time the alarm was issued Alarm Name Specified name of the alarm Alarm Value Specified value of the alarm Threshold Assert Value Specified value on when to issue the alarm Threshold Group Name Specified threshold group name Alarm State State of the alarm which can be one of the following: • Active • Clear 17-68 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Configuring SMTP for Email Notifications Configuring SMTP for Email Notifications You can specify that email notifications be sent each time a monitoring threshold is crossed. You can request alert emails when configuring a threshold group (Monitor > Alarm Notifications > Threshold Groups) or when enabling the historical data export feature (Monitor > Settings > Historical Data Export). Note You must configure ANM with your SMTP server information to receive email notifications. Assumption You have configured threshold crossing alerts (see the “Configuring Alarm Notifications on ANM” section on page 17-57) or enabled the historical data export feature (see the “Exporting Historical Data” section on page 17-52). Procedure Step 1 Choose Monitor > Settings > SMTP Configuration. Step 2 In the SMTP Server to Send E-mail Notifications field, enter your SMTP server. Step 3 (Optional) In the MAIL FROM for all Email notifications field, enter the source email address to use for email notifications. By default, the Mail From address is anm@hostname. Step 4 Click Deploy Now to apply the SMTP configuration. Related Topics • Exporting Historical Data, page 17-52 • Monitoring Events, page 17-55 • Configuring Alarm Notifications on ANM, page 17-57 • Displaying Email Notifications, page 17-66 Displaying Network Topology Maps This section shows how to display and use the network topology maps that display the nodes on your network based on the virtual or real server that you select. Figure 17-13 shows a sample network topology map. Note The ANM software version that displays across the top of the window varies depending on your version of ANM. 17-69 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Displaying Network Topology Maps Figure 17-13 Sample ANM Topology Map Table 17-25 describes the callouts shown in Figure 17-13. 279805 3 3a 3b 1 2 Table 17-25 Network Topology Map Components Item Description 1 Topology map tool bar that contains the following tools: • Layout—Changes the direction in which the network map appears. Choose one of the following options from the drop-down list: Top to Bottom or Left to Right. • Zoom—Modifies the size of the network map. Click and drag the slide bar pointer to adjust the map size. • Magnifier—Toggle button that enables or disables the magnifier tool. When enabled, moving your mouse over the the topology map magnifies the area that the mouse is over. • Fit Content—Fits the topology map to the window. • Overview—Toggle button that enables or disables the Overview Window tool (see Callout 3). • Undo—Sets the network node icons back to their previous positions. • Redo—Redoes the changes that you made before you clicked Undo. • Print—Sends the topology map to the network printer. • Exit—Closes the topology map and returns to the previous window. 17-70 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Displaying Network Topology Maps Table 17-26 shows the locations in the ANM GUI where you can access the topology maps for real servers and virtual servers. 2 Topology Map—Displays network node mapping. The node icons display the following information related to the node: • Name • IP address (virtual and real servers only) • Port (real servers only) • Operational state (virtual and real servers only) When you hover over a network node icon, the node type appears, for example ACE Virtual Server, Server Farm, or Real Server. Other possible operations when you hover over a network node icon are as follows: • Real servers only—When you have an ACE configured for Dynamic Workload Scaling and you mouseover an associated real server icon, information appears that identifies which data center the real server is located in: local or remote. A timestamp also appears that specifies when the information was obtained. • Server farms only—When you mouseover a server farm icon, the following Dynamic Workload Scaling status information appears: – Local—The ACE is using the server farm’s local real servers only for load balancing. A timestamp specifies when the information was obtained. – Burst—The ACE is bursting traffic to the server farm’s remote real servers because the load of the local real servers has exceeded the specified usage threshold (based on the average CPU and/or memory usage). A timestamp specifies when the information was obtained. – N/A—Not applicable (Dynamic Workload Scaling is not available). For more information about Dynamic Workload Scaling, see the “Dynamic Workload Scaling Overview” section on page 8-4. To view details about a network node, right-click on the node and choose Show Details from the popup menu. To reposition a node in the map, click and drag the node icon to a new position. The node interconnect lines move with the node. 3 Overview Window—Provides a combined functionality of the scroll bars and zoom tool as follows: • Position tool (a)—Click and drag the shaded box to move around the topology map. • Zoom tool (b)—Click and drag the shaded box handle (located in lower right corner) and to zoom in or out of the topology map. Click the Overview toggle button in the map tool bar to display or hide the Overview window. Table 17-25 Network Topology Map Components (continued) Item Description Table 17-26 ANM Topology Map GUI Locations GUI location For more information, see . . . Config > Operations > Real Servers Using the Real Server Topology Map, page 8-23 Config > Operations > Virtual Servers Using the Virtual Server Topology Map, page 7-85 Monitor > Devices > Loadbalancing > Real Servers This section. Monitor > Devices > Loadbalancing > Virtual Servers 17-71 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Testing Connectivity Procedure Step 1 Do one of the following: • Display the list of virtual servers by choosing Monitor > Devices > context > Loadbalancing > Virtual Servers. The Virtual Servers window appears with the table of configured virtual servers. • Display the list of real servers, choose Monitor > Devices > context > Loadbalancing > Real Servers. The Real Servers window appears with the table of configured virtual servers. Step 2 From the servers table, check the check box next to the server whose topology map you want to display. Step 3 From the servers window, click Topology. The ANM Topology window displays the topology map for the selected virtual or real server. For information about using the topology map tools, see Figure 17-13 and Table 17-25. Step 4 (Optional) To close the topology map and return to the previous window, from the ANM Topology window, click Exit. Testing Connectivity You can verify the connectivity (using the ping command) between ANM and the IP address you specify. Note The Ping feature is disabled if you have not imported any devices into the ANM server. Procedure Step 1 Choose Monitor > Tools > Ping. Step 2 From the object selector field, choose the device you want to test. Step 3 Enter the information shown in Table 17-27. Step 4 Click Start to run the connectivity test. Table 17-27 Ping Fields Field Description IP Address Type Choose either IPv4 or IPv6 for the address type of the real server. This field appears only for ACE module and ACE appliance software version A5(1.0) or later, which supports IPv4 and IPv6. IP Address IP address of the real server to which you want to ping. Elapsed Time Elapsed time before the ping request is declared a failure. Repeat Number of times to repeat the test. Datagram Size Value for the argument size (size of the packet) of the ping command. 17-72 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 17 Monitoring Your Network Testing Connectivity After the test completes, the results are displayed. Step 5 Do one of the following: • Click New to enter new parameters and create a new ping test. • Click Restart to rerun the connectivity test. Related Topic Setting Up Devices for Monitoring, page 17-2 CHAPTER 18-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 18 Administering the Cisco Application Networking Manager Date: 3/28/12 This chapter describes how to administer, maintain, and manage the ANM management system. Previous topics described how to manage your network devices on ANM, while this topic describes how to perform procedures on the system itself. Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This chapter includes the following sections: • Overview of the Admin Function, page 18-2 • Controlling Access to Cisco ANM, page 18-3 • How ANM Handles Role-Based Access Control, page 18-8 • Configuring User Authentication and Authorization, page 18-9 • Managing User Accounts, page 18-17 • Displaying or Terminating Current User Sessions, page 18-24 • Managing User Roles, page 18-25 • Managing Domains, page 18-32 • Using an AAA Server for Remote User Authentication and Authorization, page 18-38 • Disabling the ANM Login Window Change Password Feature, page 18-50 • Managing ANM, page 18-51 • Administering the ANM Mobile Feature, page 18-67 • Lifeline Management, page 18-72 18-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Overview of the Admin Function Overview of the Admin Function Note Some of the Admin options might not be visible to some users; the roles assigned to your login determine which options are available. Table 18-1 describes the options that are displayed when you click Admin. Table 18-1 Admin Menu Options Menu Option Description Reference Role-Based Access Control Organizations Manage organizations, configure remote authentication mechanisms “Configuring User Authentication and Authorization” section on page 18-9 Users Manage users “Managing User Accounts” section on page 18-17 Active Users Display active users “Displaying or Terminating Current User Sessions” section on page 18-24 Roles Manage user roles “Managing User Roles” section on page 18-25 Domains Manage domains “Managing Domains” section on page 18-32 18-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Controlling Access to Cisco ANM Controlling Access to Cisco ANM Access to ANM is based on usernames and passwords, which can be authenticated to a local database on the ANM system or to a remote RADIUS, Active Directory/Lightweight Directory Access Protocol (AD/LDAPS), or TACACS+ server. For detailed procedures about remote authentication, see the “Configuring Authentication and Accounting Services” chapter of either the Cisco ACE Module Security Configuration Guide or Cisco ACE 4700 Series Appliance Security Configuration Guide on www.cisco.com. Note ANM supports LDAPS through Active Directory (AD) only. ANM Management ANM Checks the status of the ANM server. “Checking the Status of the ANM Server” section on page 18-52 License Management Views ANM license state, add more licenses, and tracks license information on your ACE “Using ANM License Manager to Manage ANM Server or Demo Licenses” section on page 18-54 Statistics Displays ACE statistics (for example, CPU, disk, and memory usage). “Displaying ANM Server Statistics” section on page 18-56 Statistics Collection Enables ACE server statistics polling. “Configuring ANM Statistics Collection” section on page 18-57 Audit Log Settings Allows you to specify number of audit logs saved and how many days logs are saved. “Configuring Audit Log Settings” section on page 18-58 ANM Change Audit Log Allows you to display audit logs recording any user input. “Displaying Change Audit Logs” section on page 18-61 ANM Auto-Sync Settings Allows you to specify ANM server auto sync settings “Configuring Auto Sync Settings” section on page 18-61 Advanced Settings Allows you to configure the following Advanced Settings functions: • Enable or disable overwrite of the ACE logging device-id while setting up syslog for autosync using Config > Devices > Setup Syslog for Autosync. • Enable or disable write memory on a Config > Operations configuration. “Configuring Advanced Settings” section on page 18-62 Lifeline Management Use this tool to report a problem to the Cisco support line and generate a diagnostic package “Lifeline Management” section on page 18-72 Table 18-1 Admin Menu Options (continued) Menu Option Description Reference 18-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Controlling Access to Cisco ANM When a user logs into the system, the specific tasks they can perform and areas of the system that they can use are controlled by organizations, roles, and domains. An organization is a virtual group of users, their roles, and domains managed by a specific server that provides authentication to its users. Each organization has its own set of users. See the “Understanding Organizations” section on page 18-7 for information about organizations. The role assigned to a user defines the tasks that a user can perform and the items in the hierarchy that they can see. Roles are either pre-defined or set up by the system administrator. See the “Understanding Roles” section on page 18-6 for more information. A domain is a collection of managed objects. When a user is given access to a domain, it acts as a filter for a sub-set of objects on the network which are displayed as a virtual context. The types of objects in the system that are domain controlled are as follows: • Chassis (with VLANs) • Virtual contexts • Resource classes • Real servers • Virtual servers Thus, role-based access control ensures that a user or organization can view only the devices or services or perform the actions that are included in the domains to which they have been given access (see Figure 18-1). Figure 18-1 Role-Based Access Control Containment Overview Default Organization System Objects AAA Setup Roles 1 to 1 Users Tasks Network Objects All associations are one to many, reading from topto bottom (unless noted otherwise) Objects contained within an organization Domains 240741 Organization used by service providers to resell management 18-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Controlling Access to Cisco ANM The following is an example of RBAC containment. All other user interfaces, such as configuration and monitoring, respect this role-based access control policy: • Roles limit the screens (or functions on those screens) that a user can see. • Domains limit the objects that are listed on any window that the roles allow. • Users (other than the system administrator) can only create subdomains of the domains to which they are assigned. • The system administrator user can see and modify all objects. All other users are subject to the role-based access controls illustrated in Figure 18-1. Related Topics • Types of Users, page 18-5 • Understanding Roles, page 18-6 • Understanding Operations Privileges, page 18-6 • Understanding Domains, page 18-7 • Understanding Organizations, page 18-7 • Managing User Accounts, page 18-17 Types of Users Two types of users configure and monitor the ANM system: • Default users—Individuals associated with the data center or IT department where ANM is installed. The default administrative account (user ID is admin) is a system user account that is preconfigured on ANM. The default administrative password (admin) is also preconfigured on ANM. You can change the password for the admin user account in the same manner as any other user password (see the “Managing User Accounts” section on page 18-17). System roles are defined by the system administrator when ANM is first set up. System roles are specified in terms of resource types and operations privileges. For each system role, the system administrator specifies which resource types a role can work with and what operations a role can perform on each resource type. Organization Webmasters Domains East Coast servers Central servers West Coast servers Role Web server administrator Users User A User B User C Note Each association is one-to-many. Because the organization itself is a collection, it is possible for a role to be used in many organizations. 18-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Controlling Access to Cisco ANM • Organization users—Users who work for the customer of a service provider or AAA server that segments your users and to whom you want to grant access to ANM. Organization users automatically have their access limited to the organization to which they belong. Related Topics • Configuring User Authentication and Authorization, page 18-9 • Managing User Accounts, page 18-17 • Using an AAA Server for Remote User Authentication and Authorization, page 18-38 Understanding Roles Roles in ANM are defined by the system administrator. Roles are specified in terms of resource types and operations privileges. For each role, the system administrator specifies which resource types a role can work with and what operations a role can perform on each resource type. When users are created, they are assigned at least one system role and inherit the operations privileges specified for each of the resource types assigned to that role. The options a user sees in the menu are filtered according to that user’s role (see the “Displaying User Roles and Associated Tasks and ANM Menu Privileges” section on page 18-28). Roles can be applied to both default and organization users. All users are strictly limited by the combination of their operations privileges and user access. For example, a user cannot create another user who has greater privileges or access. Related Topics • Configuring User Authentication and Authorization, page 18-9 • Managing User Accounts, page 18-17 • Managing User Roles, page 18-25 Understanding Operations Privileges Operations privileges define what users can do in the designated resource types. For example, each command and function on ANM has an assigned privilege. If a user’s privileges are not sufficient, the command or function will not be available to them. The following operations privileges can be granted: • No Access—The user has no access to this command or function. Note If a user is configured with no access to virtual contexts, it means absolutely no access to them. The most a user with this access can do is activate or suspend real servers. • View—Allows the user to view statistics and specify parameter collection and threshold settings. Gives the user read-only or view access to system objects and information. • Modify—Allows the user to change the persistent information associated with system objects, such as an organization record, or configuration. • Debug—Gives the user read-only or view access to system objects and information. 18-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Controlling Access to Cisco ANM • Create—Allows the user to control system objects, for example, creating them, enabling them, or powering up. Also allows the user to control system objects, for example, deleting them, disabling them, or powering down. Note The Create privilege includes the functions associated with the Modify privilege; however, the reverse is not true (a user with Modify privileges cannot create items). Privileges are hierarchical. If a user has Modify privileges, they have View privileges as well. If a user has Create or Debug privileges, they have View privileges as well. Related Topics • How ANM Handles Role-Based Access Control, page 18-8 • Managing User Roles, page 18-25 • Guidelines for Managing User Roles, page 18-25 • Understanding Predefined Roles, page 18-26 • Using an AAA Server for Remote User Authentication and Authorization, page 18-38 Understanding Domains Domains in ANM are defined by the system administrator. A domain is a collection of managed objects to which a user is given access. By setting up a domain, you are filtering for a subset of objects on the network. The user is then given access to this virtual context. The table rows that a user sees in any table are filtered according to the domain to which that user has access. Understanding Organizations An organization allows you to configure AAA server lookup for your users or set up users who work for a service provider customer. Organizations in ANM are defined by the system administrator. When you use an ACE device as a AAA server, you may want to segment them for customer, business, or security reasons. If you use more than one authentication server, then you can use organizations to configure them to authenticate your users. For example, if your company has four servers, one each for local, RADIUS, TACACS+, and LDAPS authentication, then organizations could reflect that. The Default organization in ANM is set up to act as the local server. ANM supports different device types that have unique ways of configuring authentication access, which helps with future device support. ANM can configure which users are authenticated by which authentication servers, but does not act as an AAA server itself because this would be in conflict of its role as a RBAC administrator and allows for the separation of authority that is needed to perform RBAC successfully. Related Topics • Using an AAA Server for Remote User Authentication and Authorization, page 18-38 18-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager How ANM Handles Role-Based Access Control How ANM Handles Role-Based Access Control This section describes how and why a system administrator might want to use the ANM RBAC features. ANM supports two distinct, but related RBAC capabilities as follows: • ANM RBAC—ANM acts as a system and network device overseer allowing it to globally implement its use of RBAC. • Device RBAC—ANM devices enforce RBAC. Understanding ANM RBAC ANM is a central place where you can globally set the RBAC for users, roles, and domains (as well as for virtual contexts or device types using device RBAC). As a system administrator, you may need to delegate authority to allow another administrator to perform specific tasks on specific devices, such as activating, suspending, and monitoring traffic flow to specific real servers, yet restrict them from accessing all other capabilities. ANM enables you to accomplish this delegation with more control. For a description of how the roles map to the functions, see “Displaying User Roles and Associated Tasks and ANM Menu Privileges” section on page 18-28. Understanding Device RBAC ANM’s device RBAC allows you to set up device permission levels of a more granular nature. You no longer have to provide “all-or-nothing” roles-based access of devices and device modules. Without ANM, some devices may be open to users who can perform every task on that device or module, regardless of their authorization due to permission level requirements on modules and or switches. ANM provides a central place to grant special access to users you specify. Device users, roles, and domain data are not part of, nor can they be used by ANM. Device RBAC is only for CLI access directly to the context. For example, some users may need level 3 access when direct troubleshooting of ACE hardware is required. You can set up these users with or without ANM, but ANM centralizes the capability to do so. If you want to configure a network engineer with a special role, for example either ACE-Admin or Network-Admin, to provide the level 3 access. ANM accesses the ACE as a level 15 user and an admin supervisor and uses the RBAC to determine the level of access (to device types, segments, elements, subelements, and so on). Some Cisco devices have the ability to configure RBAC directly on the device, for example the ACE. The CSS and CSM are examples of Cisco devices that do not have the capability to have its their own RBAC. When you configure remote authentication (AAA, RADIUS, LDAPS, or TACACs+) for the ACE through ANM, users no longer have to log out to access their device using Telnet. When you manually log into a CSS, the CSS performs user authentication in a Telnet session. Telnet does not provide any domain enforcement, so it is less secure. For an overview of the steps that you perform to configure remote authentication using an AAA server, see the “Using an AAA Server for Remote User Authentication and Authorization” section on page 18-38. If you are an admin using a CSS module outside of the ANM application, then you might have permission to do anything on this switch. If you are using ANM, you can set up better authorization for your administrators for specific devices. Better authorization controls are one of the advantages of using the ANM rather than using only the CLI on the ACE hardware. You can now configure separate access for one function for this user in this domain only. ANM allows this high level of granularity and with it, more control over who does what to your devices. 18-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Configuring User Authentication and Authorization Note When configuring device RBAC though Config > Devices, a message displays reminding you that you are configuring RBAC outside of ANM for direct access. Be aware that this may contradict your ANM settings. For more information on centralizing direct access to devices through RBAC on individual devices, see the “Configuring ACE Module and Appliance Role-Based Access Controls” section on page 5-53. Case Example In this example, a CSM device must have a level 15 access which by default makes the admin a supervisor on everything in the switch (and everything in the module). Another way of looking at this is providing read-only access to everything or configuration access to everything. ACE hardware can be configured on a virtual context to perform that task on a subset domain for every individual module, on every context, but this type of configuration must be configured individually. A system administrator might need to configure a network admin to manage two CSM modules, one out of six virtual contexts, and all East Coast web servers. With ANM, the admin could create one configuration set that includes a user account with a Network-Admin role and a domain that includes these objects. ANM then becomes the security window through which this user passes to get to their destination for that domain and for that virtual context. If there were six users, nine domains, and three virtual contexts, there would be 54 entries required into a AAA Server and ACE module. In ANM there is one entry completed for each of the six users. Configuring User Authentication and Authorization In ANM, you can configure authentication for your users by specifying the authentication method to use for specific user; the local method using ANM or a remote method using an AAA servers. You do this through organizations. An organization allows you to configure your local or AAA server lookup for your users, then associate specific users, roles, and domains with those organizations. The following sections describe the organization authentication tasks that you can complete in ANM: • Adding a New Organization, page 18-10 • Configuring AAA Server lookup for your users—See Adding a New Organization, page 18-10 • Changing server passwords—See Changing Authentication Server Passwords, page 18-14 • Modifying Organizations, page 18-14 • Duplicating an Organization, page 18-15 • Displaying Authentication Server Organizations, page 18-16 • Deleting Organizations, page 18-16 The Default organization (in which all users belong) authenticates users through the ANM internal mechanism, which is based on the RBAC security model. This mechanism authenticates users through the local authentication module and a local database of user IDs and passwords. If you choose to use a remote authentication method, you must specify the authentication server and port. Many organizations, however, already have an authentication service. To use your own authentication service instead of the local module, you can choose one of the alternate modules: • TACACS+ • RADIUS 18-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Configuring User Authentication and Authorization • AD/LDAPS Note For detailed procedures about remote authentication, see the “Configuring Authentication and Accounting Services” chapter of either the Cisco ACE Module Security Configuration Guide or Cisco ACE 4700 Series Appliance Security Configuration Guide on www.cisco.com. After you configure an organization, all authentication transactions are performed by the authentication service associated with that organization. Users log in with the user ID and password associated with the current authentication module. Related Topics • Managing User Accounts, page 18-17 • Managing User Roles, page 18-25 • Managing Domains, page 18-32 • Using an AAA Server for Remote User Authentication and Authorization, page 18-38 Adding a New Organization You can add organizations, which define the mechanism for authenticating ANM users: local using ANM or remote using RADIUS, TACACS+, or AD/LDAPS. When you configure an organization for remote authentication, users within that organization have their passwords validated using the specified remote AAA server. You can also configure an organization to use a TACACS+ server for remote authorization of ANM users. To use remote authorization, you must also configure the TACACS+ server with the role and domains associated with a user or user group (see the “Configuring Remote User Authorization Using a TACACS+ Server” section on page 18-45). When you use the services of a a remote AAA server, you can configure the organization to fall back to using local authentication and authorization when the remote AAA server becomes unavailable. Procedure Step 1 Choose Admin > Role-Based Access Control > All Organizations. Step 2 Click Add. Step 3 Enter the name of the new organization and notes if required, and click Save. Step 4 Enter the attributes described in Table 18-2. Certain attributes will display when specific options are selected. 18-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Configuring User Authentication and Authorization Table 18-2 Organization Attributes Attribute Description Notes Description of the organization or notes to administrator. Organization Name Company, department, or division of the organization that administers the ANM server. This can be different from the organization name above. Default name entered appears. Account Number Account number for the organization. Contact Name Name of the individual who is the contact in the organization. Email Address for the organization’s contact person. Telephone # Telephone number for the organization’s contact person. The format is free text with no embedded spaces. Alternative Telephone # Alternative telephone number for the organization’s contact person. Street Address Street for the organization. City City where the organization is located. Zip Code Zip code for the organization’s address. Country Country where the organization is located. Authentication Mechanism that the system uses to authenticate users. The default authentication mechanism is ANM's internal mechanism (local), which is based on ANM's security model. For remote authentication, you must specify the authentication server and port number. Options are as follows: • Local—Specifies the use of the local database. • RADIUS • TACACS+ • AD/LDAPS (ANM requires that a Domain Controller Server certificate be installed on the Active Directory Server. For a document containing the detailed instructions, see the “Configuring an LDAP Server” section in the “Configuring Authentication and Accounting Services” chapter of either the Cisco ACE Module Security Configuration Guide or Cisco ACE 4700 Series Appliance Security Configuration Guide on www.cisco.com.) Note: The attributes listed below appear only when the Authentication attribute is set to AD/LDAPS, RADIUS, or TACACS+. For detailed instructions about configuring these attributes, see the “Configuring Authentication and Accounting Services” chapter of either the Cisco ACE Module Security Configuration Guide or Cisco ACE 4700 Series Appliance Security Configuration Guide on www.cisco.com. 18-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Configuring User Authentication and Authorization Authentication Server Hostname or IP address of a RADIUS, TACACS+, or LDAPS server for remote user authentication. Note Setting the server with this command is mandatory if you set the Authentication attribute to anything other than the default (local). If you select a remote authentication method, you might need to specify a separate user ID for the authentication server. For AD/LDAPS, you must provide the FQDN of the server (which must be in the users authenticating domain). Note ANM supports LDAPS only through Active Directory (AD). Authentication Port (Optional) Destination port for communicating authentication requests to the authentication server as follows: • RADIUS—By default, the RADIUS authentication port is 1812 (as defined in RFC 2138 and RFC 2139). If your RADIUS server uses a port other than 1812, configure ANM for the appropriate port. Valid values are from 1 to 65535. • TACACS+—By default, the TACACS+ authentication port is 49 (as defined in RFC 1492). If your TACACS+ server uses a port other than 49, configure ANM for the appropriate port. Valid values are from 1 to 65535. • LDAPS—By default, the LDAP server port is 636. If your LDAP server uses a port other than 636, configure ANM for the appropriate port. Valid values are from 1 to 65535. Secondary Authentication Server (Optional) Hostname or IP address for the secondary RADIUS, TACACS+, or LDAPS server used for authentication in case the primary server is unavailable. Secondary Authentication Port (Optional) Destination port on the secondary RADIUS, TACACS+, or LDAPS server for communicating authentication requests if the primary server is unavailable. Authentication Secret String used to encrypt the traffic between Cisco ANM and the AAA server. This string must be identical on both servers. Remote Authorization (Optional) Field that appears only when the Authentication attribute is set to TACACS+. Determines whether ANM or the TACACS+ server performs user authorization. Uncheck the check box to have ANM perform user authorization locally (this is the default setting). Check the check box to enable remote authorization by the TACACS+ server. If you enable remote authorization, you must configure the TACACS+ server with the role and domain information associated with each user (see the “Configuring Remote User Authorization Using a TACACS+ Server” section on page 18-45). Note All role and domain definitions are stored locally on ANM (see the “Managing User Roles” section on page 18-25 and the “Managing Domains” section on page 18-32). Table 18-2 Organization Attributes (continued) Attribute Description 18-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Configuring User Authentication and Authorization Step 5 Click Save. Related Topics • Managing User Accounts, page 18-17 ANM Unique IDs Field that appears only when the Remote Authorization check box is checked for a TACACS+ server. Enter the value that matches the ANM identifier that you configure on the TACACS+ server (see the “Configuring Remote User Authorization Using a TACACS+ Server” section on page 18-45). The default value is ANM. Depending on how you configure the TACACS+ server for user authorization, you may need to specify multiple, comma-separated ANM IDs in the ANM Unique IDs field as follows: anm_1,anm2,anm3 For example, when configuring ANM user authorization on the TACACS+ server, you can use a maximum of 160 characters to specify an ANM unique ID and associated user role and user domain information. To work around this limitation, on the TACACS+ server you can specify additional domain information for the role by entering multiple ANM identifiers. When multiple ANM organizations share the same TACACS+ server, specify a different ANM identifier for each organization. When multiple ANMs share the same TACACS+ server, specify a different ANM identifier for each ANM. Fallback to Local Enables ANM to use local authentication (and local user authorization for TACACS+ applications) if the remote primary and secondary AAA servers are not available, such as when there is a timeout issue, connectivity issue, wrong IP address, and so forth. Note To use the fallback option, you must configure a local user on ANM that ANM can use when fallback is invoked. When you enable Fallback to Local for RADIUS and AD/LDAP, ANM falls back to local user authentication only when the AAA server is unreachable. If the AAA server is reachable but remote authentication fails, ANM does not fall back to local and the login is rejected. When you enable Fallback to Local for TACACS+, ANM falls back to local user authentication and authorization only when the AAA server is unreachable. If the remote server is reachable but remote authentication fails, ANM does not fall back to local and the login is rejected. If Remote Authorization is not enabled, after remote authentication is complete, ANM performs user authorization by checking the local user for role and domain information. If Remote Authorization is enabled and no valid role or domain information is found on the TACACS+ server, including the ANM IP attributes not being set on the TACACS+ server, ANM does not fall back to the local user and rejects the login (see the “Configuring Remote User Authorization Using a TACACS+ Server” section on page 18-45). Table 18-2 Organization Attributes (continued) Attribute Description 18-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Configuring User Authentication and Authorization • Changing the Admin Password, page 18-14 Changing Authentication Server Passwords Note Your user role determines whether you can use this option. You can change the authentication server password. Procedure Step 1 Choose Admin > Role-Based Access Control > Organization. Step 2 Choose the organization that you want to modify and click Edit. Step 3 Change the password attribute in the attributes table (see Table 18-5). Step 4 Click Save. The Edit User Details window appears. Step 5 Make any changes and click Save. Step 6 When all the details are correct, click Cancel. The User Management table is displayed. Related Topics • Managing User Accounts, page 18-17 • Changing the Admin Password, page 18-14 Changing the Admin Password Each ANM has an admin user account built into the device. The root user ID is admin, and the password is set when the system is installed. For information about changing the Admin password, see the “Changing Your Account Password” section on page 1-6. Note For details about resetting the Admin password, see the Installation Guide for Cisco Application Networking Manager 3.0. Modifying Organizations Note Your user role determines whether you can use this option. You can modify an existing organization. 18-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Configuring User Authentication and Authorization Assumptions This topic assumes the following: • ANM is installed and running. • The organization exists in the ANM database. • You have reviewed the guidelines for managing customer organizations (see the “Adding a New Organization” section on page 18-10). Procedure Step 1 Choose Admin > Role-Based Access Control > Organizations. Step 2 Choose the organization that you want to modify and click Edit. The Edit Organization window appears. Step 3 In the attributes table of the Edit Organization window, modify any of the attributes in the attributes table (see Table 18-2). Step 4 Click Save. Related Topics • Configuring User Authentication and Authorization, page 18-9 Duplicating an Organization Note Your user role determines whether you can use this option. You can create a new organization from an existing one. Assumptions This topics assumes the following: • ANM is installed and running. • The organization exists in the ANM database. • You have reviewed the guidelines for managing customer organizations (see the “Adding a New Organization” section on page 18-10). Procedure Step 1 Choose Admin > Role-Based Access Control > Organizations. The Organizations window appears. Step 2 In the Organizations window, choose the organization that you want to copy. Step 3 Click Duplicate. A script popup window appears. Step 4 At the prompt in the popup window, enter a name for the new organization. 18-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Configuring User Authentication and Authorization Step 5 Click OK. The popup window closes and the new organization copy is added to the Organization window. Step 6 (Optional) Choose the new organization and click Edit to make changes to the organization settings. The Edit Organization window appears. Step 7 In the attributes table of the Edit Organization window, modify any of the attributes in the attributes table (see Table 18-2). Step 8 Click Save. Related Topics • Configuring User Authentication and Authorization, page 18-9 Displaying Authentication Server Organizations Note Your user role determines whether you can use this option. To display the authentication server organizations, choose Admin > Role-Based Access Control > All Organizations. The Organizations window appears with a list of customer organizations. From this window you can create a users, roles, and domains that are associated with this specific organization. You can also access organizations by selecting the organization from the object selector that displays in the top right portion of the content area. Related Topics • Understanding Organizations, page 18-7 • Configuring User Authentication and Authorization, page 18-9 Deleting Organizations Note Your user role determines whether you can use this option. You can delete an organization. Assumptions This topic assumes the following: • ANM is installed and running. • The organization exists in the ANM database. • You have reviewed the guidelines for managing customer organizations (see Adding a New Organization, page 18-10). 18-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing User Accounts Procedure Step 1 Choose Admin > Role-Based Access Control > Organizations. The Organizations window appears. Step 2 In the Organizations window, choose the organization to delete. Step 3 Click Delete. All users, domains, and roles within that organization are removed. Related Topics Configuring User Authentication and Authorization, page 18-9 Managing User Accounts You use the User Management feature to specify the people that are allowed to log onto the system. Note You can create users in the organization in which you are a member. You will see users only in the organizations in which you are a member. This section includes the following topics: • Guidelines for Managing User Accounts, page 18-17 • Displaying a List of Users, page 18-18 • Creating User Accounts, page 18-19 • Duplicating a User Account, page 18-20 • Modifying User Accounts, page 18-21 • Resetting Another User’s Password, page 18-22 • Deleting User Accounts, page 18-23 Guidelines for Managing User Accounts This topic includes the following guidelines: • A user cannot log in until they have one domain and one user role associated through an organization. This can be the Default domain but a role must be specified. • Users cannot be moved from one organization to another. Organizations are designed to be separate and distinct. • Only users with create permissions can reset other user's password. See the “Resetting Another User’s Password” section on page 18-22. 18-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing User Accounts Displaying a List of Users You can display a list of ANM users, which includes ANM Mobile users if you have ANM configured to use this feature (for more information, see Chapter 19, “Using ANM Mobile”). Guidelines and Restrictions The list of ANM users does not include users that are remotely authenticated and authorized using a AAA server unless ANM is configured as a backup for user authentication and authorization. Procedure Step 1 Choose Admin > Role-Based Access Control > Organization > Active Users. The Users table appears. Table 18-3 describes the default user information that displays. Step 2 (Optional: Mobile ANM users only) To display the list of mobile devices used by a user, choose a user from the list and click Mobile Notifications. The Mobile Devices popup window appears, displaying device-specific information (see Table 18-18). Step 3 (Optional: Mobile ANM users only) To display the list of favorite objects associated with a user, choose the user from the list and click Favorites. The User Favorites popup window appears. Table 18-4 describes the information displayed. Step 4 (Optional) To specify the user information that displays in the Users table, hover over the Customize button ( ) to display and choose one of the following options: • Default—Displays only the fields described in Table 18-3. • Configure—Opens the Users List Configuration popup window that allows you to specify the user information that displays (see the “Customizing Tables” section on page 1-15). Note The list of user fields that you can choose from includes the Available Objects option, which lists the domain objects available to the user. Because the list of available domain objects for a user can be too extensive to display in the User table, the Excel spreadsheet is the only output format that displays this information (see Step 5). Table 18-3 Users Table Default Fields Field Description Login Name Full name of the user. Role Role assigned to the user. Domains Domains to which the user belongs. Table 18-4 Mobile Device User’s Favorites Field Description Object Type ACE object type accessed by the user, such a real server or virtual server. Device Name ACE device (virtual context) name accessed by the user. Object Name Name assigned to the object. 18-19 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing User Accounts Step 5 (Optional) To output the user information as raw data or in an Excel spreadsheet, hover over the Save button ( ) to display and choose one of the following output options: • Raw data—Displays the user information as raw data in a new window. • Excel spreadsheet—Displays user information in an Excel spreadsheet in a new window. Related Topics • Creating User Accounts, page 18-19 • Duplicating a User Account, page 18-20 • Modifying User Accounts, page 18-21 • Resetting Another User’s Password, page 18-22 • Deleting User Accounts, page 18-23 • Displaying Mobile Device Notifications and Testing the Notification Channel, page 18-70 • Chapter 19, “Using ANM Mobile” Creating User Accounts Note Your user role determines whether or not you can use this option. You can create new user accounts for an organization. Procedure Step 1 Choose Admin > Role-Based Access Control > Organization > Users. The Users table appears. Step 2 Click Add. The New Organization User window appears. Step 3 In the New Organization User window, configure the user attributes as described in Table 18-5: Note If your web browser supports the Remember Passwords option and you enable this option, the web browser may fill in the Name and Password fields when the New Organization User window loads. By default, these fields should be empty. You can change the name and password fields from whatever the web browser inserts into the two fields. Table 18-5 User Attributes Field Description Login Name Name by which the user is to be identified in the system (up to 24 characters). Only letters, numbers, underscore (_), and backslash (\) can be used. The field is case sensitive. Name Full name of the user. The format is free text. Password Password for the user account. 18-20 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing User Accounts Step 4 Click Save to save the user account information. Related Topics • Displaying a List of Users, page 18-18 • Duplicating a User Account, page 18-20 • Modifying User Accounts, page 18-21 • Resetting Another User’s Password, page 18-22 • Deleting User Accounts, page 18-23 Duplicating a User Account Note Your user role determines whether you can use this option. You can create a new user account using settings from an existing user. Procedure Step 1 Choose Admin > Role-Based Access Control > Organization > Users. The Users table appears. Step 2 Choose the user account you want to copy and click Duplicate. Confirm Password confirmation for the account. Email Email address for the user. Telephone# Telephone number for the user. The format is free text with no embedded spaces. Role Predefined role from the drop-down list. Domains Domains to which this user belongs. Use the Add and Remove buttons to choose the domains to which this user belongs. Allowed Login IP IP address or a subnetwork from which the user is allowed to log in. You can define up to ten different addresses for a single user. Unless you specifically define IP addresses or subnetworks using this option, the user can log in from any IP address. When you enter an allowed single IP address or an allowed subnet, then the user is only allowed to log in from the specified addresses. To restrict access to a specific subnetwork, enter the IP address and the mask, for example, 10.1.200.60/255.255.255.0. Note IP addresses 1.1.1.1 and 0.0.0.0 cannot be entered in this field. Description Notes about the user. First menu Menu that displays when this user first logs in. Choose one from the drop-down list. Last Login Last time (local time) this user logged in. Table 18-5 User Attributes (continued) Field Description 18-21 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing User Accounts A script popup window appears. Step 3 At the prompt in the popup window, enter a name for the new user account and click OK. The popup window closes and the Users table displays the new user account. Step 4 (Optional) To make changes to the user account, from the Users table, choose the user account and click Edit. The Edit Organization User window appears. Step 5 In the Edit Organization User window, modify the user account settings as described in Table 18-6. Step 6 Click Save to save the user account information. The Users window appears. Related Topics • Displaying a List of Users, page 18-18 • Creating User Accounts, page 18-19 • Modifying User Accounts, page 18-21 • Resetting Another User’s Password, page 18-22 • Deleting User Accounts, page 18-23 Modifying User Accounts Note Your user role determines whether you can use this option. You can modify existing user accounts. Procedure Step 1 Choose Admin > Role-Based Access Control > Organization > Users. The Users table appears. Step 2 Choose the user account you want to modify and click Edit. The Edit Organization User window appears. Step 3 In the Edit Organization User window, modify any of the attributes in the attributes table (see Table 18-6). . Table 18-6 Modify User Attributes Field Description Login Name Name you specified when you created the user you want to duplicate. This is the name by which the user is to be identified in the system (up to 24 characters). Only letters, numbers, and underscore can be used. The field is case sensitive. Name Full name of the user. The format is free text. Email Email address for this user. 18-22 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing User Accounts Step 4 Click Save to save the user account information. Related Topics • Displaying a List of Users, page 18-18 • Creating User Accounts, page 18-19 • Duplicating a User Account, page 18-20 • Resetting Another User’s Password, page 18-22 • Deleting User Accounts, page 18-23 Resetting Another User’s Password Note You must have create permissions in order to reset another user’s password. Use this procedure to reset another users’s password. Step 1 Log in to Cisco License Manager making sure the login username has create permissions. Step 2 Choose Admin > Users. The Users window appears. Step 3 In the Users window, choose the username for which the password needs to be reset and click the Reset Password button. The Reset Password popup window appears with the selected username in the username field. Step 4 Enter and confirm the new password. Telephone# Telephone number for this user. The format is free text with no embedded spaces. Role Predefined role from the list. Domains Domains to which this user belongs. Use the Add and Remove buttons to choose domains to which this user belongs. Allowed Login IP IP address or a subnetwork from which the user is allowed to log in. You can define up to ten different addresses for a single user. Unless you specifically define IP addresses or subnetworks using this option, the user can log in from any IP address. When you enter an allowed single IP address or an allowed subnet, then the user is only allowed to log in from the specified addresses. To restrict access to a specific subnetwork, enter the IP address and the mask, for example, 10.1.200.60/255.255.255.0. Note IP addresses 1.1.1.1 and 0.0.0.0 cannot be entered in this field. Description Notes about the user. First Menu Menu that is displayed when this user first logs in. Choose one from the drop-down list. Last Login Last time (local time) that this user logged in and the IP address that was used. Table 18-6 Modify User Attributes (continued) Field Description 18-23 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing User Accounts Step 5 Click OK to save the password information. The Password has been reset message displays if there are no errors. Related Topics • Displaying a List of Users, page 18-18 • Creating User Accounts, page 18-19 • Duplicating a User Account, page 18-20 • Modifying User Accounts, page 18-21 • Deleting User Accounts, page 18-23 • Displaying or Terminating Current User Sessions, page 18-24 Deleting User Accounts Note Your user role determines whether you can use this option. You can delete a user account. Procedure Step 1 Choose Admin > Role-Based Access Control > Organization > Users. The Users table appears. Step 2 Choose the user account to delete and click Delete. Step 3 The confirmation popup window appears. Step 4 In the confirmation popup window, do one of the following: • Click OK to confirm the deletion request. The user account is removed from the ANM database. • Click Cancel to ignore the deletion request. Related Topics • Displaying a List of Users, page 18-18 • Creating User Accounts, page 18-19 • Duplicating a User Account, page 18-20 • Modifying User Accounts, page 18-21 • Resetting Another User’s Password, page 18-22 18-24 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Displaying or Terminating Current User Sessions Displaying or Terminating Current User Sessions Note Your user role determines whether you can use this option. You can display a list of the users currently logged into the system and end their sessions, if required. You can only display the users in your organization. Procedure Step 1 Choose Admin > Role-Based Access Control > Active Users. The Active User Sessions window displays the following information for each active user who is logged in: Step 2 (Optional) To terminate an active session, click Terminate. When a user session is terminated, the user is logged out of the interface from which the user session was initiated. If the user was making changes to a configuration, the configuration lock is released and any uncommitted configuration change is discarded. If a user session is terminated while an operation is in progress, the current operation is not stopped, but any subsequent operation is denied. For more details on terminating active users, see the “Displaying or Terminating Current User Sessions” section on page 18-24. Related Topics • Controlling Access to Cisco ANM, page 18-3 • Managing User Accounts, page 18-17 Table 18-7 Active User Session Information Column Description Name Name used to log into the Cisco ANM. Type Of Login Method used to log in, for example WEB. User Type Method used to authenticate and authorize the user: • Local—ANM is used to authenticate and/or authorize the user. • Remote— AAA server is used to both authenticate and authorize the user. Login From IP IP address of host. Time Of Login Time user logged in. 18-25 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing User Roles Managing User Roles You use the Roles Management feature to add, modify, and delete user-defined roles and to modify predefined roles.A user’s role determines the tasks the user can access. Each role is associated with permissions or rules that define what feature access this role contains. For example, if you design a role that provides access to virtual servers, the role automatically includes access to all real servers that could be included in the virtual server. ANM provides several predefined user roles that you can modify but not delete. For more information about predefined user roles, including the list of the predefined user roles, see the “Understanding Predefined Roles” section on page 18-26. This section includes the following topics: • Guidelines for Managing User Roles, page 18-25 • Understanding Predefined Roles, page 18-26 • Displaying User Role Relationships, page 18-27 • Displaying User Roles and Associated Tasks and ANM Menu Privileges, page 18-28 • Creating User Roles, page 18-29 • Duplicating a User Role, page 18-31 • Modifying User Roles, page 18-31 • Deleting User Roles, page 18-32 Guidelines for Managing User Roles This topic includes the following guidelines: • System Administrators can view and modify all roles. • Organization administrator users can only see and modify the users, roles, and domains in their organization. • Other users can only view the user, roles, and domains assigned to them. • User-defined roles can be created but follow strict rules about which tasks can be selected or deselected. See the user interface for specific dependencies or the “Displaying User Roles and Associated Tasks and ANM Menu Privileges” section on page 18-28 for role to task mapping information. • You must have the ability to create real servers in your role and at least one virtual context in your domain before you can create real servers. • You must have the ability to create virtual contexts in your role and an Admin context in your domain before you can create virtual contexts. • If you upgrade to ANM 2.2 any custom roles that are migrated retain their associations but have different role definitions. We encourage you to use the ANM 2.2 predefined default roles. 18-26 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing User Roles Understanding Predefined Roles You must have one of the predefined roles in the Admin context in order to use the changeto command, which allows users to visit other contexts. Non-admin/user contexts do not have access to the changeto command; they can only visit their home context. Context administrators, who have access to multiple contexts, must explicitly log in to other contexts to which they have access. The predefined roles and their default privileges are defined in Table 18-8. For information about viewing user role details, see the “Displaying User Roles and Associated Tasks and ANM Menu Privileges” section on page 18-28. For detailed information on RBAC, see either the Cisco Application Control Engine Module Virtualization Configuration Guide or the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide. Table 18-8 ANM Predefined Role Tasks Predefined Role Description Role Tasks/Operation Privileges1 ACE-Admin Access to create virtual contexts and monitor threshold information. • View Threshold • Create Device Events • Create Virtual Context+ ANM-Admin Access to create virtual contexts and monitor threshold information. Provides access to all features and functions. • Create ANM System • Create ANM User Access • Create VM Mapping • Create ANM Inventory+ Network-Admin Admin for L3 (IP and Routes) and L4 VIPs • View Threshold • Create Device Events • Create Switch • Create Routing • Create Interface • Create NAT • Create Connection Network-Monitor Monitoring for all features • View ANM Inventory+ Org-Admin Access to create role-based access control and import and update device data. • Create ANM User • Create VM Mapping • Create ANM Inventory+ Security-Admin Security features • Create AAA • Modify Interface • Create NAT • Create Inspect • Create Connection 18-27 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing User Roles Displaying User Role Relationships Note Your user role determines whether you can use this option. You can display which users are associated to specific roles. Procedure Step 1 Choose Admin > Role-Based Access Control > Organizations > Roles. The Roles table appears. Step 2 In the Roles table, choose a role and click Users. Server-Appln-Maintenance Server maintenance and L7 policy application • View Threshold • View VIP • View Virtual Inservice • Create LoadBalancer+ Server-Maintenance Server maintenance, monitoring, and debugging • View Threshold • View VIP+ • Modify Real Server • Debug Probe • Create Real Inservice SLB-Admin Load-balancing features • View Threshold • Create Building Block • Modify Interface • Create Expert+ SSL-Admin SSL features • Create SSL+ SSL-Cert-Key-Admin SSL certificate and key management features • Import, generate, or delete keys • Import or delete certificates • Generate a certificate signing request (CSR) • Monitor certificate expiration though the dashboard GUI and threshold modifications VM-Mapper Virtual machine (VM) mapping feature • Create VM to real server map 1. Where the plus sign (+) is indicated, all permissions included in this folder are included at the same privilege level, unless otherwise noted. For example, Virtual Contexts tasks are comprised of tasks such as AAA, Building Blocks, and so on. These tasks are depicted as columns in the Roles table. Table 18-8 ANM Predefined Role Tasks (continued) Predefined Role Description Role Tasks/Operation Privileges1 18-28 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing User Roles The Users With Role window appears. From this window you can delete or duplicate a user. For information about how roles map to users, see the “Displaying User Roles and Associated Tasks and ANM Menu Privileges” section on page 18-28. Related Topics • Duplicating a User Account, page 18-20 • Managing User Roles, page 18-25 Displaying User Roles and Associated Tasks and ANM Menu Privileges Note Your user role determines whether you can use this option. You can view the list of predefined and user defined roles and see how each role is configured to manage what a user can do within ANM. Figure 18-2 shows a sample of the role information available for the predefined ANM-Admin role. Each Role Task is assigned a privilege level (No Access, View, Modify, Debug, or Create) that determines what displays in the Resulting Menu Items list on the right. This list indicates which ANM GUI items the role allows a user to access. Figure 18-2 Edit Role Window Procedure Step 1 Choosing Admin > Role-Based Access Control > Organizations > Roles. The Roles table appears, displaying the list of predefined and user defined roles. The table includes the available role tasks and associated privilege level: No Access, View, Modify, Debug, or Create. Step 2 To view the ANM menu items available to a specific user role, choose a user role and click the Edit icon. 18-29 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing User Roles The Edit Role window appears (see Figure 18-2), displaying the Role Task tree and list of Resulting Menu Items, which is based on the privilege levels selected for each role task. Note The information available from the Edit Role window can vary depending on the version of ANM being used. Step 3 (Optional) Click Cancel to return to the Roles table where you can perform the following tasks: • Create a new role (see the “Creating User Roles” section on page 18-29). • View the users assigned to a role (see the “Displaying User Role Relationships” section on page 18-27). • Modify an existing role to which you have access (see the “Modifying User Roles” section on page 18-31). • Duplicate any existing role to which you have access (see the “Duplicating a User Role” section on page 18-31). • Delete any existing role to which you have access (see the “Deleting User Roles” section on page 18-32). Related Topics • Understanding Operations Privileges, page 18-6 • Managing User Roles, page 18-25 Creating User Roles Note Your user role determines whether you can use this option. You can edit the predefined roles, or you can create new, user-defined roles. When you create a new role, you specify a name and description of the new role, then choose the privileges for each task. You can also assign this role to one or more users. Procedure Step 1 Choose Admin > Role-Based Access Control > Organization > Roles. The Roles table appears. Step 2 Click Add. The New Role window appears. 18-30 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing User Roles Step 3 Enter the following attributes as shown in Table 18-9. Step 4 Click Save. The new role is added to the list of user roles. Step 5 (Optional) To assign this new role to one or more users, go to Admin > Organizations > Users. For detailed steps, see the “Modifying User Accounts” section on page 18-21. Related Topics • Understanding Operations Privileges, page 18-6 • Managing User Roles, page 18-25 Table 18-9 Role Attributes Attribute Description Name Name of the role. Description Brief description of the role. Role Tasks Role task tree that defines the operation privileges associated with each task. The tasks are arranged in a hierarchy of parent and subordinate tasks. Click on the + sign of a parent task to display its subordinate tasks as shown in the following example for the ANM Inventory task. – ANM Inventory -->parent task Threshold -->subordinate tasks DNS Answer UDG Device Events Switch + Virtual Context -->subordinate task that has its own set of subordinate tasks as indicated by the + sign You assign one of the following operating privileges to each of the tasks: No Access, View, Modify, Debug, or Create. When you assign an operating privilege to a parent task, by default, the same privilege is assigned the subordinates. You can assign a different operating privilege to the subordinates if needed; however, you can only assign an operating privilege that is greater than or equal to the operating privilege assigned to the parent task. If you set the parent task to Modify or Debug, the Create privilege is the only privilege allowed for the subordinate tasks and by default, is assigned to the subordinate tasks. For more information about operating privileges, see the “Understanding Operations Privileges” section on page 18-6. Resulting Menu Items Synchronized list of features in the form of menus that this role is able to access after setting the role task operation privileges. 18-31 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing User Roles Duplicating a User Role Note Your user role determines whether you can use this option. You can create a new user-defined role from an existing one. Procedure Step 1 Choose Admin > Role-Based Access Control > Organization > Roles. The Roles table appears. Step 2 In the Roles table, choose the role you want to copy and click Duplicate. A script popup window appears. Step 3 At the prompt in the script popup window, enter a name for the new role. Step 4 Click OK. Step 5 The script popup window closes and Roles tables displays the new role. Step 6 (Optional) To make changes to the new role’s attributes, in the Roles table, choose the role and click Edit. The Edit Role window appears. Step 7 Make the required changes and click Save to save the changes. Related Topics • Understanding Operations Privileges, page 18-6 • Managing User Roles, page 18-25 Modifying User Roles Note Your user role determines whether you can use this option. You can modify any user-defined roles. Procedure Step 1 Choose Admin > Role-Based Access Control > Organization > Roles. The Roles table appears. Step 2 Choose the role you want to modify and click Edit. The Edit Role window appears. Step 3 Make the required modifications. 18-32 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing Domains Step 4 Click Save. Related Topics • Understanding Operations Privileges, page 18-6 • Managing User Roles, page 18-25 Deleting User Roles Note Your user role determines whether you can use this option. You can delete any user-defined roles. Procedure Step 1 Choose Admin > Role-Based Access Control > Organization > Roles. The Users table appears. Step 2 Choose the role to delete and click Delete. Step 3 The confirmation popup window appears. Step 4 In the confirmation popup window, click OK to confirm the deletion. Users that have the deleted role no longer have that access. Related Topics Managing User Roles, page 18-25 Managing Domains Network domains provide a means for organizing the devices and their components (physical and logical) in your network and permitting access according to the way your site is organized. You can allow access to a domain by assigning it to an organization. Examples are specific virtual contexts or specific servers within a context. The following sections describe how to manage domains: • Guidelines for Managing Domains, page 18-33 • Displaying Network Domains, page 18-33 • Creating a Domain, page 18-34 • Duplicating a Domain, page 18-35 • Modifying a Domain, page 18-36 • Deleting a Domain, page 18-37 18-33 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing Domains Guidelines for Managing Domains This topic includes the following guidelines: • Domains are logical concepts. You do not delete a member of a domain when you delete the domain. • Domains can include supported Cisco chassis, ACE modules, ACE appliances, and CSS or CSM devices, as well as their virtual contexts, building blocks, resource classes, and real and virtual servers. • Choose the Allow All setting to include current and future device objects in a domain. • Objects must already exist in ANM. To add objects, see the “Importing Network Devices into ANM” section on page 5-10. • You must have the ability to create real servers in your role and at least one virtual context in your domain before you can create real servers. • You must have the ability to create virtual contexts in your role and an Admin context in your domain before you can create virtual contexts. • Domains continue to display device information even after you remove that device from ANM. This allows the domain information to be easily reassociated if you reimport the device. The device name must remain the same for this to work properly. • (GSS domain objects only) ANM does not allow you to add a VIP answer to a domain if the answer contains a space in its name. Caution Domain objects are hierarchical. If you include a parent object in a domain, the child object is also included even though they do not display in the Object selector tree when you add or edit domains. For example: – Inclusion of a Catalyst 6500 series switch includes all cards, virtual contexts, real servers and virtual servers. – Inclusion of an ACE 4710 includes all virtual contexts, real servers, and virtual servers. – Inclusion of a virtual context, CSM module or CSS device includes all associated objects. Related Topics • Creating a Domain, page 18-34 • Modifying a Domain, page 18-36 • Displaying Network Domains, page 18-33 • Duplicating a Domain, page 18-35 • Deleting a Domain, page 18-37 Displaying Network Domains Note Your user role determines whether you can use this option. You can display the network domains and a domain’s attributes. 18-34 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing Domains Procedure Step 1 Choose Admin > Role-Based Access Control > Organization > Domains. The Domains table appears. Step 2 Expand the table until you can see all the network domains. Step 3 Choose a domain from the Domains table to view and click Edit. The Edit Domains window appears, displaying the domain’s attributes. Related Topics • Managing Domains, page 18-32 • Guidelines for Managing Domains, page 18-33 • Creating a Domain, page 18-34 • Duplicating a Domain, page 18-35 • Modifying a Domain, page 18-36 • Deleting a Domain, page 18-37 Creating a Domain Note Your user role determines whether you can use this option. You can create a new domain. Procedure Step 1 Choose Admin > Role-Based Access Control > Organization > Domains. The Domains table appears. Step 2 Click Add. Step 3 Define the domain attributes as described in Table 18-10. Table 18-10 Domain Attributes Field Description Name Name of the domain. Description Description of the domain. 18-35 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing Domains Step 4 Click Save. The Domains Edit window updates and displays the total object number next to the object name. Related Topics • Managing Domains, page 18-32 • Guidelines for Managing Domains, page 18-33 • Displaying Network Domains, page 18-33 • Creating a Domain, page 18-34 • Duplicating a Domain, page 18-35 • Modifying a Domain, page 18-36 • Deleting a Domain, page 18-37 Duplicating a Domain Note Your user role determines whether you can use this option. You can create a new domain from an existing one. Procedure Step 1 Choose Admin > Role-Based Access Control > Organization > Domains. The Domains table appears. Step 2 Choose the domain to copy and click Duplicate. Step 3 A script popup window appears. Allow All Check box that enables all objects within this domain (current and future objects). If this check box is left unchecked, the Objects tree displays. Objects Collection of objects that comprise this domain. Choose an object name and use the arrows to move it from the available to selected column. For example, selecting a virtual context selects all real servers within that virtual context, or selecting a chassis selects the virtual contexts on that chassis. The interface does not explicitly display this in the table, but the objects are, in fact, selected. Note When you add objects such as real servers to a domain on an ACE that has an HA peer, ANM automatically adds the redundant objects from the HA peer to the list of selected objects. See the “Guidelines for Managing Domains” section on page 18-33 for domain rules about creating virtual contexts and real servers. Table 18-10 Domain Attributes (continued) Field Description 18-36 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing Domains Step 4 At the prompt in the script popup window, enter a name for the new domain and click OK. The script popup window closes and the Domains table displays the new domain. Step 5 Click Save. Related Topics • Managing Domains, page 18-32 • Guidelines for Managing Domains, page 18-33 • Displaying Network Domains, page 18-33 • Creating a Domain, page 18-34 • Modifying a Domain, page 18-36 • Deleting a Domain, page 18-37 Modifying a Domain Note Your user role determines whether you can use this option. You can modify the settings in a domain. Procedure Step 1 Choose Admin > Role-Based Access Control > Organization > Domains. The Domains table appears. Step 2 In the Domains table, choose the domain you want to change and click Edit. The Edit Domains window appears. Step 3 In the Edit Domains window, modify the domain settings. For detailed domain attribute descriptions, see Table 18-10 on page 18-34. Step 4 Click Save. Related Topics • Managing Domains, page 18-32 • Guidelines for Managing Domains, page 18-33 • Displaying Network Domains, page 18-33 • Creating a Domain, page 18-34 • Duplicating a Domain, page 18-35 • Deleting a Domain, page 18-37 18-37 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing Domains Deleting a Domain Note Your user role determines whether you can use this option. You can delete a network domain from the systems. You do not delete objects associated with that domain when you delete the domain. Procedure Step 1 Choose Admin > Role-Based Access Control > Organization > Domains. The Domains table appears. Step 2 In the Domains table, choose the domain to delete and click Delete. The confirmation popup window appears. Step 3 In the confirmation popup window, click OK. The domain is removed from the ANM database. Related Topics • Managing Domains, page 18-32 • Guidelines for Managing Domains, page 18-33 • Displaying Network Domains, page 18-33 • Creating a Domain, page 18-34 • Duplicating a Domain, page 18-35 • Modifying a Domain, page 18-36 18-38 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Using an AAA Server for Remote User Authentication and Authorization Using an AAA Server for Remote User Authentication and Authorization ANM allows you to centrally control user authentication and authorization. User authentication, which manages access to ANM, can be performed locally using a database that resides in ANM or remotely using a database that resides on an AAA server, such as an Active Directory (AD) server using LDAPS, RADIUS, or TACACS+. In ANM, you can configure authentication for your users by specifying which AAA servers are used for specific users. You configure authentication through organizations. An organization allows you to configure your AAA server lookup for your users and then associate specific users, roles, and domains with those organizations. User authorization, which manages access to different ANM functionality, can also be performed locally using a database that resides in ANM or remotely using a database that resides on a TACACS+ server. ANM supports the use of a TACACS+ server only for remote authorization. The information provided in this section is intended as a guide to help you ensure proper communication with the AAA server and ANM operating as the AAA client. For details about configuring the Cisco Secure ACS, Active Directory, or another AAA server, see the documentation that is provided with the software. This section includes the following topics: • Information About Using AD/LDAPS for Remote User Authentication, page 18-38 • Configuring Remote User Authentication Using a TACACS+ Server, page 18-39 • Configuring Remote User Authorization Using a TACACS+ Server, page 18-45 Information About Using AD/LDAPS for Remote User Authentication This section describes how ANM uses AD/LDAPS for remote user authentication. ANM performs the following steps to authenticate and authorize a user when configured to use AD/LDAPS for user authentication: 1. ANM verifies that the user organization exists locally on the ANM database. ANM makes this determination based on the part of the user login name that follows the @ character. 2. ANM uses the configured AD server to authenticate the user. 3. ANM authorizes the user locally. ANM verifies that the user’s name is associated with one of the defined roles in the Roles table (Admin > Role-Based Access Control > Organization > Roles). After ANM completes these three steps, the user is permitted access according to their account settings in the Roles table and Domains table (Admin > Role-Based Access Control > Organization > Domains). If any of the authentication and authorization checks fail, ANM logs the error in the audit log (Admin > ANM Management > ANM Change Audit Log). One of the following error messages display depending on when the failure occurs: • If Step 1 fails, the message is as follows: User authentication failed: Organization does not exist. • If Step 2 fails, the message is as follows: User authentication failed: ... , reason=User password check failed - error code XXX - . 18-39 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Using an AAA Server for Remote User Authentication and Authorization This message means that the AD server rejected the user. The list of possible error codes and respective descriptions are as follows: – 525—User is not found – 52e—User credentials are invalid – 530—User is not permitted to log on at this time – 531—User is not permitted to log on from this workstation – 532—Password has expired – 533—Account is disabled – 701—Account has expired – 773—User must reset their password – 775—Account is locked out • If Step 3 fails, the message is as follows: User authorization failed: User is not defined in the organization. Configuring Remote User Authentication Using a TACACS+ Server This section describes how to configure ANM and a TACACS+ server for remote user authentication. Note For background information about configuring an AAA server, see the “Configuring Authentication and Accounting Services” chapter of either the Cisco ACE Module Security Configuration Guide or Cisco ACE 4700 Series Appliance Security Configuration Guide on www.cisco.com. Assumptions This topic assumes the following: • For purposes of this example, assume usage of a Cisco Secure ACS version 4.1 server. • Your user role determines whether you can perform the procedures outlined in this section. • Administrative login rights are required to access the Cisco Secure ACS HTML interface. Table 18-11 provides a high-level overview of the steps required to authenticate ANM users with a TACACS+ server. 18-40 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Using an AAA Server for Remote User Authentication and Authorization Table 18-11 Authenticating ANM Users with a TACACS+ Server Task Procedure Step 1 Create an organization and define the remote TACACS+ server used (ANM) Note Your user role determines whether you can use this option. Remote authentication servers are defined in ANM as organizations. A single server can be used in multiple organizations. To configure authentication for your users by creating an organization and defining TACACS+ as the method of authentication, do the following: a. Choose Admin > Role-Based Access Control > All Organizations. The Organizations window appears. b. Click Add. c. Enter the name of the new organization and notes if required. d. Click Save. e. Choose the new organization and click Edit. f. Enter the attributes as described in Table 18-2. Certain attributes appear when you choose specific options. Include the following organization attributes to authenticate ANM users with a TACACS+ server: – Organization name – TACACS+ as authentication method – IP address of TACACS+ server – Authentication port number – Authentication secret g. Click Save. See the “Adding a New Organization” section on page 18-10 for details about this procedure. Step 2 Creating a role for RBAC (ANM) Note Your user role determines whether you can use this option. You can edit the predefined roles or you can create user-defined roles. When you create a role, you specify a name and description of the new role, and then choose the privileges for each task. You can also assign this role to one or more users. Do the following: a. Choose Admin > Role-Based Access Control > Organization > Roles. The Roles table appears. b. Click Add. The New Role form appears. c. Enter the attributes as described in Table 18-9. d. Click Save. The new role is added to the list of user roles. See the “Creating User Roles” section on page 18-29 for details on this procedure. 18-41 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Using an AAA Server for Remote User Authentication and Authorization Step 3 Create a domain for an RBAC user (ANM) Note Your user role determines whether you can use this option. A domain defines which objects that the RBAC user will have access to. The assigned role defines which actions that user will be able to perform on those objects. To configure a domain for an RBAC user, do the following: a. Choose Admin > Role-Based Access Control > Organization > Domains. The Domains table appears. b. In the Domains table, click Add. c. For the new domain, enter the attributes as described in Table 18-10. Note If you check the Allow All checkbox, this selection enables all objects within this domain (current and future objects). If you leave this check box unchecked, the Objects tree displays. To allow a user to have access to the entire context, highlight the Virtual Contexts folder in the Objects tree, locate the specific user context, and then click the arrow to send it to the Selected box. The context name format is :: d. Click Save when all the objects that you want to allow access to are listed in the Selected box. See the “Creating a Domain” section on page 18-34 for details on this procedure. Step 4 Create an organization user (ANM) Note Your user role determines whether you can use this option. Organization users are users who work for the customer of a service provider or AAA server that segments your users and to whom you want to grant access to ANM. Do the following: a. Choose Admin > Role-Based Access Control > Organization > Users. The Users window appears. b. In the Users window, click Add. c. Enter the attributes as described in Table 18-5. Include the following organization user attributes: – Login name – Predefined role – Domains to which this user belongs d. Click Save. The Users table appears. See the “Creating User Accounts” section on page 18-19 for details on this procedure. Table 18-11 Authenticating ANM Users with a TACACS+ Server (continued) Task Procedure 18-42 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Using an AAA Server for Remote User Authentication and Authorization Step 5 Access the AAA server (Cisco Secure ACS server) Note Administrative login rights are required to access the Cisco Secure ACS HTML interface. To access the Cisco Secure ACS HTML interface, do the following: a. Open a web browser for the URL of the Cisco Secure ACS HTML interface. b. In the Username box, type a valid Cisco Secure ACS administrator name. c. In the Password box, type the password for the administrator name that you specified. d. Click Login. The Cisco Secure ACS HTML interface appears. For details on configuring the Cisco Secure ACS HTML server, see the documentation that is provided with the software. Step 6 Create a network device group (Cisco Secure ACS Server) To create a group of TACACS+ clients and servers on the Cisco Secure ACS HTML server, do the following: a. Go to the Network Configuration section of the Cisco Secure ACS HTML interface. b. In the navigation bar, click the Network Configuration button. The Network Configuration page appears in the Cisco Secure ACS HTML interface. c. Under the Network Device Groups table, click the Add Entry button to create a new group of TACACS+ clients and servers. Type the name of the new group (for example ANM). d. Click Submit. For details on configuring the Cisco Secure ACS HTML server, see the documentation that is provided with the software. Table 18-11 Authenticating ANM Users with a TACACS+ Server (continued) Task Procedure 18-43 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Using an AAA Server for Remote User Authentication and Authorization Step 7 Specify the AAA client setup for ANM (Cisco Secure ACS Server) To define the AAA client setup for ANM on the Cisco Secure ACS HTML server, do the following: a. Click Add Entry below the AAA Clients table. The Add AAA Client window appears. b. In the Add AAA Client window, specify the following attributes: – AAA Client IP Address—Client IP address of ANM that will be used for communicating with the TACACS+ server – Shared Secret—Shared secret specified on ANM – Network Device Group—ANM – Authenticate Using—TACACS+ (Cisco IOS) Note The TACACS+ (Cisco IOS) drop-down item specifies the Cisco TACACS+ authentication function. This selection activates the TACACS+ option when using Cisco Systems access servers, routers, and firewalls that support the TACACS+ authentication protocol, including support for ANM as well. c. Click Submit + Apply. For details on configuring the Cisco Secure ACS HTML server, see the documentation that is provided with the software. Step 8 Specify the AAA server setup (Cisco Secure ACS Server) To define the AAA server setup for ANM on the Cisco Secure ACS HTML server, do the following: a. Click Add Entry below the AAA Servers table. The Add AAA Servers window appears. b. In the Add AAA Servers window, specify the following attributes: – AAA Server IP Address—IP address of the TACACS+ server – Key—Shared secret specified on ANM – Log Update/Watchdog Packets from This Remote AAA Server—Enabled – Network Device Group—ANM – AAA Server Type—TACACS+ – Traffic Type—Inbound/Outbound c. Click Submit + Apply. For details on configuring the Cisco Secure ACS HTML server, see the documentation that is provided with the software. Table 18-11 Authenticating ANM Users with a TACACS+ Server (continued) Task Procedure 18-44 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Using an AAA Server for Remote User Authentication and Authorization Step 9 Create the ANM user on the TACACS+ server (Cisco Secure ACS Server) To create the ANM user on the Cisco Secure ACS HTML server, do the following: a. Click the User Setup button. The User Setup window appears. b. In the User text box of the User Setup window, enter the user name of the organization user that you created in ANM (see Step 3, the Create an domain for a RBAC user task). c. Click the Add/Edit button. d. Specify the following user attributes: – Real Name—Real name of the ANM user. – Description—Brief description of the user for the administrator. – Password Authentication—ACS Internal Database. – Password—Password for this user account. Enter this password a second time in the Confirm Password text box. For details on configuring the Cisco Secure ACS HTML server, see the documentation that is provided with the software. Table 18-11 Authenticating ANM Users with a TACACS+ Server (continued) Task Procedure 18-45 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Using an AAA Server for Remote User Authentication and Authorization Figure 18-3 Example of Authentication Communication Between ANM and a TACACS+ Server Related Topics • Controlling Access to Cisco ANM, page 18-3 • How ANM Handles Role-Based Access Control, page 18-8 • Configuring Remote User Authorization Using a TACACS+ Server, page 18-45 Configuring Remote User Authorization Using a TACACS+ Server You can configure a TACACS+ server to perform remote authorization of ANM users by configuring the authorization settings on the AAA server, which includes a unique ANM identifier, user role, and domain information. After you configure the TACACS+ server and ANM for remote authorization, when ANM authorizes a user, it sends an authorization request to the TACACS+ server, which returns with the names of the role and domains that are assigned to the user and defined on ANM. Guidelines and Restrictions This topic includes the following guidelines and restrictions: • You can configure ANM remote authorization on a TACACS+ server only. This feature is not available for AD/LDAPS or RADIUS. • Cisco has approved the use of Cisco Secure Access Control System (ACS) only for remote authorization (Cisco has not approved the use of other TACACS+ servers for this purpose). The Cisco Secure ACS can accept an authorization request and send the following attribute in the request: Step 10 Log in to ANM using the newly created account To test the new login credentials for user authentication, do the following: a. Log in to ANM by entering the new user account in the ANM login window. Enter the username using the following format: @. b. Click Login. Authentication occurs between ANM and the TACACS+ server (see Figure 18-3). All authentication transactions are performed by the TACACS+ authentication service associated with the associated organization. c. ANM appears with the virtual contexts that you included as part of the domain for the RBAC user in Step 3 (the Create an domain for a RBAC user task). Table 18-11 Authenticating ANM Users with a TACACS+ Server (continued) Task Procedure 18-46 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Using an AAA Server for Remote User Authentication and Authorization ANM_UniqueID=RoleNameDomain1Domain2 . . . ANM/IP should be used as the TACACS_Service/TACACS_Protocol pair for an authorization request and response. • You configure the user authorization attributes on the TACACS+ server using the following format: ANM_UniqueID=RoleNameDomain1Domain2 . . . The number of characters allowed for the ANM identifier, role, and domain information is limited to 160 characters, including spaces. You can use additional characters by adding a new ANM Unique ID entry for domain attributes as follows: ANM_UniqueID_1=RoleNameDomain1Domain2 ANM_UniqueID_2=Domain3Domain4 ANM_UniqueID_3=Domain5 You must assign a different ANM identifier to each entry. Make sure that you configure the ANM organization with each ANM unique ID (see the “Adding a New Organization” section on page 18-10). • You can define user authorization at the user level, user group level, or both. We recommend configuring authorization at the user group level, which allows you to assign a common set of authorization attributes to multiple users. When you configure the authorization attributes at both the user level and user group level, the user attributes take precedence over user group attributes. The procedure in this section includes all three configuration options. • You can configure ANM to revert to local user authorization if the TACACS+ server becomes unavailable (see the “Adding a New Organization” section on page 18-10). Prerequisites ANM has a user organization that is configured for remote authorization (see the “Adding a New Organization” section on page 18-10). This section includes the following topics: • Configuring Remote User Authorization Using Cisco Secure ACS Version 5.1, page 18-46 • Configuring Remote User Authorization Using Cisco Secure ACS Version 4.2, page 18-48 Configuring Remote User Authorization Using Cisco Secure ACS Version 5.1 You can use Cisco Secure ACS Version 5.1 for configuring a remote server to perform remote authorization of ANM users. Note This procedure describes only the ANM-specific attributes for creating user groups and users on Cisco Secure ACS. For information about configuring the other attributes, see the User Guide for Cisco Secure Access Control Server located on Cisco.com. Procedure Step 1 From the Cisco Secure ACS HTML GUI, create a new Device Type to identify requests coming from the ANM server. 18-47 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Using an AAA Server for Remote User Authentication and Authorization Do the following: a. From the sidebar menu, choose Network Device Groups > Device Type. The Device Group General window appears. b. In the Name field, enter ANM. c. (Optional) In the Description Field, enter a description. For example, ANM Server. d. In the Parent field, select All Device Types. e. Click Submit. Step 2 From the sidebar menu, choose Network Device Groups > Network Devices and AAA Clients to add a device. The Network Devices and AAA Clients window appears. Do the following: a. In the Name field, enter ANM. b. From the Network Device Groups pane, do the following: – In the Location field, select All Locations. – In the Device Type field, select All device Types:ANM, which is the device type that you created in Step 1. c. From the IP Address pane, do the following: – Choose the IP Range(s) radio button. – From the IP and Mask fields, enter the IP address and Mask to use and click Add to add the values to the IP/Mask table. d. From the Authentication Options pane, check the TACACS+ check box. e. Click Submit. Step 3 From the sidebar menu, choose Users and Identity Stores > Identity Groups to create an Identity Group, which will be used later to map users to a specific role. The Identity Groups General window appears. Do the following: a. In the Name field, enter a name for the group. For example, ACE-Admin. b. (Optional) In the Description field, enter a description for the group. For example, ACE devices admin. c. In the Parent field, select ALL Groups:ANM-Groups. d. Click Submit. The Identity Groups window appears. e. From the Identity Groups window, drill down and check the check box of an organization division/roll to associate with the group. For example, check the ACE-Groups check box (All Groups > ANM-Groups > ACE-Admin). f. Click Create. g. Repeat Step 3 for every Identity Group that you need to create. Step 4 From the sidebar menu, choose Users and Identity Stores > Internal Identity Stores > Users to create a user. The Users General window appears. Do the following: a. In the Name field, enter a user name. b. From the Status drop-down list, set the status for the user account. For example, Enabled. 18-48 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Using an AAA Server for Remote User Authentication and Authorization c. (Optional) In the Description field, enter a description for the user account. d. In the Identity Group field, select one of the groups created in Step 3 to associate with the user. e. Click Submit. Step 5 From the sidebar menu, choose Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles to create a shell profile for each Identity Group that you created in Step 3. The shell is used to pass the user’s role and domain list to the ANM server. The Shell Profiles window appears. Do the following: a. Click the Custom Attributes tab. b. From the Attribute field, enter the attribute name, which is the ANM unique ID that you configured in the ANM organization on ANM. The ANM unique ID is followed by the role and domain names as a name/value pair (NV Pair) using the following format: ANM_UniqueID=RoleNameDomain1Domain2 . . . For example: ANM=Role1 Domain1 Domain2 Domain6 The ANM_UniqueID variable must match the ANM unique ID that you configured in the ANM organization on ANM (see the “Adding a New Organization” section on page 18-10). This line cannot exceed 254 characters. If you need to use more than 254 characters, add another ANM Unique ID entry to specify the domains associated with the role specified in the first entry (for details, see the Guidelines and Restrictions associated with this topic). c. Click Add. The attribute name is added to the Manually Entered pane. d. Click Submit. Related Topics • Managing User Roles, page 18-25 • Managing Domains, page 18-32 • Adding a New Organization, page 18-10 • Using an AAA Server for Remote User Authentication and Authorization, page 18-38 • Configuring Remote User Authorization Using Cisco Secure ACS Version 4.2, page 18-48 Configuring Remote User Authorization Using Cisco Secure ACS Version 4.2 You can use Cisco Secure ACS Version 4.2 for configuring a remote server to perform remote authorization of ANM users. Note This procedure describes only the ANM-specific attributes for creating user groups and users on Cisco Secure ACS. For information about configuring the other attributes, see the User Guide for Cisco Secure Access Control Server located on Cisco.com. 18-49 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Using an AAA Server for Remote User Authentication and Authorization Procedure Step 1 From the Cisco Secure ACS HTML GUI, configure the interface as follows: a. From the side menu bar, click Interface Configuration. The Interface Configuration window appears. b. From the Advanced Options pane of the Interface Configuration window, check the Per-user TACACS+/RADIUS Attributes check box and click Submit. c. From the New Services pane of the Interface Configuration window, check the Service and Protocol check boxes and add a new service as follows: – In the Service text box, enter ANM. – In the Protocol text box, enter IP. d. Click Submit. Step 2 Do one of the following: • Configure a user group for the users that you create—Go to Step 3. • Configure a user only—Skip to Step 4. Step 3 To configure a user group, do the following: a. From the side menu bar, click Group Setup. The Group Setup window appears. b. From the Group Setup window, create a user group and set the following ANM attributes: – Check the ANM IP service check box. – Check the Custom attributes check box and enter the ANM unique identifier followed by the role and domain names as a name/value pair (NV Pair) in the Custom Attributes pane using the following format: ANM_UniqueID=RoleNameDomain1Domain2 . . . For example: ANM=Role1 Domain1 Domain2 Domain6 The ANM_UniqueID variable must match the ANM unique ID that you configured in the ANM organization on ANM (see the “Adding a New Organization” section on page 18-10). This line cannot exceed 160 characters. If you need to use more than 160 characters, add another ANM Unique ID entry to specify the domains associated with the role specified in the first entry (for details, see the Guidelines and Restrictions associated with this topics). c. Click Submit. The user group is now ready for adding users (go to Step 4). Step 4 Create a user as follows: a. From the side menu bar, click User Setup. The User Setup window appears. b. To assign the user to the user group that you created in Step 3, from the User Setup window, choose the group from the following drop-down list: Group to which the user is assigned. Skip this step if the user is not to be included in a user group. 18-50 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Disabling the ANM Login Window Change Password Feature c. Configure the ANM-specific attributes. Perform this step for either of the following reasons; otherwise, skip this step: – The user is not to be included in a user group. – The user is included in a user group but requires different authorization attributes (user attributes have precedence over user group attributes). To configure the ANM-specific attributes, from the User Setup window, do the following: – Check the ANM IP service check box. – Check the Custom attributes check box, enter the ANM unique ID and role and domain names as NV Pair in the Custom Attributes pane using the following format: ANM_UniqueID=RoleNameDomain1Domain2 . . . For example: ANM=Role1 Domain1 Domain2 Domain6 The ANM_UniqueID variable must match the ANM Unique ID that you configured in the ANM organization (see the “Adding a New Organization” section on page 18-10). This line cannot exceed 160 characters. If you need to use more that 160 characters, add another ANM Unique ID entry to specify the domains associated with the role (for details, see this topic’s Guidelines and Restrictions): d. Click Submit. Related Topics • Managing User Roles, page 18-25 • Managing Domains, page 18-32 • Adding a New Organization, page 18-10 • Using an AAA Server for Remote User Authentication and Authorization, page 18-38 • Configuring Remote User Authorization Using Cisco Secure ACS Version 5.1, page 18-46 Disabling the ANM Login Window Change Password Feature When you log into ANM from the login window, you have the option to change your password at that time. This feature is enabled by default; however, you can disable it by modifying the ANM cs-config.properties file. When disabled, the login window no longer displays the Change Password hyperlink. Procedure Step 1 Disable the Change Password option on the ANM login window as follows: • ANM Server—Open the /opt/CSCOanm/etc/cs-config.properties file in a text editor and change the state of the following line from true to false: changeANMPassword.enable=false 18-51 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM • ANM Virtual Appliance—Enter the following command: anm-property set changeANMPassword.enable false Step 2 Restart ANM as follows: • ANM Server—Enter the following command: /opt/CSCOanm/bin/anm-tool restart • ANM Virtual Appliance—Enter the following command: anm-tool restart Related Topics • Logging In To the Cisco Application Networking Manager, page 1-5 • Changing Your Account Password, page 1-6 Managing ANM When you choose Admin > ANM Management, you can display the following information: • ANM—Allows you to check the status of your ANM server. See the “Checking the Status of the ANM Server” section on page 18-52. • License Management—Displays the ANM license information. See the “Using ANM License Manager to Manage ANM Server or Demo Licenses” section on page 18-54. • Statistics—Displays the ANM server statistics. See the “Displaying ANM Server Statistics” section on page 18-56. • Statistics Collection—Allows you to enable or disable ANM server statistic collection. See the “Configuring ANM Statistics Collection” section on page 18-57. • Audit Log Settings—Allows you to determine how long audit log records are kept. See the “Configuring Audit Log Settings” section on page 18-58. • Change Audit Log—Displays ANM server logs. See the “Displaying Change Audit Logs” section on page 18-61. • Auto Sync Settings—Allows you to allow ANM to automatically sync with CLI when it detects out of band changes between itself and the ACE. See the “Configuring Auto Sync Settings” section on page 18-61. • Advanced Settings—Allows you to set the following advanced settings for ANM: – Enable or disable overwrite of the ACE logging device-id while setting up syslog for autosync using Config > Devices > Setup Syslog for Autosync. – Enable or disable write memory on a Config > Operations configuration. – Enable features for displaying details about real or virtual servers. – Enable mobile notifications from ANM. – Hide syslog buffer details in the Dashboard pane Top 10 Current Resources. – Display all virtual servers that have class-map and policy-map definitions in the monitoring and operations windows. See the “Configuring Advanced Settings” section on page 18-62. 18-52 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM • Virtual Center Plugin Registration—Allows you register the ANM plugin to integrate ANM in a VMware virtual data center environment. See Appendix B, “Using the ANM Plug-In With Virtual Data Centers.” Checking the Status of the ANM Server Note Your user role determines whether you can use this option. You can check if ANM has a backup server and to view the server status. The ANM server can be configured as either of the following: • A non-HA ANM. The non-HA ANM consists of only one host and is referred to as a standalone ANM. • An HA (high availability or fault-tolerant) ANM, which consists of two hosts: an active ANM and a standby ANM. An HA ANM has a virtual IP address that is always assigned to the active ANM. Users log into this virtual IP address—they never log into the real IP addresses of the hosts. In addition, an HA ANM has a secondary NIC and IP address on each host over which “heartbeat” messages are used to arbitrate which host is active and which is standby. Procedure Step 1 Choose Admin > ANM Management > ANM. The ANM Server status window appears. This window contains the following information: Table 18-12 ANM Server Status Information Field Description HA Replication State HA replication state as follows: • OK—This is an HA ANM and is running properly. • Standalone—This is a non-HA ANM; therefore, the HA attributes and operations are not meaningful. • Stopped—This is HA ANM and this state indicates that the active ANM is copying its entire database contents to the standby ANM. This normally happens when the standby ANM initially starts up or it has been stopped and restarted later. This process normally takes a few seconds to a few minutes depending on the size of the ANM configuration data and monitoring data. During this time, the active ANM cannot be stopped, restarted, or failover. • Failed—This is an HA ANM and database replication cannot proceed. Most likely this is because the standby ANM is unresponsive or is unreachable. Version Version of the ANM software. Build Number and Build Timestamp Build identification information. Time Server Started Date and time the ANM server started. 18-53 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM Related Topics • Using ANM License Manager to Manage ANM Server or Demo Licenses, page 18-54 • Displaying ANM Server Statistics, page 18-56 Virtual IP Address Virtual IP address that associates with the active host. This IP address must be on the same subnet as the primary IP addresses of both Node 1 and Node 2. Active Name Name of Node 1, which can be displayed by issuing the uname -n command on the host. Active IP IP address used by Node 1 for normal (non-heartbeat related) communication. This IP address must be on the same subnet as the primary address for Node 2. Active Heartbeat IP IP address associated with the crossover network interface for Node 1. This IP address must be on the same subnet as the Heartbeat IP address for Node 2. Standby Name Name of Node 2, which can be returned by issuing the uname -n command on the host. Standby IP IP address used by Node 2 for normal (non-heartbeat related) communication. This IP address must be on the same subnet as the primary IP address for Node 1. Standby Heartbeat IP IP address associated with the crossover network interface for Node 2. This IP address must be on the same subnet as the Heartbeat IP address for Node 1. License Server State License server state as follows: • OK—There is a valid license on the host. • Invalid—The host either contains an invalid license or there is no license present. • Unknown—It is not possible to communicate with the host's license manager, therefore, the license state is unknown. Note The Unknown and Invalid states will not display for the active (local) ANM. If the standby ANM has an Invalid license state, you should install a valid license. If the standby ANM has an Unknown license state, check that the standby ANM has been installed correctly. • DEMO—Used for the demonstration purposes. It lasts for 30, 60, or 90 days from the issue day of the license. It allows you to use all features. Standby License Server State Standby license server state as follows: • OK—There is a valid license on Node 2. • Invalid—Node 2 either contains an invalid license or there is no license present. • Unknown—It is not possible to communicate with the license manager on Node 2, therefore, the license state is unknown. Note The Unknown and Invalid states will not display for the active (local) ANM. If the standby ANM has an Invalid license state, you should install a valid license. If the standby ANM has an Unknown license state, check that the standby ANM has been installed correctly. • DEMO—Used for the demonstration purposes. It lasts for 30, 60, or 90 days from the issue day of the license. It allows you to use all features. Table 18-12 ANM Server Status Information (continued) Field Description 18-54 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM • Configuring ANM Statistics Collection, page 18-57 Using ANM License Manager to Manage ANM Server or Demo Licenses You can use the ANM License Manager feature to manage to the ANM license required to use ANM beyond the 90-day evaluation period. Note Your user role determines whether you can use this option. Table 18-13 describes the available ANM licenses and their purpose. ANM licenses are available at no charge. When you install the ANM software, you are provided with a 90-day evaluation period that does not require a license; however, to continue using ANM beyond the evaluation period, you must install the ANM server license as follows: • To install the server license before the evaluation period expires, you can use ANM License Manager (see the “Displaying and Adding ANM Licenses to License Management” section on page 18-54). Optionally, you can use the CLI to install the license as described in the next bullet. • To install the server license after the evaluation period expires, you must use the CLI (see the Installation Guide for Cisco Application Networking Manager 5.2 or the Installation Guide for the Cisco Application Networking Manager 5.2 Virtual Appliance for instructions). Note ANM uses TCP port 10444 for the ANM License Manager. For other port numbers, see Appendix A, “ANM Ports Reference.” This section includes the following topics: • Displaying and Adding ANM Licenses to License Management, page 18-54 • Removing an ANM License File, page 18-55 Displaying and Adding ANM Licenses to License Management Note Your user role determines whether you can use this option. You can add a license to the license manager. You need to add a license before the 90-day evaluation period expires or when you convert from a demo license to an ANM server license. Table 18-13 ANM License Descriptions License Name Description ANM-DEMO or DEMO Used for demonstration purposes. It lasts for 90 days from the issue day of the license and allows you to use all features. ANM-SERVER-50-K9 Used to allow access to the ANM server. Beginning with ANM 4.1, ANM does not perform a license version number check; it will accept any version ANM license. 18-55 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM Guidelines and Restrictions The license manager does not display information related to the 90-day evaluation period that allows you to use ANM immediately after you install the software. When there are 10 days or less remaining to the evaluation period, ANM issues daily warnings that the evaluation period is about to expire. You must install the ANM server license to continue using ANM. Procedure Step 1 Choose Admin > ANM Management > License Management. The Licenses table appears. Table 18-14 describes the contents of this table. Step 2 To add new license, from the Licenses table, click Add. The New License window appears. Step 3 In the New License window, click Browse to locate the new license name. Use the browser to choose the license file. Step 4 Click Upload to install the license you added onto the ANM Server or Cancel to exit. The license file appears in the License Files table. From the License Files table you can see the Install Status of the license file and if there are any errors. Related Topics • ANM Licenses, page 1-7 • Managing ACE Licenses, page 6-36 • Using ANM License Manager to Manage ANM Server or Demo Licenses, page 18-54 • Removing an ANM License File, page 18-55 Removing an ANM License File For ANM server, if your license file does not work in ANM due to file errors, you need to remove it from the ANM host and request another license file from Cisco. There is no ANM GUI remove license command. You must remove the license from the operating system by deleting the file. Table 18-14 License Files Field Description File Name Name of the ANM server or demo license file that you have installed on the ANM host. Install Status Status of the license file. Any licensing errors display here. For ANM server, if errors display, see the “Removing an ANM License File” section on page 18-55 for details about how to remove this file and import a working file. You cannot remove a license from ANM Virtual Appliance; however, a license that displays in error is not a probelm as long as a valid license is also installed. 18-56 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM Guidelines and Restrictions You can remove a license file from ANM server; however, you cannot remove a license file from ANM Virtual Appliance. If you are using ANM Virtual Appliance and have a license that displays in error, it is not an issue as long as a valid license is also installed. Procedure Step 1 Log in as the root user. Step 2 To remove the license file, enter the following: rm /opt/CSCOanm/etc/license/ The license file is removed from the ANM host. Step 3 Restart ANM to allow it to update the licenses table data. To restart ANM, see instructions in the Installation Guide forCisco Application Networking Manager 5.2. To request another license from Cisco to replace the one that had errors, open a service request using the TAC Service Request Tool or call the Technical Assistance Center. Add the license into ANM. Related Topics • ANM Licenses, page 1-7 • Using ANM License Manager to Manage ANM Server or Demo Licenses, page 18-54 • Displaying and Adding ANM Licenses to License Management, page 18-54 Displaying ANM Server Statistics You can display ANM statistics (for example, CPU, disk, and memory usage on the ACE). Procedure Step 1 Choose Admin > ANM Management > Statistics. The statistics viewer displays the fields in Table 18-15. 18-57 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM Related Topics • Checking the Status of the ANM Server, page 18-52 • Configuring ANM Statistics Collection, page 18-57 Configuring ANM Statistics Collection You can enable ACE server statistics polling. Procedure Step 1 Choose Admin > ANM Management > Statistics Collection. The Primary Attributes configuration window appears. Step 2 In the Polling Stats field, click Enable to start background polling or Disable to stop background polling. Step 3 In the Background Polling Interval field, choose the polling interval appropriate for your networking environment. Step 4 Click Deploy Now to save your entries. Related Topics • Checking the Status of the ANM Server, page 18-52 • Displaying ANM Server Statistics, page 18-56 Table 18-15 ACE Server Statistics Name Description Owner Process where statistics are collected. Statistic Statistical information, includes the following: • CPU Usage—Overall ACE CPU busy percentage in the last 5-minute period. • Disk Usage—Amount of disk space being used by the ANM server or ACE device. • Memory Usage—Amount of memory being used by the ANM server or ACE hardware. • Process Uptime—Amount of time since this system was last initialized, or the amount of time since the network management portion of the system was last reinitialized. Value Value of the statistic. Description Information that the statistic gathered. 18-58 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM Configuring Audit Log Settings You can determine how long audit logs are kept in the database. Audit Log Purge Settings allow you to specify the following: • How many days the log records in the database will be kept (default is 31). • The maximum of log records that will be stored in the ANM database (default 100,000). Audit Log File Purge Settings allows you to specify the following: • The number of days worth of log record files that will be stored in the ANM database (default 31 days). • The number of daily rolling files that will be stored in the ANM database (default 10 files each day, allowable file size is 2 Megabytes and is not configurable). Procedure Step 1 Choose Admin > ANM Management > Audit Log Settings. The Audit Log Settings configuration window appears. Audit Log Purge Settings fields let you determine whether audit log table entries will be deleted after a certain number of days (default is 31 days) or after the table entries reach a certain size (default is 100 entries). Step 2 Enter the greatest number of days that you would like entries to be retained in the Number of Days field. Step 3 Enter the maximum amount of log records to be stored in the ANM database in the audit log tables in the Number of Entries (Thousand) field (default 100,000). Audit Log File Purge Settings fields let you determine whether to retain log files according by age (default is 31 days) or by amount saved in a given day (default is 10 entries). Step 4 Enter the greatest number of days that you would like entries to be retained in Number of Days field. Step 5 Enter the greatest number of log files that you would like retained in the Number of Daily Rolling Log Files field. Step 6 Do one of the following: • Click Reset to Default to erase changes and restore the default values. • Click Save Now to save your entries. Related Topics • Performing Device Audit Trail Logging, page 18-59 • Displaying Change Audit Logs, page 18-61 18-59 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM Performing Device Audit Trail Logging Certain configuration and deployment changes are logged in the ANM database and available for displaying according to your role, which is restricted by the ACE virtual context as established by RBAC. Log files are located /var/lib/anm/events/date/audit, where date is in YYYYMMDD format (for example, 20091109 for November 9, 2009). The following changes are logged in ANM: • Configuration deployments to devices • Device or virtual context synchronization operations • Device or virtual context import and deletions • Creation/updates/deletion of the to-be-deployed later by the virtual server Procedure Step 1 Choose Config > device(s) to view > Device Audit. ANM displays all operations described above on the specified devices. See Table 18-16 for a description of the displayed information, some of which is extracted from the syslog. You can sort information in the table by clicking on a column heading, adjust the viewable time range using the drop-down list, and export the table for reporting and troubleshooting purposes. 18-60 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM Table 18-16 Config > Device Audit Fields Field Description Time ANM server timestamp when the action is complete. Client IP Source IP address initiating action. User Email address in the following format: username@organization name for example, admin@cisco.com. Device Device or ACE virtual context target of user action. Action The action name of the operation, including the following: • add staging object • allocate vlan • change credential • create • create vc • create vc-template • create-vip • delete • delete-vip • deploy staging object • disable polling • enable polling • export-certificate-key • generate-csr • import device • import-certificate-key • import module • remove device • remove vc • restart monitoring • syncup config • syslog-setup • unmanage module • update • update staging object • update-vip Target Name of the target configuration object (for example, Serverfarm sf1). Status Indicates whether operation succeeded or not. 18-61 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM Related Topics • Configuring Audit Log Settings, page 18-58 • Displaying Change Audit Logs, page 18-61 Displaying Change Audit Logs You can display ANM change audit logs for example, user login attempts, create/update/delete objects such as RBAC, Global Resource Class, Credential, device group, and threshold setting. Any key or change related activities to the ANM server will be logged and viewed according to your role. To display the change audit logs, choose Admin > ANM Management > ANM Change Audit Log. The audit log displays the fields in Table 18-17. Related Topics • Checking the Status of the ANM Server, page 18-52 • Configuring Audit Log Settings, page 18-58 • Performing Device Audit Trail Logging, page 18-59 Configuring Auto Sync Settings You can configure ANM server auto sync settings. Procedure Step 1 Choose Admin > ANM Management > ANM Auto Sync Settings. The Setup ANM Auto-Sync Settings window appears. Step 2 In the ANM Auto-Sync field of the Setup ANM Auto-Sync Settings window, do one of the following: Detail CLI commands sent to the device and/or error messages. ANM truncates the display if the number of characters for the CLI commands exceeds 100,000 characters. You can view the complete audit output in the audit log file. Table 18-16 Config > Device Audit Fields (continued) Field Description Table 18-17 Server Audit Log Name Description Time Server time stamp when user action is complete. Client IP IP address where action originated. User Email address in the following format: username@organization name for example, admin@cisco.com. Message Boilerplate text descriptive of action taken, usually self-explanatory (for example “User authentication succeeded.” 18-62 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM • Click Enable to have the ANM server automatically sync with ACE CLI when it detects out of band changes. • Click Disable to have the ANM server warn but not take independent action when it detects out of band changes between the server and ACE CLI. Step 3 In the Polling Interval field, choose the polling interval you want the ANM server to employ. Step 4 Click OK to save your entries. Related Topic Synchronizing Virtual Context Configurations, page 6-105 Configuring Advanced Settings This section discusses the Advanced Settings window. This section includes the following topics: • Configuring the Overwrite ACE Logging device-id for the Syslog Option, page 18-62 • Configuring the Enable Write Mem on the Config > Operations Option, page 18-63 • Enabling the ACE Real Server Details Popup Window Option, page 18-64 • Enabling the ACE Server Farm Details Popup Window Option for Virtual Servers, page 18-65 • Enable Mobile Notifications from ANM, page 18-66 • Managing the Syslog Buffer Display in the All Devices Dashboard, page 18-66 • Managing the Display of Virtual Servers in the Operations and Monitoring Windows, page 18-66 Configuring the Overwrite ACE Logging device-id for the Syslog Option Yo can overwrite the ACE logging device-id. By default, ANM Autosync relies on the ACE logging device-id to be of type “String.” A device-id setting adds explicit information that is appended to the syslog message and is used by ANM to identify the source of a syslog message. If you configure ANM to manage syslog settings for Autosync on a virtual context (Config > Devices > Setup Syslog for Autosync) and the logging device-id is defined as something other than type “String” for the context, the operation fails and ANM displays “Syslog device is already configured for other purpose.” You can instruct ANM to overwrite the ACE logging device-id when you enable the synchronization of syslog messages setup of syslog for Autosync from the ACE. If any of the contexts that you are trying to set up a syslog the syslog for Autosync has a device-id setup for a type other than string, ANM will override the device-id with the ANM preferred string. Procedure Step 1 Choose Admin > ANM Management > Advanced Settings. The Advanced Settings configuration window appears. Step 2 In the Overwrite ACE Logging Device ID field of the Advanced Settings configuration window, do one of the following: 18-63 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM • Click Enable to overwrite the logging device-id during Setup Syslog for Autosync. • Click Disable to prevent overwriting the existing logging device-id if it has been previously set up with a type other than string. If the selected context from Setup Syslog for Autosync already has a device-id that is set up with a type other than string, then the operation reports an error and ANM does not overwrite this setting. This is the default setting. Step 3 Click OK to accept your entries on the Advanced Settings configuration window. Related Topics • Enabling a Setup Syslog for Autosync for Use With an ACE, page 5-27 Configuring the Enable Write Mem on the Config > Operations Option You can configure the Enable Write Mem on the Config > Operations feature. By default, ANM initiates a write memory command action after you activate or suspend changes on the ACE, CSM, or CSS through the different ANM Operations Pages (Config > Operations). In certain situations, such as those that involve large configurations, a write memory action can take an extended period of time to complete. In this case, the ANM GUI may time out. If a write memory action is not performed before a device reload occurs, the changes will be lost. You can instruct ANM to enable or disable write memory on a Config > Operations configuration. Note The write memory command is the same as the copy running-config startup-config command; both commands save changes to the configuration. Note The CSS Expert mode must be disabled if you wish to disable the Write Mem on Config > Operations feature. The Expert mode allows you to turn the CSS confirmation capability on or off; turning Expert mode on disables the CSS from prompting for confirmation when configuration changes are made. If Expert mode is enabled on the CSS, this function will cause the CSS to perform an implicit write memory action after each operational change. Procedure Step 1 Choose Admin > ANM Management > Advanced Settings. The Advanced Settings configuration window appears. Step 2 In the Enable Write Mem on Config > Operations field of the Advanced Settings configuration window, do one of the following: • Click Enable to instruct ANM to activate the write memory action on the Config > Operations window. This is the default. • Click Disable to deactivate the write memory action on the Config > Operations window. This option will require you to periodically access the CLI for the ACE context, the CSM, or the CSS and enter the write memory command to commit the change to the startup-configuration file. Step 3 Click OK to accept your entries on the Advanced Settings configuration window. 18-64 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM Enabling the ACE Real Server Details Popup Window Option You can enable the ACE real server Details popup window option that displays real server details by issuing the show rserver detail command to the selected ACE in the real servers operation window (Config > Operations > Real Servers). This top level real server show command displays information that includes total statistics about every serverfarm real server associated with the selected rserver. The ACE real server Details popup window feature is disabled by default. Caution When you enable the ACE real server Details popup window option, the information that displays in the Details popup window may exceed the RBAC restrictions assigned to the user. The following example shows how enabling the ACE real server Details popup window option in ANM can display information that may exceed the RBAC restrictions assigned to a user. In the following CLI example, the ACE displays information for rbac-test:80 and rbac-test:443 in response to the show rserver rbac-test detail command: switch/Admin# sh rserver rbac-test detail rserver : rbac-test, type: HOST state : OUTOFSERVICE --------------------------------- ----------connections----------- real weight state current total ---+---------------------+------+------------+----------+-------------------- serverfarm: sf-rbac-test 0.0.0.0:80 8 OUTOFSERVICE 0 0 serverfarm: sf1-rbac-test 0.0.0.0:443 8 OUTOFSERVICE 0 0 switch/Admin(config-sfarm-host-rs)# When you enable the Details option in ANM, the popup window displays the same information even if the user requesting the information is configured in ANM to have access to rbac-test:80 only. Procedure Step 1 Choose Admin > ANM Management > Advanced Settings. The Advanced Settings configuration window appears. Step 2 In the Enable Details popup window for Config > Operations > Real Servers field of the Advanced Settings configuration window, do one of the following: • Click Enable to enable the ACE real server Details popup window option. • Click Disable to disable the ACE real server Details popup window option. This is the default. Step 3 Click OK to accept your entries on the Advanced Settings configuration window. Related Topics • Displaying Real Servers, page 8-18 18-65 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM Enabling the ACE Server Farm Details Popup Window Option for Virtual Servers You can enable the ACE Server Farm Details popup window option that displays details about the server farms associated with a virtual server. When you enable this feature, the server farms listed in the virtual servers operation window (Config > Operations > Virtual Servers) become hyperlinks that open a popup details window. When you click a server farm associated with a virtual server, ANM issues the show serverfarm detail command to the ACE and displays the command output in the popup window. This top level virtual server show command displays information that includes statistical information related to the real servers associated with the server farm. The ACE Server Farm Details popup window feature is disabled by default. Caution When you enable the ACE Server Farm Details popup window option, the information that displays in the popup window may exceed the RBAC restrictions assigned to the user. For example, information related to real severs that a user is not permitted to access may display. The following is an example of the show serverfarm test-sf detail command output: serverfarm : test-sf, type: REDIRECT total rservers : 1 active rservers: 0 description : - state : INACTIVE predictor : ROUNDROBIN failaction : - back-inservice : 0 partial-threshold : 0 num times failover : 0 num times back inservice : 0 total conn-dropcount : 0 --------------------------------- ----------connections----------- real weight state current total failures ---+---------------------+------+------------+----------+----------+--------- rserver: anm-vm-119 0.0.0.0:0 8 OUTOFSERVICE 0 0 0 description : - max-conns : - , out-of-rotation count : - min-conns : - conn-rate-limit : - , out-of-rotation count : - bandwidth-rate-limit : - , out-of-rotation count : - retcode out-of-rotation count : - Procedure Step 1 Choose Admin > ANM Management > Advanced Settings. The Advanced Settings configuration window appears. Step 2 In the “Enable Details popup window for Config > Operations > Virtual Servers” field of the Advanced Settings configuration window, do one of the following: • Click Enable to enable the ACE Server Farm Details popup window option. • Click Disable to disable the ACE Server Farm Details popup window option. This is the default. Step 3 Click OK to accept your entries on the Advanced Settings configuration window. 18-66 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Managing ANM Related Topic “Displaying Virtual Servers” section on page 7-81 Enable Mobile Notifications from ANM You can enable ANM to send alarm notifications to supported mobile devices that are using the ANM Mobile app. By default, this feature is disabled. For details about the enabling this advanced setting, see the “Globally Enabling or Disabling Mobile Device Notifications” section on page 18-69. Related Topics • Globally Enabling or Disabling Mobile Device Notifications, page 18-69 • Configuring Alarm Notifications on ANM, page 17-57 • Administering the ANM Mobile Feature, page 18-67 • Chapter 19, “Using ANM Mobile” Managing the Syslog Buffer Display in the All Devices Dashboard You can choose to show or hide the syslog buffer information that displays in the Top 10 Current Resources pane of the All Devices Dashboard window (Monitor > Devices > Dashboard >All Devices). You may want to hide this information because it will always show 100 percent after the buffer becomes full and starts to wrap. Procedure Step 1 Choose Admin > ANM Management > Advanced Settings. The Advanced Settings configuration window appears. Step 2 Check the Hide 'Syslog Buffer' details in 'Top 10 Current Resources' in Dashboard Pane (All devices dashboard) check box to hide the syslog information. Uncheck the check box to display the syslog information. Step 3 Click OK to accept your entries on the Advanced Settings configuration window. Step 4 (Optional) Choose Monitor > Devices > Dashboard >All Device to view the change to the Top 10 Current Resources pane. For more information, see the “Top 10 Current Resources Table” section on page 17-20. Managing the Display of Virtual Servers in the Operations and Monitoring Windows You can choose to show only ANM recognized virtual servers or all virtual servers in the virtual server windows for Config Operations (Config > Operations > Virtual Servers) and Monitor Devices (Monitor > Devices > Load Balancing > Virtual Servers). ANM recognized virtual servers are virtual servers that match ANM’s virtual server definition (see “Virtual Server Configuration and ANM” section on page 7-2). When you have the display set to display all virtual servers, it includes virtual servers that match ANM’s virtual server definition and those that do not match this definition but that ANM can recognize as virtual servers using SNMP polling 18-67 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Administering the ANM Mobile Feature Procedure Step 1 Choose Admin > ANM Management > Advanced Settings. The Advanced Settings configuration window appears. Step 2 Do one of the following to specify the virtual server types that display in the Operations and Monitor windows for virtual servers: • Check the Display All Virtual Servers in Monitoring & Operations page (Virtual Servers that have class-map/policy-map definitions) check box to display virtual servers that match ANM’s virtual server definition and those that do not match this definition but that ANM can recognize as virtual servers using SNMP polling. When this option is checked, the virtual server windows for Config Operations and Monitor Devices includes a display toggle button ( ) located above the table that allows you to change from viewing all virtual servers to viewing only ANM recognized virtual servers. • Uncheck the check box to display only virtual servers that match ANM’s virtual server definition (see the “Information About Using ANM to Configure Virtual Servers” section on page 7-4. This is the default. Step 3 Click OK to accept your entries on the Advanced Settings configuration window. Step 4 (Optional) Choose Config > Operations > Virtual Servers to view the change. Administering the ANM Mobile Feature ANM Mobile is a mobile device app that allows supported mobile devices to access your ANM server or ANM Virtual Appliance and manage the network objects in much the same way you do from an ANM client as described in Chapter 19, “Using ANM Mobile.” This section describes how to configure ANM to send alarm notifications to ANM Mobile, which requires configuring ANM with a push notification proxy server and globally enabling the mobile notification feature. For remotely authorized users, you must also modify the ANM configuration to allow ANM to send this user type mobile notifications. After you have ANM configured to issue mobile notifications, you can send a test message to test the notification channel between ANM and the mobile device. You can also view a list that shows the last notification that ANM issued to each mobile device. This section includes the following topics: • Configuring ANM with a Proxy Server for ANM Mobile Push Notifications, page 18-67 • Enabling Mobile Device Notifications for Remotely Authorized Users, page 18-69 • Globally Enabling or Disabling Mobile Device Notifications, page 18-69 • Displaying Mobile Device Notifications and Testing the Notification Channel, page 18-70 Configuring ANM with a Proxy Server for ANM Mobile Push Notifications You can modify the ANM properties file for ANM Mobile push (or alarm) notifications. ANM is preconfigured to send ANM Mobile notifications directly to the Cisco proxy service. If your network does not allow direct access to the proxy service, you can configure ANM to send notifications to your proxy server, which in turn forwards the notifications to the Cisco proxy service. 18-68 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Administering the ANM Mobile Feature Prerequisites ANM has alarm threshold groups configured for mobile device alarm notifications (see the “Configuring Alarm Notifications on ANM” section on page 17-57). Procedure Step 1 Specify a proxy server to use as follows: • ANM Server—Open the /opt/CSCOanm/etc/cs-config.properties file in a text editor and modify the following lines: – proxy-type=type Specify a type of either ssl or socks depending on your network requirements. – proxy-server=proxy_IPaddress Specify the IP address of your proxy server. – proxy-server-port=port_number Specify the port to use to communicate with your proxy server. • ANM Virtual Appliance—Enter the following commands: – anm-property set proxy-type type Specify a type of either ssl or socks depending on your network requirements. – anm-property set proxy-server proxy_IPaddress Specify the IP address of your proxy server. – anm-property set proxy-server-port port_number Specify the port to use to communicate with your proxy server. Step 2 Restart ANM as follows: • ANM Server—Enter the following command: /opt/CSCOanm/bin/anm-tool restart • ANM Virtual Appliance—Enter the following command: anm-tool restart Step 3 Allow ANM to send alarm notifications to supported mobile devices. For more information, see the “Globally Enabling or Disabling Mobile Device Notifications” section on page 18-69. Step 4 (Optional) Send a test notification to a mobile device. For more information, see the “Displaying Mobile Device Notifications and Testing the Notification Channel” section on page 18-70. Related Topics • Enabling Mobile Device Notifications for Remotely Authorized Users, page 18-69 • Globally Enabling or Disabling Mobile Device Notifications, page 18-69 • Displaying Mobile Device Notifications and Testing the Notification Channel, page 18-70 • Chapter 19, “Using ANM Mobile” 18-69 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Administering the ANM Mobile Feature Enabling Mobile Device Notifications for Remotely Authorized Users You can modify the ANM configuration when you need to send mobile device alarm notifications to users that are authorized remotely using an AAA server. Guidelines and Restrictions When you enable alarm notifications to remotely authorized users, ANM does not perform any RBAC filtering of alarms to users, which means that remotely authorized users receive all alarm notifications regardless of the roles and domains assigned to them. Procedure Step 1 Enable mobile device notifications for remotely authorized users as follows: • ANM Server—Open the /opt/CSCOanm/etc/cs-config.properties file in a text editor and change the state of the following line from false to true: send.mobile.notifications.to.remote.users=true • ANM Virtual Appliance—Enter the following command: anm-property set send.mobile.notifications.to.remote.users true Step 2 Restart ANM as follows: • ANM Server—Enter the following command: /opt/CSCOanm/bin/anm-tool restart • ANM Virtual Appliance—Enter the following command: anm-tool restart Step 3 Globally enable ANM to send mobile device alarm notifications (see the “Globally Enabling or Disabling Mobile Device Notifications” section on page 18-69). Related Topics • Configuring ANM with a Proxy Server for ANM Mobile Push Notifications, page 18-67 • Globally Enabling or Disabling Mobile Device Notifications, page 18-69 • Displaying Mobile Device Notifications and Testing the Notification Channel, page 18-70 • Chapter 19, “Using ANM Mobile” Globally Enabling or Disabling Mobile Device Notifications You can globally enable or disable mobile device notifications from ANM. Prerequisites This topic includes the following prerequisites: • ANM has alarm threshold groups configured for mobile device alarm notifications (see the “Configuring Alarm Notifications on ANM” section on page 17-57). 18-70 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Administering the ANM Mobile Feature • ANM is allowed to send alarm notifications outside your network to the Cisco proxy service either directly (default) or through a specified proxy server (see the “Configuring ANM with a Proxy Server for ANM Mobile Push Notifications” section on page 18-67). • For remotely authorized users only, you must modify the ANM config.properties file to allow ANM to send notifications to this user type (see the “Enabling Mobile Device Notifications for Remotely Authorized Users” section on page 18-69). Procedure Step 1 Choose Admin > ANM Management > Advanced Settings. The Advanced Settings configuration window appears. Step 2 In the “Enable mobile notifications from ANM” field of the Advanced Settings configuration window, do one of the following: • Click Enable to allow ANM to send alarm notifications to mobile devices using ANM Mobile. • Click Disable to not allow ANM to send alarm notification to mobile devices. This is the default. Step 3 Click OK to accept your entries on the Advanced Settings configuration window. Step 4 (Optional) Send a test notification to a mobile device. For more information, see the “Displaying Mobile Device Notifications and Testing the Notification Channel” section on page 18-70. Related Topics • Configuring Advanced Settings, page 18-62 • Configuring ANM with a Proxy Server for ANM Mobile Push Notifications, page 18-67 • Enabling Mobile Device Notifications for Remotely Authorized Users, page 18-69 • Displaying Mobile Device Notifications and Testing the Notification Channel, page 18-70 • Chapter 19, “Using ANM Mobile” Displaying Mobile Device Notifications and Testing the Notification Channel You can display the list of ANM Mobile alarm notifications and send a customized test message to a mobile device. Guidelines and Restrictions This topic includes the following guidelines and restrictions: • ANM displays only the last notification sent to a mobile device. • You can send a test message to a mobile device even when you have globally disabled mobile device alarm notifications in ANM. For information about managing mobile device alarm notifications, see the “Globally Enabling or Disabling Mobile Device Notifications” section on page 18-69. Procedure Step 1 Choose Admin > Role-Based Access Control > Mobile Notifications. 18-71 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Administering the ANM Mobile Feature The Mobile Notifications window appears. Table 18-18 describes the information displayed. Step 2 (Optional) To manage which fields display in the Mobile Notifications window, do the following: a. Click the Customize button ( ) and choose Configure from the menu that appears. The Mobile Notifications List Configuration popup window appears. b. From the popup window, choose the fields that you want to display and make any other display modifications that you want to see. Be sure to enter a name in the List Customization Name field if you want to assign a name to the customized display. This option allows you to recall the customized display if you return to the default display. c. Do one of the following: – Click Save to save the settings to the name that you provided in the List Customization Name field. – Click Cancel to exit the popup window without making any changes. – Click Apply to apply the changes to the Mobile Notifications window without saving the display settings to a new name. Step 3 (Optional) To test the notification channel between ANM and a mobile device, send the device a test message by doing the following: a. Choose the device from the Mobile Devices window and click Send Test Message. The Send Test Message to Device dialog box appears. b. In the dialog box, enter a message (150 characters maximum) to send the device and click Send. ANM sends the test message, which can be verified on the targeted device. Related Topics • Displaying a List of Users, page 18-18 • Configuring ANM with a Proxy Server for ANM Mobile Push Notifications, page 18-67 • Enabling Mobile Device Notifications for Remotely Authorized Users, page 18-69 • Globally Enabling or Disabling Mobile Device Notifications, page 18-69 • Chapter 19, “Using ANM Mobile” Table 18-18 Mobile Notifications Window Field Description Owner Mobile device owner. UUID Unique ID of the user who last logged in to ANM from the mobile device. Device Type Mobile device type. Device OS Mobile device operating system information. Last Registration Time Last time the mobile device passed a device token to ANM. Time Zone1 1. This field is not shown in the default view of the Mobile Notifications window. See Step 2 to manage which fields display. Time zone associated with the mobile device. Last Notification Time1 Last time that ANM sent an alarm notification to the mobile device. 18-72 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 18 Administering the Cisco Application Networking Manager Lifeline Management Lifeline Management You can use the troubleshooting and diagnostics tools provided by the Lifeline feature to report a critical problem to the Cisco support line and generate a diagnostic package. For more information about this feature, see the “Using Lifeline” section on page 20-7. CHAPTER 19-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 19 Using ANM Mobile Date: 3/28/12 This chapter describes Cisco ANM Mobile, which allows you to access your ANM server or ANM Virtual Appliance and manage your devices using a mobile device such as an iPhone or Android smartphone. This chapter contains the following sections: • Information About ANM Mobile, page 19-2 • ANM Mobile Prerequisites and Supported Devices, page 19-4 • Guidelines and Restrictions, page 19-5 • Using ANM Mobile, page 19-5 19-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 19 Using ANM Mobile Information About ANM Mobile Information About ANM Mobile ANM Mobile allows supported mobile devices to access to your ANM server or ANM Virtual Appliance and manage the network objects in much the same way you do from an ANM client. Using a mobile device, you can run ANM Mobile as a native application (app) or inside the mobile device browser. Using either the native app or the mobile device browser, you can perform the following tasks: • Activate or suspend a real server, virtual server, VIP answer, or DNS rule. • Access the status and details of a real server, virtual server, VIP answer, or DNS rule. • Change the weight of a real server. • Display a real-time chart of a real or virtual server statistical metric, such as the number of connections. • Display the Operation Summary (similar to the Device Configuration Summary Panel inside the ANM dashboard) by object type (Real Server, Virtual Server, VIP Answer or DNS Rule) in category of healthy, unhealthy, and others. You can drill down to see the list of objects in the selected category and object type. • (Native app only) Receive alarm notifications from ANM when conditions exist that require your attention. • Add frequently accessed objects to the Favorite screen. • Use the search feature to find managed objects, such as a device, real server, virtual server, VIP answer, or DNS rule. • View the alarm summary and details. • Change the real time chart polling interval and connection time out values. • Save your access credentials. • From ANM’s Mobile Devices window (Admin > Role-Based Access Control > Mobile Devices), system administrators can view the list of registered mobile users and send a test push notification message to a user’s mobile device. Table 19-1 shows the main differences between using ANM Mobile as a native app or using it in the mobile device’s browser. Figure 19-1 provides an overview of ANM Mobile, including the components that are available with the native app only. Table 19-1 Major ANM Mobile Differences Between Native App and Mobile Browser Category Native Application Mobile Browser ANM Notification Service (native app only) Supported Not supported Client application (ANM Mobile) download and installation Required Not required1 1. When using a mobile device browser, you enter the ANM server IP address in the browser address bar, at which point you are redirected to ANM Mobile. Upgrade Required download and installation of latest version Part of the ANM server upgrade process 19-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 19 Using ANM Mobile Information About ANM Mobile Figure 19-1 ANM Mobile Overview The components in Figure 19-1 are as follows: 1. ANM Mobile app—Obtain the no-cost Cisco ANM Mobile app from the app store or market associated with the mobile device. 2. Mobile device login—Enter ANM IP address, username, and password to log in to ANM server or ANM Virtual Appliance from the mobile device. After a successful login, ANM associates the mobile device with the user (see the “Displaying a List of Users” section on page 18-18). 3. Access ANM—Access ANM functionality to monitor your network and perform operational tasks. For more information, see the “Using ANM Mobile” section on page 19-5. 4. Alarm Notifications—ANM sends alarm notifications to a mobile device (native app required) through a proxy service. For more information, see the “Setting Up and Viewing Mobile Device Alarm Notifications” section on page 19-13. 5. Cisco Proxy Service—Standalone server (managed by Cisco IT) that forwards notification messages from ANM to the Apple or Google Push Notification Service. The proxy service, which is hosted by Cisco and used for alarm notifications, manages the push notification messages that ANM issues by forwarding them to the Apple or Android Push Notification Services. For more information, see the “Configuring ANM with a Proxy Server for ANM Mobile Push Notifications” section on page 18-67. 6. Push notification service—Allows a third-party server, such as the ANM server, to send notification messages securely to a mobile device. The push notification services provided by APPLE and Google are used for alarm notifications and are best effort; therefore, the push notification service provided by Cisco is also best-effort. 19-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 19 Using ANM Mobile ANM Mobile Prerequisites and Supported Devices Related Topics • ANM Mobile Prerequisites and Supported Devices, page 19-4 • Guidelines and Restrictions, page 19-5 • Using ANM Mobile, page 19-5 ANM Mobile Prerequisites and Supported Devices This section describes the ANM and mobile device requirements needed to use ANM Mobile. ANM Server and ANM Virtual Appliance Requirements Your ANM server or ANM Virtual Appliance must be using ANM software Version 5.1 or later to access ANM Mobile. To utilize the alarm notification feature, ANM must be configured to send notifications (see the “Administering the ANM Mobile Feature” section on page 18-67). Mobile Device Requirements Table 19-2 shows the mobiles devices that ANM Mobile version 1.0 supports. Use following links to download the ANM Mobile app to your smartphone: • ANM Mobile on iPhone • ANM Mobile on Android • ANM Mobile on Cisco Cius Related Topics • Information About ANM Mobile, page 19-2 • Guidelines and Restrictions, page 19-5 • Using ANM Mobile, page 19-5 Table 19-2 Supported Devices OS Platform Tested Version Native Application Mobile Browser Tested Device Types Apple iOS 4.2 and 4.3 Yes Safari iPhone, iPod, iPad Android 2.2, 2.3.3, 2.3.6 Yes Default Android Browser Tested on the following Android handsets: HTC Inspire 4G, HTC Desire, Google Nexus One, Cisco Cius Note ANM Mobile may also work on other Android devices, but testing was performed on the above-mentioned set of Android handsets. 19-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 19 Using ANM Mobile Guidelines and Restrictions Guidelines and Restrictions ANM Mobile includes the following guidelines and restrictions: • Communication guidelines are as follows: – Communication between ANM Mobile and ANM is secure over HTTPS. Note Ensure that your mobile device network setting permits access to ANM. – User authentication is required to access the web services. – The existing ANM user account is used to log in to ANM from the mobile device. – All the existing RBAC (role-based access control) for the login user are enforced. • The alarm notification feature requires access to the Internet. Depending on your network requirements, ANM can communicate directly with the Cisco proxy service or you can configure ANM to use your proxy server when issuing alarm notifications to the proxy service. For more information, see the “Configuring ANM with a Proxy Server for ANM Mobile Push Notifications” section on page 18-67. • The number of ANM Mobile users that can simultaneously connect to a single ANM server or ANM Virtual Appliance is limited to 35. • (Android devices only) When navigating within the ANM Mobile native app, you must use the navigation tools provided by the native app because the native Android navigation tools are not supported. Related Topics • Information About ANM Mobile, page 19-2 • ANM Mobile Prerequisites and Supported Devices, page 19-4 • Using ANM Mobile, page 19-5 Using ANM Mobile This section shows how to log in to ANM Mobile from your mobile device and then use its features to manage your network. If you are using the ANM Mobile app and want to use the alarm notification feature, this section also describes how to configure ANM and the ANM Mobile to enable this feature. This section includes the following topics: • Logging In and Out of ANM Mobile, page 19-6 • Using the Favorites Feature, page 19-6 • Monitoring Managed Object Status, page 19-7 • Modifying an Object’s Operating State or Weight, page 19-10 • Displaying Real Time Charts, page 19-12 • Using the ANM Mobile Setting Feature, page 19-12 • Setting Up and Viewing Mobile Device Alarm Notifications, page 19-13 19-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 19 Using ANM Mobile Using ANM Mobile Logging In and Out of ANM Mobile This section shows how to log in to and out of ANM Mobile from your mobile device. Prerequisite If you want to log in and use the native app version of ANM Mobile, you must have the Cisco ANM Mobile app loaded on your mobile device. This no-charge app is available at the application store or market associated with any supported mobile device type. Procedure Step 1 From your mobile device, do one of the following depending on whether you are using a browser to access ANM Mobile or using the ANM Mobile native app: • Browser—Open the browser and in the address box, enter the IP address of the ANM server or ANM VA using the following format: https://ANM_IPaddress The Login window appears. Enter your username and password. • ANM Mobile app—Do the following: a. Click the ANM Mobile app icon to launch the application. The Login window appears. b. From the login window, enter the IP address and port number of the ANM server or ANM Virtual Appliance and your username and password. c. (Optional) Change the Save Credentials setting by doing the following: - Click ON to save your user credentials. This is the default. When set to ON, you just have to click Log In to log back in to ANM Mobile. - Click OFF to not save your user credentials. Step 2 Click Log In. The monitor page appears unless you have at least one favorite object specified, in which case the Favorites windows appears (see the “Using the Favorites Feature” section on page 19-6). Step 3 To log out of ANM Mobile, click Settings and click Log Out. Using the Favorites Feature The favorites feature allows you to create short cuts to ANM objects that you frequently access. When you specify at least one favorite object, the Favorites window becomes the home page that appears when you log in to ANM Mobile. Guidelines and Restrictions • Favorite objects that are no longer available are grayed out. Object may no longer be available for the following reasons: – The object no longer exists in the ANM server because the object or the object’s host Virtual Context was deleted. – An RBAC change was made that prevents access by the user. 19-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 19 Using ANM Mobile Using ANM Mobile To remove a grayed out object from the favorites list, you must delete it. • If you are using the ANM Mobile native app and want to receive alarm notifications from ANM, you must specify favorites on ANM Mobile that match the objects that you select for alarm notifications when configuring an alarm threshold group on ANM. For more information, see the “Setting Up and Viewing Mobile Device Alarm Notifications” section on page 19-13. Procedure Step 1 Display the Favorites window by clicking the Favorites button located at the bottom of the window. The Favorites window appears. Step 2 To view a favorite object, click the object from the Favorites list. Step 3 To add an object to the Favorites window, do one of the following: • From the Favorites window, click the Add icon (+) to open the search GUI, from which you can locate and choose the object. To add multiple objects, repeat this step for each object. • From the detailed managed object window, click the Add icon (+). For more information, see the “Monitoring Managed Object Status” section on page 19-7. Step 4 To delete a favorite from the list, do the following: a. Click the favorite to delete and click Edit. The Edit view appears. b. From the Edit view, click the red Delete icon (–) located next to the favorite listing to delete. ANM Mobile removes the favorite from the list. Monitoring Managed Object Status You can monitor the operating status of the managed objects and drill down for details. Figure 19-2 shows a sample of the Device Monitor windows, which can display objects sorted as follows: • Service—Displays objects sorted by the following service types: Real Server, Virtual Servers, VIP Answers, and DNS Rules. • Device—Displays objects sorted by the following device types: ACE Modules, ACE Appliance, CSS, CSM, and GSS. 19-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 19 Using ANM Mobile Using ANM Mobile Figure 19-2 ANM Mobile Monitor Windows: Service Type and Device Type Each object type includes three color-coded status function buttons that list the number of object types in each of the following operational states: • Up (green)—Objects in service. • Down (red)—Objects out of service. • Unknown (yellow)—Object operating state cannot be determined by ANM. The status function buttons allow you to display only the objects of the specified object type and operating state. Table 19-3 lists the details that you can view for each object type when you set the monitor display to Service. Table 19-3 Managed Object Details Object Type Attribute Virtual Server Name Policy Map IP address, protocol, and port number Device Admin status Operating status Server Farm Current Connections Connections per second Dropped Connections per second Dynamic Workload Scaling (DWS) Stat Age 19-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 19 Using ANM Mobile Using ANM Mobile Guidelines and Restrictions ANM Mobile is limited to approximately 7 KB of memory for the monitored objects list. If you have more than 100 monitored objects, ANM Mobile may exhibit performance issues. To avoid performance issues associated with a large number of monitored objects, do the following: • Do not drill down to the detail list screen from the Monitor home page (see Figure 19-2). To display the detail information or the health status of a monitored object, use the search function from the Monitor home page by clicking the search icon (magnifying glass) and entering the object identifier. Real Server Name IP address Port Server Farm Device Admin status Operating status Weight Current connections Connections per second Dropped connections per second Virtual Machine (indicates if the real server is a virtual machine) Locality (OTV) Statistics Age VIP Answer SLB name VIP answer name IP address Config state PGSSM operation status Answer group Location PGSSM time DNS Rule Device name DNS Rule name Source name Domains Config state Answer group Owner PGSSM time Table 19-3 Managed Object Details (continued) Object Type Attribute 19-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 19 Using ANM Mobile Using ANM Mobile If needed, refine your search criteria until the number of objects displayed is reduced to less than 100. When in the search window, limit your use of the drill down (>) option, which can also create performance issues. • For monitored objects that you track frequently, add them to your list of Favorites and access their information from there (see the “Using the Favorites Feature” section on page 19-6). Procedure Step 1 Click Monitor. The View All window appears. Step 2 Click one of the color-coded function buttons associated with an object type to drill down and display a list of objects associated with an object type and operating state (up, down, or unknown). The specified object type details windows appears, displaying a list of the objects in the chosen operating state (up, down, or unknown). Step 3 Do any of the following: • Click a specific object from the list to display details about the object. The information that displays varies depending on the object type (see Table 19-3). From the object details window, you can do the following: – Activate, suspend, or change the weight of an object (see the “Modifying an Object’s Operating State or Weight” section on page 19-10). – Display a real time chart of monitored statistics (see the “Displaying Real Time Charts” section on page 19-12). • Click the Search icon to open the search text box and search for a specific object. Begin entering the search criteria. Object matches display and become more specific as you narrow the search by entering additional search criteria. • Click the Refresh icon to refresh the display. • Click Back to return to the object details window. Related Topics • Modifying an Object’s Operating State or Weight, page 19-10 • Displaying Real Time Charts, page 19-12 Modifying an Object’s Operating State or Weight You can use ANM Mobile to activate or suspend a real server, virtual server, VIP answer or DNS rule. For real servers only, you can change the weight assigned to the server. Procedure Step 1 Use one of the following methods to display the details window of a specific object: 19-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 19 Using ANM Mobile Using ANM Mobile • Choose Monitor > Service, choose a specific device type, and drill down (>) to the object details window. • Click Favorites, choose a specific favorite and drill down (>) to the object details window. • Click the Search icon (magnifying glass), enter the device search criteria, choose the device, and drill down (>) to the object details window. • Click Alarm, choose a specific device type and drill down (>) to the object details window. Step 2 From the object details window, do one of the following: • Click Activate to activate an object that s currently suspended. The Activate dialog box appears. In the dialog box, do the following: a. Enter a reason for the change. b. Click Deploy to execute the change or Cancel to ignore the change. • Click Suspend to suspend an object currently activated. The Suspend dialog box appears. In the dialog box, do the following: a. Enter a reason for the change. b. Choose one of the following types of suspend operations from the drop-down list: - Suspend—Takes the object out of service. For a real server, the ACE resets all non-TCP connections to the server. For TCP connections, existing flows are allowed to complete before the ACE takes the real server out of service. No new connections are allowed. The ACE resets all Secure Sockets Layer (SSL) connections to the real server. - Graceful—When executed on a primary server, the ACE gracefully shuts down the server with sticky connections as follows: – Tears down existing non-TCP connections to the server. – Allows current TCP connections to complete. – Allows new sticky connections for existing server connections that match entries in the sticky database. – Load balances all new connections (other than the matching sticky connections mentioned above) to the other servers in the server farm. – When executed on a backup real server, the ACE places the backup server in service standby mode. - Suspend and Clear Connections—The ACE performs the tasks described for Suspend and clears the existing connections to this server. c. Click Deploy to execute the change or Cancel to ignore the change. • (Real server only) Click Change Weight to change weight assigned to a real server. The Change Weight dialog box appears. In the dialog box, do the following: a. Enter a reason for the change. b. Enter the new weight value. The valid range is 1 to 100. c. Click Deploy to execute the change or Cancel to ignore the change. The activity indicator appears for 30 seconds until it is determined that the operation succeeded, failed, or timed out. If the operation is successful, the object detail window is reloaded with the latest data and updated timestamp. 19-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 19 Using ANM Mobile Using ANM Mobile Displaying Real Time Charts You can display real time statistical information about the connections of a real server or a virtual server. Information that you can display in chart form are current connections, connections per second, or dropped connections per second. Guidelines and Restrictions The chart never displays more than 5 minutes worth of statistical information. Procedure Step 1 Use one of the following methods to display the details window of a specific real server or a virtual server: • Choose Monitor > Service, choose a specific device type, and drill down (>) to the object details window. • Click Favorites, choose a specific favorite and drill down (>) to the object details window. • Click the Search icon (magnifying glass), enter the device search criteria, choose the device, and drill down (>) to the object details window. • Click Alarm, choose a specific device type and drill down (>) to the object details window. Step 2 From the details window, click the Chart icon located next to the statistic to chart. The chart window appears. Step 3 Do the following: • Click the Refresh icon to refresh the display. • To adjust the polling time, click Settings (see the“Using the ANM Mobile Setting Feature” section on page 19-12). The default polling time is 10 seconds. • Click Back to return to the object details window. Using the ANM Mobile Setting Feature The ANM Mobile Setting feature allows you to do the following: • Display the ANM IP address. • Display ANM Mobile software information. • Adjust the connection timeout value and polling interval. • Enable or disable push notifications, sound, and alerts. • Submit an ANM user feedback form to Cisco. Procedure Step 1 From the All Devices or Favorites window, click Settings. The Settings window appears. Step 2 From the Settings window, do the following: 19-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 19 Using ANM Mobile Using ANM Mobile • Click About to do the following: – Display details about the version of ANM Mobile that you are using and the version of ANM software being used by the ANM server or ANM Virtual Appliance that you are accessing. – Click UDID to display the unique device ID (UDID). • Click Advanced to access the Advanced Details window and modify the following settings: – Connection Timeout—Sets the amount of idle time (in seconds) at which the connection closes. Choose 10, 30 (default), or 60. – Polling Interval—Sets the frequency (in seconds) at which real time information, such as graph information, is updated. Choose 5, 10 (default), or 30. • Click the ON/OFF toggle buttons to enable or disable the following features: – Push Notifications—When enabled (ON), allows your mobile device to receive alarm notifications that ANM issues to a push notification service. For more information, see the “Setting Up and Viewing Mobile Device Alarm Notifications” section on page 19-13. – Sound—(Android only) When enabled (ON), your mobile device sounds an alert to let you know that it received an alarm notification from ANM. Note To modify this setting on an iPod, see the “Managing iPod Alarm Notification Sound and Alerts” section on page 19-16. – Alert—(Android only) When enabled (ON), your mobile device displays an alert message to let you know that it received an alarm notification from ANM. Note To modify this setting on an iPod, see the “Managing iPod Alarm Notification Sound and Alerts” section on page 19-16. • Click the Form pen icon ( ) to fill out and submit the ANM user feedback form hosted on www.ciscofeedback.vovici.com. Setting Up and Viewing Mobile Device Alarm Notifications Note The alarm notifications feature requires the ANM Mobile app on your mobile device. You can receive alarm notifications that ANM sends to your mobile device (see Figure 19-1) when specific virtual context alarm thresholds are exceeded. ANM Mobile app users can enable or disable the alarm notification feature, which allows them to choose when to receive alarm notifications from ANM. ANM administrators can enable or disable the alarm notification feature, which allows them to choose when to transmit alarm notifications to the ANM Mobile app. Supported real and virtual server alarm conditions are as follows: • Current connections—ANM can send an alarm notification when the number of active connections to a server exceeds a specific amount. • Operational state—ANM can send an alarm when a server’s operational state changes. 19-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 19 Using ANM Mobile Using ANM Mobile Guidelines and Restrictions This topics includes the following guidelines and restrictions: • The ANM objects that you select for alarm notifications when configuring an alarm threshold group must match objects that you select as favorites on ANM Mobile. Alarm threshold groups are configured at the virtual context level; therefore, to receive alarm notifications for an object that you specify as a favorite, the object favorite must be part of the virtual context in the threshold group. • The alarms that ANM Mobile displays depends on how the user is authorized as follows: – Locally authorized users—ANM displays only alarms that are permitted based on the domains and roles assigned to the user account (see the Prerequisites for this topic). – Remotely authorized users—By default, ANM does not send alarm notifications to remotely authorized user accounts; however, you can modify the ANM configuration so that ANM sends all alarm notifications to this user type regardless of the domains and roles assigned to them (see the Prerequisites for this topic). • From ANM, you can do the following: – Enable or disable the alarm notification feature, which allows you to choose when to transmit alarm notifications to the ANM Mobile app (see the “Enabling Alarm Notifications on ANM Mobile” section on page 19-15). – Send a test alarm notification to a mobile device to test the notification channel (see the “Displaying Mobile Device Notifications and Testing the Notification Channel” section on page 18-70). You can send a test message to a mobile device even when you have globally disabled mobile alarm notifications in ANM. Prerequisites The prerequisites for this topic are as follows: • ANM prerequisites: – ANM software Version 5.1 or later. – Alarm threshold groups are configured on ANM for mobile device alarm notifications. For details about creating an alarm threshold group, see the “Configuring Alarm Notifications on ANM” section on page 17-57. – Alarm notifications are enabled globally in ANM. For details, see the “Enable Mobile Notifications from ANM” section on page 18-66. – For locally authorized users, their user account has the required role and domains associated with it. Note The user role must have the anm_threshold attribute set at least to View. For more information, see the “Managing User Accounts” section on page 18-17. – For remotely authorized users, the ANM configuration is modified to enable ANM to send these users alarm notifications. For more information, see the “Enabling Mobile Device Notifications for Remotely Authorized Users” section on page 18-69. • Mobile device prerequisites: – The ANM Mobile app is loaded on your supported mobile device. – ANM objects specified as favorites on your mobile device match the objects in an ANM alarm threshold group. For example, specific real or virtual servers that are favorites on your mobile device are also specified as objects in an ANM alarm threshold group. 19-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 19 Using ANM Mobile Using ANM Mobile For information about specifying favorites on your mobile device, see the “Using the Favorites Feature” section on page 19-6. This section includes the following topics: • Enabling Alarm Notifications on ANM Mobile, page 19-15 • Viewing Alarm Notifications from ANM Mobile, page 19-15 Enabling Alarm Notifications on ANM Mobile From your mobile device, you can specify whether to receive or not receive alarm notifications from ANM by using the Setting button to modify the ANM Mobile operational settings. For details about using this button, see the “Using the ANM Mobile Setting Feature” section on page 19-12. Related Topics • Using the ANM Mobile Setting Feature, page 19-12 • Setting Up and Viewing Mobile Device Alarm Notifications, page 19-13 • Viewing Alarm Notifications from ANM Mobile, page 19-15 • Managing iPod Alarm Notification Sound and Alerts, page 19-16 Viewing Alarm Notifications from ANM Mobile From your mobile device, you can view alarm notifications that ANM sends to the device. For each notification, you can drill down to view the device details. Procedure Step 1 Click Alarms. The Alarm Summary window appears, displaying the list of received alarms that you are permitted to view (see the Prerequisites for this topic). Step 2 (Optional) Click the drill-down icon (>) associated with a specific alarm to display details about the alarm. The Alarm Detail window appears, displaying the following information: • Timestamp • Severity • Device • Service • Threshold Group • Category • Stat/Value Step 3 (Optional) From the Service category, click the drill-down (>) icon to display the object Details window related to the real or virtual server associated with the alarm notification. Step 4 (Optional) From the object Details window, do any of the following: 19-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 19 Using ANM Mobile Using ANM Mobile • Click View Graph to display the graphs associated the following real server and virtual server items: Current Connections, Connections/Sec, or Dropped Connection/Sec. For more information, see the “Displaying Real Time Charts” section on page 19-12. • Click Activate, Suspend, or Change Weight to change the object’s operating state or weight. For more information, see the “Modifying an Object’s Operating State or Weight” section on page 19-10. Related Topics • Setting Up and Viewing Mobile Device Alarm Notifications, page 19-13 • Enabling Alarm Notifications on ANM Mobile, page 19-15 • Managing iPod Alarm Notification Sound and Alerts, page 19-16 • Using the ANM Mobile Setting Feature, page 19-12 Managing iPod Alarm Notification Sound and Alerts You can manage the alarm notification sound and alert features on your iPod that let you know when an alarm notification is received from ANM. Note To manage the alarm notification sound and alert features on your Android device, see the “Using the ANM Mobile Setting Feature” section on page 19-12. Procedure Step 1 From your IPod Setting window, choose Notifications > ANM Mobile to drill down to the ANM Mobile settings. The Notifications, ANM Mobile window appears. Step 2 From the Notifications, ANM Mobile window, click the ON/OFF toggle buttons to enable or disable the following features: – Sound—When enabled (ON), your iPod sounds an alert to let you know that it received an alarm notification from ANM. – Alert—When enabled (ON), your iPod displays an alert message to let you know that it received an alarm notification from ANM. Related Topics • Enabling Alarm Notifications on ANM Mobile, page 19-15 • Viewing Alarm Notifications from ANM Mobile, page 19-15 CHAPTER 20-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 20 Troubleshooting Cisco Application Networking Manager Problems Date: 3/28/12 This chapter describes how to troubleshoot ANM issues. Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This chapter includes the following sections: • Changing ANM Software Configuration Attributes, page 20-1 • Discovering and Adding a Device Does Not Work, page 20-7 • Cisco License Manager Server Not Receiving Syslog Messages, page 20-7 • Using Lifeline, page 20-7 • Backing Up and Restoring Your ANM Configuration, page 20-11 For additional troubleshooting information, see the Installation Guide forCisco Application Networking Manager 5.2 or the Installation Guide forCisco Application Networking Manager 5.2 Virtual Appliance Changing ANM Software Configuration Attributes After you have installed the ANM, you can reconfigure ANM software configuration attributes, such as enabling HTTP(S) for Web Services, or the ports that ANM uses for communication with the network devices. For information about the ports that ANM uses, see Appendix A, “ANM Ports Reference.” This section includes the following topics: • Changing ANM Configuration Properties, page 20-2 • Example ANM Standalone Configuration, page 20-4 • Example ANM HA Configuration, page 20-5 20-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 20 Troubleshooting Cisco Application Networking Manager Problems Changing ANM Software Configuration Attributes • Example ANM Advanced Options Configuration Session, page 20-6 Changing ANM Configuration Properties This section shows how to change the ANM configuration properties. The procedure varies slightly depending on the ANM application type; ANM server or ANM Virtual Appliance. Procedure Step 1 Do one of the following depending on the ANM application type: • ANM server: From the Linux command line, log in as the root user. • ANM Virtual Appliance: Log in as administrator using SSH or console. Step 2 Do one of the following: • For a standard configuration change, enter the following depending on the ANM application type: – ANM server: /opt/CSCOanm/bin/anm-tool configure – ANM Virtual Appliance: anm-tool configure • To reconfigure with the advanced-options, enter the following depending on the ANM application type: – ANM server: /opt/CSCOanm/bin/anm-tool --advanced-options=1 configure – ANM Virtual Appliance: anm-tool configure advanced-options • (ANM server only) To switch between an HA and a non-HA system configuration, do one of the following: – To switch from a HA to a non-HA system configuration, enter the following: /opt/CSCOanm/bin/anm-tool --ha=0 configure – To switch from a non-HA to a HA system configuration, enter the following: /opt/CSCOanm/bin/anm-tool --ha=1 configure The Keep existing ANM configuration? [y/n]: prompt appears. Step 3 At the prompt, enter n (no). The current configuration information appears. For each configuration property, the current value is displayed in square brackets. Step 4 Do one of the following: • To accept the current value for a configuration property, press Enter. • To change a configuration property, enter the appropriate information. When reconfiguring ANM using the advanced-options command, the configuration sequence includes prompts applicable to the web server that serves requests for the ANM Web Service API. The Web Service API provides SOAP-based programmatic access to the functionality of ANM. By default, it is disabled. You can enable it using this option. The advanced options attributes and their default setting are as follows: • Enable HTTP for Web Server: false 20-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 20 Troubleshooting Cisco Application Networking Manager Problems Changing ANM Software Configuration Attributes Caution Remember that enabling HTTP makes the connection to ANM less secure. • Inbound Port for HTTP traffic to ANM Default: 80 • Enable HTTPS for Web Server: true • Inbound Port for HTTPS traffic to ANM Default: 443 • HTTP Port of Web Services: 8080 • Enable HTTP for Web Services: false • HTTPS Port of Web Services: 8443 • Enable HTTPS for Web Services: false • Idle session timeout in msec: 1800000 The idle session timeout applies to user sessions for the ANM GUI. Users who are idle for an amount of time greater than this value are automatically logged off the application. By default, this setting is 1800000 milliseconds, or 30 minutes. • Change the memory available to ANM process: low Check the available physical memory; if it is less than 3.5 G, then set the memory size to low (1 G), which is the default. If the available physical memory is greater than 3.5 G, set the memory size to high (2 G). Note If you set the memory size to high and ANM determines that there is not enough available physical memory, it sets the memory size to low. Note (ANM server only) When modifying the memory size in an ANM HA configuration, perform the change as follows: a. Stop both ANM servers (active and standby). b. Change the memory size on both ANM servers (Steps 1 to 4 above). c. Restart the ANM server that you want to operate in the active state (Step 5 below). d. Restart the standby ANM server (Step 5 below). After you have accepted or changed all of the configuration property values, a list of all the properties appears and the “Commit these values? [y/n/q]” prompt appears. Step 5 At the Commit prompt, do one of the following: • To accept the value and restart the ANM, enter y (yes). Note If you modified the advanced options, restarting ANM may interfere with active sessions in the ANM web interface. Note If you receive errors when attempting to change the HA properties configuration values, check the node ID to be sure they are not switched. • To go through the list of configuration properties again, enter n (no). 20-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 20 Troubleshooting Cisco Application Networking Manager Problems Changing ANM Software Configuration Attributes • To retain the original property values and exit the configuration session, enter q (quit). Example ANM Standalone Configuration This section contains an example of a configuration session for an ANM standalone system.The values shown in the brackets are the currently configured values. /opt/CSCOanm/bin/anm-tool configure Configuring ANM Checking ANM configuration files Keep existing ANM configuration? [y/n]: n Creating config file (/opt/CSCOanm/etc/cs-config.properties) Enable HTTP for Web Server [true]: Inbound Port for HTTP traffic to ANM Default [80]: Enable HTTPS for Web Server [true]: Inbound Port for HTTPS traffic to ANM Default [443]: These are the values: Enable HTTP for Web Server: true Inbound Port for HTTP traffic to ANM Default: 80 Enable HTTPS for Web Server: true Inbound Port for HTTPS traffic to ANM Default: 443 Commit these values? [y/n/q]: y Committing values ... done Keeping existing configuration: /opt/CSCOanm/lib/java/thirdparty/ctm_config.txt Stopping services Stopping monit services (/etc/monit.conf) ... (0) Stopping monit ... Stopped Stopping heartbeat ... Stopped Installing system configuration files Backing up //opt/CSCOanm/etc/my-local.cnf Setting service attributes Enabling mysql for SELinux setsebool: SELinux is disabled. Service monit is started by OS at boot time Starting mysql ... Started mysql status ... Ready Configuring mysql Checking mysql user/password Setting mysql privileges Disabling mysql replication Starting services Starting monit ...Starting monit daemon with http interface at [*:2812] Started 20-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 20 Troubleshooting Cisco Application Networking Manager Problems Changing ANM Software Configuration Attributes Example ANM HA Configuration Note The information in this section pertains to the ANM server application only. The following is an example of a configuration session for an ANM HA system. Standalone systems will not contain any HA properties but will include a limited property value configuration. The values shown in the brackets are the currently configured values. /opt/CSCOanm/bin/anm-tool configure Configuring ANM Checking ANM configuration files Keep existing ANM configuration? [y/n]: n Creating config file (/opt/CSCOanm/etc/cs-config.properties) Enable HTTP for Web Server [false]: true Inbound Port for HTTP traffic to ANM Default [80]: 80 Enable HTTPS for Web Server [true]: Inbound Port for HTTPS traffic to ANM Default [443]: Database Password [nI4ewPbmV51S]: passme HA Node 1 UName []: anm49.cisco.com HA Node 2 UName []: anm50.cisco.com HA Node 1 Primary IP [0.0.0.0]: 10.77.240.126 HA Node 2 Primary IP [0.0.0.0]: 10.77.240.100 HA Node 1 HeartBeat IP [0.0.0.0]: 10.10.10.1 HA Node 2 HeartBeat IP [0.0.0.0]: 10.10.10.2 HA Virtual IP [0.0.0.0]: 10.77.240.101 HA Node ID [1 or 2] []: 1 These are the values: Enable HTTP for Web Server: true Inbound Port for HTTP traffic to ANM Default: 80 Enable HTTPS for Web Server: true Inbound Port for HTTPS traffic to ANM Default: 443 Database Password: passme HA Node 1 UName: anm49.cisco.com HA Node 2 UName: anm50.cisco.com HA Node 1 Primary IP: 10.77.240.126 HA Node 2 Primary IP: 10.77.240.100 HA Node 1 HeartBeat IP: 10.10.10.1 HA Node 2 HeartBeat IP: 10.10.10.2 HA Virtual IP: 10.77.240.101 HA Node ID [1 or 2]: 1 Commit these values? [y/n/q]: y Committing values ... done Keeping existing configuration: /opt/CSCOanm/lib/java/thirdparty/ctm_config.txt Stopping services Stopping monit services (/etc/monit.conf) ... (0) Stopping monit ... Stopped Stopping heartbeat ... Stopped Installing system configuration files Setting service attributes Enabling mysql for SELinux Service monit is started by OS at boot time 20-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 20 Troubleshooting Cisco Application Networking Manager Problems Changing ANM Software Configuration Attributes Starting mysql ... Started Configuring mysql Checking mysql user/password Setting mysql privileges Enabling mysql replication Setting up database executing /opt/CSCOanm/lib/install/etc/dcmdb.sql ... done Starting services Starting monit ... Started Example ANM Advanced Options Configuration Session The following is an example of a configuration session for an ANM advanced options.The values shown in the brackets are the currently configured values. Note The anm-tool command in the example uses the ANM server version of the command for modifying the advanced options. The ANM Virtual Appliance version of the command is anm-tool configure advanced-options. The information that displays after entering the command is the same for both applications. /opt/CSCOanm/bin/anm-tool --advanced-options=1 configure Configuring ANM Checking ANM configuration files Keep existing ANM configuration? [y/n]: n Creating config file (/opt/CSCOanm/etc/cs-config.properties) Enable HTTP for Web Server [false]: Inbound Port for HTTP traffic to ANM Default [80]: Enable HTTPS for Web Server [true]: Inbound Port for HTTPS traffic to ANM Default [443]: HTTP Port of Web Services [8080]: Enable HTTP for Web Services [false]: HTTPS Port of Web Services [8443]: Enable HTTPS for Web Services [false]: Idle session timeout in msec [1800000]: Change the memory available to ANM process [low|high] [low]: These are the values: Enable HTTP for Web Server: false Inbound Port for HTTP traffic to ANM Default: 80 Enable HTTPS for Web Server: true Inbound Port for HTTPS traffic to ANM Default: 443 HTTP Port of Web Services: 8080 Enable HTTP for Web Services: false HTTPS Port of Web Services: 8443 Enable HTTPS for Web Services: false Idle session timeout in msec: 1800000 20-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 20 Troubleshooting Cisco Application Networking Manager Problems Discovering and Adding a Device Does Not Work Change the memory available to ANM process [low|high]: low Commit these values? [y/n/q]: y Committing values ... done Keeping existing configuration: /opt/CSCOanm/lib/java/thirdparty/ctm_config.txt Stopping services Stopping monit services (/etc/monit.conf) ... (0) Discovering and Adding a Device Does Not Work After IP discovery has checked the network and made a list of devices of each type, the device import may have failed when you tried to import the device. The device import may not have worked because IP discovery uses Telnet and SNMP to discover potential devices, while ANM requires SSH to import a device. So it is likely that IP discovery may have found some devices that cannot be imported or may not have found devices that could be imported. To update the device so that it can be imported by ANM, see the “Preparing Devices for Import” section on page 5-4. To add the device, use the Config > Devices > Add method. For detailed procedures, see the “Importing Network Devices into ANM” section on page 5-10. Cisco License Manager Server Not Receiving Syslog Messages Firewall settings are implemented as IP tables with Red Hat Enterprise Linux 5.2, and might drop syslog traffic. If you are not receiving syslog messages even after following the procedure documented in the “Enabling a Setup Syslog for Autosync for Use With an ACE” section on page 5-27, perform the procedure in this section. Procedure Step 1 Update the rules in your IP tables using the command line. Step 2 Make sure the default syslog port 514 is open as noted in Appendix A, “ANM Ports Reference.” Using Lifeline Diagnosing network or system-related problems that happen in real time can consume a considerable amount of time and lead to frustration even for a system expert. When a critical problem occurs within the ANM system or the network components managed by the ANM, you can use the troubleshooting and diagnostics tools provided by the Lifeline feature to report to the Cisco support line and generate a diagnostic package. Support engineers and developers can subsequently reconstruct your system and debug the problem using the comprehensive information captured in the lifeline. 20-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 20 Troubleshooting Cisco Application Networking Manager Problems Using Lifeline Lifeline takes a snapshot of the running system configuration, status, buffers, logs, thread dumps, messages, CLI device configuration commands, device show run commands, and so on. It gathers a period of historical network and system events that have been recorded directly preceding the event. If required, Lifeline can back up and package the ANM database or a file subdirectory or trace and package a period of traffic flow packets for a specified virtual context. The following sections describe how to use the Lifeline feature: • Guidelines for Using Lifeline, page 20-8 • Creating a Lifeline Package, page 20-8 • Downloading a Lifeline Package, page 20-9 • Adding a Lifeline Package, page 20-10 • Deleting a Lifeline Package, page 20-11 Guidelines for Using Lifeline Lifelines can be created when unwanted events occur. Under such circumstances, available resources could be extremely low (CPU and memory could be nearly drained). You should be aware of the following: • Create a Lifeline package after you encounter a problem that might require customer support assistance. The package is meant to be viewed by customer support. • Lifeline collects debug data from diagnostic generators based on priority – most important to least important. When the total data size reaches 200 MB, the collector stops collecting, and data from generators with lower priorities can be lost. For details on content, size, time, state, and any dropped data, see the Readme file included in each Lifeline package. • Lifeline collects the last 25 MB of data from the file and truncates the beginning content. • Lifelines are automatically packaged by the system in zip files. The naming convention for a lifeline package is “lifeline-yyMMdd-hhmmss.zip”. For example, lifeline-07062-152140.zip is a Lifeline package created at 3:21:40 PM, June 22, 2007. • Only one Lifeline package is created at a time. The system will reject a second request made before the first Lifeline has been packaged. • Lifeline times out in 60 minutes. • A maximum of 20 Lifeline packages are stored at a time. Creating a Lifeline Package You can create a lifeline package. Assumptions This section assumes the following: • ANM is installed and running. • You have reviewed the guidelines for managing lifelines (see the “Guidelines for Using Lifeline” section on page 20-8). 20-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 20 Troubleshooting Cisco Application Networking Manager Problems Using Lifeline • You have opened a case with Cisco technical support. Procedure Note Your user role determines whether you can use this option. Step 1 Choose Admin > Lifeline Management. Step 2 Enter a description for the package (required). The description can include information about why the package is being created, who requested the package, and so forth. Step 3 Click Save. The package is created in the following format: lifeline-yyMMdd-hhmmss.zip, and displays in the Lifelines pane.The package size, name, and generation date display in the New Lifeline window. Note Do not perform any module maintenance until the package is created. Step 4 After the package is created, do one of the following: • Click Download to save the package to a directory on your computer or to view the package contents. See the “Downloading a Lifeline Package” section on page 20-9. • Click Add to add the package to the ANM database. See the “Adding a Lifeline Package” section on page 20-10. • Click Delete to delete the package. See the “Deleting a Lifeline Package” section on page 20-11. Related Topics • Using Lifeline, page 20-7 • Creating a Lifeline Package, page 20-8 • Adding a Lifeline Package, page 20-10 • Downloading a Lifeline Package, page 20-9 Downloading a Lifeline Package Note Your user role determines whether you can use this option. You can download a package for displaying or saving to your local drive. Assumption You have created a package (see the “Creating a Lifeline Package” section on page 20-8). Procedure Step 1 Choose Admin > Lifeline Management. 20-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 20 Troubleshooting Cisco Application Networking Manager Problems Using Lifeline Step 2 Choose the package (Lifeline) from the list. Step 3 Click Download. The package is sent to your web browser, with which you can save or view the package. Note Do not perform any module maintenance until the package download to your web browser has completed. Related Topics • Using Lifeline, page 20-7 • Creating a Lifeline Package, page 20-8 • Adding a Lifeline Package, page 20-10 • Deleting a Lifeline Package, page 20-11 Adding a Lifeline Package Note Your user role determines whether you can use this option. You can add a package to the ANM database. Assumption You have created a package (see the “Creating a Lifeline Package” section on page 20-8). Procedure Step 1 Choose Admin > Lifeline Management. The Lifeline Management window appears. Step 2 In the Lifeline Management window, enter a description and click Add. The package is added to the Lifelines list, and the window refreshes. Note Do not perform any module maintenance until the package is added to the list. Related Topics • Using Lifeline, page 20-7 • Creating a Lifeline Package, page 20-8 • Downloading a Lifeline Package, page 20-9 • Deleting a Lifeline Package, page 20-11 20-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 20 Troubleshooting Cisco Application Networking Manager Problems Backing Up and Restoring Your ANM Configuration Deleting a Lifeline Package Note Your user role determines whether you can use this option. You can delete a package. Procedure Step 1 Choose Admin > Others > Lifeline Management. The Lifeline Management window appears. Step 2 From the list of lifelines in the Lifeline Management window, choose a lifeline to delete. The details of the lifeline display. Step 3 Click Delete. A confirmation popup window displays that requests you confirm the deletion. Step 4 Click OK to delete the package. The Lifeline Management window display updates. Related Topics • Using Lifeline, page 20-7 • Creating a Lifeline Package, page 20-8 • Adding a Lifeline Package, page 20-10 • Downloading a Lifeline Package, page 20-9 Backing Up and Restoring Your ANM Configuration You can create a backup of your ANM configuration and restore it if necessary. We recommend that you periodically create a backup of ANM. The procedures for creating a backup and restoring your ANM configuration vary depending on which of the following ANM applications you are using: • ANM server: See the Installation Guide forCisco Application Networking Manager 5.2 for the backup and restore procedures. • ANM Virtual Appliance: See the Installation Guide forCisco Application Networking Manager 5.2 Virtual Appliance for the backup and restore procedures. Note For details about using the ACE device backup and restore functions in ANM, see the “Performing Device Backup and Restore Functions” section on page 6-59. The backup and restore functions allow you to back up or restore the configuration and dependencies of an entire ACE or of a particular virtual context. 20-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Chapter 20 Troubleshooting Cisco Application Networking Manager Problems Backing Up and Restoring Your ANM Configuration A-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 APPENDIX A ANM Ports Reference Date: 3/28/12 ANM uses specific ports for its processes. Figure A-1 illustrates a typical ANM server deployment in a network. This illustration identifies the protocols and ports used by the different network devices in a typical deployment. • Table A-1 lists the ports used for ANM client (browser) or ANM server and ANM high availability communication. • Table A-2 lists the ports used for communication between ANM and managed devices. A-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix A ANM Ports Reference Figure A-1 ANM Server Deployment HTTP (TCP:80) or HTTPS (TCP:443) ANM (HA Primary) ANM (HA Secondary) SSH (TCP:22) HA (TCP:10444 & TCP: 10445) GSS Java RMI (TCP:2001 & TCP:3009) CSS DB (TCP: 3306) SSH (TCP:22) or Telnet (TCP:23) SNMP (UDP:161 & UDP:162) ACE module SSH (TCP:22) & HTTPS (TCP:443) SNMP (UDP:161 & UDP:162) SYSLOG (UDP:514) Chassis (C6K switch or 7600 router) SSH (TCP:22) or Telnet (TCP:23) CSM SNMP (UDP:161 & UDP:162) Note: For CSM, all communication is performed with the Chassis (Cat6K or 7600). SMTP (TCP: 25) User Email Gateway External NMS application SNMP (UDP: 162) 199929 ACE appliance SSH (TCP:22) & HTTPS (TCP:10443) SNMP (UDP:161 & UDP:162) SYSLOG (UDP:514) VMware Default HTTPS (TCP:443) vCenter Server A-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix A ANM Ports Reference Table A-1 Ports Used by ANM in a Network Deployment1 1. It is highly recommended that you run ANM on a stand-alone device. However, if you run ANM on a shared device, please note that ANM locally opens the following ports for internal communication: TCP Ports: 8980, 10003, 10004, 10023, 10443, 40000, 40001, 40002, 40003 UDP Ports: 6120, 10003 Port Description TCP (80) Default port if ANM is configured for access using HTTP (using anm-installer). TCP (443) Default port if ANM is configured for access using HTTPS (using default install option). TCP (3306) MySQL Database system (ANM HA installation opens this port to communicate with the peer ANM). TCP (10444) and TCP (10445) ANM License Manager (ANM HA installation opens these two ports to communicate with the peer ANM). TCP (25) Port used by ANM server to communicate to Email Gateway through SMTP. UDP (162) Port used by ANM server to send out trap notification to external NMS application. HTTP(8080) and HTTPS (8443) Web service ports. Table A-2 Ports Used by ANM for Communication with Managed Devices Device Type Port Description Chassis (Catalyst 6500 switch or Cisco 7600 router) SSH (TCP:22) or Telnet (TCP:23) Discover chassis configuration. ACE (appliance or module) HTTPS (TCP:443) For ACE module: XML/HTTPS interface on the device used to discover, configure, and monitor using specific show CLI commands. HTTPS (TCP:10443) For ACE appliance: XML/HTTPS interface on the device used to discover, configure, and monitor using specific show CLI commands. SSH (TCP: 22) Discovery and configuration of ACE licenses, certificates/keys (crypto) licensing, scripts, and checkpoints. SNMP (UDP: 161 & UDP:162) Monitor ACE through SNMP requests (UDP: 161) and receive trap notifications (UDP: 162). CSM SNMP (UDP: 161 & UDP:162) Monitor CSM through SNMP requests (UDP: 161) and receive trap notifications (UDP: 162). A-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix A ANM Ports Reference CSS SSH (TCP:22) or Telnet (TCP:23) Discover chassis configuration. SNMP (UDP: 161 & UDP:162) Monitor CSS through SNMP requests (UDP: 161) and receive trap notifications (UDP: 162) GSS SSH (TCP:22) Discover chassis configuration and monitoring operational status of DNS rules and VIP answers. RMI (TCP:2001 & TCP:3009) Activate/suspend DNS rules and VIP answers. vCenter Server Default HTTPS (TCP:443) Communicate with the vCenter Server and vSphere Client in a VMware virtual data center environment. For more information about using the plug-in that is available with ANM to integrate ANM with a VMware virtual data center environment, see Appendix B, “Using the ANM Plug-In With Virtual Data Centers.” Table A-2 Ports Used by ANM for Communication with Managed Devices (continued) Device Type Port Description B-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 APPENDIX B Using the ANM Plug-In With Virtual Data Centers Date: 3/28/12 This appendix describes how to integrate ANM sever with VMware vCenter Server, which is a third-party product for creating and managing virtual data centers. Using VMware vSphere Client, you can access ANM functionality and manage the ACE real servers that provide load-balancing services for the virtual machines in your virtual data center. Note When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on), enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed. If you are using ANM with an ACE module or ACE appliance and you configure a named object at the ACE CLI, keep in mind that ANM does not support all of the special characters that the ACE CLI allows you to use when configuring a named object. If you use special characters that ANM does not support, you may not be able to import or manage the ACE using ANM. This appendix includes the following sections: • Information About Using ANM With VMware vCenter Server, page B-2 • Information About the Cisco ACE SLB Tab in vSphere Client, page B-3 • Prerequisites for Using ANM With VMware vSphere Client, page B-4 • Guidelines and Restrictions, page B-5 • Registering or Unregistering the ANM Plug-in, page B-5 • Logging In To ANM from VMware vSphere Client, page B-7 • Using the Cisco ACE SLB Tab, page B-8 • Managing ACE Real Servers From vSphere Client, page B-12 • Using the VMware vSphere Plug-in Manager, page B-22 B-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Information About Using ANM With VMware vCenter Server Information About Using ANM With VMware vCenter Server This section describes how you can integrate ANM server into a VMware virtual data center environment. This feature enables you to access ANM functionality from within the VMware environment to provision the application delivery services that the ACE real servers provide. ANM version 3.1and later includes the ANM plug-in for vCenter Server that enables the integration of ANM with the VMware environment as shown in Figure B-1. Figure B-1 ANM Integrated With VMware vCenter Server and vSphere Client From the ANM GUI, you register the ANM plug-in by specifying a VMware vCenter Server and ANM server attributes that enables ANM to communicate with VMware vCenter Server and vSphere Client using HTTPS and default port 443. When the plug-in is registered, the VMware vSphere Client GUI displays the Cisco ACE SLB tab when you select a virtual machine (VM) from the client GUI. You click on the Cisco ACE SLB tab to log into ANM from the VMware vSphere Client and perform the following tasks: • Define a virtual machine (VM) as a real server on ANM and associate it with an existing ACE virtual context and server farm. • Monitor application traffic flow for virtual machines through the ACE. • Activate and suspend application traffic flows through the ACE for the associated real servers. • Add or delete real servers from the list of servers associated with a VM. VM VM VM 199935 VMware vCenter VMware vSphere Client Cisco Application Control Engine (ACE) Client Client Client Network Infrastructure Cisco ANM Dedicated Server or Virtual Appliance VMware ESX (i) Host VM VM VM VMware ESX (i) Host B-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Information About the Cisco ACE SLB Tab in vSphere Client Note In addition to ACE devices, the Cisco ACE SLB tab also displays services on the Content Services Switch (CSS) and real servers on the Cisco Content Switching Module (CSM) devices associated with a virtual machine. For these device types, from the Cisco ACE SLB tab, you can activate or suspend the services or real servers but you cannot add or delete these items. For information about how ANM maps real servers to VMware virtual machines, see the “Mapping Real Servers to VMware Virtual Machines” section on page 5-68. For more information about the Cisco ACE SLB tab, see the “Information About the Cisco ACE SLB Tab in vSphere Client” section on page B-3 and “Using the Cisco ACE SLB Tab” section on page B-8. Information About the Cisco ACE SLB Tab in vSphere Client This section describes the components of the Cisco ACE SLB tab that display in vSphere Client when you choose a VM from the VM tree (see Figure B-2). Figure B-2 Cisco ACE SLB Tab in vSphere Client Table B-1 describes the callouts in Figure B-2. B-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Prerequisites for Using ANM With VMware vSphere Client Prerequisites for Using ANM With VMware vSphere Client The prerequisites for integrating ANM with VMware vCenter Server and vSphere Client are as follows: • You must use ANM version 3.1 or later with VMware vSphere 4 or vSphere 5. • You must register the ANM plug-in from within ANM to enable communication between the two applications (see the “Registering or Unregistering the ANM Plug-in” section on page B-5). • If you are running VMware vSphere Client on a Windows Server 2003 or 2008 operating system, make sure that the following Internet security options (Internet options > Security setting) are enabled: – Allow META REFRESH – Allow scripting of Internet Explorer web browser control These options are not enabled by default. If they are disabled, the ANM plug-in will not allow you to log in to ANM for security reasons or you may encounter refresh problems with the Cisco ACE SLB tab. Note We recommend that you have VMware Tools installed on the guest OS of each VM to allow ANM to match a real server with a VM based on the IP address rather than a server name (see the “Mapping Real Servers to VMware Virtual Machines” section on page 5-68). Table B-1 Cisco ACE SLB Tab Components Item Description 1 Content area that displays the ACE real servers associated with the VM that you select from the VM tree located on the left (see the “Using the Cisco ACE SLB Tab” section on page B-8). 2 Upper set of function buttons that enable you to add or delete real servers from the content area and manage the displayed information (see the “Using the Cisco ACE SLB Tab” section on page B-8). 3 Cisco ACE SLB tab that you click to display and manage the ACE real servers for the selected VM. 4 Session information that provides the following information and functions: • Current user logged into ANM. • Logout link that you click on to close the session. • Help link that you click on to open the ANM online help for the Cisco ACE SLB tab. • ANM server time stamp of when the information displayed in the tab was last updated. 5 Recent Tasks area that displays VMware tasks. 6 Lower set of function buttons that you use to update the information displayed, activate or suspend a real sever, change the weight assigned to a real server, view real server connection information in graph form, view the topology map associated with a real server. For more information about these function buttons, see the following sections: • “Using the Cisco ACE SLB Tab” section on page B-8 • “Managing ACE Real Servers From vSphere Client” section on page B-12). B-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Guidelines and Restrictions Guidelines and Restrictions Follow these guidelines and restrictions when integrating ANM with VMware vCenter Server and vSphere Client: • There are no shared logins or trust established between ANM and vCenter Server when you open a session between the two servers. • You can configure both ANM and vCenter Server to use Active Directory for authentication. • From ANM, you must register the ANM plug-in before you can see the Cisco ACE SLB tab from VMware vSphere Client (see the “Registering or Unregistering the ANM Plug-in” section on page B-5). When you register the plug-in, the VMware vSphere Client display refreshes and displays the Cisco ACE SLB tab. • ANM supports one registered ANM plug-in instance only, which means that you can register only one plug-in at any given time. For example, if you register the plug-in from ANM Server A and then register the plug-in from ANM Server B, the following actions occur: – The ANM Server A plug-in is unregistered. – Any VMware vSphere Client that was running when the ANM Server B plug-in was registered will continue to display ANM Server A’s information in the Cisco ACE SLB tab. You must restart VMware vSphere Client to access and display ANM Server B’s information. • If you are going to uninstall ANM from the ANM server, make sure that you unregister the ANM plug-in before you uninstall ANM. If you do not unregister the plug-in before the uninstall, from VMware vSphere Client, the plug-in will display as registered but will fail to load. For information about unregistering the ANM plug-in, see the “Registering or Unregistering the ANM Plug-in” section on page B-5. For information about uninstalling ANM, see one of the following guides depending on your ANM application: – Installation Guide for Cisco Application Networking Manager 5.2 – Installation Guide for the Cisco Application Networking Manager 5.2 Virtual Appliance Registering or Unregistering the ANM Plug-in Note This feature requires the admin role for ANM. This section describes how to register the ANM plug-in from ANM, which allows you to access ANM ACE real server functionality from VMware vSphere Client. Registering the plug-in provides the client with a URL to access ANM and retrieve the required XML definition file. ANM uses HTTPS for communication with VMware vCenter Server. You can also unregister the ANM plug-in from ANM. Note Unregistering the ANM plug-in does not prevent access to the ANM server or remove the Cisco ACE SLB tab from any VMware vSphere Client display that was running when you unregistered the plug-in. You must restart the client to remove the Cisco ACE SLB tab from the display. A VMware vSphere Client restart is also required when you unregister a ANM plug-in from one ANM server and register another plug-in from a second ANM server. B-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Registering or Unregistering the ANM Plug-in Guidelines and Restrictions When registering the ANM plug-in, you specify the VMware vCenter Server and ANM server. If you specify the servers using server names rather than IP addresses, the names must be in DNS and must be consistent throughout the network. If the server names reside only in local /etc/host files, then use IP addresses in place of the server names; otherwise, the ANM server and vCenter Server may not be able to communicate and errors may occur, including the inability to enable the plug-in or the inability for real server mapping (empty tables). Procedure Step 1 From ANM, choose Admin > ANM Management > Virtual Center Plugin Registration. The VMware Virtual Center PlugIn Registration window appears. Step 2 Register or unregister the ANM plug-in using the information in Table B-2. Table B-2 Virtual Center Plugin Registration Field Description Virtual Center Server IP address of the VMware vCenter Server. Note Do not use a DNS name to specify the vCenter Server. Port Port number of the VMware vCenter Server. Virtual Center Server Username VMware vCenter Server username that has the administrator role or an equivalent role that has privilege on “Extension.” Virtual Center Server Password Password that corresponds to the VMware vCenter Server username. ANM Server DNS name or IP address of the ANM server that will be used by VMware vSphere Client. By default, ANM populates this field with the virtual IP address or hostname or all of the available IP addresses. If you enter a DNS name, make sure that the name can be resolved on the VMware vSphere Client side of the network. Note For ANM servers operating in an HA configuration, choose the shared alias IP address or VIP address for the HA pair so that the plug-in can still be used after an HA failover occurs. Status Current status of the registration or unregistration operation. Possible status states are as follows: • Blank (no status displayed)—The registration operation has not been invoked. • Success in registration—ANM has successfully completed the registration operation. • Failure—ANM is unable to complete the registration operation and displays an error message that indicates the problem encountered (see Table B-3). • Registering—ANM is in the process of registering the ANM plug-in. This state displays when you click the Registration button a second time before the process is complete. • Success in unregistration—ANM has successfully completed the unregistration operation. B-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Logging In To ANM from VMware vSphere Client Step 3 Do one of the following: • Click Register to register the ANM plug-in. ANM can now be accessed through VMware vSphere Client (see the “Logging In To ANM from VMware vSphere Client” section on page B-7). • Click UnRegister to unregister the ANM plug-in. Table B-3 describes the error messages that ANM can display when it encounters a problem with registering the plug-in. Logging In To ANM from VMware vSphere Client This section describes how to log into ANM from VMware vSphere Client and establish a session for accessing ANM functionality. The session remains active unless there is a web timeout, you log out, or there is an ANM or VMware vCenter Server restart. The default web session inactivity timeout is 30 minutes. Prerequisites From ANM, you must have the ANM plug-in registered before you can log into ANM from VMware vSphere Client (see the “Registering or Unregistering the ANM Plug-in” section on page B-5). Guidelines and Restrictions This topic includes the following guidelines and restrictions: • When registering the ANM plug-in, you specify the VMware vCenter Server and ANM server. If you specify the servers using server names rather than IP addresses, the names must be in DNS and must be consistent throughout the network. If the server names reside only in local /etc/host files, then use IP addresses in place of the server names; otherwise, the ANM server and vCenter Server may not be able to communicate and errors may occur, including the inability to enable the plug-in and log in to ANM or the inability for real server mapping (empty tables). For information about registering the plug-in, see the “Registering or Unregistering the ANM Plug-in” section on page B-5. Table B-3 Virtual Center Registration Failure Messages Error Message Root Cause Virtual center is not reachable, please correct value for the virtual center IP address or DNS name. The ANM server is unable to ping the specified VMware vCenter Server DNS name or IP address. Cannot access virtual center web service interface, please make sure that the value of the virtual center server is correct or the virtual server is up and running. The ANM server is able to ping VMware vCenter Server but it cannot connect to the webservice API. Most likely, the specified DNS name or IP address does not have the virtual center server running or the virtual server is not running. Invalid username or password for virtual center, please make sure that the username and password is correct. The specified username or password for VMware vCenter Server is not valid. User does not have permission to register or unregister plugin on virtual center server. The specified username is not the VMware vCenter Server administrator or does not have privilege on extension (plugin register/unregister/update). B-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Using the Cisco ACE SLB Tab • When logging into ANM from VMware vSphere Client and you have ANM configured to use remote authentication, such as RADIUS, TACACS+, or LDAPS/AD, use the credentials assigned to you for the specific remote authentication method. Procedure Step 1 From VMware vSphere Client, do one of the following: • To access ANM within the VMware vSphere Client window, choose a VM from the VM tree and click the Cisco ACE SLB tab. • To access ANM in a new browser window, right-click on a VM in the VM tree to open the submenu and choose Cisco ACE Activate/Suspend. The Security Alert popup window appears. This popup appears because ANM uses a Cisco self-signed certificate. Step 2 From the Security Alert popup window, click Yes to proceed. The popup window closes and the ANM login window appears. By default, the name of the user currently logged into VMware vSphere Client displays in the User Name field. Step 3 Enter your username (if it is not already displayed) and password. Step 4 Click Login. The Cisco Application Networking Manager window appears in the Cisco ACE SLB tab. For information about what displays in this window, see the “Using the Cisco ACE SLB Tab” section on page B-8. For information about how to use this window to manage the real servers, see the “Managing ACE Real Servers From vSphere Client” section on page B-12. Step 5 (Optional) To log out of ANM, click Logout. The session closes and the ANM login window appears in the Cisco ACE SLB tab. Using the Cisco ACE SLB Tab This section describes the Cisco device information and management functionality that is available when you click the Cisco ACE SLB tab. Note The ACE real server information displays only after you log into ANM from VMware vSphere Client (see the “Logging In To ANM from VMware vSphere Client” section on page B-7). The Cisco ACE SLB tab contains the ACE Reals (real servers) table. Table B-4 describes the real server information available in the table. B-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Using the Cisco ACE SLB Tab Table B-4 ACE Reals Table Fields Field Description Name Name of real server on the ACE, CSS, CSM, or CSM-S. Although the Cisco ACE SLB tab is primarily used to monitor and manage ACE real servers, you can also monitor, activate, and suspend CSS, CSM, and CSM-S devices from this tab. The real server name is a link that displays the Real Server Details popup window, which provides operating information about the server (see the “Monitoring Real Server Details Using vSphere Client” section on page B-19). IP Address Real server IP address. Port Real server port number. Admin State Administrative state of the real server as follows: • In Service • Out Of Service • In Service Standby. Note For CSM and CSM-S real servers, ANM infers the admin state based on the operational state that it receives through SNMP rather than the CLI, which may result in an admin state display that is not correct. For example, when you change the operational state of a CSM real server from Out of Service to Inservice, the admin state display should also change to In Service; however, the admin state display may remain set to Out of Service. B-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Using the Cisco ACE SLB Tab Oper State Operational state of the real server as follows: • ARP Failed—Corresponding VLAN interface is not configured for the real server. • Failed—Server has failed and will not be retried for the amount of time specified by its retry timer. • Inband probe failed—Server has failed the inband Health Probe agent. • Inservice—Server is in use as a destination for server load balancing client connections. • Inservice standby—Server is the backup real server, which remains inactive unless the primary real server fails. • Operation wait—Server is ready to become operational but is waiting for the associated redirect virtual server to be in service. • Out of service—Server is not in use by a server load balancer as a destination for client connections. • Probe failed—Server load-balancing probe to this server has failed. No new connections will be assigned to this server until a probe to this server succeeds. • Probe testing—Server has received a test probe from the server load balancer. • Ready to test—Server has failed and its retry timer has expired; test connections will begin flowing to it soon. • Return code failed—Server has been disabled because it returned an HTTP code that matched a configured value. • Test wait—Server is ready to be tested. This state is applicable only when the server is used for HTTP redirect load balancing. • Testing—Server has failed and has been given another test connection. The success of this connection is not known. • Throttle: DFP—DFP has lowered the weight of the server to throttle level; no new connections will be assigned to the server until DFP raises its weight. • Throttle: max clients—Server has reached its maximum number of allowed clients. • Throttle: max connections—Server has reached its maximum number of connections and is no longer being given connections. • Unknown—State of the server is not known. Conns Number of concurrent connections. Weight Weight assigned to the real server. Server Farm Server farm that the real server is associated with. Vserver Name of the Vserver. Table B-4 ACE Reals Table Fields (continued) Field Description B-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Using the Cisco ACE SLB Tab In the table, N/A indicates that either the information is not available from the database or that it is not being collected through SNMP. The Cisco ACE SLB tab also contains a number of function buttons that enable you to manage the displayed information and the real servers. Figure B-3 shows the function buttons that are located at the top of the ACE Reals table. Figure B-3 Cisco ACE SLB Tab Upper Function Buttons Table B-5 describes each of the function buttons shown in Figure B-3 Device ACE, CSS, CSM, or CSM-S on which the real server is configured. HA Indicators that display when the real server is part of a high availability pair. The indicators are as follows: • Asterisk (*)—The real server is associated with an HA pair and the HA configuration is complete. • Red dash (-)—The real server is associated with an HA pair; however, the HA configuration is incomplete. Typically, the HA pair are not properly configured for HA or only one of the servers has been imported into ANM. Ensure that both servers are imported into ANM and that they are configured as described in the “Configuring ACE High Availability” section on page 13-14. The table displays HA pair real servers together in the same row and they remain together no matter how you sort the information. Table B-4 ACE Reals Table Fields (continued) Field Description 248665 1 2 3 4 5 6 Table B-5 The Cisco ACE SLB Tab Upper Function Button Descriptions Number Function Description 1 Add Adds a real server to the list of servers that can service the VM (see the “Adding a Real Server” section on page B-13). Note This feature is available for ACE devices only. 2 Delete Deletes the selected server from the list of servers that can service the VM (see the “Deleting a Real Server Using vSphere Client” section on page B-14). Note This feature is available for ACE devices only. 3 AutoRefresh Enables the auto refresh feature and sets the refresh cycle time. Values are Off, 30 seconds, 1 minute, 2 minutes, or 5 minutes. 4 Filter Enables the column filter and provides access to saved filters. B-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Managing ACE Real Servers From vSphere Client Table B-6 describes the function buttons located across the bottom of the Cisco ACE SLB tab. Related Topics • Information About Using ANM With VMware vCenter Server, page B-2 • Logging In To ANM from VMware vSphere Client, page B-7 • Managing ACE Real Servers From vSphere Client, page B-12 • Using the VMware vSphere Plug-in Manager, page B-22 Managing ACE Real Servers From vSphere Client This section describes how to perform real server management tasks from the Cisco ACE SLB tab after you log into ANM from VMware vSphere Client (see the “Logging In To ANM from VMware vSphere Client” section on page B-7). These tasks include adding a VM as a real server to an existing server farm or suspending and activating the operation of a real server associated with a VM. This section includes the following topics: • Adding a Real Server, page B-13 • Deleting a Real Server Using vSphere Client, page B-14 • Activating Real Servers Using vSphere Client, page B-15 • Suspending Real Servers Using vSphere Client, page B-16 • Modifying Real Server Weight Value Using vSphere Client, page B-18 • Monitoring Real Server Details Using vSphere Client, page B-19 5 Refresh Refreshes the window. 6 Filter tool Filters over all columns. Table B-5 The Cisco ACE SLB Tab Upper Function Button Descriptions Number Function Description Table B-6 Cisco ACE SLB Tab Lower Function Button Descriptions Function Description Poll Now Polls the device to update the displayed information (see the “Refreshing the Displayed Real Server Information” section on page B-20. Activate Activates the services of the selected server (see the “Activating Real Servers Using vSphere Client” section on page B-15). Suspend Suspends the services of the selected server (see the “Suspending Real Servers Using vSphere Client” section on page B-16). Change Weight Changes the weight of the selected server (see the “Modifying Real Server Weight Value Using vSphere Client” section on page B-18). Graph Displays connection information for a selected real server in graph form. To exit a graph view and return to the ACE Real Server table, click Exit Graph. Topology Displays a network topology map for a selected real server (see “Displaying Network Topology Maps” section on page 17-68). To exit a topology map and return to the ACE Real Server table, click Exit. B-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Managing ACE Real Servers From vSphere Client • Refreshing the Displayed Real Server Information, page B-20 Adding a Real Server You can add one or more real servers to the list of ACE real servers associated with a VM. The Cisco ACE SLB tab allows you select a VM and define it as a real server on ANM, associating it with an existing ACE virtual context and server farm. Guidelines and Limitations You can add only one real server at a time. Repeat the procedure in this section for each real server that you want to add. Procedure Step 1 From the VM tree in VMware vSphere Client, do one of the following: • To display the ACE real server information in the current window, click on a VM and then click the Cisco ACE SLB tab. • To display the ACE real server information in a new window, right-click on a VM to open the submenu and choose Cisco ACE Activate/Suspend. The Security Alert popup window appears. This popup window appears because ANM uses a Cisco self-signed certificate. Step 2 From the Security Alert popup window, click Yes to proceed. The popup window closes and the Cisco Application Networking Manager window appears, displaying the ACE Reals table. Step 3 From the ACE Reals table, click Add. The Real Server Configurations dialog box appears. Step 4 From the Real Server Configurations dialog window, configure the real server to add using the information in Table B-7. Table B-7 Real Server Attributes Field Description Real Server Name Unique name for this server. By default, the name of the selected VM is displayed. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters. Real Server IP Address Unique IP address in dotted-decimal format (such as 192.168.11.1). The drop-down list is populated with the IP address or addresses assigned to the selected VM. If no IP addresses were found for the VM, you can manually enter an IP address in this field. Real Server Port Real server port number. Valid entries are from 1 to 65535. Real Server Weight Weight to assign to this real server in a server farm. Valid entries are 1 to 100. The default is 8. B-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Managing ACE Real Servers From vSphere Client Step 5 Do one of the following: • Click Deploy Now. The Real Server Configurations dialog box closes and ANM adds the real server to the list of servers that can service the VM depending on how you set the Real Server State attribute. • Click Cancel. The Real Server Configurations dialog box closes and no real server is added. Related Topics • Logging In To ANM from VMware vSphere Client, page B-7 • Using the Cisco ACE SLB Tab, page B-8 • Deleting a Real Server Using vSphere Client, page B-14 • Activating Real Servers Using vSphere Client, page B-15 • Suspending Real Servers Using vSphere Client, page B-16 • Modifying Real Server Weight Value Using vSphere Client, page B-18 • Monitoring Real Server Details Using vSphere Client, page B-19 • Refreshing the Displayed Real Server Information, page B-20 Deleting a Real Server Using vSphere Client You can remove a real server from the list of servers that service the VM. Procedure Step 1 From the VM tree in VMware vSphere Client, do one of the following: • To display the ACE real server information in the current window, click on a VM and then click the Cisco ACE SLB tab. • To display the ACE real server information in a new window, right-click on a VM to open the submenu and choose Cisco ACE Activate/Suspend. Real Server State State of the real server: • In Service—ANM places the real server in the in service state when it is added. This is the default setting. • In Service Standby—ANM places the real server in the service standby state when it is added. • Out Of Service—ANM places the real server in the out of service state when it is added. ACE Virtual Context ACE virtual context that has the server farm that the real server is to be associated with. Serverfarm Server farms associated with the selected ACE virtual context. Virtual Servers Virtual server names and VIPs that are associated with the selected server farm. Table B-7 Real Server Attributes (continued) Field Description B-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Managing ACE Real Servers From vSphere Client The Security Alert popup window appears. This popup window appears because ANM uses a Cisco self-signed certificate. Step 2 From the Security Alert popup window, click Yes to proceed. The popup window closes and the Cisco Application Networking Manager window appears, displaying the ACE Reals table. Step 3 From the ACE Reals table, check the checkbox of each server that you want to delete from the table. Step 4 Click Delete. The confirmation popup window appears requesting you to verify that you want to delete the server. Step 5 In the confirmation popup window, click OK. The popup window closes and ANM removes the selected servers from the list of real servers. Related Topics • Logging In To ANM from VMware vSphere Client, page B-7 • Using the Cisco ACE SLB Tab, page B-8 • Adding a Real Server, page B-13 • Activating Real Servers Using vSphere Client, page B-15 • Suspending Real Servers Using vSphere Client, page B-16 • Modifying Real Server Weight Value Using vSphere Client, page B-18 • Monitoring Real Server Details Using vSphere Client, page B-19 • Refreshing the Displayed Real Server Information, page B-20 Activating Real Servers Using vSphere Client You can activate a real server that services a VM. Note If you are not using the ANM plug-in for vCenter Server to access ANM, see the “Activating Real Servers” section on page 8-14. Procedure Step 1 From the VM tree in VMware vSphere Client, do one of the following: • To display the ACE real server information in the current window, click on a VM and then click the Cisco ACE SLB tab. • To display the ACE real server information in a new window, right-click on a VM to open the submenu and choose Cisco ACE Activate/Suspend. The Security Alert popup window appears. This popup window appears because ANM uses a Cisco self-signed certificate. Step 2 From the Security Alert popup window, click Yes to proceed. The popup window closes and the Cisco Application Networking Manager window appears, displaying the ACE Reals table. B-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Managing ACE Real Servers From vSphere Client Step 3 From the ACE Reals table, check the check box of the servers that you want to activate and click Activate. The Activate Server window appears. Step 4 In the Reason field of the Activate Server window, enter a reason for this action. You might enter a trouble ticket, an order ticket, or a user message. Note Do not enter a password in this field. Step 5 Do one of the following: • Click OK to activate the server and to return to the ACE Reals table. The server appears in the table with the status Inservice. • Click Cancel to exit this procedure without activating the server and to return to the ACE Reals table. Related Topics • Logging In To ANM from VMware vSphere Client, page B-7 • Using the Cisco ACE SLB Tab, page B-8 • Suspending Real Servers Using vSphere Client, page B-16 • Modifying Real Server Weight Value Using vSphere Client, page B-18 • Monitoring Real Server Details Using vSphere Client, page B-19 • Refreshing the Displayed Real Server Information, page B-20 Suspending Real Servers Using vSphere Client You can suspend a real server that services a VM. Note If you are not using the ANM plug-in for vCenter Server to access ANM, see the “Suspending Real Servers” section on page 8-15. Procedure Step 1 From the VM tree in VMware vSphere Client, do one of the following: • To display the ACE real server information in the current window, click on a VM and then click the Cisco ACE SLB tab. • To display the ACE real server information in a new window, right-click on a VM to open the submenu and choose Cisco ACE Activate/Suspend. The Security Alert popup window appears. This popup window appears because ANM uses a Cisco self-signed certificate. Step 2 From the Security Alert popup window, click Yes to proceed. The popup window closes and the Cisco Application Networking Manager window appears, displaying the ACE Reals table. B-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Managing ACE Real Servers From vSphere Client Step 3 In the ACE Reals table, check the check box of the servers that you want to suspend and click Suspend. The Suspend Real Servers window appears. Step 4 In the Reason field of the Suspend Real Servers window, enter the reason for this action. You might enter a trouble ticket, an order ticket, or a user message. Note Do not enter a password in this field. Step 5 From the Suspend Real Servers Type drop-down list, choose one of the following: • Graceful—When executed on a primary server, the ACE gracefully shuts down the server with sticky connections as follows: – Tears down existing non-TCP connections to the server – Allows current TCP connections to complete – Allows new sticky connections for existing server connections that match entries in the sticky database – Load balances all new connections (other than the matching sticky connections mentioned above) to the other servers in the server farm When executed on a backup real server, the ACE places the backup server in service standby mode. Note For the CSS, when the device is in the In Service admin state and you perform a graceful suspend operation, ANM saves the last known non-zero service (or real server) weight, and then sets the weight to zero. ANM references the saved weight when performing an Activate operation. If the current weight is zero, and a non-zero weight has been saved for that service (or real server), the Activate operation also sets the weight to the saved value. To allow ANM to save and reset the weight value when gracefully suspending and then activating the CSS, you must have the device configured to permit SNMP traffic. For each device type, see the corresponding configuration guide to configure the device to permit SNMP traffic. When the CSS is in the In Service Standby admin state and you perform a graceful suspend operation, ANM does not set the weight to zero. • Suspend—The ACE resets all non-TCP connections to the server. For TCP connections, existing flows are allowed to complete before the ACE takes the real server out of service. No new connections are allowed. The ACE resets all Secure Sockets Layer (SSL) connections to the real server. • Suspend and Clear Connections—The ACE performs the tasks described for Suspend and clears the existing connections to this server. B-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Managing ACE Real Servers From vSphere Client Step 6 Do one of the following: • Click Deploy Now to suspend the server and to return to the ACE Reals table. The server appears in the table with the status Out Of Service. • Click Cancel to exit this procedure without suspending the server and to return to the ACE Reals table. Related Topics • Logging In To ANM from VMware vSphere Client, page B-7 • Using the Cisco ACE SLB Tab, page B-8 • Adding a Real Server, page B-13 • Deleting a Real Server Using vSphere Client, page B-14 • Activating Real Servers Using vSphere Client, page B-15 • Modifying Real Server Weight Value Using vSphere Client, page B-18 • Monitoring Real Server Details Using vSphere Client, page B-19 • Refreshing the Displayed Real Server Information, page B-20 Modifying Real Server Weight Value Using vSphere Client You can modify the weight value assigned to a real server that defines the connection capacity of the server in relation to the other real servers. The ACE uses the weight value that you specify for a server in the weighted round-robin and least-connections load-balancing predictors. Servers with a higher configured weight value have a higher priority with respect to connections than servers with a lower weight. For example, a server with a weight of 5 would receive five connections for every one connection for a server with a weight of 1. Note If you are not using the ANM plug-in for vCenter Server to access ANM, see the “Modifying Real Server Weight Value” section on page 8-17. Procedure Step 1 From the VM tree in VMware vSphere Client, do one of the following: • To display the ACE real server information in the current window, click on a VM and then click the Cisco ACE SLB tab. • To display the ACE real server information in a new window, right-click on a VM tree to open the submenu and choose Cisco ACE Activate/Suspend. The Security Alert popup window appears. This popup window appears because ANM uses a Cisco self-signed certificate. Step 2 From the Security Alert popup window, click Yes to proceed. The popup window closes and the Cisco Application Networking Manager window appears, displaying the ACE Reals table. Step 3 In the ACE Reals table, check the check box of the server that you want modify and click Change Weight. B-19 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Managing ACE Real Servers From vSphere Client The Change Weight Real Servers window appears. Step 4 In the Change Weight Real Servers window, enter the following information for the selected server: • Reason for change such as trouble ticket, order ticket, or user message. Note Do not enter a password in this field. • Weight value (for allowable ranges for each device type, see Table 8-5). Step 5 Do one of the following: • Click Deploy Now to accept your entries and to return to the ACE Reals table. The server appears in the table with the updated information. • Click Cancel to exit this procedure without saving your entries and to return to the ACE Reals table. Related Topics • Logging In To ANM from VMware vSphere Client, page B-7 • Using the Cisco ACE SLB Tab, page B-8 • Adding a Real Server, page B-13 • Deleting a Real Server Using vSphere Client, page B-14 • Activating Real Servers Using vSphere Client, page B-15 • Monitoring Real Server Details Using vSphere Client, page B-19 • Refreshing the Displayed Real Server Information, page B-20 Monitoring Real Server Details Using vSphere Client You can display detailed operating information about a real server. Procedure Step 1 From the VM tree in VMware vSphere Client, do one of the following: • To display the ACE real server information in the current window, click on a VM and then click the Cisco ACE SLB tab. • To display the ACE real server information in a new window, right-click on a VM to open the submenu and choose Cisco ACE Activate/Suspend. The Security Alert popup window appears. This popup window appears because ANM uses a Cisco self-signed certificate. Step 2 From the Security Alert popup window, click Yes to proceed. The popup window closes and the Cisco Application Networking Manager window appears, displaying the ACE Reals table. Step 3 In the ACE Reals table, click on the name of the real server whose details you want to view. The Real Server Details popup window appears and displays the following ACE statistical information: • Total Connections—Total number of load-balanced connections to this real server in the serverfarm. B-20 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Managing ACE Real Servers From vSphere Client • Connections Rate—Connections per second. • Dropped Connections—Total number of dropped connections because the current connection count exceeds the maximum number of allowed connections. • Dropped Connections Rate—Dropped connections per second. • Minimum Connections—Minimum number of connections that need to be supported by the real server in the serverfarm. • Maximum Connections—Maximum number of connections that can be supported by this real server in the serverfarm. Note The statistical information that ANM displays for the CSM and CSM-S is different from the ACE information described above. Also, ANM does not display the Real Server Details popup window for the CSS. Note To close the Real Server Details popup window, you may need to expand the display to access the “X” (close) located in the upper right hand section of the window. Related Topics • Logging In To ANM from VMware vSphere Client, page B-7 • Using the Cisco ACE SLB Tab, page B-8 • Adding a Real Server, page B-13 • Deleting a Real Server Using vSphere Client, page B-14 • Activating Real Servers Using vSphere Client, page B-15 • Suspending Real Servers Using vSphere Client, page B-16 • Modifying Real Server Weight Value Using vSphere Client, page B-18 • Refreshing the Displayed Real Server Information, page B-20 Refreshing the Displayed Real Server Information You can refresh the information that ANM displays for a real server. Procedure Step 1 From the VM tree in VMware vSphere Client, do one of the following: • To display the ACE real server information in the current window, click on a VM and then click the Cisco ACE SLB tab. • To display the ACE real server information in a new window, right-click on a VM to open the submenu and choose Cisco ACE Activate/Suspend. The Security Alert popup window appears. This popup window appears because ANM uses a Cisco self-signed certificate. B-21 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Managing ACE Real Servers From vSphere Client Step 2 From the Security Alert popup window, click Yes to proceed. The popup window closes and the Cisco Application Networking Manager window appears, displaying the ACE Reals table. Step 3 In the ACE Reals table, check the checkbox next to the name of the real server whose information you want to refresh. Step 4 Click Poll Now. ANM polls the selected device and updates the displayed information. Related Topics • Logging In To ANM from VMware vSphere Client, page B-7 • Using the Cisco ACE SLB Tab, page B-8 • Adding a Real Server, page B-13 • Deleting a Real Server Using vSphere Client, page B-14 • Activating Real Servers Using vSphere Client, page B-15 • Suspending Real Servers Using vSphere Client, page B-16 • Modifying Real Server Weight Value Using vSphere Client, page B-18 B-22 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Appendix B Using the ANM Plug-In With Virtual Data Centers Using the VMware vSphere Plug-in Manager Using the VMware vSphere Plug-in Manager You can use the VMware vSphere Client Plug-in Manager to verify that the ANM plug-in (Cisco ACE) is registered, view error messages, and enable or disable the plug-in. Procedure Step 1 From the VMware vSphere Client main menu, choose Plug-ins > Manage Plug-ins. The Plug-in Manager window appears. Table B-8 describes the Cisco plug-in information that displays in the Plug-in Manager window. Step 2 (Optional) To enable or disable the plug-in, from the list of plug-ins, right-click on the Cisco ACE plug-in and do one of the following: • Choose Enable. The Cisco ACE SLB tab appears in the VMware vSphere Client content area. This is the default setting. • Choose Disable. The Cisco ACE SLB tab is removed from the VMware vSphere Client content area. Related Topics Registering or Unregistering the ANM Plug-in, page B-5 Table B-8 VMware vSphere Client Plug-in Manager Item Description Plug-in Name Name of the Cisco plug-in, which is Cisco ACE. Vendor This field is blank. The vendor name, Cisco, is included in the plug-in name. Version Plug-in version number. Status Plug-in operating status: Enabled or Disabled. Description Plug-in description, which is Cisco ACE. Progress N/A Errors Errors related to the Cisco ACE plug-in, such as when the VMware vSphere Client cannot find the ANM server because it cannot resolve the server name. GL-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 GLOSSARY Date: 3/28/12 A ACE Cisco Application Control Engine, available as a module that resides in a Cisco Catalyst 6500 series chassis, Cisco 7600 series router, or as a standalone appliance. The ACE offers high-performance server load balancing (SLB), routing and bridging configuration, traffic policies, redundancy (high availability), virtualization for resource management, SSL, security features, and application acceleration and optimization. ACL Access Control List. A mechanism in computer security used to enforce privilege separation. An ACL identifies the privileges and access rights a user or client has to a particular object, such as a server, file system, or application. activate Places an entity into the resource pool for load balancing content requests or connections and starts the keepalive function. See also suspend. administrative distance The first criterion a router uses to determine which routing protocol to use if two protocols provide route information for the same destination. Administrative distance is a measure of the trustworthiness of the source of the routing information. Administrative distance has only local significance, and is not advertised in routing updates. The smaller the administrative distance value, the more reliable the protocol. The values range from 0 (zero) for a connected interface and 1 for a static route, to 255 for an unknown protocol. AES Advanced Encryption Standard. One of the possible encryption algorithms available for use in SNMP communications. ANM Mobile ANM feature that allows supported mobile devices to access to your ANM server or ANM Virtual Appliance and manage the network objects in much the same way you do from an ANM client. Using a mobile device, you can run ANM Mobile as a native application (app) or inside the mobile device browser. ANM server Dedicated server with ANM server software and Red Hat Enterprise Linux (RHEL) operating system installed on it. ANM Virtual Appliance VMware virtual appliance with ANM server software and Cisco Application Delivery Engine Operating System (ADE OS) installed on it. Cisco distributes ANM Virtual Appliance in Open Virtual Appliance (.OVA) format. ARP Address Resolution Protocol. Internet protocol used to map an IP address to a MAC address. Defined in RFC 826. Glossary GL-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 B building block Reusable configuration attributes that can be applied to virtual contexts for consistent, standardized implementation. BVI Bridge-Group Virtual Interface. Logical Layer 3-only interface associated with a bridge group when integrated routing and bridging (IRB) is configured. C CCM Cisco CallManager. A Cisco product that provides the software-based, call-processing component of the Cisco IP Telephony Solutions for the Enterprise, part of Cisco AVVID (Architecture for Voice, Video, and Integrated Data). CallManager acts as a signaling proxy for call events initiated over other common protocols such as SIP, ISDN (Integrated Services Digital Network), or MGCP (Media Gateway Control Protocol). certificate chain A certificate chain is a hierarchal list of certificates used in SSL that includes the subject’s certificate, the root CA certificate, and any intermediate CA certificates. certificate signing request See CSR. checkpoint A snapshot in time of a known stable ACE running configuration before you begin to modify it. If you encounter a problem with the modifications to the running configuration, you can roll back the configuration to the previous stable configuration checkpoint. Cisco.com Replaces the Cisco Connection Online website. Use this site to access customer service and support. class map A mechanism for classifying types of network traffic. The ANM uses class maps to classify the network traffic that is received and transmitted by the ACE. Types of traffic include Layer 3/Layer 4 traffic that can pass through the ACE, network management traffic that can be received by the ACE, and Layer 7 HTTP load-balancing traffic. CSR Certificate Signing Request. A message sent to a certificate authority, such as VeriSign and Thawte to a apply for a digital identity certificate for use with SSL. The request includes information that identifies the SSL site, such as location and serial number, and a public key that you choose. The request may also provide any additional proof of identity required by the certificate authority. Cisco IOS Software The Cisco system software that allows centralized, integrated, and automated installation and management of internetworks, while ensuring support for a wide variety of protocols, media, services, and platforms. context See virtual context. D DES Data Encryption Standard. One of the possible encryption algorithms available for use in SNMP communications. Glossary GL-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 DFP Dynamic Feedback Protocol. A protocol that allows load-balanced servers (both local and remote) to dynamically report changes in their status and their ability to provide services. distinguished name Used for SSL, a set of attributes that provides the certificate authority with the information it needs to authenticate your site. Dynamic Workload Scaling (DWS) ACE feature that permits on-demand access to remote resources, such as VMs, that you own or lease from an Internet service provider or cloud service provider. E event A message from the ANM that informs you of activities on parts of the system, including each virtual context, the management system, and hardware components. event type Alarm, Log, Audit, Attack Log exception A group of related faults. F fault An abnormal condition that occurs when a system component exceeds a performance threshold or is not functioning properly. File Transfer Protocol See FTP. FTP File Transfer Protocol. Application protocol, part of the TCP/IP protocol stack, used for transferring files between network nodes. FTP is defined in RFC 959. H H.323 An umbrella recommendation from the ITU Telecommunication Standardization Sector (ITU-T) that defines the protocols that provide audio-visual communication sessions on any packet network. It is a part of the H.32x series of protocols which also address communications over Integrated Services Digital Network (ISDN), Public switched telephone network (PSTN) or Signaling System 7 (SS7). H.323 is commonly used in Voice over IP (VoIP, Internet Telephony, or IP Telephony) and Internet Protocol (IP)-based videoconferencing.H.323 defines a common set of CODECs, call setup and negotiating procedures, and basic data transport methods. HSRP Hot Standby Router Protocol. A networking protocol that provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from first hop failures in network edge devices or access circuits. Glossary GL-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 I ICMP Internet Control Message Protocol. Network layer Internet protocol that reports errors and provides other information relevant to IP packet processing. Documented in RFC 792. Internet Control Message Protocol See ICMP. interface 1. A network connection. 2. A connection between two systems or devices. 3. In telephony, a shared boundary defined by common physical interconnection characteristics, signal characteristics, and meanings of interchanged signals. L load balancing An action that spreads network requests among available servers within a cluster of servers, based on a variety of algorithms. M MD5 Message Digest 5 or Message-Digest Algorithm. One of the possible encryption algorithms available for use in SNMP communications. MIB Database of network management information that is used and maintained by a network management protocol, such as SNMP or CMIP. The value of a MIB object can be changed or retrieved using SNMP or CMIP commands, usually through a GUI network management system. MIB objects are organized in a tree structure that includes public (standard) and private (proprietary) branches. N NAT Name Address Translation. A method of connecting multiple computers to the Internet (or any other IP network) using one IP address. O object group A logical grouping of similar objects, such as servers, clients, services, or networks. Creating an object group allows you to apply common attributes to a number of objects without specifying each object individually. organizations An organization allows you to configure AAA server lookup for your users or set up users who work for a service provider customer. Organizations in the Cisco ANM system are defined by the system administrator. Glossary GL-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 P PAT Port Address Translation. A mechanism that allows many devices on a LAN to share one IP address by allocating a unique port address at Layer 4. ping A common method for troubleshooting the accessibility of devices. A ping tests an ICMP echo message and its reply. Because ping is the simplest test for a device, it is the first to be used. If ping fails, try using traceroute. Run ping to view the packets transmitted, packets received, percentage of packet loss, and round-trip time in milliseconds. port 1. An interface on an internetworking device (such as a router); a physical entity. 2. In IP terminology, an upper-layer process that receives information from lower layers. Ports are numbered, and each numbered port is associated with a specific process. For example, SMTP is associated with port 25. A port number is also called a well-known address. 3. To rewrite software or microcode so that it will run on a different hardware platform or in a different software environment than that for which it was originally designed. R RAS Registration, Admission, and Status Protocol. Protocol that is used between endpoints and the gatekeeper to perform management functions. RAS signalling function performs registration, admissions, bandwidth changes, status, and disengage procedures between the VoIP gateway and the gatekeeper. RBAC Role-Based Access Control. A mechanism that allows privileges to be assigned to defined roles. The roles are then assigned to real users, allowing or limiting access to specific features as appropriate for each role. real server A real server is a physical device assigned to a server farm. redundancy In internetworking, the duplication of devices, services, or connections so that, in the event of a failure, the redundant devices, services, or connections can perform the work of those that failed. resource class A defined set of resources and allocations available for use by a device (such as an ACE). Using resource classes prevents a single device from using all available resources. role See user role. RSA Rivest, Shamir, and Adelman Signatures. A public-key cryptographic system used for authentication. RTSP Real Time Streaming Protocol. A client-server multimedia presentation control protocol, designed to address the needs for efficient delivery of streamed multimedia over IP networks. Glossary GL-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 S SCCP Skinny Client Control Protocol. A proprietary terminal control protocol owned and defined by Cisco as a messaging set between a skinny client and the Cisco CallManager (CCM). Examples of skinny clients include the Cisco 7900 series of IP phone such as the Cisco 7960, Cisco 7940 and the 802.11b wireless Cisco 7920, along with Cisco Unity voicemail server. See also Skinny. server farm A collection of servers that contain the same content. Server Load Balancer See SLB. service A destination location where a piece of content resides physically. Also referred to in general terms for this release as including content rules, owners, virtual servers, real servers, and so on. Simple Message Transfer Protocol See SMTP. SIP Session Initiation Protocol. Protocol developed by the IETF MMUSIC Working Group as an alternative to H.323. SIP features are compliant with IETF RFC 2543, published in March 1999. SIP equips platforms to signal the setup of voice and multimedia calls over IP networks. Skinny Skinny is a lightweight protocol which allows for efficient communication with Cisco CallManager. See also SCCP. SLB Server Load Balancer. A device that makes load balancing decisions based on application availability, server capacity, and load distribution algorithms, such as round robin or least connections. Using load balancing and server/application feedback, an SLB device determines a real server for the packet flow and sends this information to the requesting forwarding agent. After the optimal destination is decided on, all other packets in the packet flow are directed to a real server by the forwarding agent, increasing packet throughput. special configuration file Managed file resource on an ACE module, such as a piece of a configuration file or a keep-alive script. SMTP Simple Message Transfer Protocol. Internet protocol that provides email services. sticky A feature that ensures that the same client gets the same server for multiple connections. It is used when applications require a consistent and constant connection to the same server. If you are connecting to a system that keeps state tables about your connection, sticky allows you to get back to the same real server again and retain the statefulness of the system. suspend Removes an entity from the resource pool for future load-balancing content requests or connections. Suspending a service or device does not affect existing content flows, but it prevents additional connections from accessing the suspended entity or content. See also activate. T TCP Transport Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack. template See building block. Glossary GL-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 threshold A range in which you expect your network to perform. If a threshold is exceeded or goes below the expected bounds, you examine the areas for potential problems. You can create thresholds for a specific device. traceroute A diagnostic tool that helps you understand why ping fails or why applications time out. Using it, you can view each hop (or gateway) on the route to your device and how long each took. Transport Control Protocol See TCP. U URI Uniform Resource Identifier. Type of formatted identifier that encapsulates the name of an Internet object, and labels it with an identification of the name space, thus producing a member of the universal set of names in registered name spaces and of addresses referring to registered protocols or name spaces. [RFC 1630] user role A mechanism for granting access to features and functionality to a user account. The Cisco Application Networking Manager includes four predefined roles: System Administrator, Server Manager, Network Manager, and Service Provider Customer. V virtual context A concept that allows users to partition an ACE into multiple virtual devices. Each virtual context contains its own set of policies, interfaces, resources, and administrators, allowing administrators to more efficiently manage system resources and services. There are two types of contexts; the Admin context and a user context. The Admin context is the default context that the ACE provides. The Admin context, which contains the basic settings for each virtual device or context, allows a user to configure and manage all contexts. When a user logs into the Admin context, he or she has full system administrator access to the entire ACE and all contexts and objects within it. The Admin context provides access to network-wide resources, for example, a syslog server or context configuration server. All global commands for ACE settings, contexts, resource classes, and so on, are available only in the Admin context. A user context, which is created by a user, has access to the resources in which the context was created. For example, a user context that was created by an administrator while in Admin context, by default, has access to all resources in an ACE device. Any user created by someone in a user-defined context, only has access to the resources within that context. In addition, roles are assigned to users, which determine the commands and resources that are available to that user. VLAN Virtual LAN. Group of devices on one or more LANs that are configured (using management software) so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible. VLAN Trunking Protocol See VTP. virtual server A virtual server represents groups of real servers and are associated with a real server farm. Glossary GL-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 VMware vCenter Server Third-party product for creating and managing virtual data centers, which includes VMware vSphere Client and virtual machines. VTP VLAN Trunking Protocol. A Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs within a VTP domain. VTP minimizes misconfigurations and configuration inconsistencies that can result in a number of problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations. VTP domain Also called a VLAN management domain, a domain composed of one or more network devices that share the same VTP domain name and that are interconnected with trunks. W Web server A machine that contains Web pages that are accessible by others. IN-1 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 INDEX Numerics 7600 series router adding VLANs 5-48 configuring access ports 5-43 interfaces 5-42 primary attributes 5-38 routed ports 5-46 switch virtual interfaces 5-45 trunk ports 5-44 managing 5-66 synchronizing configurations 5-66 viewing all modules 5-79 ports 5-42 VLAN managing 5-48 modifying 5-51 viewing 5-49 A AAA server, authenticating ANM users 18-38 About button 1-9 acceleration configuring 7-53 configuring globally on ACE appliances 15-9 FlashForward 15-2 traffic policies 15-2 typical configuration flow 15-2 access control, configuring on VLAN interfaces 12-14 access control list (ACL) 6-78 access credentials, configuring 5-29 access ports, configuring 5-43 account password 1-6 accounts user, managing 18-17 ACE changing passwords 5-77 class map configuring 14-7 match conditions 14-8 configuration options 6-11 definition GL-1 license ANM license requirements 6-36 details 6-42 managing 6-36 removing 6-39 updating 6-40 viewing 6-36 parameter maps 10-2 policy map configuring 14-32 rules and actions 14-34 traffic policies 14-2 viewing license details 6-42 virtual server protocols 7-11 ACE 1.0 module class maps 14-7 configuration building block 16-6 parameter maps 10-2 policy maps 14-32 traffic policies 14-2 virtual server protocols 7-11 Index IN-2 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 ACE 2.0 module class map types 14-7 configuration building block 16-6 parameter map generic 10-8 RTSP 10-20 SIP 10-21 Skinny 10-23 parameter maps 10-2 policy maps 14-32 sticky types 9-2 traffic policies 14-2 virtual server protocols 7-11 ACE appliance changing passwords 5-75 class maps 14-7 configuration building block 16-6 configuring 5-34 licenses configuration 6-42 statistics 6-42 optimization parameter map 10-12 parameter maps 10-2 policy maps 14-32 synchronizing configurations 5-66 traffic policies 14-2 updating passwords 5-75 virtual server protocols 7-11 ACE appliances SSH, enabling 5-6 ACE license and required ANM licenses 6-36 details 6-42 managing 6-36 removing 6-39 updating 6-40 viewing 6-36 ACE module configuring 5-34 configuring access credentials 5-29 discovery enabling SSH access 5-28 process 5-31 monitoring discovery status 5-33 replace 5-82 synchronizing configurations 5-67 viewing by 7600 series router 5-79 by chassis 5-79 ACE modules ACE 2.0 SNMP polling 5-7 adding to ANM 5-16 HTTPS, enabling 5-6 OK/Pass state requirement 5-16 SSH, enabling 5-6 ACE network topology overview 3-12 ACL configuration overview 6-78 configuring EtherType attributes 6-87 extended ACL attributes 6-82 for VLANs 12-14 object groups 6-89 creating 6-79 deleting 6-100 managing 6-99 objects ICMP service parameters 6-97 IP addresses 6-91 protocols 6-93 subnet objects 6-92 TCP/UDP service parameters 6-94 resequencing 6-87 viewing by context 6-99 ACL object group configuring 6-89 Index IN-3 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 network objects IP addresses 6-91 subnet objects 6-92 service objects ICMP service parameters 6-97 protocols 6-93 TCP/UDP service parameters 6-94 ACLs, creating 6-79 action, setting for policy maps 14-34 action list application acceleration, configuring 14-85, 15-3 configuration options 7-55 HTTP header modify, configuring 14-85 HTTP header modify, SSL header insertion, configuring 14-85 HTTP header modify, SSL URL rewrite, configuring 14-85 activate, definition GL-1 activating DNS rules for GSS 7-75 real servers 8-14, B-15 virtual servers 7-71 adding ACE modules 5-16 CSM 5-19, 5-20 devices to ANM 5-10 domains 5-63 resource classes 6-46 SSL CSR parameters 11-25 parameter map cipher info 11-20 parameter maps 11-18, 11-27 user-defined groups 5-72 Admin context, first virtual context 6-2 administrative distance, definition GL-1 admin password 18-14 advanced editing mode 1-16 AES, definition GL-1 alarms configuring for notification 17-57 viewing 17-65 all-match policy map 14-32 ANM customizing default page 2-4 homepage 2-1, 2-3 ANM applications 1-2 ANM interface logging in 1-5 overview 1-8 password, changing account 1-7 login 1-7 table conventions 1-14 customizing 1-15 ANM server auto-sync settings 18-61 change audit logs 18-61 change audit logs, viewing 18-61 configuring attributes 18-57 license file name 18-54 polling, enabling 18-57 statistics 18-56 ANM template editor edit application template definition 4-18 overview 4-29 application acceleration configuring 7-53 action lists 7-55 globally on ACE appliances 15-9 monitoring 17-43 overview 15-2 traffic policies 15-2 typical configuration flow 15-2 virtual server, additional configuration options 7-57 application definition definitions create 4-20 Index IN-4 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 delete 4-29 export 4-26 import 4-26 test 4-28 application template definitions ANM template editor 4-29 edit 4-15 edit with ANM template editor 4-18 edit with external editor 4-19 managing 4-15 overview 4-1 system template 4-1 user-defined template 4-2 application template instance overview 4-2 application template instances create 4-4 delete deleting application template instance 4-13 deploy 4-7 duplicate 4-10 edit 4-9 list of instances 4-3 managing 4-3 view details 4-12 applying configuration building blocks 16-9 Appscope, configuration options 7-60 ARP definition GL-1 attributes BVI interfaces 12-20 DNS probes 8-57 Echo-TCP probes 8-58 Echo-UDP probes 8-58 Finger probes 8-58 for sticky group types 9-11 FTP probes 8-59 health monitoring 8-53 high availability 13-15 HTTP content sticky group 9-11 HTTP cookie sticky group 9-12 HTTP header sticky group 9-13 HTTP probes 8-60 HTTPS probes 8-61 IMAP probes 8-63 IP netmask sticky group 9-13 Layer 4 payload sticky group 9-14 new device 5-12 parameter map connection 10-3 DNS 10-25 generic 10-8 HTTP 10-10 optimization 10-12 RTSP 10-20 SIP 10-21 Skinny 10-24 POP probes 8-64 predictor method 7-42, 8-40 RADIUS sticky groups 9-14 RADIUS probes 8-65 real servers 8-6, 8-37 resource class 6-45 resource classes 6-45 RTSP header sticky groups 9-15 probes 8-65 scripted probes 8-66 server farms 7-34, 8-31 SIP-TCP probes 8-67 SIP-UDP probes 8-68 SMTP probes 8-69 SNMP 6-27 SNMP probes 8-69 SSL certificate export 11-16 Index IN-5 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 certificate import 11-8, 11-9 CSR parameters 11-25 for virtual servers 7-17 key export 11-17 key pair import 11-12 parameter map cipher info 11-20 parameter maps 11-18, 11-27 sticky group 9-8 TCP probes 8-70 Telnet probes 8-70 UDP probes 8-71 V6 prefix sticky group 9-13 virtual context 6-3, 6-13, 6-14 virtual servers 7-8 VLAN interfaces 12-6 VM probes 8-72 auditing building block configuration 6-101 resource classes 6-49 audit log configuring purge settings 18-58 audit logs ANM server change audit 18-61 audit sync settings configuring 18-61 authenticating ANM users with AAA server 18-38 authorization group certificate, configuring for SSL 11-32 autostate, enabling supervisor VLAN notification 12-5 autosync setting up syslog settings for 6-105 B backup defaults 6-61 bandwidth optimization, configuring 7-53 building block applying 16-9 configuration audit 6-101 changes and version numbers 16-4 options 16-2 primary attributes 16-8 configuring 16-7 creating 16-5 enable feature 16-5 extracting from virtual contexts 16-6 overview 16-1 primary attributes 16-8 tagging 16-4, 16-9 types 16-6 using 16-1 versions 16-4 viewing use 16-11 buttons descriptions 1-11 Graph The Component With Issue 17-66 BVI, definition GL-2 BVI interfaces attributes 12-20 configuring 12-19 viewing by context 12-25 C caching, dynamic 15-2 certificate exporting for SSL 11-15 importing for SSL 11-7 SSL 11-5 certificate chain, definition GL-2 certificate signing request, definition GL-2 chain group certificate, configuring for SSL 11-23 chain group parameters, configuring for SSL 11-23 changing account password 1-7 admin password 18-14 Index IN-6 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 domain information 5-63 login password 1-7 role rules 5-61 user passwords 18-14 chassis adding VLANs 5-48 changing passwords 5-75 configuring 5-34 access credentials 5-29 access ports 5-43 interfaces 5-42 primary attributes 5-38 routed ports 5-46 switch virtual interfaces 5-45 trunk ports 5-44 discovery process 5-31 managing 5-66 monitoring discovery status 5-33 running discovery 5-31 SSH, enabling 5-5 synchronizing configurations 5-66 Telnet default 5-5 viewing all modules 5-79 ports 5-42 VLAN managing 5-48 modifying 5-51 viewing 5-49 checking status of the Cisco ANM server 18-52 checkpoint, configuration creating 6-55 deleting 6-56 displaying 6-57 rolling back to 6-56 Cisco IOS software, definition GL-2 cisco-sample-cert 11-6 cisco-sample-key 11-6 class map ACE device support 14-7, 14-8 configuring 14-6 definition GL-2 deleting 14-6, 14-8 match conditions generic server load balancing 14-23 Layer 3/4 management traffic 14-12 Layer 3/4 network traffic 14-9 Layer 7 FTP command inspection 14-22 Layer 7 HTTP deep packet inspection 14-17 Layer 7 server load balancing 14-14 Layer 7 SIP deep packet inspection 14-30 RADIUS server load balancing 14-25 RTSP server load balancing 14-26 SIP server load balancing 14-27 overview 14-2, 14-3 setting match conditions 14-8 use with real servers 8-3 command inspection, FTP commands 14-22 configuration back up and restore overview 6-59 create a backup 6-62 restore 6-66 configuration attributes Appscope 7-60 delta optimization 7-57 device VLAN 5-48 extended ACL 6-83 health monitoring 8-53 high availability 13-15 HTTP return code maps 8-46 parameter map connection 10-3 DNS 10-25 generic 10-8 HTTP 10-10 optimization 10-12 RTSP 10-20 Index IN-7 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 SIP 10-21 Skinny 10-24 predictor method 7-42, 8-40 probe DNS 8-57 Echo-TCP 8-58 Echo-UDP 8-58 Finger 8-58 FTP 8-59 HTTP 8-60 HTTPS 8-61 IMAP 8-63 POP 8-64 RADIUS 8-65 RTSP 8-65 scripted 8-66 SIP-TCP 8-67 SIP-UDP 8-68 SMTP 8-69 SNMP 8-69 TCP 8-70 Telnet 8-70 UDP 8-71 VM 8-72 real server 8-6, 8-37 resource class 6-45 server farm 7-34, 8-31 SNMP users 6-30 SSL 7-17 sticky group 9-8 sticky type 7-47 syslog 6-20 trunk ports 5-44 virtual context 6-3 virtual server 7-8 configuration building block applying 16-9 configuring 16-7 creating 16-5 options 16-2 overview 16-1 tagging 16-4, 16-9 using 16-1 versions 16-4 configuration checkpoint and rollback service creating configuration checkpoint 6-55 deleting configuration checkpoint 6-56 displaying checkpoint information 6-57 overview 6-54 rolling back configuration 6-56 configuration options building blocks 16-2 by ACE device type 6-11 virtual contexts 6-9 configuration primary attributes virtual context 6-14 configurations synchronizing for ACE modules 5-67 for devices 5-66 for high availability 13-30 for virtual contexts 6-105 configuration synchronization 13-11 configuration template. See building block. configuration values, changing 20-1 configuring 7600 series router 5-34, 5-38 access ports 5-43 interfaces 5-42 switch virtual interfaces 5-45 trunk ports 5-44 acceleration 7-53 access credentials 5-29 access ports 5-43 ACE appliance passwords 5-75 ACE passwords 5-77 ACE SNMP for polling 5-7 ACE syslog messages 5-27, 18-62 Index IN-8 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 ACLs 6-79, 12-14 EtherType 6-87 extended 6-82 object groups 6-89 resequencing 6-87 action lists 7-55 action lists for application acceleration 15-3 action lists for HTTP header modify 14-85 application acceleration action lists 7-55 bandwidth optimization 7-53 building block primary attributes 16-8 building blocks 16-7 BVI interfaces 12-19 chassis 5-34, 5-38 access ports 5-43 interfaces 5-42 trunk ports 5-44 chassis passwords 5-75 class map match conditions generic server load balancing 14-23 Layer 3/4 management traffic 14-12 Layer 3/4 network traffic 14-9 Layer 7 FTP command inspection 14-22 Layer 7 HTTP deep packet inspection 14-17 Layer 7 server load balancing 14-14 Layer 7 SIP deep packet inspection 14-30 RADIUS server load balancing 14-25 RTSP server load balancing 14-26 SIP server load balancing 14-27 class maps 14-6 CSM 5-34 CSS 5-34, 5-35 CSS passwords 5-75 devices 5-34 DNS probe expect address 8-73 gigabit Ethernet interfaces 12-32 global application acceleration on ACE appliances 15-9 optimization on ACE appliances 15-9 GSS 5-36 GSS passwords 5-75 health monitoring general attributes 8-53 high availability groups 13-17, 13-19 host tracking 13-25 interface tracking 13-24 peer host probes 13-28 peers 13-15 synchronization 13-11 tracking and failure detection 13-23 host probes for high availability 13-26 HTTP probe headers 8-74 HTTP retcode maps 8-46 HTTPS probe headers 8-74 latency optimization 7-53 Layer 2 VLANs 5-50 Layer 3 VLANs 5-51 Layer 7 default load balancing 7-50 load balancing real servers 8-5 server farms 8-30 sticky groups 9-7 virtual servers 7-30 NAT 7-63, 12-26 object groups ICMP service parameters 6-97 IP addresses 6-91 protocols 6-93 subnet objects 6-92 TCP/UDP service parameters 6-94 OID for SNMP probes 8-76 optimization 7-53 action lists 7-55 traffic policies 15-6 organization passwords 18-10 parameter maps connection 10-3 DNS 10-25 Index IN-9 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 generic 10-8 HTTP 10-9 optimization 10-12, 15-6 RTSP 10-20 SIP 10-21 Skinny 10-23 PAT 12-27 policy map rules and actions 14-34 generic server load balancing 14-35 Layer 3/4 management traffic 14-39 Layer 3/4 network traffic 14-41 Layer 7 FTP command inspection 14-48 Layer 7 HTTP deep packet inspection 14-51 Layer 7 HTTP optimization 14-57 Layer 7 server load balancing 14-61 Layer 7 SIP deep packet inspection 14-68 Layer 7 Skinny deep packet inspection 14-71 RADIUS server load balancing 14-73 RDP server load balancing 14-75 RTSP server load balancing 14-76 SIP server load balancing 14-79 policy maps 14-32 port channel interfaces 12-35 probe attributes 8-56 probe expect status 8-74 protocol inspection 7-18 real servers 8-17, B-18 resource classes global 6-46 local 6-52 routed ports 5-46 server farm predictor method 8-39 shared objects 7-10 SNMP 6-27 communities 6-28 credentials 5-30 notification 6-33 on virtual contexts 6-27 trap destination hosts 6-32 version 3 users 6-29 SSL chain group parameters 11-23 CSR parameters 11-24 for virtual servers 7-17 OCSP service 11-29 parameter map 11-18 parameter map cipher 11-20 proxy service 11-27 static routes 5-39, 12-28 sticky groups 7-47, 9-7 sticky statics 9-15 switch virtual interfaces 5-45 syslog logging 6-19 log hosts 6-23 log messages 6-24 log rate limits 6-26 Telnet credentials 5-29 Telnet on chassis 5-5 traffic policies 14-1 trunk ports 5-44 virtual context 6-1, 6-8, 6-106 class maps 14-6 global policies 6-35 policy maps 14-32 primary attributes 6-14 resource classes 6-52 system attributes 6-13 virtual server configuration overview 7-2 default load balancing 7-50 Layer 7 load balancing 7-30 NAT 7-63 optimization 15-9 properties 7-11 protocol inspection 7-18 shared objects 7-9 Index IN-10 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 SSL termination service 7-17 VLAN interface access control 12-14 interface policy maps 12-14 interfaces 12-6 Layer 2 5-50 Layer 3 5-51 VLAN groups 5-52 VSS passwords 5-75 connection parameter map attributes 10-3 configuring 10-3 TCP options 10-7 using 8-77 connectivity, testing between devices 17-71 context back up and restore overview 6-59 configuration options 6-9 configuring 6-8 application acceleration 15-1 BVI interfaces 12-19 global policies 6-35 load balancing 7-1 optimization 15-1 primary attributes 6-14 resource classes 6-52 static routes 12-28 traffic policies 14-1 virtual servers 7-1 VLAN interfaces 12-6 create a configuration backup 6-62 creating 6-2 definition GL-7 deleting 6-107 editing 6-106 extracting configurations for building blocks 16-6 modifying 6-106 polling restarting 6-108 viewing status 6-104 restore a configuration 6-66 synchronizing configurations 6-105 sync status 6-103 upgrading 6-107 using for configuration building blocks 16-6 controlling access to Cisco ANM 18-3 conventions in ANM table 1-14 cookie client 9-3 sticky client identification 9-3 copying ACE licenses 6-37 creating ACLs 6-79 application template definition 4-20 application template instance 4-4 building blocks 16-5 domains 18-34 user accounts 18-19 user roles 18-29 virtual contexts 6-2 creating ACLs 6-79 credentials modifying 5-30 SNMP 5-30 Telnet 5-29 CSM adding to ANM 5-19, 5-20 configuring 5-34 primary attributes 5-34 viewing by chassis 5-79 CSR configuring parameters 11-24 definition GL-2 generating for SSL 11-26 CSS changing passwords 5-75 Index IN-11 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 configuring 5-34 primary attributes 5-35 synchronizing configurations 5-66 customizing tables 1-15 D Data Center Interconnect (DCI) overview 1-3 data dictionary 17-53 deep packet inspection HTTP class map match conditions 14-17 policy map rules and actions 14-51 SIP class map match conditions 14-30 policy map rules and actions 14-68 Skinny policy map rules and actions 14-71 default distance values 5-40 deleting ACLs 6-100 application template definition 4-29 class map in use 14-6 device RBAC user accounts 5-56 domains 5-65, 18-37 high availability groups 13-23 host probes for high availability 13-27 organizations 18-16 peer host probes 13-29 resource classes 6-51, 6-53 role rules 5-61 roles or domains 5-54 SSL objects 11-2 user accounts 18-23 user-defined groups 5-75 user roles 5-60, 18-32 virtual contexts 6-107 delta optimization configuration options 7-57 description 15-2 deploying application template instance 4-7 configuration building blocks 16-9 staged virtual servers 7-87 DES, definition GL-2 device adding to ANM 5-10 back up and restore overview 6-59 configuring 5-34 create a configuration backup 6-62 management overview 5-2 managing 5-1 monitoring 17-24 polling restarting 5-78 status 5-79 restore a configuration 6-66 viewing All Devices table 5-78 device audit trail logs monitoring 18-59 device groups, monitoring 17-23 device tree overview 1-10 discovery enabling SSH on ACE modules 5-28 monitoring progress 5-31, 5-33 process 5-31 running 5-31 displaying current user sessions 18-24 list of users 18-18 network domains 18-33 organizations 18-16 user roles 18-28 users who have a selected role 18-29 Index IN-12 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 distinguished name, definition GL-3 DNS configuring protocol inspection 7-19 parameter map attributes 10-25 configuring 10-25 probe attributes 8-57 expect address 8-73 DNS rules, and GSS 7-75 domains deleting 5-54 duplicate application template instance 4-10 duplicating domains 18-35 organizations 18-15 user accounts 18-20 user-defined groups 5-74 user roles 18-31 dynamic caching 15-2 Dynamic Workload Scaling brief summary and illustration 1-3 configure Nexus 7000 8-27 overview 8-26 VM controller 8-29 server farm 7-36, 8-33 E Echo-TCP probe attributes 8-58 Echo-UDP probe attributes 8-58 e-commerce applications, sticky requirements 9-1 using stickiness 9-4 edit application template definition 4-15 application template instance 4-9 role rules 5-61 enabling ACE syslog messages 5-27 setup syslog for Autosync 5-27 SNMP polling from ANM 5-7 write mem on Config > Operations 18-63 Ethernet interfaces, configuring 12-32 EtherType ACL, configuring 6-87 event definition GL-3 monitoring 17-55 event type, definition GL-3 exception, definition GL-3 expert options, for virtual contexts 6-101 export application template definition 4-26 export historical statistics 17-52 exporting SSL certificates 11-15 key 11-17 key pair 11-16 extended ACL configuration options 6-83 resequencing entries 6-87 F failover 13-9 fault, definition GL-3 fault tolerance groups 13-8 task overview 13-14 Feedback button 1-9 filtering tables 1-14 Finger probe attributes 8-58 first-match policy map 14-32 FlashForward object acceleration 15-2 FTP, configuring protocol inspection 7-19 Index IN-13 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 FTP command inspection available commands 14-22 class map match conditions 14-22 policy map rules and actions 14-48 FTP probe attributes 8-59 FTP strict, and RFP standards 14-48 FT VLAN 13-10 G generic parameter map attributes 10-8 configuring 10-8 generic server load balancing class map match conditions 14-23 policy map rules and actions 14-35 global acceleration and optimization, ACE appliances 15-9 global policies, configuring for virtual contexts 6-35 global resource class 6-44 applying to contexts 6-47 auditing 6-49 configuring 6-46 deleting 6-51 deploying 6-48 modifying 6-50 using 6-46 graphs, historical trend and real time 17-48 Graph The Component With Issue button 17-66 groups GSS DNS rules, managing 7-76 GSS VIP answers, managing 7-76 real servers, managing 8-10 virtual servers, managing 7-67 VLAN, assigning 12-4 VLAN, creating 12-3 GSS Answer Table 7-73, 7-75 changing passwords 5-75 DNS rules, activating suspending 7-75 DNS rules groups, managing 7-76 primary attributes 5-36 VIP answer groups, managing 7-76 VIP Answer table, managing 7-73 guided setup ACE hardware setup 3-5 ACE network topology overview 3-12 application setup 3-14 importing devices 3-4 operating considerations 3-4 overview 3-1 tasks and related topics 3-2 virtual context setup 3-10 guidelines for managing domains 18-33 user accounts 18-17 user roles 18-25 H hash load-balancing methods address 8-2 cookie 8-2 header 8-2 url 8-3 header deletion 14-86 insertion 14-85, 14-86 rewrite 14-85, 14-86 health monitoring configuring 8-49 for real servers 8-51 general attributes 8-53 inband 7-37, 8-34 overview 8-49 probe types 8-51 TCL scripts 8-50 heartbeat packets 13-9 Index IN-14 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Help button 1-9 high availability ANM requirements 5-8 clearing links between ACE appliances 13-17 pairs 13-17 configuration attributes 13-15 configuring groups 13-17 host probes 13-26 host tracking process 13-25 interface tracking process 13-24 overview 13-6 peer host probes 13-28 peers 13-15 deleting groups 13-23 host probes 13-27 peer host probes 13-29 failover detection 13-23 importance of synchronizing configurations 13-30 modifying groups 13-19 protocol 13-8 reconciling an SSL certificate/key pair 13-32 switching over a group 13-22 task overview 13-14 tracking status 13-23 historical statistics, export 17-52 historical trend graph 17-48 homepage customizing default page 2-4 link descriptions 2-1 overview 2-1 pages in ANM 2-3 HSRP, definition GL-3 HTTP configuring protocol inspection 7-20 content sticky group attributes 9-11 sticky type 9-3 cookie sticky group attributes 9-12 sticky type 9-3 deep packet inspection class map match conditions 14-17 policy map rules and actions 14-51 header sticky client identification 9-4 sticky group attributes 9-13 sticky type 9-4 load balancing conditions and options 7-32 optimization policy map rules and actions 14-57 parameter map attributes 10-10 configuring 10-9 parameter maps 8-77 probe attributes 8-60 configuring headers 8-74 retcode maps 8-46 return code map configuration options 8-46 protocol inspection conditions and options 7-23 HTTP header deletion 14-86 insertion 14-85, 14-86 rewrite 14-85, 14-86 HTTP header insertion 14-85 HTTPS ACE modules, enabling 5-6 configuring protocol inspection 7-20 load balancing conditions and options 7-32 probe attributes 8-61 configuring headers 8-74 protocol inspection conditions and options 7-23 Index IN-15 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 I ICMP service parameters, for object groups 6-97 IMAP probe attributes 8-63 import application definition definition 4-26 Import Failed, configuration status 6-103, 6-105 importing ACE licenses 6-37 ACE modules 5-16 CSM 5-19, 5-20 device failures 20-7 overview 5-10 SSL certificates 11-7 keys 11-11 inband health monitoring 7-37, 8-34 connection failure count 7-37, 8-34 reset timeout 7-37, 8-34 resume service 7-38, 8-35 installing ACE appliance licenses 6-37 interface ANM 1-8 buttons 1-11 configuring on 7600 series routers 5-42 on chassis 5-42 definition GL-4 gigabit Ethernet, configuring 12-32 table conventions 1-14 IP addresses, for object groups 6-91 IP discovery failure 20-7 IP netmask for sticky client identification 9-4 sticky group attributes 9-13 sticky type 9-4 IPv6 considerations 1-3 IPv6 prefix sticky type 9-4 K key exporting for SSL 11-17 importing for SSL 11-11 SSL 11-10 key pair, generating 11-14 L latency optimization, configuring 7-53 Layer 2 VLANs, configuring 5-50 Layer 3/4 management traffic class map match conditions 14-12 policy map rules and actions 14-39 network traffic class map match conditions 14-9 policy map rules and actions 14-41 Layer 3 VLANs, configuring 5-51 Layer 4 payload sticky group attributes 9-14 sticky type 9-4 Layer 7 configuring load balancing 7-30 default load balancing on virtual servers 7-50 FTP command inspection class map match conditions 14-22 policy map rules and actions 14-48 HTTP deep packet inspection class map match conditions 14-17 policy map rules and actions 14-51 HTTP optimization policy map rules and actions 14-57 load balancing HTTP/HTTPS conditions and options 7-32 setting match conditions 7-31 Index IN-16 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 server load balancing class map match conditions 14-14 policy map rules and actions 14-61 SIP deep packet inspection class map match conditions 14-30 policy map rules and actions 14-68 Skinny deep packet inspection policy map rules and actions 14-71 least bandwidth, load-balancing method 8-3 leastconns, load-balancing method 8-3 least loaded, load-balancing method 8-3 license errors, removing 18-55 managing for ACE devices 6-36 relationship between ANM and ACE licenses 6-36 removing ACE licenses 6-39 updating ACE licenses 6-40 viewing ACE license details 6-42 licenses ANM, removing 18-55 installing 6-37 lifeline guidelines for use 20-8 overview 20-7 lifeline management 18-72 load balancing configuration overview 7-1 configuring real servers 8-1, 8-5 server farms 8-1, 8-30 sticky groups 9-7 virtual servers 7-30 definition GL-4 hash address 8-2 hash cookie 8-2 hash header 8-2 hash url 8-3 least bandwidth 8-3 leastconns 8-3 least loaded 8-3 monitoring on probes 17-40 monitoring on real servers 17-37 monitoring on statistics 17-41 monitoring on virtual servers 17-33 overview 7-1, 8-1 predictors 8-2 response 8-3 roundrobin 8-3 local resource class 6-44 auditing 6-49 configuring 6-52 deleting 6-53 using 6-51 logging, syslog levels 6-19 logging in to ANM 1-5 Logout button 1-9 M managing 7600 series routers 5-66 ACLs 6-99 ANM 18-51 chassis 5-66 devices 5-1 domains 18-32 organizations 18-9 real servers 8-9 resource classes 6-43 user accounts 18-17 user roles 18-25 virtual contexts 6-103 virtual servers 7-66 VLANs 5-48 map real server to vCenter Server 5-68 match condition class map Index IN-17 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 generic server load balancing 14-23 Layer 3/4 management traffic 14-12 Layer 3/4 network traffic 14-9 Layer 7 FTP command inspection 14-22 Layer 7 HTTP deep packet inspection 14-17 Layer 7 server load balancing 14-14 Layer 7 SIP deep packet inspection 14-30 RADIUS server load balancing 14-25 RTSP server load balancing 14-26 SIP server load balancing 14-27 setting for class maps 14-8 Layer 7 load balancing 7-31 optimization 7-54 SIP protocol inspection 7-27 MD5, definition GL-4 menus, understanding 1-9 merged ACL 6-78 MIB, definition GL-4 MIME types, supported 10-26 mobile device registered devices 18-70 modifying deployed virtual servers 7-88 domains 5-65, 18-36 global resource class 6-50 high availability groups 13-19 organizations 18-14 real servers 8-17, B-18 staged virtual servers 7-88 user accounts 5-55, 18-21 user-defined groups 5-73 user roles 5-60, 18-31 virtual contexts 6-106 module configuring access credentials 5-29 discovery process 5-31 monitoring discovery progress 5-31 running discovery 5-31 viewing by chassis 5-79 by router 5-79 monitoring alarms 17-65 device audit trail logs 18-59 devices 17-3 events 17-55 load balancing 17-33, 17-37, 17-40 load balancing statistics 17-41 traffic 17-30 MSFC, adding switched virtual interface to 12-5 multi-match policy map 14-32 N Name Address Translation configuring 12-26 definition GL-4 NAT configuring 12-26 configuring for virtual servers 7-63 definition GL-4 Navigation pane 1-9 network object group configuring 6-89 IP addresses 6-91 subnet objects 6-92 network topology maps 17-68 O object, configuring for virtual servers 7-9 object group configuring for ACLs 6-89 GSS VIP answers and DNS rules 7-76 real servers 8-10 Index IN-18 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 virtual servers 7-67 ICMP service parameters 6-97 IP addresses 6-91 protocols 6-93 subnet objects 6-92 TCP/UDP service parameters 6-94 OCSP service, configuring for SSL 11-29 optimization additional configuration options 7-57 configuration overview 15-6 configuring 7-53 action lists 7-55 globally on ACE appliances 15-9 match conditions 7-54 parameter maps 15-6 traffic policies 15-6 delta optimization 15-2 enabling on virtual servers 15-9 match criteria 7-54 overview 15-2 parameter maps 8-77 traffic policies 15-2 typical configuration flow 15-2 virtual server, additional configuration options 7-57 optimization parameter map attributes 10-12 configuring 10-12 organizations definition GL-4 Out of Sync, configuration status 6-103, 6-105 Overlay Transport Virtualization (OTV) 1-3 overview ACL configuration 6-78 adding supported devices 5-10 admin icon 18-2 application acceleration 15-2 building blocks 16-1 class maps 14-2, 14-3 configuration building blocks 16-1 global and local resource classes 6-44 health monitoring 8-49 importing devices 5-10 load balancing 7-1, 8-1 load-balancing predictors 8-2 managing devices 5-2 optimization 15-2 optimization traffic policies 15-6 parameter maps 10-1 policy maps 14-2, 14-4 protocol inspection 14-6 real server 8-3 resource classes 6-43 server farm 8-3, 8-5 server health monitoring 8-49 server load balancing 8-1 SSL 11-1 stickiness 9-1 sticky group 9-6 sticky table 9-6 traffic policies 14-1 user-defined groups 5-72 using SSL keys and certificates 11-3 virtual server 7-2 P parameter expander functions 7-61, 10-18 parameter map ACE device support 10-2 attributes connection 10-3 DNS 10-25 generic 10-8 HTTP 10-10 optimization 10-12 RTSP 10-20 SIP 10-21 Skinny 10-24 Index IN-19 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 configuring connection 10-3 DNS 10-25 for SSL 11-18 generic 10-8 HTTP 10-9 optimization 10-12, 15-6 RTSP 10-20 SIP 10-21 Skinny 10-23 overview 10-1 types of 10-2 using with Layer 3/Layer 4 policy maps 14-5 policy maps 10-1 using with Layer 3/Layer 4 policy maps 8-77 parameter map cipher, configuring for SSL 11-20 passwords, changing admin 18-14 for accounts 1-7 for ACE appliance 5-75 for chassis 5-75 for CSS 5-75 for GSS 5-75 for the ACE 5-77 for VSS 5-75 in login window 1-7 PAT configuring 12-27 definition GL-5 peers, high availability 13-15 ping between devices 17-71 definition GL-5 policy map 14-34 ACE device support 14-32 associating with VLAN interface 12-14 configuring 14-32 match type all-match 14-32 first-match 14-32 multi-match 14-32 overview 14-2, 14-4 rule and action topic reference 14-34 rules and actions generic server load balancing 14-35 Layer 3/4 management traffic 14-39 Layer 3/4 network traffic 14-41 Layer 7 FTP command inspection 14-48 Layer 7 HTTP deep packet inspection 14-51 Layer 7 HTTP optimization 14-57 Layer 7 server load balancing 14-61 Layer 7 SIP deep packet inspection 14-68 Layer 7 Skinny deep packet inspection 14-71 RADIUS server load balancing 14-73 RDP server load balancing 14-75 RTSP server load balancing 14-76 SIP server load balancing 14-79 setting rules and actions 14-34 polling enabling 18-57 parameters, setting 17-46 restarting for devices 5-78 for virtual contexts 6-108 status for devices 5-79 for virtual contexts 6-104 POP probe attributes 8-64 port number, configuring for probes 8-54 Port Address Translation configuring 12-27 definition GL-5 port channel interfaces attributes 12-37 configuring 12-35 ports Index IN-20 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 ANM, used for ANM client (browser) to ANM server communication A-1 ANM, used for managed device communication A-1 definition GL-5 reference A-1 predictor hash address 8-2 hash cookie 8-2 hash header 8-2 hash url 8-3 least bandwidth 8-3 leastconns 8-3 least loaded 8-3 response 8-3 roundrobin 8-3 predictor method attributes 7-42, 8-40 configuring for server farms 8-39 primary attributes 7600 series routers 5-38 chassis 5-38 configuration building blocks 16-8 CSM 5-34 CSS 5-35 GSS 5-36 virtual contexts 6-14 probe attribute tables 8-56 configuring expect status 8-74 configuring for health monitoring 8-51 configuring SNMP OIDs 8-76 DNS 8-57 Echo-TCP 8-58 Echo-UDP 8-58 Finger 8-58 FTP 8-59 HTTP 8-60 HTTPS 8-61 IMAP 8-63 POP 8-64 port number 8-54 RADIUS 8-65 RTSP 8-65 scripted 8-66 scripting using TCL 8-50 SIP-TCP 8-67 SIP-UDP 8-68 SMTP 8-69 SNMP 8-69 TCP 8-70 Telnet 8-70 types for real server monitoring 8-51 UDP 8-71 VM 8-72 process, for traffic classification 14-3 protocol inspection configuring for virtual servers 7-18 configuring match criteria HTTP and HTTPS 7-22 SIP 7-27 HTTP/HTTPS conditions and options 7-23 overview 14-6 SIP conditions and options 7-28 virtual server options 7-19 protocol names and numbers 6-86 protocols for object groups 6-93 for virtual servers 7-11 proxy service, configuring for SSL 11-27 R RADIUS probe attributes 8-65 server load balancing class map match conditions 14-25 policy map rules and actions 14-73 sticky group attributes 9-14 Index IN-21 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 sticky type 9-5 RBAC, definition GL-5 RDP server load balancing policy map rules and actions 14-75 real server activating 8-14, B-15 adding to server farm 8-37 configuration attributes 8-6, 8-37 configuring 8-5 load balancing service 8-1 definition GL-5 groups 8-10 health monitoring 8-49, 8-51 modifying 8-17, B-18 overview 8-3 suspending 8-15, B-16 viewing all 8-18 real time graph 17-48 redundancy configuration requirements 13-12 configuration synchronization 13-11 definition GL-5 FT VLAN 13-10 protocol 13-8 task overview 13-14 registered mobile device list 18-70 removing ACE license 6-39 ANM license files 18-55 rules from roles 5-61 resource, required for sticky groups 9-7 resource class adding 6-46 allocation constraints 6-44 applying global resource classes 6-47 attributes 6-45 auditing local and global resource classes 6-49 configuring globally 6-46 locally 6-52 definition GL-5 deleting global resource class 6-51 local resource class 6-53 deploying global resource class 6-48 global 6-44 local 6-44 managing 6-43 modifying 6-50 overview 6-43 using global classes 6-46 local classes 6-51 viewing use by contexts 6-54 resources, allocation constraints 6-44 resource usage, viewing 17-26 response load-balancing method 8-3 restarting ANM (see the Installation Guide) 18-56 restarting device polling 5-78 restore defaults 6-61 role definition GL-7 deleting 5-54 role-based access control authenticating ANM users with AA server 18-38 containment overview 18-4 definition GL-5 roundrobin, load-balancing predictor 8-3 routed ports, configuring 5-46 routes, configuring static routes 5-39 RSA, definition GL-5 RTSP header sticky group attributes 9-15 sticky type 9-5 parameter map Index IN-22 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 attributes 10-20 configuring 10-20 probe attributes 8-65 server load balancing class map match conditions 14-26 policy map rules and actions 14-76 rule changing for roles 5-61 setting for policy maps 14-34 S sample SSL certificate and key pair 11-6 screens, understanding 1-9 scripted probe attributes 8-66 overview 8-50 secondary IP addresses 12-14 secondary IP groups 12-14 security ACL 6-78 server activating real 8-14, B-15 virtual 7-71 managing 8-9 suspending real 8-15, B-16 virtual 7-72 server farm adding real servers 8-37 configuration attributes 7-34, 8-31 configuring HTTP return error-code checking 8-46 load balancing 8-1, 8-30 predictor method 8-39 definition GL-6 Dynamic Workload Scaling 7-36, 8-33 health monitoring 8-49 inband health monitoring 7-37, 8-34 overview 8-3, 8-5 predictor method attributes 7-42, 8-40 viewing list of 8-48 Server Load Balancer (SLB), definition GL-6 server load balancing generic class map match conditions 14-23 generic policy map rules and actions 14-35 Layer 7 class map match conditions 14-14 Layer 7 policy map rules and actions 14-61 overview 7-1, 8-1 RADIUS class map match conditions 14-25 RADIUS policy map rules and actions 14-73 RDP policy map rules and actions 14-75 RTSP class map match conditions 14-26 RTSP policy map rules and actions 14-76 SIP class map match conditions 14-27 SIP policy map rules and actions 14-79 service, definition GL-6 service object group configuring 6-89 ICMP service parameters 6-97 protocols 6-93 TCP/UDP service parameters 6-94 setup sequence SSL 11-4 setup syslog for Autosync, enabling 5-27 shared object and deleting virtual servers 7-10 configuring 7-10 configuring for virtual servers 7-9 SIP configuring protocol inspection 7-21 deep packet inspection class map match conditions 14-30 policy map rules and actions 14-68 header sticky type 9-5 parameter map attributes 10-21 configuring 10-21 Index IN-23 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 protocol inspection conditions and options 7-28 server load balancing class map match conditions 14-27 policy map rules and actions 14-79 SIP-TCP probe attributes 8-67 SIP-UDP probe attributes 8-68 Skinny deep packet inspection policy map rules and actions 14-71 parameter map attributes 10-24 configuring 10-23 SMTP configuring for email notifications 17-68 probe attributes 8-69 SNMP configuration attributes 6-27 configuring communities 6-28 for virtual contexts 6-27 notification 6-33 trap destination hosts 6-32 version 3 users 6-29 credentials 5-30 enabling collection 6-108 enabling polling 5-7 probe attributes 8-69 supported versions 5-7 trap destination host configuration 6-32 user configuration attributes 6-30 special characters for matching string expressions 14-84 special configuration file, definition GL-6 SSH ACE appliance, enabling 5-6 ACE modules, enabling 5-6 chassis, enabling 5-5 enabling on ACE modules for discovery 5-28 SSHv2, chassis requirement in ANM 5-6 SSL certificate exporting 11-15 exporting attributes 11-16 importing 11-7 importing attributes 11-8, 11-9 overview 11-3 sample 11-6 using 11-5 configuring authorization group certificates 11-32 chain group certificates 11-23 chain group parameters 11-23 CSR parameters 11-24 for virtual servers 7-17 OCSPservice 11-29 parameter map 11-18 parameter map cipher 11-20 proxy service 11-27 CSR parameters 11-25 editing CSR parameters 11-25 parameter map cipher info 11-20 parameter maps 11-18, 11-27 exporting certificates 11-15 key pairs 11-16 keys 11-17 generating CSR 11-26 key pair 11-14 header insertion, configuring 14-89 importing certificates 11-7 keys 11-11 key exporting 11-17 importing 11-11 overview 11-3 using 11-10 Index IN-24 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 key pair exporting 11-16 generating 11-14 importing attributes 11-12 sample 11-6 objects, deleting 11-2 overview 11-1 parameter map cipher table 11-20 parameter maps 11-18, 11-27 procedure overview 11-3 redirect authentication failure 11-21 sample certificate and key pair 11-6 setup sequence using 11-4 URL rewrite, configuring 14-88 SSL certificate, using 11-5 SSL header insertion, configuring 14-85, 14-89 SSL key, using 11-10 SSL setup sequence, using 11-4 SSL URL rewrite, configuring 14-85 staged virtual server deploying 7-87 viewing all 7-87 static route configuring 5-39, 12-28 statistics ANM server 18-56 status, Cisco ANM server 18-52 Status bar 1-9 stickiness cookie-based 9-3 HTTP content 9-3 HTTP cookie 9-3 HTTP header 9-4 IP netmask 9-4 IPv6 prefix 9-4 Layer 4 payload 9-4 overview 9-1 RADIUS 9-5 RTSP header 9-5 SIP header 9-5 sticky group 9-6 sticky table 9-6 types 9-2 sticky cookies for client identification 9-3 definition GL-6 e-commerce application requirements 9-1 groups 9-6 HTTP header for client identification 9-4 IP netmask for client identification 9-4 overview 9-2 types 9-2 sticky group attributes HTTP content 9-11 HTTP cookie 9-12 HTTP header 9-13 IP netmask 9-13 Layer 4 payload 9-14 RADIUS 9-14 RTSP header 9-15 V6 prefix 9-13 configuration options 7-47, 9-8 configuring load balancing 9-7 sticky statics 9-15 overview 9-6 required resource allocation 9-7 type-specific attributes 9-11 viewing 9-15 sticky statics, configuring for sticky groups 9-15 sticky table overview 9-6 sticky type IP netmask 9-4 HTTP content 9-3 HTTP cookie 9-3 Index IN-25 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 HTTP header 9-4 IPv6 prefix 9-4 Layer 4 payload 9-4 RADIUS 9-5 RTSP header 9-5 SIP header 9-5 string expression, special characters 14-84 subnet objects, for object groups 6-92 supervisor assigning VLAN groups to the ACE 12-4 supervisor module, viewing by chassis 5-79 suspend, definition GL-6 suspending DNS rules for GSS 7-75 real servers 8-15, B-16 virtual servers 7-72 switched virtual interface, adding to MSFC 12-5 switchover 13-9 switch virtual interfaces, configuring 5-45 synchronization of configuration 13-11 synchronizing ACE module configurations 5-67 configurations for high availability 13-30 contexts created in CLI 7-2, 7-4 device configurations 5-66 virtual context configurations 6-105 sync status, virtual contexts 6-103 syslog configuration attributes 6-20 configuring logging 6-19 logging levels 6-19 log hosts 6-23 log messages 6-24 log rate limits 6-26 settings for synchronizing with ACE CLI autosync 6-105 syslog, setup for Autosync 5-27 syslog logging, configuring 6-19 syslog messages enabling ACE 5-27 overwriting the ACE logging device-id 18-62 system templates 4-1 T table conventions 1-14 customizing 1-15 default distance values 5-40 filtering information in 1-14 ICMP type numbers and names 6-98 protocol names and numbers 6-86 topic reference for policy map rules and actions 14-34 table conventions 1-14 tables for probe attributes 8-56 for sticky group attributes 9-11 TACACS+ server, authenticating ANM users 18-38 tagging building blocks 16-4, 16-9 takeover, forcing in high availability 13-22 task overview, redundancy 13-14 TCL script health monitoring 8-50 overview 8-50 TCP options for connection parameter maps 10-7 probe attributes 8-70 service parameters for object groups 6-94 Telnet configuring credentials 5-29 import method for chassis 5-5 probe attributes 8-70 template. See building block. template editor 4-29 edit application template definition 4-18 templates system 4-1 Index IN-26 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 user-defined 4-2 terminating current user sessions 18-24 test application definition definition 4-28 threshold, definition GL-7 topic reference for configuring rules and actions 14-34 topology maps 17-68 traceroute, definition GL-7 traffic, monitoring 17-30 traffic class components 14-4 traffic classification process 14-3 traffic policy ACE device support 14-2 components 14-4 configuring 14-1 for application acceleration 15-2 for optimization 15-2 lookup order 14-5 overview 14-1 troubleshooting importing, ACE module state 5-16 IP discovery 20-7 troubleshooting, using lifeline 20-7 trunk ports, configuring 5-44 types of user 18-5 U UDP probe attributes 8-71 UDP service parameters, for object groups 6-94 understanding domains 18-7 operations privileges 18-6 roles 18-6 user groups 18-7 Unprovisioned, configuration status 6-103, 6-105 updating, configuration values 20-1 updating ACE licenses 6-40 upgrading virtual contexts 6-107 URL rewrite, configuring 14-88 user-defined groups adding 5-72 deleting 5-75 duplicating 5-74 modifying 5-73 overview 5-72 user-defined templates 4-2 user roles, definition GL-7 using ACLs 6-78 building blocks 16-1 virtual contexts 6-2 V V6 prefix sticky group attributes 9-13 versions of building blocks 16-4 view application template instance details 4-12 viewing 18-61 7600 series router VLANs 5-49 ACE license details 6-36 ACLs by context 6-99 all devices 5-78 all real servers 8-18 all server farms 8-48 all sticky groups 9-15 all virtual servers 7-81 building block use 16-11 BVI interfaces by context 12-25 chassis VLANs 5-49 configuration building block use 16-11 current user sessions 18-24 license information 6-42 ports 5-42 resource class use on contexts 6-54 Index IN-27 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 staged virtual servers 7-87 virtual server details 7-81 virtual servers by context 7-65 VLAN interfaces by context 12-18 VIP Answer table, and GSS 7-73 virtual context back up and restore overview 6-59 comparing configuration with building block 6-101 configuration attributes 6-3 audit 6-101 options 6-8, 6-9 primary attributes 6-14 configuring 6-1 BVI interfaces 12-19 class map match conditions 14-8 class maps 14-6 global policies 6-35 load balancing services 7-1 policy map rules and actions 14-34 policy maps 14-32 primary attributes 6-14 resource classes 6-52 SNMP 6-27 static routes 12-28 syslog 6-19 system attributes 6-13 VLAN interfaces 12-6 create a configuration backup 6-62 creating 6-2 definition GL-7 deleting 6-107 description 6-2 expert options 6-101 managing 6-103 modifying 6-106 monitoring resource usage 17-26 polling restarting 6-108 viewing status 6-104 restore a configuration 6-66 synchronizing configurations 6-105 sync status 6-103 syslog setup for autosync 6-105 upgrading 6-107 using for configuration building blocks 16-6 overview 6-2 viewing all contexts 6-103 BVI interfaces 12-25 polling status 6-104 resource class use 6-54 sync status 6-103 VLANS 12-18 virtual data center B-1, B-2 Virtual Local Area Network (VLAN), definition GL-7 virtual server 7-30, 7-57 activating 7-71 additional options 7-3 advanced view properties 7-12 and user roles 7-3 application acceleration 7-53 application acceleration, additional configuration options 7-57 basic view properties 7-16 configuration methods 7-4 recommendations 7-4 configuration subsets 7-8 configuring 7-1, 7-2, 7-7 application acceleration 7-53 default Layer 7 load balancing 7-50 in ANM 7-2 in CLI 7-2, 7-4 Layer 7 load balancing 7-30 NAT 7-63 optimization 7-53, 15-9 Index IN-28 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 properties 7-11 protocol inspection 7-18 shared objects 7-9 SSL 7-17 definition GL-7 deleting and shared objects 7-10 deployed servers, modifying 7-88 deploying staged servers 7-87 groups 7-67 GSS answer table 7-73, 7-75 load balancing default 7-50 Layer 7 7-30 managing 7-66 minimum configuration 7-2 modifying deployed servers 7-88 staged servers 7-88 optimization 7-53 overview 7-2 properties advanced view 7-12 basic view 7-16 protocols 7-11 recommendations for configuring 7-4 shared objects 7-5, 7-9 SSL attributes 7-17 staged servers deploying 7-87 modifying 7-88 viewing 7-87 suspending 7-72 viewing all 7-81 by context 7-65 details 7-81 servers 7-65 staged servers 7-87 VLAN adding to 7600 series router 5-48 adding to chassis 5-48 configuring access control 12-14 ACLs 12-14 Layer 2 VLANs 5-50 Layer 3 VLANs 5-51 NAT 12-26 policy maps 12-14 creating VLAN groups 5-52 definition GL-7 FT VLAN for redundancy 13-10 interface access control 12-14 attributes 12-6 configuring 12-6 NAT pools 12-26 policy maps 12-14 viewing 12-18 managing 5-48 modifying on 7600 series router 5-51 on chassis 5-51 viewing by 7600 series router 5-49 by chassis 5-49 VLAN group, creating 5-52 VLAN interfaces attributes 12-6 configuring 12-6 access control 12-14 for virtual contexts 12-6 policy maps 12-14 viewing by context 12-18 VLANs configuring 12-3 configuring on the supervisor 12-3 enabling autostate supervisor notification 12-5 groups, assigning 12-4 Index IN-29 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 groups, creating 12-3 secondary IP addresses, configuring 12-14 switched virtual interfaces, adding to MSFC 12-5 VLAN Trunking Protocol, definition GL-8 VM probe attributes 8-72 VMware ANM plug-in B-2 Cisco ACE SLB tab details B-3 overview B-3 information about B-2 mananging real servers B-12 map real server to vCenter Server 5-68 vCenter Server B-2 vSphere Client B-2 VSS changing passwords 5-75 VTP, definition GL-8 VTP domain, definition GL-8 W Web server, definition GL-8 weighted roundrobin. See roundrobin write mem on Config > Operations, enabling 18-63 Index IN-30 User Guide for the Cisco Application Networking Manager 5.2 OL-26572-01 Cloud Computing à serviço da Educação Profissional. C A S O D E S U C E S S O www.teltecnetworks.com.br Agilidade no provisionamento de novos serviços de TI; Aumento de disponibilidade dos serviços prestados pela TI; Facilidade da manutenção dos serviços virtualizados; Aumento no desempenho da rede, passando o backbone do datacenter de 1 para 10 Gbps; Redução da complexidade do datacenter; Facilidade de crescimento (escalabilidade); Integração entre hardware (UCS) e software (VMware), permitindo um ganho de desempenho, se comparado a outras soluções de mercado. O SENAI de Santa Catarina tem uma ampla rede de unidades, são 35 escolas distribuídas por todo o Estado, mais de 100.000 alunos matriculados por ano, um total de 900 ambientes de ensino incluindo salas de aula, laboratórios didáticos e bibliotecas. Além disso existem todos os processos administrativos e canais de relacionamento com os estudantes. Tudo isso está amparado numa rede corporativa. Uma infra-estrutura de tecnologia da informação que precisa ter excelente desempenho, confiabilidade e também segurança. Sobre o SENAI/SC Ganhos para o SENAI/SC Implantar uma solução tecnológica que permitisse o atendimento da crescente demanda por novos serviços de TI, através da virtualização de servidores e adequação da infraestrutura de TI para o private cloud computing. Com a necessidade de prover serviços de alta qualidade aos seus clientes, o SENAI/SC precisava aumentar sua estrutura para atendimento das demandas do negócio. Para tal, elegeu a virtualização de seus servidores como a melhor tecnologia para garantir qualidade e disponibilidade dos serviços e a facilidade de crescimento da estrutura (escalabilidade). A solução foi implantada com a arquitetura Cisco UCS – Unified Computing System, Switches Nexus 5000 e Vmware vSphere. O parceiro na implantação da solução foi a TELTEC Networks. Com o objetivo de melhorar o atendimento aos seus clientes, o SENAI/SC elegeu uma nova solução em seu datacenter, que visa: Prover a estrutura necessária para a virtualização de servidores objetivando um uso mais efetivo do hardware adquirido bem como a redução do investimento e do consumo de energia elétrica; Preparar seu ambiente para suportar o cloud computing, dando à solução a flexibilidade e agilidade necessárias para a escalabilidade da estrutura; Agilizar o processo de configuração e implantação de novos servidores, diminuindo o tempo de provisionamento e exigindo menos tempo de trabalho para esta atividade; Uma solução simplificada, de uma única interface de gerenciamento, capaz de crescer sem a necessidade de grandes manobras de cabos dentro do datacenter; Uma solução totalmente integrada com o ambiente de virtualização, permitindo um uso mais efetivo e com maior desempenho dos recursos; Um ambiente que permita, em projetos futuros, a virtualização de desktops. A solução Cisco UCS foi a escolhida por melhor atender os requisitos acima. É uma solução que traz uma nova arquitetura ao datacenter, permitindo integração e flexibilidade para ambientes virtualizados. Além disso traz simplicidade, facilitando as atividades diárias dos administradores da estrutura. Segundo Paulo Alberto Violada, coordenador de TI do SENAI/SC, com a implantação do projeto, o tempo de provisionamento de novos serviços/servidores será reduzido de 8 para 1 uma hora, além da possibilidade de realizar manutenções nos serviços durante o horário comercial, sem degradação na qualidade dos serviços. O tempo de provisionamento e a possibilidade de realizar novas manutenções sem parada nos serviços é de vital importância já que muitos serviços são críticos para a instituição, como sua plataforma de Educação à Distância e seu Sistema de Gestão do Negócio (SGN). Além do rápido provisionamento, a solução permitirá a ampliação da quantidade de servidores nos momentos de divulgação de listas de aprovados, e fechamento de semestres escolares, situações que geram grande carga de acesso aos servidores do SENAI/SC. Nesta etapa, o SENAI pretende migrar todos os servidores para a nova plataforma, virtualizando-os. Com isso conseguirá dar início ao seu projeto de private cloud computing que poderá ter continuidade com projeto de virtualização de desktops. Desafio Virtualização de servidores do Datacenter Equipamentos adquiridos e suas funcionalidades: Cisco UCS B-Series (servidores B-200 M2): os servidores foram utilizados para a virtualização do datacenter. A taxa de virtualização dos sevidores conseguida foi de aproximadamente 7:1 (7 servidores físicos virtualizados em um único servidor UCS). A solução implementa o recurso VN-Link em hardware (característica do UCS B-Series). Cisco Nexus 5020: ampliando a velocidade do backbone do datacenter em 10 vezes (de 1 para 10 Gbps). Os switches Nexus são redundantes, configurados em vPC (Virtual PortChannel) para eliminar a necessidade do spanning-tree na estrutura (simplificando o ambiente e garantindo mais desempenho); Cisco MDS 9148: utilizado para a criação de caminhos redundantes ao ambiente de armazenamento (storage). Dados técnicos da solução: Solução C A S O D E S U C E S S O A-1 Catalyst 6500 Series Switches Installation Guide OL-5781-08 APPENDIX A Power Supply Specifications Revised: April 9, 2015 This appendix describes the Catalyst 6500 series power supplies and provides their specifications. This appendix contains the following sections: • Power Supply Compatibility Matrix, page A-2 • 950 W AC-Input and DC-Input Power Supplies, page A-5 • 1000 W AC-Input Power Supply, page A-10 • 1300 W AC-Input and DC-Input Power Supplies, page A-13 • 1400 W AC-Input Power Supply, page A-18 • 2500 W AC-Input and DC-Input Power Supplies, page A-23 • 2700 W AC-Input and DC-Input Power Supplies, page A-29 • 3000 W AC-Input Power Supply, page A-36 • 4000 W AC-Input and DC-Input Power Supplies, page A-41 • 6000 W AC-Input and DC-Input Power Supplies, page A-46 • 8700 W AC-Input Power Supply, page A-54 • AC Power Cord Illustrations, page A-63 • Power Supply Redundancy, page A-73 Table A-1 lists the currently available Catalyst 6500 series switch power supplies and the power supply description location. Table A-1 Catalyst 6500 Series Power Supplies Power Supply Rating AC-Input Model Product Number DC-Input Model Product Number 950 W1 PWR-950-AC PWR-950-DC 1000 W WS-CAC-1000W Not Available 1300 W WS-CAC-1300W WS-CDC-1300W 1400 W1 PWR-1400-AC Not Available 2500 W WS-CAC-2500W WS-CDC-2500W 2700 W2 PWR-2700-AC/4 PWR-2700-DC/4 A-2 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications Power Supply Compatibility Matrix Note The Catalyst 6500 series switches allow you to mix AC-input and DC-input power supplies in the same chassis. Note Many telco organizations require a –48 VDC power supply to accommodate their power distribution systems. From an operational perspective, the DC-input power supply has the same characteristics as the AC-input version. Power Supply Compatibility Matrix Table A-2 lists the compatibility of the power supplies with the Catalyst 6500 switch chassis. 3000 W WS-CAC-3000W Not Available 4000 W WS-CAC-4000W-US1 WS-CAC-4000W-INT PWR-4000-DC 6000 W WS-CAC-6000W PWR-6000-DC 8700 W WS-CAC-8700W-E Not Available 1. For use with the Catalyst 6503 and Catalyst 6503-E switches only. 2. For use with the Catalyst 6504-E switch only. Table A-1 Catalyst 6500 Series Power Supplies (continued) Power Supply Rating AC-Input Model Product Number DC-Input Model Product Number Table A-2 Catalyst 6500 Series Switch Supported Power Supply Configurations Platform Supported Power Supplies Chassis/Power Supply Restrictions Catalyst 6503 • 950 W AC-input and DC-input • 1400 W AC-input • The 950 W AC-input power supply requires a PEM-15A-AC Power Entry Module (PEM). • The 1400 W AC-input power supply requires a PEM-20A-AC+ Power Entry Module (PEM). Catalyst 6503-E • 950 W AC-input and DC-input • 1400 W AC-input • The 950 W AC-input power supply requires a PEM-15A-AC Power Entry Module (PEM). • The 1400 W AC-input power supply requires a PEM-20A-AC+ Power Entry Module (PEM). Catalyst 6504-E • 2700 W AC-input and DC-input No restrictions A-3 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications Power Supply Compatibility Matrix Catalyst 6506 • 1000 W AC-input • 1300 W AC-input and DC-input • 2500 W AC-input and DC-input • 3000 W AC-input • 4000 W AC-input and DC-input • 6000 W AC-input and DC-input • 8700 W AC-input The 6000 W AC-input, 6000 W DC-input, and the 8700 W AC-input power supplies are limited to 4000 W when they are installed in the Catalyst 6506 switch chassis. Catalyst 6506-E • 2500 W AC-input and DC-input • 3000 W AC-input • 4000 W AC-input and DC-input • 6000 W AC-input and DC-input • 8700 W AC-input No restrictions. Catalyst 6509 • 1000 W AC-input • 1300 W AC-input, and DC-input • 2500 W AC-input and DC-input • 3000 W AC-input • 4000 W AC-input and DC-input • 6000 W AC-input and DC-input • 8700 W AC-input The 6000 W AC-input, 6000 W DC-input, and the 8700 W AC-input power supplies are limited to 4000 W when they are installed in the Catalyst 6509 switch chassis. Catalyst 6509-E • 2500 W AC-input and DC-input • 3000 W AC-input • 4000 W AC-input and DC-input • 6000 W AC-input and DC-input • 8700 W AC-input No restrictions. Catalyst 6509-NEB • 1000 W AC-input • 1300 W AC-input and DC-input • 2500 W AC-input and DC-input • 3000 W AC-input • 4000 W AC-input and DC-input • 6000 W AC-input and DC-input • 8700 W AC-input The 6000 W AC-input, 6000 W DC-input, and the 8700 W AC-input power supplies are limited to 4000 W when they are installed in the Catalyst 6509-NEB switch chassis. Table A-2 Catalyst 6500 Series Switch Supported Power Supply Configurations (continued) Platform Supported Power Supplies Chassis/Power Supply Restrictions A-4 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications Power Supply Compatibility Matrix Catalyst 6509-NEB-A • 2500 W AC-input and DC-input • 3000 W AC-input • 4000 W AC-input and DC-input • 6000 W AC-input and DC-input • 8700 W AC-input The 6000 W AC-input, 6000 W DC-input, and the 8700 W AC-input power supplies are limited to 4500 W maximum output when they are installed in the Catalyst 6509-NEB-A switch chassis. Catalyst 6509-V-E • 2500 W AC-input and DC-input • 3000 W AC-input • 4000 W AC-input and DC-input • 6000 W AC-input and DC-input • 8700 W AC-input No restrictions. Catalyst 6513 • 2500 W AC-input and DC-input • 3000 W AC-input • 4000 W AC-input and DC-input • 6000 W AC-input and DC-input • 8700 W AC-input The 8700 W AC-input power supply is limited to 6000 W maximum output when it is installed in the Catalyst 6513 switch chassis. Catalyst 6513-E • 2500 W DC-input • 3000 W AC-input • 4000 W AC-input and DC-input • 6000 W AC-input and DC-input • 8700 W AC-input No restrictions. Table A-2 Catalyst 6500 Series Switch Supported Power Supply Configurations (continued) Platform Supported Power Supplies Chassis/Power Supply Restrictions A-5 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 950 W AC-Input and DC-Input Power Supplies 950 W AC-Input and DC-Input Power Supplies The 950 W AC-input (PWR-950-AC) and DC-input (PWR-950-DC) power supplies can be installed in the Catalyst 6503 and Catalyst 6503-E switch chassis only. Due to form factor differences, the 950 W AC-input and DC-input power supplies cannot be installed in any other Catalyst 6500 series switch chassis. The 950 W power supplies (see Figure A-1) do not connect directly to source AC or source DC but use Power Entry Modules (PEMs), located on the front of the Catalyst 6503 and Catalyst 6503-E switch chassis, to connect the site power source to the power supply located in the back of the chassis. The form factor is the same for the AC-input and DC-input power supplies. The AC-input PEM (shown in Figure A-2) and DC-input PEM (shown in Figure A-3) provide an input power connection on the front of the switch chassis to connect the site power source to the power supply. You can connect the DC-input power supply to the power source with heavy gauge wiring connected to a terminal block. The actual wire gauge size is determined by local electrical codes and restrictions. Note The system (NEBS) ground serves as the primary safety ground for Catalyst 6503 and Catalyst 6503-E chassis that are equipped with 950 W DC-input power supplies and DC-input PEMs. The DC-input power supplies for these chassis do not have a separate ground. The PEMs have an illuminated power switch (AC-input model only), current protection, surge and EMI suppression, and filtering functions. Figure A-1 950 W AC- and DC-Input Power Supplies Figure A-2 950 W AC-Input PEM (PEM-15A-AC) 63183 INPUT OK FAN OK OUTPUT FAIL Captive installation screws Status LEDs Captive installation screws 130058 IEC 60320 C15 connector AC power switch A-6 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 950 W AC-Input and DC-Input Power Supplies Figure A-3 DC Power Entry Module (PEM) 950 W Power Supply Specifications Table A-3 lists the specifications for the 950 W AC-input power supply. Captive installation screws Catalyst 6503 DC PEM 79980 Table A-3 950 W AC-Input Power Supply Specifications Specification Description AC-input type Autoranging input with power factor correction (PFC) Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies. PFC reduces the reactive component in the source AC current allowing higher power factors (typically 99 percent or better) and lower harmonic current components. AC-input voltage • Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max) • High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max) AC-input current • 12 A @ 120 VAC • 6 A @ 230 VAC AC-input frequency 50/60 Hz (nominal) A-7 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 950 W AC-Input and DC-Input Power Supplies Branch circuit requirement Each chassis power supply should have its own dedicated, fused-branch circuit: • For North America—15 A • For International—Circuits sized to local and national codes • All Catalyst 6500 series AC-input power supplies require single-phase source AC. • All AC power supply inputs are fully isolated. – Source AC can be out of phase between multiple power supplies in the same chassis, which means that PS1 can be operating from phase A and PS2 can be operating from phase B. – For high-line operation, the power supply operates with the hot conductor wired to a source AC phase and the neutral conductor wired either to ground or to another source AC phase as long as the net input voltage is in the range of 170 to 264 VAC. – Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into phase B. Power supply output capacity 950 W maximum (100–240 VAC) Power supply output • 15 A @ +1.5 VDC • 2.5 A @ +3.3 VDC • 19.15 A @ +50 VDC Output holdup time 20 ms minimum kVA rating1 1.32 kVA Heat dissipation 4441 BTU/hour (approx.) Weight 8.2 lb (3.7 kg) 1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch. Table A-3 950 W AC-Input Power Supply Specifications (continued) Specification Description A-8 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 950 W AC-Input and DC-Input Power Supplies Table A-4 lists the specifications for the 950 W DC-input power supply. Table A-5 lists the power supply LEDs and their meanings. Table A-4 950 W DC-Input Power Supply Specifications Specification Description DC-input voltage –48 VDC to –60 VDC continuous DC-input current • 28 A @ –48 VDC • 23 A @ –60 VDC Power supply output capacity 950 W Power supply output • 15 A @ +1.5 VDC • 2.5 A @ +3.3 VDC • 19.15 A @ +50 VDC Output holdup time 8 ms Heat dissipation 4632 BTU/hour (approx.) Weight 8.4 lb (3.8 kg) Table A-5 950 W AC-Input and DC-Input Power Supply LEDs LED Meaning INPUT OK AC-input power supplies: • Green—Source AC voltage is OK. (Input voltage is 85 VAC or greater.) • Off—Source AC voltage falls below 70 VAC, is not present, or the PEM is turned off. DC-input power supplies: • Green—Source DC voltage is OK. (–40.5 VDC or greater.) • Off—Source DC voltage falls below –33 VDC or is not present at the PEM. FAN OK Green—Power supply fan is operating properly. Off—Power supply fan failure is detected. OUTPUT FAIL Red—Problem with one or more of the DC-output voltages of the power supply is detected. Off—DC-output voltages within acceptable margins. Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet these minimum configuration requirements can cause a false power supply output fail signal. A-9 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 950 W AC-Input and DC-Input Power Supplies 950 W Power Supply AC Power Cords Table A-6 lists the 950 W AC-input power supply AC power cords specifications. These power cords plug into the 950 W PEM(PEM-15A-AC), not directly into the power supply. The table includes references to power cord illustrations. Note All 950 W power supply power cords are 8 feet 2 inches (2.5 meters) in length. Note All 950 W power supply power cords have an IEC60320/C15 appliance connector at one end. The appliance connector has a 90° left bend. Table A-6 950 W AC-Input Power Supply Power Cords Locale Power Cord Part Number AC Source Plug Type Cordset Rating Power Cord Reference Illustration Argentina CAB-7KACR= IRAM 2073 10 A, 250 VAC Figure A-25 Australia, New Zealand CAB-AC10A-90L-AU= SAA AS 3112 10 A, 250 VAC Figure A-20 Continental Europe CAB-AC10A-90L-EU= CEE 7/7 10 A, 250 VAC Figure A-21 Italy CAB-AC10A-90L-IT= CEI 23-16/7 10 A, 250 VAC Figure A-22 Japan, North America CAB-AC15A-90L-US= NEMA 5-15 15 A, 125 VAC Figure A-23 United Kingdom CAB-AC10A-90L-UK= BS 13631 1. Plug contains a 13 A fuse. 10 A, 250 VAC Figure A-24 A-10 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 1000 W AC-Input Power Supply 1000 W AC-Input Power Supply The 1000 W AC-input power supply (WS-CAC-1000W) is supported in the following Catalyst 6500 series switches: • Catalyst 6506 • Catalyst 6509 • Catalyst 6509-NEB The 1000 W power supply (shown in Figure A-4) shares the same form factor as the 1300 W, 2500 W, 3000 W, 4000 W, and 6000 W AC-input power supplies. Figure A-4 1000 W AC-Input Power Supply Power switch Cable retention device AC power connection INPUT OK FAN OK OUTPUT FAIL Captive installation screw Status LEDs 16029 I 0 A-11 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 1000 W AC-Input Power Supply 1000 W Power Supply Specifications Table A-7 lists the specifications for the 1000 W AC-input power supply. Table A-7 1000 W Power Supply Specifications Specification Description AC-input type Autoranging input with power factor correction (PFC) Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies. PFC reduces the reactive component in the source AC current allowing higher power factors (typically 99 percent or better) and lower harmonic current components. AC-input voltage • Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max) • High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max) AC-input current • 12 A @ 120 VAC • 6 A @ 230 VAC AC-input frequency 50/60 Hz (nominal) Branch circuit requirement Each chassis power supply should have its own dedicated, fused-branch circuit: • For North America—15 A or 20 A • For International—Circuits sized to local and national codes • All Catalyst 6500 series AC-input power supplies require single-phase source AC. • All AC power supply inputs are fully isolated. – Source AC can be out of phase between multiple power supplies in the same chassis, which means that PS1 can be operating from phase A and PS2 can be operating from phase B. – For high-line operation, the power supply operates with the hot conductor wired to a source AC phase and the neutral conductor wired either to ground or to another source AC phase as long as the net input voltage is in the range of 170 to 264 VAC. – Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into phase B. A-12 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 1000 W AC-Input Power Supply Table A-8 list the power supply LEDs and their meanings. Power supply output capacity 1000 W Power supply output • 15 A @ +3.3 VDC • 5 A @ +5 VDC • 6 A @ +12 VDC • 20.3 A @ +42 VDC Output holdup time 20 ms minimum kVA rating1 1.25 kVA Heat dissipation 4213 BTU/hour (approx.) Weight 14.8 lb (6.7 kg) 1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch. Table A-7 1000 W Power Supply Specifications (continued) Specification Description Table A-8 1000 W Power Supply LEDs LED Meaning INPUT OK • Green—Source AC voltage is OK. (Input voltage is 85 VAC or greater.) • Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off. FAN OK • Green—Power supply fan is operating properly. • Off—Power supply fan failure is detected. OUTPUT FAIL • Red—Problem with one or more of the DC-output voltages of the power supply is detected. • Off—DC-output voltage with acceptable margins. Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet these minimum configuration requirements can cause a false power supply output fail signal. A-13 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 1300 W AC-Input and DC-Input Power Supplies 1000 W Power Supply AC Power Cords Table A-9 lists the specifications for the AC power cords that are available for the 1000 W AC-input power supply. The table includes references to power cord illustrations. Note All 1000 W power supply power cords are 8 feet 2 inches (2.5 meters) in length. Note All 1000 W power supply power cords have an IEC60320/C15 appliance plug at one end. 1300 W AC-Input and DC-Input Power Supplies The 1300 W AC-input power supply (WS-CAC-1300W) and 1300 W DC-input power supply (WS-CDC-1300W) are supported in the following Catalyst 6500 series switches: • Catalyst 6506 • Catalyst 6509 • Catalyst 6509-NEB The 1300 W power supply (see Figure A-5 for the 1300 W AC-input power supply and Figure A-6 for the 1300 W DC-input power supply) shares the same form factor as the 1000 W, 2500 W, 3000 W, 4000 W, and 6000 W AC-input power supplies. Table A-9 1000 W AC-Input Power Supply Power Cords Locale Power Cord Part Number AC Source Plug Type Cordset Rating Power Cord Reference Illustration Argentina CAB-7KACR= IRAM 2073 10 A, 250 VAC Figure A-25 Australia, New Zealand CAB-7KACA= SAA AS 3112 15 A, 250 VAC Figure A-26 Continental Europe CAB-7KACE= CEE 7/7 16 A, 250 VAC Figure A-27 Italy CAB-7KACI= CEI 23-16/7 10 A, 250 VAC Figure A-28 Japan, North America CAB-7KAC-15= NEMA 5-15 15 A, 125 VAC Figure A-29 United Kingdom CAB-7KACU= BS 13631 1. Plug contains a 13 A fuse. 10 A, 250 VAC Figure A-30 A-14 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 1300 W AC-Input and DC-Input Power Supplies Figure A-5 1300 W AC-input Power Supply Figure A-6 1300 W DC-Input Power Supply Power switch Cable retention device AC power connection INPUT OK FAN OK OUTPUT FAIL Captive installation screw Status LEDs 16029 I 0 Terminal block cover Captive installation screw o 16030 INPUT OK FAN OK OUTPUT FAIL A-15 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 1300 W AC-Input and DC-Input Power Supplies 1300 W Power Supply Specifications Table A-11 lists the specifications for the 1300 W AC-input power supply. Table A-10 1300 W AC-Input Power Supply Specifications Specification Description AC-input type Autoranging input with power factor correction (PFC). Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies. PFC reduces the reactive component in the source AC current allowing higher power factors (typically 99 percent or better) and lower harmonic current components. AC-input voltage • Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max) • High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max) AC-input current • 16 A @ 120 VAC • 8 A @ 230 VAC AC-input frequency 50/60 Hz (nominal) (±3 Hz for full range) Branch circuit requirement Each chassis power supply should have its own dedicated, fused-branch circuit: • For North America—15 A or 20 A • For International—Circuits sized to local and national codes • All Catalyst 6500 series AC-input power supplies require single-phase source AC. • All AC power supply inputs are fully isolated. – Source AC can be out of phase between multiple power supplies in the same chassis, which means that PS1 can be operating from phase A and PS2 can be operating from phase B. – For high-line operation, the power supply operates with the hot conductor wired to a source AC phase and the neutral conductor wired either to ground or to another source AC phase as long as the net input voltage is in the range of 170 to 264 VAC. – Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into phase B. Power supply output capacity • 1300 W maximum (AC-input) • 1360 W maximum (DC-input) Power supply output • 15 A @ +3.3 VDC • 5 A @ +5 VDC • 6 A @ +12 VDC • 27.46 A @ +42 VDC Output holdup time 20 ms minimum A-16 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 1300 W AC-Input and DC-Input Power Supplies Table A-11 lists the specifications for the 1300 W DC-input power supply. Table A-12 lists the 1300 W power supply LEDS and their meanings. kVA rating1 1.625 kVA Heat dissipation 5478 BTU/hour (approx.) Weight 18.4 lb (8.3 kg) 1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch. Table A-10 1300 W AC-Input Power Supply Specifications (continued) Specification Description Table A-11 1300 W DC-Input Power Supply Specifications Specification Description DC-input voltage –48 VDC to –60 VDC continuous DC-input current • 39 A @ –48 VDC • 31 A @ –60 VDC Power supply output capacity 1360 W maximum (DC-input) Power supply output • 15 A @ +3.3 VDC • 5 A @ +5 VDC • 6 A @ +12 VDC • 28.9 A @ +42 VDC DC input terminal block Accepts 3 AWG to 10 AWG copper conductors. Actual size of the wire needed is determined by the installer or local electrician. Terminal block material is rated at 120°C. Output holdup time 8 ms Heat dissipation 6447 BTU/hour (approx.) Weight 21.0 lb (9.5 kg) A-17 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 1300 W AC-Input and DC-Input Power Supplies 1300 W Power Supply AC Power Cords Table A-13 lists the specifications for the AC power cords that are available for the 1300 W AC-input power supply. The table includes references to power cord illustrations. Note All 1300 W power supply power cords are 14 feet (4.3 meters) in length. Note All 1300 W power supply power cords have an IEC60320/C19 appliance connector at one end. Table A-12 1300 W AC-Input and DC-Input Power Supply LEDs LED Meaning INPUT OK AC-input power supplies: • Green—Source AC voltage is OK. (Input voltage is 85 VAC or greater.) • Off—Source AC voltage falls below 70 VAC, is not present, or the power supply turned off. DC-input power supplies: • Green—Source DC voltage is OK. (Input voltage is –40.5 VDC or greater.) • Off—Source DC voltage falls below –33 VDC, is not present, or the power supply is turned off. FAN OK • Green—Power supply fan is operating properly. • Off—Power supply fan failure is detected. OUTPUT FAIL • Red—Problem with one or more of the DC-output voltages of the power supply is detected. • Off—DC-output voltages within acceptable margins. Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet these minimum configuration requirements can cause a false power supply output fail signal. A-18 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 1400 W AC-Input Power Supply 1400 W AC-Input Power Supply The 1400 W AC-input power supply (PWR-1400-AC) can be installed in the Catalyst 6503 switch and Catalyst 6503-E switch chassis only. Due to form factor differences, the 1400 W AC-input power supply cannot be installed in any other Catalyst 6500 series switch chassis. The 1400 W power supplies (see Figure A-7) do not connect directly to source AC but use power entry modules (PEMs), located on the front of the Catalyst 6503 and Catalyst 6503-E switch chassis, to connect the site power source to the power supply located in the back of the chassis. The AC-input PEM (PEM-20A-AC+) (shown in Figure A-8) provides an input power connection on the front of the router chassis to connect the site power source to the power supply. The PEMs have an illuminated power switch, current protection, surge and EMI suppression, and filtering functions. Table A-13 1300 W Power Supply AC Power Cords Locale Power Cord Part Number AC Source Plug Type Cordset Rating Power Cord Reference Illustration Argentina CAB-7513ACR= IRAM 2073 10 A, 250 VAC Figure A-31 Australia, New Zealand CAB-7513ACA= SAA AS 3112 15 A, 250 VAC Figure A-32 Continental Europe CAB-7513ACE= CEE 7/7 16 A, 250 VAC Figure A-33 Israel CAB-AC-2500W-ISRL= SI16S3 16 A, 250 VAC Figure A-34 Italy CAB-7513ACI= CEI 23-16/7 16 A, 250 VAC Figure A-35 Japan, North America CAB-7513AC= NEMA 5-201 1. For Japan, ask your local electrical contractor to prepare the NEMA 5-20 power plug. 20 A, 125 VAC Figure A-36 People’s Republic of China CAB-AC16A-CH= GB16C 16 A, 250 VAC Figure A-37 South Africa CAB-7513ACSA= IEC 884-1 16 A, 250 VAC Figure A-38 Switzerland CAB-ACS-10= SEV 1011 10 A, 250 VAC Figure A-39 United Kingdom CAB-7513ACU= BS 13632 2. Plug contains a 13 A fuse. 13 A, 250 VAC Figure A-40 Power Distribution Unit (PDU)3 3. The PDU power cable is designed for users who power their switch from a PDU. The end of the cable that plugs into the chassis power supply has a C19 connector; the other end of the cable that connects to the PDU has a C20 connector. CAB-C19-CBN= IEC 60320 C19 IEC 60320 C20 16 A, 250 VAC Figure A-47 A-19 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 1400 W AC-Input Power Supply Figure A-7 1400 W AC-Input Power Supply (PWR-1400-AC) Figure A-8 1400 W AC-Input PEM (PEM-20A-AC+) 1400 W Power Supply Specifications Table A-14 lists the specifications for the 1400 W AC-input power supply. 63183 INPUT OK FAN OK OUTPUT FAIL Captive installation screws Status LEDs Captive installation screws IEC 60320 C19 connector AC power switch 130057 PEM-20A-AC+ 50-60 Hz 120-240V 15A Table A-14 1400 W AC-Input Power Supply Specifications Specification Description AC-input type Autoranging input with power factor correction (PFC). Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies. PFC reduces the reactive component in the source AC current allowing higher power factors (typically 99 percent or better) and lower harmonic current components. AC-input voltage • Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max) • High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max) AC-input current • 16 A @ 120 VAC • 8 A @ 230 VAC AC-input frequency 50/60 Hz (nominal) (±3 Hz for full range) A-20 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 1400 W AC-Input Power Supply Table A-15 lists the 1400 W AC-input power supply LEDs and their meanings. Branch circuit requirement Each chassis power supply should have its own dedicated, fused-branch circuit: • For North America—20 A • For International—Circuits sized to local and national codes • All AC power supply inputs are fully isolated. – Source AC can be out of phase between multiple power supplies in the same chassis, which means that PS1 can be operating from phase A and PS2 can be operating from phase B. – For high-line operation, the power supply operates with the hot conductor wired to a source AC phase and the neutral conductor wired either to ground or to another source AC phase as long as the net input voltage is in the range of 170 to 264 VAC. – Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into phase B. Power supply output capacity 1400 W Power supply output • 15 A @ +1.5 V • 2.5 A @ +3.3 V • 27.4 A @ +50 V Output holdup time 20 ms minimum kVA rating1 1.75 kVA Heat dissipation 5976 BTU/hour (approx.) Weight 7.8 lb (3.5 kg) 1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch. Table A-14 1400 W AC-Input Power Supply Specifications (continued) Specification Description A-21 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 1400 W AC-Input Power Supply 1400 W Power Supply AC Power Cords Table A-16 lists the specifications for the AC power cords that are available for the 1400 W AC-input power supply. These power cords plug into the 1400 W PEM (PEM-20A-AC+); not directly into the power supply. The table includes references to power cord illustrations. Note All 1400 W power supply power cords are 14 feet (4.3 meters) in length. Note All 1400 W power supply power cords have an IEC60320/C19 appliance plug at one end. Table A-15 1400 W AC-Input Power Supply LEDs LED Meaning INPUT OK • Green—Source AC voltage is OK. (Input voltage is 85 VAC or greater.) • Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off. FAN OK • Green—Power supply fan is operating properly. • Off—Power supply fan failure is detected. OUTPUT FAIL • Red—Problem with one or more of the DC-output voltages of the power supply is detected. • DC-output voltages within acceptable margins. Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet these minimum configuration requirements can cause a false power supply output fail signal. A-22 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 1400 W AC-Input Power Supply Table A-16 1400 W Power Supply AC Power Cords Locale Power Cord Part Number AC Source Plug Type Cordset Rating Power Cord Reference Illustration Argentina CAB-7513ACR= CAB-IR2073-C19-AR= IRAM 2073 16 A, 250 VAC Figure A-31 Australia, New Zealand CAB-7513ACA= SAA AS 3112 15 A, 250 VAC Figure A-32 People’s Republic of China CAB-AC16A-CH= GB16C 16 A, 250 VAC Figure A-37 Continental Europe CAB-7513ACE= CAB-AC-2500W-EU= CEE 7/7 CEE 7/7 16 A, 250 VAC 16 A, 250 VAC Figure A-33 Figure A-41 International CAB-AC-2500W-INT= IEC 309 16 A, 250 VAC Figure A-42 Israel CAB-AC-2500W-ISRL= SI16S3 16 A, 250 VAC Figure A-34 Italy CAB-7513ACI= CEI 23-16/7 16 A, 250 VAC Figure A-35 Japan, North America CAB-7513AC= CAB-AC-2500W-US1= CAB-AC-C6K-TWLK= NEMA 5-201 NEMA 6-202 NEMA L6-203 1. For operation in Japan, ask your local electrical contractor to prepare the NEMA 5-20 power plug. 2. For operation in Japan, ask your local electrical contractor to prepare the NEMA 6-20 power plug. 3. For operation in Japan, ask your local electrical contractor to prepare the NEMA L6-20 power plug. 20 A, 125 VAC 16 A, 250 VAC 16 A, 250 VAC Figure A-36 Figure A-43 Figure A-44 South Africa CAB-7513ACSA= IEC 884-1 16 A, 250 VAC Figure A-38 Switzerland CAB-ACS-10= SEV 1011 10 A, 250 VAC Figure A-39 Switzerland CAB-ACS-16= SEV 5934-2 Type 23 16 A, 250 VAC Figure A-45 United Kingdom CAB-7513ACU= BS 1363 13 A, 250 VAC4 4. Plug contains a 13 A fuse. Figure A-40 Power Distribution Unit (PDU)5 5. The PDU power cable is designed for users who power their switch from a PDU. The end of the cable that plugs into the chassis power supply has a C19 connector; the other end of the cable that connects to the PDU has a C20 connector. CAB-C19-CBN= IEC 60320 C19 IEC 60320 C20 16 A, 250 VAC Figure A-47 A-23 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 2500 W AC-Input and DC-Input Power Supplies 2500 W AC-Input and DC-Input Power Supplies The 2500 W AC-input power supply (WS-CAC-2500W) and 2500 W DC-input power supply (WS-CDC-2500W) are supported in the following Catalyst 6500 series switches: • Catalyst 6506 • Catalyst 6506-E • Catalyst 6509 • Catalyst 6509-E • Catalyst 6509-NEB • Catalyst 6509-NEB-A • Catalyst 6509-V-E • Catalyst 6513 • Catalyst 6513-E (DC-input power supply only) The 2500 W power supplies, shown in Figure A-9 and Figure A-10, share the same form factor as the 1000 W, 1300 W, 3000 W, 4000 W, and 6000 W AC-input power supplies. Note With a fully populated Catalyst 6513 switch, two 2500 W power supplies are not fully redundant. If you operate the 2500 W power supply at the low range input (100 to 120 VAC), it is not redundant in a fully populated Catalyst 6509, Catalyst 6509-E, Catalyst 6509-NEB, Catalyst 6509-NEB-A, or Catalyst 6509-V-E switch. Note The 2500 W AC-input power supply needs 220 VAC to deliver 2500 W of power. When powered with 110 VAC, it delivers only 1300 W. In addition, the power supply needs 16 A, regardless of whether it is plugged into 110 VAC or 220 VAC. Figure A-9 2500 W AC-Input Power Supply Power switch Cable retention device AC power connection INPUT OK FAN OK OUTPUT FAIL Captive installation screw Status LEDs 16029 I 0 A-24 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 2500 W AC-Input and DC-Input Power Supplies Figure A-10 2500 W DC-input Power Supply 2500 W Power Supply Specifications Table A-17 lists the specifications for the 2500 W AC-input and DC-input power supplies. Terminal block cover Captive installation screw o 16030 INPUT OK FAN OK OUTPUT FAIL Table A-17 2500 W AC-Input Power Supply Specifications Specification Description AC-input type Autoranging input with power factor correction (PFC). Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies. PFC reduces the reactive component in the source AC current allowing higher power factors (typically 99 percent or better) and lower harmonic current components. AC-input voltage • Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max) • High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max) AC-input current 16 A maximum at 230 VAC at 2500 W output 16 A maximum at 120 VAC at 1300 W output AC-input frequency 50/60 Hz (nominal) (±3% for full range) A-25 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 2500 W AC-Input and DC-Input Power Supplies Table A-18 lists the specifications for the 2500 W DC-input power supply. Branch circuit requirement Each chassis power supply should have its own dedicated, fused-branch circuit: • For North America—20 A • For International—Circuits sized to local and national codes • All AC power supply inputs are fully isolated. – Source AC can be out of phase between multiple power supplies in the same chassis, which means that PS1 can be operating from phase A and PS2 can be operating from phase B. – For high-line operation, the power supply operates with the hot conductor wired to a source AC phase and the neutral conductor wired either to ground or to another source AC phase as long as the net input voltage is in the range of 170 to 264 VAC. – Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into phase B. Power supply output capacity • 1300 W maximum (100–120 VAC) • 2500 W maximum (200–240 VAC) Power supply output • 100/120 VAC operation – 15.5 A @ +3.3 VDC – 5 A @ +5 VDC – 10 A @ +12 VDC – 27.5 A @ +42 VDC • 200/240 VAC operation – 15 A @ +3.3 VDC – 5 A @ +5 VDC – 10 A @ +12 VDC – 55.5 A @ +42 VDC Output holdup time 20 ms minimum kVA rating1 3520 W (total input power) or 3.6 KVA (high-line operation) Heat dissipation 10,939 BTU/hour (approx.) Weight 17.0 lb (7.7 kg) 1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch. Table A-17 2500 W AC-Input Power Supply Specifications (continued) Specification Description A-26 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 2500 W AC-Input and DC-Input Power Supplies Table A-19 lists the power supply LEDs and their meanings. Table A-18 2500 W DC-Input Power Supply Specifications Specification Description DC-input voltage North America: –48 VDC (nominal) (–40.5 VDC to –56 VDC) International: –60 VDC (nominal) (–55 VDC to –72 VDC) DC-input current • 70 A @ –48 VDC • 55 A @ –60 VDC Power supply output capacity 2500 W maximum (–48 to –60 VDC) Power supply output • 15 A @ +3.3 VDC • 5 A @ +5 VDC • 10 A @ +12 VDC • 55.5 A @ +42 VDC DC input terminal block Accepts 2–14 AWG copper conductors. Actual size of the wire needed is determined by the installer or local electrician. Terminal block material rated at 150°C. Output holdup time • 20 ms minimum (AC-input power supply) • 4 ms (DC-input power supply) Heat dissipation • 10,939 BTU/hour (approx.) AC-input power supply • 11,377 BTU/hour (approx.) DC-input power supply Weight 20.2 lb (9.2 kg) A-27 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 2500 W AC-Input and DC-Input Power Supplies Table A-19 2500 W AC-Input and DC-Input Power Supply LEDs LED Meaning INPUT OK AC-input power supplies: • Green—Source AC voltage is OK. (Input voltage is 85 VAC or greater.) • Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off. DC-input power supplies: • Green—Source DC voltage is OK. (Input voltage is –40.5 VDC or greater.) • Off—Source DC voltage falls below –33 VDC, is not present, or the power supply is turned off. FAN OK • Green—Power supply fan is operating properly. • Off—Power supply fan failure is detected. OUTPUT FAIL • Red—Problem with one or more of the DC-output voltages of the power supply. • Off—DC-output voltages within acceptable margins. Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet these minimum configuration requirements can cause a false power supply output fail signal. A-28 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 2500 W AC-Input and DC-Input Power Supplies 2500 W Power Supply AC Power Cords Table A-20 lists the specifications for the AC power cords that are available for the 2500 W AC-input power supply. The table includes references to power cord illustrations. Note All 2500 W power supply power cords are 14 feet (4.3 meters) in length. Note All 2500 W power supply power cords have an IEC60320/C19 appliance connector at one end. Table A-20 2500 W Power Supply AC Power Cords Locale Power Cord Part Number AC Source Plug Type Cordset Rating Power Cord Reference Illustration Argentina CAB-7513ACR= or CAB-IR2073-C19-AR= IRAM 2073 16 A, 250 VAC Figure A-31 Australia, New Zealand CAB-AC-16A-AUS= AU20S3 16 A, 250 VAC Figure A-46 People’s Republic of China CAB-AC16A-CH= GB16C 16 A, 250 VAC Figure A-37 Continental Europe CAB-AC-2500W-EU= CEE 7/7 16 A, 250 VAC Figure A-41 International CAB-AC-2500W-INT= IEC 309 16 A, 250 VAC Figure A-42 Israel CAB-AC-2500W-ISRL= SI16S3 16 A, 250 VAC Figure A-34 Japan, North America 200–240 VAC operation CAB-AC-2500W-US1= NEMA 6-20 (nonlocking plug) 16 A, 250 VAC Figure A-43 Japan, North America 200–240 VAC operation CAB-AC-C6K-TWLK= NEMA L6-20 (locking plug) 16 A, 250 VAC Figure A-44 Japan, North America 100–120 VAC operation1 1. The 2500 W power supply operating on 110 VAC delivers 1300 W. CAB-7513AC= NEMA 5-20 20 A, 125 VAC Figure A-36 Power Distribution Unit (PDU)2 2. The PDU power cable is designed for users who power their switch from a PDU. The end of the cable that plugs into the chassis power supply has a C19 connector; the other end of the cable that connects to the PDU has a C20 connector. CAB-C19-CBN IEC 60320 C19 IEC 60320 C20 16 A, 250 VAC Figure A-47 Switzerland CAB-ACS-16= SEV 5934-2 Type 23 16 A, 250 VAC Figure A-45 A-29 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 2700 W AC-Input and DC-Input Power Supplies 2700 W AC-Input and DC-Input Power Supplies The 2700 W AC-input power supply (PWR-2700-AC/4) and 2700 W DC-input power supply (PWR-2700-DC/4) are supported only in the Catalyst 6504-E switch. See Figure A-11 for the 2700 W AC-input power supply and Figure A-12 for the 2700 W DC-input power supply. Note The 2700 W AC-input power supply needs 220 VAC to deliver 2700 W of power. When powered with 110 VAC, it delivers only 1350 W. In addition, the power supply needs 16 A, regardless of whether it is plugged into 110 VAC or 220 VAC. Figure A-11 2700 W AC-Input Power Supply 1 Power on/off switch (|/O) 4 Status LEDs 2 Power supply fan 5 AC In receptacle 3 Captive installation screw (4x) 154028 ALL FASTENERS MUST BE FULLY ENGAGED PRIOR TO OPERATING THE POWER SUPPLY PWR-2700-AC/4 1 2 4 5 3 3 A-30 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 2700 W AC-Input and DC-Input Power Supplies Figure A-12 2700 W DC-Input Power Supply 1 Captive installation screw (4x) 7 Fixed cable guide, top half 2 Source DC terminal block 8 Detached cable guide, bottom half 3 Status LEDs 9 Tie-wrap (for source DC cables) 4 Terminal block cover 10 Fixed cable guide, bottom half 5 Detached cable guide, top half 11 Tie-wrap (for ground cable) 6 Ground terminal block 132219 PWR-2700-DC/4 -VE-1 -VE-1 -VE-2 -VE-2 INPUT1 OK 48V-60V =40A INPUT2 OK 48V-60V =40A FAN OK OUTPUT FAIL ALL FASTENERS MUST BE FULLY ENGAGED PRIOR TO OPERATING THE POWER SUPPLY 3 2 6 4 10 1 8 5 7 9 11 A-31 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 2700 W AC-Input and DC-Input Power Supplies 2700 W Power Supply Specifications Table A-22 lists the specifications for the 2700 W AC-input power supply. Table A-21 2700 W AC-Input Power Supply Specifications Specification Description AC-input type Autoranging input with power factor correction (PFC). Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies. PFC reduces the reactive component in the source AC current allowing higher power factors (typically 99 percent or better) and lower harmonic current components. AC-input voltage • Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max) • High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max) AC-input current • 16 A maximum at 230 VAC at 2700 W output • 16 A maximum at 120 VAC at 1350 W output AC-input frequency 50/60 Hz (nominal) (±3% for full range) Branch circuit requirement Each chassis power supply should have its own dedicated, fused-branch circuit: • For North America—20 A • For International—Circuits sized to local and national codes • All AC power supply inputs are fully isolated. – Source AC can be out of phase between multiple power supplies in the same chassis, which means that PS1 can be operating from phase A and PS2 can be operating from phase B. – For high-line operation, the power supply operates with the hot conductor wired to a source AC phase and the neutral conductor wired either to ground or to another source AC phase as long as the net input voltage is in the range of 170 to 264 VAC. – Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into phase B. Power supply output capacity • 1350 W maximum (100–120 VAC) • 2700 W maximum (200–240 VAC) A-32 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 2700 W AC-Input and DC-Input Power Supplies Table A-22 lists the 2700 W DC-input power supply specifications. Power supply output • 100/120 VAC operation – 15 A @ +1.5 VDC – 2.5 A @ +3.3 VDC – 27.49 A @ +50 VDC • 200/240 VAC operation – 15 A @ +1.5 VDC – 2.5 A @ +3.3 VDC – 55.61 A @ +50 VDC Output holdup time 20 ms minimum kVA rating1 3.4 KVA (high-line operation) Heat dissipation 10,841 BTU/hour (approx.) Weight 18.5 lb (8.4 kg) 1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch. Table A-21 2700 W AC-Input Power Supply Specifications (continued) Specification Description Table A-22 2700 W DC-Input Power Supply Specifications Specification Description DC-input voltage • –48 VDC @ 37 A for nominal –48 V battery backup system (operating range: –40.5 VDC to –56 VDC) • –60 VDC @ 29 A for nominal –60 V battery backup system (operating range: –55 VDC to –72 VDC) DC-input current (per DC input) • 43 A @ –40.5 VDC • 37 A @ –48 VDC • 29 A @ –60 VDC Note For multiple DC input power supplies, each DC input must be protected by a dedicated circuit breaker or a fuse. The circuit breaker or the fuse must be sized according to the power supply input power rating and any local or national electrical code requirements. Power supply output capacity • 1350 W maximum (–48 to –60 VDC, with one DC input) • 2700 W maximum (–48 to –60 VDC, with two DC inputs) A-33 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 2700 W AC-Input and DC-Input Power Supplies Table A-23 lists the power supply LEDs and their meanings. Power supply output • One DC input operation (1350 W operation) – 15 A @ +1.5 VDC – 5 A @ +3.3 VDC – 27.49 A @ +50 VDC • Two DC inputs operation (2700 W operation – 15 A @ +1.5 VDC – 5 A @ +3.3 VDC – 55.61 A @ +50 VDC DC input terminal block Accepts 2–14 AWG copper conductors. Actual size of the wire needed is determined by the installer or local electrician. Terminal block material rated at 150°C. Output holdup time 4 ms kVA rating1 3.5 KW Heat dissipation 11,968 BTU/hour (approx.) Weight 21.0 lb (9.5 kg) 1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch. Table A-22 2700 W DC-Input Power Supply Specifications (continued) Specification Description A-34 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 2700 W AC-Input and DC-Input Power Supplies Table A-23 2700 W AC-Input and DC-Input Power Supply LEDs LED Meaning INPUT 1 OK INPUT 2 OK (DC-input power supply only) AC-input power supplies: • Green—Source AC voltage is OK. (Input voltage is 85 VAC or greater.) • Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off. DC-input power supplies: • Green—Source DC is OK. (Input voltage is –40.5 VDC or greater.) • Off—Source DC voltage falls below –33 VDC, is not present, or the power supply is turned off. FAN OK • Green—Power supply fan is operating properly. • Off—Power supply fan failure is detected. OUTPUT FAIL • Red—Problem with one or more of the DC-output voltages of the power supply. • Off—DC-output voltages within acceptable margins. Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet these minimum configuration requirements can cause a false power supply output fail signal. A-35 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 2700 W AC-Input and DC-Input Power Supplies 2700 W Power Supply AC Power Cords Table A-24 lists the specifications for the AC power cords that are available for the 2700 W AC-input power supply. The table includes references to power cord illustrations. Note All 2700 W power supply power cords are 14 feet (4.3 meters) in length. Note All 2700 W power supply power cords have an IEC60320/C19 appliance connector at one end. Table A-24 2700 W Power Supply AC Power Cords Locale Power Cord Part Number AC Source Plug Type Cordset Rating Power Cord Reference Illustration Argentina CAB-7513ACR= or CAB-IR2073-C19-AR= IRAM 2073 16 A, 250 VAC Figure A-31 Australia, New Zealand CAB-AC-16A-AUS= AU20S3 16 A, 250 VAC Figure A-45 People’s Republic of China CAB-AC16A-CH= GB16C 16 A, 250 VAC Figure A-37 Continental Europe CAB-AC-2500W-EU= CEE 7/7 16 A, 250 VAC Figure A-41 International CAB-AC-2500W-INT= IEC 309 16 A, 250 VAC Figure A-42 Israel CAB-AC-2500W-ISRL= SI16S3 16 A, 250 VAC Figure A-34 Italy CAB-7513ACI= CEI 23-16/7 16 A, 250 VAC Figure A-35 Japan, North America 200–240 VAC operation CAB-AC-2500W-US1= NEMA 6-20 (nonlocking plug) 16 A, 250 VAC Figure A-43 Japan, North America 200–240 VAC operation CAB-AC-C6K-TWLK= NEMA L6-20 (locking plug) 16 A, 250 VAC Figure A-44 Japan, North America 100–120 VAC operation CAB-7513AC= NEMA 5-20 20 A, 125 VAC Figure A-36 Power Distribution Unit (PDU)1 1. The PDU power cable is designed for users who power their switch from a PDU. The end of the cable that plugs into the chassis power supply has a C19 connector; the other end of the cable that connects to the PDU has a C20 connector. CAB-C19-CBN= IEC 60320 C19 IEC 60320 C20 16 A, 250 VAC Figure A-47 South Africa CAB-7513ACSA= IEC 884-1 16 A, 250 VAC Figure A-38 Switzerland CAB-ACS-16= SEV 5934-2 Type 23 16 A, 250 VAC Figure A-45 A-36 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 3000 W AC-Input Power Supply 3000 W AC-Input Power Supply The 3000 W AC-input power supply (WS-CAC-3000W) is supported in the following Catalyst 6500 series switches: • Catalyst 6506 • Catalyst 6506-E • Catalyst 6509 • Catalyst 6509-E • Catalyst 6509-NEB • Catalyst 6509-NEB-A • Catalyst 6509-V-E • Catalyst 6513 • Catalyst 6513-E The 3000 W power supply (see Figure A-13) shares the same form factor as the 1000 W, 1300 W, 2500 W, 4000 W, and 6000 W AC-input power supplies. Note The 3000 W AC-input power supply needs 220 VAC to deliver 3000 W of power. When operating with 110 VAC, it delivers only 1400 W. In addition, the power supply needs 16 A, regardless of whether it is plugged into 110 VAC or 220 VAC. Figure A-13 3000 W AC-Input Power Supply INPUT OK FAN OK OUTPUT FAIL OUTPUT 42V /17A 42V /17A OK I INSTALL RUN O 110-120V - 15A 200-240V - 15A 60/50HZ + 105069 Power switch Cable retention device AC power connection Captive installation screw Status LEDs (3) External power connector cover A-37 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 3000 W AC-Input Power Supply 3000 W Power Supply Specifications Table A-25 lists the specifications for the 3000 W AC-input power supply. Table A-25 3000 W Power Supply Specifications Specification Description AC-input type Autoranging input with power factor correction (PFC). Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies. PFC reduces the reactive component in the source AC current allowing higher power factors (typically 99 percent or better) and lower harmonic current components. AC-input voltage • Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max) • High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max) AC-input current • 16 A @ 200 VAC (3000 W output) • 16 A @ 100 VAC (1400 W output) AC-input frequency 50/60 Hz (nominal) (±3% for full range) Branch circuit requirement Each chassis power supply should have its own dedicated, fused-branch circuit: • For North America—20 A • For International—Circuits sized to local and national codes • All AC power supply inputs are fully isolated. – Source AC can be out of phase between multiple power supplies in the same chassis, which means that PS1 can be operating from phase A and PS2 can be operating from phase B. – For high-line operation, the power supply operates with the hot conductor wired to a source AC phase and the neutral conductor wired either to ground or to another source AC phase as long as the net input voltage is in the range of 170 to 264 VAC. – Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into phase B. Power supply output capacity • 1400 W maximum (100–120 VAC) • 3000 W maximum (200–240 VAC) A-38 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 3000 W AC-Input Power Supply Table A-26 lists the power supply LEDs and their meanings. Power supply output • 100/120 VAC operation – 25.0 A @ +3.3 V – 5 A @ +5 V – 12 A @ +12 V – 27.89 A @ +42 V • 200/240 VAC operation – 25.0 A @ +3.3 V – 5 A @ +5 V – 12 A @ +12 V – 65.98 A @ +42 V Front panel power connector A two-pin male Molex connector is located in the lower right corner of the power supply front panel. The connector provides 42 VDC at a maximum of 17 A. This connector provides power to the WS-6509-NEB-UPGRD kit fan assembly through a power harness also provided in the kit. A hinged protective flap secured by a captive screw covers the connector when it is not in use. Output holdup time 20 ms minimum kVA rating1 3520 W (total input power) or 3.6 KVA (high-line operation) Heat dissipation 12,046 BTU/hour (approx.) Weight 15.8 lb (7.2 kg) 1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch. Table A-25 3000 W Power Supply Specifications (continued) Specification Description A-39 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 3000 W AC-Input Power Supply Table A-26 3000 W AC-Input Power Supply LEDs LED Meaning INPUT OK • Green—Source AC voltage is OK. (Input voltage is 85 VAC or greater.) • Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off. FAN OK • Green—Power supply fan is operating properly. • Off—Power supply fan failure is detected. OUTPUT FAIL • Red—Problem with one or more of the DC-output voltages of the power supply. • Off—DC-output voltages within acceptable margins. Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet these minimum configuration requirements can cause a false power supply output fail signal. 42V OK • Green—42 VDC is present at the fan power connector. • Off—42 VDC is not present at the fan power connector. A-40 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 3000 W AC-Input Power Supply 3000 W Power Supply AC Power Cords Table A-27 lists the specifications for the AC power cords that are available for the 3000 W AC-input power supply. The table includes references to power cord illustrations. Note All 3000 W power supply power cords are 14 feet (4.3 meters) in length. Note All 3000 W power supply power cords have an IEC60320/C19 appliance connector at one end. Table A-27 3000 W Power Supply AC Power Cords Locale Power Cord Part Number AC Source Plug Type Cordset Rating Power Cord Reference Illustration Argentina CAB-7513ACR= or CAB-IR2073-C19-AR= IRAM 2073 16 A, 250 VAC Figure A-31 Australia, New Zealand CAB-AC-16A-AUS= AU20S3 16 A, 250 VAC Figure A-46 People’s Republic of China CAB-AC16A-CH= GB16C 16 A, 250 VAC Figure A-37 Continental Europe CAB-AC-2500W-EU= CEE 7/7 16 A, 250 VAC Figure A-41 International CAB-AC-2500W-INT= IEC 309 16 A, 250 VAC Figure A-42 Israel CAB-AC-2500W-ISRL= SI16S3 16 A, 250 VAC Figure A-34 Italy CAB-7513ACI= CEI 23-16/7 16 A, 250 VAC Figure A-35 Japan, North America (nonlocking plug) 200–240 VAC operation CAB-AC-2500W-US1= NEMA 6-20 16 A, 250 VAC Figure A-43 Japan, North America (locking plug) 200–240 VAC operation CAB-AC-C6K-TWLK= NEMA L6-20 16 A, 250 VAC Figure A-44 Japan, North America 100–120 VAC operation1 1. The 3000 W power supply operating on 110 VAC delivers 1400 W. CAB-7513AC= NEMA 5-20 20 A, 125 VAC Figure A-36 Power Distribution Unit (PDU)2 2. The PDU power cable is designed for users who power their switch from a PDU. The end of the cable that plugs into the chassis power supply has a C19 connector; the other end of the cable that connects to the PDU has a C20 connector. CAB-C19-CBN= IEC 60320 C19 IEC 60320 C20 16 A, 250 VAC Figure A-47 Switzerland CAB-ACS-16= SEV 5934-2 Type 23 16 A, 250 VAC Figure A-45 A-41 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 4000 W AC-Input and DC-Input Power Supplies 4000 W AC-Input and DC-Input Power Supplies The 4000 W AC-input and DC-input power supplies, (WS-CAC-4000W-US, WS-CAC-4000W-INT, and PWR-4000-DC) are supported in the following Catalyst 6500 series switches: • Catalyst 6506 • Catalyst 6506-E • Catalyst 6509 • Catalyst 6509-E • Catalyst 6509-NEB • Catalyst 6509-NEB-A • Catalyst 6509-V-E • Catalyst 6513 • Catalyst 6513-E The 4000 W AC-input and DC-input power supplies, shown in Figure A-14 and Figure A-15, share the same form factor as the 1000 W, 1300 W, 2500 W, and 3000 W power supplies. Figure A-14 4000 W AC-Input Power Supply Power switch INPUT OK FAN OK OUTPUT FAIL Captive installation screw Status LEDs 85756 I 0 A-42 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 4000 W AC-Input and DC-Input Power Supplies Figure A-15 4000 W DC-Input Power Supply 4000 W Power Supply Specifications Table A-29 lists the specifications for the 4000 W AC-input power supply. INPUT OK FAN OK OUTPUT FAIL I 0 97297 1 2 3 +VE-1 -VE-1 +VE-2 -VE-2 +VE-3 -VE-3 Table A-28 4000 W AC-Input Power Supply Specifications Specification Description AC-input type High-line input with power factor correction (PFC). Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies. PFC reduces the reactive component in the source AC current allowing higher power factors (typically 99 percent or better) and lower harmonic current components. AC-input voltage High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max) AC-input current 23 A AC-input frequency 50/60 Hz (nominal) (±3% for full range) A-43 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 4000 W AC-Input and DC-Input Power Supplies Table A-29 list the specification for the 4000 W DC-input power supply. Branch circuit requirement Each chassis power supply should have its own dedicated, fused-branch circuit: • For North America—30 A • For International—Circuits should be sized according to local and national codes • All AC power supply inputs are fully isolated. – Source AC can be out of phase between multiple power supplies in the same chassis, which means that PS1 can be operating from phase A and PS2 can be operating from phase B. – For high-line operation, the power supply operates with the hot conductor wired to a source AC phase and the neutral conductor wired either to ground or to another source AC phase as long as the net input voltage is in the range of 170 to 264 VAC. – Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into phase B. Output capacity 4000 W maximum Power supply output • 15 A @ +3.3 VDC • 5 A @ +5 VDC • 10 A @ +12 VDC • 90.36 A @ +42 VDC Output holdup time 20 ms minimum kVA rating1 5.4 kVA maximum Heat dissipation 17,065 BTU/hour (approx.) Weight 22.2 lb (10.1 kg) 1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch. Table A-28 4000 W AC-Input Power Supply Specifications (continued) Specification Description A-44 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 4000 W AC-Input and DC-Input Power Supplies Table A-30 lists the power supply LEDs and their meanings. Table A-29 4000 W DC-Input Power Supply Specifications Specification Description DC-input voltage • –48 VDC @ 37 A for nominal –48 V battery backup system (operating range: –40.5 VDC to –56 VDC) • –60 VDC @ 29 A for nominal –60 V battery backup system (operating range: –55 VDC to –72 VDC) Note The 4000 W DC-input power supply requires two source DC-inputs to be connected; it cannot operate with only one positive (+)/negative (-) source DC terminal pair installed. DC-input current 40 A per each DC input (three inputs) Note For multiple DC input power supplies, each DC input must be protected by a dedicated circuit breaker or a fuse. The circuit breaker or the fuse must be sized according to the power supply input power rating and any local or national electrical code requirements. Power supply output capacity • 4000 W with three inputs active • 2700 W with two inputs active Note The 4000 W power supply cannot operate with only one source DC-input connected. Power supply output • 15 A @ + 3.3 VDC • 5 A @ + 5 VDC • 12 A @ +12 VDC • 90.63 A (three inputs) or 59.68 A (two inputs) @ +42 VDC Note The 4000 W power supply cannot operate with only one source DC-input connected. DC input terminal block Accepts 4 AWG copper conductors. Actual size of the wire needed is determined by the installer or local electrician. Output holdup time 8 ms kVA rating1 1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch. 5.4 kVA maximum Heat dissipation 17,730 BTU/hour (approx.) Weight 30.8 lb (14.0 kg) A-45 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 4000 W AC-Input and DC-Input Power Supplies Table A-30 4000 W AC-Input and DC-Input Power Supplies LEDs LED Meaning INPUT OK AC-input power supplies: • Green—Source AC voltage is OK. (Input voltage is 85 VAC or greater.) • Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off. DC-input power supplies: • Green—Source DC voltage is OK. (Input voltage is –40.5 VDC or greater.) • Off—Source DC voltage falls below –33 VDC, is not present, or the power supply is turned off. FAN OK • Green—Power supply fan is operating properly. • Off—Power supply fan failure is detected. OUTPUT FAIL • Red—Problem with one or more of the DC-output voltages of the power supply. • Off—DC-output voltages within acceptable margins. Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet these minimum configuration requirements can cause a false power supply output fail signal. A-46 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 6000 W AC-Input and DC-Input Power Supplies 4000 W Power Supply AC Power Cords Table A-31 lists the specifications for the AC power cords that are available for the 4000 W AC-input power supply. Included in the table are references to illustrations of the power cords. Note The AC power cords for the 4000 W AC-input power supply are hardwired directly to the power supply; they do not have an IEC 60320 C19 appliance plug and cannot be removed from the power supply. 6000 W AC-Input and DC-Input Power Supplies Catalyst 6500 series switch support for the 6000 W AC-input (WS-CAC-6000W) and the 6000 W DC-input (PWR-6000-DC) power supplies along with any power supply output restrictions are listed in Table A-32. The 6000 W AC-input power supply, shown in Figure A-16, and the 6000 W DC-input power supply, shown in Figure A-17, share the same form factor as the 1000 W, 1300 W, 2500 W, 3000 W, and 4000 W power supplies. Table A-31 4000 W Power Supply AC Power Cords Locale Power Cord Part Number1 1. This is the part number for the power supply. The AC power cords are hardwired to the 4000 W power supplies. AC Source Plug Type Cordset Rating Power Cord Reference Illustration International WS-CAC-4000W-INT= IEC 60309 32 A, 250 VAC Figure A-48 North America, Japan WS-CAC-4000W-US= NEMA L6-302 2. For Japan, ask your local electrical contractor to prepare the NEMA L6-30 power plug. 30 A, 250 VAC Figure A-49 Table A-32 Chassis Support for the 6000 W AC-Input and DC-Input Power Supplies Catalyst 6500 Series Chassis 6000 W AC-Input Power Supply Restriction 6000 W DC-Input Power Supply Restriction Catalyst 6506 Output limited to 4000 W Output limited to 4000 W Catalyst 6506-E No restrictions No restrictions Catalyst 6509 Output limited to 4000 W Output limited to 4000 W Catalyst 6509-E No restrictions No restrictions Catalyst 6509-NEB Output limited to 4000 W Output limited to 4000 W Catalyst 6509-NEB-A Output limited to 4500 W Output limited to 4500 W Catalyst 6509-V-E No restrictions No restrictions Catalyst 6513 No restrictions No restrictions Catalyst 6513-E No restrictions No restrictions A-47 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 6000 W AC-Input and DC-Input Power Supplies Note Because of form-factor differences, the 6000 W AC-input and the 6000 W DC-input power supplies cannot be installed in the Catalyst 6503, Catalyst 6503-E, and Catalyst 6504-E switch chassis. Figure A-16 6000 W AC-Input Power Supply Figure A-17 6000 W DC-Input Power Supply Power switch Cable retention device INPUT OK INPUT 1 100 - 240V 15A 50/60 Hz INPUT 1 100 - 240V 15A 50/60 Hz FAN OK OUTPUT FAIL Captive installation screw Status LEDs 130056 AC power connection 2 AC power connection 1 I 0 INSTALL RUN 191307 RU I N NSTALL CISCO SYSTEMS, INC 1 2 3 4 INPUT OK FAN OK OUTPUT FAIL A-48 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 6000 W AC-Input and DC-Input Power Supplies 6000 W Power Supply Specifications Table A-34 lists the specifications for the 6000 W AC-input power supply. Table A-33 6000 W AC-Input Power Supply Specifications Specification Description AC-input type 2 AC-inputs per power supply. High-line input with power factor correction (PFC) included. Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies. PFC reduces the reactive component in the source AC current allowing higher power factors (typically 99 percent or better) and lower harmonic current components. AC-input voltage • Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max) • High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max) AC-input current 16 A each input AC-input frequency 50/60 Hz (nominal) (±3% for full range) A-49 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 6000 W AC-Input and DC-Input Power Supplies Branch circuit requirement Each power supply input should have its own dedicated, fused-branch circuit: • For North America—20 A • For International—Circuits should be sized according to local and national codes • All Catalyst 6500 series AC-input power supplies require single-phase source AC. • All AC power supply inputs are fully isolated. – Source AC can be out of phase between multiple power supplies in the same chassis, which means that PS1 can be operating from phase A and PS2 can be operating from phase B. – For high-line operation, the power supply operates with the hot conductor wired to a source AC phase and the neutral conductor wired either to ground or to another source AC phase as long as the net input voltage is in the range of 170 to 264 VAC. – Source AC can be out of phase between AC inputs on power supplies that are equipped with multiple AC inputs, which means that power cord 1 can be plugged into phase A and power cord 2 can be plugged into phase B. Table A-33 6000 W AC-Input Power Supply Specifications (continued) Specification Description A-50 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 6000 W AC-Input and DC-Input Power Supplies Power supply output capacity The 6000 W power supply can operate at either 2900 W or 6000 W depending on the number of AC power cords attached and the source AC voltage. Note The 6000 W AC-input power supply is limited to 4000 W maximum output when it is installed in a Catalyst 6506, Catalyst 6509, or Catalyst 6509-NEB switch chassis. The power supply is limited to 4500 W maximum output when it is installed in the Catalyst 6509-NEB-A switch chassis. • 2900 W maximum with the following source AC arrangements: – INPUT 1 and INPUT 2 both connected to low-line (120 VAC nominal) – INPUT 1 connected to high-line (230 VAC nominal); INPUT 2 not connected – INPUT 1 not connected; INPUT 2 connected to high-line (230 VAC nominal) – INPUT 1 connected to high-line (230 VAC nominal); INPUT 2 connected to low-line (120 VAC nominal) – INPUT 1 connected to low-line (120 VAC nominal); INPUT 2 connected to high-line (230 VAC nominal) • 6000 W maximum with the following source AC arrangements: – INPUT 1 and INPUT 2 both connected to high-line (230 VAC nominal) Note The 6000 W power supply will not power up if you have only one power cord plugged into either INPUT 1 or INPUT 2 and source AC is low-line (120 VAC nominal). Table A-33 6000 W AC-Input Power Supply Specifications (continued) Specification Description A-51 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 6000 W AC-Input and DC-Input Power Supplies Table A-34 list the specifications for the 6000 W DC-input power supply. Power supply output capacity • 2900 W operation (one 220 VAC source or two 110 VAC sources) – 25 A @ +3.3 VDC – 12 A @ +12 VDC – 63.6 A @ +42 VDC • 6000 W operation (two 220 VAC sources) – 25 A @ +3.3 VDC – 12 A @ +12 VDC – 137.4 A @ +42 VDC Output holdup time 20 ms minimum kVA rating1 7.5 kVA Heat dissipation 23,812 BTU/hour (approx.) System power dissipation 7034 W Weight 25.4 lb (11.5 kg) 1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch. Table A-33 6000 W AC-Input Power Supply Specifications (continued) Specification Description Table A-34 6000 W DC-Input Power Supply Specifications Specification Description Input voltage • –48 VDC nominal @ 37 A in North America (operating range: –40.5 VDC to –56 VDC) • –60 VDC nominal @ 30 A for international (operating range: –55 VDC to –72 VDC) Input current 40 A per DC input @ –48 VDC input voltage (total of 4 inputs) Power supply output capacity The 6000 W DC-input power supply can operate at either: • 2800 W—2 DC inputs active • 4500 W—3 DC inputs active • 6000 W—4 DC inputs active A-52 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 6000 W AC-Input and DC-Input Power Supplies Table A-35 list the 6000 W AC-input and DC-input power supply LEDs and their meanings. Power supply output The 6000 W DC-input power supply can operate at either 2800 W, 4500 W, or 6000 W depending on the number of source DC power cables attached. Note The 6000 W DC-input power supply is limited to 4000 W maximum output when it is installed in a Catalyst 6506, Catalyst 6509, or Catalyst 6509-NEB switch chassis. The power supply is limited to 4500 W maximum output when it is installed in the Catalyst 6509-NEB-A switch chassis. • 2800 W operation (two DC inputs) – 25.0 A @ 3.3 VDC – 12.0 A @ 12 VDC – 61.2 A @ 42 VDC • 4500 W operation (three DC inputs) – 25.0 A @ 3.3 VDC – 12.0 A @ 12 VDC – 101.9 A @ 42 VDC • 6000 W operation (four DC inputs) – 25.0 A @ 3.3 VDC – 12.0 A @ 12 VDC – 137.4 A @ 42 VDC DC input terminal block • Accepts 2-hole copper compression-type lugs. Note The actual size of the wire needed is determined by the power engineer or local electrician in accordance with national or local electrical codes. • Terminal posts accept 1/4-inch-20 hex nuts. Output holdup time 20 ms minimum Weight 35 lbs (16 kg) Table A-34 6000 W DC-Input Power Supply Specifications (continued) Specification Description A-53 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 6000 W AC-Input and DC-Input Power Supplies 6000 W Power Supply AC Power Cords Table A-36 lists the specifications for the AC power cords that are available for the 6000 W AC-input power supply. Included in the table are references to illustrations of the power cords. Table A-35 6000 W AC-Input and DC-Input Power Supply LEDs LED Meaning INPUT OK 1, INPUT OK 2 (AC-input power supply only) • Green—Source voltage is OK. Input voltage is 85 VAC or greater. • Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off. INPUT OK 1, INPUT OK 2, INPUT OK 3, and INPUT OK 4 (DC-input power supply only) • Green—Source DC voltage is greater than or equal to –40.5 VDC. • Off—Source DC voltage is less than or equal to –37.5 VDC. • Green, off, or flashing—Source DC voltage is between –37.5 and –40.5 VDC. FAN OK • Green—Power supply fan is operating properly. • Off—Power supply fan failure is detected. OUTPUT FAIL • Red—Problem with one or more of the DC-output voltages of the power supply. • Off—DC-output voltages within acceptable margins. Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet these minimum configuration requirements can cause a false power supply output fail signal. Table A-36 6000 W Power Supply AC Power Cords Locale Power Cord Part Number AC Source Plug Type Cordset Rating Power Cord Reference Illustration Argentina CAB-7513ACR= or CAB-IR2073-C19-AR= IRAM 2073 16 A, 250 VAC Figure A-31 Australia, New Zealand CAB-AC-16A-AUS= AU20S3 16 A, 250 VAC Figure A-46 People’s Republic of China CAB-AC16A-CH= GB16C 16 A, 250 VAC Figure A-37 Continental Europe CAB-AC-2500W-EU= CEE 7/7 16 A, 250 VAC Figure A-41 International CAB-AC-2500W-INT= IEC 309 16 A, 250 VAC Figure A-42 Israel CAB-AC-2500W-ISRL= SI16S3 16 A, 250 VAC Figure A-34 Italy CAB-7513ACI= CEI 23-16/7 16 A, 250 VAC Figure A-35 A-54 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 8700 W AC-Input Power Supply 8700 W AC-Input Power Supply Catalyst 6500 series switch support for the 8700 W AC-input (WS-CAC-8700W-E) power supply along with any power supply output restrictions are listed in Table A-37. The 8700 W AC-input power supply, shown in Figure A-18, shares a similar, but not identical, form-factor as the 1000 W, 1300 W, 2500 W, 3000 W, 4000 W, and 6000 W power supplies. Japan, North America (nonlocking plug) 200–240 VAC operation CAB-AC-2500W-US1= NEMA 6-20 16 A, 250 VAC Figure A-43 Japan, North America (locking plug) 200–240 VAC operation CAB-AC-C6K-TWLK= NEMA L6-20 16 A, 250 VAC Figure A-44 Japan, North America 100–120 VAC operation1 CAB-7513AC=2 NEMA 5-20 16 A, 125 VAC Figure A-36 Power Distribution Unit (PDU)3 CAB-C19-CBN= IEC 60320 C19 IEC 60320 C20 16 A, 250 VAC Figure A-47 Switzerland CAB-ACS-16= SEV 5934-2 Type 23 16 A, 250 VAC Figure A-45 1. The 6000 W power supply operating on two 110 VAC inputs delivers 2900 W. 2. When operating with 100–120 VAC, you must use two AC power cords and the power supply output is limited to 2900 W. 3. The PDU power cable is designed for users who power their switch from a PDU. The end of the cable that plugs into the chassis power supply has a C19 connector; the other end of the cable that connects to the PDU has a C20 connector. Table A-36 6000 W Power Supply AC Power Cords (continued) Locale Power Cord Part Number AC Source Plug Type Cordset Rating Power Cord Reference Illustration Table A-37 Chassis Support for the 8700 W Power Supply Catalyst 6500 Series Chassis 8700 W Power Supply Restriction Catalyst 6506 Output limited to 4000 W Catalyst 6506-E No restrictions Catalyst 6509 Output limited to 4000 W Catalyst 6509-E No restrictions Catalyst 6509-NEB Output limited to 4000 W Catalyst 6509-NEB-A Output limited to 4500 W Catalyst 6509-V-E No restrictions Catalyst 6513 Output is limited to 6000 W Catalyst 6513-E No restrictions A-55 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 8700 W AC-Input Power Supply Note Because of the form-factor difference, when you install an 8700 W power supply in a Catalyst 6506, Catalyst 6509, or Catalyst 6509-NEB chassis you must relocate the system ground connection from the chassis ground pad connection to the two system ground studs located on the 8700 W power supply faceplate. Installing an 8700 W power supply in the other Catalyst 6500 series chassis does not require that you move the chassis system ground connection to the power supply. The 8700 W power supply cannot be installed in the Catalyst 6503, Catalyst 6503-E, and Catalyst 6504-E switch chassis. Figure A-18 8700 W AC-Input Power Supply 8700 W Power Supply Specifications Table A-38 lists the specifications for the 8700 W AC-input power supply. Captive installation screw Remote power on/off feature terminal block Remote power on/off feature relay switch Status LEDs o 182076 INPUT OK 1 2 3 CISCO SYSTEMS, INC. FAN OK 220VAC OUTPUT FAIL 1 2 3 DEFAULT NC RELAY NO RELAY Power switch Cable retention device AC power connection 2 AC power connection 1 AC power connection 3 System ground studs Table A-38 8700 W AC-Input Power Supply Specifications Specification Description AC-input type 3 AC-inputs per power supply. High-line input with power factor correction (PFC) included. Note Power factor correction is a standard feature on all Catalyst 6500 series AC-input power supplies. PFC reduces the reactive component in the source AC current allowing higher power factors (typically 99 percent or better) and lower harmonic current components. AC-input voltage (One-phase) • Low-line (120 VAC nominal)—90 VAC (min) to 132 VAC (max) • High-line (230 VAC nominal)—170 VAC (min) to 264 VAC (max) A-56 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 8700 W AC-Input Power Supply AC-input current 16 A each input AC-input frequency 50/60 Hz (nominal) (±3% for full range) Branch circuit requirement Each power supply input should have its own dedicated, fused-branch circuit: • For North America—20 A • For International—Circuits should be sized according to local and national codes • All Catalyst 6500 series AC-input power supplies require single-phase source AC. • All AC power supply inputs are fully isolated. This means that source AC can be out of phase between multiple AC inputs on the same power supply or different AC power supplies that are installed in the same chassis. For the 8700 W power supply, this means that power cord 1 can be plugged into phases A-B, power cord 2 can be plugged into phases B-C, and power cord 3 can be plugged into phases C-A, A-B, or B-C. Table A-38 8700 W AC-Input Power Supply Specifications (continued) Specification Description A-57 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 8700 W AC-Input Power Supply Power supply output capacity The power supply output capacity is dependent on the number of AC power cords (1, 2, or 3) attached and the source AC voltage (110 VAC [low-line] or 220 VAC [high-line]) applied to the power supply inputs. The 8700 W AC-input power supply is limited to reduced wattage ratings when it is installed in the following Catalyst 6500 series chassis: • 4000 W maximum output when it is installed in a Catalyst 6506, Catalyst 6509, or Catalyst 6509-NEB switch chassis. • 4500 W maximum output when it is installed in the Catalyst 6509-NEB-A switch chassis. • 6000 W maximum output when it is installed in the Catalyst 6513 switch chassis. Note The power supply will not power up if you attach only one power cord and the power cord is connected to low-line (110 VAC nominal) source AC. 2800 W operation 2800 W maximum with the following combinations of power cords and source AC voltage applied to the power supply inputs: • Two AC inputs are connected to low-line (110 VAC nominal); the third AC input is not connected. • One AC input is connected to low-line (110 VAC nominal); one AC input is connected to high-line (220 VAC nominal); the third AC input is not connected. • One AC input is connected to high-line (220 VAC nominal); two AC inputs are not connected. 4200 W operation 4200 W maximum with the following combinations of power cords and source AC voltage applied to the power supply inputs: • All three AC inputs are connected to low-line (110 VAC nominal). • Two AC inputs are connected to low-line (110 VAC nominal); one AC input is connected to high-line (220 VAC nominal). 5800 W operation 5800 W maximum with the following combinations of power cords and source AC voltage applied to the power supply inputs: • Two AC inputs are connected to high-line (220 VAC nominal); the third AC input is connected to low-line (110 VAC nominal). • Two AC inputs are connected to high-line (220 VAC nominal); the third AC input is not connected. 8700 W operation 8700 W maximum with the following combinations of power cords and source AC voltage applied to the power supply inputs: • All three AC inputs are connected to high-line (220 VAC nominal). Table A-38 8700 W AC-Input Power Supply Specifications (continued) Specification Description A-58 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 8700 W AC-Input Power Supply Table A-39 lists the power supply LEDs and their meanings. Power supply output • 2800 W operation – 25.0 A @ +3.3 VDC – 12.0 A @ +12 VDC – 61.29 A @ +42 VDC • 4200 W operation – 25.0 A @ +3.3 VDC – 12.0 A @ +12 VDC – 94.62 A @ +42 VDC • 5800 W operation – 25.0 A @ +3.3 VDC – 12.0 A @ +12 VDC – 132.71 A @ +42 VDC • 8700 W operation – 25.0 A @ +3.3 VDC – 12.0 A @ +12 VDC – 201.75 A @ +42 VDC Output holdup time 20 ms minimum kVA rating1 10.4 kVA Heat dissipation • 11,200 BTU/hour @ 2800 W • 16,800 BTU/hour @ 4200 W • 23,200 BTU/hour @ 5800 W • 34,800 BTU/hour @ 8700 W System power dissipation 10,360 W Weight 39.7 lb (18 kg) 1. The kVA rating listed for the power supply should be used as the sizing criteria for both UPS outputs as well as standard circuits and transformers to power a switch. Table A-38 8700 W AC-Input Power Supply Specifications (continued) Specification Description A-59 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 8700 W AC-Input Power Supply Table A-39 8700 W AC-Input Power Supply LEDs LED Meaning INPUT OK 1, INPUT OK 2, and INPUT OK 3 • Green—Source voltage is OK. (Input voltage is 85 VAC or greater.) • Off—Source AC voltage falls below 70 VAC, is not present, or the power supply is turned off. 220VAC 1, 2, and 3 • Green—High-line AC is present on the respective AC inputs. (Input voltage is 170 VAC or higher.) • Off—Source AC voltage falls below 170 VAC (running at low-line voltage), is not present, or the power supply is turned off. FAN OK • Green—Power supply fan is operating properly. • Off—Power supply fan failure is detected. OUTPUT FAIL • Red—One or more of the power supply DC-output voltages is out of the normal operating range: – For +3.3 VDC output: 2.7–3.0 VDC (min); 3.6–3.8 VDC (max) – For +12 VDC output: 10.5–11.5 VDC (min); 12.6–13.0 VDC (max) – For +42 VDC output: 38.0–40.0 VDC (min); 45.0–52.0 VDC (max) • Off—All DC-output voltages are within normal operating ranges. Note For proper operation of the OUTPUT FAIL LED, systems with single power supplies must be configured with a minimum of one fan tray and one supervisor engine. Systems with dual power supplies must have a minimum configuration of one fan tray, one supervisor engine, and one additional module. Failure to meet these minimum configuration requirements can cause a false power supply output fail signal. A-60 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 8700 W AC-Input Power Supply Remote Power Cycling Feature The 8700 W power supply is equipped with a remote power cycling feature that allows you to remotely turn on or turn off the power supply through an external relay controller box. Figure A-19 shows a typical remote power on/off setup. A three-position terminal block and a switch, located on the lower right quadrant of the power supply faceplate (see Figure A-18), provide the interface to the external relay controller box. Figure A-19 Remote Power On/Off Feature Components Terminal Block The terminal block has three contacts labeled 1, 2, and 3. Two control wires from an external relay controller box attach to either positions 1 and 2 or positions 2 and 3. Positions 1 and 2 are used when the relay controller box contains a normally-open (NO) type of relay. Positions 2 and 3 are used when the relay controller box contains a normally-closed (NC) type of relay. Relay Controller Box Switch The relay controller box switch, located next to the terminal block, allows you to match the power supply power control signal’s active state with the type of relay contained in the external relay controller box (either a normally-open type of relay or a normally-closed type of relay). Ferrite Bead A plastic bag containing one ferrite bead and two 4-inch plastic ties is included with the 8700 W power supply AC power cords. The ferrite bead is a passive device that limits high-frequency interference on interface and control cables, and is only required when you install the remote power-cycling feature that is supported by the 8700 Watt power supply. The ferrite bead is installed on the two control wires that come from the relay controller box to the terminal block on the 8700 W power supply. The ferrite bead should be installed as close as possible to the power supply terminal block for the bead to be effective. You do not need the ferrite bead for 8700 Watt power supply installations that do not include the remote power-cycling feature. If you need to install the ferrite bead, refer to “Installing the Ferrite Bead” procedure on page 1-100. 181878 Remote power on/off terminal block Ferrite bead Relay controller 8700 Watt power supply Network Relay controller power A-61 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 8700 W AC-Input Power Supply Remote Power-Cycling Operation This feature allows you to remotely power cycle the Catalyst 6500 series switch using any appropriate third-party relay controller. This eliminates the need for you to have access to the supervisor engine console or CLI to control power cycling. Table A-40 lists the relay controller box relay type, the corresponding power supply terminal block positions, and a description of the power-cycling operation. Table A-40 8700 W Power Supply Relay Controller Switch Settings and Operation External Relay Controller Box Relay Type Power Supply Relay Controller Switch Setting Power Supply Terminal Block Positions Used Remote Power-Cycling Operation Normally open (NO) relay. NO RELAY (DEFAULT) Control wires from the external relay controller box attach to terminal block positions 1 and 2. • Power supply cycled from on to off—The power supply is powered off by energizing the relay (relay contacts go from open to closed) for more than 30 seconds. • Power supply cycled from off to on—The power supply is powered on by deenergizing the relay (relay contacts go from closed to open) for more than 10 seconds. Normally closed (NC) relay. NC RELAY Control wires from the external relay controller box attach to terminal block positions 2 and 3. • Power supply cycles from on to off—The power supply is powered off by energizing the relay (relay contacts go from closed to open) for more than 30 seconds. • Power supply cycles from off to on— The power supply is powered on by deenergizing the relay (relay contacts go from open to closed) for more than 10 seconds. No relay attached. Remote power-cycling feature not installed. NO RELAY (DEFAULT) — — A-62 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications 8700 W AC-Input Power Supply 8700 W Power Supply AC Power Cords Table A-41 lists the specifications for the AC power cords that are available for the 8700 W AC-input power supply. Included in the table are references to illustrations of the power cords. Table A-41 8700 W Power Supply AC Power Cords Locale Power Cord Part Number AC Source Plug Type Cordset Rating Power Cord Reference Illustration Argentina CAB-7513ACR= or CAB-IR2073-C19-AR= IRAM 2073 16 A, 250 VAC Figure A-31 Australia, New Zealand CAB-AC-16A-AUS= AU20S3 16 A, 250 VAC Figure A-46 People’s Republic of China CAB-AC16A-CH= GB16C 16 A, 250 VAC Figure A-37 Continental Europe CAB-AC-2500W-EU= CEE 7/7 16 A, 250 VAC Figure A-41 International CAB-AC-2500W-INT= IEC 309 16 A, 250 VAC Figure A-42 Israel CAB-AC-2500W-ISRL= SI16S3 16 A, 250 VAC Figure A-34 Italy CAB-7513ACI= CEI 23-16/7 16 A, 250 VAC Figure A-35 Japan, North America (nonlocking plug) 200–240 VAC operation CAB-AC-2500W-US1= NEMA 6-20 16 A, 250 VAC Figure A-43 Japan, North America (locking plug) 200–240 VAC operation CAB-AC-C6K-TWLK= NEMA L6-20 16 A, 250 VAC Figure A-44 Japan, North America 100–120 VAC operation CAB-7513AC=1 1. When operating with 100–120 VAC, you must use two or three AC power cords and the power supply output is limited to either 2800 W (2 inputs) or 4200 W (3 inputs). NEMA 5-20 16 A, 125 VAC Figure A-36 Power Distribution Unit (PDU2 2. The PDU power cable is designed for users who power their switch from a PDU. The end of the cable that plugs into the chassis power supply has a C19 connector; the other end of the cable that connects to the PDU has a C20 connector. CAB-C19-CBN= IEC 60320 C19 IEC 60320 C20 16 A, 250 VAC Figure A-47 Switzerland CAB-ACS-16= SEV 5934-2 Type 23 16 A, 250 VAC Figure A-45 A-63 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications AC Power Cord Illustrations AC Power Cord Illustrations This section contains the AC power cord illustrations (see Figures A-19 through A-48). An AC power cord may be used with several power supplies. See the power supply specifications tables for the AC power cord illustrations that are applicable for your power supply. Figure A-20 CAB-AC10A-90L-AU= (Australia and New Zealand) Figure A-21 CAB-AC10A-90L-EU= (Continental Europe) Connector: IEC 60320 C15 Plug: SAA AS 3112 Cordset rating: 10 A, 250 V Length: 8 ft 2 in. (2.5 m) 113341 Connector: IEC 60320 C15 Cordset rating: 10 A, 250 V Plug: CEE 7/7 Length: 8 ft 2 in. (2.5 m) 113342 A-64 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications AC Power Cord Illustrations Figure A-22 CAB-AC10A-90L-IT= (Italy) Figure A-23 CAB-AC15A-90L-US= (Japan and United States) Figure A-24 CAB-AC10A-90L-UK= (United Kingdom) Connector: IEC 60320 C15 Cordset rating: 10 A, 250 V Length: 8 ft 2 in. (2.5 m) Plug: CEI 23-16/7 113343 Connector: IEC 60320 C15 Cordset rating: 15 A, 125 V Length: 8 ft 2 in. (2.5 m) Plug: NEMA 5-15 113344 Connector: IEC 60320 C15 Cordset rating: 10 A, 250 V Length: 8 ft 2 in. (2.5 m) Plug: BS 1363 113345 13 A fuse A-65 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications AC Power Cord Illustrations Figure A-25 CAB-7KACR= (Argentina) Figure A-26 CAB-7KACA= (Australia and New Zealand) Figure A-27 CAB-7KACE= (Continental Europe) Plug: IRAM 2073 Cordset rating: 10 A, 250 V Length: 8 ft 2 in. (2.5 m) 113346 Connector: IEC 60320 C15 Connector: IEC 60320 C15 Cordset rating: 10 A, 250 V Plug: SAA AS 3112 Length: 8 ft 2 in. (2.5 m) 113347 Connector: IEC 60320 C15 Cordset rating: 16 A, 250 V Length: 8 ft 2 in. (2.5 m) Plug: CEE 7/7 113348 A-66 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications AC Power Cord Illustrations Figure A-28 CAB-7KACI= (Italy) Figure A-29 CAB-7KAC-15= (Japan and United States) Figure A-30 CAB-7KACU= (United Kingdom) Plug: CEI 23-16/7 Cordset rating: 10 A, 250 V Length: 8 ft 2 in. (2.5 m) 113349 Connector: IEC 60320 C15 Cordset rating: 15 A, 125 V Length: 8 ft 2 in. (2.5 m) 113350 Connector: IEC 60320 C15 Plug: NEMA 5-15 Cordset rating: 10 A, 250 V Length: 8 ft 2 in. (2.5 m) 113351 Plug: BS 1363 Connector: IEC 60320 C15 13A fuse A-67 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications AC Power Cord Illustrations Figure A-31 CAB-7513ACR= and CAB-IR2073-C19-AR= (Argentina) Figure A-32 CAB-7513ACA= (Australia and New Zealand) Figure A-33 CAB-7513ACE= (Continental Europe) Plug: IRAM 2073 Cordset rating: 10 A, 250 V Length: 14 ft 0 in. (4.26 m) 113352 Connector: IEC 60320 C19 Cordset rating: 15 A, 250 V Length: 14 ft 0 in. (4.26 m) 113353 Connector: IEC 60320 C19 Plug: SAA AS 3112 Cordset rating: 16 A, 250 V Length: 14 ft 0 in. (4.26 m) 113354 Connector: IEC 60320 C19 Plug: CEE 7/7 A-68 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications AC Power Cord Illustrations Figure A-34 CAB-AC-2500W-ISRL (Israel) Figure A-35 CAB-7513ACI= (Italy) Figure A-36 CAB-7513AC= (Japan and United States) Plug: SI16S3 Cordset rating: 16 A, 250 V Length: 14 ft 0 in. (4.26 m) 130113 Connector: IEC 60320 C19 Cordset rating: 16 A, 250 V Plug: CEI 23-16/7 Length: 14 ft 0 in. (4.26 m) 113355 Connector: IEC 60320 C19 Cordset rating: 20 A, 125 V Length: 14 ft 0 in. (4.26 m) 113356 Connector: IEC 60320 C19 Plug: NEMA 5-20 A-69 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications AC Power Cord Illustrations Figure A-37 CAB-AC16A-CH= (People’s Republic of China) Figure A-38 CAB-7513ACSA= (South Africa) Figure A-39 CAB-ACS-10= (Switzerland) 126792 Cordset rating: 16A, 250V Length: 14 ft 0 in. (4.26 m) Plug: GB16C Connector: IEC 60320-1 C19 Cordset rating: 16 A, 250 V Length: 14 ft 0 in. (4.26 m) 113357 Connector: IEC 60320 C19 Plug: IEC 884 Plug: SEV 1011 Cordset rating: 10 A, 250 V Length: 7 ft 0 in. (2.13 m) 113358 Connector: IEC 60320 C19 A-70 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications AC Power Cord Illustrations Figure A-40 CAB-7513ACU (United Kingdom) Figure A-41 CAB-AC-2500W-EU (Continental Europe) Figure A-42 CAB-AC-2500W-INT= (International) Cordset rating: 13 A, 250 V Length: 14 ft 0 in. (4.26 m) 113359 Plug: BS 1363 13A replaceable fuse Connector: IEC 60320 C19 Cordset rating: 16 A, 250 V Length: 14 ft 0 in. (4.26 m) 113360 Connector: IEC 60320 C19 Plug: CEE 7/7 Cordset rating: 16 A, 250 V Length: 14 ft 0 in. (4.26 m) 113361 Connector: IEC 60320 C19 Plug: IEC 309 A-71 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications AC Power Cord Illustrations Figure A-43 CAB-AC-2500W-US1= (Japan and United States) Figure A-44 CAB-AC-C6K-TWLK= (Japan and United States) Cordset rating: 16 A, 250 V Length: 14 ft 0 in. (4.26 m) Cordset rating: 16 A, 250 V Length: 14 ft 0 in. (4.26 m) 187845 Connector: IEC 60320 C19 Connector: IEC 60320 C19 Plug: NEMA L6-20 Alternate plug: NEMA L6-20 The form factor for these two plugs differ but functionally they are the same TURN & PULL A-72 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications AC Power Cord Illustrations Figure A-45 CAB-ACS-16= (Switzerland) Figure A-46 CAB-AC-16A-AUS= (Australia and New Zealand) Figure A-47 CAB-C19-CBN= (PDU) Plug: SEV 5934-2 Type 23 Cordset rating: 16 A, 250 V Length: 8 ft 2 in. (2.5 m) 192844 Connector: IEC 60320 C19 Cordset rating: 16 A, 250 V Length: 14 ft 0 in. (4.26 m) 140586 Connector: IEC 60320 C19 Plug: AU20S3 Cordset rating: 16 A, 250 V Length: 9 ft 0 in. (2.7 m) 140587 Connector: IEC 60320 C19 Connector: IEC 60320 C20 A-73 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications Power Supply Redundancy Figure A-48 WS-CAC-4000W-INT= (International) Figure A-49 WS-CAC-4000W-US= (United States) Power Supply Redundancy Catalyst 6500 series switching modules have different power requirements. Depending upon the wattage of the power supply, certain switch configurations might require more power than a single power supply can provide. Although the power management feature allows you to supply power to all installed modules with two power supplies, redundancy is not supported in this configuration. Redundant and combined power configurations are summarized in Table A-42. The effects of changing the power supply configurations are summarized in Table A-43. Note For proper load-sharing operation in a redundant power supply configuration, you must install two modules in the chassis. If you fail to install two modules, you might receive spurious OUTPUT FAIL indications on the power supply. Note In systems that have two different sized power supplies installed, you may not have true redundancy. If the larger wattage power supply fails, the smaller wattage power supply might not be able to handle the entire load by itself. Cordset rating: 32 A, 250 V Length: 12 ft 0 in. (3.65 m) Plug: IEC 60309 113365 Hardwired to power supply Cordset rating: 30 A, 250 V Length: 12 ft 0 in. (3.65 m) Hardwired to power supply Plug: NEMA L6-30 113366 A-74 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications Power Supply Redundancy Table A-42 Power Supply Redundancy If you have two power supplies of and redundancy is Then Equal wattage Enabled The total power drawn from both supplies is never greater than the capability of one supply. If one supply malfunctions, the other supply can take over the entire system load. Each power supply provides approximately half of the required power to the system. Load sharing and redundancy are enabled automatically; no software configuration is required. Unequal wattage Enabled Both power supplies initially come online. For the Catalyst operating system, if the difference between the two power supply’s output wattage is less than 10 percent of the higher output wattage power supply, redundancy is enabled. If the difference is greater than 10 percent, the lesser wattage power supply is disabled. For Cisco IOS, both power supplies come on. The total available wattage is the output wattage of the higher wattage power supply. Equal or unequal wattage Disabled The total power available to the system is approximately 167 percent of the lower-wattage power supply. The system powers up as many modules as the combined capacity allows. If the higher-wattage power supply fails, the lower-wattage supply might also shut down due to overcurrent protection to prevent damage to the lower-wattage power supply. Table A-43 Effects of Power Supply Configuration Changes Configuration Change Effect Redundant to combined • System log and syslog messages are generated. • System power is increased to approximately 167 percent of the lower-wattage power supply. • The modules marked as power-deny in the show module Status field are powered up if there is sufficient power. Combined to redundant • System log and syslog messages are generated. • System power is the power capability of the higher-wattage supply. • If there is not enough power for all previously powered-up modules, some modules are powered down and marked as power-deny in the show module Status field. Equal wattage power supply is inserted with redundancy enabled • System log and syslog messages are generated. • System power equals the power capability of one supply. (Both supplies provide approximately one half of the total current.) • No change in the module status because the power capability is unchanged. A-75 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications Power Supply Redundancy Equal wattage power supply is inserted with redundancy disabled • System log and syslog messages are generated. • System power is the combined power capability of both supplies. • The modules marked as power-deny in the show module Status field are brought up if there is sufficient power. Higher wattage power supply is inserted with redundancy enabled • System log and syslog messages are generated. • The system disables the lower-wattage power supply; the higher-wattage supply powers the system (Catalyst operating system). • For Cisco IOS, both power supplies come on. The total available wattage is the output wattage of the higher wattage power supply. Lower wattage power supply is inserted with redundancy enabled • System log and syslog messages are generated. • The system disables the lower-wattage power supply; the higher-wattage supply powers the system (Catalyst operating system). • For Cisco IOS, both power supplies come on. The total available wattage is the output wattage of the higher wattage power supply. Higher or lower wattage power supply is inserted with redundancy disabled • System log and syslog messages are generated. • System power is increased to the combined power capability of both supplies. • The modules marked as power-deny in the show module Status field are brought up if there is sufficient power. Power supply is removed with redundancy enabled • System log and syslog messages are generated. • If the power supplies are of equal wattage, there is no change in the module status because the power capability is unchanged. If the power supplies are of unequal wattage and the lower-wattage supply is removed, there is no change in the module status. If the power supplies are of unequal wattage and the higher-wattage supply is removed, the lower-wattage power supply must be turned on manually. (The system had previously turned off the lower-wattage power supply.) Power supply is removed with redundancy disabled • System log and syslog messages are generated. • System power is decreased to the power capability of one supply. • If there is not enough power for all previously powered-up modules, some modules are powered down and marked as power-deny in the show module Status field. Table A-43 Effects of Power Supply Configuration Changes (continued) Configuration Change Effect A-76 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications Power Supply Redundancy When running redundant 4000 W, 6000 W, or 8700 W power supplies in Catalyst 6506 and Catalyst 6509 non-E series systems, if you remove the power supply in bay 1, the total system power will be reduced to 2940 W (70 A at 42 VDC) after 180 seconds (3 minutes). You can avoid this reduction in the total system power by leaving the power supply in bay 1, even in a powered down state. If the total system power usage is greater than 2940 W, the following scenario will apply if a 4000 W, 6000 W, or a 8700 W power supply is removed from bay 1 (these scenarios are specific to only these three power supplies running in redundant mode in either the Catalyst 6506 or Catalyst 6509 non-E series systems). • If the power supplies in bay 1 and bay 2 are running in redundant mode, the total system power will be 4000 W. • If power supply 1 is running and you power off or remove power supply 2, the total system power will be 4000 W. The system will issue a normal power supply 2 down/remove indication warning. • If you power down power supply 1 while power supply 2 is operating, the system will issue a normal power supply 1 down indication warning with another warning asking the user not to remove power supply 1. If power supply 1 is left in the system, even if it is powered off, the total system power will be 4000 W. • If you remove power supply 1 from the system, a major alarm will be issued to warn that the total system power will be reduced to 2940 W and that any modules or PoE devices that cause the system to exceed 2940 W will power down in 180 seconds (3 minutes). If you insert a replacement power supply 1 in the 180-second timeframe, no action will be taken. System is booted with power supplies of different wattage installed and redundancy enabled • System log and syslog messages are generated. • The lower-wattage supply is disabled (Catalyst operating system). • For Cisco IOS, both power supplies come on. The total available wattage is the output wattage of the higher wattage power supply. System is booted with power supplies of equal or different wattage installed and redundancy disabled • System log and syslog messages are generated. • System power equals the combined power capability of both supplies. • The system powers up as many modules as the combined capacity allows. Table A-43 Effects of Power Supply Configuration Changes (continued) Configuration Change Effect A-77 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications Power Supply Redundancy Note In systems that are equipped with two power supplies, if one power supply fails and the other power supply cannot fully power all of the installed modules, system power management will shut down devices in the following order: • Power over Ethernet (PoE) devices— The system will power down PoE devices in descending order, starting with the highest numbered port on the module in the highest numbered slot. • Modules—If additional power savings are needed, the system will power down modules in descending order, starting with the highest numbered slot. Slots containing supervisor engines or Switch Fabric Modules are bypassed and are not powered down. This shut down order is fixed and cannot be changed. You can change the configuration of the power supplies to redundant or combined at any time. If you switch from a redundant to a combined configuration, both power supplies are enabled (even a power supply that was disabled because it was of a lower wattage than the other power supply). If you change from a combined to a redundant configuration, both power supplies are initially enabled, and if they are of the same wattage, they remain enabled. If they are of different wattage, a syslog message displays and the lower wattage supply is disabled. For additional information about the power management feature and individual module power consumption, refer to your software configuration guide. A-78 Catalyst 6500 Series Switches Installation Guide OL-5781-08 Appendix A Power Supply Specifications Power Supply Redundancy 4-1 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 CHAPITRE 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Table des matières • Garantie limitée Cisco d'un an sur le matériel, page 4-2 • Localisation de la référence du produit, page 4-4 • Vérification des éléments livrés avec le routeur, page 4-5 • Routeurs câblés, page 4-7 • Lecture des mises en garde et recommandations relatives à la sécurité, page 4-7 • Connexion de l'antenne au routeur sans fil (opération facultative), page 4-8 • Connexion du module PoE (Power-over-Ethernet) au routeur (opération facultative), page 4-10 • Installations types des gammes de routeurs Cisco 850 et Cisco 870, page 4-12 • Connexion du routeur, page 4-17 • Installation du logiciel SDM et configuration du routeur, page 4-19 • Documentation associée, page 4-20 • Obtention de documentation, page 4-21 Français Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Garantie limitée Cisco d'un an sur le matériel 4-2 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 • Vos commentaires sur la documentation, page 4-22 • Assistance technique, page 4-22 • Obtention de publications et d'informations complémentaires, page 4-25 Garantie limitée Cisco d'un an sur le matériel Des conditions spécifiques s'appliquent à la garantie de votre matériel et aux prestations de services dont vous pouvez bénéficier pendant la période de validité de cette garantie. Votre déclaration formelle de garantie, qui inclut la garantie et les accords de licence applicables aux logiciels Cisco, est disponible sur le site Cisco.com. Pour accéder aux informations Cisco (Cisco Information Packet), à la garantie et aux accords de licence et les télécharger à partir du site Cisco.com, procédez comme suit : 1. Démarrez votre navigateur et accédez à l'URL suivante : http://www.cisco.com/univercd/cc/td/doc/es_inpck/cetrans.htm La page relative aux accords de licence et aux garanties s'affiche. 2. Pour consulter le Cisco Information Packet, procédez comme suit : a. Dans le champ Information Packet Number (Référence des informations), sélectionnez la référence 78-5235-03A0. b. Sélectionnez la langue souhaitée pour le document. c. Cliquez sur Go (Aller à). La page relative à la garantie limitée Cisco et à la licence d'utilisation du logiciel pour la référence sélectionnée s'affiche. d. Vous pouvez alors consulter le document en ligne ou cliquer sur l'icône PDF pour télécharger et imprimer le document au format PDF (Adobe Portable Document Format). Remarque Vous devez disposer d'Adobe Acrobat Reader pour pouvoir afficher et imprimer les fichiers PDF. Ce programme peut être téléchargé à partir du site Web d'Adobe à l'adresse : http://www.adobe.com 4-3 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Garantie limitée Cisco d'un an sur le matériel 3. Pour obtenir une traduction des informations relatives à la garantie s'appliquant à votre produit, procédez comme suit : a. Dans le champ correspondant au numéro du document de la garantie, indiquez la référence suivante : 78-10747-01C0 b. Sélectionnez la langue désirée pour le document. c. Cliquez sur Go (Aller à). La page relative à la garantie Cisco s'affiche. d. Vous pouvez alors consulter le document en ligne ou cliquer sur l'icône PDF pour télécharger et imprimer le document au format PDF (Adobe Portable Document Format). Vous pouvez également vous rendre sur le site Web de l'assistance technique et des services Cisco pour obtenir une aide : http://www.cisco.com/public/Support_root.shtml. Durée de la garantie sur le matériel Un (1) an Procédure de remplacement, réparation ou remboursement du matériel Cisco ou son centre de service sera en mesure d'expédier une pièce de rechange dans un délai de dix (10) jours suivant la réception de la demande d'autorisation de retour de matériel (ARM). Le délai effectif de livraison pourra varier en fonction de la destination. Cisco se réserve le droit de rembourser le prix d'achat comme seule garantie. Pour recevoir un numéro d'autorisation de retour de matériel (ARM) Contactez la société auprès de laquelle vous avez acheté le produit. Si vous avez acheté le produit directement auprès de Cisco, contactez votre responsable des ventes Cisco. Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Localisation de la référence du produit 4-4 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Complétez les informations ci-dessous et conservez-les comme référence. Localisation de la référence du produit L'étiquette mentionnant la référence du routeur se trouve à l'arrière du châssis, au-dessus des ports réseau Ethernet. (Reportez-vous à la Figure 4-1.) Figure 4-1 Emplacement de la référence du produit Vendeur du produit Numéro de téléphone du vendeur Modèle du produit Référence du produit Numéro du contrat de maintenance 120729, 78-16262-01 Rev A0 G.SHDSL ISDN S/T LAN FE0 FE1 FE2 FE3 Cisco 878 CONSOLE AUX RESET +5,+9 VDC SN: AAANNNNXXXX SN: AAANNNNXXXX 4-5 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Vérification des éléments livrés avec le routeur Vérification des éléments livrés avec le routeur Le Tableau 4-1 répertorie le nombre d'éléments fournis avec chaque modèle de routeur des gammes Cisco 850 et Cisco 870. La Figure 4-2 représente les différents éléments. Assurez-vous que les éléments indiqués dans le Tableau 4-1 ont bien été livrés avec le routeur. Si l'un des éléments manque ou est endommagé, contactez votre service clientèle. Tableau 4-1 Éléments fournis avec les gammes de routeurs Cisco 850 et Cisco 870 Élément Cisco 851 et Cisco 871 Cisco 857 et Cisco 877 Cisco 876 Cisco 878 Câble Ethernet (direct) 1 1 1 1 Câble DSL1 (pour ADSL et G.SHDSL) 1. DSL = ligne d'abonné numérique. Utilisé pour une ligne d'abonné numérique asynchrone (ADSL) ou une ligne d'abonné numérique symétrique haut débit (G.SHDSL). Un câble RJ-11 à RJ-11 est fourni, à moins que le câble RJ-11 à RJ-45 ne soit spécifié. Non applicable Facultatif Facultatif Facultatif Câble de console 1 1 1 1 Adaptateur secteur 1 1 1 1 Cordon d'alimentation2 2. Les cordons d'alimentation sont commandés en fonction du pays ou de la zone géographique. 1 1 1 1 Documentation Cisco3 3. Inclut le document Regulatory Compliance and Safety Information for Cisco 800 Series Routers (Gamme de routeurs Cisco 800 – Informations relatives au respect des réglementations et à la sécurité) ainsi que le présent document Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide. 1 1 1 1 CD Cisco Router and Security Device Manager (SDM) 1111 Antenne doublet pivotante (pour routeurs sans fil uniquement) Cisco 851 : 1 antenne Cisco 871 : 2 antennes Cisco 857 : 1 antenne Cisco 877 : 2 antennes 2 2 Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Vérification des éléments livrés avec le routeur 4-6 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Figure 4-2 Éléments fournis avec les gammes de routeurs Cisco 850 et Cisco 870 Les câbles ci-après ne sont pas fournis avec le routeur. Vous devez les commander séparément. • Câble modem : permet de connecter le port console du routeur à un modem asynchrone pour doter le routeur de fonctionnalités de sauvegarde et de gestion à distance. • Câble S/T RNIS orange : permet de connecter des périphériques au port S/T RNIS. 1 Câble Ethernet jaune 5 Cordon d'alimentation noir pour adaptateur 2 Câble DSL bleu lavande (facultatif) 6 Documentation produit 3 Câble de console bleu clair 7 CD Cisco SDM 4 Adaptateur secteur du routeur 8 Antenne doublet pivotante (pour routeurs sans fil uniquement) 4-7 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Routeurs câblés Routeurs câblés Le présent document contient des sections non applicables aux modèles câblés des gammes de routeurs Cisco 850 et Cisco 870. Certaines illustrations présentent le routeur doté d'antennes, alors que les routeurs câblés ne sont pas équipés d'antennes ni de connecteurs d'antenne sur le panneau arrière. Toutefois, à l'exception de la section « Connexion de l'antenne au routeur sans fil (opération facultative) », la procédure de connexion des routeurs sans fil est identique à celle des routeurs câblés. Lecture des mises en garde et recommandations relatives à la sécurité Avant d'entreprendre de connecter votre routeur, lisez le document Regulatory Compliance and Safety Information for Cisco 800 Series Routers (Gamme de routeurs Cisco 800 – Informations relatives au respect des réglementations et à la sécurité) fourni avec le routeur. Ce document contient d'importantes mises en garde et recommandations en matière de sécurité. Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Connexion de l'antenne au routeur sans fil (opération facultative) 4-8 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Connexion de l'antenne au routeur sans fil (opération facultative) Les routeurs sans fil de la gamme Cisco 850 doivent être utilisés avec une seule antenne de 2,4 GHz. (Reportez-vous à la Figure 4-3.) Les routeurs sans fil de la gamme Cisco 870 sont utilisables avec deux antennes de 2,4 GHz. (Reportez-vous à la Figure 4-4.) Figure 4-3 Routeur sans fil Cisco 857 doté d'une seule antenne LAN ADSLoPOTS FE0 FE1 FE2 FE3 Cisco 857W CONSOLE AUX RESET +5,+12 VDC 122242 SN: XXXNNNNXXXX 4-9 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Connexion de l'antenne au routeur sans fil (opération facultative) Figure 4-4 Routeur sans fil Cisco 871 doté de deux antennes Pour connecter une ou plusieurs antennes à un routeur sans fil, procédez comme suit : Étape 1 Fixez chaque antenne à un connecteur Neill-Concelman vissé de polarité inversée (RP-TNC) situé à l'arrière du routeur, puis verrouillez le connecteur manuellement. Étape 2 Après avoir fixé l'antenne à l'arrière du routeur, positionnez-la à la verticale. LAN FE0 FE1 FE2 FE3 Cisco 871W CONSOLE AUX RESET +5,+12 VDC LEFT RIGHT / PRIMARY 1 0 WAN FE4 122241 SN: XXXNNNNXXXX Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Connexion du module PoE (Power-over-Ethernet) au routeur (opération facultative) 4-10 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Connexion du module PoE (Power-over-Ethernet) au routeur (opération facultative) Si vous avez acheté un module d'alimentation par câble Ethernet (PoE), connectez les quatre câbles Ethernet jaunes du module aux quatre ports Ethernet LAN du routeur. (Reportez-vous à la Figure 4-5.) Assurez-vous de bien connecter les quatre câbles Ethernet. Si les câbles sont trop rapprochés les uns des autres pour cette opération, éloignez le protège-câble en plastique de l'extrémité des câbles équipée des connecteurs. Prudence Pour assurer le bon fonctionnement du module d'alimentation par câble Ethernet (PoE), ne le reliez pas à l'adaptateur secteur avant de l'avoir connecté au routeur. La Figure 4-5 présente le routeur Cisco 871 relié à un module PoE. Notez toutefois que cette connexion fonctionne pour tous les modèles de routeur des gammes Cisco 870. Remarque Lorsque vous connectez un appareil (tel qu'un PC ou un téléphone IP) au module d'alimentation par câble Ethernet (PoE), vous pouvez attendre une à deux secondes avant que le voyant lumineux indique que le port est activé. 4-11 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Connexion du module PoE (Power-over-Ethernet) au routeur (opération facultative) Figure 4-5 Connexion du module PoE au routeur 1 Routeur de la gamme Cisco 870 5 Adaptateur secteur du routeur 2 Câbles Ethernet du module PoE 6 Fiche secteur PoE 3 Module PoE 7 Fiche secteur du routeur 4 Adaptateur secteur PoE 122351 +5,+12 VDC LEFT RIGHT / PRIMARY LAN FE0 FE1 FE2 FE3 Cisco 871W CONSOLE AUX RESET 1 0 WAN FE4 1 2 4 6 To LAN 0 1 2 3 PWR 3 5 7 SN: XXXNNNNXXXX Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Installations types des gammes de routeurs Cisco 850 et Cisco 870 4-12 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Installations types des gammes de routeurs Cisco 850 et Cisco 870 Les installations types des gammes de routeurs Cisco 850 et Cisco 870 sont illustrées de la Figure 4-6 à la Figure 4-9, dans l'ordre suivant : • routeurs Cisco 851 et Cisco 871 : voir la Figure 4-6 ; • routeurs Cisco 857 et Cisco 87 : voir la Figure 4-7 ; • routeur Cisco 876 : voir la Figure 4-8 ; • routeur Cisco 878 : voir la Figure 4-9. La Figure 4-6 présente l'installation type d'un routeur Cisco 851 ou Cisco 871. Cette figure illustre le panneau arrière d'un routeur Cisco 871, équipé de deux ports USB (Universal Serial Bus). Le routeur Cisco 851 ne comporte aucun port USB ; toutefois, les connexions des autres ports du routeur Cisco 851 sont identiques à celles du routeur Cisco 871. 4-13 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Installations types des gammes de routeurs Cisco 850 et Cisco 870 Figure 4-6 Installation type d'un routeur Cisco 851 ou Cisco 871 1 Connexion Ethernet à un commutateur externe 4 Port console 2 Connexion Ethernet à un PC 5 Adaptateur secteur 3 Connexion WAN (réseau étendu) à Internet à l'aide d'un modem à large bande LAN 4 3 2 1 Cisco 871W CONSOLE AUX RESET +5,+12 VDC LEFT RIGHT / PRIMARY 1 0 WAN FE0 FE1 FE2 FE3 FE4 1X 2X 1X 2X 1 Internet 1 2 3 4 5 122237 SN: XXXNNNNXXXX Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Installations types des gammes de routeurs Cisco 850 et Cisco 870 4-14 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 La Figure 4-7 présente l'installation type d'un routeur Cisco 857 ou Cisco 877. Figure 4-7 Installation type d'un routeur Cisco 857 ou Cisco 877 1 Connexion Ethernet à un commutateur externe 4 Port console 2 Connexion Ethernet à un PC 5 Adaptateur secteur 3 Connexion ADSL sur POTS (service téléphonique traditionnel) RIGHT / PRIMARY ETHERNET LAN ADSLoPOTS 3 2 1 0 Cisco 877W CONSOLE AUX RESET +5,+12 VDC LEFT FE4 FE3 FE2 FE1 1X 2X 1X 2X 1 1 2 3 5 122238 4 SN: XXXNNNNXXXX 4-15 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Installations types des gammes de routeurs Cisco 850 et Cisco 870 La Figure 4-8 présente l'installation type d'un routeur Cisco 876. Figure 4-8 Installation type d'un routeur Cisco 876 1 Connexion Ethernet à un commutateur externe 4 Connexion ADSL sur RNIS 2 Connexion Ethernet à un PC 5 Port console 3 Connexion S/T RNIS 6 Adaptateur secteur LAN ISDN S/T ADSL o ISDN FE0 FE1 FE2 FE3 Cisco 876W CONSOLE AUX RESET +5,+12 VDC LEFT RIGHT / PRIMARY 1X 2X 1X 2X 1 1 2 6 122239 3 4 5 SN: XXXNNNNXXXX Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Installations types des gammes de routeurs Cisco 850 et Cisco 870 4-16 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 La Figure 4-9 présente l'installation type d'un routeur Cisco 878. Figure 4-9 Installation type d'un routeur Cisco 878 1 Connexion Ethernet à un commutateur externe 4 Connexion G.SHDSL 2 Connexion Ethernet à un PC 5 Port console 3 Connexion S/T RNIS 6 Adaptateur secteur LAN ISDN S/T G.SHDSL FE0 FE1 FE2 FE3 Cisco 878W CONSOLE AUX RESET +5,+12 VDC LEFT RIGHT / PRIMARY 1X 2X 1X 2X 1 1 2 3 4 6 122240 5 SN: XXXNNNNXXXX 4-17 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Connexion du routeur Connexion du routeur Connectez le routeur en vous reportant à l'installation type de votre modèle de routeur illustrée à la section « Installations types des gammes de routeurs Cisco 850 et Cisco 870 » la section sur la page 4-12. Procédez comme suit pour connecter le routeur à l'adaptateur secteur, à votre réseau local et au réseau de votre fournisseur d'accès : Étape 1 Modèles sans fil uniquement : vérifiez que les antennes ont été fixées au routeur conformément aux instructions de la section « Connexion de l'antenne au routeur sans fil (opération facultative) » la section sur la page 4-8. Étape 2 Si vous utilisez un module PoE, assurez-vous qu'il est connecté au routeur (reportez-vous à la section « Connexion du module PoE (Power-over-Ethernet) au routeur (opération facultative) » la section sur la page 4-10). Connectez les périphériques Ethernet au module PoE, mais non au routeur. Étape 3 Si vous connectez plus de quatre PC au routeur, raccordez ce dernier à un commutateur ou à un concentrateur à l'aide d'un câble Ethernet jaune, comme illustré de la Figure 4-6 à la Figure 4-9. Étape 4 Connectez un PC directement au routeur, comme illustré de la Figure 4-6 à la Figure 4-9. Mettez le PC hors tension afin qu'il obtienne une adresse IP du routeur lorsqu'il sera remis sous tension. Vous pouvez connecter d'autres PC aux ports Ethernet numérotés restants. Étape 5 Le port console est un port de service auquel vous pouvez connecter un terminal ou un PC pour configurer le logiciel à l'aide de l'interface CLI (interface de ligne de commande) ou pour résoudre les problèmes rencontrés avec le routeur. Si vous avez besoin d'accéder à la console du routeur, connectez un PC ou un terminal au port console. Remarque En connectant le port console à un modem asynchrone à l'aide du câble modem pour routeur disponible en option, vous pouvez doter le routeur de fonctionnalités de sauvegarde et de gestion à distance. Étape 6 Routeurs Cisco 851 et Cisco 871 uniquement : connectez le second câble Ethernet jaune entre le port WAN Ethernet du routeur et un port disponible sur un modem DSL, câblé ou Ethernet LRE (longue portée) déjà installé, comme illustré à la Figure 4-6. Pour choisir le port de connexion sur le modem, suivez les instructions livrées avec votre modem à large bande. Si ce dernier est éteint, mettez-le sous tension. Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Connexion du routeur 4-18 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Étape 7 Routeur Cisco 871 uniquement : Connectez les périphériques USB pris en charge, tels que des modules de mémoire Flash ou des eTokens, aux deux ports USB. Pour plus d'informations, reportez-vous au document Cisco Access Router USB Flash Module and USB eToken Hardware Installation Guide (Modules Flash USB et eTokens USB pour routeurs d'accès Cisco – Guide d'installation matérielle), puis passez à l'Étape 12. Étape 8 Routeurs Cisco 857 et Cisco 877 uniquement : connectez le port ADSLoPOTS du routeur à la prise téléphonique murale à l'aide du câble DSL bleu lavande. Si la ligne ADSL sert aussi à la communication vocale, vous pouvez empêcher toute interruption de la transmission de données en connectant le routeur à un filtre ADSL ou en installant des microfiltres entre les téléphones ou les télécopieurs et la prise murale. Passez à l'Étape 12. Étape 9 Routeurs Cisco 876 et Cisco 878 uniquement : pour disposer de fonctions de sauvegarde et de gestion à distance, vous pouvez connecter le port S/T RNIS à une terminaison réseau (NT1) ou à un filtre ADSL à l'aide du câble S/T RNIS orange (disponible en option). Passez à l'Étape 10 ou à l'Étape 11, selon le modèle de routeur dont vous disposez. Étape 10 Routeurs Cisco 876 uniquement : branchez le câble DSL sur le port ADSLoRNIS du routeur et sur le filtre ADSL ou sur la prise murale. Si vous utilisez un filtre ADSL, connectez-le à la prise murale à l'aide d'un câble à paire torsadée non blindée de catégorie 5. Passez à l'Étape 12. Étape 11 Routeurs Cisco 878 uniquement : branchez le câble DSL sur le port G.SHDSL du routeur et sur la prise murale. Étape 12 Tous les modèles de routeurs : raccordez le cordon d'alimentation au routeur, puis mettez le routeur sous tension. Assurez-vous d'utiliser l'adaptateur secteur livré avec le routeur. Le routeur n'accepte pas d'autres adaptateurs secteur. Lorsque vous connectez le routeur à une source d'alimentation, le témoin vert OK du panneau avant du routeur doit s'allumer. Le routeur est alors prêt à l'emploi. Si le témoin vert OK ne s'allume pas, reportez-vous au chapitre « Troubleshooting » (« Dépannage ») du document Cisco 850 Series and Cisco 870 Series Routers Hardware Installation Guide (Gammes de routeurs Cisco 850 et Cisco 870 – Guide d'installation matérielle). 4-19 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Installation du logiciel SDM et configuration du routeur Remarque Dans le cas des routeurs Cisco 857, Cisco 876, Cisco 877 et Cisco 878, la ligne DSL doit avoir été fournie par votre fournisseur d'accès et être correctement configurée. Vérifiez l'état de détection de porteuse (CD) indiqué par le témoin CD ADSL ou G.SHDSL du routeur. Si le témoin CD ADSL ou G.SHDSL ne s'allume pas, contactez votre fournisseur d'accès. Étape 13 Si vous avez connecté un module PoE au routeur, branchez l'adaptateur secteur du module PoE sur la prise d'entrée située sur le panneau arrière du module. Le témoin vert situé sur le panneau avant du module PoE s'allume et les périphériques connectés au module sont alimentés. Pour obtenir des instructions de connexion détaillées, reportez-vous au document Cisco 850 Series and Cisco 870 Series Routers Hardware Installation Guide (Gammes de routeurs Cisco 850 et Cisco 870 – Guide d'installation matérielle). Installation du logiciel SDM et configuration du routeur Pour installer le logiciel Cisco SDM permettant de configurer le routeur, procédez comme suit : Étape 1 Connectez un PC à n'importe quel port LAN du routeur, comme illustré de la Figure 4-7, Figure 4-8 et Figure 4-9. Étape 2 Insérez le CD du logiciel Cisco SDM dans le lecteur de CD du PC. Un assistant d'installation s'exécute à partir du CD. Installez le logiciel Cisco SDM en suivant les instructions de l'interface utilisateur de l'assistant d'installation. Étape 3 Utilisez le logiciel Cisco SDM pour configurer le routeur conformément aux instructions du document Cisco Router and Security Device Manager (SDM) Quick Start Guide (Guide de démarrage rapide de SDM). Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Documentation associée 4-20 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Documentation associée Le présent document décrit les procédures élémentaires de câblage et de configuration des gammes de routeurs Cisco 850 et Cisco 870. Pour plus d'informations, reportez-vous aux documents suivants : • Cisco 850 Series and Cisco 870 Series Access Routers Hardware Installation Guide (Gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide d'installation matérielle) : fournit des informations détaillées concernant le câblage et le matériel des routeurs Cisco 850 et Cisco 870. • Cisco Router and Security Device Manager (SDM) Quick Start Guide (Guide de démarrage rapide de SDM) : fournit des instructions détaillées concernant la configuration du routeur et des fonctionnalités sans fil de ce dernier à l'aide de l'interface utilisateur graphique Cisco SDM. • Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide (Gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de configuration logicielle) : fournit des informations et des exemples de configuration logicielle des routeurs Cisco 850 et Cisco 870. • Cisco Access Router Wireless Configuration Guide (Routeurs d'accès Cisco – Guide de configuration sans fil) : fournit des informations concernant la configuration logicielle sans fil des routeurs d'accès Cisco, englobant les gammes de routeurs Cisco 850 et Cisco 870. • Upgrading Memory in Cisco 800 Series Routers (Routeurs Cisco 800 – Mise à niveau de la mémoire) : fournit des informations sur la mise à niveau de la mémoire des routeurs Cisco 800. • Regulatory Compliance and Safety Information for Cisco 800 Series and SOHO Series Routers (Routeurs des gammes Cisco 800 et SOHO – Informations relatives au respect des réglementations et à la sécurité) : fournit des informations sur les normes de sécurité et les réglementations internationales pour les routeurs des gammes Cisco 800 et SOHO. • Cisco Access Router USB Flash Module and USB eToken Hardware Installation Guide (Modules Flash USB et eTokens USB pour routeurs d'accès Cisco – Guide d'installation matérielle) fournit des informations concernant l'installation de modules de mémoire Flash et d'eTokens USB. 4-21 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Obtention de documentation Ces documents sont tous disponibles sur Internet. La documentation Cisco la plus récente est disponible sur Internet à partir des sites suivants : • http://www.cisco.com • http://www-china.cisco.com • http://www-europe.cisco.com Obtention de documentation La documentation Cisco est disponible sur le site Cisco.com. Cisco propose également divers moyens pour obtenir une assistance technique et d'autres ressources techniques. Les sections qui suivent expliquent comment obtenir des informations techniques de Cisco Systems. Cisco.com Vous pouvez accéder à la documentation Cisco la plus récente à l'adresse suivante : http://www.cisco.com/cisco/web/psa/default.html?mode=prod Vous pouvez accéder au site Web de Cisco à l'adresse suivante : http://www.cisco.com Vous pouvez accéder aux sites Web internationaux de Cisco à l'adresse suivante : http://www.cisco.com/public/countries_languages.shtml Commande de documentation Vous trouverez les instructions de commande de documentation à l'adresse suivante : http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Vos commentaires sur la documentation 4-22 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Vous pouvez commander de la documentation Cisco en procédant comme suit : • Les utilisateurs inscrits sur Cisco.com (clients directs de Cisco) peuvent commander de la documentation à l'adresse suivante : http://www.cisco.com/en/US/partner/ordering/index.shtml • Les utilisateurs non inscrits sur Cisco.com peuvent se procurer de la documentation par l'intermédiaire d'un représentant de compte local en appelant le siège social de Cisco Systems (Californie, États-Unis) au numéro 408 526-7208 ou, en dehors des États-Unis, en composant le 1 800 553-NETS (6387). Vos commentaires sur la documentation Vous pouvez envoyer vos commentaires sur la documentation technique à l'adresse bug-doc@cisco.com. Pour envoyer vos commentaires par courrier ordinaire, utilisez le coupon-réponse situé au verso de la couverture de votre document ou, à défaut, écrivez à l'adresse suivante : Cisco Systems Attn : Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883 Vos commentaires sont les bienvenus. Assistance technique Pour tous les clients, partenaires, revendeurs et distributeurs en possession de contrats de service Cisco valides, le centre d'assistance technique Cisco propose une assistance hors pair disponible 24 heures sur 24. Le site Web d'assistance technique Cisco sur Cisco.com offre des ressources en ligne très complètes. En outre, le centre d'assistance technique (TAC) Cisco fournit une assistance téléphonique. Si vous ne disposez pas d'un contrat de service Cisco valide, contactez votre revendeur. 4-23 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Assistance technique Site Web d'assistance technique Cisco Ce site propose des documents et outils en ligne pour dépanner et résoudre les problèmes techniques liés aux technologies et produits Cisco. Il est disponible 24 heures sur 24, 365 jours par an, à l'adresse suivante : http://www.cisco.com/techsupport Pour accéder aux outils du site, vous devez être inscrit à Cisco.com et posséder un ID utilisateur ainsi qu'un mot de passe. Si vous êtes en possession d'un contrat de service valide, mais que vous n'avez ni ID utilisateur ni mot de passe, connectez-vous à l'adresse suivante pour vous inscrire : http://tools.cisco.com/RPF/register/register.do Remarque Avant de demander une assistance par Internet ou par téléphone, utilisez l'outil d'identification produit Cisco (CPI) pour déterminer votre référence produit. Pour accéder à l'outil CPI à partir du site Web d'assistance technique Cisco, cliquez sur le lien Tools & Resources (Outils et ressources) sous Documentation & Tools (Documentation et outils). Sélectionnez l'option Cisco Product Identification Tool (Outil d'identification produit Cisco) dans la liste déroulante Alphabetical Index (Index alphabétique), ou cliquez sur le lien Cisco Product Identification Tool sous Alerts & RMAs (Alertes et RMA). L'outil CPI vous propose trois options de recherche : par ID produit ou nom de modèle, par arborescence, ou, dans le cas de certains produits, par copier-coller du résultat de la commande show (afficher). Les résultats de la recherche vous présentent votre produit en mettant en surbrillance l'étiquette mentionnant sa référence. Localisez cette étiquette sur votre produit, puis notez cette information avant d'effectuer votre demande d'assistance. Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Assistance technique 4-24 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Soumission d'une demande de service L'outil de demande de service en ligne sur le TAC constitue le moyen le plus rapide de soumettre des demandes de service S3 et S4. (Ces demandes correspondent à une dégradation minimale du fonctionnement de votre réseau ou à une demande d'information produit.) Lorsque vous avez décrit la situation, l'outil de demande de service du TAC vous propose les solutions recommandées. Si ces solutions ne permettent pas de résoudre le problème, votre demande de service est affectée à un ingénieur du TAC Cisco. Vous trouverez l'outil de demande de service du TAC à l'adresse suivante : http://www.cisco.com/techsupport/servicerequest Pour les demandes de service S1 ou S2 ou dans le cas où vous n'avez pas d'accès à Internet, contactez le TAC Cisco par téléphone. (Vous soumettez ce type de demandes lorsque votre réseau d'exploitation est très dégradé ou paralysé.) Ces demandes sont immédiatement affectées aux ingénieurs du TAC Cisco pour préserver le bon fonctionnement de vos activités. Pour soumettre une demande de service par téléphone, composez l'un des numéros suivants : Asie-Pacifique : +61 2 8446 7411 (Australie : 1 800 805 227) Zone EMEA : +32 2 704 55 55 États-Unis : 1 800 553-2447 Pour consulter la liste complète des contacts du TAC Cisco, rendez-vous à l'adresse : http://www.cisco.com/techsupport/contacts Définition de la gravité des demandes de service Cisco a défini des niveaux de gravité afin que toutes les demandes de service soient soumises dans un format standard. Gravité 1 (S1) : votre réseau est « paralysé » ou la situation a un impact très négatif sur vos activités professionnelles. Vous et Cisco engagerez 24 heures sur 24 toutes les ressources nécessaires pour résoudre le problème. 4-25 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Obtention de publications et d'informations complémentaires Gravité 2 (S2) : le fonctionnement d'un réseau existant est très dégradé ou des aspects importants de vos activités professionnelles sont affectés par les performances inadéquates des produits Cisco. Vous et Cisco engagerez des ressources à temps plein pendant les heures de bureau normales pour résoudre le problème. Gravité 3 (S3) : les performances de votre réseau sont affectées mais la plupart de vos activités professionnelles restent fonctionnelles. Vous et Cisco engagerez des ressources pendant les heures de bureau normales pour rétablir des niveaux de service satisfaisants. Gravité 4 (S4) : vous avez besoin d'informations ou d'assistance concernant des fonctionnalités, l'installation ou la configuration de produits Cisco. L'impact sur vos activités professionnelles est faible, voire nul. Obtention de publications et d'informations complémentaires Des informations sur les produits, les technologies et les solutions réseau Cisco sont disponibles en ligne et sous forme imprimée. • La boutique Cisco Marketplace offre un grand choix d'ouvrages, de guides de référence et de produits Cisco. Pour la découvrir, rendez-vous à l'adresse suivante : http://www.cisco.com/go/marketplace/ • Le Catalogue des produits Cisco détaille les produits réseau proposés par Cisco Systems, ainsi que les services clients gérant les commandes et les demandes d'assistance. Vous pouvez accéder au Catalogue des produits Cisco à l'adresse suivante : http://cisco.com/univercd/cc/td/doc/pcat/ • Cisco Press publie une large gamme d'ouvrages traitant de l'administration réseau, des formations et des certifications. Les utilisateurs débutants comme les plus expérimentés y trouveront des informations utiles. Pour connaître les dernières publications de Cisco Press et consulter d'autres informations, visitez le site de Cisco Press à l'adresse suivante : http://www.ciscopress.com Chapitre 4 Configuration et câblage des gammes de routeurs d'accès Cisco 850 et Cisco 870 – Guide de démarrage rapide Obtention de publications et d'informations complémentaires 4-26 Cisco 850 Series and Cisco 870 Series Access Routers Cabling and Setup Quick Start Guide 78-16262-04 • Le magazine Packet destiné aux utilisateurs techniques de Cisco Systems détaille comment optimiser les investissements Internet et réseau. Chaque trimestre, il présente les dernières tendances en matière de réseaux, les innovations technologiques ainsi que les produits et solutions Cisco. Il donne des conseils pour le déploiement et le dépannage des réseaux et propose des exemples de configuration, des études de cas relatives à la clientèle, des informations sur les certifications et les formations, ainsi que des liens vers des ressources plus détaillées accessibles en ligne. Vous pouvez accéder au magazine Packet à l'adresse suivante : http://www.cisco.com/packet • Le journal trimestriel Internet Protocol Journal publié par Cisco Systems s'adresse aux ingénieurs concernés par la conception, le développement et l'exploitation de réseaux Internet et intranet publics et privés. Vous pouvez y accéder à l'adresse suivante : http://www.cisco.com/ipj • Cisco propose des formations de niveau international sur les réseaux. Les programmes en vigueur sont présentés à l'adresse suivante : http://www.cisco.com/en/US/learning/index.html