Cisco Application Control Engine Pravin Wankhade NCE GSP-GTP April 2012

Training ACE


Page 1: Training ACE

Cisco Application Control Engine

Pravin Wankhade, NCE GSP-GTP

April 2012

Page 2: Training ACE

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Agenda

• Background – Load Balancers and ACE

• Product Overview and Recent Releases

• New Capabilities

• Hardware

• Modular Policy CLI

• Virtualization

• Role Based Access Control

• Security Features

• Redundancy

• Deployment

Page 3: Training ACE


ACE Functionality

What does this thing do?

Page 4: Training ACE

ACE Function In the Datacenter (In case you didn’t know…)

• ACE is an “Application Delivery Controller” (ADC) or “Load Balancer” (SLB).

• LB/ADC distributes L4-L7 Traffic “Flows” to Application Servers.

• Server Load Balancing (SLB) is critical to *any* scalable application deployment.

Diagram: Clients, ACE, Application Server Farm, RADIUS and GSS (“ADC” is the newer terminology).

ACE:
• Distributes Traffic Flows
• SSL Offload
• Persistence (sticky)
• Compression
• Virtualization
• App / Health Checking

GSS:
• DC Site Selection
• DNS load balancing
• Application Keep-Alive
• Geo-DB Intelligence

Page 5: Training ACE

ACE In the Datacenter (In case you didn’t know…)

• ACE Uses Nexus 7000 OTV functionality.

• ACE Uses Virtual Contexts to provide isolated load balancing to applications – Up to 250 VC’s per Module.

• ACE distributes traffic to VM server farms in UCS deployments.

• ACE works with VMware for Manageability and Dynamic Workload Scaling (DWS).

Diagram: Virtual Contexts (up to 250), VMs, UCS, vCenter.

Page 6: Training ACE

ACE Function In the Datacenter

• ACE product family including GSS, Module & Appliance and ANM Management provide critical Application Delivery Solutions in the Globally Connected Datacenter.

Diagram: Clients, Datacenter A, Datacenter B, Datacenter C, ACE GSS.

• ACE GSS Steers traffic Flows to ACE VIPs

• ACE Distributes Client Flows in the Datacenter

• ANM Provisions, Operates, Monitors and shows end-to-end connectivity

Page 7: Training ACE

60 Second Detour – Why do We Need It?

Page 8: Training ACE


Client View Of the Application (Service)

Diagram: Clients, Network, Server, Application (Service) Endpoint.

Client has no knowledge/visibility of the underlying Network.

Page 9: Training ACE

Application on its own is not “Robust”

Chart: Performance vs. Traffic & Client Load (No Load to High Load); Application Failure leads to Business Impact.

Page 10: Training ACE

ADC View Of the Application

ADC Scales and enhances the application.

Diagram: Clients, Network, ACE presenting a Virtual IP in front of the Application Server Farm; SSL Offload & Health Monitoring (Health Probe).

Page 11: Training ACE

The Load Balanced Application Becomes Robust

Chart: Performance vs. Traffic & Client Load (No Load to High Load); Application Continuity provides Business Continuity.

Page 12: Training ACE

Datacenter Expansion Of the Application

Diagram: Clients, ACE, vCenter, and server groups A, B and C. Multiple Apps (Services) are Virtualized by ACE.

Page 13: Training ACE

The Evolution of L4 to 7 Services

• Infrastructure simplification with L4–7 Services integration

• Converged policy creation, management, and troubleshooting

• Reduced latency (single TCP termination for all functions)

Today: Integrated Layer 4 and Layer 7 Rules in the Application Control Engine.

Page 14: Training ACE

Scalable Application

Page 15: Training ACE


Application on its own is not “Robust”

The Application (a.k.a. Service) needs: Scalability, Reliability, Security, Mobility (virtualization), Manageability.

Therefore, we use the Load Balancer to enhance the application…

…And Distribute traffic to all those UCS Servers and Virtual Machines.

Page 16: Training ACE

Scalability

• N + 1 Server Scaling
• SNAT
• Compression
• Persistence

Page 17: Training ACE

Reliability

• Health Monitoring
• Failover (server farm)
• Validation

Page 18: Training ACE

Security

• SSL Offload
• DDOS Protection
• SNAT

Page 19: Training ACE

Mobility (virtualization)

• Virtual IP
• Virtual Contexts (isolation)
• VCenter Integration
• OTV Integration

Page 20: Training ACE

Manageability

• ANM Unified View
• KPI Monitoring
• Role-Based Access Control (Operations and Provisioning)
• VCenter Plug-In Delegation
• Mobile Application (iPhone/Android..etc)

Page 21: Training ACE

Application ++

Now the Scalable Application is Enabled: Application ++ Scalability, Reliability, Security, Mobility (virtualization), Manageability.

Page 22: Training ACE

Product Overview & Recent Releases

Page 23: Training ACE

ACE & ANM: Application Delivery Solution For The Virtualized Data Center

App Service Delivery: Integrates load balancing, server offload, compression, app optimization & app security

Virtualized Architecture: Industry leading virtualized Application Delivery Controller (ADC)

Investment Protection: “Pay as you grow” licensing model: increase performance & scale without deploying new hw

Established Products: Over 30K units deployed world-wide

Centralized Management: Configuration, operations, and monitoring of ACE equipment & services

VMWare Integrated: Integration with vCenter provides streamlined VM and ACE provisioning and monitoring

Operations Excellence: Secure delegation of service & server tasks for ACE, CSS, CSM, GSS

IT Agility: Granular role based access control with user activity logging supports managing multi-tenant/use

New ACE30 Module shipping (throughput figures shown: 4–16 Gbps and 0.5-4 Gbps)

Page 24: Training ACE

ACE Product Portfolio: Complete Application Delivery Solution

Application Networking Manager (Management & Provisioning): ANM VMWare Plug-In; ANM Mobility Application

Application Delivery Controllers:
• ACE Module: ACE30, 4–16 Gbps; multi-module scaling to 64 Gbps
• ACE Appliance: ACE 4710, 0.5-4 Gbps
• System Bundles: ACE30 System Bundles

Global Load Balancers: GSS Appliance; ACE GSS, 20K DNS RPS

Flagged as new on the slide: new software (three items) and a new 16G bundle.

Page 25: Training ACE

Recent Product Releases: Software and Management Receive Major Updates

ACE Software A4.2.1 / A5.1.0 delivers:
• Dynamic Workload Scaling
• Dual stack IPv4/v6
• SLB64 Gateway
• HTTP/S support for IPv6
• IPv6 certification
• OCSP support

GSS Software v4.1 delivers:
• Geo-location based GSLB
• AAAA record support
• IDN support
• IPv6 support
• DNSSEC ready

Application Networking Manager (ANM) v4/v5 delivers:
• Application Templates
• ANM Mobile App
• ACE 5.1 IPv6 support
• Web Services API
• DWS support
• vCenter integration
• Virtual ANM

Page 26: Training ACE

ACE30 Performance: Increased Performance, Capacity and Features

Testing Metric          ACE20          ACE30      Compare
L4 CPS                  325,000        500,000    54%
SSL TPS                 15,000         30,000     100%
SSL Bulk Throughput     3.3 Gbps       6 Gbps     82%
Compression             Not Available  6 Gbps     + 6 Gbps

ACE30 Only – Not Available on ACE20:
• Higher performance
• Compression
• IPv6 dual stack with translation
• Nexus OTV integration with Dynamic Workload Scaling
• ACE10 and 20 EOS For February 2012 – All Roadmap Now On ACE30

Page 27: Training ACE

New Capabilities

Page 28: Training ACE


ACE30 Module – Compression: Accelerating Web Traffic; Improving User Experience

Challenge: Large amounts of client traffic sent over low speed links result in slow performance and poor user experience.

Problem: Big Page + Small Pipe (Remote User on Shared DSL, Roaming User on 56k Dial-up, Branch Office on 128k Leased line)

ACE Solution: Small compressed page, small Pipe (HTTP Compression)

Compression Overview:
• Reduces the amount of HTTP traffic that is sent between client and server
• ACE30 is utilized at the host site to compress/decompress traffic
• Clients leverage compression technology in existing Web browsers

Benefits:
• Up to 90% reduction in size of web objects
• Improves application response time
• Reduces bandwidth costs

Page 29: Training ACE

Inband Health Checking: Limiting Server Outage Impact

Challenge: Slow detection of server outages results in lost transactions and delayed time to recovery.

Diagram: Internet, Client, ACE, Servers (one server responding slowly); ACE Monitors client connection setups.

Inband Health Check Overview:
• ACE proactively monitors TCP and UDP data to detect server failures.
• Should be combined with probes to meet server failure detection SLAs
• Internal tracking method to ACE; does not solicit information from servers

Benefits:
• Detection moves from seconds with probes to milliseconds
• Unlike probes, monitoring has no impact on server performance
• Improves the recovery time for server outages

Page 30: Training ACE

ACE Enabled To Deliver IPv6-based Application Services

• All IPv4 Modes are supported in IPv6 (One-arm, Routed, Bridged, ASR)

• IPv6 -> IPv4 and IPv4 -> IPv6 translation modes

• Solution delivery includes IPv6 on the ACE Module, Appliance, ANM, and Global Site Selector

Compliance: USGv6, IPv6 Ph2 Logo

IPv6 Overview diagram (New): IPv4 Clients and IPv6 Clients reach an IPv4 Server Farm and an IPv6 Server Farm through ACE (One Arm, Routed, Bridged) in four modes: IPv4-to-IPv4, IPv6-to-IPv6, IPv6-to-IPv4, IPv4-to-IPv6.

Page 31: Training ACE

IPv6 Support on ACE

• Dual Stack
  IPv4-to-IPv4 and IPv6-to-IPv6
  HTTP and DNS inspection for native IPv6-IPv6 traffic

• Translation
  SLB64, SLB46 for all the Layer 4 load balancing, which do not need payload modifications or pinholing
  SLB64 and SLB46 support L7 load balancing for HTTP and SSL protocols.
  NAT64, NAT46 for all TCP, UDP protocols, which do not need payload modifications or pinholing
  No DNS64 or DNS46 support on ACE

• Mixed v4 & v6 rserver support
• Duplicate Address Discovery
• Neighbor Discovery
• ICMPv6
• IPV6 Ph2 Logo Certification
• Application Awareness: HTTP, HTTPS and DNS

Page 32: Training ACE

New Capabilities: ACE Management with ANM

“Linked Operations Continuity in the Virtualized Datacenter”

Page 33: Training ACE

Introducing ANM 5

Now featuring enhanced Template, DWS / OTV provisioning

Page 34: Training ACE

ANM 5.x Highlights

• New for Version 5

• Application Templates
  Simple application deployment
  User Export and Modify

• IPV6 Support
  ACE Module
  ACE Appliance
  ACE Global Site Selector

• ANM Mobile for Mobile Devices
  Native iPhone and Android
  Mobile Browser

• API support for App deployment from templates
  Full Provisioning via API

• RBAC for Network and Application sections of template

Page 35: Training ACE

ANM Visualization: Visualizes Complete Application Path (GSS, ACE, VM)

Page 36: Training ACE

Hardware

Page 37: Training ACE


Application Control Engine

Parallel network-processor based hardware with separate control and data-path CPUs

Page 38: Training ACE

ACE—Hardware Architecture

Block diagram labels: Switch Fabric Interface (16G) and Sup Connect (100M); Daughter Card 1 and Daughter Card 2 (8G each); SSL Crypto (10G); NP1 and NP2 (10G each); Control Plane running ACSW OS (2G); CDE Switch (60Gbps).

Page 39: Training ACE

ACE – Detailed Hardware Architecture

Block diagram labels:
• Control Plane Software on a CPU with 2x 700MHz MIPS and 1 GB Memory, running ACSW OS
• Supervisor Connection: DBUS, RBUS, EOBC; 16 Gbps Bus; Cisco ASIC; 100 Mbps
• Crypto chip: SSL, IPSec Crypto; 8 Gbps links
• Network Processor 1 and Network Processor 2, each with Micro Engines and CPU and DRAM 1.5 GB; 10 Gbps links; 4 FIFO Interlinks
• Parallel NP’s handle Data Processing: 16 ME (1.4 GHz), XScale 700MHz, 1.5 GB RDRAM, 32MB SRAM, 20B ops/s
• Classification Distribution Engine: 60Gbps switching Capacity, IPv4, IPv6 Classifications, TCP Checksum Generation/Verification, Variable Load Distribution
• Daughter Card Expansion Slot 1 and Slot 2 (Field upgradeable)
• CEF720 Linecard, 20 Gbps to the Switch Fabric
• Other figures on the diagram: 40K RSA ops, 1 Gbps, 10 Gbps, 16 Gbps

Page 40: Training ACE

Modular Policy CLI

Page 41: Training ACE


Modular Policy CLI (MPC) in ACE

• ACE CLI is based on C3PL (Cisco Common Class-based Policy Language)

• Provides a common CLI framework across security implementations in order to define consistent CLI across platforms

• The CLI aims at seamless integration in terms of configuring SLB, SSL and Security features

• No need to session in or enter a sub-mode of configuration for the different features

• Traffic classification is the core functionality for all delivery and security features

Page 42: Training ACE

Features configurable via Policy CLI

• Features that can be configured via Policy CLI can be grouped as follows:

• “through” the box traffic
  Security access-lists
  Server Load Balancing
  Protocol Fix-ups & Application Inspection
  NAT
  TCP & IP Normalization

• “to” the box (mgmt / control-plane)
  Restrict access to protocol and/or hosts

Page 43: Training ACE

Policy CLI Overview

1. Define match criteria

2. Associate actions to match criteria

3. Activate the classification-action rules on either an interface or “globally”

class-map C1
  match <criteria>

policy-map P1
  class C1
    <action>

interface vlanX
  service-policy input P1

Page 44: Training ACE

Management Traffic “to” ACE

Diagram: a Management Class-map (Match allowed connections for remote access) is referenced by a Management Policy-map, which is applied as an Interface Service-Policy (Apply to any Interface).

Page 45: Training ACE

Client Traffic “through” ACE at Layer 7

Diagram: a Traffic Class-map (Match VIP connections; Only allow Traffic Destined to a VIP) is referenced by a Multi-Match Policy-map, applied as an Interface Service-Policy (Apply to any Interface). The Multi-Match Policy-map invokes a Load Balancing Policy Map with a Class for URL1 and a Class for URL2 (e.g. GET /example.html), each pointing to a Serverfarm with its Real servers, and a Default Class pointing to a Serverfarm with Real1 and Real2.

Page 46: Training ACE

Virtualization

Page 47: Training ACE


Models of “Virtualization”

• Abstraction: Physical elements are represented by an abstract entity
  HSRP, VRRP
  VIP, NAT

• Pooling: Multiple physical entities appear and are treated as one
  Link-bundling (EtherChannel®)
  TCP connection pooling

• Partitioning: Single physical entity partitioned as multiple distinct entities
  VLANs (data-path only)
  VRFs (data-path only)
  FWSM virtual contexts (both data- and control-path)

Page 48: Training ACE

Service Virtualization – System Separation

Traditional device (one physical device, 100%):
• Single configuration file
• Single routing table
• Limited RBAC
• Limited resource allocation

Cisco Application Services Virtualization (one physical device, multiple virtual systems with dedicated control and data path, e.g. 25% / 25% / 20% / 15% / 15%):
• Distinct configuration files
• Separate routing tables
• RBAC with Contexts, Roles, Domains
• Management and data resource control
• Independent application rule sets
• Global administration and monitoring

Page 49: Training ACE

Service Virtualization – Resource Control

Per context Control:
• Guaranteed resource levels for each context
• Support for over-subscription

Guaranteed Rates: Bandwidth, Data connections / sec, Management connections / sec, Ssl-bandwidth, Syslogs / sec

Guaranteed Memory: Access Lists, Regular Expressions, Data connections, Management connections, SSL connections, Xlates, Sticky entries

Page 50: Training ACE

ACE Virtual Partitioning Deployments

1. Isolate departments or customers
  Provide direct configuration access
  Reduce exposure to critical config components
  Provide consistent access across GUI, API, CLI
  Dedicated resources

2. Isolate applications
  Guarantee resources to critical applications
  Isolate from impact of other app roll outs
  Central config file for managing policy change
  Reduced complexity of security/application rules
  Possibility to have a parallel test environment with no impact to production

Page 51: Training ACE

ACE in Action: Applications over Multiple Load Balancers

Diagram: Enterprise with Growing Number of Applications; Enterprise Network with separate load balancers (LB, LB 1, LB 2) in front of App A, App B, App C and App D.

Page 52: Training ACE

ACE in Action: Applications over Multiple Load Balancers

Diagram: Enterprise with Growing Number of Applications; Enterprise Network with two ACE devices, one carrying Virtual Partitions 1–4 and the other Virtual Partitions 1–2, serving App A through App F.

Page 53: Training ACE

ACE Virtual Partitioning and App Security in Action: Multi-tier Applications

Diagram, before: Enterprise Network, Firewalls, then separate load balancers in front of Front-end servers, Application servers and DataBase servers.

Diagram, after: Enterprise Network, Front-end Firewalls, then ACE with Application Infrastructure Control and Application Security, using an FE virtual partition, an APP virtual partition and a DB virtual partition for the Front-end servers, Application servers and DataBase servers.

Page 54: Training ACE

Virtualization in Action: Data-Center Consolidation

Diagram: two N-Tier Applications (Front End Network, Web Servers, App Servers, DB Servers) consolidated onto a Single ACE Module with Multiple Contexts C1–C6.

Page 55: Training ACE

Role-Based Access Control

Page 56: Training ACE


Role Based Access Control (RBAC)

• Fully integrated Role Based Access Control

• Four main levels of actions over categories of commands

1. Create

2. Modify

3. Debug

4. Monitor

• Roles are defined by specifying which actions can be performed on the sets of commands

• Pre-defined roles

• New roles can be created to adapt to different organization structures

Page 57: Training ACE

Default Roles in the System

• Admin: Access to all functions in the context/device.

• SLB-Admin: Serverfarm, Servers, Health Monitoring

• Security-Admin: Access Control, Inspection, AAA, NAT

• Server-Maintenance: Servers in/out of rotation, debug of SLB functions

• Server-Application-Maintenance: Servers, Health Monitoring, Load Balancing Rules

• Network-Admin: Interfaces, Routing, NAT, TCP

• Network-Monitor: Access to all show commands only

Page 58: Training ACE

Domains

• Control over user access to instances of objects

• Flexible multi-user maintenance operations

Diagram: Context 1 contains VIP1–VIP4 and real servers R1–R6, split into Domain A and Domain B.

Page 59: Training ACE

Contexts, Roles, Domains

Diagram: the Admin Context on the Physical module holds the Context A definition, Context B definition, Resource allocation and Admin management config. Context A holds VIP1, VIP 2, Farm1 and Farm2; Context B holds VIP3, Farm3, Farm4 and SSL cert1,2, split into Domain1 and Domain2. A Management station authenticates via AAA and is assigned a Role: Admin, Network/Security, Server Admin or Monitor.

Page 60: Training ACE

Security Features

Page 61: Training ACE


Security Features in ACE

• TCP/IP normalization
  – Built-in Transport Protocol Security
  – User Configurable, to meet Security Requirements

• Application Protocol Inspection

• Advanced HTTP Inspection
  – RFC Compliance
  – MIME Type Validation
  – Prevent Tunneling Protocols over HTTP Ports

Page 62: Training ACE

IP Normalization Address Checking

• Always enabled

• Entirely performed in hardware

• Following packets are dropped

1. src IP == dest IP

2. src IP or dest IP == 127.x.x.x

3. dest IP >= 240.0.0.0

4. src IP == 0.x.x.x

5. src IP >= 224.0.0.0

• src IP == 0.0.0.0 and dest IP == 255.255.255.255 allowed for DHCP requests

Page 63: Training ACE


Hardware-Based TCP Normalization

TCP Standard Header Checks

Always performed:
I. src port and dest port != 0
II. Only SYN packet allowed to create connection
III. TCP header >= 20 bytes
IV. TCP header <= ip->length – ip->header_length
V. urg flag cleared if urg_pointer is zero
VI. If urg flag not present, urg_pointer is cleared
VII. Illegal flag combinations dropped (SYN|RST etc.)

Configurable:
I. reserved bits allow/clear/drop
II. urg flag allow/clear/drop
III. syn-data allow/drop
IV. exceed-mss allow/drop
V. random-seq-num-disable

User configurable:
• Random Sequence Numbers
• TCP option processing
• TCP state tracking
• TCP window checking
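The IP address rules on the previous slide and the TCP header checks above, re-implemented as an added Python model (constructed for this page, not ACE code): the always-performed checks drop or rewrite the header in the order listed, and the configurable knobs are modelled as a NormConfig whose defaults are placeholders chosen for the example, not ACE's shipping defaults.

```python
"""Constructed Python model of the ACE IP address checks and TCP header checks
listed on the two slides above (illustration only, not ACE code)."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

LOOPBACK = IPv4Network("127.0.0.0/8")    # rule 2: src or dest == 127.x.x.x
ZERO_NET = IPv4Network("0.0.0.0/8")      # rule 4: src == 0.x.x.x
CLASS_E = IPv4Address("240.0.0.0")       # rule 3: dest >= 240.0.0.0
MULTICAST = IPv4Address("224.0.0.0")     # rule 5: src >= 224.0.0.0


def ip_address_check(src: str, dst: str) -> tuple:
    """Always-on IP address checks: returns ('allow'|'drop', reason)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    # The DHCP exception wins over rules 3 and 4, which it would otherwise trip.
    if s == IPv4Address("0.0.0.0") and d == IPv4Address("255.255.255.255"):
        return "allow", "dhcp-request"
    if s == d:                                  # rule 1
        return "drop", "src == dst"
    if s in LOOPBACK or d in LOOPBACK:          # rule 2
        return "drop", "loopback address"
    if d >= CLASS_E:                            # rule 3
        return "drop", "dst >= 240.0.0.0"
    if s in ZERO_NET:                           # rule 4
        return "drop", "src in 0.0.0.0/8"
    if s >= MULTICAST:                          # rule 5
        return "drop", "src >= 224.0.0.0"
    return "allow", "ok"


FIN, SYN, RST, ACK, URG = 0x01, 0x02, 0x04, 0x10, 0x20


@dataclass(frozen=True)
class TcpHeader:
    src_port: int
    dst_port: int
    hdr_len: int            # data offset, in bytes
    flags: int
    urg_pointer: int = 0
    reserved_bits: int = 0  # value of the reserved field, 0 when clean
    payload_len: int = 0


@dataclass(frozen=True)
class NormConfig:
    """The configurable knobs from the slide. These defaults are placeholders
    chosen for the example, not ACE shipping defaults."""
    reserved_bits: str = "clear"   # allow | clear | drop
    urg_flag: str = "allow"        # allow | clear | drop
    syn_data: str = "drop"         # allow | drop


def tcp_normalize(h: TcpHeader, ip_len: int, ip_hdr_len: int,
                  new_conn: bool, cfg: NormConfig = None) -> tuple:
    """Apply the always-performed checks I-VII, then the configurable ones.
    Returns (verdict, header as forwarded, reason); 'clear' actions rewrite
    the header instead of dropping the packet."""
    cfg = cfg or NormConfig()
    if h.src_port == 0 or h.dst_port == 0:                      # I
        return "drop", h, "port 0"
    if new_conn and not (h.flags & SYN):                        # II
        return "drop", h, "non-SYN cannot create connection"
    if h.hdr_len < 20:                                          # III
        return "drop", h, "tcp header < 20 bytes"
    if h.hdr_len > ip_len - ip_hdr_len:                         # IV
        return "drop", h, "tcp header exceeds ip payload"
    # VII: the slide names SYN|RST "etc."; SYN|FIN and an all-zero flag
    # byte are included here as an assumption.
    if ((h.flags & (SYN | RST)) == (SYN | RST)
            or (h.flags & (SYN | FIN)) == (SYN | FIN) or h.flags == 0):
        return "drop", h, "illegal flag combination"
    if (h.flags & URG) and h.urg_pointer == 0:                  # V
        h = replace(h, flags=h.flags & ~URG)
    if not (h.flags & URG) and h.urg_pointer != 0:              # VI
        h = replace(h, urg_pointer=0)
    # Configurable checks
    if h.reserved_bits:
        if cfg.reserved_bits == "drop":
            return "drop", h, "reserved bits set"
        if cfg.reserved_bits == "clear":
            h = replace(h, reserved_bits=0)
    if h.flags & URG:
        if cfg.urg_flag == "drop":
            return "drop", h, "urg flag set"
        if cfg.urg_flag == "clear":
            h = replace(h, flags=h.flags & ~URG, urg_pointer=0)
    if (h.flags & SYN) and h.payload_len and cfg.syn_data == "drop":
        return "drop", h, "data on SYN"
    return "allow", h, "ok"
```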

Page 64: Training ACE


Inspection in ACE

Protocol-Specific Inspection Supported for:
• FTP
• Strict FTP
• RTSP
• ICMP
• DNS
• HTTP/S

The diagram marks each inspection as Performed on NP CPU or Performed on NP Micro Engines.

Page 65: Training ACE

Redundancy

Page 66: Training ACE


Redundancy Model

• Redundancy groups (Fault Tolerance, FT groups) are configured based on virtual contexts.

• Two instances of the same context (on two distinct ACE modules) form a redundancy group, one being active and the other standby.

• The peer ACE can be in the same or different Catalyst 6k chassis.

• Both ACE modules can be active at the same time, processing traffic for distinct contexts, and backing-up each other (stateful redundancy)

Example: 2 ACE modules, 4 FT groups, 4 Virtual Contexts (A, B, C, D). ACE-1 and ACE-2 are joined by the FT VLAN; FT group 1 has A Active / A’ Standby, FT group 2 has B Active / B’ Standby, FT group 3 has C Active / C’ Standby, FT group 4 has D Active / D’ Standby.

Page 67: Training ACE

Fault Tolerant VLANs

• There is a designated VLAN (FT VLAN) between the ACE pairs

• All Redundancy related traffic is sent over this VLAN

1. TRP protocol packets

2. Heart Beats

3. Configuration sync packets

4. State replication packets

Page 68: Training ACE

Types of Configuration Sync

• Bulk Sync
  – The entire configuration gets transferred in bulk from Active to Standby
  – HA is in Active/Standby_config state during Bulk Sync

• Incremental Sync
  – A line-by-line sync of configuration as it is being configured on active
  – HA is in Active/Standby_hot state during Incremental Sync

Page 69: Training ACE

Failover Tracking

• HSRP – The Supervisor notifies ACE of all state changes for the HSRP group

• Interface – Supervisor sends UP and DOWN events to ACE

• Host – Multiple Probes may be configured with a priority. The individual probe priorities provide granular control of ACE failover

Page 70: Training ACE

Deployments

Page 71: Training ACE


Typical Data Center Design with ACE

Diagram: Enterprise Campus Core; Aggregation with L4-7 Services (ACE); L2 or L3 Access; Web / Front-end Servers, Application Servers, Data-Base servers and Mainframe.

Page 72: Training ACE

ACE Deployed in Router Mode

• Client VLAN and server VLANs on different IP subnets

• Servers’ default gateway is ACE alias IP

• All data VLANs and FT VLAN carried over port-channels

• Each Cisco Catalyst has redundant physical links to each access switch

• Serverfarms can span multiple access switches

• Management access to servers requires access-list

Diagram: two Catalyst chassis (MSFC each), Data Port-Channel and FT Control Port-Channel.

Page 73: Training ACE

ACE Deployed in Bridge Mode

• Pairs of one client and one server VLAN on the same subnet (BVI used to “merge” the two VLANs)

• Limit of two VLANs in the same subnet

• Servers’ default gateway is MSFC (or other router) HSRP virtual address

• All data VLANs and FT VLAN carried over port-channels

• Each Cisco Catalyst has redundant physical links to each access switch

• Serverfarms can span multiple access switches

• Management access to servers requires access-list

Diagram: two Catalyst chassis (MSFC each), Data Port-Channel and FT Control Port-Channel.

Page 74: Training ACE

ACE Deployed in One-Arm Mode

• Single VLAN on ACE

• Servers’ default gateway is MSFC HSRP IP

• All data VLANs and FT VLAN carried over port-channels

• Each Cisco Catalyst has redundant physical links to each access switch

• Serverfarms can span multiple access switches

• Management access to servers bypasses ACE

Diagram: two Catalyst chassis (MSFC each), Data Port-Channel and FT Control Port-Channel.

Page 75: Training ACE

ACE Virtual Contexts Mapped to VRFs

• Virtual Contexts can be mapped to VRFs on the MSFC

• Or directly to external routers

• VRF-aware Route Health Injection (add/remove routes to/from MSFC main routing table as well as VRF routing tables)

Diagram: Context A, Context B and Context C mapped to VRF A and VRF B.

Page 76: Training ACE

Further Assistance

Cisco ACE Family Webpage: www.cisco.com/go/ace/

Cisco ACE Applications: http://www.cisco.com/go/optimizemyapp

Cisco Validated Designs: http://www.cisco.com/go/cvd

Cisco Design Zone: http://www.cisco.com/go/srnd

Doc Wiki: http://docwiki.cisco.com/wiki/ACE

PDI Helpdesk: www.cisco.com/go/pdihelpdesk

Page 77: Training ACE

Further Assistance (Internal only)

PDI Helpdesk: www.cisco.com/go/pdihelpdesk/

DCAS KB: dcaskb/

DCAS CEC Page: wwwin.cisco.com/dss/adbu/dcas/

DCAS Cisco.com Page: www.cisco.com/go/ace/

[email protected]

Page 78: Training ACE

Thank you.

Page 79: Training ACE


Backup Slides

Page 80: Training ACE

ACE30 Detailed Hardware Architecture

Block diagram labels:
• Control Plane Software on a CPU with 2x 700MHz MIPS and 1 GB Memory, running ACSW OS
• Supervisor Connection: DBUS, RBUS, EOBC; 16 Gbps Bus; Cisco ASIC; 100 Mbps, 8 Gbps and 1 Gbps links
• Classification Distribution Engine (CDE): 60Gbps switching Capacity, IPv4, IPv6 Classifications, TCP Checksum Generation/Verification, Variable Load Distribution
• Daughter Card 1: Network Processor 1 and Network Processor 2, Verni FPGA, DRAM 4 GB each, shared memory
• Daughter Card 2: Network Processor 3 and Network Processor 4, Verni FPGA, DRAM 4 GB each, shared memory
• Network processors: Cavium Octeon CN5860 (OcteonPlus), 16 core, 600 MHz CPUs with 4G DRAM, 32k iCache, 16k dCache, 2MB L2 cache; on chip support for Encryption/Decryption; Coprocessors for Compression/Decompression
• CEF720 Line Card, 20 Gbps to the Switch Fabric; 16 Gbps

Page 81: Training ACE

ACE30 Simplified Hardware Architecture

Block diagram labels: Switch Fabric Interface (16G) and Sup Connect (100M); two Daughter Cards, each with NP1 and NP2 (8G); Control Plane running ACSW OS (1G); CDE Switch 60Gbps.

Page 82: Training ACE

Initial L7 Services Cluster Topology

Diagram: Clients, FED Cluster (Active/Standby) {Enhanced HA}, BED Cluster – Scaling L7 Services, Servers. L7 services can scale until L4 capacity is met.

Page 83: Training ACE

Modular Policy CLI: Detailed

Page 84: Training ACE

Class-maps

Class-maps are used to classify “interesting L3-4/7” trafficThey contain a set of match statements specifying match criteria

Class-maps are ‘typed’ based on the protocol and actions being performed for a given traffic classification.

Support both logical AND (match-all – default) and logical OR (match-any) semantics.

Notion of class-default: well-known class-map that matches any traffic if none of the user specified class-maps match in a policy-map.

Every match statement has a “line” numberEasy deletion/modification of a particular match statement

Page 85: Training ACE


Nested Class-maps

• A class-map can reference an existing class-map of the same type using the match class statement

• Supported only for L7 class-maps; up to 2 levels of association

• Used to build more complex logical expressions; AND and OR statements can be combined easily

class-map type http loadbalance match-any C1
  match http url "/news"
  match http url "/sport"

class-map type http loadbalance match-all C2
  match http header User-Agent header-value FireFox
  match class C1

Page 86: Training ACE


Policy-maps

• Policy-maps are ‘typed’ as per the action/feature

• Policy-maps exist for both L3-4 and L7 actions. The L7 policy-maps are child policies within an L3-L4 policy-map and cannot be applied on an interface themselves

• Support for various execution semantics as dictated by the specific feature

• If none of the classifications specified in a policy-map match, the default actions specified against "class-default" are executed

• Support for inline match statements for ease of use. These are allowed only for L7 match statements

• Support for flexible class-map ordering, within a policy-map

Page 87: Training ACE


ACE Policy CLI (specifying actions): Policy-map Format

[no] policy-map type <main-type> <sub-type> {first-match|all-match|multi-match} <policy-name>
  [no] class <cmap-name>
    action1
  [no] class class-default
    default-action

Example:

policy-map type loadbalance first-match SLB-POLICY
  class C1
    serverfarm SF1
  class C2
    serverfarm SF2
  class class-default
    serverfarm BACKUP

Page 88: Training ACE


Policy Execution Semantics

• first-match: the class-action pairs within the policy-map are looked up sequentially, and the actions listed against the first matching class-map in the policy-map are executed. The order of class-maps within the policy-map therefore matters. E.g. policy-maps of type 'loadbalance', 'management' and 'ftp'.

• all-match: traffic is matched against all classes in the policy-map, and the actions of every matching class are executed. E.g. policy-map of type inspect http.

• multi-match: the policy-map supports multiple feature actions; each feature by itself can have only one match (first match), but the policy as a whole has multiple matches because of the multiple features.

Page 89: Training ACE


Inline Match Statements

• Support for inline match statements for ease of use, especially when only a single match criterion has to be specified. Currently allowed only for L7 policy-maps.

• An 'action' can be specified against only a single match statement in the policy. To specify actions against more than one match statement, use a class-map.

class-map type http loadbalance match-any TEST
  match protocol http header User-Agent header-value *IE*
  match protocol http url *jpg*

policy-map type loadbalance first-match TESTPOLICY
  match M1 http url '/finance'    (inline match command)
    serverfarm farm1
  class TEST                      (pre-defined class-map)
    serverfarm farm2

Page 90: Training ACE


Activating policy

• Policies are activated on an interface or globally using the ‘service-policy’ command

syntax: service-policy [input | output] <policy-name>

• The policy-map can be enabled either on the ‘input’ or ‘output’ or both directions.

• Policy-maps applied globally in a context are internally applied on all interfaces existing in the context
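Putting the preceding slides together as one configuration (an added example, not from the deck): the nested L7 class-maps, the L7 first-match policy with class-default, the L4 multi-match policy that carries the L7 policy as a child action, and the service-policy that activates it. All names and addresses (S1-S3, SF1/SF2/BACKUP, C1/C2, VIP-80, SLB-POLICY, L4-POLICY, VLAN 100, the 10.1.x.x addresses) are assumed; lines beginning with "!" are comments.

```text
! Constructed ACE configuration (added example, not from the deck); names and addresses are assumed.
rserver host S1
  ip address 10.1.2.10
  inservice
rserver host S2
  ip address 10.1.2.20
  inservice
rserver host S3
  ip address 10.1.2.30
  inservice
serverfarm host SF1
  rserver S1
    inservice
serverfarm host SF2
  rserver S2
    inservice
serverfarm host BACKUP
  rserver S3
    inservice
! L7 class-maps: C1 is match-any (OR); C2 is match-all (AND) and nests C1 via "match class".
! The leading numbers are the line numbers ACE keeps for each match statement.
class-map type http loadbalance match-any C1
  2 match http url /news
  3 match http url /sport
class-map type http loadbalance match-all C2
  2 match http header User-Agent header-value FireFox
  3 match class C1
! L3/L4 class-map selecting the VIP
class-map match-all VIP-80
  2 match virtual-address 10.1.1.100 tcp eq www
! L7 policy is first-match, so order matters: the more specific C2 is listed before C1.
! With C1 first, a Firefox request for /news would always go to SF1 and C2 would never be reached.
policy-map type loadbalance first-match SLB-POLICY
  class C2
    serverfarm SF2
  class C1
    serverfarm SF1
  class class-default
    serverfarm BACKUP
! L4 multi-match policy; the L7 policy is a child action and is never applied to an interface itself
policy-map multi-match L4-POLICY
  class VIP-80
    loadbalance vip inservice
    loadbalance policy SLB-POLICY
! Activate the L4 policy on the client-facing interface (input direction)
interface vlan 100
  ip address 10.1.1.1 255.255.255.0
  service-policy input L4-POLICY
  no shutdown
```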

Page 91: Training ACE


Policy Lookup Order

• Many features can be applied on a given interface, so the feature lookup order is important

• The feature lookup order followed by the datapath in ACE is as follows:

1) Access-control (permit or deny a packet)

2) Management traffic

3) TCP normalization / connection parameters

4) Server load balancing

5) Fix-ups / application inspection

6) Source NAT

7) Destination NAT

• The policy lookup order is implicit, irrespective of the order in which the user configures policies on the interface