Ace virtualization configuration

CH A P T E R 2
Configuring Virtualization

Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise
noted.

This chapter describes how to create and configure virtualization for your ACE. As the global
administrator (SuperUser), you configure and manage all contexts through the Admin context, which
contains the basic settings for each virtual device or context. Each context that you configure contains
its own set of policies, interfaces, resources, and administrators.
This chapter contains the following sections:
• Information About Virtualization
• Guidelines and Restrictions
• Default Settings
• Configuring Virtualization
• Displaying Virtualization Configuration Information
• Displaying Resource Usage Statistics for Contexts
• Configuration Examples for Virtualization

Information About Virtualization
You can operate your Cisco ACE Application Control Engine in a single context or in multiple contexts.
Multiple contexts use virtualization to partition your ACE into multiple virtual devices or contexts. Each
context contains its own set of policies, interfaces, resources, and administrators.
This feature provides you with the tools to more closely and efficiently manage the system resources and
users of the ACE, and the services you provide to your customers.
For a detailed overview on virtualization, see Chapter 1, Overview.

Virtualization Guide, Cisco ACE Application Control Engine
OL-25332-01 2-1

Chapter 2 Configuring Virtualization
Guidelines and Restrictions

This section includes the guidelines and restrictions for virtualization:
• Licensing Requirements for Virtualization
• Throughput and Management Traffic Bandwidth Rate Guidelines
• Resource Minimum Value Guidelines
• Changing the Resource Allocation of a Resource Class Guidelines
• Managed System Resources Guidelines

Licensing Requirements for Virtualization
For the ACE module, by default the ACE module supports an Admin context and five user contexts that
allows you to use multiple contexts if you choose to configure them. To increase the number of user
contexts for the ACE module up to a maximum of 250, you must obtain a separate license from Cisco.
For the ACE appliance, the ACE appliance licensing supports an Admin context and a maximum of 20
user contexts that allows you to use multiple contexts if you choose to configure them.
For details about ACE licensing, see the Administration Guide, Cisco ACE Application Control Engine.

Throughput and Management Traffic Bandwidth Rate Guidelines
This section describes the guidelines and limitations associated with management of ACE
through-traffic and management-traffic bandwidth. Traffic bandwidth capabilities and bandwidth
management are different between the ACE module and the ACE appliance.
This section includes the following topics:
• ACE Module Throughput and Management Traffic Bandwidth Rate Guidelines
• ACE Appliance Throughput and Management Traffic Bandwidth Rate Guidelines

ACE Module Throughput and Management Traffic Bandwidth Rate Guidelines
The maximum bandwidth rate per context is determined by your bandwidth license. By default, the
entry-level ACE module has a 4-Gbps through-traffic bandwidth and a 1-Gbps management-traffic
bandwidth for a total maximum bandwidth of 5 Gbps. You can upgrade the ACE module with an optional
8-Gbps or 16-Gbps bundle license. With the 8-Gbps license, the ACE module has a 8-Gbps
through-traffic bandwidth and a 1-Gbps management-traffic bandwidth for a total maximum bandwidth
of 9 Gbps.
When you configure a minimum bandwidth value for a resource class in the ACE module by using the
limit-resource command (see the “Allocating Resources within a Resource Class” section), the ACE
module subtracts that configured value from the total bandwidth maximum value of all contexts in the
ACE module, regardless of the resource class with which they are associated. The total bandwidth rate
of a context consists of the following two components:
• throughput—Limits through-the-ACE module traffic. This is a derived value (you cannot configure
it directly) and it is equal to the bandwidth rate minus the mgmt-traffic rate for the 4-Gbps and
8-Gbps licenses. With a 16-Gbps license, this value is calculated slightly differently.

2-2 OL-25332-01


• management traffic—Limits management (to-the-ACE module) traffic in bytes per second. This
parameter is independent of the limit-resource all minimum command. To guarantee a minimum
amount of management traffic bandwidth, you must explicitly allocate a minimum percentage to
management traffic using the limit-resource rate mgmt-traffic minimum command. When you
allocate a minimum percentage of bandwidth to management traffic, the ACE module subtracts that
value from the maximum available management traffic bandwidth for all contexts in the ACE
module. By default, management traffic is guaranteed a minimum bandwidth rate of 0 and a
maximum bandwidth rate of 1 Gbps, regardless of which bandwidth license that you install in the
ACE module.
For details about how the ACE module manages bandwidth for throughput and management traffic rates,
see the examples of the show resource-usage command output that follow. For each bandwidth license,
there are examples for the default values, 25 percent minimum allocation to all resources, and both a 25
percent minimum allocation to all resources and a 10 percent minimum allocation to management traffic.
The output has been modified to show only the relevant fields. All values are in bytes per second; to
convert to bits per second, multiply each value by 8.

Example 2-1 ACE Module Default Show Resource Usage Command Output for 4-Gbps License

Allocation
Resource Min Max
bandwidth 0 625000000
throughput 0 500000000
mgmt-traffic rate 0 125000000

Example 2-2 ACE Module Show Resource Usage Command Output for 4-Gbps License with 25
Percent Minimum Allocation for All Resources (continued)

Allocation
Resource Min Max
bandwidth 125000000 625000000
throughput 125000000 500000000

Percent Minimum Allocation for All Resources and 10 Percent Minimum Allocation for
Management Traffic

Allocation
Resource Min Max
bandwidth 137500000 625000000
throughput 125000000 500000000

OL-25332-01 2-3



Allocation
Resource Min Max

Percent Minimum Allocation for All Resources

Allocation
Resource Min Max
bandwidth 250000000 1125000000
throughput 250000000 1000000000

Management Traffic

Allocation
Resource Min Max
bandwidth 262500000 1125000000
throughput 250000000 1000000000


Allocation
Resource Min Max


Allocation
Resource Min Max
bandwidth 500000000 2000000000
throughput 500000000 2000000000

2-4 OL-25332-01


Management Traffic

Allocation
Resource Min Max
bandwidth 512500000 2000000000
throughput 500000000 2000000000

ACE Appliance Throughput and Management Traffic Bandwidth Rate Guidelines
The maximum bandwidth rate per context is determined by your bandwidth license. By default, the
entry-level ACE appliance has a 1-Gbps through-traffic bandwidth and a 1-Gbps management-traffic
bandwidth for a total maximum bandwidth of 2 Gbps. With the 2-Gbps license, the ACE appliance has
a 2-Gbps through-traffic bandwidth and a 1-Gbps management-traffic bandwidth for a total maximum
bandwidth of 3 Gbps. You can upgrade the ACE appliance with either an optional 2-Gbps or 4-Gbps
bandwidth license (see the Administration Guide, Cisco ACE Application Control Engine).
When you configure a minimum bandwidth value for a resource class in the ACE appliance by using the
limit-resource command (see the “Allocating Resources within a Resource Class” section), the ACE
appliance subtracts that configured value from the total bandwidth maximum value of all contexts in the
ACE appliance, regardless of the resource class with which they are associated.
The total bandwidth rate of a context consists of the following two components:
• throughput—Limits through-the-ACE appliance traffic. This is a derived value (you cannot
configure it directly) and it is equal to the bandwidth rate minus the mgmt-traffic rate for the
1-Gbps, 2-Gbps, or 4-Gbps licenses.
• management traffic—Limits management (to-the-ACE appliance) traffic in bytes per second. This
parameter is independent of the limit-resource all minimum command. To guarantee a minimum
amount of management traffic bandwidth, you must explicitly allocate a minimum percentage to
management traffic using the limit-resource rate mgmt-traffic minimum command. When you
allocate a minimum percentage of bandwidth to management traffic, the ACE appliance subtracts
that value from the maximum available management traffic bandwidth for all contexts in the ACE
appliance. By default, management traffic is guaranteed a minimum bandwidth rate of 0 and a
maximum bandwidth rate of 1 Gbps, regardless of the bandwidth license that you install in the ACE
appliance.
For details about how the ACE appliance manages bandwidth for throughput and management traffic
rates, see the examples of the show resource-usage command output that follow. For each bandwidth
license, there are examples for the default values, 25 percent minimum allocation to all resources, and
both a 25 percent minimum allocation to all resources and a 10 percent minimum allocation to
management traffic. The output has been modified to show only the relevant fields. All values are in
bytes per second; to convert to bits per second, multiply each value by 8.

Example 2-10 ACE Appliance Default Show Resource Usage Command Output for 1-Gbps License

Allocation
Resource Min Max

OL-25332-01 2-5


Allocation
Resource Min Max

Example 2-11 ACE Appliance Show Resource Usage Command Output for 1-Gbps License with 25

Allocation
Resource Min Max
bandwidth 31250000 250000000
throughput 31250000 125000000

Management Traffic

Allocation
Resource Min Max
bandwidth 43750000 250000000
throughput 31250000 125000000


Allocation
Resource Min Max


Allocation
Resource Min Max
bandwidth 62500000 375000000
throughput 62500000 250000000

2-6 OL-25332-01


Management Traffic

Allocation
Resource Min Max
bandwidth 75000000 375000000
throughput 62500000 250000000


Allocation
Resource Min Max


Allocation
Resource Min Max
bandwidth 93750000 500000000
throughput 93750000 375000000

Management Traffic

Allocation
Resource Min Max
bandwidth 106250000 500000000
throughput 93750000 375000000
mgmt-traffic rate 1250000o 125000000

Resource Minimum Value Guidelines
When you configure a minimum value for a resource in a particular resource class in the ACE by using
the limit-resource command (see the “Allocating Resources within a Resource Class” section), the ACE
assigns the minimum resources only to the contexts that are members of the resource class. For all
contexts, the ACE subtracts that configured minimum value from the maximum value of that resource,

OL-25332-01 2-7


regardless of the resource class with which the contexts are associated. If the resource class has more
than one context associated with it, the minimum value that the ACE subtracts from the maximum value
is multiplied by the number of contexts in the resource class.
This section provides the following examples:
• ACE Module Minimum Bandwidth Rate Allocation Example
• ACE Appliance Minimum Bandwidth Rate Allocation Example

ACE Module Minimum Bandwidth Rate Allocation Example
This is an example of allocating a minimum bandwidth rate with an ACE module 4-Gbps bandwidth
license. If there are two contexts associated with the resource class and you configure a 25 percent
minimum allocation for the bandwidth rate for the class, each context in the resource class would have
the values that are shown in Example 2-19 for the show resource usage command output for the
bandwidth rate and throughput rate.

Example 2-19 ACE Module show resource usage Command Output for 4-Gbps License with
25 Percent Minimum Allocation for Bandwidth

Allocation
Resource Min Max
bandwidth 125000000 375000000
throughput 125000000 250000000

All other contexts in the ACE module would have the same maximum values as shown in Example 2-19,
but would have zero minimum values. Compare the values in Example 2-19 with the values in
Example 2-2, which represents one context in a resource class.

ACE Appliance Minimum Bandwidth Rate Allocation Example
This is an example of allocating a minimum bandwidth rate with an ACE appliance 2-Gbps bandwidth
license, if there are two contexts associated with the resource class and you configure a 25 percent
minimum allocation for the bandwidth rate for the class, each context in the resource class would have
the values that are shown in Example 2-20 for the show resource usage command output for the
bandwidth rate and throughput rate.

Example 2-20 ACE Appliance show resource usage Command Output for 2-Gbps License with
25 Percent Minimum Allocation for Bandwidth

Allocation
Resource Min Max
bandwidth 62500000 312500000
throughput 62500000 187500000

2-8 OL-25332-01


All other contexts in the ACE appliance would have the same maximum values as shown in
Example 2-20, but would have zero minimum values. Compare the values in Example 2-20 with the
values in Example 2-14, which represents one context in a resource class.

Changing the Resource Allocation of a Resource Class Guidelines
If you (as the global Admin) need to change the resource allocation in a resource class of which two or
more user contexts are members, you may do so at any time by entering the appropriate CLI commands.
For details about allocating resources, see the “Allocating Resources within a Resource Class” section.
However, the shift in resources between the contexts does not take place immediately unless the
appropriate resources are available to accommodate the change. In most cases, to effect a change in
resource allocation, you must inform the context administrators involved to ensure that the new resource
allocation is possible.
For example, suppose that context A is using 100 percent of the available resources of the class and you
want to allocate 50 percent of the resources to context A and 50 percent of the resources to context B.
Although the CLI accepts your resource allocation commands, context B cannot allocate 50 percent of
the resources until context A deallocates 50 percent of its resources. In this case, you must perform the
following:
• Inform the Context A administrator to start deallocating resources
• Inform the Context B administrator to start allocating resources after the Context A administrator
releases the resources
As resources are released from other contexts, the ACE assigns the resources to resource-starved
contexts (contexts where the resource-class minimum allocations have not been met).

Reserving Admin Context Resources
When you are configuring resource allocations for the ACE, it is possible to allocate 100 percent of the
resources to non-Admin contexts. Such resource allocation starves the Admin context of resources so
that it is no longer reachable with ICMP, Telnet, SNMP, or SSH, and can cause other issues as well.
To prevent Admin context resource starvation, the ACE reserves minimum resources for Admin context.
The following Admin context reserved resources are displayed in the output of the show resource usage
command:
Concurrent connections : 100 conns
Management Connections : 100 conns
Throughput Rate : 10 Mbps
Management Traffic rate: 10 Mbps
Connection Rate : 100 conns/sec
The ACE generates the following syslog to warn you when any resource allocation configuration results
in less than the guaranteed allocation to the admin context:
%ACE-4-504004:Admin context is not guaranteed of one or more resources. Admin context
might get starved of these resources, leading to denial of some of the services.

OL-25332-01 2-9


Managed System Resources Guidelines
You can limit these resources per context or for all contexts associated with the resource class by using
the limit-resource command. See the “Allocating Resources within a Resource Class” section.
• ACE Module Managed System Resources Guidelines
• ACE Appliance Managed System Resources Guidelines

ACE Module Managed System Resources Guidelines
Table 2-1 lists the managed system resources of the ACE module.

Table 2-1 ACE Module System Resource Maximum Values

Resource Maximum Value
ACL Memory 78,610,432 bytes.
Buffer Memory (Syslog) 4,000,000 bytes.
Concurrent Connections (Layer 4) 4,000,000 connections. The output of the show resource usage command displays the
maximum number of connection objects (one inbound and one outbound per connection),
which equals a maximum of 8,000,000 connection objects.
Concurrent Connections (SSL) 250,000 connections.
HTTP Compression 1 gigabit per second (Gbps) with the base license.
6 Gbps with the purchase of any optional bundle license. For information about licenses,
see the Administration Guide, Cisco ACE Application Control Engine.
Management Connections 100,000 connections.
Proxy Connections (Layer 7) 1,048,572 connections.
SSL Proxy Connections 250,000 connections.
Rate
Bandwidth 4 gigabits per second (Gbps).
You can upgrade the ACE maximum bandwidth to 8 Gbps or 16 Gbps by purchasing an
optional bundle license from Cisco Systems. For more information, see the
Administration Guide, Cisco ACE Application Control Engine.
Connections 600,000 Layer 4 connections per second (cps). This rate is the absolute maximum for an
ACE30 ACE module with an unequal Layer 4 traffic distribution across four NPs.
200,000 Layer 7 cps.
MAC miss 2000 packets per second (pps).
Management Traffic 1 Gbps.
SSL transactions 1000 transactions per second (TPS) with the base license.
30,000 TPS with any optional bundle license. For information about licenses, see the
Administration Guide, Cisco ACE Application Control Engine.
Syslog For traffic going to the ACE module (control plane), 5000 messages per second.
For traffic going through the ACE module (data plane), 350,000 messages per second.

2-10 OL-25332-01


Table 2-1 ACE Module System Resource Maximum Values (continued)

IPCP traffic from the DP to 5000 pps.
the CP
Regular Expression Memory 1,048,576 bytes.
Sticky Entries 4,194,304 entries.
Xlates (network and port address 1,000,000 translations.
translation entries)

ACE Appliance Managed System Resources Guidelines
Table 2-2 lists the managed system resources of the ACE appliance.

Table 2-2 ACE Appliance System Resource Maximum Values

Application Acceleration Maximum of 105 concurrent connections, nonconfigurable. For details, see the
Connections Application Acceleration and Optimization Guide, Cisco ACE 4700 Series Application
Control Engine Appliance.
ACL Memory 48824320 bytes.
Buffer Memory (Syslog) 4194304 bytes.
Concurrent Connections 2,000,000 connections (Layer 4),
100,000 connections (SSL).
HTTP Compression 100 megabits per second (Mbps). You can upgrade the ACE appliance maximum HTTP
compression rate to 1 Gbps by purchasing a separate license from Cisco Systems. For
more information, see the Administration Guide, Cisco ACE Application Control Engine.
Management Connections 100,000 connections.
Proxy Connections (Layer 7) 256,000 connections.
Rate
Bandwidth 1 gigabits per second (Gbps). You can upgrade the ACE appliance maximum bandwidth
to 2 Gbps by purchasing a separate license from Cisco Systems. For more information,
see the Administration Guide, Cisco ACE Application Control Engine.
Connections (any kind) 100,000 Layer 4 connections per second (cps).
30,000 Layer 7 cps.
MAC miss 2000 packets per second.
Management traffic 1 Gbps.
SSL connections 1000 transactions per second (TPS). You can upgrade the SSL bandwidth to a maximum
of 7500 TPS with a separate license. For more information, see the Administration Guide,
Cisco ACE Application Control Engine.
syslog For traffic going to the ACE appliance (control plane), 3000 messages per second.
For traffic going through the ACE appliance (data plane), 100,000 messages per second.
Regular Expression Memory 1,048,576 bytes.

OL-25332-01 2-11

Default Settings

Table 2-2 ACE Appliance System Resource Maximum Values (continued)

Sticky Entries 819,200 table entries.
Xlates (network and port address 65,535 Xlates (network entries)
translation entries)
1,000,000 Xlates (port address translation entries).

Default Settings
Table 2-3 lists the default settings for the virtualization function.

Table 2-3 Default Virtualization Parameters

Parameters Default
Through-traffic The ACE default through-traffic bandwidth is as follows:
Bandwidth
• (ACE module only) The entry-level ACE has a 4-Gbps through-traffic bandwidth and a 1-Gbps
management-traffic bandwidth for a total maximum bandwidth of 5 Gbps. You can upgrade the
ACE with an optional 8-Gbps or 16-Gbps bandwidth license. With the 8-Gbps license, the ACE
has a 8-Gbps through-traffic bandwidth and a 1-Gbps management-traffic bandwidth for a total
maximum bandwidth of 9 Gbps.
• (ACE appliance only) The entry-level ACE has a 1-Gbps through-traffic bandwidth and a 1-Gbps
management-traffic bandwidth for a total maximum bandwidth of 2 Gbps. With the 2-Gbps
license, the ACE has a 2-Gbps through-traffic bandwidth and a 1-Gbps management-traffic
bandwidth for a total maximum bandwidth of 3 Gbps.
You can upgrade the ACE with either an optional 2-Gbps or 4-Gbps bandwidth license (see the
Administration Guide, Cisco ACE Application Control Engine).
Management-traffic Management traffic is guaranteed a minimum bandwidth rate of 0 and a maximum bandwidth rate of
Bandwidth 1 Gbps, regardless of the bandwidth license that you install in the ACE.
Resource Allocation Minimum: 0 percent.
Maximum: 100 percent.
User Default Role Network-Monitor.
Context Domain Default-domain.
User accounts The ACE default user accounts are as follows:
• (ACE module only) admin and www.
• (ACE appliance only) admin, dm, and www.
User Password Clear text.

• Task Flow for Configuring Virtualization
• Managing ACE Resources

2-12 OL-25332-01


• Configuring a Context
• Configuring User Roles
• Configuring Domains
• Configuring a User
• Logging Out a User
For additional information about the CLI command syntax described in this chapter, see the Command
Reference, Cisco ACE Application Control Engine.

Task Flow for Configuring Virtualization
Follows these steps to configure virtualization.

Step 1 Log in to the ACE as the global administrator using the console. By default, the console comes up with
a single context called Admin.
Step 2 Enter configuration mode.
host1/Admin# config
Enter configuration commands, one per line. End with CNTL/Z.
host1/Admin(config)#

Step 3 Configure a resource class to limit resources used by user contexts. For example, to limit the resources
of a context to 10 percent of the total resources available, enter the following commands:
host1/Admin(config)# resource-class RC1
host1/Admin(config-resource)# limit resource all minimum 10 maximum equal-to-min
host1/Admin(config-resource)# exit

Step 4 Create a new context.
host1/Admin(config)# context C1
host1/Admin(config-context)#

Step 5 Associate an existing VLAN with the context so that the context can receive traffic classified for it.
host1/Admin(config-context)# allocate-interface vlan 100

Step 6 Associate the context with the resource class that you created in Step 3.
host1/Admin(config-context)# member RC1

Step 7 Change to the C1 context that you created in Step 4 and enter configuration mode in that context.
host1/Admin(config-context)# do changeto C1
host1/C1(config-context)# exit
host1/C1(config)#

Step 8 (Optional) Create a domain for the context.
host1/C1(config)# domain D1
host1/C1(config-domain)#

Step 9 Allocate objects (for example, real servers, server farms, probes, ACLs, and so on) to the domain as
needed.
host1/C1(config-domain)# add-object rserver SERVER1

Step 10 (Optional) Create roles to define the object and resource permissions for different groups of users.

OL-25332-01 2-13


host1/C1(config)# role UR1

Step 11 Create rules to define the role permissions.
host1/C1(config-role)# rule 1 permit create feature real
host1/C1(config-role)# rule 2 deny create feature acl

Step 12 Configure users as required and associate roles and domains with the users.
host1/C1(config)# username user1 password 5 MYPASSWORD role UR1 domain D1

Step 13 Verify the virtualization configuration by entering one of the following commands:
host1/C1# show running-config context
host1/C1# show running-config domain
host1/C1# show running-config resource-class
host1/C1# show running-config role

Managing ACE Resources
You can allocate system resources to multiple contexts by creating and defining one or more resource
classes and then associating the contexts with a resource class.
The section contains the following topics:
• Creating a Resource Class for Resource Management
• Allocating Resources within a Resource Class

Creating a Resource Class for Resource Management
You can create a resource class to allocate and manage system resources by one or more contexts by
using the resource-class command in configuration mode.

This configuration topic includes the following guidelines and restrictions:
• The ACE supports a maximum of 100 resource classes.
• When you remove a resource class from the ACE, any contexts that were members of that resource
class automatically become members of the default resource class. The default resource class
allocates a minimum of 0.00 percent to a maximum of 100.00 percent of all ACE resources to each
context. You cannot modify the default resource class.

2-14 OL-25332-01


Detailed Steps

Command Purpose
Step 1 config Enters configuration mode.
Example:
host1/Admin# config
(config)#
Step 2 resource-class name Creates a resource class and accesses the resource configuration
mode.
Example:
host1/Admin(config)# resource-class RC1 For the name argument, enter an unquoted text string with no
host1/Admin(config-resource) spaces and a maximum of 64 alphanumeric characters.
Step 3 no resource-class name

Example: Caution The no resource-class command will remove all
host1/Admin(config)# no resource-class RC1 resources from any context to which the specified
resource class is assigned. Be sure that you want to do
this before you enter the command.

(Optional) Removes a resource class from the configuration and
removes all resources from any context to which the resource
class is assigned.
Step 4 do copy running-config startup-config (Optional) Copies the running configuration to the startup
configuration.
Example:
host1/Admin(config-resource)# do copy
running-config startup-config

Allocating Resources within a Resource Class
You can allocate all resources or individual resources to all member contexts of a resource class. For
example, you can allocate only concurrent connections or sticky table memory. You allocate system
resources to all members (contexts) of a resource class by using the limit-resource command in
resource-class configuration mode.

Prerequisites
When you plan the initial resource allocations for the virtual contexts in your configuration, allocate only
the minimum required or estimated resources. The ACE protects resources that are in use, so to decrease
a context's resources, those resources must be unused. Although it is possible to decrease the resource
allocations in real time, it may require additional management overhead to clear any used resources
before reducing them. Therefore, it is considered a best practice to initially keep as many resources in
reserve as possible and allocate the unused reserved resources as needed.

• To address scaling and capacity planning, we recommend that new ACE installations do not exceed
60 to 80 percent of the ACE's total capacity. To accomplish this goal, create a reserved resource class
with a guarantee of 20 to 40 percent of all the ACE resources. Configure a virtual context dedicated
solely to ensuring that these resources are reserved. Then, you can efficiently distribute such
reserved resources to contexts as capacity demands for handling client traffic increase over time.

OL-25332-01 2-15


• The limit that you set for individual resources when you use the limit-resource command overrides
the limit that you set for all resources when you use the limit-resource all command.
• If you lower the limits for one context (context A) in order to increase the limits of another context
(context B), you may experience a delay in the configuration change because the ACE will not lower
the limits of context A until the resources are no longer being used by the context.

2-16 OL-25332-01


Detailed Steps

Command Purpose
Step 1 limit-resource resources {minimum number} Specifies the system resource that you want to limit. The
{maximum {equal-to-min | unlimited} keywords, arguments, and options are as follows:
Example: • resources—Enter one of the following keywords for the
host1/Admin(config)# resource-class RC1 system resource:
host1/Admin(config-resource)#limit-resource
all minimum 20 maximum equal-to-min – (ACE appliance only) acc-connections— Limits the
number of application acceleration connections.
– acl-memory—Limits memory space allocated for
ACLs.
– all—Limits all resources to the specified value for all
contexts assigned to this resource class, except for
management traffic bandwidth.
– buffer syslog—Limits the number of syslog buffers.
– conc-connections—Limits the number of
simultaneous connections.
– http-comp—Limits the HTTP compression rate.
– mgmt-connections—Limits the number of
management (to-the-ACE) connections.
– proxy-connections—Limits the number of proxy
connections.
– regexp—Limits the amount of regular expression
memory.
– sticky—Limits the number of entries in the sticky
table.
– xlates—Limits the number of network and port
address translations entries.
• minimum number—Specifies the lowest acceptable value
for a resource. Enter an integer from 0.00 to 100.00 percent
(two-decimal places of granularity). The number argument
specifies a percentage value for all contexts that are
members of the resource class.
Note For configuration guidelines on the minimum
keyword, see the “Guidelines and Restrictions”
section.

• maximum {equal-to-min | unlimited}—Specifies the
maximum resource value: either the same values as the
minimum value or no limit.

OL-25332-01 2-17


Command Purpose
Step 2 limit-resource rate rates {minimum number} Limits the resource as a number per second for the specified
{maximum {equal-to-min | unlimited} connections or syslog messages.
Example: • rates—Enter one of the following keywords for the rate:
host1/Admin(config)# resource-class RC1 – bandwidth—Limits the total ACE throughput in bytes
host1/Admin(config-resource)#limit-resource per second for one or more contexts. The maximum
rate bandwidth minimum 20 maximum
equal-to-min
bandwidth rate per context is determined by your
bandwidth license (see the “Licensing Requirements
for Virtualization”section). When you configure a
minimum bandwidth value for a resource class in the
ACE, the ACE subtracts that configured value from
the total bandwidth maximum value of all contexts in
the ACE, regardless of the resource class with which
they are associated.

Note For configuration guidelines on bandwidth, see the
“Guidelines and Restrictions”section.
– connections—Limits the number of connections of
any kind per second.
– inspect conn—Limits the number of application
protocol inspection connections per second for
Domain Name System (DNS), File Transfer Protocol
(FTP), HTTP Deep Packet, Internet Control Message
Protocol (ICMP), Internet Locator Service (ILS),
Real-Time Streaming Protocol (RTSP)Skinny Client
Control Protocol (SCCP), and Session Initiation
Protocol (SIP).
– mac-miss—Limits the ACE traffic sent to the control
plane when the encapsulation is not correct in bytes
per second.
– mgmt-traffic—Limits management (to-the-ACE)
traffic in bytes per second.
– ssl-connections—Limits the number of SSL
connections per second.
– syslog—Limits the number of syslog messages per
second.
– (ACE module only) to-cp-ipcp—Limits the IPCP
traffic from the DP to the CP in packets per second.
This keyword prevents the overwhelming of the CP
under high syslog rate conditions (for example, level 7
messages).
• minimum number—Specifies the lowest acceptable value
for a resource. Enter an integer from 0.00 to 100.00 percent
(two-decimal places of granularity). The number argument
specifies a percentage of the ACE’s maximum vale per
second.
Note For configuration guidelines on the minimum
keyword, see the “Guidelines and Restrictions”
section.
• maximum {equal-to-min | unlimited}—Specifies the
maximum resource value: either the same values as the
minimum value or no limit.
2-18 OL-25332-01


Command Purpose
Step 3 no limit-resource resources | all (Optional) Restores resource allocation to the default values of
0 percent minimum and 100 percent maximum for a resource.
Example:
host1/Admin(config-resource)# no When you enter the no limit-resource all command, all ACE
limit-resource all contexts associated with the resource class are left without
resources that are not separately configured with a minimum
limit in the resource class. The CLI displays the following
message:
Warning: The context(s) associated with this
resource-class will be denied of all the resources
that are not explicitly configured with minimum limit
in this resource-class
Step 4 no limit-resource rate rates (Optional) Restores the resource rate limit to the default values
of 0 percent minimum and 100 percent maximum for a
Example:
host1/Admin(config-resource)# no
resource.
limit-resource rate bandwidth
configuration.
Example:
host1/Admin(config-resource)# do copy
Step 6 exit (Optional) Exits the resource configuration mode.
Example:
host1/Admin(config-resource)# exit

Configuring a Context
A context provides a user view into the ACE and determines the resources available to a user. This
section contains the following topics:
• Creating a Context
• Configuring a Context Description
• Configuring a VLAN for a Context
• Associating a Context with a Resource Class
• Moving Between Contexts

Creating a Context
A context provides a user view into the ACE and determines the resources available to a user. You create
a context by using the context command in configuration mode.

Note When you create a context, the ACE automatically creates a default domain (default-domain) for that
context. You can create a maximum of 63 additional domains in each context. For information about
configuring a domain, see the “Configuring Domains” section.

OL-25332-01 2-19


Detailed Steps

Command Purpose
Example:
host1/Admin# config
(config)#
Step 2 context name Creates a context and accesses the context configuration mode.
Example: For the name argument, enter a unique identifier of the context.
host1/Admin(config)# context C1 Enter an unquoted text string with no spaces and a maximum of
host1/Admin(config-context) 64 alphanumeric characters.
Do not configure a context name that contains opening braces,
closing braces, white spaces, or any of the following characters:
`!$%&*()|;'"<>/?
Do not start the context name with the following characters: - .
#~
Step 3 no context name (Optional) Removes a context from the configuration.
Example:
host1/Admin(config)# no context C1
configuration.
Example:
host1/Admin(config-context)# do copy

Configuring a Context Description
You enter a description for the context by using the description command in context configuration
mode.

Detailed Steps

Command Purpose
Step 1 description text Enters a description for a user context.
Example: For the text argument, enter a description as an unquoted text string
host1/Admin(config-context)# description with a maximum of 240 alphanumeric characters.
context for accounting users
Step 2 no description (Optional) Removes the context description from the configuration.
Example:
host1/Admin(config-context)# no
description
configuration.
Example:

2-20 OL-25332-01


Configuring a VLAN for a Context
The ACE uses class maps and policy maps to classify (filter) traffic and direct it to different interfaces
(VLANs) using a service policy. A context uses VLANs to receive packets classified for that VLAN. You
allocate one or more existing VLANs on which a user context can receive packets by using the
allocate-interface command in context configuration mode in the Admin context. You can enter this
command multiple times to specify multiple VLANs for a user context.

• You can configure an interface directly in a user context, but the state of the interface remains Down
until you enter the allocate-interface command for that interface in the Admin context. You can
configure the interface and allocate the interface in any order.
• If you remove an interface in the Admin context and the same interface is in use in a user context,
the state of the interface becomes Down. Entering the show interface command in the user context
shows the interface as Down and the reason that the interface is no longer allocated in the Admin
context.
• You cannot deallocate a VLAN from a user context if the VLAN is in use in that context.

Detailed Steps

Command Purpose
Step 1 allocate-interface vlan number1 Allocate one or more existing VLANs on which a user context
can receive packets.
Example:
host1/Admin(config-context)# For the number argument, enter the number of an existing VLAN
allocate-interface vlan 100 or a range of VLANs that you want to assign to the context as
integers from 2 to 4094.
Example:
host1/Admin(config-context)#
allocate-interface vlan 100-200
Step 2 no allocate-interface vlan number1 (Optional) Deallocates a VLAN or range of VLANs from a
context.
Example:
allocate-interface vlan 100

Example:
configuration.
Example:

OL-25332-01 2-21


Associating a Context with a Resource Class
Resource classes limit the resources available to one or more contexts. You associate a context with a
resource class or associate the same context with a different resource class by using the member
command in context configuration mode.

Prerequisites
This configuration topic includes the following prerequisites:
• The default resource class allocates a minimum of 0.00 percent to a maximum of 100.00 percent of
all ACE resources to each context. You can associate a context with only one resource class. For
more information about resource classes, see the “Guidelines and Restrictions” section.
• When you remove a context from a resource class, the ACE releases all resources associated with
that context and makes the resources available to other contexts in the class.

• If you do not specify a resource class, the context automatically is a member of the default resource
class.
• You can associate a context with only one resource class. If you try to associate more than one
resource class to the context, the ACE overwrites the existing class.
• When you add a context to a resource class, the ACE adds only those resources that can remain
within their configured limits. If you want to allocate additional resources to the context, you can
do so if the resources are available. Otherwise, you must first release some resources from other
contexts within the resource class. For details about modifying the resource allocation among
contexts, see the “Configuring a Context” section.

Detailed Steps

Command Purpose
Step 1 member class Associates a context with a resource class, or associates the same
context with a different resource class.
Example:
host1/Admin(config-context)# member RC1 For the class argument, enter the name of an existing resource class
as an unquoted text string with no spaces and a maximum of 64
alphanumeric characters. For information about configuring a
resource class, see the “Creating a Resource Class for Resource
Management” section.
Step 2 no member class (Optional) Disassociates a context from a resource class
Example:
host1/Admin(config-context)# no member
RC1

2-22 OL-25332-01


Command Purpose
configuration.
Example:
Step 4 exit (Optional) Exits the context configuration mode.
Example:
host1/Admin(config-context)# exit

Moving Between Contexts
You move between contexts by using the changeto command in Exec mode.

Prerequisites
Context administrators, who have access to multiple contexts, must explicitly log in to the other contexts
to which they have access.

This configuration topic includes the following guidelines restrictions:
• You must have one of the predefined user roles in the Admin context to use the changeto command.
For information about the predefined user roles, see the “Role-Based Access Control” section in
Chapter 1, Overview.
• The user role that is enforced after you enter the changeto command is that of the Admin context
and not that of the non-Admin context.
• You cannot add, modify, or delete objects in a custom domain after you change to a non-Admin
context.
– If you originally had access to the default-domain in the Admin context prior to moving to a
non-Admin context, the ACE allows you to configure any object in the non-Admin context.
– If you originally had access to a custom domain in the Admin context prior to moving to a
non-Admin context, any created objects in the new context will be added to the default-domain.
However, an error message will appear when you attempt to modify existing objects in the
non-Admin context.

OL-25332-01 2-23


Detailed Steps

Command Purpose
Step 1 changeto name Moves from one context on the ACE to another context.
Example: Note You can move between contexts in configuration mode
host1/Admin# changeto C1 by using the do changeto command.
host1/C1#
The name argument specifies the identifier of an existing
context. Enter an unquoted text string with no spaces and a
maximum of 64 alphanumeric characters.
configuration.
Example:
host1/C1# do copy running-config
startup-config
Step 3 exit (Optional) Exits the context and returns to the Admin context.
Example:
host1/C1# exit
host1/Admin#

Configuring User Roles
This section contains the following topics:
• Creating a User Role
• Assigning Privileges to a User Role

Creating a User Role
User roles determine the privileges that a user has, the commands that a user can enter, and the actions
that a user can perform in a particular context. For a list of the predefined roles that the ACE provides,
see Chapter 1, Overview.

Prerequisites
Only the global administrator or a context administrator can configure additional roles.

If you do not assign a role to a new user, the default role is Network-Monitor. For users that you create
in the Admin context, the default scope of access is the entire device. For users that you create in other
contexts, the default scope of access is the entire context. If you need to restrict a user’s access, you must
assign a role-domain pair using the username command (see the “Configuring a User” section).

2-24 OL-25332-01


Detailed Steps

Command Purpose
Example:
host1/Admin# config
(config)#
Step 2 role name Creates a role and accesses the role configuration mode.
Example: Note To display the predefined roles in the CLI, enter the show
host1/C1(config)# role TECHNICIAN role command in Exec mode.
host1/C1(config-role)#
The name argument is an identifier associated with a role. Enter an
unquoted text string with no spaces and a maximum of 64
alphanumeric characters.
Step 3 no role name (Optional) Removes the role from the configuration
Example:
host1/C1(config)# no role TECHNICIAN
configuration.
Example:
host1/C1(config-role)# do copy

OL-25332-01 2-25


Assigning Privileges to a User Role
After you create a user role, you can limit the features that a user has access to and the commands the
user can enter for that feature by configuring rules for that role. You assign privileges per feature to a
role by using the rule command in role configuration mode.

ACE Appliance Guidelines and Restrictions
To allow a user with a customized role to work from the ACE Appliance Device Manager, you must
configure the role with rules that permit the create operation for the config-copy and exec-commands
features.

Detailed Steps

Command Purpose
Step 1 rule number {permit | deny} { create | Specifies whether to allow or disallow operations that can be
modify | debug | monitor} [feature performed by a user, the type of commands that can be permitted or
features]
disallowed by the role, and the ACE feature to use when configuring
Example: the rule. The keywords, arguments, and options are as follows:
host1/C1(config)# role TECHNICIAN
• number—Identifier of the rule and order of precedence. Enter a
host1/C1(config-role)# rule 1 permit
create rserver unique integer from 1 to 16. The rule number determines the
order in which the ACE applies the rules, with a
higher-numbered rule applied after a lower-numbered rule.
• permit—Allows the role to perform the operations defined by
the rest of the command keywords.
• deny—Disallows the role to perform the operations defined by
the rest of the command keywords.
• create—Specifies commands for the creation of new objects or
the deletion of existing objects (includes modify, debug, and
monitor commands).
• modify—Specifies commands for modifying existing
configurations (includes debug and monitor commands).
• debug—Specifies commands for debugging problems (includes
monitor commands).
• monitor—Specifies commands for monitoring resources and
objects (show commands).

2-26 OL-25332-01


Command Purpose
• feature features—(Optional) Specifies an ACE features for
configuring this rule. For the features argument, enter one of the
following keywords for the system resource:
– AAA—Specifies commands for authentication,
authorization, and accounting.
– access-list—Specifies commands for access control lists
(ACLs). Includes ACL configuration, class maps for ACL,
and policy maps that contain ACL class maps.
– changeto—Specifies the changeto command that enables
the user to move between contexts. This command allows a
user-defined role to use the changeto command. Also, users
retain their privileges when accessing different contexts. By
default, this command is disabled for user-defined roles.
– config-copy—Specifies commands for copying the
running-config file to the startup-config file, startup-config
file to the running-config file, and copying both config files
to the flash disk (disk0:) or a remote server.
– connection—Specifies commands for network connections.
– dhcp—Specifies commands for Dynamic Host
Configuration Protocol.
– exec-commands—Specifies the following Exec mode
commands: capture, clear, debug, delete, gunzip, mkdir,
move, rmdir, set, setup, system, tac-pac, telnet, untar,
write, and undebug.
– fault-tolerant—Specifies commands for redundancy.
– inspect—Specifies commands for packet inspection used in
data-center security.
– interface—Specifies all interface commands.
– loadbalance—Specifies commands for load balancing.
Allows adding a load-balancing action in a policy map.
(ACE appliance only) These commands includes the
application acceleration and optimization functions.
– nat—Specifies commands for Network Address Translation
(NAT) associated with a class map in a policy map used in
data-center security.
– pki—Specifies commands for SSL public key infrastructure
(PKI).
– probe—Specifies commands for keepalives for real servers.
– real-inservice—Specifies commands for placing a real
server in service.

OL-25332-01 2-27


Command Purpose
– routing—Specifies all commands for routing, both global
and per interface.
– rserver—Specifies commands for physical servers.
– serverfarm—Specifies commands for server farms.
– ssl—Specifies commands for SSL.
– sticky—Specifies commands for server persistence.
– syslog—Specifies the system logging facility setup
commands.
– vip—Specifies commands for virtual IP addresses and
virtual servers.
Step 2 no rule number {permit | deny} {create | (Optional) Removes the rule from a role.
modify | debug | monitor} [feature
{features}]

Example:
host1/C1(config-role)# no rule 1 permit
create rserver
configuration.
Example:
host1/C1(config-role)# do copy
Step 4 exit (Optional) Exits the role configuration mode.
Example:
host1/Admin(config-role)# exit

Configuring Domains
• Creating a Domain
• Associating Objects With a Domain

Creating a Domain
A domain is the namespace in which a user operates.

• You can create a maximum of 63 additional domains in each context.
• A domain does not restrict the context configuration that you can display using the show
running-config command. You can still display the running configuration for the entire context.
However, a domain can restrict your access to the configurable objects within a context by adding

2-28 OL-25332-01


only a limited subset of all the objects available to a context to the domain. You can further restrict
the operations that a user can perform on those configurable objects by assigning a role to a user.
For information about configuring user roles, see the “Configuring User Roles” section.

Detailed Steps

Command Purpose
Example:
host1/Admin# config
(config)#
Step 2 domain name Creates a domain and access domain configuration mode.
Example: For the name argument, enter an unquoted text string with no
host1/C1(config)# domain D1 spaces and a maximum of 76 alphanumeric characters.
host1/C1(config-domain)#
Step 3 no domain name (Optional) Removes the domain from the configuration.
Example:
host1/C1(config)# no domain D1
configuration.
Example:
host1/C1(config-domain)# do copy

Associating Objects With a Domain
After you create a domain, you can associate configurable objects with that domain (for example, a real
server, server farm, interface, and so on). You associate a configurable object with a domain by using the
add-object command in domain configuration mode.

OL-25332-01 2-29


Detailed Steps

Command Purpose
Step 1 add-object {access-list {ethertype | Specifies the object to be associated with a domain. The
extended} name | all | class-map name | keywords, arguments, and options are as follows:
interface {bvi | vlan} | object_group name
| parameter-map name | policy-map name | • access-list—Specifies an existing access control list (ACL)
probe name | rserver name | script name | that you want to associate with the domain. Enter the
serverfarm name | sticky name}
following:
Example: – ethertype—Specifies an existing EtherType access
host1/C1(config)# domain D1 control list that you want to associate with the domain.
host1/C1(config-domain)# add-object
interface vlan 10 – extended—Specifies an existing extended access
control list that you want to associate with the domain.
– name—Name of the access control list.
• all—Specifies that all existing configuration objects in the
context are added to the domain.
• class-map name—Specifies an existing class map for flow
classification that you want to associate with the domain.
• interface—Specifies an existing interface that you want to
associate with the domain.
– bvi number—Specifies the existing Bridge Group
Virtual Interface that you want to associate with the
domain. Enter an integer from 1 to 4094.
– vlan number—Specifies the existing VLAN that you
want to associate with the domain. Enter an integer from
2 to 4094.
• object-group name—Specifies an existing object group that
you want to associate with the domain.
• parameter-map name—Specifies an existing parameter
map that you want to associate with the domain.
• policy-map name—Specifies an existing policy map that
• probe name—Specifies an existing real server probe
(keepalive) that you want to associate with the domain.
• rserver name—Specifies an existing real server that you
want to associate with the domain.
• script name—Specifies an existing script that you created
with the ACE TCL scripting language.
• serverfarm name—Specifies an existing server farm that
• sticky name—Specifies an existing sticky group that you
want to associate with the domain to maintain persistence
with a server.

2-30 OL-25332-01


Command Purpose
Step 2 no add-object {access-list {ethertype | (Optional) Removes the object from the domain.
extended} name | all | class-map name |
interface {bvi | vlan} | object_group name
| parameter-map name | policy-map name |
probe name | rserver name | script name |
serverfarm name | sticky name}

Example:
host1/C1(config-domain)# no add-object
interface vlan 10
configuration.
Example:
host1/C1(config-domain)# do copy
Step 4 exit (Optional) Exits the domain configuration mode.
Example:
host1/Admin(config-domain)# exit

OL-25332-01 2-31


Configuring a User
You create a user and define the associated role and operating domains by using the username command
in configuration mode.
The ACE creates the following default user accounts at startup:
• admin—The admin user is the global administrator and cannot be deleted.
• www—The ACE uses the www user account for the XML interface.
• dm—(ACE appliance only) The dm user is for accessing the ACE appliance Device Manager GUI
and cannot be deleted. The dm user is an internal user required by the Device Manager GUI; it is
hidden on the ACE appliance CLI.

Note Do not modify the dm user password from the ACE appliance CLI. If the password is
changed, the Device Manager GUI will become inoperative. If this occurs, restart the Device
Manager using the dm reload command (you must be the global administrator to access the
dm reload command). Note that restarting the Device Manager does not impact ACE
appliance functionality; however, it may take a few minutes for the Device Manager to
reinitialize as it reads the ACE appliance CLI configuration.

• The global administrator (admin) assigns one user in each context as the context administrator. The
context administrator can then log in to the context or contexts for which he or she is responsible
and create additional users.
• If you do not assign a role to a new user, the default role is Network-Monitor. For users that you
create in the Admin context, their default scope of access is the entire device. For users that you
create in other contexts, their default scope of access is the entire context. If you need to restrict a
user’s access, you must assign a role-domain pair.

Detailed Steps

Command Purpose
Example:
host1/Admin# config
(config)#

2-32 OL-25332-01


Command Purpose
Step 2 username name1 [password [0 | 5] password] Creates a user or changes the default username and password.
[expire date] [role name2] [domain name3 The keywords, arguments, and options are as follows:
name4 . . . namen]
• name1—Identifier of the user that you are creating. Enter an
Example: unquoted text string with no spaces and a maximum of
host1/C1(config)# username USER2 password
24 alphanumeric characters.
HERSECRET expire 2008-12-31 role Admin
domain default-domain D2 The ACE supports the following non-alphanumeric
characters in a username:
-_@
The ACE does not support the following characters:
$/;!#
Note The “.” character is not supported on the local database
but a username with this character is authenticated when
it is configured on an ACS server.

• password—(Optional) Keyword that indicates that a
password follows.
• 0—(Optional) Specifies a clear text password.
• 5—(Optional) Specifies an MD5-hashed strong encryption
password.
• password—(Optional) Password in clear text or MD5 strong
encryption, depending on the numbered option (0, 5, or 7)
that you enter. If you do not enter a numbered option, the
password is in clear text by default. If you enter the
password keyword, you must enter a password. Enter a
password as an unquoted text string with a maximum of 64
alphanumeric characters. The ACE supports the following
special characters in a password:
,./=+-^@!%~#$*()
Note that the ACE encrypts clear text passwords in the
running-config.

Note If you specify an MD5-hashed strong encryption
password, the ACE considers a password to be weak if it
is less than eight characters in length.

• expire date—(Optional) Specifies the expiration date of the
user account. Enter the expiration date in the format
yyyy-mm-dd. Be aware that the ACE applies the configured
UTC offset to this date.
• role name2—(Optional) Specifies an existing role that you
want to assign to the user.
• domain name3 name4 . . . namen—(Optional) Specifies the
domains in which the user can operate. You can enter
multiple domain names up to a maximum of 10, including
default-domain.

OL-25332-01 2-33

Displaying Virtualization Configuration Information

Command Purpose
Step 3 no username name1 (Optional) Deletes a user from the configuration.
Example:
host1/C1(config)# no username USER2
configuration.
Example:
host1/C1(config)# do copy running-config
startup-config

Logging Out a User
You can force a user to log out and clear the user session by using the clear user command in Exec mode.

Detailed Steps

Command Purpose
clear user name Clears a user session.
Example: For the name argument, enter the name of an existing user as an
host1/Admin# clear user John unquoted text string with no spaces and a maximum of 64
alphanumeric characters.

This section describes the show commands that allow you to display a range of configuration
information for the contexts configured on your ACE.
• Displaying Context Configurations
• Displaying Domain Configurations
• Displaying Resource Class Configurations
• Displaying Role Configurations
• Displaying Context Information
• Displaying Resource Allocation
• Displaying User Roles
• Displaying Domains
• Displaying User Information
For additional information about the CLI command syntax described in this chapter, see the Command
Reference, Cisco ACE Application Control Engine.

2-34 OL-25332-01


Displaying Context Configurations
You display context configurations by using the show running-config context command in Exec mode.

Command Purpose
show running-config context Displays all configured user contexts and their descriptions, resource
classes, and allocated VLANs.

Displaying Domain Configurations
You display domain configurations by using the show running-config domain command in Exec mode.

Command Purpose
show running-config domain Displays all configured domains and their objects (access control lists
[ACLs], class maps, interfaces, and so on).

Displaying Resource Class Configurations
You display resource-class configurations by using the show running-config resource-class command
in Exec mode.

Command Purpose
show running-config resource-class Displays all configured resource classes and their resource allocation
statements.

Displaying Role Configurations
You display role configurations by using the show running-config role command in Exec mode.

Command Purpose
show running-config role Displays all configured roles, their descriptions, and associated rules.

OL-25332-01 2-35


Displaying Context Information
You display information about a context by using the show context command in Exec mode.

Command Purpose
show context [name | Admin] Displays the context information including the context name, configured
description, resource class, and interfaces.
The options are as follows and available only in the Admin context:
• The name argument is the name of the context.
If you do not specify the name argument, this command displays the
information for all contexts including the Admin context.
• The Admin option displays the information for the Admin context
only.

Table 2-4 describes the fields in the show context command output.

Table 2-4 Field Descriptions for the show context Command Output

Field Description
Name Lists identifiers of all configured contexts. If you specify the name argument, the ACE displays the name
of the context that you specify only.
Config Count The number of lines in the running-config for the context (excluding blank lines).
Description Previously configured text description of the context.
Resource-class Resource class of which the context is a member.
VLANs VLANs allocated to a user context from the Admin context.

Displaying Resource Allocation
You view the allocation for each resource across all resource classes and class members by using the
show resource allocation command in Exec mode.

Note The show resource allocation command displays the resource allocation but does not show the actual
resources being used. See the “Displaying Resource Usage Statistics for Contexts” section for more
information about actual resource usage.

Command Purpose
show resource-allocation Displays the allocation for each resource across all resource classes and
class members.

2-36 OL-25332-01


Table 2-5 describes the fields in the show resource allocation command output.

Table 2-5 Field Descriptions for the show resource allocation Command Output

Field Description
Parameter Name of the resource that you can limit. See the “Configuring Virtualization” section for information
about each resource.
Min Minimum percentage of the total system resources that is allocated for a parameter in the specified
resource class. For the default resource class, the minimum value for each resource is 0.00 percent.
Note For the Bandwidth Min value, this field does not display the percentage configured with the limit
resource all command. The ACE includes the management traffic rate in addition to the
throughput rate to calculate the value that appears in this field.
Max Maximum percentage of the total system resources that is allocated to a parameter in the specified resource
class. For the default resource class, the Max value for each resource is equal to the total Max value of all
contexts using the default resource class. For example, if you configure two user contexts and do not
associate them with a resource class, the ACE automatically assigns the default resource class. If the
Admin context also uses the default resource class, the Max value would equal 300% for each resource.
Class Name of the resource class.

Displaying User Roles
You display the user roles by using the show role command.

Command Purpose
show role [name] Displays the configured user roles (predefined and user-configured roles).
For the optional name argument, enter the unique identifier of the role as an
unquoted text string with no spaces and a maximum of 64 alphanumeric
characters. This parameter displays only the named role that you specify. To
display all roles, enter the command without a name.

Table 2-6 describes the fields in the show role command output.

Table 2-6 Field Descriptions for the show role Command Output

Field Description
Role Name of the role (for example, Admin).
Description Text that describes the role (for example, Administrator).
Number of Rules Number of rules associated with the role.
Rule Sequence number of the rule.
Type Type of rule. Possible values are Permit or Deny.
Permission Permission level of the rule. The possible permission values ranked from highest to lowest, are Create,
Modify, Debug, and Monitor.
Feature Software feature associated with the rule (for example, access-list).

OL-25332-01 2-37


Displaying Domains
You display information about the configured domains in the ACE by using the show domain command.

Command Purpose
show domain [name] Displays the information about the configured domains in the ACE.
For the optional name argument, enter the unique identifier of an
existing domain as an unquoted text string with no spaces and a
maximum of 76 alphanumeric characters.

Table 2-7 describes the fields in the show domain command output.

Table 2-7 Field Descriptions for the show domain Command Output

Field Description
Name Unique identifier of the domain.
Object Type List of objects associated with the domain (for example, Class-map).
Object Name Configured identifier of the object.

Displaying User Information
You display user and user account information by using the show users and show user-account
commands.

Command Purpose
show users [name] Displays the information for users that are currently logged in to the ACE.
For the optional name argument, enter the unique identifier of a user as an
characters.
show user-account [name] Displays user account information.
For the optional name argument, enter the unique identifier of a user as an
characters.

Table 2-8 describes the fields in the show users command output.

Table 2-8 Field Descriptions for the show users name Command Output

Field Description
User Name of user.
Context Name of the context associated with the user.
Line Port through which the user connected to the ACE (for example, pts/1).
Login Time Month, day, and time that the user logged in to the ACE (for example, Dec 7 20:11).
Location Location of the user expressed as an IP address.

2-38 OL-25332-01


Table 2-8 Field Descriptions for the show users name Command Output (continued)

Field Description
Role Role assigned to the user (for example, Admin).
Domain(s) Domain associated with the user (for example, default-domain).

Table 2-9 describes the fields in the show user-account command output.

Table 2-9 Field Descriptions for the show user-account Command Output

Field Description
User Name of the user.
Account Expiry Date, if any, when the user account expires. This date is based on Coordinated Universal Time
(UTC/GMT) which the ACE keeps internally. If you use the clock timezone command to configure a UTC
offset, this field displays the UTC date and does not reflect the date with the offset as displayed by the
show clock command.
Roles Role assigned to the user (for example, Admin).
Domain Domain associated with the user (for example, default-domain).
Context Name of the context associated with the user (for example, Admin).

OL-25332-01 2-39

Displaying Resource Usage Statistics for Contexts

You display the resource usage statistics for each context from the Admin context or the current user
context by using the show resource usage command in Exec mode.

Note (ACE module only) When the show resource usage command displays the 100 percent Allocation Min
and Allocation Max values for conc-connections, proxy-connections, and other parameters, these values
display the bidirectional connections (inbound leg and outbound leg) for the four network processors
(NPs) in the ACE module. For example, the maximum number of concurrent connections that the ACE
module supports is 4,000,000. However, the show resource usage command displays a maximum
conc-connection objects value of 8,000,000, which is equal to 2,000,000 unidirectional connection
records for each network processor times four network processors.

Command Purpose
show resource usage Displays the resource usage statistics for each context from the Admin
Example: context or for the current user context.
host1/Admin# show resource usage
show resource usage counter {all | current | Displays the resource usage statistics for the specified counter and threshold,
denied | peak} count_threshold as follows:
Example: Note Entering any of the following keywords without the count_threshold
host1/Admin# show resource counter denied argument displays all resource statistics.
1000
• all—When used with the count_threshold argument, this option
displays the resources that have peak counters that exceed the threshold.
• current—When used with the count_threshold argument, this option
displays the resources that have current counters that exceed the
threshold.
• denied—When used with the count_threshold argument, this option
displays the resources that have denied counters that exceed the
threshold.
• peak—When used with the count_threshold argument, this option
displays the resources that have peak counters that exceed the threshold.
• count_threshold—Threshold number that exceeds the specified counter.
If the usage of the resource is below the number, the resource is not
shown. Enter an integer from 0 to 4294967295. The default is 1. The
value of 0 displays all resources.
show resource usage resource resource | rate Displays usage statistics for a specific resource or rate.
rate [counter {all | current | denied | peak
See Table 2-10 for the descriptions of the resource and rate arguments. See
[count_threshold]}]
the show resource usage counter {all | current | denied | peak}
Example: count_threshold command for the descriptions of the counter keywords
host1/Admin# show resource usage resource and argument.
conc-connections

2-40 OL-25332-01


Command Purpose
show resource usage context name [resource Displays the resource usage for a specific context from the Admin context.
resources | rate rates] [counter [all | current | The name argument is the name of the context for the resources and counters
denied | peak [count_threshold]]] that you want to display. If you do not enter any additional options, this
Example: command displays all resource usage statistics for the context.
host1/Admin# show resource usage context See Table 2-10 for the descriptions of the resource and rate arguments. See
C1 resource conc-connections counter
denied 0
count_threshold command for the descriptions of the counter keywords
and argument.
show resource usage np {current | denied | Displays network processor resource usage as follows:
peak} [all | context name | summary]
• (ACE module only) Displays resource usage for all four network
show resource usage np np_number all processors or the specified network processor (NP). Because the ACE
[counter [all | current | denied | peak divides all resources equally between all four NPs, this command allows
[count_threshold]]] you to monitor the resource usage for each NP independently in case it
show resource usage np np_number [context reaches a limit. When an NP reaches a limit, it can deny a connection
name | summary [resource {resources} | rate even though the limit is not reached in the other NPs.
rates] [counter [all | current | denied | peak • (ACE appliance only) Displays resource usage for its one NP.
[count_threshold]]]
The keywords and arguments are as follows:

Examples: • current—Displays the active concurrent instances or the current rate of
host1/Admin# show resource usage np the resource for the NP.
current summary
• denied—Displays the number of denied uses of the resource for the NP
host1/Admin# show resource usage np 1 all since the resource statistics were last cleared.
counter current
• peak—Displays the peak concurrent instances, or the peak rate of the
host1/Admin# show resource usage np 1 resource for the NP since the statistics were last cleared, either by using
context Admin resource conc-connections the clear resource usage command or because the device rebooted.
counter current
• all—(Optional) Displays the resource usage for all contexts of the NP
from the Admin context.
• context name—(Optional) Displays the resource usage for the specified
context of the NP from the Admin context.
• summary—(Optional) Displays the resource usage summary of the NP
from the Admin context.
• np_number—Number of the network processor. Enter an integer from 1
through 4 (ACE module) or enter 1 (ACE appliance). If you do not enter
any additional options, this command displays all resource usage
statistics for all contexts from the Admin context or for the current user
context.
See Table 2-10 for the descriptions of the resource and rate arguments.
See the show resource usage counter {all | current | denied | peak}
count_threshold command for the descriptions of the counter
keywords and argument.

OL-25332-01 2-41


Command Purpose
show resource usage summary [resource Displays the total resource usage for all contexts from the Admin context.
{resources} | rate rates] [counter [all | current
See Table 2-10 for the descriptions of the resource and rate arguments. See
| denied | peak [count_threshold]]]
Example: count_threshold command for the descriptions of the counter keywords
host1/Admin# show resource usage summary and argument.
resource mgmt-connections counter all
1100
show resource usage top number resource Displays the specified number of contexts for a single resource arranged
resources | rate rates [counter [all | current | from the highest to the lowest percentage of resources used.
denied | peak [count_threshold]]]
For the number argument, enter a number from 1 to 256.

Example: You must specify a resource type. You cannot use the all keyword with
host1/Admin# show resource usage top 4 resource keyword. See Table 2-10 for the descriptions of the resource and
resource conc-connections counter denied rate arguments.
20
See the show resource usage counter {all | current | denied | peak}
count_threshold command for the descriptions of the counter keywords
and argument.

2-42 OL-25332-01


Table 2-10 lists and describes the arguments for the resource and rate options of the show resource
usage command (see the show resource usage resource resource | rate rate [counter {all | current |
denied | peak [count_threshold]}] command).

Table 2-10 Resource and Rate Options for the show resource usage resource command Command

Command Option Description
resource resource Displays statistics for a specified system resource. Enter one of the following keywords for the resource
argument:
• (ACE appliance only) acc-connections—Displays the number of application acceleration
connections.
• acl-memory—Displays the ACL memory usage for both IPv6 and IPv4 ACLs. If a context has fewer
ACL memory resources than the configured Allocation Minimum, the ACE displays the Actual
Minimum value that you can assign to the context.
• all—Displays the resource usage for all resources used by the specified context or contexts.
• conc-connections—Displays the resource usage for the number of simultaneous connections.
• mgmt-connections—Displays the resource usage for the number of management connections.
• probes—Displays the resource usage for the probes.
• proxy-connections—Displays the resource usage for the proxy connections.
• rate—See the rate rate command option in this table.
• regexp—Displays the resource usage for the regular expressions.
If a context has fewer regexp resources than the configured Allocation Minimum, the ACE displays
the Actual Minimum value that you can assign to the context.
• sticky—Displays the resource usage for the sticky entries. If a context has fewer sticky resources
than the configured Allocation Minimum, the ACE displays the Actual Minimum value that you can
assign to the context.
• syslogbuffer—Displays the resource usage for the syslog buffer. The ACE assigns syslog buffers in
increments of 1024. If the resource-class Allocation Minimum value was satisfied, the Current field
of the show resource usage syslogbuffer command would display the highest multiple of 1024 that
is less than the Allocation Min value.
• xlates—Displays the resource usage by Network Address Translation (NAT) and Port Address
Translation (PAT) entries.

OL-25332-01 2-43


Table 2-10 Resource and Rate Options for the show resource usage resource command Command

Command Option Description
rate rate Displays the rate per second for the specified connections or syslog messages. Enter one of the following
keywords for the rate argument:
• bandwidth—Displays the bandwidth in bytes per second. To convert to bits per second, multiply
the displayed value by 8.
• connections—Displays connections per second.
• http-comp—Displays the HTTP compression rate in bytes per second. To convert to bits per second,
multiply the displayed value by 8.
• inspect-conn—Displays all inspection connections per second.
• mac-miss—Displays MAC miss traffic that was punted to the CP packets per second.
• mgmt-traffic—Displays management traffic bytes per second. To convert to bits per second,
multiply the displayed value by 8.
• ssl-connections—Displays Secure Sockets Layer (SSL) connections.
• syslog—Displays the system message rate in messages per second.

Note The syslog message statistics do not include the syslogs generated from the dataplane when
you enable logging of connection setup and teardown syslog messages through the logging
fastpath command.

• to-cp-ipcp—(ACE module only) Displays the IPCP traffic from the DP to the CP in packets per
second.

Table 2-11 describes the fields in the show resource usage command output.

Table 2-11 Field Descriptions for the show resource usage Command Output

Field Description
Resource The name of the limited resource in each context. See the “Configuring Virtualization” section for more
information about each resource name.
(ACE module only) When you use the show resource usage np command to display all network
processors, the ACE module displays the Resource field only.
Current Active concurrent instances or the current rate of the resource.
Peak Highest value of resource usage.
Allocation Allocation minimum value that indicates the resource units that are guaranteed to be available to each
(Min/Max) context. The allocation maximum value equals the minimum value plus the resource units that are be
available to each context and are shared among all contexts from the oversubscription pool. When you
configure the maximum value as equal-to-minimum, the maximum value is automatically equal to the
minimum value.
Denied Number of denied resources because of oversubscription or resource depletion.
Actual Min (ACE appliance only) Minimum ACL, regexp, sticky, or syslog buffer resources that you can allocate to
the context if the resource-class minimum cannot be met.

2-44 OL-25332-01

Configuration Examples for Virtualization

Clearing Resource Usage Statistics
You clear resource usage statistics by using the following commands.

Command Purpose
clear stats resource-usage Resets the resource usage statistics in the Peak and Denied fields to zero for
each context from the Admin context.
clear stats all Clear all statistical information in a context along with the resource usage
counters.

IPv6 Example
The following running-configuration example shows a basic IPv6 virtualization configuration with one
user-defined context, one resource class, one domain, and one user.
resource-class RC1
limit-resource rate syslog minimum 10.00 maximum equal-to-min
limit-resource acl-memory minimum 10.00 maximum unlimited

access-list ACL1 line 10 extended permit ip anyv6 anyv6

rserver host RS1
ip address 2001:DB8:2::251
inservice
rserver host RS2
ip address 2001:DB8:2::252
inservice
serverfarm host SF1
rserver RS1
inservice
rserver RS2
inservice

domain D1
add-object access-list extended ACL1
add-object rserver RS1
add-object serverfarm SF1

role SLB-Admin

context C1
description accounting department
member RC1

username JANE password 5 adropgijaeprgja9erjg2uWgtce1 role SLB-Admin domain D1

IPv4 Example
The following running-configuration example shows a basic IPv4 virtualization configuration with one
user-defined context, one resource class, one domain, and one user.
resource-class RC1

OL-25332-01 2-45


limit-resource rate syslog minimum 10.00 maximum equal-to-min
limit-resource acl-memory minimum 10.00 maximum unlimited

access-list ACL1 line 10 extended permit ip any any

rserver host RS1
ip address 192.168.2.251
inservice
rserver host RS2
ip address 192.168.2.252
inservice
serverfarm host SF1
rserver RS1
inservice
rserver RS2
inservice

domain D1
add-object access-list extended ACL1
add-object serverfarm SF1

role SLB-Admin

context C1
description accounting department
member RC1

username JANE password 5 adropgijaeprgja9erjg2uWgtce1 role SLB-Admin domain D1

2-46 OL-25332-01

Ace virtualization configuration

More Related Content

What's hot (20)

Viewers also liked (19)

Similar to Ace virtualization configuration (20)

Ace virtualization configuration