The configuration we will look at is an ACE module that goes into a 6500 series chassis. It would help if you did some prep work on the 6500 before configuring the ACE. The first step is to create the VLANs; in this example, we will use VLAN 4 and VLAN 67.
vlan 4
  name VLAN0004
vlan 67
  name VLAN0067
The next step is to define an svclc vlan-group. This creates a VLAN group that you can hand to a service module in the chassis. We can use one or two VLAN groups here; if we want more than one VLAN in a VLAN group, we need to add a line to our configuration. I will demonstrate the configuration for both. Once we define the vlan-group, we must apply it to a module. Again, I will demonstrate the configuration for one or two VLAN groups.
One svclc vlan-group and association
– svclc multiple-vlan-interfaces
– svclc vlan-group 7 4,67 – this creates service vlan-group 7 and associates VLANs 4 and 67
– svclc module 3 vlan-group 7 – we are applying vlan-group 7 to the service module in slot 3
Two svclc vlan-groups and association
– svclc vlan-group 1 4 – this creates service vlan-group 1 and associates VLAN 4
– svclc vlan-group 2 67 – this creates service vlan-group 2 and associates VLAN 67
– svclc module 3 vlan-group 1 2 – we are applying vlan-groups 1 and 2 to the service module in slot 3
If you have your 6500s configured in VSS, you need to add the following lines so that both switches can feed both ACEs (if the ACEs are in redundant pairs). Note that the command takes the vlan-group number, not the VLAN IDs.
One svclc vlan-group
– svclc switch 1 module 3 vlan-group 7
Two svclc vlan-groups
– svclc switch 1 module 3 vlan-group 1
– svclc switch 1 module 3 vlan-group 2
From here, we can console into the ACE and configure it. We will be going in via the session command. To get to an ACE in module 3, we will type:
session switch <#> module <#> processor 0
Now, in the ACE, we can put down a base configuration. However you choose to build it, there is one crucial thing to note about the ACE: it denies all traffic to itself by default, including management traffic, so you have to explicitly allow management of the device with a management policy. All configuration is done in an MQC-style approach (class-map, policy-map, service-policy), and I will break down each section and how it should be installed. Let's get the base configuration on; we want to accomplish the following (don't forget to go to the secondary ACE and set the FT group as well):
- Give a hostname of ACE_Switch1_Module3-Pri.
- Give a secondary hostname of ACE_Switch1_Module3-Sec.
- Create an FT Interface on VLAN 4 and assign it IPs in the range of 10.10.10.0/30
- Create a context called ACE_Switch1_Module3_Context2 and allocate VLAN67 to it
- Add an FT group for the new context and associate with the FT peer group
This configuration would look like this;
hostname ACE_Switch1_Module3-Pri
peer hostname ACE_Switch1_Module3-Sec
!
context ACE_Switch1_Module3-Pri-CX2
  allocate-interface vlan 67
!
ft interface vlan 4
  ip address 10.10.10.1 255.255.255.252
  peer ip address 10.10.10.2 255.255.255.252
  no shutdown
!
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 4
!
ft group 36
  peer 1
  no preempt
  associate-context Admin
  inservice
!
ft group 2
  peer 1
  no preempt
  associate-context ACE_Switch1_Module3-Pri-CX2
  inservice
Change to that context and complete the configuration:
- Create an SVI on VLAN 67 and assign it IPs in the range of 172.18.10.8/29
- Create a policy that allows the following management protocols for the ACE
  - SNMP from hosts 192.168.44.23 and 192.168.44.55
  - ICMP from anywhere
  - telnet from host 192.168.25.45
  - HTTP from host 192.168.25.45
  - ssh from subnets 192.168.87.0/24 and 192.168.99.0/23
  - https from subnet 192.168.87.0/24
- Create a default route to 172.18.10.1
- Send SNMP version 2c traps to 192.168.44.23 and 192.168.44.55
- Turn on logging and enable timestamps
- Enable logging for the following
  - Trap level 5
  - Buffered level 2
  - Monitor level 2
  - Send to host 192.168.44.23
  - ID string ACE_Switch1_Module3/ACE_Switch1_Module3_Context2
- Configure an AAA server group called TACACS with the following variables
  - TACACS with an ACS server at 192.168.23.44 using key aceandacstacacs
- Apply the management policy to VLAN 67
This configuration would look like this:
logging enable
logging timestamp
logging trap 5
logging buffered 2
logging monitor 2
logging device-id string ACE_Switch1_Module3/ACE_Switch1_Module3_Context2
logging host 192.168.55.25 udp/514
logging host 192.168.55.55 udp/514
!
tacacs-server key aceandacstacacs
tacacs-server host 192.168.23.44 key aceandacstacacs
!
aaa group server tacacs+ TACACS
  server 192.168.23.44
!
aaa authentication login default group TACACS local
aaa authentication login console group TACACS local
!
class-map type management match-any ACE-ACCESS
  6 match protocol snmp source-address 192.168.44.23 255.255.255.255
  8 match protocol snmp source-address 192.168.44.55 255.255.255.255
  21 match protocol ssh source-address 192.168.87.0 255.255.255.0
  22 match protocol ssh source-address 192.168.99.0 255.255.254.0
  30 match protocol icmp any
  31 match protocol telnet source-address 192.168.25.45 255.255.255.255
  41 match protocol http source-address 192.168.25.45 255.255.255.255
  42 match protocol https source-address 192.168.87.0 255.255.255.0
!
policy-map type management first-match ACE-MGT
  class ACE-ACCESS
    permit
!
interface vlan 67
  ip address 172.18.10.10 255.255.255.128
  alias 172.18.10.9 255.255.255.128
  peer ip address 172.18.10.11 255.255.255.128
  service-policy input ACE-MGT
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 172.18.10.1
!
snmp-server contact "MIS"
snmp-server location "CorpDC1"
snmp-server host 192.168.44.23 traps version 2c passwordstring
snmp-server host 192.168.44.55 traps version 2c passwordstring
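Because the management class-map is the only thing standing between the network and the ACE's control plane, it is worth checking offline that the match lines really implement the requirement list before the policy goes in. The following Python checker is an added example, not from the post or from Cisco: it parses a `class-map type management` block and audits it against (protocol, source, expected) cases. The class-map text and the negative test sources are constructed here, and the sample deliberately carries two slips (a mistyped first octet on sequence 6 and a /24 mask on sequence 22 where the requirement asks for /23) so the audit has something to report.

```python
import ipaddress
import re

# Constructed sample (not the post's own config) with two planted slips:
# sequence 6 has a mistyped first octet, sequence 22 uses /24 instead of /23.
ACE_CLASS_MAP = """\
class-map type management match-any ACE-ACCESS
  6 match protocol snmp source-address 172.168.44.23 255.255.255.255
  8 match protocol snmp source-address 192.168.44.55 255.255.255.255
  21 match protocol ssh source-address 192.168.87.0 255.255.255.0
  22 match protocol ssh source-address 192.168.99.0 255.255.255.0
  30 match protocol icmp any
  31 match protocol telnet source-address 192.168.25.45 255.255.255.255
  41 match protocol http source-address 192.168.25.45 255.255.255.255
  42 match protocol https source-address 192.168.87.0 255.255.255.0
"""

# Requirement list as (protocol, source, should_be_permitted); deny cases are constructed neighbours.
REQUIREMENTS = [
    ("snmp", "192.168.44.23", True), ("snmp", "192.168.44.55", True),
    ("snmp", "192.168.44.24", False), ("icmp", "203.0.113.9", True),
    ("telnet", "192.168.25.45", True), ("telnet", "192.168.25.46", False),
    ("ssh", "192.168.87.200", True), ("ssh", "192.168.100.5", True),  # inside 192.168.99.0/23
    ("https", "192.168.99.5", False),
]

MATCH_RE = re.compile(
    r"^\s*\d+\s+match protocol (\S+)\s+(?:source-address (\S+) (\S+)|(any))\s*$")

def parse_management_class_map(text):
    """Return (protocol, network) tuples from the match lines; network is None for 'any'."""
    rules = []
    for line in text.splitlines():
        m = MATCH_RE.match(line)
        if not m:
            continue  # class-map header or unrelated line
        proto, addr, mask, any_ = m.groups()
        net = None if any_ else ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append((proto, net))
    return rules

def is_permitted(rules, proto, src_ip):
    """match-any semantics: permitted if any rule matches both protocol and source."""
    ip = ipaddress.ip_address(src_ip)
    return any(p == proto and (net is None or ip in net) for p, net in rules)

def audit(rules, requirements):
    """Return every requirement the class-map does not honour, in list order."""
    return [r for r in requirements if is_permitted(rules, r[0], r[1]) != r[2]]
```

Running `audit(parse_management_class_map(ACE_CLASS_MAP), REQUIREMENTS)` reports the SNMP host and the /23 ssh case, which is exactly the kind of slip a line-by-line read of the class-map tends to miss.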
The final post is going to cover how to configure the ACE for basic load balancing.