ACE: CSS/CSM からの設定移行 Tool

yushimaz · ‎2010-09-24

ACE は CSS/CSM と設定が大幅に異なります。そこで、既存 Cisco Loadbalancer 製品を使用している

お客様が容易に移行できるよう、設定移行 Tool が用意されています。

この Tool は、Web browser で ACE に access することで利用可能です。

ACE に access するためには、下記設定例のように管理用の ip address を設定し、外部からの http

access を許可する必要があります。

ACE20/Admin# sh run

Generating configuration....

hostname ACE20

class-map type management match-any remote-access

description remote-access-traffic-match

2 match protocol telnet any

3 match protocol ssh any

4 match protocol icmp any

5 match protocol http any

6 match protocol https any

7 match protocol snmp any

policy-map type management first-match remote-mgmt

class remote-access

permit

service-policy input remote-mgmt

interface vlan 100

ip address 1.164.0.47 255.0.0.0

no shutdown

設定後、ACE に対して Web browser から access すると、下記のような page が表示されます。

今回は、例として CSS2ACE conversion tool を使用し、CSS の設定を ACE 用の設定に変換してみます。

CSS2ACE conversion tool を click すると、下記のような画面が表示されるので、左側の box に、CSS の

設定を入れ、GETACE Commands を click します。

すると、下記のように ACE の設定が表示されます。

ACE commands:

Configuration    commands for Admin context:
-----------------------------------------

resource-class RC1
limit-resource sticky minimum 10    maximum unlimited

context test
member RC1
allocate-interface vlan 777
allocate-interface vlan 778

Configuration commands for test context:
-----------------------------------------

access-list PERMIT_ALL extended permit ip any any

probe icmp PROBE_SERVICE_ICMP
interval 5
passdetect interval 5

rserver host sv1
inservice
ip address 192.168.78.1
probe PROBE_SERVICE_ICMP
rserver host sv2
inservice
ip address 192.168.78.2
probe PROBE_SERVICE_ICMP

serverfarm host telnet
probe PROBE_SERVICE_ICMP
rserver sv1
    inservice
rserver sv2
    inservice
serverfarm host test
probe PROBE_SERVICE_ICMP
rserver sv2
    inservice
rserver sv1
    inservice
serverfarm host test2
probe PROBE_SERVICE_ICMP
rserver sv1
    inservice
serverfarm host test2_BACKUP
probe PROBE_SERVICE_ICMP
rserver sv2
    inservice
serverfarm host test3
probe PROBE_SERVICE_ICMP
rserver sv2
    inservice

sticky http-cookie ACE_COOKIE test2_STICKY
cookie insert
replicate sticky
serverfarm test2 backup    test2_BACKUP

parameter-map type http CASE_PARAM
case-insensitive
parameter-map type ssl test_1_SSL_SSLTERM
cipher    RSA_EXPORT_WITH_RC4_40_MD5

ssl-proxy service test_1_SSL
   cert oldcert
   key oldkey
   ssl advanced-options    test_1_SSL_SSLTERM

class-map type management match-any TO-CP-POLICY
match protocol icmp any
match protocol telnet any
match protocol snmp any
match protocol ssh any

class-map type http loadbalance match-any test_CLASSURL
   match http url    "[.]*"

class-map match-all test3_CLASS
match virtual-address    192.168.77.100 tcp eq 12345

class-map match-all telnet_CLASS
match virtual-address    192.168.77.100 tcp eq 23

class-map type http loadbalance match-any test2_CLASSURL
   match http url    "/test2*"

class-map match-all ssl_CLASS
match virtual-address    192.168.77.100 tcp eq 443

policy-map type loadbalance first-match test3_POLICY
class class-default
    serverfarm test3

policy-map type loadbalance first-match telnet_POLICY
class class-default
    serverfarm telnet

policy-map type loadbalance first-match ssl_POLICY
class test2_CLASSURL
    sticky-serverfarm    test2_STICKY
class test_CLASSURL
    serverfarm test

policy-map type management first-match TO-CP-POLICY
class TO-CP-POLICY
    permit

policy-map multi-match POLICY
class test3_CLASS
    appl-parameter http    advanced-options CASE_PARAM
    loadbalance vip inservice
    loadbalance vip icmp-reply    active
    loadbalance policy    test3_POLICY
class telnet_CLASS
    appl-parameter http    advanced-options CASE_PARAM
    loadbalance vip inservice
    loadbalance vip icmp-reply    active
    loadbalance policy    telnet_POLICY
class ssl_CLASS
    ssl-proxy server    test_1_SSL
    appl-parameter http    advanced-options CASE_PARAM
    loadbalance vip inservice
    loadbalance vip icmp-reply    active
    loadbalance policy    ssl_POLICY

service-policy input TO-CP-POLICY
service-policy input POLICY

interface vlan 778
ip address 192.168.78.250    255.255.255.0
access-group input    PERMIT_ALL
no shutdown
interface vlan 777
ip address 192.168.77.250    255.255.255.0
access-group input    PERMIT_ALL
no shutdown

CSS commands:

configure

!*************************** GLOBAL ***************************

ssl associate rsakey oldkey    old.p12
ssl associate cert oldcert    old.p12
ssl associate rsakey newkey    new.p12
ssl associate cert newcert    new.p12

ftp-record DEFAULT_FTP 1.160.0.52    root des-password ig5haaufqbnfuarb /tftpboot/webns

!************************* INTERFACE *************************

interface 1/1
bridge vlan 777

interface 1/2
bridge vlan 778

!************************** CIRCUIT **************************

circuit VLAN777
ip address 192.168.77.250    255.255.255.0

circuit VLAN778
ip address 192.168.78.250    255.255.255.0

!*********************** SSL PROXY LIST ***********************

ssl-proxy-list test
ssl-server 1
ssl-server 1 vip address    192.168.77.100
ssl-server 1 cipher    rsa-export-with-rc4-40-md5 192.168.77.100 80
ssl-server 1 rsakey oldkey
ssl-server 1 rsacert    oldcert
active

!************************** SERVICE **************************

service ssl
keepalive type none
slot 3
type ssl-accel
add ssl-proxy-list test
active

service sv1
ip address 192.168.78.1
active

service sv2
ip address 192.168.78.2
active

!*************************** OWNER ***************************

owner test
content ssl
    add service ssl
    vip address    192.168.77.100
    port 443
    protocol tcp
    active

content telnet
    vip address    192.168.77.100
    port 23
    protocol tcp
    add service sv1
    add service sv2
    active

content test
    port 80
    protocol tcp
    url "/*"
    add service sv2
    vip address    192.168.77.100
    add service sv1
    active

content test2
    vip address    192.168.77.100
    advanced-balance    arrowpoint-cookie
    port 80
    protocol tcp
    url "/test2*"
    add service sv1
    primarySorryServer sv2
    arrowpoint-cookie path    "/test2"
    active

content test3
    vip address    192.168.77.100
    port 12345
    protocol tcp
    add service sv2
    active

Unsupported CSS commands:

#    1                configure
#    5                ssl    associate rsakey oldkey old.p12
#    6                ssl    associate cert oldcert old.p12
#    7                ssl    associate rsakey newkey new.p12
#    8                ssl    associate cert newcert new.p12
# 10                ftp-record    DEFAULT_FTP 1.160.0.52 root des-password ig5haaufqbnfuarb    /tftpboot/webns
#    13                interface 1/1
#    14                bridge    vlan 777
#    16                interface 1/2
#    17                bridge    vlan 778
# 35                active
#    39                keepalive    type none
# 40                slot    3

上記設定は、service-policy を global mode で設定する等、最適化は行われてはおりませんが、

一から設定を行うよりも、移行までの時間を短縮することができます。そのため、ACE の設定に

なじみの薄い、既存 CSS/CSM user が ACE に移行する際の Tool としてお勧めのです。

また、CSM からの移行は ACE module を対象としているため、ACE appliance では下記のように

CSS2ACE conversion tool しか実装されていません。

この Tool の使用方法に関する詳細については下記をご参照ください。

# ACE module

Cisco CSM-to-ACE Conversion Tool User Guide

http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/csm_to_ace/user/guide/csmaceug.html

Cisco CSS-to-ACE Conversion Tool User Guide

http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/css_to_ace/user/guide/cssaceug.html

# ACE appliance

Cisco CSS-to-ACE Conversion Tool User Guide

http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/css_to_ace/guide/cssaceug.html