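ACE is configured very differently from CSS/CSM. A configuration migration tool is therefore provided so that
customers using existing Cisco load balancer products can migrate easily.
This tool is used by accessing the ACE from a web browser.
To access the ACE, you need to configure a management IP address and permit HTTP access from outside,
as in the configuration example below.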
ACE20/Admin# sh run
Generating configuration....

hostname ACE20

class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any
  6 match protocol https any
  7 match protocol snmp any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

service-policy input remote-mgmt

interface vlan 100
  ip address 1.164.0.47 255.0.0.0
  no shutdown
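After this configuration, accessing the ACE from a web browser displays a page like the one below.
Here, as an example, we use the CSS2ACE conversion tool to convert a CSS configuration into an ACE configuration.
Clicking CSS2ACE conversion tool displays a screen like the one below; enter the CSS configuration
in the box on the left and click GETACE Commands.
The ACE configuration is then displayed as shown below.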
ACE commands:

Configuration commands for Admin context:
-----------------------------------------
resource-class RC1
  limit-resource sticky minimum 10 maximum unlimited

context test
  member RC1
  allocate-interface vlan 777
  allocate-interface vlan 778

Configuration commands for test context:
-----------------------------------------
access-list PERMIT_ALL extended permit ip any any

probe icmp PROBE_SERVICE_ICMP
  interval 5
  passdetect interval 5

rserver host sv1
  inservice
  ip address 192.168.78.1
  probe PROBE_SERVICE_ICMP
rserver host sv2
  inservice
  ip address 192.168.78.2
  probe PROBE_SERVICE_ICMP

serverfarm host telnet
  probe PROBE_SERVICE_ICMP
  rserver sv1
    inservice
  rserver sv2
    inservice
serverfarm host test
  probe PROBE_SERVICE_ICMP
  rserver sv2
    inservice
  rserver sv1
    inservice
serverfarm host test2
  probe PROBE_SERVICE_ICMP
  rserver sv1
    inservice
serverfarm host test2_BACKUP
  probe PROBE_SERVICE_ICMP
  rserver sv2
    inservice
serverfarm host test3
  probe PROBE_SERVICE_ICMP
  rserver sv2
    inservice

sticky http-cookie ACE_COOKIE test2_STICKY
  cookie insert
  replicate sticky
  serverfarm test2 backup test2_BACKUP

parameter-map type http CASE_PARAM
  case-insensitive
parameter-map type ssl test_1_SSL_SSLTERM
  cipher RSA_EXPORT_WITH_RC4_40_MD5

ssl-proxy service test_1_SSL
  cert oldcert
  key oldkey
  ssl advanced-options test_1_SSL_SSLTERM

class-map type management match-any TO-CP-POLICY
  match protocol icmp any
  match protocol telnet any
  match protocol snmp any
  match protocol ssh any
class-map type http loadbalance match-any test_CLASSURL
  match http url "[.]*"
class-map match-all test3_CLASS
  match virtual-address 192.168.77.100 tcp eq 12345
class-map match-all telnet_CLASS
  match virtual-address 192.168.77.100 tcp eq 23
class-map type http loadbalance match-any test2_CLASSURL
  match http url "/test2*"
class-map match-all ssl_CLASS
  match virtual-address 192.168.77.100 tcp eq 443

policy-map type loadbalance first-match test3_POLICY
  class class-default
    serverfarm test3
policy-map type loadbalance first-match telnet_POLICY
  class class-default
    serverfarm telnet
policy-map type loadbalance first-match ssl_POLICY
  class test2_CLASSURL
    sticky-serverfarm test2_STICKY
  class test_CLASSURL
    serverfarm test
policy-map type management first-match TO-CP-POLICY
  class TO-CP-POLICY
    permit
policy-map multi-match POLICY
  class test3_CLASS
    appl-parameter http advanced-options CASE_PARAM
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    loadbalance policy test3_POLICY
  class telnet_CLASS
    appl-parameter http advanced-options CASE_PARAM
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    loadbalance policy telnet_POLICY
  class ssl_CLASS
    ssl-proxy server test_1_SSL
    appl-parameter http advanced-options CASE_PARAM
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    loadbalance policy ssl_POLICY

service-policy input TO-CP-POLICY
service-policy input POLICY

interface vlan 778
  ip address 192.168.78.250 255.255.255.0
  access-group input PERMIT_ALL
  no shutdown
interface vlan 777
  ip address 192.168.77.250 255.255.255.0
  access-group input PERMIT_ALL
  no shutdown
CSS commands:

configure


!*************************** GLOBAL ***************************
  ssl associate rsakey oldkey old.p12
  ssl associate cert oldcert old.p12
  ssl associate rsakey newkey new.p12
  ssl associate cert newcert new.p12

  ftp-record DEFAULT_FTP 1.160.0.52 root des-password ig5haaufqbnfuarb /tftpboot/webns

!************************* INTERFACE *************************
interface 1/1
  bridge vlan 777

interface 1/2
  bridge vlan 778

!************************** CIRCUIT **************************
circuit VLAN777

  ip address 192.168.77.250 255.255.255.0

circuit VLAN778

  ip address 192.168.78.250 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list test
  ssl-server 1
  ssl-server 1 vip address 192.168.77.100
  ssl-server 1 cipher rsa-export-with-rc4-40-md5 192.168.77.100 80
  ssl-server 1 rsakey oldkey
  ssl-server 1 rsacert oldcert
  active

!************************** SERVICE **************************
service ssl
  keepalive type none
  slot 3
  type ssl-accel
  add ssl-proxy-list test
  active

service sv1
  ip address 192.168.78.1
  active

service sv2
  ip address 192.168.78.2
  active

!*************************** OWNER ***************************
owner test

  content ssl
    add service ssl
    vip address 192.168.77.100
    port 443
    protocol tcp
    active

  content telnet
    vip address 192.168.77.100
    port 23
    protocol tcp
    add service sv1
    add service sv2
    active

  content test
    port 80
    protocol tcp
    url "/*"
    add service sv2
    vip address 192.168.77.100
    add service sv1
    active

  content test2
    vip address 192.168.77.100
    advanced-balance arrowpoint-cookie
    port 80
    protocol tcp
    url "/test2*"
    add service sv1
    primarySorryServer sv2
    arrowpoint-cookie path "/test2"
    active

  content test3
    vip address 192.168.77.100
    port 12345
    protocol tcp
    add service sv2
    active
Unsupported CSS commands:

# 1 configure
# 5 ssl associate rsakey oldkey old.p12
# 6 ssl associate cert oldcert old.p12
# 7 ssl associate rsakey newkey new.p12
# 8 ssl associate cert newcert new.p12
# 10 ftp-record DEFAULT_FTP 1.160.0.52 root des-password ig5haaufqbnfuarb /tftpboot/webns
# 13 interface 1/1
# 14 bridge vlan 777
# 16 interface 1/2
# 17 bridge vlan 778
# 35 active
# 39 keepalive type none
# 40 slot 3
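The configuration above is not optimized (for example, service-policy is configured in global mode),
but it shortens the time to migration compared with configuring from scratch. It is therefore
recommended as a tool for existing CSS/CSM users who are unfamiliar with ACE configuration when they migrate to ACE.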
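An added example, not part of the original page or of Cisco's tool: a small Python check a reviewer could run over the converted output before applying it, flagging settings that appear in the output above, namely the export-grade cipher RSA_EXPORT_WITH_RC4_40_MD5, cleartext management protocols matched from any source, and the PERMIT_ALL access list. The weak-suite pattern and the finding names are assumptions of this example; the sample is an excerpt of the page's output with indentation reconstructed.

```python
import re

# Excerpt of the converted output shown on this page (indentation reconstructed).
SAMPLE = """\
access-list PERMIT_ALL extended permit ip any any
parameter-map type ssl test_1_SSL_SSLTERM
  cipher RSA_EXPORT_WITH_RC4_40_MD5
class-map type management match-any TO-CP-POLICY
  match protocol icmp any
  match protocol telnet any
  match protocol snmp any
  match protocol ssh any
class-map match-all ssl_CLASS
  match virtual-address 192.168.77.100 tcp eq 443
"""

CLEARTEXT_MGMT = {"telnet", "http", "snmp"}  # unencrypted management protocols
# Assumption: the reviewer's own pattern for suites to reject.
WEAK_CIPHER = re.compile(r"EXPORT|RC4|_MD5|_DES_|NULL")


def audit(config: str) -> list:
    """Return (stanza, finding, offending line) for each risky setting."""
    findings, stanza = [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # a column-0 line starts a new stanza
            stanza = line
        words = line.split()
        if words[0].isdigit():  # sequence number, as in "2 match protocol telnet any"
            words = words[1:]
        if words[:1] == ["cipher"] and stanza.startswith("parameter-map type ssl"):
            if len(words) > 1 and WEAK_CIPHER.search(words[1]):
                findings.append((stanza, "weak-cipher", line))
        elif words[:2] == ["match", "protocol"] and stanza.startswith("class-map type management"):
            if len(words) == 4 and words[2] in CLEARTEXT_MGMT and words[3] == "any":
                findings.append((stanza, "cleartext-mgmt-from-any", line))
        elif words[:1] == ["access-list"] and words[-4:] == ["permit", "ip", "any", "any"]:
            findings.append((stanza, "permit-any-any", line))
    return findings


if __name__ == "__main__":
    for stanza, kind, line in audit(SAMPLE):
        print(f"{kind:24} {stanza!r}: {line}")
```

The same function handles the numbered match lines of the management class-map in the first configuration example.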
Also, because migration from CSM targets the ACE module, the ACE appliance implements only the
CSS2ACE conversion tool, as shown below.
For details on how to use this tool, see the following.
# ACE module
Cisco CSM-to-ACE Conversion Tool User Guide
Cisco CSS-to-ACE Conversion Tool User Guide
# ACE appliance
Cisco CSS-to-ACE Conversion Tool User Guide