How to create Cisco ACE virtual contexts.

A virtual Context within a Cisco ACE module is similar to what a hypervisor is in VMware or what a VDC is in within Nexus.  Virtual Contexts are nice for all aspects of load balancing since it gives the customer or department a logical seperation for a variety of reasons.  I am one who likes the ACE appliances and ACE blades.  This is for a 4710 appliance.  A blade is very similar where instead of doing your trunking to the port channel to the appliance one would simply have to create the svcgroups in the running config of a 6500.  Here is our very simple Diagram.


I will use VLAN 5 for Management.  Every context will simply receive a management IP via VLAN 5.  VLANs 10,20,30 Will be production or Load balancing VLANs.  100,200,300 will be setup as whats called Fault Tolerance VLANs.  These VLANs simply work in the Context to sync the running config back and forth between each ace device.  These do not have to be routable so you can simply pick and layer 3 subnet that will run back and forth between your switches and ACEs. What is extremely nice about the ACE’s is that you can have a ACE completely tank and the other one will take every session without skipping a beat you can also have the ace track who the hsrp primary is for that vlan in its context to be the primary for the context… yes you can mix and match contexts.  So you can have vlan 10 be the primary for the ace context on the left and vlan 20 the primary for the ace on the right.  I like the ACE devices its a shame that they are going to be EOS here soon.

So the first thing you will want to do is trunk your vlans over from your switch via the port channel on lets say a 6500.  This has to be done on both switches.  Obviously each VLAN has to be allowed via the port channel between the 6500s as well.

interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 5,10,20,30,100,200,300,500
switchport mode trunk
no ip address
mls qos trust dscp


On Each ACE.

interface gigabitEthernet 1/1
channel-group 1
no shutdown
interface gigabitEthernet 1/2
channel-group 1
no shutdown
interface gigabitEthernet 1/3
channel-group 1
no shutdown
interface gigabitEthernet 1/4
channel-group 1
no shutdown

There it is all of are VLANs are not trunked over.  Next when you first install your ACE you will be dropped into the ADMIN context.  This is where all the magic happens.  Where all the new contexts are created.  Now keep in mind that everything is blocked by default since the ACE shares a similar platform to the FWSM firewall.  So with your management VLAN you will have to tie in a class-map and policy map to allow management traffic.. telnet,ssh,icmp etc.

class-map type management match-any REMOTE_ACCESS_CLASS
2 match protocol icmp any
3 match protocol telnet any
4 match protocol ssh any
5 match protocol snmp any
policy-map type management first-match MGMT-POLICY

interface vlan 5
ip address
peer ip address ( This is needed for FT)
service-policy input MGMT-POLICY
no shutdown

Now to the contexts!  I am going to simply create VLAN 10

Context VLAN10

allocate-interface 10

allocate-interface 5

allocate-interface 100

Now I should be able to see my contexts to switch to VLAN 10

TESTACE/Admin# changeto ?

Next for FT for my management VLAN in the ADMIN context.

ft interface vlan 500
ip address
peer ip address
no shutdown

Next for FT for my VLAN 10 contexts.

ft group 2
peer 1
priority 150
peer priority 110
associate-context VLAN10

Now if I wanted to create a FT group 3 for vlan 20 I could have mix and match priorities making the other the Primary ace.   After doing all the leg work on the primary ace once I put the FT interface and trunk all my VLANs over to the secondary Ace I should get the exact same configuration as well as contexts on the other 4710.




Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: