ACE in mixed L2 - L3 mode

Similar Messages

• ACE card reboots in VSS mode

  Hello, and sorry for the lenghty message.
  Yesterday we implemented VSS in our network and encountered a problem with the ACE module that I am trying to resolve.
  Here's the hardware layout
  two 6509 with the following line cards:
  Mod Ports Card Type                              Model              Serial No.
    1   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL1329U0TN
    2   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1327T950
    3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1325SHWN
    5    5  Supervisor Engine 720 10GE (Active)    VS-S720-10G        SAL1327T9A7
    6   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1328TM43
    9    1  Application Control Engine Module      ACE20-MOD-K9       SAD133201AN
    1  Centralized Forwarding Card WS-F6700-CFC       SAL1327TH0F  4.1    Ok
    2  Centralized Forwarding Card WS-F6700-CFC       SAL1317NUCC  4.1    Ok
    3  Centralized Forwarding Card WS-F6700-CFC       SAL1322R6K6  4.1    Ok
    5  Policy Feature Card 3       VS-F6K-PFC3C       SAL1326T3ME  1.0    Ok
    5  MSFC3 Daughterboard         VS-F6K-MSFC3       SAL1326T183  2.0    Ok
    6  Centralized Forwarding Card WS-F6700-CFC       SAL1327TA00  4.1    Ok
  Mod  Online Diag Status
    1  Pass
    2  Pass
    3  Pass
    5  Pass
    6  Pass
    9  Pass --More--
  Switch Number:     2   Role:  Virtual Switch Standby
  Mod Ports Card Type                              Model              Serial No.
    2   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1327TG40
    3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1328TM1R
    4   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1328TQCP
    5    5  Supervisor Engine 720 10GE (Hot)       VS-S720-10G        SAL1327T9B1
    6   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1328TQDS
    8   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1324S80K
    9    1  Application Control Engine Module      ACE20-MOD-K9       SAD133201A3
    2  Centralized Forwarding Card WS-F6700-CFC       SAL1327T9ZY  4.1    Ok
    3  Centralized Forwarding Card WS-F6700-CFC       SAL1327T80P  4.1    Ok
    4  Centralized Forwarding Card WS-F6700-CFC       SAL1327TCWJ  4.1    Ok
    5  Policy Feature Card 3       VS-F6K-PFC3C       SAL1327T9X8  1.0    Ok
    5  MSFC3 Daughterboard         VS-F6K-MSFC3       SAL1326T4QY  2.0    Ok
    6  Centralized Forwarding Card WS-F6700-CFC       SAL1326T2GC  4.1    Ok
    8  Centralized Forwarding Card WS-F6700-CFC       SAL1252EA2J  4.1    PwrDown
  Mod  Online Diag Status
    2  Pass
    3  Pass
    4  Pass
    5  Pass
    6  Pass
    8  Not Applicable
    9  Not Applicable
  =================================================
  Here's the problem:
  On the standby switch 2, the ACE module keeps rebooting. I first thought may be the power was not sufficient, so I checked the power utilization, and I have about 425 watts available.
  I shut the power to one of the 10/100/1000 line card and I still had the same problem.
  I moved the ACE module to SW1, trying to see if it would follow the problem and it did not have any issues.
  I shut down two (2) modules on switch 2, and I still have the same problem.
  Here's the log:
  odulee
  sm(cygnus_oir_bay slot9), running yes, state wait_til_online
  Last transition recorded: (disabled)-> stay_disabled (operator_power_on)-> can_p
  ower_on (yes_power)-> powered_on (real_power_on)-> check_power_on (timer)-> chec
  k_power_on (power_on_ok)-> wait_til_online (reset_timer_online)-> wait_til_onlin
  e (reset_timer_online)-> wait_til_online (reset_timer_online)-> wait_til_online
  (reset_timer_online)-> wait_til_online xit
  N-MSFC-VDR1-PRI#
  Dec 19 13:14:50 UTC: %C6KPWR-SW2_SPSTBY-4-DISABLED: power to module in slot 9 se
  t off (Module  Failed SCP dnld)
  Dec 19 13:14:52 UTC: %SYS-5-CONFIG_I: Configured from console by console
  =================================================================
  Does VSS shut down the ACE module because it sees two cards in one virtual switch?
  Also we have no configuration setting on the either one of the ACE module. We are doing this implementation in phases, and I was planning on applying some basic Load-balancing in a couple of weeks.
  I am not sure if this is a Chassis issue or VSS.
  Any help would greatly be appreciated.

  Hi,
  ACE software version A2(1.2) or later and installed in C6k running IOS 12.2(33)SXI or later support VSS.
  If the ACE is running lower version then you could see this issue. To resolve this issue you need to upgrade ACE modules.
  You could follow below process to Upgrade ACE from EOBC,
  You can follow  below process to boot from EOBC where ACE is in Switch 1 , slot 2.
  Make sure ACE A2(1.2) or later image is on flash/disk0 on SUP,
  Step 1: On Switch configure ACE module to boot from Switch disk0
  conf term
  boot device switch 1 module 2 disk0:c6ace-t1k9-mz.A2_1_5a.bin
  end
  Step 2: Power off ACE module in slot 2 by using command,
  (Config t) no power enable switch 1 module 2
  Step 3: To boot ACE module using EOBC
  hw-module switch 1 module 2 boot eobc
  Step 4: Then power on ACE module in slot 2 by using command,
  (Config t) power enable switch 1 module 2
  Step 5: Make sure ACE boots up and has correct version running.
  If ACE is already running support version for VSS or if you need any assistance to upgrade then please raise Service request with TAC.
  Hope this helps,
  Best Regards,
  Rahul

• ACE with cache engine "spoof" mode

  If Cache Engine use spoof mode, how ACE be configured for support this mode. Have it any command add into ACE?

  I am looking into this myself. Can the ACE work in this fashion:
  Clients VLAN 10
  Internet VLAN 20
  Cache Servers VLAN 30
  Traffic that comes in from clients on vlan 10, any of it that is tcp port 80, send to the cache on vlan 30. Traffic coming back from the internet, vlan 20, if its tcp port 80, send to the cache on vlan 30.
  Its basic layer 4 redirection. But when the traffic goes to the cache, the cache is not going to use its own IP to make the internet request, its going to use the clients IP, this is why a map is needed on vlan 10 and vlan 20, to ensure traffic is pipelined thru the ace. Has anyone done this?

• ACS 5.x AD mixed vs native mode

  we are turning off Mixed Mode in our AD environment, a change from which I'm told there is no retreat. Are there any configuration changes that need to be checked to support a 'Native' only AD environment.

  What version of ACS and what version of Windows AD?

• ACE dropped conns problem (Bridged mode)

  Dear all,
  I configured an ACE in bridged mode (inside vlan: 2012, outside vlan: 2021) and I apply the L4 policy on the 2 VLAN interface to loadbalance HTTP incoming request (Virtual IP: 172.22.22.130).
  interface vlan 2112
    bridge-group 1
    access-group input BPDU-Allow
    service-policy input POLICY-LB-HMC-2112
    no shutdown
  interface vlan 2122
    bridge-group 1
    access-group input BPDU-Allow
    service-policy input POLICY-LB-HMC-2112
    no shutdown
  But I need also that some other server connected to the same vlan 2112 and having to send HTTP request on the same VIP but this failed and I get dropped conns.
  Can anyone helps?
  Regards
  Abdelaziz

  Hi Olivier,
  This below the full config, and my need is to make a server in the inside VLAN 2112 (172.22.22.121) to open HTTPS connexion on the VIP (172.22.22.130 for rserver .131 & .132). Trafic from the outside is working well.
  Thanx,
  Abdealziz
  Generating configuration....
  access-list BPDU-Allow ethertype permit bpdu
  probe tcp HTTPS
    port 443
    interval 15
    passdetect interval 15
    passdetect count 1
  probe icmp PING
    interval 5
  rserver host CASHUB131
    ip address 172.22.22.131
    inservice
  rserver host CASHUB132
    ip address 172.22.22.132
    inservice
  serverfarm host SFARM-EXCAS130
    probe HTTPS
    rserver CASHUB131
      inservice
    rserver CASHUB132
      inservice
  parameter-map type connection TCP_IDLE_30min
    set timeout inactivity 1800
  class-map match-all CLASS-L4-VIP-EXCAS130
    2 match virtual-address 172.22.22.130 any
  class-map type management match-any REMOTE-ACCESS
    description management ACE
    10 match protocol telnet any
    20 match protocol ssh any
    30 match protocol icmp any
    31 match protocol https any
    32 match protocol snmp any
  policy-map type management first-match REMOTE-MGT
    class REMOTE-ACCESS
      permit
  policy-map type loadbalance first-match POLICY-L7-VIP-EXCAS130
    class class-default
      serverfarm SFARM-EXCAS130
  policy-map multi-match POLICY-LB-HMC-2112
    class CLASS-L4-VIP-EXCAS130
      loadbalance vip inservice
      loadbalance policy POLICY-L7-VIP-EXCAS130
      loadbalance vip icmp-reply
      connection advanced-options TCP_IDLE_30min
  interface vlan 2112
    bridge-group 1
    access-group input BPDU-Allow
    service-policy input POLICY-LB-HMC-2112
    no shutdown
  interface vlan 2122
    bridge-group 1
    access-group input BPDU-Allow
    service-policy input POLICY-LB-HMC-2112
    no shutdown
  interface bvi 1
    ip address 172.22.22.250 255.255.255.0
    peer ip address 172.22.22.251 255.255.255.0
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.22.22.254

• ACE; Dynamic SNAT in bridge mode without Dnat (VIP) needed

  Hi,
  We are interested about the ACE NAT performance. We would like to use this module just for the SNAT feature and only in bridge mode (to facilitate the ACE integration in the current network).
  the configuration could be similar to this one:
  class-map PrivateSource
  match source-address 10.0.0.0 255.0.0.0
  policy-map multimatch SourceNat
  class PrivateSource
  nat dynamic 1 vlan X
  interface vlan X (incoming traffic from the source)
  bridge-group 1
  service-policy in SourceNat
  nat-pool 1 publicIP netmask A.B.C.D pat
  interface vlan Y
  bridge-group 1
  Could anyone confirm if this feature is supported on the ACE and if the above configuration could be a good one?
  Many thanks for your help.
  Regards/Ludovic.

  Ludovic,
  ACE does not NAT bridged traffic.
  You could catch it with a catch-all-destination class-map
  ie:
  class-map all
  match virtual 0.0.0.0 0.0.0.0 any
  And use a transparent serverfarm sending all traffic to a unique default gateway.
  That would work.
  Gilles.

• ACE SM in a bridge mode

  We're architecting a pair of the ACE SM's and trying to better understand the upside/downside of configuring them in the bridged vs. a routed mode. Also, undr what circumstances  the bridge mode would be superior to the routing mode?
  Thanks..

  If running in bridged mode you are free to use any routing protocol your routers support. The ACE will not interfere with the routing.
  But beware, the ACE bridges only connected networks. Only version A2 3.0 has secondary address support.

• ACE FTP problem in active mode

  Hi everyone,
  i have a problem with active ftp (passive ftp works fine).
  here is my conf :
  access-list ANY line 8 extended permit icmp any any
  access-list ANY line 16 extended permit ip any any
  rserver host ftp1
    ip address 10.0.151.131
    inservice
  rserver host ftp2
    ip address 10.0.151.132
    inservice
  serverfarm host ftp
    transparent
    failaction reassign
    rserver ftp1
      inservice
    rserver ftp2
      inservice
  class-map match-any vip
    2 match virtual-address X.X.X.X tcp eq ftp
  policy-map multi-match LBPOL
    class vip
      loadbalance vip inservice
      loadbalance policy lbpol
      loadbalance vip icmp-reply active
      inspect ftp
  interface vlan 1000
    description public-side
    ip address Y.Y.Y.Y M.M.M.M
    no normalization
    no icmp-guard
    access-group input ANY
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    service-policy input LBPOL
    no shutdown
  interface vlan 100
    description private-side
    ip address 10.0.99.160 255.255.0.0
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    no shutdown
  on both hosts, i added X.X.X.X vip and the good rule/route with iproute2.
  as i said at the beginning, passive ftp is ok. active is not.
  while in active mode, i can connect to the ftp but any list/put/get fails.
  any idea ?
  MA

  One thing I don't understand here is why do you have
  serverfarm host ftp
    transparent
  With this in place the ACE will not rewrite the destination IP and the server will receive a packet destined to the VIP. This is not very common, but it can work. The rest of your config seems to be fine, except the missing lbpol policy.
  Which sw version are you running?

• WRT350N only shows 'mixed' in network mode

  Hi,
  I've got a WRT350N firmware v2.00.19, now all my gear is 802.11n I want to change the network mode on the router to be N only, but the only options I see under this setting are 'Mixed' and 'Disabled'.
  Anyone know how I can set it to N only?

  Hi Scrooge, tried your suggestion, got the power light flashing between green and orange then pulled power to the modem and router, restarted modem first them router. Still only see mixed and disabled in the network mode drop down, i'll try it a couple more times to see if my reboot restart timings makes any difference.
  Do you know the underlying cause of this? reset\reboot\unplug seems like a pretty random method?
  Thanks for your help with this!

• ACE in Direct Server Return mode not working as expected

  Dear all,
  I configured my ACE as I found it here:
  https://supportforums.cisco.com/docs/DOC-22555
  the VIP is working, that means I can ping it, routing is working etc.
  I created a loopback on the win2012 Server with the IP of the VIP. When I try now to test the LB with telnet on port 25 e.g. it is not working. direclty on the server it works, also in my last deployment where I use SNAT/PAT. But we want the real client IPs visible on the Exchange Server.
  Where is my problem ? Any ideas would be great..
  rserver host YY
    description AServer-1
    ip address 10.1.x.2
    inservice
  rserver host XX
    description AServer-2
    ip address 10.1.x.3
     inservice
  serverfarm host Mail
    description Mail
    transparent
    predictor leastconns
    rserver AServer-1
      inservice
    rserver AServer-2
  sticky ip-netmask 255.255.255.255 address both Mail
    timeout 5
    replicate sticky
    serverfarm Mail
  class-map match-all Exchange_ALL
    2 match virtual-address 192.168.1.1 any
  class-map type management match-any remote_access
    2 match protocol xml-https source-address 10.a.b.0 255.255.255.0
    3 match protocol icmp source-address 10.a.b.0 255.255.255.0
    5 match protocol ssh source-address 10.a.b.0 255.255.255.0
    7 match protocol https source-address 10.a.b.0 255.255.255.0
    8 match protocol snmp source-address 10.a.b.0 255.255.255.0
    9 match protocol xml-https source-address 10.d.e.1 255.255.255.255
    10 match protocol icmp source-address 10.d.e.1 255.255.255.255
    11 match protocol ssh source-address 10.d.e.1 255.255.255.255
    12 match protocol https source-address 10.d.e.1 255.255.255.255
    13 match protocol snmp source-address 10.d.e.1 255.255.255.255
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match mail
    class class-default
      sticky-serverfarm Mail
  policy-map multi-match VLAN20
    class Exchange_ALL
      loadbalance vip inservice
      loadbalance policy mail
      loadbalance vip icmp-reply
  interface vlan 2
    ip address 10.a.b.2 255.255.255.0
    access-group input ALL
    service-policy input remote_mgmt_allow_policy
    no shutdown
  interface vlan 20
    description Server
    ip address 10.1.x.20 255.255.255.0
    peer ip address 10.1.x.30 255.255.255.0
    no normalization
    access-group input ALL
    service-policy input VLAN20
    no shutdown
  ft interface vlan 4
    ip address 10.f.g.2 255.255.255.252
    peer ip address 10.f.g.1 255.255.255.252
    no shutdown
  ft peer 1
    heartbeat interval 300
    heartbeat count 10
    ft-interface vlan 4
  ft group 1
    peer 1
    associate-context Admin
    inservice
  ip route 10.d.e.0 255.255.255.255 10.1.x.1
  ip route 0.0.0.0 0.0.0.0 10.a.b.1

  Oh, I see. Very interesting indeed!
  Do you get the BAD CHECKSUM and IP CHECKSUM OFFLOAD on the remote sites?
  It could be this that is the problem. I read this and it seems as though it causes disconnects just as you experience too.
  or just disable - it worked for some here, but for others, they upgraded the drivers of the NIC:
  http://www.techsupportforum.com/forums/f137/wireshark-question-tcp-checksum-offload-248812.html
  1. Open Device manager (right click "Computer" and click "Manage")
  2. Click on "Device Manager"
  3. Expand "Network Adapters"
  4. Right click your network adapter
  5. click "properties"
  6. click the tab named "Advanced"
  7. Find "IP Checksum Offload" and click it
  8. Put the value to the right to "Disabled"
  9. Find "TCP Checksum offload (IPvX)
  10. Set the value to the right to "Disabled"
  The Wiki Wireshark article had this:
  In Windows, go to Control Panel->Network and Internet Connections->Network Connections, right click the connection to change and choose 'Properties'. Press the 'Configure...' button, choose the 'Advanced' tab to see or modify the "Offload Transmit TCP Checksum" and "Offload Receive TCP Checksum" values.
  It seems like a server side issue rather than Load Balancer problem.
  Hope this helps
  Please rate useful posts and remember to mark any solved questions as answered. Thank you.

• Can VIP and Rservers be in the same subnet in ACE Routed Mode

  Good Day,
  Sorry for the lengthy post.
  Currently I have a 6509s running in VSS mode with ACE30 in each chassis.
  I have 5 vlans, which the VSS is the L3 interface for each. 1 Vlan is for management, the others are the data vlans for the servers.
  The ACE is configured in bridge mode, with all VLANs going to a specific context (non Admin).
  Some of the Host on each VLANs are not utilized for load-balancing. The default gateway for each VLAN is configured on the VSS.
  I would like to setup the ACE in the routed mode, without having to change the IP address of each servers on different VLANs.
  Basically I want to turn off the SVIs on VSS and move the L3 interface on the ACE Context, and let it perform the local routing for all the hosts.
  I was going to add a new /30 L3 interface between the VSS and ACE to be utilized for default route traffic coming from the ACE Context, and static routes from VSS to ACE for traffic destined to host that are being load-balanced and not being load-balanced. Basically force the traffic through the load-balancer in/out.
  For future deployment, I was planning on using different IP address for the VIPs, and Real servers (most likely RFC 1918).
  From most of the examples I have seen the VIP and Rservers are in different Subnets. But because I am trying to not change the IP address of the rservers and VIP, I wanted to know if the VIP and Rservers can be configured to be in the same subnet where the ACE is in routed mode.
  Unfortunately I don't have a spare ACE to test scenario.
  As always any help would greatly be appreciated.
  Regards,
  Raman

  Link-local addresses are usually the self assigned IP address that a device will set when a DHCP server cannot be found. These are the addresses with 169.254.x.x subnet.
  If the router is assigning IP addresses for your network, then they will usually have a different IP subnet, possibly 192.168.0 for D-Link. And this subnet would be for the wired and wireless connections. So it would be more a case of bridging the two network topolgies rather than routing them.
  The network host is busy message could be more to do with the driver and the IP protocol selected when creating the queue than the connection being broken between the Mac and printer. If you were to open Network Utility and select the Ping tab, enter the IP address of the HP and set the pings to 4, pressing the Ping button will soon show if there is a path through the wireless to the printer.
  If you get a response to the ping you could then open Safari and type the ip address as the URL. This would then connect to the internal web page of the printer and possibly let you enable an IP protocol like LPR so that you can use LPD on the Mac instead of Bonjour to connect to the printer.
  As for the driver, you could look at using a Gutenprint driver instead of the HP driver or the hpijs package to get past the limitations that some printer drivers have with network connections.

• Using n80 wlan on mixed mode n/g access point?

  I have a d-link dgl-4500. I use it in mixed mode n/g. My computers can connect just fine.
  If I want to get the n80 to connect, I have to first change the wireless channel to 11 and then change it to channel 1.
  Then and only then will my n80 find the access point.
  If I set my AP to G only, then the wlan fires right up.
  I'm not an expert on wifi. Are there any advanced wifi settings I can change to help my n80 find the AP easier?
  current settings:
  2.4GHz mode
  mixed n/g mode
  2.412 CH. 1
  auto transmission rate
  20MHz channel width
  visible SSID
  beacon 100
  RTS threshold 2346
  fragmentation threshold 2346
  DTIM 1
  short GI yes
  802.11b protection no
  Those are my current settings.
  Thanks for anyone who can help.

  I have a d-link dgl-4500. I use it in mixed mode n/g. My computers can connect just fine.
  If I want to get the n80 to connect, I have to first change the wireless channel to 11 and then change it to channel 1.
  Then and only then will my n80 find the access point.
  If I set my AP to G only, then the wlan fires right up.
  I'm not an expert on wifi. Are there any advanced wifi settings I can change to help my n80 find the AP easier?
  current settings:
  2.4GHz mode
  mixed n/g mode
  2.412 CH. 1
  auto transmission rate
  20MHz channel width
  visible SSID
  beacon 100
  RTS threshold 2346
  fragmentation threshold 2346
  DTIM 1
  short GI yes
  802.11b protection no
  Those are my current settings.
  Thanks for anyone who can help.

• Sharing a VLAN between FWSM and ACE (Routed Mode)

  Anybody in here with experience on sharing a Vlan between an ACE and a FWSM module?
  I have a transfer network between the ACE and the FWSM in the same chassis. FWSM gets several vlans and ACE gets some Vlans.
  I wanted to configure it like this.
  firewall vlan group 10 <FWSM only vlans>
  firewall vlan group 20 <shared FWSM and ACE vlan>
  or
  svclc vlan group 20 <shared FWSM and ACE vlan>
  svclc vlan group 30 <ACE only vlans>
  The design hides the client side network and the server side network for the ACE behind the FWSM module.
  Layout:
  |-- Clients <--> MSFC <--> FWSM <--> ACE <--> Server --|
  So allocation on the 65xx would be like this.
  firewall module n vlan-group 10,20
  svclc module n vlan-group 20,30
  Any obvious issues with this design if you share the vlan(s) referred in group 20 with both modules?
  FWSM and ACE will be in routed mode.
  Thanks for reading...
  Roble

  Never mind...
  Just found the perfect answer for this in a another posting from Syed.
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=SNA%20Data%20Center%20Networking&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dddee0b/0#selected_message
  Roble

• ACE bridge mode , FWSM routed mode

  i have the following senario:
  MSFC ---vlan 777----FWSM----vlan160---ACE----VLAN180
  FWSM is working in routed mode and vlan 777 is shared between the MSFC and FWSM
  ACE is working in bridged mode and vlan 160 is shared between the FWSM and ACE
  vlan 180 is the server side vlan
  i want he FWSM ip address to be the Server gateway while ACE module in
  bridge mode
  i create bvi interface but i can't ping from ACE to FWSM or from FWSM to
  ACE
  if i change ACE to routed mode , i can ping to FWSM
  any body can help me in this issue?

  The config looks good.
  I would look at the arp table on FWSM and ACE when the ping fails and also capture a sniffer trace of ACE tengig interface and see if the ping request goes out - on which vlan - and if we get a response.
  Is evertyhing else working ?
  Like ping through the ACE module ?
  Your config does not show a 'no shutdown' on the vlan interface, but I assume you fixed that already.
  Gilles.

• ACE Module Management IP

  How can I configure ssh management access to the ACE module configured in bridged mode.

  do not mix "domain" name and user "domain".
  The domain name is something like cisco.com or yourcompany.net ...
  But the user domain is what objects is a user allowed to modify/configure/access inside ACE.
  I don't think you need to specify a domain-name to generate the key.
  Here is what I did :
  switch/Admin(config)# ssh key rsa 768
  generating rsa key(768 bits).....
  generated rsa key
  switch/Admin(config)#
  gdufour-cat6k1#ssh -l admin 10.86.213.40
  Password:
  Cisco Application Control Software (ACSW)
  TAC support: http://www.cisco.com/tac
  Copyright (c) 2002-2008, Cisco Systems, Inc. All rights reserved.
  The copyrights to certain works contained herein are owned by
  other third parties and are used and distributed under license.
  Some parts of this software are covered under the GNU Public
  License. A copy of the license is available at
  http://www.gnu.org/licenses/gpl.html.
  User 'www' is disabled.Please change the password to enable the user.
  switch/Admin#
  Just make sure you allow SSH traffic with your management policy.
  Gilles.