ACE vs CSS (or CSM!)

Unanswered Question
Jan 28th, 2009
User Badges:

I really thought that the Cisco EOL CSS and replaced it with ACE.


It seems that CSS is still very much alive and being sold. How would you compare CSS to ACE? Features, Design, Cost, Licensing ..etc


When I compare these two - few things that jump out are:



CSS1500s - up to 40GB throughput

4710 ACE - up to 4GB throughput

Module ACE - up to 64GB throughput


So right away - if I needed appliance that could handle 20GB throughput I would need to go with CSS.


ACE - context supported

CSS - not supported (didn't find it being supported)


So again - if I need an environment with multiple virtual contexts, I would need to go with ACE.


CSS, CSM, ACE .. too many choices!


thoughts?



Thank you

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Loading.
veriton Fri, 01/30/2009 - 07:59
User Badges:

Are CSS11500's EOL? Any EOL announcement is not mentioned here:

http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_eol_notices_list.html or on the CSS 11500 page:

http://www.cisco.com/en/US/products/hw/contnetw/ps792/index.html


The CSS 11500 products have served me well at a number of customers and I think competes well with F5 BIG-IP, certainly at the smaller end of the enterprise market. I can't comment on virtual contexts though.

Collin Clark Fri, 01/30/2009 - 09:39
User Badges:
  • Purple, 4500 points or more

I'm sure the EoL is coming (since the introduction of the ACE), but I have not heard of any dates. We have both in our environment and the ACE blows away the CSS in features, config, etc. We're planning on removing all CSS's and going to just the ACE. The ACE (in our configurations) are quite a bit cheaper. The FO is better, the multiple contexts is just plain cool, even the WebUI (which I normally don't like) is nice and easy, and ACL's actually work with the ACE. I heard that Cisco hired some MAC GUI developers to help in the design of it. My vote is for the ACE, it's not even close.

Gilles Dufour Tue, 02/03/2009 - 05:48
User Badges:
  • Cisco Employee,

There is indeed no EOL annoncement for the CSS11500. Not sure when it will come. Probably not in the next 6 months (but no guarantee).


Indeed the CSS does not have virtualization.

It is also lacking the dynamic cookie stickyness. It does not have the caching and http optimization offered by the ACE appliance. Only limited DoS protection on the CSS vs large Firewall features on ACE.

No HW module required for SSL/Compression support on the ACE appliance.

No HTTP header insert function on the CSS.


G.

vpetracca Tue, 02/10/2009 - 03:51
User Badges:

Hi Gilles.


I'm going to do a migration from CSM to ACE Service Modules.


Before doing it i would like to make a good presentation to the customer on what are the main differences between these two product.


I'm not talking about hardware , capacity virtualization and so on.


Customer would like to know major differences between configuration option like predictor ( new predictor or something like that..), probes , serverfarm options...

etc..


Something that you know it is possible to do with Ace and not with csm and that can be useful for the customer or that can impress ..


Thanks in advance.

Vittorio

Syed Iftekhar Ahmed Tue, 02/10/2009 - 12:22
User Badges:
  • Blue, 1500 points or more

Features Not available in CSM


SIP loadbalancing

Connection rate limiting per VIP and per Real

SNMP based LB decisions (CPU,mem,disk space)

Least bandwisth predictor

Virtualization

TCP Reuse

Http Compression

Http optimzation

TCP/IP Normalization

Http,DNS,Ldap,Rtsp,ICmp,SIP,skinny fixups

Configuration checkpoints


Syed

Syed Iftekhar Ahmed Tue, 02/10/2009 - 13:49
User Badges:
  • Blue, 1500 points or more

Correct.

I mixed up ACE module with ACE appliance.


As per Cisco Http Compression is committed for ACE module.

I am not sure if HTTP optimization will be available on ACE module.


Syed

vpetracca Wed, 02/11/2009 - 00:58
User Badges:

Thanks Syed for the informations.

Another question..


In the actual CSM configuration

that we are going to migrate we use this basic type of configuration for Vservers :


-------------------------------

real name A

ip address x.x.x.x

inservice

real name B

ip address x.x.x.x

inservice

probe TCP tcp

interval 30

retries 4

failed 15

!


serverfarm SF

real name A

inservice

real name B

inservice

probe TCP


vserver VIP

virtual V.V.V.V tcp www

serverfarm SF

advertise active

persistent rebalance

inservice

--------------------------------


So basically we put the tcp port value only on the vserver object . And this is inherited

by all the other objects..


Is it possible to do the same ( or similar) with ACE ?




Syed Iftekhar Ahmed Wed, 02/11/2009 - 01:21
User Badges:
  • Blue, 1500 points or more

Destination ports will not get translated until you use "rserver under Server Farm definition.


Only exception is that in ACE Module you have to define port under probe. If you donot define port it doesn't inherit the port number of the real server.


(The above mentioned functionality is available in ACE appliance.Probe defined in Ace Appliance does inherit port number form real).


Your CSM config will translate into ACE as follows




probe tcp TCP80

port 80

interval 30

faildetect 4

passdetect interval 15

receive 4

open 4



rserver host A

ip address x.x.x.x

inservice


rserver host B

ip address x.x.x.x

inservice



serverfarm host SF

probe TCP80

rserver A

inservice

rserver B

inservice


parameter-map type http VIP_HTTP

persistence-rebalance



class-map match-all VIP

match virtual-address V.V.V.V tcp eq www




policy-map type loadbalance first-match VIP

class class-default

serverfarm SF


policy-map multi-match POLICYxyz

class VIP

loadbalance vip advertise active

appl-parameter http advanced-options VIP_HTTP

loadbalance policy VIP

loadbalance vip inservice

loadbalance vip icmp-reply active


HTH

Syed Iftekhar Ahmed


vpetracca Wed, 02/11/2009 - 02:39
User Badges:

So the only solution with Ace

module is to create many different probes...Correct?

Thanks a lot

Vittorio


Gilles Dufour Wed, 02/11/2009 - 03:42
User Badges:
  • Cisco Employee,

Syed,


man!!! I just discovered the module didn't have inheritance.

I found the code diff that was added to the appliance and indeed it is not in the module.

I will make sure this code is added quickly to the module.

It should work in A2(1.5)


Gilles.

vpetracca Wed, 02/11/2009 - 03:51
User Badges:

Hi Gilles ..

Are you talking only about ACE appliance ? Correct ?

About ACE module "inheritance" will never be possible ?

Customer is using it a lot on CSM...to have a shorter config file..

Thanks

Vittorio

Syed Iftekhar Ahmed Wed, 02/11/2009 - 13:52
User Badges:
  • Blue, 1500 points or more

Yes you need to create probes for each unique port in ACE Module.


Gilles is talking about inheritance in ACE module. After the code mentioned by Gilles, Ace module's probes will be able to inherit port numbers from reals.


Syed Iftekhar Ahmed

vpetracca Thu, 02/12/2009 - 00:48
User Badges:

Hi Syed.

First of all thanks for all the informations your are giving..


We will use 3.0.0_A1_6_3c Ace software version.


So are you telling me that it is possible to use on ACE Service Module inheritance on probes ?


Have a nice day

Vittorio

Syed Iftekhar Ahmed Thu, 02/12/2009 - 01:16
User Badges:
  • Blue, 1500 points or more

Vittorio


We are moving in circles:)


No you got it wrong. Probe inheritance is not a feature in any of the current "ACE Module" code. Gilles promised that it will be available in a future release.


Currently only ACE appliance supports this feature.


In summary


Probe Inheritance is not supported in ACE Module (In future we will get it).


Syed


vpetracca Thu, 02/12/2009 - 01:26
User Badges:

Sorry for the misunderstanding.

Ok Syed.


Great informations from you and Gilles.


Can i make the last question ?


I prefer to ask you before doing it.


Just tell me if i can.


It is about a CSM variable called ROUTE_UNKNOWN_FLOW_PKTS !


Vittorio




Syed Iftekhar Ahmed Thu, 02/12/2009 - 01:42
User Badges:
  • Blue, 1500 points or more


The variable you mentioned is mostly used in one arm mode.It is used to allow the CSM to

handle "server-initiated flows" or "connections which bypass

the CSM" - e.g. when opening an HTTP connection to a real server bypassing the

VIP


for such scenarios "variable ROUTE_UNKNOWN_FLOW_PKTS 2" is used in CSM


If this variable value is not set, the CSM would drop such connections because the initial

SYN was never seen by CSM.

For more details


http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ServerFarmSec_2.1/5_CSM.pdf






In one-arm mode ACE to achieve this you need to turn off normalization


for e.g


interface vlan xxx

ip address 10.1.1.1 255.255.255.0

alias 10.1.1.3 255.255.255.0

peer ip address 10.1.1.2 255.255.255.0

no normalization <----------------------*****


HTH

Syed Iftekhar Ahmed


vpetracca Thu, 02/12/2009 - 02:01
User Badges:

You perfectly understand my needs.


What you described is the actual CSM configuration.


When we installed the CSM customer preferred to use One-Arm mode with the variable ROUTE_UNKNOWN_FLOW_PKTS 2

because he doesn't want the CSM to be the default-gateway for servers.

So also ACE ( if i don't put NO NORMALIZATION on interface Vlan) will drop connections which initial SYN was never seen by ACE ?



Syed Iftekhar Ahmed Thu, 02/12/2009 - 02:08
User Badges:
  • Blue, 1500 points or more


Correct.

In order to support Asymmetric routing on ACE you need to disable normalization.


Syed



vpetracca Thu, 02/12/2009 - 03:14
User Badges:

I'll be working on lab simulating the migration from CSM to ACE.

All the informations you gave to me will be very useful.


I think i'll will continue this discussion when i'll have some new questions based on direct experience on my lab.


Bye and thanks again.


Vittorio

vpetracca Mon, 02/16/2009 - 07:59
User Badges:

Hi Syed..

I've been starting my lab..


A question :


Two context :


1 - "Production" where there will be the " production VIPs"

2 - "Test" where there will be "testing VIPs"


We will "limit-resource all"


A right or better configuration for for create resource-class:


1) Admin Context

2) Production context

3) Test Context


Basically the question is :


if we don'use Admin context to create Vips how much is better to limit the resource allocated for this context ( minimum e maximum)..


I know that you should know customer enviroment but ..Some hints & trips ?


Thanks a lot

Vittorio

Syed Iftekhar Ahmed Mon, 02/16/2009 - 16:43
User Badges:
  • Blue, 1500 points or more

A common misconfiguration I have seen is that people forget to reserve resources for Admin contexts.

Admin context is assigned to default resource-class

(with no minimal resource defined ) and this makes it suseptible to situations

where there are no resources available for Admin context.


If your Admin context is just for admin purposes (no LB traffic)

then there should be 1% to 5% resources reserved for Admin context.


Its recommended that new ACE installations do not exceed 60 to 80 percent of the module's total capacity.

To accomplish this goal you can create a reserved resource class with a guarantee of 20 to 40 percent of

all the ACE resources and configure a Dummy virtual context dedicated solely to ensuring that these resources are reserved.


With this Dummy context ( Resources assigned but not used) gives you a buffer of resources that can be used

If some of the existing contexts require more resources due to traffic increase.


HTH

Syed Iftekhar Ahmed

vpetracca Wed, 02/18/2009 - 05:12
User Badges:

Hi Syed


I'm continuing my lab and so new questions..


Now I would like to talk about sticky with two question :


1) " sticky-Limits the number of entries in the sticky table. You must configure a minimum value for sticky to allocate resources for sticky entries, because the sticky software receives no resources under the unlimited setting" .


So if I create a resource- class with limit-resource all , sticky have no resource available ?


2) How many sticky group can I create in a context ?


Have a nice day and thanks for all your answers and advises.


Vittorio



vpetracca Fri, 03/06/2009 - 01:36
User Badges:

Hi Syed.


I'm always working on lab , migrating from CSM to ACE Module.


Customer used to do stickyness based on cookie insert by the CSM.


Now i'have a question.


The cookie created by ACE can be a Session cookie ( broowser expires) or can a a validity time.


How can i set the validity time of the cookie in ACE ?


We do it on CSM with a variable..


Thanks Vittorio

Syed Iftekhar Ahmed Tue, 02/17/2009 - 09:41
User Badges:
  • Blue, 1500 points or more

With probe inheritance, you dont need to define port number in probe definition. Probe inherits it from the real server port.


It enables you to create a single probe and assign it to multiple Serverfarms.


Syed Iftekhar Ahmed

Actions

This Discussion