AVS and ACE

Unanswered Question
Aug 7th, 2006

I am having some trouble getting the difference of the AVS Appliance vs. the ACE Module for the Cat6K.

Our ACE Modules are already about to be shipped, so I am looking forward to getting my hands on those. Checking the Application Solution Section, there is also the "newly acquired" AVS Appliance listed.

A: Is the AVS a supplement to the ACE Module in areas of HTTP, SSL, compression etc. and more granular payload inspection?


B: Is the AVS a "rival" product with different features?


We have some discussions regarding the enhancement of our Portal-Infrastructure and some guys are always putting Netscaler from Citrix on the agenda. I am sure it is a nice product but I like to keep my environment as far Cisco as I can.

That's why it would be nice to get some advice on how to rate, position or compare the ACE, AVS vs. the Netscaler solution. I have the feeling some of the features which are in the mentioned Netscaler are split into two Cisco products.


Points of interest are...


+Payload/Packet-Inspection

+Compression


Thanks for reading...

Overall Rating: 5 (2 ratings)
Roble Mumin Tue, 08/08/2006 - 02:10

Can anyone Comment on my impressions listed below and also on my problems in the above Posting?


AVS: Security, TCP Multiplexing, Compression and NO Loadbalancing.


ACE: Security, Loadbalancing, Virtualization and TCP Multiplexing but NO Compression? Could Compression be added in future SW Releases?


vs.


Netscaler: Security, TCP Multiplexing, Compression and Loadbalancing


C: If you would combine the ACE and AVS, are you supposed to put the AVS behind the ACE for the use of its security features or in front of a Cat6K with ACE Module?

D: If you put it behind the ACE, is the idea of running it transparent as more or less an IDS with App-Acceleration and Caching an approach?


E: If you use the Security features of both devices you have more or less a double inspection of the Payload with the AVS going into more depth than the ACE?


Would be great if someone had any experience or advice.


Roble


syediahm Thu, 08/17/2006 - 01:55

AVS provides performance optimization, monitoring & security for "WEB based Applications".

AVS is implemented as an application proxy. This means that beyond simply processing or caching the application stream, it maintains intelligence about what's happening on the network. AVS reduces the traffic between end user and application server.

AVS devices are placed behind loadbalancers. In loadbalanced environments one vip (let's say vip1) is defined for AVS appliances and a 2nd vip (vip2) is assigned to APPs servers.

When a client makes a request to the application, the loadbalancer (ACE/CSM/CSS) forwards the traffic to the AVS pool. The selected AVS device then makes a request to vip2 (appserver vip). The response from the app server is then processed by the AVS appliance and sent back to the user.





Roble Mumin Fri, 08/18/2006 - 07:22

Great!


That makes sense and also sounds like a fairly easy method to implement.

Any hints on the capabilities security wise? The AVS IMHO does inspection of the terminated traffic. And if I am not wrong the ACE does also some type of inspection.

Can you or should or shouldn't you mix those features in a data center environment?

My ACEs arrived yesterday, so once I get an overview of the new blades my questions will probably get a bit more precise.


Anyway thanks a lot for answering.


Roble

syediahm Fri, 08/18/2006 - 11:22

AVS Security system blocks the following attacks:


Cookie/Session Poisoning

Web Port misuse (Port 80, 8080?)

HTTP tunneling

IM/P2P, MIME policy violation

HTTP header integrity violation

SQL, Cmd, LDAP Injection

Format String Attacks

Cross-Site Scripting

Application Reconnaissance

Buffer Overflows

Directory Traversals

Application Fingerprinting

Application Platform Exploits

Parameter Tampering


ACE Security features:


Access Control Lists

DOS protection

TCP Normalization

TCP checksum

HTTP Filtering


AVS is more of a Layer 7 application proxy that looks deep into the application headers to find anomalies.

Hope it helps

Syed Iftekhar Ahmed

Roble Mumin Fri, 08/18/2006 - 23:12

Thanks Ahmed!


Once I have ported the boxes from CSS to the ACE, an AVS might be a good addition to the current infrastructure. And I can also stay clear of that Netscaler stuff.


Roble



ab_parkhi Mon, 09/18/2006 - 09:07

Hi,


Can I replace CSS with ACE for load balancing, as we are planning to upgrade CSS?


Thanks


Roble Mumin Tue, 09/19/2006 - 00:33

That is what I'm currently working on.

I am testing our ACE Modules with the Portal Application.

Once I have finished that I can give you a bit more info on the transition.

Anyway, I think those ACEs are a nice replacement for the CSS but I have the feeling the SW is still a bit buggy. I have a lot of strange behaviour right now which I can't fully explain so far. Having a look at the Bugtool convinces me of my theory that the SW needs a bit more work. Hope they have a bugfixed Release soon.

Config wise I feel much more comfortable with them compared to the CSSes.

Sbutzek Sat, 09/23/2006 - 06:08

Hi,


On the ACE Module, there are two slots for adding sub modules on it.

So there will be some enhancements for the ACE available later.

I think this will be compression and something similar to the AVS engine.


