New Member

ACE vs CSS (or CSM!)

I really thought that Cisco had EOL'd the CSS and replaced it with ACE.

It seems that CSS is still very much alive and being sold. How would you compare CSS to ACE? Features, Design, Cost, Licensing ..etc

When I compare these two - few things that jump out are:

CSS1500s - up to 40GB throughput

4710 ACE - up to 4GB throughput

Module ACE - up to 64GB throughput

So right away - if I needed appliance that could handle 20GB throughput I would need to go with CSS.

ACE - context supported

CSS - not supported (didn't find it being supported)

So again - if I need an environment with multiple virtual contexts, I would need to go with ACE.

CSS, CSM, ACE .. too many choices!

thoughts?

Thank you

26 REPLIES
New Member

Re: ACE vs CSS (or CSM!)

Are CSS11500's EOL? Any EOL announcement is not mentioned here:

http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_eol_notices_list.html or on the CSS 11500 page:

http://www.cisco.com/en/US/products/hw/contnetw/ps792/index.html

The CSS 11500 products have served me well at a number of customers and I think competes well with F5 BIG-IP, certainly at the smaller end of the enterprise market. I can't comment on virtual contexts though.

Re: ACE vs CSS (or CSM!)

I'm sure the EoL is coming (since the introduction of the ACE), but I have not heard of any dates. We have both in our environment and the ACE blows away the CSS in features, config, etc. We're planning on removing all CSS's and going to just the ACE. The ACE (in our configurations) are quite a bit cheaper. The FO is better, the multiple contexts is just plain cool, even the WebUI (which I normally don't like) is nice and easy, and ACL's actually work with the ACE. I heard that Cisco hired some MAC GUI developers to help in the design of it. My vote is for the ACE, it's not even close.

Cisco Employee

Re: ACE vs CSS (or CSM!)

There is indeed no EOL announcement for the CSS11500. Not sure when it will come. Probably not in the next 6 months (but no guarantee).

Indeed the CSS does not have virtualization.

It is also lacking the dynamic cookie stickiness. It does not have the caching and HTTP optimization offered by the ACE appliance. Only limited DoS protection on the CSS vs large Firewall features on ACE.

No HW module required for SSL/Compression support on the ACE appliance.

No HTTP header insert function on the CSS.

G.

New Member

Re: ACE vs CSS (or CSM!)

Hi Gilles.

I'm going to do a migration from CSM to ACE Service Modules.

Before doing it I would like to make a good presentation to the customer on what are the main differences between these two products.

I'm not talking about hardware , capacity virtualization and so on.

Customer would like to know major differences between configuration option like predictor ( new predictor or something like that..), probes , serverfarm options...

etc..

Something that you know it is possible to do with Ace and not with csm and that can be useful for the customer or that can impress ..

Thanks in advance.

Vittorio

Re: ACE vs CSS (or CSM!)

Features Not available in CSM

SIP loadbalancing

Connection rate limiting per VIP and per Real

SNMP based LB decisions (CPU,mem,disk space)

Least bandwidth predictor

Virtualization

TCP Reuse

Http Compression

Http optimization

TCP/IP Normalization

Http,DNS,Ldap,Rtsp,ICmp,SIP,skinny fixups

Configuration checkpoints

Syed

New Member

Re: ACE vs CSS (or CSM!)

I'm pretty sure that the ACE modules do not currently support HTTP compression and Optimization. I know that the ACE 4710 supports these features, but has a total throughput of 4Gbps, the ACE module supports up to 16Gbps.

John...

Re: ACE vs CSS (or CSM!)

Correct.

I mixed up ACE module with ACE appliance.

As per Cisco Http Compression is committed for ACE module.

I am not sure if HTTP optimization will be available on ACE module.

Syed

New Member

Re: ACE vs CSS (or CSM!)

Thanks Syed for the information.

Another question..

In the actual CSM configuration that we are going to migrate we use this basic type of configuration for Vservers:

-------------------------------
real name A
  ip address x.x.x.x
  inservice
real name B
  ip address x.x.x.x
  inservice
probe TCP tcp
  interval 30
  retries 4
  failed 15
!
serverfarm SF
  real name A
    inservice
  real name B
    inservice
  probe TCP
vserver VIP
  virtual V.V.V.V tcp www
  serverfarm SF
  advertise active
  persistent rebalance
  inservice
--------------------------------

So basically we put the tcp port value only on the vserver object. And this is inherited by all the other objects.

Is it possible to do the same ( or similar) with ACE ?

Re: ACE vs CSS (or CSM!)

Destination ports will not get translated until you use "rserver under Server Farm definition.

Only exception is that in ACE Module you have to define port under probe. If you do not define port it doesn't inherit the port number of the real server.

(The above mentioned functionality is available in ACE appliance. Probe defined in ACE Appliance does inherit port number from real).

Your CSM config will translate into ACE as follows

probe tcp TCP80
  port 80
  interval 30
  faildetect 4
  passdetect interval 15
  receive 4
  open 4

rserver host A
  ip address x.x.x.x
  inservice
rserver host B
  ip address x.x.x.x
  inservice

serverfarm host SF
  probe TCP80
  rserver A
    inservice
  rserver B
    inservice

parameter-map type http VIP_HTTP
  persistence-rebalance

class-map match-all VIP
  match virtual-address V.V.V.V tcp eq www

policy-map type loadbalance first-match VIP
  class class-default
    serverfarm SF

policy-map multi-match POLICYxyz
  class VIP
    loadbalance vip advertise active
    appl-parameter http advanced-options VIP_HTTP
    loadbalance policy VIP
    loadbalance vip inservice
    loadbalance vip icmp-reply active

HTH

Syed Iftekhar Ahmed
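
As an added example (not code from any participant in this thread), the following Python check reads an ACE configuration and lists, per serverfarm, the attached probes that carry no explicit `port` line, which is the case the reply above says the ACE module does not fill in from the real server. The sample configuration, the probe and serverfarm names, and the port 8080 are constructed for illustration.

```python
import re

# Constructed sample in ACE syntax; names and ports are made up.
SAMPLE = """\
probe tcp TCP80
  port 80
  interval 30
probe tcp TCP_GENERIC
  interval 30
serverfarm host SF_WEB
  probe TCP80
  rserver A
    inservice
serverfarm host SF_APP
  probe TCP_GENERIC
  rserver A 8080
    inservice
"""

def blocks(config):
    """Group config lines into (header, [stripped child lines]) by indentation."""
    out = []
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def probes_without_port(config):
    """Map each serverfarm to its attached probes that have no 'port' line."""
    parsed = blocks(config)
    has_port = {}
    for header, body in parsed:
        if m := re.match(r"probe\s+\S+\s+(\S+)$", header):
            has_port[m.group(1)] = any(re.match(r"port\s+\d+$", l) for l in body)
    findings = {}
    for header, body in parsed:
        if not (m := re.match(r"serverfarm\s+(?:host\s+)?(\S+)$", header)):
            continue
        for child in body:
            p = re.match(r"probe\s+(\S+)$", child)
            # A probe that is referenced but never defined is reported too.
            if p and not has_port.get(p.group(1), False):
                findings.setdefault(m.group(1), []).append(p.group(1))
    return findings

if __name__ == "__main__":
    print(probes_without_port(SAMPLE))
```
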

New Member

Re: ACE vs CSS (or CSM!)

So the only solution with ACE module is to create many different probes... Correct?

Thanks a lot

Vittorio

Cisco Employee

Re: ACE vs CSS (or CSM!)

Syed,

man!!! I just discovered the module didn't have inheritance.

I found the code diff that was added to the appliance and indeed it is not in the module.

I will make sure this code is added quickly to the module.

It should work in A2(1.5)

Gilles.

New Member

Re: ACE vs CSS (or CSM!)

Hi Gilles ..

Are you talking only about ACE appliance ? Correct ?

About ACE module "inheritance" will never be possible ?

Customer is using it a lot on CSM...to have a shorter config file..

Thanks

Vittorio

Re: ACE vs CSS (or CSM!)

Yes you need to create probes for each unique port in ACE Module.

Gilles is talking about inheritance in ACE module. After the code mentioned by Gilles, Ace module's probes will be able to inherit port numbers from reals.

Syed Iftekhar Ahmed

New Member

Re: ACE vs CSS (or CSM!)

Hi Syed.

First of all thanks for all the information you are giving.

We will use 3.0.0_A1_6_3c Ace software version.

So are you telling me that it is possible to use on ACE Service Module inheritance on probes ?

Have a nice day

Vittorio

Re: ACE vs CSS (or CSM!)

Vittorio

We are moving in circles:)

No you got it wrong. Probe inheritance is not a feature in any of the current "ACE Module" code. Gilles promised that it will be available in a future release.

Currently only ACE appliance supports this feature.

In summary

Probe Inheritance is not supported in ACE Module (In future we will get it).

Syed

New Member

Re: ACE vs CSS (or CSM!)

Sorry for the misunderstanding.

Ok Syed.

Great information from you and Gilles.

Can i make the last question ?

I prefer to ask you before doing it.

Just tell me if i can.

It is about a CSM variable called ROUTE_UNKNOWN_FLOW_PKTS !

Vittorio

Re: ACE vs CSS (or CSM!)

The variable you mentioned is mostly used in one arm mode. It is used to allow the CSM to handle "server-initiated flows" or "connections which bypass the CSM", e.g. when opening an HTTP connection to a real server bypassing the VIP.

For such scenarios "variable ROUTE_UNKNOWN_FLOW_PKTS 2" is used in CSM.

If this variable value is not set, the CSM would drop such connections because the initial SYN was never seen by CSM.

For more details

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ServerFarmSec_2.1/5_CSM.pdf

In one-arm mode ACE, to achieve this you need to turn off normalization, e.g.

interface vlan xxx
  ip address 10.1.1.1 255.255.255.0
  alias 10.1.1.3 255.255.255.0
  peer ip address 10.1.1.2 255.255.255.0
  no normalization <----------------------*****

HTH

Syed Iftekhar Ahmed

New Member

Re: ACE vs CSS (or CSM!)

You perfectly understand my needs.

What you described is the actual CSM configuration.

When we installed the CSM, the customer preferred to use One-Arm mode with the variable ROUTE_UNKNOWN_FLOW_PKTS 2 because he doesn't want the CSM to be the default gateway for servers.

So ACE too (if I don't put NO NORMALIZATION on interface Vlan) will drop connections whose initial SYN was never seen by ACE?

Re: ACE vs CSS (or CSM!)

Correct.

In order to support Asymmetric routing on ACE you need to disable normalization.

Syed

New Member

Re: ACE vs CSS (or CSM!)

I'll be working on lab simulating the migration from CSM to ACE.

All the information you gave me will be very useful.

I think I'll continue this discussion when I have some new questions based on direct experience in my lab.

Bye and thanks again.

Vittorio

New Member

Re: ACE vs CSS (or CSM!)

Hi Syed..

I've been starting my lab..

A question :

Two context :

1 - "Production" where there will be the " production VIPs"

2 - "Test" where there will be "testing VIPs"

We will "limit-resource all"

A right or better configuration for creating resource-class:

1) Admin Context

2) Production context

3) Test Context

Basically the question is :

if we don't use the Admin context to create VIPs, how much is better to limit the resources allocated for this context (minimum and maximum)?

I know that you should know the customer environment but... some hints & tips?

Thanks a lot

Vittorio

Re: ACE vs CSS (or CSM!)

A common misconfiguration I have seen is that people forget to reserve resources for Admin contexts.

Admin context is assigned to default resource-class (with no minimal resource defined) and this makes it susceptible to situations where there are no resources available for Admin context.

If your Admin context is just for admin purposes (no LB traffic) then there should be 1% to 5% resources reserved for Admin context.

It's recommended that new ACE installations do not exceed 60 to 80 percent of the module's total capacity.

To accomplish this goal you can create a reserved resource class with a guarantee of 20 to 40 percent of all the ACE resources and configure a Dummy virtual context dedicated solely to ensuring that these resources are reserved.

This Dummy context (resources assigned but not used) gives you a buffer of resources that can be used if some of the existing contexts require more resources due to traffic increase.

HTH

Syed Iftekhar Ahmed
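
As an added example (not code from any participant in this thread), the following Python check applies the advice above to a configuration: it resolves each context's resource class, reports the guaranteed minimum per context, and lists contexts left with no guaranteed minimum. The sample configuration, the class names and the percentages are constructed for illustration.

```python
import re

# Constructed sample; class names and percentages are made-up values
# chosen inside the ranges given in the reply above.
SAMPLE = """\
resource-class RC_ADMIN
  limit-resource all minimum 5.00 maximum equal-to-min
resource-class RC_PROD
  limit-resource all minimum 50.00 maximum unlimited
resource-class RC_RESERVE
  limit-resource all minimum 30.00 maximum equal-to-min
context Admin
  member RC_ADMIN
context Production
  member RC_PROD
context Test
context Dummy
  member RC_RESERVE
"""

def audit_resources(config):
    """Return (guaranteed % per context, contexts with no guaranteed minimum)."""
    class_min, ctx_class, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"(resource-class|context)\s+(\S+)$", line):
            current = (m.group(1), m.group(2))
            if current[0] == "context":
                ctx_class[current[1]] = None  # default class until 'member' is seen
        elif current and current[0] == "resource-class" and (
                m := re.match(r"limit-resource all minimum (\d+(?:\.\d+)?)", line)):
            class_min[current[1]] = float(m.group(1))
        elif current and current[0] == "context" and (
                m := re.match(r"member\s+(\S+)$", line)):
            ctx_class[current[1]] = m.group(1)
    guaranteed = {c: class_min.get(rc, 0.0) for c, rc in ctx_class.items()}
    unprotected = sorted(c for c, pct in guaranteed.items() if pct == 0.0)
    return guaranteed, unprotected

if __name__ == "__main__":
    shares, exposed = audit_resources(SAMPLE)
    print(shares, "total guaranteed:", sum(shares.values()), "no minimum:", exposed)
```
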

New Member

Re: ACE vs CSS (or CSM!)

Hi Syed

I'm continuing my lab and so new questions..

Now I would like to talk about sticky with two question :

1) " sticky-Limits the number of entries in the sticky table. You must configure a minimum value for sticky to allocate resources for sticky entries, because the sticky software receives no resources under the unlimited setting" .

So if I create a resource- class with limit-resource all , sticky have no resource available ?

2) How many sticky group can I create in a context ?

Have a nice day and thanks for all your answers and advises.

Vittorio

New Member

Re: ACE vs CSS (or CSM!)

Hi Syed.

I'm always working on lab , migrating from CSM to ACE Module.

Customer used to do stickiness based on cookie insert by the CSM.

Now I have a question.

The cookie created by ACE can be a session cookie (browser expires) or can have a validity time.

How can i set the validity time of the cookie in ACE ?

We do it on CSM with a variable..

Thanks Vittorio

New Member

Re: ACE vs CSS (or CSM!)

I have a dumb question. What is probe inheritance?

John...

Re: ACE vs CSS (or CSM!)

With probe inheritance, you don't need to define the port number in the probe definition. The probe inherits it from the real server port.

It enables you to create a single probe and assign it to multiple Serverfarms.

Syed Iftekhar Ahmed
