CSS v ACE 4710 Performance Comparison

Similar Messages

• ACE 4710 lic'd performance

  With the current (A5) ACE 4710 lic setup, does the "X gigabit per second appliance throughput" that is licensed affect: -
  A)  Only "appliance" i.e. load balancing traffic, any other normal routed traffic is not included in the limit
     or
  B) Is it an overall throughput limit on the interfaces i.e. includes all traffic not only load balancing traffic but also normal routed traffic crossing the appliance
  Looking at a scenario where the lic size I need for HTTP load balanacing would be one size if  A) but would need to be much larger is B) to accomodate out of hours routed backup traffic crossing the ACE 4710
  thanks,
  Sez

  Hi Sez,
  The license applies to the overall throughput, both routed and load-balanced traffic.
  Regards
  Daniel

• Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710

  One of the feature of our application is that our Application Server initiate text message to our devices sourcing from UDP 1120 and device need to see the message come from a specific pubic IP (2.2.2.2) with UDP port 1120 and reply back with the same Public IP (2.2.2.2) with UDP port 1120.The problem is we can make that happen if we have only one server in our ACE Serverfarm when we do a SNAT the real servers with the VIP address (10.1.246.32) but it does not work when we have more than one server in the Serverfarm. Since we have 2 servers, i cannot nat the real servers with the VIP address, if I do a PAT, obviously it is changing the source port of the request.
  Note: This setup is working fine with the Cisco Content Switch module running on chasis 6509. When I sniff the traffic initiated from the server coming the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default but this is not the case with ACE 4710
  Traffic flow as follows
  ===============
  ACE 4710                                                       FWSM (Firewall static NAT)                    Device ( configured with 2.2.2.2:1120 (udp) to snd/rcv msg)
                                               VIP
  Rserver 1   - 10.1.104.80       10.1.246.32           10.1.246.32  < - > 2.2.2.2                              1.1.1.1
  Rserver 2   - 10.1.104.81c
  ---------------------------------------------------------->           ------------------------------->                      - traffic flow from server to the device when we send msg
  Configs:
  ======
  rserver host server1
    ip address 10.1.104.80
    inservice
  rserver host server2
    ip address 10.1.104.81
    inservice
  serverfarm host SFARM
    failaction purge
    probe ICMP
    rserver server1
      inservice
    rserver server2
      inservice
  access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
  access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any
  parameter-map type connection UDP_TIMEOUT
    set timeout inactivity 3600
  sticky ip-netmask 255.255.255.255 address source STKY-SFARM
    serverfarm SFARM
    timeout 180
    replicate sticky
  class-map match-all CLS-SFARM
    2 match virtual-address 10.1.246.32 udp eq 1120
  class-map match-all SERVERNAT
    2 match access-list TEST-1120
  policy-map type loadbalance first-match POL-SFARM
    class class-default
      sticky-serverfarm STKY-SFARM
  policy-map multi-match POL-LB
  class CLS-SFARM
      loadbalance vip inservice
      loadbalance policy POL-SFARM
      loadbalance vip icmp-reply active
      connection advanced-options UDP_TIMEOUT
  class SERVERNAT
     nat dynamic 1 vlan 244
  int vlan 244
  ip address 10.1.246.2 255.255.255.0
  service-policy input POL-LB
  nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
    mac-sticky enable
    no icmp-guard
  no shut
  interface vlan 2506
  ip address 10.1.104.2 255.255.255.0
  service-policy input POL-LB
    mac-sticky enable
    no icmp-guard
  no shut

  I see in CSS, they are able to nat the source ip address with VIP and port-mapping diabled. How do I implement
  portmap disable in ACE 4710
  Disabling Port Mapping
  By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disablecommand in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
  For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services,

• ACE 4710 SSL server LB with stickiness

  I will be replacing 11500 CSS which are not doing SSL termination, just load-balancing SSL sessions terminated on servers with ACE 4710.
  On their CSS config, they were doing SSL-sticky. I understand the 4710 doesn't support SSL sticky, but can perform the same function by parsing the HTTP header. Has anyone done this config before and know where/how to parse the header to look for the SSL session# and stick connections to same server?
  THANKS!

  In Ace 2.x code GPP (Generic protocol parsing) was introduced that enables ACE to look into the Layer 4 payload.Which is how this stickiness id achieved.
  details at
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1133923
  I dont think its currently available on ACE appliance yet.
  Syed

• Need help to Configure Cisco ACE 4710 Cluster Deployment

  Dear Experts,
  I'm newbie for Cisco ACE 4710, and still I'm in learning stage. Meanwhile I got chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between  two Application Servers based on HTTP and HTTPS traffic. So I was looking for good deployment guide in Cisco SBA knowledge base then finall found this guide.
  http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
  This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
  This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
  My confusion is, as I have learned about Cisco ACE 4710 one-armed mode deployment method, it should has two VLAN segments, one for Client side which client request come and hit the VIP and then second one for Server side. which means besically two VLANs. So please be kind enough to go through above document then tell me where is wrong, what shoud I need to do for the best. Please this is an urgent, so need your help quickly.
  Thanks....!
  -Amal-

  Dear Kanwal,
  I need quick help for you. Following are the Application LB requirements which I received from my clinet side.
  Following detail required for configuring Oracle EBS Apps tier on HA:
  LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
  Suggested IP and Name for LBR:
  IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
  ebiz.xxxx.lk [on port 80 for http protocol accessibility]
  This LBR IP & name must be resolve and respond on DNS network
  Server Farm detail for LBR Setup
  Following detail will be use for configuring the LBR:
  LBR IP and Name :
  IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
  ebiz.xxxx.lk [on port 80 for http protocol accessibility]
  This LBR IP & name must be resolve and respond on DNS network
  Server Farm Detail for LBR setup:
  Server 1 (EBS App1 Node, ap1ebs):
  IP : 172.25.45.19
  Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
  Protocol: http
  Port: 8000
  Server 2 (EBS App2 Node, ap2ebs):
  IP : 172.25.45.20
  Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
  Protocol: http
  Port: 8000
  Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
  Following are my latest config :
  probe http Get-Method
    description Check to url access /OA_HTML/OAInfo.jsp
    interval 10
    faildetect 2
    passdetect interval 30
    request method get url /OA_HTML/OAInfo.jsp
    expect status 200 200
  probe udp http-8000-iRDMI
    description IRDMI (HTTP - 8000)
    port 8000
  probe http http-probe
    description HTTP Probes
    interval 10
    faildetect 2
    passdetect interval 30
    passdetect count 2
    request method get url /index.html
    expect status 200 200
  probe https https-probe
    description HTTPS traffic
    interval 10
    faildetect 2
    passdetect interval 30
    passdetect count 2
    ssl version all
    request method get url /index.html
  probe icmp icmp-probe
    description ICMP PROBE FOR TO CHECK ICMP SERVICE
  rserver host ebsapp1
    description ebsapp1.xxxx.lk
    ip address 172.25.45.19
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    probe http-probe
    inservice
  rserver host ebsapp2
    description ebsapp2.xxxx.lk
    ip address 172.25.45.20
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    probe http-probe
    inservice
  serverfarm host ebsppsvrfarm
    description ebsapp server farm
    failaction purge
    predictor response app-req-to-resp samples 4
    probe http-probe
    probe icmp-probe
    inband-health check log 5 reset 500
    retcode 404 404 check log 1 reset 3
    rserver ebsapp1 80
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      inservice
    rserver ebsapp2 80
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      inservice
  sticky http-cookie jsessionid HTTP-COOKIE
    cookie insert browser-expire
    replicate sticky
    serverfarm ebsppsvrfarm
  class-map type http loadbalance match-any default-compression-exclusion-mime-type
    description DM generated classmap for default LB compression exclusion mime types.
    2 match http url .*gif
    3 match http url .*css
    4 match http url .*js
    5 match http url .*class
    6 match http url .*jar
    7 match http url .*cab
    8 match http url .*txt
    9 match http url .*ps
    10 match http url .*vbs
    11 match http url .*xsl
    12 match http url .*xml
    13 match http url .*pdf
    14 match http url .*swf
    15 match http url .*jpg
    16 match http url .*jpeg
    17 match http url .*jpe
    18 match http url .*png
  class-map match-all ebsapp-vip
    2 match virtual-address 172.25.45.21 tcp eq www
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match ebsapp-vip-l7slb
    class default-compression-exclusion-mime-type
      serverfarm ebsppsvrfarm
    class class-default
      compress default-method deflate
      sticky-serverfarm HTTP-COOKIE
  policy-map multi-match int455
    class ebsapp-vip
      loadbalance vip inservice
      loadbalance policy ebsapp-vip-l7slb
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 455
  interface vlan 455
    ip address 172.25.45.36 255.255.255.0
    peer ip address 172.25.45.35 255.255.255.0
    access-group input ALL
    nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
    service-policy input remote_mgmt_allow_policy
    service-policy input int455
    no shutdown
  ft interface vlan 999
    ip address 10.1.1.1 255.255.255.0
    peer ip address 10.1.1.2 255.255.255.0
    no shutdown
  ft peer 1
    heartbeat interval 300
    heartbeat count 10
    ft-interface vlan 999
  ft group 1
    peer 1
    no preempt
    priority 110
    associate-context Admin
    inservice
  ip route 0.0.0.0 0.0.0.0 172.25.45.1
  Hope you will reply me soon
  Thanks....!
  -Amal-

• ACE 4710 and mangled HTTP requests

  After replacing a Cisco CSS/SSL  Accelorator and PIX firewall with an ACE 4710 to do load balancing and  SSL encryption behind an ASA firewall we started seeing mangled HTTP  requests in the Apache access logs for the servers in the server farm.  Here is one example:
  XX.XX.XXX.XXX  - - [21/Oct/2012:01:42:12 -0500]  "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  Rather  than appearing just after the timestamp, the "POST /register/LServlet"  is tacked on to header information that shouldn't even appear in the  log. Also the first letter in that header information is always missing  (heckoutFlag instead of checkoutFlag in this example). 
  The  mangled request always shows up as a 501 HTTP error and shows up late  in the Apache access logs (timestamp is out of chronogical order) and  always appears with several duplicate POSTs:
  XX.XX.XXX.XXX - - [21/Oct/2012:01:42:23 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  XX.XX.XX.XXX  - - [21/Oct/2012:01:42:12 -0500]   "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet"  "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  This is occurring for several different URLs and not just the one above and for multiple web browsers.
  The ACE load balances to servers running Tomcat 7 with Apache HTTP server v. 2.2.14.
  A recent ACE software upgrade to A5(2.1) has not fixed the problem.
  Has anyone seen this before?
  Thanks for any insight you can provide.
  -Kari

  Hi Kari,
  Do you have a sample of the configuration which you got with the CSS?
  What is the current configuration which you got on the ACE?
  Can you shows this output: # show stats http?
  Jorge

• ACE 4710 Web Optimization Licnesing

  I currently have a 4710 running the 1Gbps package. We are utilizing Application Acceleration and are comg very close to hitting our 10,000 Web Optimization connection limit. I am trying to find out how to upgrade that.
  I see in our license usage an option of ACE-AP-OPT-UP1-K9 but can find no information on this part number. Does anyone know if this is even available and what it brings you connection limit to?
  ACE01/Admin# show license usage
  License                      Ins   Lic    Status   Expiry Date   Comments
                                    Count
  ACE-AP-C-UP1                  No     -    Unused                 -
  ACE-AP-C-UP2                  No     -    Unused                 -
  ACE-AP-C-UP3                  No     -    Unused                 -
  ACE-AP-01-LIC                 No     -    Unused                 -
  ACE-AP-01-UP1                 No     -    Unused                 -
  ACE-AP-02-LIC                 No     -    Unused                 -
  ACE-AP-02-UP1                 No     -    Unused                 -
  ACE-AP-04-LIC                 No     -    Unused                 -
  ACE-AP-04-UP1                 No     -    Unused                 -
  ACE-AP-04-UP2                 No     -    Unused                 -
  ACE-AP-VIRT-5                 No     -    Unused                 -
  ACE-AP-500M-LIC               No     -    Unused                 -
  ACE-AP-VIRT-020               No     -    Unused                 -
  ACE-AP-C-100-LIC              No     -    Unused                 -
  ACE-AP-C-500-LIC              Yes    1    In use   never         -
  ACE-AP-C-500-UP1              No     -    Unused                 -
  ACE-AP-OPT-50-K9              No     -    Unused                 -
  ACE-AP-C-1000-LIC             No     -    Unused                 -
  ACE-AP-C-2000-LIC             No     -    Unused                 -
  ACE-AP-OPT-LIC-K9             Yes    1    In use   never         -
  ACE-AP-OPT-UP1-K9             No     -    Unused                 -
  ACE-AP-SSL-05K-K9             Yes    1    In use   never         -
  ACE-AP-SSL-07K-K9             No     -    Unused                 -
  ACE-AP-SSL-100-K9             No     -    Unused                 -
  ACE-AP-SSL-UP1-K9             No     -    Unused                 -
  ACE-AP-SSLUP-5K-K9            No     -    Unused                 -
  ACE-AP-VIRT-020-UP            No     -    Unused                 -

  Unfortunately, ACE-AP-OPT-LIC-K9 is not available on ACE4710 and
  ACE 4710 cannot handle more than 10,000 concurrent connections..
  When you use the ACE to perform a specific set of application
  acceleration and optimization functions, and the ACE reaches the
  maximum of 10,000 concurrent connections, the appliance stops
  accepting any additional concurrent connections until the count
  drops below 10,000.
  http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/command/reference/optimize.html#wp1048813
  Regards,
  Yuji

• CVP: CSS or ACE

  Could you please help us in answering the below query from the customer,
  Kotak Mahindra Bank currently has one Primary and one Secondary CVP Server on Version 7.X
  Now since they are expanding, we are proposing an additional server MCS-7845-I2-CCE2
  Now for load balancing, do i propose CSS or ACE?
  If CSS, then which model is being currently sold by Cisco?
  If ACE, then how do i select which model of ACE suits best...There  is 0.5Gbps, 1Gbps, 2Gbps and 10Gbps..Which one is more appropriate for  this CC Size?
  The CVP BOM guide suggests an ACE Appliance on CVP 8.0, but for CVP 7.X it suggest CSS 11500 series with WebNS 7.5X...
  Can i chose ACE for CVP 7.X, will it be supported?

  ACE is the direction going forward.
  I have used the CSS pair in the past, but at Cisco Live I spoke to the ACE team in the World of Solutions and ACE pricing was quite similar to CSS (say the ACE 4710 1U model) and it looked to be an effective solution. ACE is also soon available on a Network Module  (ACE30 - could be out now) and that looked great.
  Be aware of the similar restrictions that apply to CSS if you have the pair geographically separated. With ACE, you would need a GSS above.
  Regards,
  Geoff

• CSS to ACE Convertion

  Hello all,
  We will change the CSS's to ACE's plataform's.
  Do u know any aplication wich can convert the basic CSS configuration into ACE configuration?
  Plataform's:
  CSS11501S-C-K9
  ACE 4710
  The certificates installed in the CSS could be migratted to the ACE ?

  Hello,
  The 4710 with the ACE software has a built-in CSS-to-ACE conversion tool accessible through the web interface. See http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/css_to_ace/user/guide/cssaceug.html for example.
  The tool may not convert 100% but it may provide a good starting point.
  I don't see any reason why you can't export the certificates from the CSS (assuming you remember the password) and import them into the ACE.
  HTH
  Cathy

• CSS or ACE

  Hi,
  We would like to load blance  Sharepoint app on two servers in two datacentres.I would like to know which applince is better for this purposes.
  CSS 11501/11503 series or ACE 4710
  Regards.

  Ace is the future.
  It is IPv6 ready and new features are being added every day.
  The CSS is still supported but there is no more development of new features and IPv6 will never be available on that machine.
  Personally, I will go for the appliance.
  Gilles

• ACE 4710 bundle license backup

  Hello,
  Is it possible to backup ACE appliance licenses if product is bought as a bundle?
  ACE-4710-BAS-SK-K9
  Promo Bundle - ACE 4710 HW-1Gbps-1K SSL-100MbpsComp-5VC
  Following is mentioned in the ACE documentation:
  "If you need to replace the ACE, you can copy and install the license file for the license onto the replacement appliance."
  But, when we try to backup licenses, we get following results:
  ACE-1/Admin# sh license
  ACE-1/Admin# copy licenses disk0:mylicenses.tar
  Backing up license... failed: License file not found
  ACE-1/Admin# sh license status
  Licensed Feature Count
  Compression Performance in Mbps 100
  Web Optimization Concurrent Conns. 50
  SSL transactions per second 1000
  Virtualized contexts 5
  Module bandwidth in Gbps 1.0
  ACE-1/Admin# sh license usage
  License Ins Lic Status Expiry Date Comments
  Count
  ACE-AP-C-UP1 No - Unused -
  ACE-AP-C-UP2 No - Unused -
  ACE-AP-C-UP3 No - Unused -
  ACE-AP-01-LIC No - Unused -
  ACE-AP-01-UP1 No - Unused -
  ACE-AP-02-LIC No - Unused -
  ACE-AP-02-UP1 No - Unused -
  ACE-AP-04-LIC No - Unused -
  ACE-AP-04-UP1 No - Unused -
  ACE-AP-04-UP2 No - Unused -
  ACE-AP-VIRT-5 No - Unused -
  ACE-AP-500M-LIC No - Unused -
  ACE-AP-VIRT-020 No - Unused -
  ACE-AP-C-100-LIC No - Unused -
  ACE-AP-C-500-LIC No - Unused -
  ACE-AP-C-500-UP1 No - Unused -
  ACE-AP-OPT-50-K9 No - Unused -
  ACE-AP-C-1000-LIC No - Unused -
  ACE-AP-C-2000-LIC No - Unused -
  ACE-AP-OPT-LIC-K9 No - Unused -
  ACE-AP-OPT-UP1-K9 No - Unused -
  ACE-AP-SSL-05K-K9 No - Unused -
  ACE-AP-SSL-07K-K9 No - Unused -
  ACE-AP-SSL-100-K9 No - Unused -
  ACE-AP-SSL-UP1-K9 No - Unused -
  ACE-AP-SSLUP-5K-K9 No - Unused -
  ACE-AP-VIRT-020-UP No - Unused -
  I suppose licenses cannot be backuped because they are bundled and delivered with the bundle by default, and not installed...
  Does anyone know what would be the procedure for this bundled licenses in case of ACE HW replacement needed?
  Best regards,
  Jasmina

  Hi Jasmina,
  License file management is quite simple for ACE.  Two methods; save original license email or copy from disk0:.
  If you purchased and upgraded license, and followed procedure to generate it, you would have received your license via email.   We recommend per  documentation (License ordering section) that you:
  "Step 5 Save the license key e-mail in a safe place in case you need it in the future (for example, to transfer the license to another ACE). "
  Also,  to apply,  you copy the license file to disk0: on the ACE.  This *.lic file resides on disk0: thereafter.
  So if you did not happen to save the original email when you obtained the license, and the license has been installed, then you can simply copy the *.lic file off the ACE from disk0: to a safe place.  Example copying file from ACE to FTP server:
  Switch/Admin# copy disk0: ftp:
  Enter source filename]? 1ACE2009060306445454.lic
  Enter Address for the ftp server]? 10.2.3.4
  Enter the destination filename]? [1ACE2009060306445454.lic]
  Enter username]? anonymous
  Enter the file transfer mode[bin/ascii]: [bin]
  Enable Passive mode[Yes/No]: [Yes]
  Password:
  Passive mode on.
  Hash mark printing on (1024 bytes/hash mark).
  Switch/Admin#
  Administrator Guide - Licenses on ACE:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/administration/guide/license.html#wp1010344
  Hope this helps.
  -pefrench

• ACE 4710 is not working

  Hi. I'm working on the Cisco ACE 4710 to be able to load balance web Traffic between several web servers. but despite following the steps mentioned on the Cisco configuration guide (specially this link and related docs: http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Creating_a_Virtual_Context) we did not managed to make it. we tested both the "bridged scenario" and "routed scenario" but none of them is working. specifically "configuring Nat" in the above link is very confusing and is not clear; because it's not the same as Cisco IOS, which we used to implement it that way. 
  Routed Scenario:
  ==========================================
  probe http Http_Probe
    description Server Healty Check
    port 80
    request method head url /index.htm
  probe icmp ICMP_Check
    interval 10
    passdetect interval 5
  rserver host NetCad_Server_1
    ip address 172.16.1.100
    probe ICMP_Check
    inservice
  rserver host NetCad_Server_2
    ip address 172.16.1.101
    probe ICMP_Check
    inservice
  rserver host NetCad_Server_3
    ip address 172.16.1.102
    probe ICMP_Check
    inservice
  serverfarm host NetCad_Servers
    probe Http_Probe
    rserver NetCad_Server_1 80
      inservice
    rserver NetCad_Server_2 80
      inservice
    rserver NetCad_Server_3 80
      inservice
  sticky http-cookie Cookie1 1
    serverfarm NetCad_Servers
  class-map match-all VS_NetCad
    2 match virtual-address 192.168.13.162 255.255.252.0 tcp any
  policy-map type management first-match mgmt-pm
    class class-default
      permit
  policy-map type loadbalance first-match VS_NetCad-l7slb
    class class-default
      serverfarm NetCad_Servers
  policy-map multi-match int40
    class VS_NetCad
      loadbalance vip inservice
      loadbalance policy VS_NetCad-l7slb
      loadbalance vip icmp-reply
  interface vlan 40
    description Client Side
    ip address 192.168.13.161 255.255.252.0
    ip options allow
    no normalization
    no icmp-guard
    access-group input Permit_ALL
    service-policy input mgmt-pm
    service-policy input int40
    no shutdown
  interface vlan 41
    description Server Side
    ip address 172.16.1.1 255.255.255.0
    ip options allow
    no normalization
    no icmp-guard
    access-group input Permit_ALL
    nat-pool 1 172.16.1.110 172.16.1.110 netmask 255.255.255.255 pat
    service-policy input mgmt-pm
    no shutdown
  ip route 0.0.0.0 0.0.0.0 192.168.12.1
  ==========================================

  Hi,
  Let me explain you.
  Assuming client IP as 1.1.1.1, VIP as 2.2.2.2 and Real Server as 3.3.3.3
  Consider the simple situation where client needs to access an application hosted on 3.3.3.3. Client sends a request which comes to VIP.
  src 1.1.1.1----->dst------->2.2.2.2. ACE after matching conditions and taking LB decision decides to send  it to 3.3.3.3 real server. Performs destination NAT and forwards the client request to 3.3.3.3. So the above packet L3 header will now look like:
  src 1.1.1.1       dst 3.3.3.3. When reply comes from server, ACE will change src 3.3.3.3 back to 2.2.2.2 and forwards the request to client 1.1.1.1. SIMPLE LB.
  Now comes a situation where let's say you want to hide the client IP from server or let's say server's default GW is not ACE or client and server are in same subnet but need to communicate through VIP on ACE etc.
  Src 1.1.1.1 dst 2.2.2.2
  After LB ace decides to send it to 3.3.3.3 but also policy multi match has nat rule (nat dynamic 1 vlan x). But packet would be forwarded from server vlan where you have NAT pool defined. So let's say pool IP is 3.3.3.4. So ACE will perform both destination as well as src NAT here before forwarding the packet to server and packet L3 header will look like:
  src 3.3.3.4 ----->dst 3.3.3.3
  Now when 3.3.3.3 has to send packet back, ACE will answer ARP for 3.3.3.3 and hence packet will come back to ACE which will again change the L3 header IP's and send it out the client VLAN towards client.
  So NAT is always applied to server side vlan and  that's why pool is  chosen from server side subnet.
  Let me know if you have any questions.
  Regards,
  Kanwal

• Full URL re-direct with ACE 4710

  Is there anyway to perform a redirect on the ACE 4710 so that it will redirect a request sent to the domain mydomain.com be redirected to www.mydomain.com, this is so that an installed SSL certificate will match.
  Thanks

  Thank you for your response, but the redirect would occur before any encyption.. for example today this is what happens
  someone goes to
  http://www.mydomain.com
  and the ACE redirects the connection to
  https://www.mydomain.com
  What I want is for someone to go to
  http://mydomain.com (without the www) and for it to redirect to
  http://www.mydomain.com which will inturn redirect to https://www.mydomain.com
  or it can just redirect to https://www.mydomain.com
  So the encryption will not occur until it is redirected to teh correct websit

• ACE 4710 responds very slow to CLI commands

  I am expericing delayed responses to my CLI commands on the ACE 4710. The delays occur sporadically. I have check the cpu and memory and neither one appeared to show any abnormal behaviour.  Has anybody else experienced unsual delay with your CLI commands? If so, where you able to isolate and correct the problem? If not, any suggestions on where and how to look for the problem?

  I am experiencing the same exact problem. CLI commands are very slow. Although, i dont get any performance issues for my application when i issue the "show run" or "wr mem" commands at CLI  i wait for over 1 minute to receive any output, commands like "show serverfarm" ,"show rserver" "show stats" are working fine. my resource usage is ok and cpu has no problems. The problem exists in all contexts of the specific ACE. I did a test by forcing the standby ace to become active and while the standby ACE had no problem in executing the command when it becomes the active one the problem shows up.  is there a way to troubleshoot this?
  Thank you in advance

• ACE 4710 or CSS11501

  I will buy an appliance with the main funcionality or idea of load balancing of web servers.
  I heard that CSS is an obsolete hardware than goes to EOL and the new hardware is the ACE4710. Is it?
  Could someone tell me the pricipal differences? Or could someone recomend me some of them?

  The CSS was created more than 10 years ago. It does a great job but we have stopped adding new features to it for some time now.
  The Ace 4710 is the new product, designed 2 years ago and with a huge team of developpers still adding new features to it...like ipv6 support coming soon.
  Gilles.