CSS v ACE 4710 Performance Comparison
Am trying to verify performance figures for a CSS 11503 EOL replacement using ACE 4710
Trying to compare apples with apples (is a CSS SSL TPS the same as an ACE 4710 TPS etc...)
Pulling figures from data sheets, release notes etc I have only come up with the following
Are there any further figures available for the ACE 4710 to fill in the blanks in the table?
Am sure that ACE 4710 smokes the CSS but have to do the due diligence
Metric                             CSS 11503 (1xSSL Module)    ACE 4710
SSL - Transactions per second      1,400/sec                   7,500/sec
SSL - RSA operations per second    4,000/sec
SSL - Bulk encryption (ARC4)       256 Mbps
Maximum concurrent connections     40,000
Compression                        500 Mbps                    2 Gbps
Sticky Table                       128K entries
L4 connections/sec                 22,500
L7 connections/sec                 10,000
thanks,
Sez
Have reposted this msg, as table format garbled by forum
Sez
Similar Messages
-
With the current (A5) ACE 4710 lic setup, does the "X gigabit per second appliance throughput" that is licensed affect: -
A) Only "appliance" i.e. load balancing traffic, any other normal routed traffic is not included in the limit
or
B) Is it an overall throughput limit on the interfaces i.e. includes all traffic not only load balancing traffic but also normal routed traffic crossing the appliance
Looking at a scenario where the lic size I need for HTTP load balancing would be one size if A) but would need to be much larger if B) to accommodate out of hours routed backup traffic crossing the ACE 4710
thanks,
Sez
Hi Sez,
The license applies to the overall throughput, both routed and load-balanced traffic.
Regards
Daniel -
Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710
One of the features of our application is that our Application Server initiates text messages to our devices sourcing from UDP 1120, and the device needs to see the message come from a specific public IP (2.2.2.2) with UDP port 1120 and reply back with the same public IP (2.2.2.2) with UDP port 1120. The problem is we can make that happen if we have only one server in our ACE serverfarm when we SNAT the real servers with the VIP address (10.1.246.32), but it does not work when we have more than one server in the serverfarm. Since we have 2 servers, I cannot NAT the real servers with the VIP address; if I do a PAT, obviously it is changing the source port of the request.
Note: This setup is working fine with the Cisco Content Switch module running on chassis 6509. When I sniff the traffic initiated from the server coming the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default, but this is not the case with ACE 4710.
Traffic flow as follows
===============
                            ACE 4710       FWSM (Firewall static NAT)    Device (configured with 2.2.2.2:1120 (udp) to snd/rcv msg)
                            VIP
Rserver 1 - 10.1.104.80     10.1.246.32    10.1.246.32 < - > 2.2.2.2     1.1.1.1
Rserver 2 - 10.1.104.81c
----------------------------------------------------------> -------------------------------> - traffic flow from server to the device when we send msg
Configs:
======
rserver host server1
  ip address 10.1.104.80
  inservice
rserver host server2
  ip address 10.1.104.81
  inservice
serverfarm host SFARM
  failaction purge
  probe ICMP
  rserver server1
    inservice
  rserver server2
    inservice
access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any
parameter-map type connection UDP_TIMEOUT
  set timeout inactivity 3600
sticky ip-netmask 255.255.255.255 address source STKY-SFARM
  serverfarm SFARM
  timeout 180
  replicate sticky
class-map match-all CLS-SFARM
  2 match virtual-address 10.1.246.32 udp eq 1120
class-map match-all SERVERNAT
  2 match access-list TEST-1120
policy-map type loadbalance first-match POL-SFARM
  class class-default
    sticky-serverfarm STKY-SFARM
policy-map multi-match POL-LB
  class CLS-SFARM
    loadbalance vip inservice
    loadbalance policy POL-SFARM
    loadbalance vip icmp-reply active
    connection advanced-options UDP_TIMEOUT
  class SERVERNAT
    nat dynamic 1 vlan 244
int vlan 244
  ip address 10.1.246.2 255.255.255.0
  service-policy input POL-LB
  nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
  mac-sticky enable
  no icmp-guard
  no shut
interface vlan 2506
  ip address 10.1.104.2 255.255.255.0
  service-policy input POL-LB
  mac-sticky enable
  no icmp-guard
  no shut
I see in CSS, they are able to NAT the source IP address with VIP and port-mapping disabled. How do I implement portmap disable in ACE 4710?
Disabling Port Mapping
By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disable command in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services, -
ACE 4710 SSL server LB with stickiness
I will be replacing 11500 CSS which are not doing SSL termination, just load-balancing SSL sessions terminated on servers with ACE 4710.
On their CSS config, they were doing SSL-sticky. I understand the 4710 doesn't support SSL sticky, but can perform the same function by parsing the HTTP header. Has anyone done this config before and know where/how to parse the header to look for the SSL session# and stick connections to same server?
THANKS!
In ACE 2.x code GPP (Generic protocol parsing) was introduced that enables ACE to look into the Layer 4 payload, which is how this stickiness is achieved.
details at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1133923
I don't think it's currently available on the ACE appliance yet.
Syed -
Need help to Configure Cisco ACE 4710 Cluster Deployment
Dear Experts,
I'm a newbie to Cisco ACE 4710, and I'm still in the learning stage. Meanwhile I got a chance at my workplace to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two Application Servers based on HTTP and HTTPS traffic. So I was looking for a good deployment guide in the Cisco SBA knowledge base and finally found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
My confusion is, as I have learned about the Cisco ACE 4710 one-armed mode deployment method, it should have two VLAN segments, one for the client side, where client requests come and hit the VIP, and a second one for the server side, which means basically two VLANs. So please be kind enough to go through the above document and tell me what is wrong and what I should do for the best. Please, this is urgent, so I need your help quickly.
Thanks....!
-Amal-
Dear Kanwal,
I need quick help for you. Following are the Application LB requirements which I received from my client side.
Following detail required for configuring Oracle EBS Apps tier on HA:
LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm detail for LBR Setup
Following detail will be use for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
Following are my latest config :
probe http Get-Method
  description Check to url access /OA_HTML/OAInfo.jsp
  interval 10
  faildetect 2
  passdetect interval 30
  request method get url /OA_HTML/OAInfo.jsp
  expect status 200 200
probe udp http-8000-iRDMI
  description IRDMI (HTTP - 8000)
  port 8000
probe http http-probe
  description HTTP Probes
  interval 10
  faildetect 2
  passdetect interval 30
  passdetect count 2
  request method get url /index.html
  expect status 200 200
probe https https-probe
  description HTTPS traffic
  interval 10
  faildetect 2
  passdetect interval 30
  passdetect count 2
  ssl version all
  request method get url /index.html
probe icmp icmp-probe
  description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
  description ebsapp1.xxxx.lk
  ip address 172.25.45.19
  conn-limit max 4000000 min 4000000
  probe icmp-probe
  probe http-probe
  inservice
rserver host ebsapp2
  description ebsapp2.xxxx.lk
  ip address 172.25.45.20
  conn-limit max 4000000 min 4000000
  probe icmp-probe
  probe http-probe
  inservice
serverfarm host ebsppsvrfarm
  description ebsapp server farm
  failaction purge
  predictor response app-req-to-resp samples 4
  probe http-probe
  probe icmp-probe
  inband-health check log 5 reset 500
  retcode 404 404 check log 1 reset 3
  rserver ebsapp1 80
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
  rserver ebsapp2 80
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
sticky http-cookie jsessionid HTTP-COOKIE
  cookie insert browser-expire
  replicate sticky
  serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
  description DM generated classmap for default LB compression exclusion mime types.
  2 match http url .*gif
  3 match http url .*css
  4 match http url .*js
  5 match http url .*class
  6 match http url .*jar
  7 match http url .*cab
  8 match http url .*txt
  9 match http url .*ps
  10 match http url .*vbs
  11 match http url .*xsl
  12 match http url .*xml
  13 match http url .*pdf
  14 match http url .*swf
  15 match http url .*jpg
  16 match http url .*jpeg
  17 match http url .*jpe
  18 match http url .*png
class-map match-all ebsapp-vip
  2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
  class default-compression-exclusion-mime-type
    serverfarm ebsppsvrfarm
  class class-default
    compress default-method deflate
    sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
  class ebsapp-vip
    loadbalance vip inservice
    loadbalance policy ebsapp-vip-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 455
interface vlan 455
  ip address 172.25.45.36 255.255.255.0
  peer ip address 172.25.45.35 255.255.255.0
  access-group input ALL
  nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
  service-policy input remote_mgmt_allow_policy
  service-policy input int455
  no shutdown
ft interface vlan 999
  ip address 10.1.1.1 255.255.255.0
  peer ip address 10.1.1.2 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 999
ft group 1
  peer 1
  no preempt
  priority 110
  associate-context Admin
  inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply me soon
Thanks....!
-Amal- -
ACE 4710 and mangled HTTP requests
After replacing a Cisco CSS/SSL Accelerator and PIX firewall with an ACE 4710 to do load balancing and SSL encryption behind an ASA firewall we started seeing mangled HTTP requests in the Apache access logs for the servers in the server farm. Here is one example:
XX.XX.XXX.XXX - - [21/Oct/2012:01:42:12 -0500] "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
Rather than appearing just after the timestamp, the "POST /register/LServlet" is tacked on to header information that shouldn't even appear in the log. Also the first letter in that header information is always missing (heckoutFlag instead of checkoutFlag in this example).
The mangled request always shows up as a 501 HTTP error and shows up late in the Apache access logs (timestamp is out of chronological order) and always appears with several duplicate POSTs:
XX.XX.XXX.XXX - - [21/Oct/2012:01:42:23 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XX.XXX - - [21/Oct/2012:01:42:12 -0500] "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
This is occurring for several different URLs and not just the one above and for multiple web browsers.
The ACE load balances to servers running Tomcat 7 with Apache HTTP server v. 2.2.14.
A recent ACE software upgrade to A5(2.1) has not fixed the problem.
Has anyone seen this before?
Thanks for any insight you can provide.
-Kari
Hi Kari,
Do you have a sample of the configuration which you got with the CSS?
What is the current configuration which you got on the ACE?
Can you show this output: # show stats http?
Jorge -
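The symptom described in the thread above (POST body bytes in front of the method in the logged request line, a 501 status, an out-of-order timestamp and duplicate POSTs around it) can be searched for in an Apache combined-format access log. The following Python script is an added example, not code from the thread; its sample log lines are constructed from the entries quoted above, with 192.0.2.10, 198.51.100.7 and www.example.com standing in for the masked values.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?:[^"\\]|\\.)*" "(?:[^"\\]|\\.)*"$'
)
METHODS = "GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT"
# A well-formed request line, and one with stray bytes in front of the method.
CLEAN = re.compile(rf"^(?P<method>{METHODS}) (?P<path>\S+) HTTP/\d\.\d$")
PREFIXED = re.compile(rf"^(?P<prefix>.+?)(?P<method>{METHODS}) (?P<path>\S+) HTTP/\d\.\d$")


def parse_line(line):
    """Parse one combined-format line; return None if it is not in that format."""
    m = COMBINED.match(line.strip())
    if m is None:
        return None
    clean = CLEAN.match(m["request"])
    return {
        "host": m["host"],
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "request": m["request"],
        "status": int(m["status"]),
        "path": clean["path"] if clean else None,  # None marks a bad request line
    }


def find_mangled_requests(lines, window=timedelta(minutes=5)):
    """Report entries whose request line is not 'METHOD path HTTP/x.y'."""
    entries = [e for e in map(parse_line, lines) if e is not None]

    # Apache stamps the time the request was received but writes the entry when
    # it completes, so a stalled request shows up "late" with an older timestamp.
    latest = None
    for e in entries:
        e["out_of_order"] = latest is not None and e["time"] < latest
        latest = e["time"] if latest is None else max(latest, e["time"])

    findings = []
    for e in entries:
        if e["path"] is not None:
            continue
        hit = PREFIXED.match(e["request"])
        finding = {
            "host": e["host"], "time": e["time"], "status": e["status"],
            "out_of_order": e["out_of_order"],
            "kind": "prefixed-request-line" if hit else "malformed-request-line",
            "prefix": hit["prefix"] if hit else None,
            "method": hit["method"] if hit else None,
            "path": hit["path"] if hit else None,
            "duplicates": 0,
        }
        if hit:
            # Well-formed requests from the same client for the same path close
            # in time: the duplicate POSTs the thread reports around each entry.
            finding["duplicates"] = sum(
                1 for o in entries
                if o["host"] == e["host"] and o["path"] == hit["path"]
                and abs(o["time"] - e["time"]) <= window
            )
        findings.append(finding)
    return findings


# Constructed sample input, modelled on the log excerpt quoted in the thread.
AGENT = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
BODY = ("heckoutFlag=true&verifyPassword=false&newsletter=false"
        "&emailaddress=&email2=&pass1=&pass2=&username=")


def sample_line(host, ts, request, status, size):
    return (f'{host} - - [{ts} -0500] "{request}" {status} {size} '
            f'"https://www.example.com/register/CServlet" "{AGENT}"')


POST = "POST /register/LServlet HTTP/1.1"
SAMPLE_LOG = [
    sample_line("198.51.100.7", "21/Oct/2012:01:41:50", "GET /index.html HTTP/1.1", 200, 1200),
    sample_line("192.0.2.10", "21/Oct/2012:01:42:23", POST, 200, 8537),
    sample_line("192.0.2.10", "21/Oct/2012:01:44:12", POST, 200, 8537),
    sample_line("192.0.2.10", "21/Oct/2012:01:42:12", BODY + POST, 501, 3322),
    sample_line("192.0.2.10", "21/Oct/2012:01:44:12", POST, 200, 8537),
]

if __name__ == "__main__":
    for f in find_mangled_requests(SAMPLE_LOG):
        print(f["time"].isoformat(), f["host"], f["kind"], f["status"],
              f"embedded={f['method']} {f['path']}",
              f"prefix_len={len(f['prefix'] or '')}",
              f"out_of_order={f['out_of_order']}", f"duplicates={f['duplicates']}")
```

Because the prefix is POST body data, entries flagged this way can carry form values that a well-formed request would never write to the access log, so it is worth checking what those fields contain before the log is shared.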
ACE 4710 Web Optimization Licensing
I currently have a 4710 running the 1Gbps package. We are utilizing Application Acceleration and are coming very close to hitting our 10,000 Web Optimization connection limit. I am trying to find out how to upgrade that.
I see in our license usage an option of ACE-AP-OPT-UP1-K9 but can find no information on this part number. Does anyone know if this is even available and what it brings your connection limit to?
ACE01/Admin# show license usage
License Ins Lic Status Expiry Date Comments
Count
ACE-AP-C-UP1 No - Unused -
ACE-AP-C-UP2 No - Unused -
ACE-AP-C-UP3 No - Unused -
ACE-AP-01-LIC No - Unused -
ACE-AP-01-UP1 No - Unused -
ACE-AP-02-LIC No - Unused -
ACE-AP-02-UP1 No - Unused -
ACE-AP-04-LIC No - Unused -
ACE-AP-04-UP1 No - Unused -
ACE-AP-04-UP2 No - Unused -
ACE-AP-VIRT-5 No - Unused -
ACE-AP-500M-LIC No - Unused -
ACE-AP-VIRT-020 No - Unused -
ACE-AP-C-100-LIC No - Unused -
ACE-AP-C-500-LIC Yes 1 In use never -
ACE-AP-C-500-UP1 No - Unused -
ACE-AP-OPT-50-K9 No - Unused -
ACE-AP-C-1000-LIC No - Unused -
ACE-AP-C-2000-LIC No - Unused -
ACE-AP-OPT-LIC-K9 Yes 1 In use never -
ACE-AP-OPT-UP1-K9 No - Unused -
ACE-AP-SSL-05K-K9 Yes 1 In use never -
ACE-AP-SSL-07K-K9 No - Unused -
ACE-AP-SSL-100-K9 No - Unused -
ACE-AP-SSL-UP1-K9 No - Unused -
ACE-AP-SSLUP-5K-K9 No - Unused -
ACE-AP-VIRT-020-UP No - Unused -
Unfortunately, ACE-AP-OPT-LIC-K9 is not available on ACE4710 and
ACE 4710 cannot handle more than 10,000 concurrent connections.
When you use the ACE to perform a specific set of application
acceleration and optimization functions, and the ACE reaches the
maximum of 10,000 concurrent connections, the appliance stops
accepting any additional concurrent connections until the count
drops below 10,000.
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/command/reference/optimize.html#wp1048813
Regards,
Yuji -
Could you please help us in answering the below query from the customer,
Kotak Mahindra Bank currently has one Primary and one Secondary CVP Server on Version 7.X
Now since they are expanding, we are proposing an additional server MCS-7845-I2-CCE2
Now for load balancing, do i propose CSS or ACE?
If CSS, then which model is being currently sold by Cisco?
If ACE, then how do i select which model of ACE suits best...There is 0.5Gbps, 1Gbps, 2Gbps and 10Gbps..Which one is more appropriate for this CC Size?
The CVP BOM guide suggests an ACE Appliance on CVP 8.0, but for CVP 7.X it suggest CSS 11500 series with WebNS 7.5X...
Can I choose ACE for CVP 7.X, will it be supported?
ACE is the direction going forward.
I have used the CSS pair in the past, but at Cisco Live I spoke to the ACE team in the World of Solutions and ACE pricing was quite similar to CSS (say the ACE 4710 1U model) and it looked to be an effective solution. ACE is also soon available on a Network Module (ACE30 - could be out now) and that looked great.
Be aware of the similar restrictions that apply to CSS if you have the pair geographically separated. With ACE, you would need a GSS above.
Regards,
Geoff -
Hello all,
We will change the CSSs to ACE platforms.
Do you know any application which can convert the basic CSS configuration into ACE configuration?
Platforms:
CSS11501S-C-K9
ACE 4710
The certificates installed in the CSS could be migrated to the ACE?
Hello,
The 4710 with the ACE software has a built-in CSS-to-ACE conversion tool accessible through the web interface. See http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/css_to_ace/user/guide/cssaceug.html for example.
The tool may not convert 100% but it may provide a good starting point.
I don't see any reason why you can't export the certificates from the CSS (assuming you remember the password) and import them into the ACE.
HTH
Cathy -
Hi,
We would like to load balance a SharePoint app on two servers in two datacentres. I would like to know which appliance is better for this purpose.
CSS 11501/11503 series or ACE 4710
Regards.
Ace is the future.
It is IPv6 ready and new features are being added every day.
The CSS is still supported but there is no more development of new features and IPv6 will never be available on that machine.
Personally, I will go for the appliance.
Gilles -
ACE 4710 bundle license backup
Hello,
Is it possible to backup ACE appliance licenses if product is bought as a bundle?
ACE-4710-BAS-SK-K9
Promo Bundle - ACE 4710 HW-1Gbps-1K SSL-100MbpsComp-5VC
Following is mentioned in the ACE documentation:
"If you need to replace the ACE, you can copy and install the license file for the license onto the replacement appliance."
But, when we try to backup licenses, we get following results:
ACE-1/Admin# sh license
ACE-1/Admin# copy licenses disk0:mylicenses.tar
Backing up license... failed: License file not found
ACE-1/Admin# sh license status
Licensed Feature Count
Compression Performance in Mbps 100
Web Optimization Concurrent Conns. 50
SSL transactions per second 1000
Virtualized contexts 5
Module bandwidth in Gbps 1.0
ACE-1/Admin# sh license usage
License Ins Lic Status Expiry Date Comments
Count
ACE-AP-C-UP1 No - Unused -
ACE-AP-C-UP2 No - Unused -
ACE-AP-C-UP3 No - Unused -
ACE-AP-01-LIC No - Unused -
ACE-AP-01-UP1 No - Unused -
ACE-AP-02-LIC No - Unused -
ACE-AP-02-UP1 No - Unused -
ACE-AP-04-LIC No - Unused -
ACE-AP-04-UP1 No - Unused -
ACE-AP-04-UP2 No - Unused -
ACE-AP-VIRT-5 No - Unused -
ACE-AP-500M-LIC No - Unused -
ACE-AP-VIRT-020 No - Unused -
ACE-AP-C-100-LIC No - Unused -
ACE-AP-C-500-LIC No - Unused -
ACE-AP-C-500-UP1 No - Unused -
ACE-AP-OPT-50-K9 No - Unused -
ACE-AP-C-1000-LIC No - Unused -
ACE-AP-C-2000-LIC No - Unused -
ACE-AP-OPT-LIC-K9 No - Unused -
ACE-AP-OPT-UP1-K9 No - Unused -
ACE-AP-SSL-05K-K9 No - Unused -
ACE-AP-SSL-07K-K9 No - Unused -
ACE-AP-SSL-100-K9 No - Unused -
ACE-AP-SSL-UP1-K9 No - Unused -
ACE-AP-SSLUP-5K-K9 No - Unused -
ACE-AP-VIRT-020-UP No - Unused -
I suppose licenses cannot be backed up because they are bundled and delivered with the bundle by default, and not installed...
Does anyone know what would be the procedure for this bundled licenses in case of ACE HW replacement needed?
Best regards,
Jasmina
Hi Jasmina,
License file management is quite simple for ACE. Two methods; save original license email or copy from disk0:.
If you purchased and upgraded license, and followed procedure to generate it, you would have received your license via email. We recommend per documentation (License ordering section) that you:
"Step 5 Save the license key e-mail in a safe place in case you need it in the future (for example, to transfer the license to another ACE). "
Also, to apply, you copy the license file to disk0: on the ACE. This *.lic file resides on disk0: thereafter.
So if you did not happen to save the original email when you obtained the license, and the license has been installed, then you can simply copy the *.lic file off the ACE from disk0: to a safe place. Example copying file from ACE to FTP server:
Switch/Admin# copy disk0: ftp:
Enter source filename]? 1ACE2009060306445454.lic
Enter Address for the ftp server]? 10.2.3.4
Enter the destination filename]? [1ACE2009060306445454.lic]
Enter username]? anonymous
Enter the file transfer mode[bin/ascii]: [bin]
Enable Passive mode[Yes/No]: [Yes]
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
Switch/Admin#
Administrator Guide - Licenses on ACE:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/administration/guide/license.html#wp1010344
Hope this helps.
-pefrench -
Hi. I'm working on the Cisco ACE 4710 to be able to load balance web traffic between several web servers. But despite following the steps mentioned in the Cisco configuration guide (especially this link and related docs: http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Creating_a_Virtual_Context) we did not manage to make it work. We tested both the "bridged scenario" and the "routed scenario" but neither of them is working. Specifically, "configuring NAT" in the above link is very confusing and is not clear, because it's not the same as Cisco IOS, which we used to implement it that way.
Routed Scenario:
==========================================
probe http Http_Probe
  description Server Healty Check
  port 80
  request method head url /index.htm
probe icmp ICMP_Check
  interval 10
  passdetect interval 5
rserver host NetCad_Server_1
  ip address 172.16.1.100
  probe ICMP_Check
  inservice
rserver host NetCad_Server_2
  ip address 172.16.1.101
  probe ICMP_Check
  inservice
rserver host NetCad_Server_3
  ip address 172.16.1.102
  probe ICMP_Check
  inservice
serverfarm host NetCad_Servers
  probe Http_Probe
  rserver NetCad_Server_1 80
    inservice
  rserver NetCad_Server_2 80
    inservice
  rserver NetCad_Server_3 80
    inservice
sticky http-cookie Cookie1 1
  serverfarm NetCad_Servers
class-map match-all VS_NetCad
  2 match virtual-address 192.168.13.162 255.255.252.0 tcp any
policy-map type management first-match mgmt-pm
  class class-default
    permit
policy-map type loadbalance first-match VS_NetCad-l7slb
  class class-default
    serverfarm NetCad_Servers
policy-map multi-match int40
  class VS_NetCad
    loadbalance vip inservice
    loadbalance policy VS_NetCad-l7slb
    loadbalance vip icmp-reply
interface vlan 40
  description Client Side
  ip address 192.168.13.161 255.255.252.0
  ip options allow
  no normalization
  no icmp-guard
  access-group input Permit_ALL
  service-policy input mgmt-pm
  service-policy input int40
  no shutdown
interface vlan 41
  description Server Side
  ip address 172.16.1.1 255.255.255.0
  ip options allow
  no normalization
  no icmp-guard
  access-group input Permit_ALL
  nat-pool 1 172.16.1.110 172.16.1.110 netmask 255.255.255.255 pat
  service-policy input mgmt-pm
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.12.1
==========================================
Hi,
Let me explain you.
Assuming client IP as 1.1.1.1, VIP as 2.2.2.2 and Real Server as 3.3.3.3
Consider the simple situation where client needs to access an application hosted on 3.3.3.3. Client sends a request which comes to VIP.
src 1.1.1.1 -----> dst 2.2.2.2
ACE after matching conditions and taking LB decision decides to send it to 3.3.3.3 real server. Performs destination NAT and forwards the client request to 3.3.3.3. So the above packet L3 header will now look like:
src 1.1.1.1 -----> dst 3.3.3.3
When reply comes from server, ACE will change src 3.3.3.3 back to 2.2.2.2 and forwards the request to client 1.1.1.1. SIMPLE LB.
Now comes a situation where let's say you want to hide the client IP from server or let's say server's default GW is not ACE or client and server are in same subnet but need to communicate through VIP on ACE etc.
Src 1.1.1.1 dst 2.2.2.2
After LB ace decides to send it to 3.3.3.3 but also policy multi match has nat rule (nat dynamic 1 vlan x). But packet would be forwarded from server vlan where you have NAT pool defined. So let's say pool IP is 3.3.3.4. So ACE will perform both destination as well as src NAT here before forwarding the packet to server and packet L3 header will look like:
src 3.3.3.4 ----->dst 3.3.3.3
Now when 3.3.3.3 has to send packet back, ACE will answer ARP for 3.3.3.3 and hence packet will come back to ACE which will again change the L3 header IP's and send it out the client VLAN towards client.
So NAT is always applied to server side vlan and that's why pool is chosen from server side subnet.
Let me know if you have any questions.
Regards,
Kanwal -
Full URL re-direct with ACE 4710
Is there any way to perform a redirect on the ACE 4710 so that a request sent to the domain mydomain.com is redirected to www.mydomain.com? This is so that an installed SSL certificate will match.
Thanks
Thank you for your response, but the redirect would occur before any encryption. For example, today this is what happens:
someone goes to
http://www.mydomain.com
and the ACE redirects the connection to
https://www.mydomain.com
What I want is for someone to go to
http://mydomain.com (without the www) and for it to redirect to
http://www.mydomain.com which will in turn redirect to https://www.mydomain.com
or it can just redirect to https://www.mydomain.com
So the encryption will not occur until it is redirected to the correct website -
ACE 4710 responds very slow to CLI commands
I am experiencing delayed responses to my CLI commands on the ACE 4710. The delays occur sporadically. I have checked the CPU and memory and neither one appeared to show any abnormal behaviour. Has anybody else experienced unusual delay with your CLI commands? If so, were you able to isolate and correct the problem? If not, any suggestions on where and how to look for the problem?
I am experiencing the same exact problem. CLI commands are very slow. Although I don't get any performance issues for my application, when I issue the "show run" or "wr mem" commands at the CLI I wait for over 1 minute to receive any output; commands like "show serverfarm", "show rserver", "show stats" are working fine. My resource usage is OK and the CPU has no problems. The problem exists in all contexts of the specific ACE. I did a test by forcing the standby ACE to become active, and while the standby ACE had no problem in executing the command, when it becomes the active one the problem shows up. Is there a way to troubleshoot this?
Thank you in advance -
I will buy an appliance with the main functionality or idea of load balancing of web servers.
I heard that CSS is obsolete hardware that goes to EOL and the new hardware is the ACE4710. Is it?
Could someone tell me the principal differences? Or could someone recommend me one of them?
The CSS was created more than 10 years ago. It does a great job but we have stopped adding new features to it for some time now.
The ACE 4710 is the new product, designed 2 years ago and with a huge team of developers still adding new features to it... like IPv6 support coming soon.
Gilles.