ACE vs CSS (or CSM!)

jkanclirz · ‎01-28-2009

I really thought that the Cisco EOL CSS and replaced it with ACE.

It seems that CSS is still very much alive and being sold. How would you compare CSS to ACE? Features, Design, Cost, Licensing ..etc

When I compare these two - few things that jump out are:

CSS1500s - up to 40GB throughput

4710 ACE - up to 4GB throughput

Module ACE - up to 64GB throughput

So right away - if I needed appliance that could handle 20GB throughput I would need to go with CSS.

ACE - context supported

CSS - not supported (didn't find it being supported)

So again - if I need an environment with multiple virtual contexts, I would need to go with ACE.

CSS, CSM, ACE .. too many choices!

thoughts?

Thank you

veriton · ‎01-30-2009

Are CSS11500's EOL? Any EOL announcement is not mentioned here:

http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_eol_notices_list.html or on the CSS 11500 page:

http://www.cisco.com/en/US/products/hw/contnetw/ps792/index.html

The CSS 11500 products have served me well at a number of customers and I think competes well with F5 BIG-IP, certainly at the smaller end of the enterprise market. I can't comment on virtual contexts though.

Collin Clark · ‎01-30-2009

I'm sure the EoL is coming (since the introduction of the ACE), but I have not heard of any dates. We have both in our environment and the ACE blows away the CSS in features, config, etc. We're planning on removing all CSS's and going to just the ACE. The ACE (in our configurations) are quite a bit cheaper. The FO is better, the multiple contexts is just plain cool, even the WebUI (which I normally don't like) is nice and easy, and ACL's actually work with the ACE. I heard that Cisco hired some MAC GUI developers to help in the design of it. My vote is for the ACE, it's not even close.

Gilles Dufour · ‎02-03-2009

There is indeed no EOL annoncement for the CSS11500. Not sure when it will come. Probably not in the next 6 months (but no guarantee).

Indeed the CSS does not have virtualization.

It is also lacking the dynamic cookie stickyness. It does not have the caching and http optimization offered by the ACE appliance. Only limited DoS protection on the CSS vs large Firewall features on ACE.

No HW module required for SSL/Compression support on the ACE appliance.

No HTTP header insert function on the CSS.

G.

vpetracca · ‎02-10-2009

Hi Gilles.

I'm going to do a migration from CSM to ACE Service Modules.

Before doing it i would like to make a good presentation to the customer on what are the main differences between these two product.

I'm not talking about hardware , capacity virtualization and so on.

Customer would like to know major differences between configuration option like predictor ( new predictor or something like that..), probes , serverfarm options...

etc..

Something that you know it is possible to do with Ace and not with csm and that can be useful for the customer or that can impress ..

Thanks in advance.

Vittorio

Syed Iftekhar Ahmed · ‎02-10-2009

Features Not available in CSM

SIP loadbalancing

Connection rate limiting per VIP and per Real

SNMP based LB decisions (CPU,mem,disk space)

Least bandwisth predictor

Virtualization

TCP Reuse

Http Compression

Http optimzation

TCP/IP Normalization

Http,DNS,Ldap,Rtsp,ICmp,SIP,skinny fixups

Configuration checkpoints

Syed

jteixido · ‎02-10-2009

I'm pretty sure that the ACE modules do not currently support HTTP compression and Optimization. I know that the ACE 4710 support these features, but has a total thouroughput of 4Gbps, the ACE module supports up to 16Gbps.

John...

Syed Iftekhar Ahmed · ‎02-10-2009

Correct.

I mixed up ACE module with ACE appliance.

As per Cisco Http Compression is committed for ACE module.

I am not sure if HTTP optimization will be available on ACE module.

Syed

vpetracca · ‎02-11-2009

Thanks Syed for the informations.

Another question..

In the actual CSM configuration

that we are going to migrate we use this basic type of configuration for Vservers :

-------------------------------

real name A

ip address x.x.x.x

inservice

real name B

ip address x.x.x.x

inservice

probe TCP tcp

interval 30

retries 4

failed 15

!

serverfarm SF

real name A

inservice

real name B

inservice

probe TCP

vserver VIP

virtual V.V.V.V tcp www

serverfarm SF

advertise active

persistent rebalance

inservice

--------------------------------

So basically we put the tcp port value only on the vserver object . And this is inherited

by all the other objects..

Is it possible to do the same ( or similar) with ACE ?

Syed Iftekhar Ahmed · ‎02-11-2009

Destination ports will not get translated until you use "rserver under Server Farm definition.

Only exception is that in ACE Module you have to define port under probe. If you donot define port it doesn't inherit the port number of the real server.

(The above mentioned functionality is available in ACE appliance.Probe defined in Ace Appliance does inherit port number form real).

Your CSM config will translate into ACE as follows

probe tcp TCP80

port 80

interval 30

faildetect 4

passdetect interval 15

receive 4

open 4

rserver host A

ip address x.x.x.x

inservice

rserver host B

ip address x.x.x.x

inservice

serverfarm host SF

probe TCP80

rserver A

inservice

rserver B

inservice

parameter-map type http VIP_HTTP

persistence-rebalance

class-map match-all VIP

match virtual-address V.V.V.V tcp eq www

policy-map type loadbalance first-match VIP

class class-default

serverfarm SF

policy-map multi-match POLICYxyz

class VIP

loadbalance vip advertise active

appl-parameter http advanced-options VIP_HTTP

loadbalance policy VIP

loadbalance vip inservice

loadbalance vip icmp-reply active

HTH

Syed Iftekhar Ahmed

vpetracca · ‎02-11-2009

So the only solution with Ace

module is to create many different probes...Correct?

Thanks a lot

Vittorio

Gilles Dufour · ‎02-11-2009

Syed,

man!!! I just discovered the module didn't have inheritance.

I found the code diff that was added to the appliance and indeed it is not in the module.

I will make sure this code is added quickly to the module.

It should work in A2(1.5)

Gilles.

vpetracca · ‎02-11-2009

Hi Gilles ..

Are you talking only about ACE appliance ? Correct ?

About ACE module "inheritance" will never be possible ?

Customer is using it a lot on CSM...to have a shorter config file..

Thanks

Vittorio

Syed Iftekhar Ahmed · ‎02-11-2009

Yes you need to create probes for each unique port in ACE Module.

Gilles is talking about inheritance in ACE module. After the code mentioned by Gilles, Ace module's probes will be able to inherit port numbers from reals.

Syed Iftekhar Ahmed

vpetracca · ‎02-12-2009

Hi Syed.

First of all thanks for all the informations your are giving..

We will use 3.0.0_A1_6_3c Ace software version.

So are you telling me that it is possible to use on ACE Service Module inheritance on probes ?

Have a nice day

Vittorio