Re: ACE vs CSS (or CSM!) - Page 2

jkanclirz · ‎01-28-2009

I really thought that the Cisco EOL CSS and replaced it with ACE.

It seems that CSS is still very much alive and being sold. How would you compare CSS to ACE? Features, Design, Cost, Licensing ..etc

When I compare these two - few things that jump out are:

CSS1500s - up to 40GB throughput

4710 ACE - up to 4GB throughput

Module ACE - up to 64GB throughput

So right away - if I needed appliance that could handle 20GB throughput I would need to go with CSS.

ACE - context supported

CSS - not supported (didn't find it being supported)

So again - if I need an environment with multiple virtual contexts, I would need to go with ACE.

CSS, CSM, ACE .. too many choices!

thoughts?

Thank you

Syed Iftekhar Ahmed · ‎02-12-2009

Vittorio

We are moving in circles:)

No you got it wrong. Probe inheritance is not a feature in any of the current "ACE Module" code. Gilles promised that it will be available in a future release.

Currently only ACE appliance supports this feature.

In summary

Probe Inheritance is not supported in ACE Module (In future we will get it).

Syed

vpetracca · ‎02-12-2009

Sorry for the misunderstanding.

Ok Syed.

Great informations from you and Gilles.

Can i make the last question ?

I prefer to ask you before doing it.

Just tell me if i can.

It is about a CSM variable called ROUTE_UNKNOWN_FLOW_PKTS !

Vittorio

Syed Iftekhar Ahmed · ‎02-12-2009

The variable you mentioned is mostly used in one arm mode.It is used to allow the CSM to

handle "server-initiated flows" or "connections which bypass

the CSM" - e.g. when opening an HTTP connection to a real server bypassing the

VIP

for such scenarios "variable ROUTE_UNKNOWN_FLOW_PKTS 2" is used in CSM

If this variable value is not set, the CSM would drop such connections because the initial

SYN was never seen by CSM.

For more details

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ServerFarmSec_2.1/5_CSM.pdf

In one-arm mode ACE to achieve this you need to turn off normalization

for e.g

interface vlan xxx

ip address 10.1.1.1 255.255.255.0

alias 10.1.1.3 255.255.255.0

peer ip address 10.1.1.2 255.255.255.0

no normalization <----------------------*****

HTH

Syed Iftekhar Ahmed

vpetracca · ‎02-12-2009

You perfectly understand my needs.

What you described is the actual CSM configuration.

When we installed the CSM customer preferred to use One-Arm mode with the variable ROUTE_UNKNOWN_FLOW_PKTS 2

because he doesn't want the CSM to be the default-gateway for servers.

So also ACE ( if i don't put NO NORMALIZATION on interface Vlan) will drop connections which initial SYN was never seen by ACE ?

Syed Iftekhar Ahmed · ‎02-12-2009

Correct.

In order to support Asymmetric routing on ACE you need to disable normalization.

Syed

vpetracca · ‎02-12-2009

I'll be working on lab simulating the migration from CSM to ACE.

All the informations you gave to me will be very useful.

I think i'll will continue this discussion when i'll have some new questions based on direct experience on my lab.

Bye and thanks again.

Vittorio

vpetracca · ‎02-16-2009

Hi Syed..

I've been starting my lab..

A question :

Two context :

1 - "Production" where there will be the " production VIPs"

2 - "Test" where there will be "testing VIPs"

We will "limit-resource all"

A right or better configuration for for create resource-class:

1) Admin Context

2) Production context

3) Test Context

Basically the question is :

if we don'use Admin context to create Vips how much is better to limit the resource allocated for this context ( minimum e maximum)..

I know that you should know customer enviroment but ..Some hints & trips ?

Thanks a lot

Vittorio

Syed Iftekhar Ahmed · ‎02-16-2009

A common misconfiguration I have seen is that people forget to reserve resources for Admin contexts.

Admin context is assigned to default resource-class

(with no minimal resource defined ) and this makes it suseptible to situations

where there are no resources available for Admin context.

If your Admin context is just for admin purposes (no LB traffic)

then there should be 1% to 5% resources reserved for Admin context.

Its recommended that new ACE installations do not exceed 60 to 80 percent of the module's total capacity.

To accomplish this goal you can create a reserved resource class with a guarantee of 20 to 40 percent of

all the ACE resources and configure a Dummy virtual context dedicated solely to ensuring that these resources are reserved.

With this Dummy context ( Resources assigned but not used) gives you a buffer of resources that can be used

If some of the existing contexts require more resources due to traffic increase.

HTH

Syed Iftekhar Ahmed

vpetracca · ‎02-18-2009

Hi Syed

I'm continuing my lab and so new questions..

Now I would like to talk about sticky with two question :

1) " sticky-Limits the number of entries in the sticky table. You must configure a minimum value for sticky to allocate resources for sticky entries, because the sticky software receives no resources under the unlimited setting" .

So if I create a resource- class with limit-resource all , sticky have no resource available ?

2) How many sticky group can I create in a context ?

Have a nice day and thanks for all your answers and advises.

Vittorio

vpetracca · ‎03-06-2009

Hi Syed.

I'm always working on lab , migrating from CSM to ACE Module.

Customer used to do stickyness based on cookie insert by the CSM.

Now i'have a question.

The cookie created by ACE can be a Session cookie ( broowser expires) or can a a validity time.

How can i set the validity time of the cookie in ACE ?

We do it on CSM with a variable..

Thanks Vittorio

jteixido · ‎02-17-2009

I have a dumb question. What is probe inheritance?

John...

Syed Iftekhar Ahmed · ‎02-17-2009

With probe inheritance, you dont need to define port number in probe definition. Probe inherits it from the real server port.

It enables you to create a single probe and assign it to multiple Serverfarms.

Syed Iftekhar Ahmed