ACE Introduction

The ACE comes in two formats, either a standalone 1RU appliance, or as a Cat6500 module. The appliance seems to have a faster development cycle and gets the new features early, but the module has more performance in every aspect.

And what amazing performance it is, this thing can perform load balancing at up 16 Gigabits per second, which is about four times more than the F5 8800 (note some conditions apply in the current versions of code, due to ASIC inputs at 8 Gigabits per second but expected to be resolved in future code releases), and at a price about two thirds of an F5 8800. (Note: I accept raw speed is not he only measure of performance see more later)

But not many people are going to need a load balancer at that sort of performance, and the ACE module is a key part of the Cisco SONA strategy. To this end the ACE module can have up to 250 virtual instances, more than 340000 sustained TCP connection, 15000 SSL TPS. SO this thing has high performance across the board.

Power Reduction

A rough rule, one ACE module is ‘performance equivalent’ to at least four F5 6400 units. An F5 6400/8800 chassis uses a maximum of 460W, so lets say its consumes about 300W in real life. One ACE module uses about 220W. The power saving in enormous.Of course, one ACE module uses a lot less space.

Functional Comparison

In my opinion, the F5 has superior functional capability in comparison to the Cisco ACE. The iRules function is powerful, flexible and easy to use. The graphical IDE is a smart piece of work and is really attractive to the GUI-centric folks amongst us (big shout-out to the Windows server people!)

As a networking person, it takes a while to adapt to using a a language like TCL (which F5 iRules uses), but since Cisco IOS has a TCL mode I am becoming comfortable using traditional techniques for programming.The F5 also has some good features relating to certain applications such as MS Sharepoint, SAP, Oracle and so on. If you know about these features you will know why you want an F5 for these.But for web hosting platforms which use TCP, DNS, FTP, HTTP SMTP and so on in the server farms, you will be hard pressed to appreciate the F5 benefits.

Virtualisation

The ACE virtualisation is very similar to the Cisco FWSM. There is full separation between contexts, including AAA, login, SNMP and all network management functions. The F5 uses a partition concept, which involves administrative restrictions, but only a single management instance. This makes security and sharing of Network Management and Monitoring difficult. F5 indicates that they will have some form of virtualisation in the next year or so.

Management

Cisco ACE can be managed using Cisco Application Networking Manager. It provides a tool for GUI configuration of multiple ACE modules. I haven’t seen ANM yet, but a paper review indicates that it has good AAA and full separation of the views.

Interestingly, Cisco ANM comes free with your ACE for two hardware and five contexts, but you need to buy licenses in an odd (and expensive) way. Thus, you need to buy context licenses per device, and thus you have to spend a lot of cash and have unused licenses all over the place. For larger installations make sure you plan this into your upgrade costs.

Futures

When you look at the modules you can see that there is space for two daughter cards. The suggestion is that new features are in the pipeline for Web Acceleration. I suspect that we will see features from the Application Velocity and WAAS platform in the future. Look for dynamic browser cache management, HTML transformation / and protocol management in the hardware over the next year or so.

Conclusion

I believe that for large data centres, you will most likely use F5 LTM where you need it for a specific feature or task, but you would choose to have a ACE module for most load balancing tasks.

You can can create lots of them, use MPLS to make them available anywhere in your network.

I also recommend that you buy the WS-C6509E-ACE20-K9 ACE20 8G 6509E Bundle. This is a Catalyst 6509 chassis, with Sup720 and dual 6000W power supplies, and an ACE module as a single item. The saving is about 20% over buying the items individually, which makes it good value.

Edit: Also check out my rant at F5 about no AAA authorization.

Postscript Oct 2010

Well, my experience with the Cisco ACE is far from good. Over the last couple of years the software has been consistently buggy and prone to crashing. At three different customers, I have found that the software is also prone to leak memory and lock up in a working state but not forwarding data. This occurs when using application inspection for load balancing HTTP and DNS.

On the basis of repeated poor experiences I WOULD NOT recommend using the Cisco ACE except for the simplest of TCP load balancing. Given that Cisco hasn’t been able to fix the problem for the last two years, I would have to say it isn’t fixable and the product should be avoided.