Cisco Application Control Engine (ACE) — Introduction and Comparison With F5
January 25, 2008 by Greg Ferro · 13 Comments
ACE Introduction
The ACE comes in two formats, either a standalone 1RU appliance, or as a Cat6500 module. The appliance seems to have a faster development cycle and gets the new features early, but the module has more performance in every aspect.
And what amazing performance it is, this thing can perform load balancing at up 16 Gigabits per second, which is about four times more than the F5 8800 (note some conditions apply in the current versions of code, due to ASIC inputs at 8 Gigabits per second but expected to be resolved in future code releases), and at a price about two thirds of an F5 8800. (Note: I accept raw speed is not he only measure of performance see more later)
But not many people are going to need a load balancer at that sort of performance, and the ACE module is a key part of the Cisco SONA strategy. To this end the ACE module can have up to 250 virtual instances, more than 340000 sustained TCP connection, 15000 SSL TPS. SO this thing has high performance across the board.
Power Reduction
A rough rule, one ACE module is ‘performance equivalent’ to at least four F5 6400 units. An F5 6400⁄8800 chassis uses a maximum of 460W, so lets say its consumes about 300W in real life. One ACE module uses about 220W. The power saving in enormous.Of course, one ACE module uses a lot less space.
Functional Comparison
In my opinion, the F5 has superior functional capability in comparison to the Cisco ACE. The iRules function is powerful, flexible and easy to use. The graphical IDE is a smart piece of work and is really attractive to the GUI-centric folks amongst us (big shout-out to the Windows server people!)
As a networking person, it takes a while to adapt to using a a language like TCL (which F5 iRules uses), but since Cisco IOS has a TCL mode I am becoming comfortable using traditional techniques for programming.The F5 also has some good features relating to certain applications such as MS Sharepoint, SAP, Oracle and so on. If you know about these features you will know why you want an F5 for these.But for web hosting platforms which use TCP, DNS, FTP, HTTP SMTP and so on in the server farms, you will be hard pressed to appreciate the F5 benefits.
Virtualisation
The ACE virtualisation is very similar to the Cisco FWSM. There is full separation between contexts, including AAA, login, SNMP and all network management functions. The F5 uses a partition concept, which involves administrative restrictions, but only a single management instance. This makes security and sharing of Network Management and Monitoring difficult. F5 indicates that they will have some form of virtualisation in the next year or so.
Management
Cisco ACE can be managed using Cisco Application Networking Manager. It provides a tool for GUI configuration of multiple ACE modules. I haven’t seen ANM yet, but a paper review indicates that it has good AAA and full separation of the views.
Interestingly, Cisco ANM comes free with your ACE for two hardware and five contexts, but you need to buy licenses in an odd (and expensive) way. Thus, you need to buy context licenses per device, and thus you have to spend a lot of cash and have unused licenses all over the place. For larger installations make sure you plan this into your upgrade costs.
Futures
When you look at the modules you can see that there is space for two daughter cards. The suggestion is that new features are in the pipeline for Web Acceleration. I suspect that we will see features from the Application Velocity and WAAS platform in the future. Look for dynamic browser cache management, HTML transformation / and protocol management in the hardware over the next year or so.
Conclusion
I believe that for large data centres, you will most likely use F5 LTM where you need it for a specific feature or task, but you would choose to have a ACE module for most load balancing tasks.
You can can create lots of them, use MPLS to make them available anywhere in your network.
I also recommend that you buy the WS-C6509E-ACE20-K9 ACE20 8G 6509E Bundle. This is a Catalyst 6509 chassis, with Sup720 and dual 6000W power supplies, and an ACE module as a single item. The saving is about 20% over buying the items individually, which makes it good value.
Edit: Also check out my rant at F5 about no AAA authorization.
Please rate this post:
Why Rate Posts?
(2 votes, average: 7.50 out of 10)
Loading ...Probably Related Posts on the Same Topic
Cisco IOS Load Balancing for Blue Coat SGOS
Some time ago I used IOS SLB feature on a C6500 to load balance a pair of Blue Coat ProxySG. Here the confuguration and some notes.
Read the full articleCisco Application Control Engine (ACE) Software Version 2.1.0 Ships
I notice that Cisco has released 2.1.0 for the Cisco ACE today. A quick read of the release notes show lots of fun goodies packed inside. These features are starting to ‘catch up’ with the F5.
I have installed the ANM 1.2 management platform in the last couple of weeks and will post a review soon.
…
Read the full articleNetwork Dictionary — Application Delivery Controller
Application Delivery Controller (ADC) — The new marketing name for a “load balancer”. Someone put a shiny chrome exhaust and new buttons on it and so it needed a new marketing name. Calling my coffee cup a “Liquid Receptacle Device with Enhanced Handling Features” doesn’t change the fact that it holds ocffee.
Note: the Web Application Firewall and Application Acceleration / Optimisation features that are in most ADC are not really load balancing at all. Which is fine, because my router is more a like a switch, or my switch is more like a router and I don’t go around calling it “Enhanced Packet and Frame Silicon Accelerated Data Controller”. No, I just call it a switch or a router. …
Read the full articleWhy Can’t I Ping My ACE Module ? Diatribe on Service-Policy.
Had a problem with an ACE module today. It took two of us a while to realise what was wrong. And musings on service-policy syntax.
Read the full article
Interesting observations. Your power and cost reduction analysis really only hold water if you already have a 6500 available for the ACE module. Otherwise, cost is a wash and the entire Cisco bundle will consume much more power than a standalone f5 8800. If you add the management licenses in for the ACE, you’re cost will far exceed an 8800.
I’m glad you mentioned theoretical throughput does not always equate to real application performance. From the studies I’ve seen, the 8Gbps ACE falls short of an f5 8800 in every respect. Also, consider the ACE does not support HTTP compression, a very important feature for most large enterprises and ISPs and ASPs.
I agree with your view up to a point. In my case,the F5 8800 was more expensive than the complete C6500 with ACE and 48 switch ports. We had no special discounts from either party and I refer to real costs, not list price.
For most data centres, a C6500 is always available. Its hard to regard it as part of the power budget, but I need the MPLS and routing integration for the virtualization, so I regard the C6509 as a benefit, not a platform for just hosting the ACE blade. Note that the ACE 4700 uses less power than the F5 8800 as well.
The F5 BigIP greatest difficulty remains virtualization. The ability to have separate administrative zones with fully separated routing is very valuable.
I disagree on performance. The F5 BigIP loses performance when doing complex manipulations, and, because it is so easy to configure ‘fancy’ load balancing, we do slow it down. I love the interface though.
I am currently configuring Cisco Application Network Manager, I will probably post an article on comparing this with the F5 web interface in a few weeks.
Thanks for your post.
The ACE4700 does use less power than an f5 8800, but the 4700 is more in line with an f5 3400, which is rated at a max power of 300W.
Let’s agree to disagree on the 6500 and a power budget calculation. Sure, most data centers will have a 6500, but is there a slot available, is it running the proper code (still on CatOs or Hybrid?), does it have a Sup720 or better? Any upgrades to any of those components have both hard and soft costs associated with him. Large enterprises and ISPs may not be able afford the outage to any of said components to prepare a switch for the ACE.
No GSLB (GTM) functionality in the ACE is a huge disappointment as well.
Good luck with your install…
My company uses both F5 and ACE for LB. The ACE blade have so far shown to be quite unstable and in need of constant reboots. We have been forced to put our high-end customers on the F5 and I do not believe for a minute that ACE is capable of the advertised throughput. The only saving grace for the ACE is TAC appears to do better job in fielding support calls. In another 2 or 3 years, ACE code may become stable and not inundated with of bugs and until then, mission critical stuff stays on the F5.
Cheers
I have many ACES 14 installed…all my equipment carries sup720 and right code..
so the aces fits right in…i can right away use any vlan without moving a single wire…
I can say by experience that i have seen the ACE handle live 3.5 million sustanined connections
i have seen it handle 990k nat translation sustained
i have seen it push 3.5 gigd sustained…
pure war story…not made up
Now the initial code was buggy…and the replication broke easy…
though upgrades replication is seamless and fails over nicely.
I am a cli type of person and need so see and use text…dont like GUI too much.
now for the bad part…
they do advertise that they can handle 4000 vips..I have 550 and my configuration is very large and complicated ..access-list , nat ‚vips ‚l7.
well with a very big configuration the ACE cannot apply the configuration properly and some config does not apply…it does not happen all the time but it happens and spist out an error message .you dont loose the config but it does not apply.…they are working on this bug.…..but is very bad…
again this is in very large configuration .….
yes the ACE is a workhorse and i can vouch for it..seen it
but at code 2.1.2 they have some configuration size ceiling which sucks…
elpingu
I appreciate your feedback. I have found the later code works much better than the earlier releases, and quite a few new features. Probably on parity with the F5 now (at least for the non-microsoft features anyway).
I’ve been trying to figure out how to use ACE to do loadbalance a set of transparent caches. But still couldn’t figure out the proper way to direct the return traffic (from the internet to the clients) to the exact cache that processed the outgoing traffic. Several Cisco guys pointed that I use the mac-sticky feature, but none provided as how that would solve the problem. Any ideas here ?
mac-sticky is the same as the Distributed Director feature from years ago. Basically the LB remembers the mac-address of the device that the packet was originated from. Then, regardless of ANY other details (like ip routing), it will always send the replay packet from the flow, back to that source.
Effectively this is layer 2 load balancing, perfect for load balancing layer 2 devices.
Our experience with the ACE modules has been abysmal. Performing the simplest function (i.e., uploading an SSL cert) is difficult relative to F5 boxes. We have been working with Cisco TAC for 3 days now to get that little thing accomplished. Their UI is horrible and I can say for certain that there is no hope that our operations team will be able to do the simple things they need to do on their own (ie., move servers in and out of pools).
All the power, throughput and price is useless if I need a CCIE and Cisco TAC to upload a simple certificate. The complexity of Cisco gear continues to be another reason why they will lose marketshare. Command line is great, but seems more like machismo at this point.
I don’t find the CLI a problem, and most networking people are don’t have a problem. People who are server-focussed sometimes have problems if they are not well practiced in using the CLI.
Have you looked at using the Cisco Application Network Manager which is a graphical interface for administering and using the ACE modules ? I found this a lot easier when engaging with people who were used to GUI interfaces and didn’t have much experience with CLI.
We have just purchased several sets of ACE appliances (4710) since Cisco has strongly encouraged us not to deploy their CSS product in new environments. I must say there is quite a difference when contrasted with the CSS and the ease of configuration is not so intuitive. I find the “policy maps” more difficult to work with when creating load balancing rules and the configuration as a whole doesn’t appear as structured as the CSS. I’m not a GUI person since I want to see the “under the hood” pieces of the configuration. I do realize the ACE is more feature rich than the CSS, however. I’m not sure if patience will win out but there has been talk of looking into F5 in the future.
Hi Keith
The Cisco ACE4710 has a GUI console much like the ASDM on ASA, or SDM on IOS. You could use that to do a lot fo the configuration.
If you are struggling to understand the policy/class-map way of configuring, then you might want to do a search for “C3PL” otherwise Cisco Common Classification Policy Language to get an introduction and to help you understand the way this works.
Since I use C3PL is used on all Cisco products (ASA, IOS, and others) I am quite used to used to it, but it did take a while.
With regards to F5, until they support virtualisation (currently projected for NEVER) there is no way I will go back. They are not that great. Funky features, but the same problems as the ACE.