Cisco Application Control Engine (ACE) – introduction and comparison with F5

ACE Introduction

The ACE comes in two formats, either a standalone 1RU appliance, or as a Cat6500 module. The appliance seems to have a faster development cycle and gets the new features early, but the module has more performance in every aspect.

And what amazing performance it is: this thing can perform load balancing at up to 16 Gigabits per second, which is about four times more than the F5 8800, and at a price about two thirds of an F5 8800. (Some conditions apply in the current versions of code, due to ASIC inputs at 8 Gigabits per second, but this is expected to be resolved in future code releases.) (Note: I accept raw speed is not the only measure of performance; see more later.)

But not many people are going to need a load balancer at that sort of performance, and the ACE module is a key part of the Cisco SONA strategy. To this end the ACE module can have up to 250 virtual instances, more than 340000 sustained TCP connections, and 15000 SSL TPS. So this thing has high performance across the board.

Power Reduction

As a rough rule, one ACE module is ‘performance equivalent’ to at least four F5 6400 units. An F5 6400/8800 chassis uses a maximum of 460W, so let’s say it consumes about 300W in real life. One ACE module uses about 220W. The power saving is enormous. Of course, one ACE module uses a lot less space.

Functional Comparison

In my opinion, the F5 has superior functional capability in comparison to the Cisco ACE. The iRules function is powerful, flexible and easy to use. The graphical IDE is a smart piece of work and is really attractive to the GUI-centric folks amongst us (big shout-out to the Windows server people!)

As a networking person, it takes a while to adapt to using a language like TCL (which F5 iRules uses), but since Cisco IOS has a TCL mode I am becoming comfortable using traditional techniques for programming. The F5 also has some good features relating to certain applications such as MS Sharepoint, SAP, Oracle and so on. If you know about these features you will know why you want an F5 for these. But for web hosting platforms which use TCP, DNS, FTP, HTTP, SMTP and so on in the server farms, you will be hard pressed to appreciate the F5 benefits.


The ACE virtualisation is very similar to the Cisco FWSM. There is full separation between contexts, including AAA, login, SNMP and all network management functions. The F5 uses a partition concept, which involves administrative restrictions, but only a single management instance. This makes security and sharing of Network Management and Monitoring difficult. F5 indicates that they will have some form of virtualisation in the next year or so.


Cisco ACE can be managed using Cisco Application Networking Manager. It provides a tool for GUI configuration of multiple ACE modules. I haven’t seen ANM yet, but a paper review indicates that it has good AAA and full separation of the views.

Interestingly, Cisco ANM comes free with your ACE for two hardware devices and five contexts, but you need to buy licenses in an odd (and expensive) way: context licenses are bought per device, so you have to spend a lot of cash and end up with unused licenses all over the place. For larger installations make sure you plan this into your upgrade costs.


When you look at the modules you can see that there is space for two daughter cards. The suggestion is that new features are in the pipeline for Web Acceleration. I suspect that we will see features from the Application Velocity and WAAS platform in the future. Look for dynamic browser cache management, HTML transformation and protocol management in the hardware over the next year or so.


I believe that for large data centres, you will most likely use F5 LTM where you need it for a specific feature or task, but you would choose to have an ACE module for most load balancing tasks.

You can create lots of them and use MPLS to make them available anywhere in your network.

I also recommend that you buy the WS-C6509E-ACE20-K9 ACE20 8G 6509E Bundle. This is a Catalyst 6509 chassis, with Sup720 and dual 6000W power supplies, and an ACE module as a single item. The saving is about 20% over buying the items individually, which makes it good value.

Edit: Also check out my rant at F5 about no AAA authorization.

Postscript Oct 2010

Well, my experience with the Cisco ACE is far from good. Over the last couple of years the software has been consistently buggy and prone to crashing. At three different customers, I have found that the software is also prone to leak memory and lock up in a working state but not forwarding data. This occurs when using application inspection for load balancing HTTP and DNS.

On the basis of repeated poor experiences I WOULD NOT recommend using the Cisco ACE except for the simplest of TCP load balancing. Given that Cisco hasn’t been able to fix the problem for the last two years, I would have to say it isn’t fixable and the product should be avoided.

  • Mikey G

    Interesting observations. Your power and cost reduction analysis really only holds water if you already have a 6500 available for the ACE module. Otherwise, cost is a wash and the entire Cisco bundle will consume much more power than a standalone f5 8800. If you add the management licenses in for the ACE, your cost will far exceed an 8800.

    I’m glad you mentioned theoretical throughput does not always equate to real application performance. From the studies I’ve seen, the 8Gbps ACE falls short of an f5 8800 in every respect. Also, consider the ACE does not support HTTP compression, a very important feature for most large enterprises and ISPs and ASPs.

  • Greg Ferro

    I agree with your view up to a point. In my case, the F5 8800 was more expensive than the complete C6500 with ACE and 48 switch ports. We had no special discounts from either party and I refer to real costs, not list price.

    For most data centres, a C6500 is always available. It’s hard to regard it as part of the power budget, but I need the MPLS and routing integration for the virtualization, so I regard the C6509 as a benefit, not a platform for just hosting the ACE blade. Note that the ACE 4700 uses less power than the F5 8800 as well.

    The F5 BigIP’s greatest difficulty remains virtualization. The ability to have separate administrative zones with fully separated routing is very valuable.

    I disagree on performance. The F5 BigIP loses performance when doing complex manipulations, and, because it is so easy to configure ‘fancy’ load balancing, we do slow it down. I love the interface though.

    I am currently configuring Cisco Application Network Manager, I will probably post an article on comparing this with the F5 web interface in a few weeks.

    Thanks for your post.

    • SE

      F5 includes a performance calculation tool in the IRules editor. Use it, it will show what little tweaks can be made to code that will optimize it. Also read the TCL command syntax as they give you an idea as well.

  • Mikey G

    The ACE4700 does use less power than an f5 8800, but the 4700 is more in line with an f5 3400, which is rated at a max power of 300W.

    Let’s agree to disagree on the 6500 and a power budget calculation. Sure, most data centers will have a 6500, but is there a slot available, is it running the proper code (still on CatOS or Hybrid?), does it have a Sup720 or better? Any upgrades to any of those components have both hard and soft costs associated with them. Large enterprises and ISPs may not be able to afford the outage to any of said components to prepare a switch for the ACE.

    No GSLB (GTM) functionality in the ACE is a huge disappointment as well.

    Good luck with your install…

  • George Smiley

    My company uses both F5 and ACE for LB. The ACE blades have so far shown to be quite unstable and in need of constant reboots. We have been forced to put our high-end customers on the F5 and I do not believe for a minute that ACE is capable of the advertised throughput. The only saving grace for the ACE is TAC appears to do a better job in fielding support calls. In another 2 or 3 years, ACE code may become stable and not inundated with bugs and until then, mission critical stuff stays on the F5.


  • elpingu

    I have many ACES 14 installed…all my equipment carries sup720 and right code..
    so the aces fits right in…i can right away use any vlan without moving a single wire…
    I can say by experience that I have seen the ACE handle live 3.5 million sustained connections
    i have seen it handle 990k nat translation sustained
    i have seen it push 3.5 gigd sustained…
    pure war story…not made up

    Now the initial code was buggy…and the replication broke easy…
    though upgrades replication is seamless and fails over nicely.

    I am a CLI type of person and need to see and use text…don’t like GUI too much.

    now for the bad part…
    they do advertise that they can handle 4000 vips..I have 550 and my configuration is very large and complicated ..access-list , nat ,vips ,l7.

    well with a very big configuration the ACE cannot apply the configuration properly and some config does not apply…it does not happen all the time but it happens and spits out an error message. You don’t lose the config but it does not apply….they are working on this bug……but is very bad…

    again this is in very large configuration …..

    yes the ACE is a workhorse and i can vouch for it..seen it
    but at code 2.1.2 they have some configuration size ceiling which sucks…

    • Greg Ferro


      I appreciate your feedback. I have found the later code works much better than the earlier releases, and quite a few new features. Probably on parity with the F5 now (at least for the non-microsoft features anyway).

  • thedin

    I’ve been trying to figure out how to use ACE to load balance a set of transparent caches. But I still couldn’t figure out the proper way to direct the return traffic (from the internet to the clients) to the exact cache that processed the outgoing traffic. Several Cisco guys pointed out that I should use the mac-sticky feature, but none provided details as to how that would solve the problem. Any ideas here?

    • Greg Ferro

      mac-sticky is the same as the Distributed Director feature from years ago. Basically the LB remembers the mac-address of the device that the packet was originated from. Then, regardless of ANY other details (like IP routing), it will always send the reply packet from the flow back to that source.

      Effectively this is layer 2 load balancing, perfect for load balancing layer 2 devices.
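
The mac-sticky behaviour described in the reply above, applied to the transparent-cache question, as an added Python model. It is not part of the original comments and is not Cisco's implementation; all MAC addresses, IP addresses and class names are constructed for illustration.

```python
# Added illustration: toy model of mac-sticky return-path selection.
# All MACs, IPs and names are constructed; this is not ACE code.
from typing import NamedTuple

class Packet(NamedTuple):
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class MacStickyInterface:
    """Interface that remembers which L2 neighbour opened each flow."""

    def __init__(self, routed_next_hop_mac: str):
        # Where a plain IP route lookup would send return traffic.
        self.routed_next_hop_mac = routed_next_hop_mac
        self.flows = {}  # reply 4-tuple -> MAC that originated the flow

    def ingress(self, pkt: Packet) -> None:
        # Key the entry by how the reply will look (addresses swapped).
        reply_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # First packet wins, so later packets cannot re-point the flow.
        self.flows.setdefault(reply_key, pkt.src_mac)

    def return_mac(self, reply: Packet) -> str:
        key = (reply.src_ip, reply.src_port, reply.dst_ip, reply.dst_port)
        # Known flow: ignore routing, go back to the remembered MAC.
        return self.flows.get(key, self.routed_next_hop_mac)

def demo() -> dict:
    # Transparent caches keep the client's source IP, so routing alone
    # would send replies to the client-side gateway, bypassing the cache.
    lb = MacStickyInterface(routed_next_hop_mac="00:00:5e:00:53:01")
    client, origin = "198.51.100.7", "203.0.113.80"
    lb.ingress(Packet("02:00:00:00:00:a1", client, 40001, origin, 80))  # via cache A
    lb.ingress(Packet("02:00:00:00:00:b2", client, 40002, origin, 80))  # via cache B
    upstream = "02:00:00:00:00:ff"
    return {
        "flow_a": lb.return_mac(Packet(upstream, origin, 80, client, 40001)),
        "flow_b": lb.return_mac(Packet(upstream, origin, 80, client, 40002)),
        "unknown": lb.return_mac(Packet(upstream, origin, 80, client, 49999)),
    }

if __name__ == "__main__":
    for name, mac in demo().items():
        print(name, "->", mac)
```

Both replies carry the same client IP as destination, yet each returns to the cache that opened its flow; only the flow with no recorded entry falls back to the routed next hop.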

  • Bob

    Our experience with the ACE modules has been abysmal. Performing the simplest function (i.e., uploading an SSL cert) is difficult relative to F5 boxes. We have been working with Cisco TAC for 3 days now to get that little thing accomplished. Their UI is horrible and I can say for certain that there is no hope that our operations team will be able to do the simple things they need to do on their own (i.e., move servers in and out of pools).

    All the power, throughput and price is useless if I need a CCIE and Cisco TAC to upload a simple certificate. The complexity of Cisco gear continues to be another reason why they will lose marketshare. Command line is great, but seems more like machismo at this point.

    • Greg Ferro

      I don’t find the CLI a problem, and most networking people don’t have a problem. People who are server-focussed sometimes have problems if they are not well practiced in using the CLI.

      Have you looked at using the Cisco Application Network Manager which is a graphical interface for administering and using the ACE modules ? I found this a lot easier when engaging with people who were used to GUI interfaces and didn’t have much experience with CLI.

  • Keith Boblits

    We have just purchased several sets of ACE appliances (4710) since Cisco has strongly encouraged us not to deploy their CSS product in new environments. I must say there is quite a difference when contrasted with the CSS and the ease of configuration is not so intuitive. I find the “policy maps” more difficult to work with when creating load balancing rules and the configuration as a whole doesn’t appear as structured as the CSS. I’m not a GUI person since I want to see the “under the hood” pieces of the configuration. I do realize the ACE is more feature rich than the CSS, however. I’m not sure if patience will win out but there has been talk of looking into F5 in the future.

    • Greg Ferro

      Hi Keith

      The Cisco ACE4710 has a GUI console much like the ASDM on ASA, or SDM on IOS. You could use that to do a lot of the configuration.

      If you are struggling to understand the policy/class-map way of configuring, then you might want to do a search for “C3PL” otherwise Cisco Common Classification Policy Language to get an introduction and to help you understand the way this works.

      Since C3PL is used on all Cisco products (ASA, IOS, and others) I am quite used to it, but it did take a while.

      With regards to F5, until they support virtualisation (currently projected for NEVER) there is no way I will go back. They are not that great. Funky features, but the same problems as the ACE.

  • kris


    Why is it that we are not able to access the VIP from the same VLAN?
