[c-nsp] Cisco ACE Web Application Firewall
Dean Smith
dean at eatworms.org.uk
Fri May 16 03:15:22 EDT 2008
I'm not sure the ACE would work well in DSR environment. Its default
behaviour is to terminate the Client TCP session itself and then create a
new connection to the server.
It's been a while since I went through the docs but DSR isn't a natural fit.
(We do have some ACE deployed. Our next load balancing requirement will use
Foundry ServerIron)
It does seem to take a while for the CCO docs to be updated with details for
newer ACE OS.
Dean
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin C. Darby
Sent: 16 May 2008 07:42
To: carl
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ACE Web Application Firewall
The general specifications on the device indicate it can handle DSR
(we also use DSR at our site but not on ACE), but it does so by
claiming it can do everything IP-SLB does. I'd check with a sales rep
to ensure it'll work (all of the documentation related to IP-SLB and
ACE functionality is pretty hard to come by in our experience, they
don't document DSR well at all, dating all the way back to old CSS and
CSM documentation, even though their configuration documents
referenced it).
The ACE has a lot of features you probably won't ever need and that you
will most certainly pay for related to layer 4-7 load balancing,
though. You may want to consider using the IP-SLB functionality
(essentially, a software Content Services Module) in another Cisco
product that supports it, e.g. the 7200 for stand alone, or the IP-SLB
features present on the 6500 series switch supervisors. It requires
enterprise IOS licensing, but in our experience, it's a lot cheaper
than the ACE -- and, if any of the things we've heard about the ACE
are true, a lot easier to configure.
Also to keep in mind: The 7201 for example only has about 4Gb of
backplane and only has four GbE links. It might not meet your
performance requirements. Because of the documentation problem, I'd
also keep the device covered under Smartnet, at least for your initial
configuration, so you can work it out with an engineer on the phone if
you've got problems.
Justin
On May 15, 2008, at 7:34 PM, carl wrote:
> Has anyone had a chance to get a hold of one of these devices, if so what
> are your thoughts? We currently use Foundry ServerIrons in a DSR setup for
> our load balancing method and was wondering if the ACE would work in that
> scenario.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/