[c-nsp] Replacement for Cisco ACE load balancers

Phil Mayers p.mayers at imperial.ac.uk
Mon Feb 4 12:22:20 EST 2013

On 04/02/13 15:13, Matthew Huff wrote:
> We have a pair of Cisco ACE-20 blades in our core 6500 data center
> switches. Since Cisco has EOL the ACE blades and we are retiring our
> 6500s (moving to Nexus 5000), we are looking for a replacement load
> balancing hardware. This is for high-availability rather than
> scalability. Our throughput needs are very low so we are looking at
> the bottom end of vendors appliances.
> We are looking at F5, Foundry (Brocade), and Citrix Netscaler. Anyone
> else go through this and have recommendations/horror stories/info
> they would like to share? Thanks.

We had ACE-20, and went through this decision process. We decided on 
upgrading to ACE-30 in the existing 6500 chassis, and plan on simply 
retaining this in layer-2 when we eventually move the routing to other 

We toyed with F5, A10 and some others, but eventually decided to stick 
with Cisco. The main reason was that we run the ACE in bridged mode 
without source NAT (except in a few special cases) and the ACEs handle 
this well due to their relatively high throughput. It was also basically 
a drop-in replacement, so was fairly easy in terms of planning and manpower.

Many LBs seem to be designed / prefer to run in one-armed scenarios and 
have relatively low packet-shifting performance (we were advised by F5 
to consider their 2x 1Gb port model, for example). This means you either:

  1. run *all* your traffic through a thin pipe, including non-SLB 
traffic (e.g. backups, replication, etc.) - not an option for us.

  2. put SLB backends on different subnets - would have required 
significant work to move to.

  3. use source NAT - would have required X-Forwarded-For: setup for 
HTTP, and no real options for non-HTTP traffic.

However - I can say from our investigations that, had we been willing to 
move to a different setup (probably source NAT) the F5 seems like a 
really nice product. I particularly like the HTTP stuff it can do to 
make your website magically "HTTP caching friendly", which is good if 
you have some crappy web infrastructure that doesn't handle Expires: or 
ETag: well. They also have some really neat stuff with GSSAPI/Kerberos 
S4U, letting clients user non-kerberos auth (e.g. SSL certs) and 
backends "see" Kerberos.

That said, I'm reasonably happy with the ACE-30, including their IPv6 


More information about the cisco-nsp mailing list