[c-nsp] Replacement for Cisco ACE load balancers

Chris Marlatt cmarlatt at rxsec.com
Mon Feb 4 12:56:34 EST 2013

On 02/04/2013 12:22 PM, Phil Mayers wrote:
> On 04/02/13 15:13, Matthew Huff wrote:
>> We have a pair of Cisco ACE-20 blades in our core 6500 data center
>> switches. Since Cisco has EOL the ACE blades and we are retiring our
>> 6500s (moving to Nexus 5000), we are looking for a replacement load
>> balancing hardware. This is for high-availability rather than
>> scalability. Our throughput needs are very low so we are looking at
>> the bottom end of vendors appliances.
>> We are looking at F5, Foundry (Brocade), and Citrix Netscaler. Anyone
>> else go through this and have recommendations/horror stories/info
>> they would like to share? Thanks.
> We had ACE-20, and went through this decision process. We decided on
> upgrading to ACE-30 in the existing 6500 chassis, and plan on simply
> retaining this in layer-2 when we eventually move the routing to other
> devices.
> We toyed with F5, A10 and some others, but eventually decided to stick
> with Cisco. The main reason was that we run the ACE in bridged mode
> without source NAT (except in a few special cases) and the ACEs handle
> this well due to their relatively high throughput. It was also basically
> a drop-in replacement, so was fairly easy in terms of planning and
> manpower.
> Many LBs seem to be designed / prefer to run in one-armed scenarios and
> have relatively low packet-shifting performance (we were advised by F5
> to consider their 2x 1Gb port model, for example). This means you either:
>   1. run *all* your traffic through a thin pipe, including non-SLB
> traffic (e.g. backups, replication, etc.) - not an option for us.
>   2. put SLB backends on different subnets - would have required
> significant work to move to.
>   3. use source NAT - would have required X-Forwarded-For: setup for
> HTTP, and no real options for non-HTTP traffic.
> However - I can say from our investigations that, had we been willing to
> move to a different setup (probably source NAT) the F5 seems like a
> really nice product. I particularly like the HTTP stuff it can do to
> make your website magically "HTTP caching friendly", which is good if
> you have some crappy web infrastructure that doesn't handle Expires: or
> ETag: well. They also have some really neat stuff with GSSAPI/Kerberos
> S4U, letting clients use non-kerberos auth (e.g. SSL certs) and
> backends "see" Kerberos.
> That said, I'm reasonably happy with the ACE-30, including their IPv6
> functionality.

The Foundry/Brocade ServerIron/ADX line works quite well in an L2 or
L3 environment without NAT or being in-line. Enabling DSR (direct server
return, in an L2 environment) means the LB doesn't have to be within the
path of the normal switching/routing, and their ADX line has support for
true multi-10Gb throughputs. DSR also means you're not burning up the
"Application Throughput" limits of the device on other traffic patterns.
Stability is stellar when it comes to these units; I've had some of my
ServerIron 4Gs online for over 1,200 days (1,277 and counting) without

Each vendor has its strengths and weaknesses, and whereas I'm quite
pleased with the Foundry/Brocade models, the only area I would say they
need work in is a robust API interface to help automate changes. However,
they have made recent improvements in their multi-tenancy support.