AI, ML, Development + Cisco Learning Blog Learning about Machine Learning, Artificial Intelligence, related development topics and formerly Routing and Switching, Datacenter, Security and other topics, CCIE #23664, Frank Wagner

16 December 2007

ACE design / implementation / GNU

Filed under: Bridging + Switching,module types — ocsic @ 19:20

The most difficult part is integrating the device into the customer's network. This needs a lot of planning and discussion about the design and how it should be implemented.

The logic is that you will mostly place the ACE in between, from one VLAN into the other. The ACE provides the VIP and VLAN interfaces that act as the gateway for traffic back to the clients. Bypassing the ACE is even possible. This should be planned beforehand, and it should be clear at what point the device will be implemented. It is a good idea to take a close look at network structures that have grown over time. Implementing the ACE depends on a good understanding of the traffic flow and the current network infrastructure. It is best to communicate possible problems and catches.

ACE boot messages. Here you can see that some Linux/GNU code is included in the ACE:

Unmounting done…
INIT: Switching to runlevel: 6
INIT: Sending processes the KILL signal
Rebooting… Rest
System Bootstrap, Version 12.2[120],
Copyright (c) 1994-2006 by Cisco Systems, Inc.
Slot 3 : Running DEFAULT rommon image …

ACE platform with 1048576 Kbytes of main memory

Loading disk0:c6ace-t1k9-mz.3.0.0_A1_6_2a.bin. Please wait ….
Uncompressing Linux…
Starting the kernel…
INIT: version 2.78 booting
Mounting Second Ramdisk ….
Second Ramdisk successfully mounted
Starting periodic command scheduler: cron.
Configuring network interfaces.
CF dump: Register callback functions
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
/dev/cf: 8 files, 24304/62532 clusters
FAT FS is ok
Compact Flash size 1000512(in 1k blocks) …
Core file size 204800
Available free size in cf is 611648 (in 1k blocks) …
set_coredump 2.11, 12 Mar 2005, FAT32, LFN
first_cluster = 0x608c num_cluster = 0x40 (64)
inserting procfs
inserting isan_kthread
inserting wiremod
inserting klib
inserting resdrv
inserting tlv
inserting sse
inserting kpss
inserting sdwrap
creating sdwrap device
inserting klm_tl
creating tl device
inserting klm_scp
inserting klm_mts
creating mts0 device
creating mtscfg0 device
inserting utaker
creating utaker0 device
creating utaker1 device
inserting sysmgr-hb
creating sysmgr-hb device
inserting modlock
creating modlock device
inserting bufmgr
inserting pkt_fifo
inserting encdec
creating encdec device
inserting pseudo
inserting drammap mod
creating drammap device
inserting ixp_dnld
creating ixp_dnld device
inserting sysdrv
creating sysdrv device
New registry installed.
INIT: Entering runlevel: 3
inserting i2c module
inserting ssa driver
inserting cde driver
inserting bf_dnld driver
inserting pfm_drv driver
inserting regaccess driver
inserting bf_nvram driver

Firmware compiled 24-Aug-07 17:47 by integ Build [26368]

ACE Daughter boards DB1 not present DB2 not present.
downloading fpga to cde 1

Read 3262456 bytes from ./cde1_core.bit
FPGA Date: 2007/ 9/13 Time: 3:38: 5

CDE 1 download successful
downloading fpga to cde 2

Read 2377744 bytes from ./cde2_core.bit
FPGA Date: 2007/ 8/15 Time: 20:59:47

CDE 2 download successful
FPGA Programming Done

CDE 1 revision ID 0403
CDE 2 revision ID 0402
enabling cde 0 interrupts
finished CDE setup

Configuring NP 1 Memory
Configuring NP 2 Memory
………………………..
Downloading NP 1 Image
………………………..
Downloading NP 2 Image
….. 0x40b214 (4239892) bytes downloaded

….. 0x40b214 (4239892) bytes downloaded

Loading Nitrox driver.
Writing register at address 3838 with e00
size = 8148
Ctx memory range(0x0000000-0x10000000)
Cleared 262144 1024-byte blocks in 5 requests.
Writing register at address 3898 with 1
Writing register at address 38b8 with 1

N2 SPI INIT PROGRAM.

Initializing Nitrox SPI1
configuring using falling clocks
Initializing CDE SPI registers
Nitrox init completed.
inserting IPCP klm
n2_perf_stats loaded
Waiting for NP handshake ……………………………………… Done
inserting IPCP klm
inserting cpu_util klm
Sleeping 10 secs… Done
Waiting for 3 seconds to enter setup mode…
No licenses installed…

Starting sysmgr processes.. Please wait…Done!!!

switch login:

10 November 2007

loadbalancing with the ACE module for the 6500/7600

Filed under: Bridging + Switching,module types — ocsic @ 14:10

We have a customer who ordered the ACE module for the 6500. The installation will consist of two 6500s with a Sup 720 each. Currently the ACE is only available as a module. Cisco is trying to release an appliance next year in February. It is the follow-up to the CSM and CSS from Cisco. Absolutely new is the virtualisation part: it is possible to build up to 250 different contexts, which act as a sort of independent hardware load balancers on one machine. The module costs about $80,000, with a maximum throughput of 16 Gbps and a maximum of 345,000 connections per second.

All traffic is sent through the module, as you define what should be load-balanced.

The default license comes with 5 contexts and 1000 SSL TPS (transactions per second).

I was on a three-day course for the ACE module in Berlin from Wednesday this week. It was a very good lab from flane with a Bulgarian teacher. We did some labs from labgear.net with a virtual web server farm and clients running as Linux machines. Only the ACE module was not virtual :-). All servers and clients were VMware machines. Quite nice labs to test SSL termination, sticky connections, NAT, layer 4 balancing, layer 7 balancing and other topics.

It seems the ACE module has been out for some time, and the new ACE-20 is overcoming some bugs.

Here is an example config like the one we had in the labs, where VLAN 212 is the external VLAN and VLAN 412 is the internal VLAN. The VIP is the virtual IP that represents all web servers. Here there are some web servers and the VIP 12.16.12.50. With the class-map you define the VIP and what traffic is allowed. You also have to set up an access-list on the incoming interface and allow this traffic. Look at this example:

——————————————————————————–

login timeout 0

access-list anyone line 10 extended permit tcp any any

probe icmp pingpong

rserver host d25-lnx1
  ip address 172.168.1.11
  inservice
rserver host d25-lnx2
  ip address 172.168.1.12
  inservice
rserver host d25-lnx3
  ip address 172.168.1.13
  inservice
rserver host d25-lnx4
  ip address 172.168.1.14
  inservice
rserver host d25-lnx5
  ip address 172.168.1.15
  inservice

serverfarm host servers1
  rserver d25-lnx1
    inservice
  rserver d25-lnx2
    inservice
  rserver d25-lnx3
    inservice
  rserver d25-lnx4
    inservice
  rserver d25-lnx5
    inservice

class-map match-all VIP-50
  2 match virtual-address 12.16.12.50 any
class-map type management match-any remote-access
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match remote-mgmt
  class remote-access
    permit

policy-map type loadbalance first-match lb-lo
  class class-default
    serverfarm servers1

policy-map multi-match client-vips
  class VIP-50
    loadbalance vip inservice
    loadbalance policy lb-lo

interface vlan 212
  ip address 12.16.12.5 255.255.255.0
  access-group input anyone
  service-policy input remote-mgmt
  service-policy input client-vips
  no shutdown
interface vlan 412
  description Servers vlan
  ip address 172.168.1.1 255.255.255.0
  no shutdown

——————————————————————————–
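
The configuration above binds an ACL that permits all TCP, and a management policy that accepts Telnet, to VLAN 212, which the post names as the external side. The following added example (not from the original post or from Cisco; the function names and finding labels are assumptions of this example) parses this configuration format in Python and reports both weaknesses at the interface they are bound to, using a constructed excerpt of the lab config as input.

```python
import re

# Constructed sample: an excerpt of the lab configuration shown above.
CONFIG = """\
access-list anyone line 10 extended permit tcp any any
class-map type management match-any remote-access
  2 match protocol telnet any
  3 match protocol ssh any
policy-map type management first-match remote-mgmt
  class remote-access
    permit
interface vlan 212
  access-group input anyone
  service-policy input remote-mgmt
  service-policy input client-vips
"""

# Commands that open a top-level block; keyword-based, so it survives lost indentation.
TOP = re.compile(r"(access-list |probe \S+ \S+|rserver (host|redirect) |"
                 r"serverfarm |class-map |policy-map |interface )")

def sections(text):
    """Return [(header, [body lines])] for each top-level block."""
    out = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if TOP.match(line):
            out.append((line, []))
        elif out:
            out[-1][1].append(line)
    return out

def audit(text):
    secs, findings = sections(text), []
    # ACLs with an entry permitting any source to any destination on all ports
    broad = {m.group(1) for h, _ in secs
             if (m := re.match(r"access-list (\S+) .*permit \S+ any any$", h))}
    # Management class-maps accepting Telnet, and the policy-maps that use them
    classes = {h.split()[-1] for h, b in secs if h.startswith("class-map type management")
               and any("match protocol telnet" in x for x in b)}
    policies = {h.split()[-1] for h, b in secs if h.startswith("policy-map type management")
                and any(x.startswith("class ") and x.split()[-1] in classes for x in b)}
    for head, body in (s for s in secs if s[0].startswith("interface ")):
        for x in body:  # report each weakness at the interface it is bound to
            name = x.split()[-1]
            if x.startswith("access-group input") and name in broad:
                findings.append(("broad-acl", name, head))
            if x.startswith("service-policy input") and name in policies:
                findings.append(("telnet-mgmt", name, head))
    return findings
```

Calling `audit(CONFIG)` returns one tuple per finding; an ACL entry that is restricted to the VIP and port, and a management class-map without the Telnet match, produce no findings.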

A new thing on the command line is that tab completion also works for service-policies and class-maps.

A nice thing that Juniper has already implemented is the checkpoint feature. It has nothing to do with Check Point FW1; it is a nice and handy rollback system in case something went wrong or you want to roll back to an older configuration. It is no longer necessary to reload the router: just say, for example, "checkpoint rollback config-name" and the context will load that configuration and erase the previous one. There is no need to reload the router to clean up the previous configuration from RAM or the running-config. The running-config is replaced completely by the previously created checkpoint, so you can easily go back to the last saved working configuration. Juniper is even more sophisticated, as you can configure on the system and later on say that this should be implemented now.

Probably this will show up in future IOS versions too.
Source:

http://www.cisco.com/en/US/products/ps6906/index.html

Nice comparison between the CSS, CSM and ACE:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item0900aecd8045867c.shtml

17 July 2006

wic-1t

Filed under: module types — ocsic @ 23:16

Serial module card

You can use this card to extend your modular 2600 series router. It's quite cheap on eBay.
