loadbalancing with the ACE module for the 6500/7600

We have a customer who ordered the ACE module for the 6500. The installation will be with two 6500 and an 720 sup each. Currently the ace is only as a modul available. Cisco is trying to release a appliance next year in February. It’s a follow-up of the csm and css from cisco. Absolutely new is the virtualisation part. It’s possible to build up to 250 different contexts to build up sort of independent hardware loadbalancerson one machine. The module is about 80.000$ and with a max of 16 Gbps throughput and as a max 345,000 connections per second.

All traffic is send through the module as you define what should become loadbalanced.

The default license comes with 5 contexts and 1000 SSL TPS (transactions per second).

I have be on a three day course for the ace module in Berlin from wednesday this week.It was a very good lab from flane with a bulgarian teacher. We did some labs from labgear.net with a virtual webserverfarm as linux machines and as clients. Only the ace-module was not virtual :-). All servers/clients have been vmware machines. Quite nice labs to test SSL termination, sticky connections, nat, layer4 balancing, layer7 balancing and other topics.

Seems like the ace module is out for some time and the new ace-20 is overcoming some bugs.

Here is an example config, like one we had in the labs, while vlan 212 is external and vlan 412 is the inernal vlan. The VIP is the virtual ip that represents all webservers. Here are some webservers and a VIP12.16.12.50. With the class-map you define the VIP and what traffic is allowed. Then you also have to setup an access-list on the incoming interface and allow this traffic. Look at this example :


login timeout 0

access-list anyone line 10 extended permit tcp any any

probe icmp pingpong

rserver host d25-lnx1

ip address

rserver host d25-lnx2
ip address
rserver host d25-lnx3
ip address
rserver host d25-lnx4
ip address
rserver host d25-lnx5
ip address

serverfarm host servers1
rserver d25-lnx1
rserver d25-lnx2
rserver d25-lnx3
rserver d25-lnx4
rserver d25-lnx5

class-map match-all VIP-50
2 match virtual-address any
class-map type management match-any remote-access
description remote-access-traffic-match
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any

policy-map type management first-match remote-mgmt
class remote-access

policy-map type loadbalance first-match lb-lo
class class-default
serverfarm servers1

policy-map multi-match client-vips
class VIP-50
loadbalance vip inservice
loadbalance policy lb-lo

interface vlan 212
ip address
access-group input anyone
service-policy input remote-mgmt
service-policy input client-vips
no shutdown
interface vlan 412
description Servers vlan
ip address
no shutdown


The new thing on the commandline is, that the tab completition does work also for service-policies and class-maps.

The nice thing that juniper already has implemented it the checkpoint feature. It has nothing to do with checkpoint FW1, but its a nice and handy rollbacksystem in the case something went wrong or you want to rollback to an older configuration. It’s no longer necessary to reload the router, just say for example „checkpoint rollback config-name“ and the context will load the configuration and erase the previous one. No need to reload the router to clean up the previous configurations from RAM or running-config. The running-config is replaced completely by the checkpoint previously created. So you can easily go back to the last saved working configuration. Juniper is even more sophisticated, as you can configure on the system and later on say, that this you be implemented now.

Probably this will show up in future IOS versions too.


Nice comparison between the css, csm, ace


Leave a Reply