
ReplACE Cisco ACE with Stingray Traffic Manager

© 2012 Riverbed Technology. All rights reserved.

Contents

Are you shifting to a virtual data center, private/public/hybrid cloud?
Optimize, secure, and accelerate performance with Stingray products
Stingray Traffic Manager and Cisco ACE functional comparison
Cisco ACE performance figures
Deployment
  Cisco ACE
  Stingray Traffic Manager
Benefits provided by Stingray (not available with Cisco ACE)
Implementing Cisco ACE features with Stingray products
Features not available in Stingray
Stingray Traffic Manager Features: Examples and Applications
Conclusion
About Riverbed


Are you shifting to a virtual data center, private/public/hybrid cloud?

Recently, Cisco announced that they are deprioritizing Cisco ACE, often a prelude to eliminating development on a product line. As a result, many customers want to know what the next step is for their application delivery controller (ADC) strategy. ACE customers who are shifting to virtual data centers, private clouds, public clouds, and even hybrid clouds know they need an ADC that can easily map to these deployment models. Riverbed® Stingray™ is a family of software and virtual ADCs that provide this capability. While not a one-to-one feature match for Cisco ACE, Stingray provides the right features, and oftentimes more features than ACE. This document provides a high-level feature comparison of Riverbed® Stingray™ Traffic Manager software vs. Cisco ACE. You will get enough information to determine if Stingray is right for your environment.

Optimize, secure, and accelerate performance with Stingray products

While many developers and operations teams limit their focus to a basic load balancer, Stingray product customers quickly learn that they can get all the benefits of a load balancer and much more with an ADC. The Stingray product family includes three core components to optimize, secure, and accelerate performance of online applications:

• Stingray Traffic Manager software: full-featured software ADC that delivers a faster user experience. It increases server efficiency by up to 3x and boosts the throughput of application servers by up to 50 percent, while at the same time reducing response times through dynamic caching, and both local and global load balancing.

• Stingray Aptimizer: industry-leading web content optimization platform that accelerates web application load times by up to 4x, driving more web transactions, productivity, and user satisfaction.

• Stingray Application Firewall: sophisticated application firewall that delivers deep application security.


Stingray Traffic Manager and Cisco ACE functional comparison

| Feature | Stingray Traffic Manager | Cisco ACE |
|---|---|---|
| Mode of operation | Full Proxy | NAT, Full Proxy |
| Basic Load Balancing | Yes | Yes |
| Basic Session Persistence | Yes | Yes |
| Basic health monitoring | Yes | Yes |
| Fault Tolerance | Up to 64 that can be clustered | 2 modules which support only HA |
| SSL acceleration | Yes | Yes |
| HTTP optimizations (Keepalives) | Yes | Only when Layer 7 switching is enabled |
| HTTP Compression | Yes | Yes |
| SSL offload | Yes | Yes |
| Content Compression | Yes | Yes |
| Advanced health monitors | Yes | Yes |
| Scriptable health monitors | Yes | Limited to just minimal TCL scripting |
| Content Caching | Yes | Limited |
| Web Content Optimization | Yes with Aptimizer | No |
| Rate shaping | Yes | No |
| Service Level Monitoring | Yes | No |
| Bandwidth Shaping* | Yes | Limited to Server Side only |
| Integrated XML processing* | Yes | No |
| Integrated Web Firewalling* | Yes | No |
| Embedded Rules Language | Yes | No |
| Full request inspection / rewriting | Yes | Limited |
| Full response inspection / rewriting | Yes | Limited |
| General-purpose rules language | Yes (Java) | No |
| Virtualization | Yes | No (limited to virtual context on the hardware device. No Virtual Appliance for VMware, KVM, XEN) |
| Web, CLI and API interfaces | Yes | Devices don't support API |
| GSLB and SLB integration on Single Platform | Yes | No |
| Layer 2-3 ACLs | Yes with Service Protection class and IPTables | Yes |
| Auto Config Sync in HA | Yes | Yes |
| Consolidated Historical graphing/Reporting | Yes | Yes |
| Stateful HA | No | Only for Layer 4 Traffic |
| Full NAT control | Yes | Yes |
| Bridged, Routed and One Arm Deployment modes | Supports One Armed and Routed Deployment Modes | Yes |
| Direct Server Return support | No | Yes |
| Enterprise Manager for Devices | Multi-Site Manager included with STM 1000,2000,4000 | Yes |
| Transparent services LB support | No | Yes |
| Radius LB support | No | Yes |
| MAC-Sticky support | No | Yes |
| Reverse-IP sticky support | No | Yes |
| RBAC | Limited | Yes |


Cisco ACE performance figures

The following table lists the performance numbers of Cisco ACE, based on the published datasheet:

| Feature | ACE4710 | ACE30 Module |
|---|---|---|
| Throughput | 4 Gbps | 16 Gbps |
| Compression | 2 Gbps | 6 Gbps |
| SSL throughput | 1 Gbps | 6 Gbps |
| SSL TPS | 7500 SSL TPS using 1024-bit keys | 30,000 SSL TPS using 1024-bit keys |

Deployment

Cisco ACE

Available as a service module for Catalyst 6500 switches and 7600 routers and as a standalone ACE 4710 appliance, Cisco ACE can be deployed in bridged, routed or one-armed mode for enterprise customers and service providers, depending on architecture requirements.

Stingray Traffic Manager

By contrast, Stingray Traffic Manager software operates in full-proxy mode: network deployments can be either one-armed mode or routed mode. However, Stingray Traffic Manager may not be suitable when enterprises are running many transparent services, or for deployments where the network needs to be bridged or routed while load balancing in transparent mode. Your Riverbed Stingray Sales Specialist may be able to advise on specific implementations and deployments. Stingray Traffic Manager software runs without modification on Linux and Solaris operating systems and may be ported with relative ease to other Unix-like platforms. Stingray Traffic Manager ships as a variety of Virtual Appliances for VMware, Xen, Oracle, and Microsoft [1] hypervisors, or may simply be run as software.

[1] Microsoft HyperV support in beta


Benefits provided by Stingray (not available with Cisco ACE)

• TrafficScript Rules Language:
  o Unlimited content inspection depth for all TCP/UDP protocols, including high-level protocol-specific functions for XML/XPath, HTTP, SIP, and RTSP
  o Analyze and rewrite entire client requests and server responses
  o Base traffic management decisions on any part of the request and response content
  o Create location-sensitive traffic management policies
  o Forward proxy mode allows inspection, manipulation, and routing of outbound traffic to arbitrary destinations

• Java Extensions:
  o Full traffic control / manipulation using Java Extensions written to “Servlet” specification
  o High-performance integration with the Stingray traffic management kernel
  o Allows for use of any Java class libraries, e.g. database access, XML processing, document watermarking

• Advanced Health Monitoring:
  o Predefined and customizable active application health monitors; supports custom monitors in any executable format
  o Powerful, customizable actions (including SNMP, email, SYSLOG, SOAP, and custom executable) in the event of a node failure or other event
  o Monitor the health and status of traffic managers, servers, and application dependencies

• Advanced Session Persistence:
  o Application-specific session persistence methods: JSESSIONID and ASP/ASP.NET
  o Persistence based on any parameter or value in the request
  o Automatic session detection dynamically sets up cluster-aware persistence
  o Resilient session replication across a TrafficCluster

• Connection control:
  o Connection draining removes nodes from server pools non-disruptively

• Bandwidth Shaping:
  o Active, real-time bandwidth management, applied per service, per connection group or per individual connection
  o Apply bandwidth classes intelligently using TrafficScript
  o Bandwidth usage information coordinated across a cluster of Stingray Traffic Managers

• Request Rate Shaping:
  o Define maximum limits on events, e.g. requests of particular type, globally or per user
  o Protect application infrastructure from being overwhelmed with requests
  o Enforce differentiated levels of service per user or per class of users
  o Prevent individual malicious or greedy clients from impacting shared services

• Service Level Monitoring:
  o Set service level performance thresholds on a per-service/per-URL/per-customer basis
  o Alerting/logging/remedial actions if performance falls outside of service level limits
  o Differentiated traffic management policies based on service performance

• Web Content Optimization (Aptimizer):
  o Improve web performance for high traffic public-facing web pages, corporate websites, e-commerce sites, business productivity tools, and custom applications by using File Merging capabilities (merge JavaScript, style sheets, image spriting, background image in-lining)
  o Reduce bandwidth and data-traffic costs (dynamic gzip/deflate)
  o Reduce costs of alternative approaches by offloading developers from having to do optimizations manually (dynamic page caching, auto URL versioning, dynamic page layout)
  o Support for mobile browsers on Android, iOS, Blackberry, and Windows Mobile

• Web Application Firewall:
  o Full web application firewall providing security to PCI DSS standards
  o Simultaneous protection (active) and detection (passive) modes
  o Wizards for easy configuration; expert mode for fine-tuning of policies and rule sets

• Stingray Traffic Manager software provides XML processing capabilities in TrafficScript:
  o Use of XPath for parsing XML documents to extract specific data from the XML document, which can then be used to make routing decisions on the traffic.
  o Validation of an XML document against a DTD or XML schema.
  o Perform XSLT transformations on XML document and content.


Implementing Cisco ACE features with Stingray products

The following Cisco ACE capabilities can be implemented using a combination of features available from Stingray products.

IP/protocol-based ACLs (access control lists)

ACLs (Access Control Lists) are used in the ACE product to filter (allow/deny) traffic based on Layer 2 (EtherType) or Layer 3/4 (Extended) packet information. ACLs are less useful when load-balancing in Full Proxy mode (either with ACE or with Stingray Traffic Manager). This is because ‘full proxy’ mode is typically configured in a ‘deny all’ mode (all incoming traffic is ignored), then a proxy is explicitly configured for a particular IP/port/protocol combination. Where this functionality is required in a Stingray Traffic Manager software environment, it is achieved:

a) using Service Protection Policy
b) using iptables/netfilter or similar capability in the underlying OS
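One way to carry existing ACE extended ACL entries over to option (b), as an added example that is not part of the original paper or of any Riverbed tooling: the script translates a few constructed ACE-style entries into `iptables` commands, keeping their order and ending with the explicit equivalent of the ACL's implicit deny. The ACL name, the addresses, the `ACE-ACL` chain name and the simplified entry grammar (`any`, `host`, or address plus netmask, with an optional numeric `eq` port) are assumptions.

```python
# Added illustration: builds iptables command strings only, never runs them.
import ipaddress
# Constructed sample ACL (documentation address ranges), not from the paper.
SAMPLE_ACL = """\
access-list WEB line 10 extended deny tcp host 203.0.113.7 host 192.0.2.10 eq 443
access-list WEB line 20 extended permit tcp any host 192.0.2.10 eq 443
access-list WEB line 30 extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq 22
"""
CHAIN = "ACE-ACL"  # hypothetical chain name
ACTIONS = {"permit": "ACCEPT", "deny": "DROP"}


def _take_address(tokens):
    """Consume one address spec; return CIDR text, or None for 'any'."""
    word = tokens.pop(0)
    if word == "any":
        return None
    if word == "host":
        return f"{ipaddress.IPv4Address(tokens.pop(0))}/32"
    # "<address> <netmask>": raises ValueError if host bits are set.
    return str(ipaddress.IPv4Network(f"{word}/{tokens.pop(0)}"))


def parse_entry(line):
    """Parse one entry of the assumed grammar; refuse anything else."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or "extended" not in tokens:
        raise ValueError(f"not an extended ACL entry: {line!r}")
    tokens = tokens[tokens.index("extended") + 1:]
    try:
        action, proto = tokens.pop(0), tokens.pop(0)
        if action not in ACTIONS or proto not in ("tcp", "udp", "icmp", "ip"):
            raise ValueError(f"unknown action or protocol: {line!r}")
        src, dst = _take_address(tokens), _take_address(tokens)
    except IndexError:
        raise ValueError(f"truncated entry: {line!r}") from None
    port = None
    if tokens:
        # Only "eq <number>" on TCP/UDP is translated; anything else is refused.
        if (len(tokens) != 2 or tokens[0] != "eq" or proto not in ("tcp", "udp")
                or not tokens[1].isdigit() or not 1 <= int(tokens[1]) <= 65535):
            raise ValueError(f"unsupported port match: {line!r}")
        port = int(tokens[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def to_iptables(entry):
    args = ["iptables", "-A", CHAIN]
    if entry["proto"] != "ip":  # "ip" matches every protocol
        args += ["-p", entry["proto"]]
    for flag, key in (("-s", "src"), ("-d", "dst")):
        if entry[key]:
            args += [flag, entry[key]]
    if entry["port"] is not None:
        args += ["--dport", str(entry["port"])]
    return " ".join(args + ["-j", ACTIONS[entry["action"]]])


def translate(acl_text):
    """Preamble, entries in their original order, then the implicit deny."""
    body = [to_iptables(parse_entry(ln)) for ln in acl_text.splitlines() if ln.strip()]
    return [
        f"iptables -N {CHAIN}",
        f"iptables -A {CHAIN} -i lo -j ACCEPT",
        # Replies to the proxy's own back-end connections arrive on INPUT.
        f"iptables -A {CHAIN} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        *body,
        f"iptables -A {CHAIN} -j DROP",
        f"iptables -A INPUT -j {CHAIN}",
    ]


if __name__ == "__main__":
    print("\n".join(translate(SAMPLE_ACL)))
```

Review the generated commands before loading them: the final DROP also blocks new connections to the administration interface unless a permit entry covers it.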

NAT methods

ACE supports several NAT methods: interface-based dynamic NAT, interface-based dynamic PAT, server farm-based dynamic NAT, static NAT, static port redirection. These methods are necessary to tune how NAT-based load balancing methods function. Full-proxy load balancing does not require NAT support by virtue of its mode of operation. Where required, Stingray Traffic Manager software supports two additional NAT capabilities:

• IP Transparency: Stingray Traffic Manager software can spoof the source IP address when connecting to a server, making server-side connection appear to originate from the client. This is a useful capability when the server performs logging or access control based on the client source IP address;

• Interface NAT: Stingray Traffic Manager Virtual Appliance can be configured to route traffic between networks and apply SNAT on nominated interfaces. This is a useful capability when back-end servers on private networks need to route to an external, public network.

Other NAT capabilities may be achieved by configuration of the underlying OS that the Stingray Traffic Manager software runs on, but this is rarely necessary in practice.


Virtual contexts

Cisco ACE has the capability to fully virtualize load-balancing services within an ACE Service Module or Appliance (up to 250 virtual contexts in a service module, up to 20 contexts in an appliance). In addition, role-based access control can be configured separately within each virtualized context. Stingray Traffic Manager software can be virtualized in a similar manner using a hypervisor such as VMware, with minimal performance impact compared to running the software natively. This delivers virtualization, sandboxing, resource control, and RBAC. Stingray Traffic Manager software supports additional RBAC. Users are authorized against either an internal database or an external LDAP/TACACS+/RADIUS database and given permissions that define the actions (none/read/write) the user can perform to a high degree of granularity.

Features not available in Stingray

RADIUS Load Balancing

Cisco ACE has a set of load balancing capabilities to support the RADIUS protocol, which includes RADIUS AV pair based persistence. This feature is very critical in Mobile SP deployments where AAA traffic to WAP gateways and billing sub-systems needs to be load balanced and persisted. Stingray Traffic Manager software currently does not support RADIUS load balancing and advanced persistence of RADIUS traffic based on RADIUS AV pair.

Asymmetric Server Normalization (a.k.a. Direct Server Return)

Cisco ACE supports Direct Server Return/Asymmetric Server Normalization modes. This feature is used predominantly when large data needs to be transferred to clients without the Cisco ACE device being the bottleneck for throughput. Stingray Traffic Manager software does not support Direct Server Return mode, but your Riverbed Stingray Sales Specialist may be able to advise on specific implementations and deployments.


Stingray Traffic Manager Features: Examples and Applications

Stingray Traffic Manager software’s advanced traffic management features, customized by TrafficScript and Java Extensions, allow an application developer or administrator to construct complex traffic management policies that address deficiencies in the application or add further capabilities to the application. Examples and applications include:

• Content Modification: rewrite errors in responses, add dynamic information (page load times, meta tags, geographic information), enable additional functionality (Google Analytics and other tracking applications), embed information from other data sources (e.g. RSS feeds), watermark content (images, PDF documents), and switch users to low-bandwidth versions of a service.

• Rate Shaping: mitigate the impact of web spiders, apply rate limits dynamically when services slow down and apply rate limits to users who visit from high-traffic referral sites.

• Fixing Application Problems: mask and work around errors such as 404 Not Found / 503 Too Busy, send custom error pages, or offload an entire web site onto the traffic manager.

• Address Security Problems: mitigate recent attacks directed at BIND and IIS, filter out bad requests, authenticate users, rate-shape denial-of-service attacks, prevent over-usage of usernames and passwords, and filter out undesired content in responses (e.g. social security numbers).

• Control of Traffic Management functionality: fine-grained and adaptive control of content caching, selective bandwidth management, detailed session persistence and full control of SNAT (IP address spoofing).

Conclusion

Moving to Stingray, as reported by Cisco ACE customers, simultaneously helped them deliver a better application experience while cutting costs and simplifying ADC deployment. Stingray fulfills the most important ADC requirements and provides significant advantages around application integration, advanced functionality, and ease of deployment in virtualized environments. Stingray can scale, speed up, and secure your application traffic, and help businesses:

• Accelerate applications and help maximize application performance and capacity to ultimately enhance end-user experience and boost return on infrastructure investment

• Improve the reliability and availability of applications and help organizations scale and deliver services easily and more cost-effectively

• Provide tools that help IT control and secure network traffic, and filter and scrub application requests and responses better

• Help organizations manage their application delivery infrastructure, simplifying application maintenance, upgrades, and migration processes, and enable you to deliver adaptable and agile services faster and more reliably

If you would like more information on migrating from ACE to Stingray, contact Riverbed now to find out about our special incentives to help you make the switch.


About Riverbed

Riverbed delivers performance for the globally connected enterprise. With Riverbed, enterprises can successfully and intelligently implement strategic initiatives such as virtualization, consolidation, cloud computing, and disaster recovery without fear of compromising performance. By giving enterprises the platform they need to understand, optimize and consolidate their IT, Riverbed helps enterprises to build a fast, fluid and dynamic IT architecture that aligns with the business needs of the organization. Additional information about Riverbed (NASDAQ: RVBD) is available at www.riverbed.com.

© 2012 Riverbed Technology. All rights reserved. Riverbed®, Cloud Steelhead®, Granite™, Interceptor®, RiOS®, Steelhead®, Think Fast®, Virtual Steelhead®, Whitewater®, Mazu®, Cascade®, Cascade Pilot™, Shark®, AirPcap®, SkipWare®, TurboCap®, WinPcap®, Wireshark®, and Stingray™ are trademarks or registered trademarks of Riverbed Technology, Inc. in the United States and other countries. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed Technology or their respective owners. Akamai® and the Akamai wave logo are registered trademarks of Akamai Technologies, Inc. SureRoute is a service mark of Akamai. Apple and Mac are registered trademarks of Apple, Incorporated in the United States and in other countries. Cisco is a registered trademark of Cisco Systems, Inc. and its affiliates in the United States and in other countries. EMC, Symmetrix, and SRDF are registered trademarks of EMC Corporation and its affiliates in the United States and in other countries. IBM, iSeries, and AS/400 are registered trademarks of IBM Corporation and its affiliates in the United States and in other countries. Linux is a trademark of Linus Torvalds in the United States and in other countries. Microsoft, Windows, Vista, Outlook, and Internet Explorer are trademarks or registered trademarks of Microsoft Corporation in the United States and in other countries. Oracle and JInitiator are trademarks or registered trademarks of Oracle Corporation in the United States and in other countries. UNIX is a registered trademark in the United States and in other countries, exclusively licensed through X/Open Company, Ltd. VMware, ESX, ESXi are trademarks or registered trademarks of VMware, Incorporated in the United States and in other countries.

Riverbed Technology, Inc. 199 Fremont Street San Francisco, CA 94105 Tel: (415) 247-8800 www.riverbed.com

Riverbed Technology Ltd. One Thames Valley Wokingham Road, Level 2 Bracknell. RG42 1NG United Kingdom Tel: +44 1344 31 7100

Riverbed Technology Pte. Ltd. 391A Orchard Road #22-06/10 Ngee Ann City Tower A Singapore 238873 Tel: +65 6508-7400

Riverbed Technology K.K. Shiba-Koen Plaza Building 9F 3-6-9, Shiba, Minato-ku Tokyo, Japan 105-0014 Tel: +81 3 5419 1990