® ACE Application Control Engine Module for the Cisco Catalyst
® 6500 Series Switches and Cisco 7600 Series Routers represents the next-generation of application switches for increasing the availability, accelerating the performance, and enhancing the security of data center applications. The Cisco ACE Module allows enterprises and service providers to accomplish four primary IT objectives for application delivery:
• Increase application availability
• Accelerate application performance
• Secure the data center and critical business applications
• Facilitate data center consolidation through the use of fewer servers and load balancers
Cisco ACE Module Software Release 2.3.0 includes the following features, summarized in Table 1:
• New management and reporting capabilities
– Secure backup and restore of Cisco ACE Module files
– Enhanced Simple Network Management Protocol (SNMP) MIB support
– Bulk copy for SSL certificate and key files
– Granular reporting of HTTP URL hits on a virtual IP address1
– New syslog messages for Network Address Translation (NAT)1
• Scalability, load-balancing, and networking enhancements
– Enhanced scalability for global server load balancing (GSLB) with Cisco Global Site Selector (GSS) Software1
– Persistence rebalance for HTTP GET requests on the same TCP connection
– Support for secondary IP addresses on an interface VLAN
Table 1. New Features in Cisco ACE Module Software Release 2.3.0
Secure backup and restore of Cisco ACE Module files
The Cisco ACE Module can securely back up and restore the startup configuration, running configuration, checkpoints, license files, and SSL keys and certificate files across multiple virtual devices with a single command, both in administrator and user contexts. An option allows encryption of the backup archive to securely store the SSL keys and certificates.
Provides efficient and administrator-friendly user interface, especially in an environment with multiple contexts, freeing administrators to do more with reduced IT operating budgets
Enhanced SNMP MIB support
The Cisco ACE Module supports additional SNMP MIBs, leading to parity with the MIBs supported on the Cisco ACE 4710.
Enables centralized management of the load balancing infrastructure, improving agility in IT operations
Bulk copy command for SSL certificates and key pairs
The bulk copy command for SSL certificates and key pairs enables the import of multiple SSL certificates and key-pair files at the same time.
Increases productivity by reducing time needed to copy SSL files
Granular reporting of HTTP URL hits on a virtual IP address
The Layer 7 match HTTP URL statement hit count feature allows you to display the number of times that a connection is established (hit count) based on match HTTP URL statements for a class map in a Layer 7 HTTP policy map.
Provides reporting capability for multiple web applications under the same virtual IP address
Syslog reporting for NAT
New syslog messages track the NAT function.
Complies with regulations for service providers to log NAT maps
HTTP header insert for SSL information
The Cisco ACE Module can offload SSL processing from the real server in the web application server farm. In some cases, the web application still requires SSL-related information such as the SSL session parameters, SSL server certificate, and SSL client certificate. With this new feature, the information is provided to the web application through user-defined HTTP protocol headers that are inserted by the Cisco ACE Module during HTTP communication with the real server running the web application.
Efficiently uses expensive real server cycles to process application data and provide a secure single point of management for SSL server certificates on the Cisco ACE Module
HTTP redirect on client authentication failure
The Cisco ACE Module can redirect users in the event of failed client authentication, providing more information such as the reason for the client authentication failure and recommended next steps to restore access to the application.
Efficiently handles client authentication failures, reducing calls to application support and improving the user experience, while providing the benefits of SSL offload
LDAP-based CRL retrieval for SSL offload
The Cisco ACE Module can query the CRL distribution point (CDP) server using the LDAP protocol, both in SSL termination and end-to-end SSL deployment modes.
Enables transparent migration to Cisco ACE SSL offload for environments currently providing access to CDP servers using LDAP
CRL checking of SSL server certificates
The Cisco ACE Module can query the CDP server to verify that an SSL termination point's certificate has not been revoked.
Enables transparent migration to Cisco ACE SSL offload for environments currently verifying SSL server certificates using CRLs
Sample SSL key and certificate
The Cisco ACE Module software image has a sample SSL key and certificate pair to get the user started with SSL offload function testing and integration prior to requesting a third-party-generated SSL key and certificate pair for use in real-world production environments.
Facilitates demonstration and testing of the SSL offload feature
Enhanced scalability for GSLB with Cisco GSS
Cisco ACE Module integration with Cisco GSS now supports up to 4000 virtual IP addresses per Domain Name System (DNS) domain, which scales the Cisco ACE load-balancing solution for large enterprises and service providers.
Scales capacity for a GSLB solution with the Cisco ACE Module and Cisco GSS, leading to investment protection and reduced capital expenditures (CapEx)
Persistence rebalance for HTTP requests on the same TCP connection
The Cisco ACE Module can be configured to load balance each HTTP request on the same TCP connection from a client IP address.
Uniformly distributes HTTP traffic if a significant share of the HTTP requests are from the same client, leading to better resource utilization
Support for secondary IP addresses on an interface VLAN
The Cisco ACE Module supports secondary IP addresses on an interface VLAN in addition to the primary IP address.
Enables transparent migration from load-balancing products that support secondary IP addresses on a VLAN
Table 2 lists the system requirements for the Cisco ACE Module.
Table 2. Cisco Catalyst 6500 and Cisco 7600 Series System Requirements for Cisco ACE Module
All Cisco Catalyst 6500 Series and Cisco 7600 Series chassis
• Cisco Catalyst 6500 Series Supervisor Engine 720 and Virtual Switching Supervisor Engine 720 with 10GE Uplinks
• Cisco 7600 Series Supervisor Engine 720 with Multilayer Switch Feature Card and Route Switch Processor 720 with Multilayer Switch Feature Card
• Cisco Catalyst 6500 Series running Cisco IOS® Software Release 12.2(18)SXF4 or later for Supervisor Engine 720, and Release 12.2(33)SXH or later for Supervisor Engine 720 with 10GE
• Cisco 7600 Series running Cisco IOS Software Release 12.2(18)SXF4 or later and Release 12.2(33)SRB or later for Supervisor Engine 720, and 12.2(33)SRC or later for Route Switch Processor 720
Functions as a fabric-enabled line card
Occupies 1 slot in the chassis
Table 3 provides ordering information for the Cisco ACE Module.
Table 3. Ordering Information
Cisco ACE20 6509E SUP720-10G Bundle with 8Gbps Throughput License
Cisco ACE20 6509 Bundle with 8 Gbps Throughput License
Cisco ACE20 6504 Bundle with 4 Gbps Throughput License
Cisco ACE10 6509 Bundle with 8 Gbps Throughput License
Cisco ACE10 6504 Bundle with 4 Gbps Throughput License
Cisco ACE20 Service Module for Cisco Catalyst 6500 Series and Cisco 7600 Series: Includes 1000 SSL TPS and 5 Virtual Devices
Cisco ACE20 Service Module for Cisco Catalyst 6500 Series and Cisco 7600 Series: Includes 1000 SSL TPS and 5 Virtual Devices (spare)
Cisco ACE10 Service Module for Cisco Catalyst 6500 Series and Cisco 7600 Series, Includes 1000 SSL TPS and 5 Virtual Devices
Cisco ACE10 Service Module for Cisco Catalyst 6500 Series and Cisco 7600 Series, Includes 1000 SSL TPS and 5 Virtual Devices (spare)
16Gbps Throughput License for Cisco ACE20
8-Gbps Throughput License for Cisco ACE 10 and Cisco ACE20
4-Gbps Throughput License for Cisco ACE10 and Cisco ACE20
Upgrade License from 8 Gbps to 16 Gbps for Cisco ACE20
Upgrade License from 4 Gbps to 8 Gbps for Cisco ACE10 and Cisco ACE20
15,000 SSL Transactions per Second License for Cisco ACE10 and Cisco ACE20
10,000 SSL Transactions per Second License for Cisco ACE10 and Cisco ACE20
5,000 SSL Transactions per Second License for Cisco ACE10 and Cisco ACE20
Upgrade license from 10,000 to 15,000 SSL Transactions per Second License for Cisco ACE10 and Cisco ACE20
Upgrade license from 5,000 to 10,000 SSL Transactions per Second License for Cisco ACE10 and Cisco ACE20
250 Virtual Contexts License for Cisco ACE10 and Cisco ACE20
100 Virtual Contexts License for Cisco ACE10 and Cisco ACE20
50 Virtual Contexts License for Cisco ACE10 and Cisco ACE20
20 Virtual Contexts License for Cisco ACE10 and Cisco ACE20
Upgrade License from 100 to 250 Virtual Contexts for Cisco ACE10 and Cisco ACE20
Upgrade License from 50 to 100 Virtual Contexts for Cisco ACE10 and Cisco ACE20
Upgrade License from 20 to 50 Virtual Contexts for Cisco ACE10 and Cisco ACE20
** Cisco ACE bundles do not include I/O modules so that customers can order the I/O modules of their choice.