Converting a Cisco ACE configuration file to F5 BIG-IP Format

 

In September, Cisco announced that it was ceasing development and pulling back on sales of its Application Control Engine (ACE) load balancing modules.  Customers of Cisco’s ACE product line will now have to look for a replacement product to solve their load balancing and application delivery needs.

One of the first questions that will come up when a customer starts looking into replacement products surrounds the issue of upgradability.  Will the customer be able to import their current configuration into the new technology, or will they have to start with the new product from scratch?  For smaller businesses, starting over can be a refreshing way to clean up some of the things you’ve been meaning to but weren’t able to for one reason or another.  But, for a large majority of the users out there, starting over from nothing with a new product is a daunting task.

To help those users considering a move to the F5 universe, DevCentral has included several scripts to assist with the configuration migration process.  In our Codeshare section we created some scripts useful in converting ACE configurations into their respective F5 counterparts.

https://devcentral.f5.com/s/articles/cisco-ace-to-f5-big-ip
https://devcentral.f5.com/s/articles/Cisco-ACE-to-F5-Conversion-Python-3
https://devcentral.f5.com/s/articles/cisco-ace-to-f5-big-ip-via-tmsh

We also have scripts covering Cisco’s CSS (https://devcentral.f5.com/s/articles/cisco-css-to-f5-big-ip) and CSM (https://devcentral.f5.com/s/articles/cisco-csm-to-f5-big-ip) products.

In this article, I’m going to focus on the “ace2f5-tmsh” script in the ace2f5.zip script library.

The script takes as input an ACE configuration and creates a TMSH script to create the corresponding F5 BIG-IP objects.

 

ace2f5-tmsh.pl

$ perl ace2f5-tmsh.pl ace_config > tmsh_script

We could leave it at that, but I’ll use this article to discuss the components of the ACE configuration and how they map to F5 objects.

 

ip

The ip object in the ACE configuration is defined like this:

ip route 0.0.0.0 0.0.0.0 10.211.143.1

This equates to a tmsh “net route” command.

net route 0.0.0.0-0 { network 0.0.0.0/0 gw 10.211.143.1 }

 

rserver

An “rserver” is basically a node: it contains a server address and an optional “inservice” attribute indicating whether it’s active or not.

ACE Configuration

rserver host R190-JOEINC0060
  ip address 10.213.240.85
rserver host R191-JOEINC0061
  ip address 10.213.240.86
  inservice
rserver host R192-JOEINC0062
  ip address 10.213.240.88
  inservice
rserver host R193-JOEINC0063
  ip address 10.213.240.89
  inservice

The rserver definition will be used to find the IP address for a given rserver hostname.

 

serverfarm

A serverfarm is an LTM pool except that it doesn’t have a port assigned to it yet.

ACE Configuration

serverfarm host MySite-JoeInc
  predictor hash url
  rserver R190-JOEINC0060
    inservice
  rserver R191-JOEINC0061
    inservice
  rserver R192-JOEINC0062
    inservice
  rserver R193-JOEINC0063
    inservice

F5 Configuration

ltm pool Insiteqa-JoeInc {
     load-balancing-mode predictive-node
     members { 10.213.240.86:any { address 10.213.240.86 }}
     members { 10.213.240.88:any { address 10.213.240.88 }}
     members { 10.213.240.89:any { address 10.213.240.89 }}
}
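The rserver lookup and pool construction described above can be sketched as follows. This is an added example, not code from ace2f5-tmsh.pl: the names parse_ace and pool_tmsh are hypothetical, the input is a subset of the stanzas above, and it assumes (as the sample output above suggests) that an rserver lacking “inservice” at either level is left out of the pool. The predictor line is not handled.

```python
# Constructed sample: a subset of the article's rserver and serverfarm stanzas.
ACE_CONFIG = """\
rserver host R190-JOEINC0060
  ip address 10.213.240.85
rserver host R191-JOEINC0061
  ip address 10.213.240.86
  inservice
serverfarm host MySite-JoeInc
  rserver R190-JOEINC0060
    inservice
  rserver R191-JOEINC0061
    inservice
"""

def parse_ace(text):
    """Return (rservers, farms) from the indentation-nested ACE stanzas."""
    rservers, farms = {}, {}
    kind = cur = member = None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():  # top-level stanza header
            kind, cur, member = words[0], words[-1], None
            if kind == "rserver":
                rservers[cur] = {"ip": None, "inservice": False}
            elif kind == "serverfarm":
                farms[cur] = {}
        elif kind == "rserver" and words[:2] == ["ip", "address"]:
            rservers[cur]["ip"] = words[2]
        elif kind == "rserver" and words == ["inservice"]:
            rservers[cur]["inservice"] = True
        elif kind == "serverfarm" and words[0] == "rserver":
            member = words[1]
            farms[cur][member] = False
        elif kind == "serverfarm" and words == ["inservice"] and member:
            farms[cur][member] = True
    return rservers, farms

def pool_tmsh(farm, members, rservers):
    """Return (tmsh text, skipped) so servers left out of the pool are reported."""
    out, skipped = [f"ltm pool {farm} {{"], []
    for name, in_farm in members.items():
        rs = rservers.get(name, {})
        ip = rs.get("ip")
        if ip and rs["inservice"] and in_farm:
            out.append(f"    members {{ {ip}:any {{ address {ip} }}}}")
        else:
            skipped.append(name)
    return "\n".join(out + ["}"]), skipped
```

Reviewing the skipped list after a conversion shows which servers were out of service on the ACE, so none of them starts taking traffic on the BIG-IP unnoticed.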

 

probe

A “probe” is an LTM monitor except that it does not have a port.

ACE Configuration

probe tcp MySite-JoeInc
  interval 5
  faildetect 2
  passdetect interval 10
  passdetect count 2

This will map to the TMSH “ltm monitor” command.

F5 Configuration

ltm monitor Insiteqa-JoeInc {
    defaults from tcp
    interval 5
    timeout 10
    retry 2
}

 

sticky

The “sticky” object is a way to create a persistence profile.  First you tie the serverfarm to the persist profile, then you tie the profile to the Virtual Server.

ACE Configuration

sticky ip-netmask 255.255.255.255 address source MySite-JoeInc-sticky
  timeout 60
  replicate sticky
  serverfarm MySite-JoeInc

 

class-map

A “class-map” assigns a listener, that is, a Virtual IP address and port number, which is used for the clientside and serverside of the connection.

ACE Configuration

class-map match-any vip-MySite-JoeInc-12345
  2 match virtual-address 10.213.238.140 tcp eq 12345
class-map match-any vip-MySite-JoeInc-1433
  2 match virtual-address 10.213.238.140 tcp eq 1433
class-map match-any vip-MySite-JoeInc-31314
  2 match virtual-address 10.213.238.140 tcp eq 31314
class-map match-any vip-MySite-JoeInc-8080
  2 match virtual-address 10.213.238.140 tcp eq 8080
class-map match-any vip-MySite-JoeInc-http
  2 match virtual-address 10.213.238.140 tcp eq www
class-map match-any vip-MySite-JoeInc-https
  2 match virtual-address 10.213.238.140 tcp eq https

 

policy-map

A policy-map of type loadbalance simply ties the persistence profile to the Virtual Server.  The “multi-match” attribute constructs the virtual server by tying a bunch of objects together.

ACE Configuration

policy-map type loadbalance first-match vip-pol-MySite-JoeInc
  class class-default
    sticky-serverfarm MySite-JoeInc-sticky

policy-map multi-match lb-MySite-JoeInc
  class vip-MySite-JoeInc-http
    loadbalance vip inservice
    loadbalance policy vip-pol-MySite-JoeInc
    loadbalance vip icmp-reply
  class vip-MySite-JoeInc-https
    loadbalance vip inservice
    loadbalance vip icmp-reply
  class vip-MySite-JoeInc-12345
    loadbalance vip inservice
    loadbalance policy vip-pol-MySite-JoeInc
    loadbalance vip icmp-reply
  class vip-MySite-JoeInc-31314
    loadbalance vip inservice
    loadbalance policy vip-pol-MySite-JoeInc
    loadbalance vip icmp-reply
  class vip-MySite-JoeInc-1433
    loadbalance vip inservice
    loadbalance policy vip-pol-MySite-JoeInc
    loadbalance vip icmp-reply
  class reals
    nat dynamic 1 vlan 240
  class vip-MySite-JoeInc-8080
    loadbalance vip inservice
    loadbalance policy vip-pol-MySite-JoeInc
    loadbalance vip icmp-reply

F5 Configuration

ltm virtual vip-Insiteqa-JoeInc-12345 {
    destination 10.213.238.140:12345
    pool Insiteqa-JoeInc
    persist my_source_addr
    profiles {
        tcp {}
    }
}

ltm virtual vip-Insiteqa-JoeInc-1433 {
    destination 10.213.238.140:1433
    pool Insiteqa-JoeInc
    persist my_source_addr
    profiles {
        tcp {}
    }
}

ltm virtual vip-Insiteqa-JoeInc-31314 {
    destination 10.213.238.140:31314
    pool Insiteqa-JoeInc
    persist my_source_addr
    profiles {
        tcp {}
    }
}

ltm virtual vip-Insiteqa-JoeInc-8080 {
    destination 10.213.238.140:8080
    pool Insiteqa-JoeInc
    persist my_source_addr
    profiles {
        tcp {}
    }
}

ltm virtual vip-Insiteqa-JoeInc-http {
    destination 10.213.238.140:http
    pool Insiteqa-JoeInc
    persist my_source_addr
    profiles {
        tcp {}
        http {}
    }
}

ltm virtual vip-Insiteqa-JoeInc-https {
    destination 10.213.238.140:https
    profiles {
        tcp {}
    }
}

 

Conclusion

If you are considering migrating from Cisco’s ACE to F5, I’d suggest you take a look at the Cisco conversion scripts to assist with the conversion.

 

 

 

 

Published Dec 11, 2012
Version 1.0


6 Comments

  • Joad

    Hello, can I ask some questions?

     

    1. What is the f5 correspondence to "class class-default" in policy-map type loadbalance first-match configuration?
    2. ACE "nat dynamic" matches f5 SNAT automap feature?
    3. ACE "nat pool" matches f5 SNAT pool feature?

    Thank you in advance

     

  • No longer works with 12.x of the F5. Get no errors on the conversion, but when importing it fails because it cannot read the converted file correctly.

     

  • Tony Bencivenga I tested and everything was working on 12.1.2 in VE lab. But I have not tested it in production. Also Cisco scripts work like 60,70%. Some of the work has to be done manually.

     

  • The links in the third paragraph are broken, and I don't see anything referencing Cisco or ACE in the clouddocs suggested link on the 404 page. Anybody know where to find the script?

     

    And, BTW, it's "into ITS F5 counterpart" -- no apostrophe, because the use is possessive and not a contraction.