RE: [load balancing] SLB - SSL Accelerator - Web I/O Accelerator evaluation

From: Pete Tenereillo (
Date: Tue Nov 25 2003 - 15:30:36 EST

  • Next message: David Royer: "RE: [load balancing] looking for low cost (inexpensive) commercialLB"



    Just sitting back looking at the list of replies from vendors makes me feel
    relieved I'm not a consumer looking to buy one of these. All of the
    performance numbers look good on paper, and as you've discovered,
    performance tests often conflict, even tests from the same "independent"
    testers. The laundry list of features is about the same too, and for any
    given product if feature xyz isn't there now it's probably promised in the
    next release.


    My $.02 is a) pick a vendor you feel will be not only in business, but in
    this business, for a while and b) "test". For whatever product you do
    choose, make sure you test it yourself (don't let the vendor drive the test,
    that's the oldest trick in the book - you configure it, you do the test), on
    your network, with the actual applications you will use (not test
    applications), and live traffic (not a bit blaster). If you do this, very
    carefully, and also try to incorporate tests that reflect what you believe
    your future plans will entail, and if it works for you, who cares what other
    products have to offer - you will be done. What you read in marketing sheets
    or the fact that another customer site uses it won't help you. There are
    many very real and current cases where a product does indeed have an
    advertised feature, but also has major restrictions on the way it must be
    used (i.e. the intersection of 3 sets: features in a product, combinations
    of features that can be used together within that given product, and
    features that can be used on your network with your applications, may be the
    "null set"). The fact that you plan to use features like SSL offload and TCP
    offload (and no doubt L7) only exacerbates this issue - i.e. it puts you in
    the "high-risk" category.


    Vendors would obviously like you to believe that life is just not that
    complicated and that their product works fine everywhere. Even if it was
    true that, say, only 5% of customers hit a certain problem, you might be in
    that unlucky 5%! The fact is that much of these companies's engineering time
    is spent implementing features/workarounds to real customer problems. If you
    don't believe that - there's an example in this very thread that might
    convince you - F5 has a more advanced way of dealing with TCP offload and
    client IP addresses than one of the smaller vendors. Why? That feature
    wasn't likely the result of some guy scratching his chin and coming up with
    a bright idea, but rather a real solution to a real problem, one that a
    customer reported, i.e. an engineer heard the problem and came up with a
    solution (which is why it's good to go with products that have a big
    installed base - that way you are less likely to be the first to find a
    problem). Now, after years of similar problems and feature additions to
    products, the real differences in architectures and approaches come out.
    Some products have diverged into a total mess, while others have elegantly
    matured. (Unfortunately for me, F5 is one of the few SLBs I've never
    personally had the opportunity to test, so I can't speak as to the usability
    or design of that system).


    As far as one box vs two box - The "one box" solutions in most cases are not
    materially different than the two, i.e. it's the same code (or even the same
    hardware) from the same vendor, just a repackaged module or a PC or a switch
    on a blade that happens to be stuffed into a code load or chassis with some
    other product. The main advantage is that it saves footprint, and maybe some
    power and heat. (But as another post mentions, you lose some flexibility).


    I've dealt with plenty of frustrated customers (even up to the last few
    months) who were shocked and in disbelief that a widely publicized feature
    on a widely deployed product could not be made to work for them (some
    because of a weird and wonderful way that customer needed to use it, and
    some because the feature just plain doesn't work, hasn't for years, and
    no-one noticed). I'd say "good luck" but I hope you can take "luck" out of
    your decision by testing. Whatever time you invest now in evaluations might
    be a small % of the time you spend trying to correct a bad choice.






    From: [] On Behalf Of T Do
    Sent: Monday, November 24, 2003 9:02 AM
    To: LB-Group Newsgroup
    Subject: RE: [load balancing] SLB - SSL Accelerator - Web I/O Accelerator


    Just want to be fair, below is the link to the test on the cisco CSS/CSM



    Interesting though, it is from the same company that tested the F5 products.
    (On my previous post)


    T Do <> wrote:

    Hi All,

    I'm currently looking for a SLB / SSL Accelerator with perhaps some Web I/O
    acceleration. I have gathered information from different vendors products:

    1. F5 - BigIP 5100/2400

    2. Redlines

    3. Ingrian I220

    4. Cisco CSS1150x with SSL Accelerator module


    Based on the information obtained from this forum, it seems that:

    1. There is a huge F5 and Alteon user based.

    2. F5 is an exelent SLB /SSL Accelerator

    3. Cisco CSS seems to be out there but it does not stand out in the crowd


    Following is my impression on different vendor's products:

    1. F5: Excellent SLB. Flexible in deployement due many configuration
    options available. No Modular expansion (SSL, Interface)

    2. Redlines: Good overall since it provides Web I/O acceleration, SSL
    Acceleration and some SLB capabilities.

    3. Ingrian: Some SLB capabilities, excellent in providing SSL
    Acceleration, Cookie protection and back end database encryption. It also
    provides an option to do Compression and caching of HTML traffic.

    4. Cisco CSS: Modular design with SSL Accelerator module (800TPS/mod),
    Interface Module (2G, 16E or 8E port), session acceleration module. It also
    supports session state failover. Good SLB.


    The cisco CSS seems to be a good fit where expandability is important.
    However, I have read a report from F5 in which, cisco CSS seems not to
    perform as well comparing to other products. Well, this may be biased in
    some way though.


    Any information on the above vendors (especially F5 and Cisco CSS) would be
    greately appreciated.

    Thanks in advance






    Do you Yahoo!?
    Free <*http:/>
    Pop-Up Blocker - Get it now


    Do you Yahoo!?
    Free <*http:/>
    Pop-Up Blocker - Get it now

    The Load Balancing Mailing List
    MRTG with SLB:
    Hosted by:

    This archive was generated by hypermail 2.1.4 : Tue Nov 25 2003 - 15:48:37 EST