Converting a Cisco ACE configuration file to F5 BIG-IP Format
In September, Cisco announced that it was ceasing development and pulling back on sales of its Application Control Engine (ACE) load balancing modules. Customers of Cisco’s ACE product line will now have to look for a replacement product to solve their load balancing and application delivery needs.
One of the first questions that will come up when a customer starts looking into replacement products surrounds the issue of upgradability. Will the customer be able to import their current configuration into the new technology or will they have to start with the new product from scratch? For smaller businesses, starting over can be a refreshing way to clean up some of the things you’ve been meaning to but weren’t able to for one reason or another. But, for a large majority of the users out there, starting over from nothing with a new product is a daunting task.
To help those users considering a move to the F5 universe, DevCentral has included several scripts to assist with the configuration migration process. In our Codeshare section we created some scripts useful in converting ACE configurations into their respective F5 counterparts.
https://devcentral.f5.com/s/articles/cisco-ace-to-f5-big-ip
https://devcentral.f5.com/s/articles/Cisco-ACE-to-F5-Conversion-Python-3
https://devcentral.f5.com/s/articles/cisco-ace-to-f5-big-ip-via-tmsh
We also have scripts covering Cisco’s CSS (https://devcentral.f5.com/s/articles/cisco-css-to-f5-big-ip ) and CSM products (https://devcentral.f5.com/s/articles/cisco-csm-to-f5-big-ip ) as well.
In this article, I’m going to focus on the “ace2f5-tmsh” script in the ace2f5.zip script library.
The script takes as input an ACE configuration and creates a TMSH script to create the corresponding F5 BIG-IP objects.
ace2f5-tmsh.pl
$ perl ace2f5-tmsh.pl ace_config > tmsh_script
We could leave it at that, but I’ll use this article to discuss the components of the ACE configuration and how they map to F5 objects.
ip
The ip object in the ACE configuration is defined like this:
ip route 0.0.0.0 0.0.0.0 10.211.143.1
This equates to a tmsh “net route” command:
net route 0.0.0.0-0 { network 0.0.0.0/0 gw 10.211.143.1 }
rserver
An “rserver” is basically a node containing a server address including an optional “inservice” attribute indicating whether it’s active or not.
ACE Configuration
rserver host R190-JOEINC0060
  ip address 10.213.240.85
rserver host R191-JOEINC0061
  ip address 10.213.240.86
  inservice
rserver host R192-JOEINC0062
  ip address 10.213.240.88
  inservice
rserver host R193-JOEINC0063
  ip address 10.213.240.89
  inservice
The rserver list will be used to find the IP address for a given rserver hostname.
serverfarm
A serverfarm is an LTM pool except that it doesn’t have a port assigned to it yet.
ACE Configuration
serverfarm host MySite-JoeInc
  predictor hash url
  rserver R190-JOEINC0060
    inservice
  rserver R191-JOEINC0061
    inservice
  rserver R192-JOEINC0062
    inservice
  rserver R193-JOEINC0063
    inservice
F5 Configuration
ltm pool Insiteqa-JoeInc {
    load-balancing-mode predictive-node
    members { 10.213.240.86:any { address 10.213.240.86 }}
    members { 10.213.240.88:any { address 10.213.240.88 }}
    members { 10.213.240.89:any { address 10.213.240.89 }}
}
probe
A “probe” is an LTM monitor except that it does not have a port.
ACE Configuration
probe tcp MySite-JoeInc
  interval 5
  faildetect 2
  passdetect interval 10
  passdetect count 2
This will map to the TMSH “ltm monitor” command.
F5 Configuration
ltm monitor Insiteqa-JoeInc {
    defaults from tcp
    interval 5
    timeout 10
    retry 2
}
sticky
The “sticky” object is a way to create a persistence profile. First you tie the serverfarm to the persist profile, then you tie the profile to the Virtual Server.
ACE Configuration
sticky ip-netmask 255.255.255.255 address source MySite-JoeInc-sticky
  timeout 60
  replicate sticky
  serverfarm MySite-JoeInc
class-map
A “class-map” assigns a listener, or Virtual IP address and port number which is used for the clientside and serverside of the connection.
ACE Configuration
class-map match-any vip-MySite-JoeInc-12345
  2 match virtual-address 10.213.238.140 tcp eq 12345
class-map match-any vip-MySite-JoeInc-1433
  2 match virtual-address 10.213.238.140 tcp eq 1433
class-map match-any vip-MySite-JoeInc-31314
  2 match virtual-address 10.213.238.140 tcp eq 31314
class-map match-any vip-MySite-JoeInc-8080
  2 match virtual-address 10.213.238.140 tcp eq 8080
class-map match-any vip-MySite-JoeInc-http
  2 match virtual-address 10.213.238.140 tcp eq www
class-map match-any vip-MySite-JoeInc-https
  2 match virtual-address 10.213.238.140 tcp eq https
policy-map
A policy-map of type loadbalance simply ties the persistence profile to the Virtual. The “multi-match” attribute constructs the virtual server by tying a bunch of objects together.
ACE Configuration
policy-map type loadbalance first-match vip-pol-MySite-JoeInc
  class class-default
    sticky-serverfarm MySite-JoeInc-sticky
policy-map multi-match lb-MySite-JoeInc
  class vip-MySite-JoeInc-http
    loadbalance vip inservice
    loadbalance policy vip-pol-MySite-JoeInc
    loadbalance vip icmp-reply
  class vip-MySite-JoeInc-https
    loadbalance vip inservice
    loadbalance vip icmp-reply
  class vip-MySite-JoeInc-12345
    loadbalance vip inservice
    loadbalance policy vip-pol-MySite-JoeInc
    loadbalance vip icmp-reply
  class vip-MySite-JoeInc-31314
    loadbalance vip inservice
    loadbalance policy vip-pol-MySite-JoeInc
    loadbalance vip icmp-reply
  class vip-MySite-JoeInc-1433
    loadbalance vip inservice
    loadbalance policy vip-pol-MySite-JoeInc
    loadbalance vip icmp-reply
  class reals
    nat dynamic 1 vlan 240
  class vip-MySite-JoeInc-8080
    loadbalance vip inservice
    loadbalance policy vip-pol-MySite-JoeInc
    loadbalance vip icmp-reply
F5 Configuration
ltm virtual vip-Insiteqa-JoeInc-12345 {
    destination 10.213.238.140:12345
    pool Insiteqa-JoeInc
    persist my_source_addr
    profiles { tcp {} }
}
ltm virtual vip-Insiteqa-JoeInc-1433 {
    destination 10.213.238.140:1433
    pool Insiteqa-JoeInc
    persist my_source_addr
    profiles { tcp {} }
}
ltm virtual vip-Insiteqa-JoeInc-31314 {
    destination 10.213.238.140:31314
    pool Insiteqa-JoeInc
    persist my_source_addr
    profiles { tcp {} }
}
ltm virtual vip-Insiteqa-JoeInc-8080 {
    destination 10.213.238.140:8080
    pool Insiteqa-JoeInc
    persist my_source_addr
    profiles { tcp {} }
}
ltm virtual vip-Insiteqa-JoeInc-http {
    destination 10.213.238.140:http
    pool Insiteqa-JoeInc
    persist my_source_addr
    profiles { tcp {} http {} }
}
ltm virtual vip-Insiteqa-JoeInc-https {
    destination 10.213.238.140:https
    profiles { tcp {} }
}
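The chain described in the sticky, class-map and policy-map sections (class-map, then multi-match policy, then loadbalance policy, then sticky group, then serverfarm) can be resolved mechanically to see which virtual servers should end up with a pool. This is an added Python example, not code from the ace2f5 scripts; `stanzas`, `resolve_virtuals` and the trimmed sample are constructed here, and it assumes the pool takes the serverfarm's name.

```python
# Constructed sample: a trimmed copy of the ACE stanzas shown in this article.
ACE_SAMPLE = """\
sticky ip-netmask 255.255.255.255 address source MySite-JoeInc-sticky
  serverfarm MySite-JoeInc
class-map match-any vip-MySite-JoeInc-http
  2 match virtual-address 10.213.238.140 tcp eq www
class-map match-any vip-MySite-JoeInc-https
  2 match virtual-address 10.213.238.140 tcp eq https
policy-map type loadbalance first-match vip-pol-MySite-JoeInc
  class class-default
    sticky-serverfarm MySite-JoeInc-sticky
policy-map multi-match lb-MySite-JoeInc
  class vip-MySite-JoeInc-http
    loadbalance policy vip-pol-MySite-JoeInc
  class vip-MySite-JoeInc-https
    loadbalance vip inservice
"""

def stanzas(text):
    """Split the config at unindented lines into (header_words, body_word_lists)."""
    out = []
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():
            out.append((line.split(), []))
        elif out:
            out[-1][1].append(line.split())
    return out

def resolve_virtuals(text):
    """Return {class-map name: (destination, pool)}; pool is None if no policy leads to one."""
    vips, sticky, lbpol, multi, pools, cls = {}, {}, {}, [], {}, None
    for head, body in stanzas(text):
        if head[0] == "class-map":
            for w in body:
                if "virtual-address" in w:
                    port = {"www": "http"}.get(w[-1], w[-1])  # tmsh output above uses "http"
                    vips[head[-1]] = w[w.index("virtual-address") + 1] + ":" + port
        elif head[0] == "sticky":  # sticky group name -> serverfarm
            sticky[head[-1]] = next((w[1] for w in body if w[0] == "serverfarm"), None)
        elif head[:3] == ["policy-map", "type", "loadbalance"]:  # policy -> sticky group
            lbpol[head[-1]] = next((w[1] for w in body if w[0] == "sticky-serverfarm"), None)
        elif head[:2] == ["policy-map", "multi-match"]:
            multi += body
    for w in multi:
        if w[0] == "class":
            cls = w[1]
        elif w[:2] == ["loadbalance", "policy"]:
            pools[cls] = sticky.get(lbpol.get(w[2]))  # assumption: pool named after serverfarm
    return {name: (dest, pools.get(name)) for name, dest in vips.items()}
```

A class that resolves to `None`, like the https class here, corresponds to the `ltm virtual` in the output above that has no `pool` or `persist` line and should be reviewed by hand after import.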
Conclusion
If you are considering migrating from Cisco’s ACE to F5, I’d suggest you take a look at the Cisco conversion scripts to assist with the conversion.
- Joad (Nimbostratus)
Hello, can I ask some questions?
- What is the f5 correspondence to "class class-default" in policy-map type loadbalance first-match configuration?
- ACE "nat dynamic" matches f5 SNAT automap feature?
- ACE "nat pool" matches f5 SNAT pool feature?
Thank you in advance
- Tony_Bencivenga (Nimbostratus)
No longer works with 12.x of the F5. Get no errors on the conversion, but when importing it fails due to it cannot read the converted file correctly.
- k_kirchev_28437 (Nimbostratus)
Tony Bencivenga I tested and everything was working on 12.1.2 in VE lab. But I have not tested it in production. Also Cisco scripts work like 60,70%. Some of the work has to be done manually.
- John_Meggers (Nimbostratus)
The links in the third paragraph are broken, and I don't see anything referencing Cisco or ACE in the clouddocs suggested link on the 404 page. Anybody know where to find the script?
And, BTW, it's "into ITS F5 counterpart" -- no apostrophe, because the use is possessive and not a contraction.
A little late getting to this one but... it's fixed now. Thanks!