Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits
From DocWiki
(Difference between revisions)
m |
m |
||
| Line 303: | Line 303: | ||
| - | <BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>BR><BR><BR><BR><BR> | + | <BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR> |
===Security-Related Limits=== | ===Security-Related Limits=== | ||
| Line 402: | Line 402: | ||
|} | |} | ||
| - | <BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR> | + | <BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR> |
===Management-Related Limits=== | ===Management-Related Limits=== | ||
Revision as of 15:34, 27 April 2010
This article describes the ACE system limits and performance numbers for various resources and configuration objects.
Contents |
ACE Performance Numbers and Resource Limits
The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as guidelines only and may vary based on your production-specific environment.
ACE Performance Numbers
| Performance Measurement | ACE Module Maximum Value | ACE Appliance Maximum Value |
| Max number of 10/100 Mbps ports | Catalyst 6500 series switch or Cisco 7600 series router limit | 4 |
| Max number of Gigabit ports | Catalyst 6500 series switch or Cisco 7600 series router limit | 4 |
| Switching Capacity | Catalyst 6500 series switch or Cisco 7600 series router limit | 4 Gbps |
| SLB L4 bps | 4, 8, or 16 Gbps | 1, 2, or 4 Gbps |
| SLB L4 Connections per Second (CPS) | 325,000 | 120,000 |
| SLB L7 Maximum CPS | 133,000 | 40,000 |
| Concurrent L4 Sessions | 4,000,000 | 1,000,000 |
| Concurrent L7 Sessions | 512,000 | 128,000 |
| Packets per Second (PPS) | 4,000,000+ | 1,800,000 @ 64 bytes, 162,000 @ 1500 bytes |
| SSL Bandwidth | 3.3 Gbps | 1 Gbps |
| SSL Transactions per Second (TPS) | 15,000 | 7,500 |
| Concurrent SSL Sessions | 200,000 | 100,000 |
SLB-Related Limits
| SLB-Related Object | ACE Module System Limit | ACE Module Context Limit | ACE Appliance Limit | Additional Information |
| ARP Entries | 32,768 | 32,768 | 32,768 | |
| Bridge Table Entries | 32,768 | 32,768 | 32,768 | A few are reserved for L2 interafces, redundancy, and so on. |
| Bridge-Group Virtual Interfaces (BVIs) | 4096 | 2048 | 512 | |
| Class Maps (L4 and L7) | 8192 | 8192 | 8192 | When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time. |
| Concurrent Conns L4 (Unproxied) | 4,000,000 | 4,000,000 | 1,000,000 | |
| Concurrent Connections L7 (Proxied) | 512,000 | 512,000 | 128,000 | |
| Domains | 2,500 | 10 (9) | 10 (9 per context) | One is used for the default domain. |
| Domain Objects | None | None | None | Any object within the virtual partition can be added to a domain. |
| Logical Interfaces | 8,192 | 8,192 | 8,192 | |
| Matches Per VIP | 1,024 | 1,024 | 1,024 | A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected. |
| Policy Maps | 4,096 | 4,096 | 4,096 | Total number of policy maps, including L7, inspection, and all types |
| Probe definitions | 4,096 | 4,096 | 1,024 | |
| Probe Instances | 16,384 | 16,384 | 4,096 | |
| Real Servers | 16,384 | 16,384 | 4,096 | |
| Resource Classes | 100 (99) | 1 | 100 (99) | One is used for the default class. |
| Roles | 4,000 | 16 (8) | 16 (8) per context | Eight are predefined. |
| Server Farms | 16,384 | 16,384 | 1,024 | |
| Service Policies | (4096 interfaces x 128 service policies per interface ) * 251 contexts | 4096 interfaces x 128 service policies per interface | (4096 interfaces x 128 service policies per interface ) * 21 contexts | 128 per interface, 128 globally per context |
| Simultaneous Probes | 2,500 sockets | 2,500 sockets | 2,500 sockets | In ACE software version A2(x), probe sockets have been increased. Use the show resource internal socket command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions. |
| Sticky Groups | 4,096 | 4,096 | 4,096 | |
| Sticky Table Entries | 4,000,000 | 4,000,000 | 800,000 | |
| Virtual Contexts | 251 | N/A | 21 (1 Admin context) | 250 user contexts + 1 Admin context |
| Virtual Server Farms | 4k (4094) | 4k (4094) | 1024 | |
| Virtual Servers (Same IP Addresses) | 4k (4094) | 4k (4094) | 1024 | No limit as on the CSM |
| Virtual Servers (Unique IP Addresses) | 4k (4094) | 4k (4094) | 1024 | No limit as on the CSM |
| VLANs | 4,000 (2-4094) | 4,000 (2-4094) | 4,000 (2-4094) |
Security-Related Limits
| Security Related Object | ACE Module System Limit | ACE Module Context Limit | ACE Appliance Limit | Additional Information |
| ACLs | 8,192 | 1,024 (practical limit) | 8,192 | |
| ACL Entries | 64,000 | 1,024 (practical limit) | 40K | |
| Static NAT Policies | 4096 | 4096 | 4096 | |
| Dynamic NAT Policies | 4096 | 4096 | 4096 | |
| Maximum of addresses in a NAT pool | 64 | 64 | 32 | |
| Maximum of addresses in a PAT pool | 63k | 63k | 63l | |
| PAT Entries | 4,000,000 | 4,000,000 | 1,000,000 | |
| Total NAT Pools | 8,192 | 8,192 | 8,192 | |
| Xlates | 1,000,000 | 1,000,000 | 64,000 | |
| Concurrent SSL Conns | 100,000 | 100,000 | 100,000 | Subset of L7 (proxied) connections |
| RSA key size | up to 2048 bits | up to 2048 bits | up to 2048 bits | Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits |
| SSL Certs/Key files | 3800/3800 | 3800/3800 | 3800/3800 | This number is strictly enforced in A220, A214, and A322 |
Management-Related Limits
| Management-Related Object | ACE Module System Limit | ACE Module Context Limit | ACE Appliance | Additional Information |
| AAA LDAP Servers | 6,144 | 8 (24 total) | 8 | |
| AAA RADIUS Servers | 2K (256*8) | 8 (24 total) | 8 | |
| AAA TACACS+ Servers | 6K (256*24) | 8 (24 total) | 8 | |
| Domains | 2500 | 64 (63) | 64 (63) | One domain is used for the default-domain and cannot be removed |
| Local Users | 7500 | 30 (Admin context: 28) | 31 (including admin, www, and dm) | |
| Objects within a Domain | No limit | No limit | Any object within the virtual partition can be added to a domain | |
| Resource-classes | 252 | Not applicable | 100 | |
| Roles | 4000 | 16 (8) | 16 (8) | Eight are predefined and cannot be altered, leaving eight for you to customize |
| SNMP Hosts | No Limit | 10 | ||
| SSH Sessions | 256 | 4 | 4 | |
| Syslog buffer size | 4 MB | 4 MB | 1 MB | |
| Syslog CP rate | 5,000 per seconds | 5,000 per seconds | 3,000 per seconds | |
| Syslog DP rate | 350,000 per second | 350,000 per second | 120,000 per second | |
| Syslog history table size | 256 x 500 | 500 | ||
| Syslog Hosts | 256 | 2 | 2 | |
| Syslog internal queue size | 10 MB | 10 MB | 8,192 messages | |
| Syslog persistence size | 1M | 1M | ||
| Syslog rate limit table size | 256 x 100 | 100 | 10,000 messages per sec | |
| Telnet Sessions | 256 | 4 | 4 |
