Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

From DocWiki

(Difference between revisions)
m
m (Management-Related Limits)
 
(38 intermediate revisions not shown)
Line 4: Line 4:
|align="center"|'''Guide Contents'''
|align="center"|'''Guide Contents'''
|-
|-
-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]]<br>[[Cisco Application Control Engine 
(ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]]<br>[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]]<br>
+
|[[Cisco Application Control Engine (ACE) Troubleshooting Guide|Main Article]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Overview of ACE Troubleshooting|Overview of ACE Troubleshooting]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Preliminary ACE Troubleshooting|Preliminary ACE Troubleshooting]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Connectivity|Troubleshooting Connectivity]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Ethernet Ports|Troubleshooting ACE Appliance Ethernet Ports]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Remote Access|Troubleshooting Remote Access]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]]<br>[[Cisco Application Control 
Engine (ACE) Troubleshooting Guide -- Troubleshooting Redundancy|Troubleshooting Redundancy]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting SSL|Troubleshooting SSL]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Compression|Troubleshooting Compression]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits|ACE Resource Limits]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Managing Resources|Managing ACE Resources]]<br>[[Cisco Application Control Engine (ACE) Troubleshooting Guide -- Show Counter Reference|Show Counter Reference]]<br>
|}
|}
Line 27: Line 27:
-
== ACE Performance Numbers and Resource Limits ==
 
-
The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
 
-
guidelines only and may vary based on your production-specific environment.
 
-
<BR>
 
-
===ACE Performance Numbers===
+
== ACE Performance Numbers and Resource Limits ==
-
{| width=100% align="left" border="1" cellspacing = "0"
+
For the most current performance numbers for the ACE products, always refer to the data sheets for the ACE appliance and the ACE module.
-
|-
+
-
|'''Performance Measurement'''
+
-
|'''ACE Module Maximum Value'''
+
-
|'''ACE Appliance Maximum Value'''
+
-
|-
+
===ACE Appliance Data Sheet===
-
|Max number of 10/100 Mbps ports
+
-
|Catalyst 6500 series switch or Cisco 7600 series router limit
+
-
|4
+
-
|-
+
[http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps7027/Data_Sheet_Cisco_ACE_4710.html ACE appliance data sheet]
-
|Max number of Gigabit ports
+
-
|Catalyst 6500 series switch or Cisco 7600 series router limit
+
-
|4
+
-
|-
+
===ACE Module Data Sheets===
-
|Switching Capacity
+
-
|Catalyst 6500 series switch or Cisco 7600 series router limit
+
-
|4 Gbps
+
-
|-
+
[http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/product_data_sheet0900aecd8045861b.html ACE10/ACE20 module data sheet]
-
|SLB L4 bps
+
-
|4, 8, or 16 Gbps
+
-
|1, 2, or 4 Gbps
+
-
|-
+
[http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/data_sheet_c78_632383.html ACE30 module data sheet]
-
|SLB L4 Connections per Second (CPS)
+
-
|325,000
+
-
|120,000
+
-
 
+
-
|-
+
-
|SLB L7 Maximum CPS
+
-
|133,000
+
-
|40,000
+
-
 
+
-
|-
+
-
|Concurrent L4 Sessions
+
-
|4,000,000
+
-
|1,000,000
+
-
 
+
-
|-
+
-
|Concurrent L7 Sessions
+
-
|512,000
+
-
|128,000
+
-
 
+
-
|-
+
-
|Packets per Second (PPS)
+
-
|4,000,000+
+
-
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes
+
-
 
+
-
|-
+
-
|SSL Bandwidth
+
-
|3.3 Gbps
+
-
|1 Gbps
+
-
 
+
-
|-
+
-
|SSL Transactions per Second (TPS)
+
-
|15,000
+
-
|7,500
+
-
 
+
-
|-
+
-
|Concurrent SSL Sessions
+
-
|200,000
+
-
|100,000
+
-
 
+
-
|}
+
-
<BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>
+
If you have any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.
===SLB-Related Limits===
===SLB-Related Limits===
 +
'''Scalability Numbers'''
 +
The scalability numbers provided here are intended to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to your deployment, testing with your feature combination is strongly recommended. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.
{| align="left" border="1" cellspacing = "0"
{| align="left" border="1" cellspacing = "0"
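Review bot: The contact sentence is now stated twice within a few lines: once just above the ===SLB-Related Limits=== heading ("If you have any questions or concerns related to ACE performance...") and again as the last sentence of the new Scalability Numbers paragraph; keep one. With the performance table replaced by three external data sheet links, the page no longer carries any figure for SSL TPS, concurrent SSL sessions or L4/L7 CPS, so it would help to say which ACE software releases the linked data sheets cover.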
Line 136: Line 78:
|512
|512
|
|
-
 
-
|-
 
-
|Class Maps (L4 and L7)
 
-
|8192
 
-
|8192
 
-
|8192
 
-
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.
 
|-
|-
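Review bot: Removing the Class Maps row also removes its Additional Information text, the limit of 1000 source-address matches per class map and 16k applied source-address matches overall. That is a configuration constraint rather than a performance number, and nothing in this hunk re-homes it; either keep the row or move the note to the page that documents class maps and link to it.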
Line 178: Line 113:
|8,192
|8,192
|  
|  
-
 
-
|-
 
-
|Matches Per VIP
 
-
|1,024
 
-
|1,024
 
-
|1,024
 
-
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.
 
-
 
-
|-
 
-
|Policy Maps
 
-
|4,096
 
-
|4,096
 
-
|4,096
 
-
|Total number of policy maps, including L7, inspection, and all types
 
-
 
-
|-
 
-
|Probe definitions
 
-
|4,096
 
-
|4,096
 
-
|1,024
 
-
|
 
-
 
-
|-
 
-
|Probe Instances
 
-
|16,384
 
-
|16,384
 
-
|4,096
 
-
|
 
-
 
-
|-
 
-
|Real Servers
 
-
|16,384
 
-
|16,384
 
-
|4,096
 
-
|
 
|-
|-
Line 227: Line 127:
|16 (8) per context
|16 (8) per context
|Eight are predefined.
|Eight are predefined.
-
 
-
|-
 
-
|Server Farms
 
-
|16,384
 
-
|16,384
 
-
|1,024
 
-
|
 
-
 
-
|-
 
-
|Service Policies
 
-
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
 
-
|4096 interfaces x 128 service policies per interface
 
-
|(4096 interfaces x 128 service policies per interface ) * 21 contexts
 
-
|128 per interface, 128 globally per context
 
-
 
-
|-
 
-
|Simultaneous Probes
 
-
|2,500 sockets
 
-
|2,500 sockets
 
-
|2,500 sockets
 
-
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.
 
|-
|-
Line 269: Line 148:
|21 (1 Admin context)
|21 (1 Admin context)
|250 user contexts + 1 Admin context  
|250 user contexts + 1 Admin context  
-
 
-
|-
 
-
|Virtual Server Farms
 
-
|4k (4094)
 
-
|4k (4094)
 
-
|1024
 
-
|
 
-
 
-
|-
 
-
|Virtual Servers (Same IP Addresses)
 
-
|4k (4094)
 
-
|4k (4094)
 
-
|1024
 
-
|No limit as on the CSM
 
-
 
-
|-
 
-
|Virtual Servers (Unique IP Addresses)
 
-
|4k (4094)
 
-
|4k (4094)
 
-
|1024
 
-
|No limit as on the CSM
 
|-
|-
Line 301: Line 159:
-
 
+
<BR><BR><BR><BR><BR><BR>
-
 
+
<BR><BR><BR><BR><BR><BR>
-
<BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>
+
<BR><BR><BR><BR><BR><BR>
===Security-Related Limits===
===Security-Related Limits===
 +
'''Scalability Numbers'''
 +
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.
{| align="left" border="1" cellspacing = "0"
{| align="left" border="1" cellspacing = "0"
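Review bot: The new Scalability Numbers paragraph under Security-Related Limits addresses an internal reader ("before any commitment on ACE performance is made to the customer"), whereas the copy added under SLB-Related Limits addresses the operator ("testing with your feature combination"). Use the SLB wording here, and in the identical paragraph added under Management-Related Limits, so the three sections read the same.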
Line 314: Line 174:
|'''ACE Appliance Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''
|'''Additional Information'''
-
 
-
|-
 
-
|ACLs
 
-
|8,192
 
-
|1,024 (practical limit)
 
-
|8,192
 
-
|
 
-
 
-
|-
 
-
|ACL Entries
 
-
|64,000
 
-
|1,024 (practical limit)
 
-
|40K
 
-
|
 
|-
|-
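Review bot: Deleting the ACLs and ACL Entries rows leaves Security-Related Limits with no ACL capacity figure at all, including the "1,024 (practical limit)" per-context value that an operator sizing a context's ACLs would look for. If these numbers are no longer accurate, replace them or point to the Troubleshooting Access Control Lists page rather than removing the rows silently.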
Line 387: Line 233:
|-
|-
|RSA key size
|RSA key size
-
|up to 2048 bits
+
|up to 4096 bits
-
|up to 2048 bits
+
|up to 4096 bits
-
|up to 2048 bits
+
|up to 4096 bits
-
|Supported: 512, 786, 1536, 1024, & 2048 bits
+
|Supported: 512, 786, 1536, 1024, 2048, and 4096 (imported public keys only) bits  
-
Not supported: 3072 bits & 4096 bits
+
|-
|-
|SSL Certs/Key files
|SSL Certs/Key files
-
|3800/3800
+
|3800/3800 (A2(3.x) and earlier)
-
|3800/3800
+
4096/4096 (A4(1.0) and later)
-
|3800/3800
+
|3800/3800 (A2(3.x) and earlier)
 +
4096/4096 (A4(1.0) and later)
 +
|3800/3800 (A3(1.x) and earlier)
 +
4096/4096 (A3(2.x) and later, incl. A4(1.0))
|This number is strictly enforced in A220, A214, and A322
|This number is strictly enforced in A220, A214, and A322
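Review bot: The three RSA key size limit cells now read "up to 4096 bits" without qualification, while the note restricts 4096 to imported public keys only; put that restriction in the limit cells or readers will take 4096-bit key pairs as supported. The change also deletes the explicit "Not supported: 3072 bits & 4096 bits" line without saying where 3072 now stands, and the size list still reads "786" and is out of order (1536 before 1024); please confirm 786 and state 3072 either way. In the SSL Certs/Key files row, "This number is strictly enforced in A220, A214, and A322" no longer has a single number to refer to now that the cells give 3800 or 4096 depending on release.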
Line 405: Line 253:
===Management-Related Limits===
===Management-Related Limits===
 +
'''Scalability Numbers'''
 +
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.
{| align="left" border="1" cellspacing = "0"
{| align="left" border="1" cellspacing = "0"
Line 502: Line 352:
|350,000 per second  
|350,000 per second  
|350,000 per second
|350,000 per second
-
|120,000 per second
+
|100,000 per second
|
|

Latest revision as of 17:48, 29 March 2011

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

ACE Performance Numbers and Resource Limits

For the most current performance numbers for the ACE products, always refer to the data sheets for the ACE appliance and the ACE module.

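ACE Appliance Data Sheet

ACE appliance data sheet: http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps7027/Data_Sheet_Cisco_ACE_4710.html

ACE Module Data Sheets

ACE10/ACE20 module data sheet: http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/product_data_sheet0900aecd8045861b.html

ACE30 module data sheet: http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/data_sheet_c78_632383.html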

If you have any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

SLB-Related Limits

Scalability Numbers

The scalability numbers provided here are intended to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to your deployment, testing with your feature combination is strongly recommended. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| border="1" cellspacing="0"
|-
|'''SLB-Related Object'''||'''ACE Module System Limit'''||'''ACE Module Context Limit'''||'''ACE Appliance Limit'''||'''Additional Information'''
|-
|ARP Entries||32,768||32,768||32,768||
|-
|Bridge Table Entries||32,768||32,768||32,768||A few are reserved for L2 interfaces, redundancy, and so on.
|-
|Bridge-Group Virtual Interfaces (BVIs)||4096||2048||512||
|-
|Concurrent Conns L4 (Unproxied)||4,000,000||4,000,000||1,000,000||
|-
|Concurrent Connections L7 (Proxied)||512,000||512,000||128,000||
|-
|Domains||2,500||10 (9)||10 (9 per context)||One is used for the default domain.
|-
|Domain Objects||None||None||None||Any object within the virtual partition can be added to a domain.
|-
|Logical Interfaces||8,192||8,192||8,192||
|-
|Resource Classes||100 (99)||1||100 (99)||One is used for the default class.
|-
|Roles||4,000||16 (8)||16 (8) per context||Eight are predefined.
|-
|Sticky Groups||4,096||4,096||4,096||
|-
|Sticky Table Entries||4,000,000||4,000,000||800,000||
|-
|Virtual Contexts||251||N/A||21 (1 Admin context)||250 user contexts + 1 Admin context
|-
|VLANs||4,000 (2-4094)||4,000 (2-4094)||4,000 (2-4094)||
|}

Security-Related Limits

Scalability Numbers

The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| border="1" cellspacing="0"
|-
|'''Security Related Object'''||'''ACE Module System Limit'''||'''ACE Module Context Limit'''||'''ACE Appliance Limit'''||'''Additional Information'''
|-
|Static NAT Policies||4096||4096||4096||
|-
|Dynamic NAT Policies||4096||4096||4096||
|-
|Maximum of addresses in a NAT pool||64||64||32||
|-
|Maximum of addresses in a PAT pool||63k||63k||63k||
|-
|PAT Entries||4,000,000||4,000,000||1,000,000||
|-
|Total NAT Pools||8,192||8,192||8,192||
|-
|Xlates||1,000,000||1,000,000||64,000||
|-
|Concurrent SSL Conns||100,000||100,000||100,000||Subset of L7 (proxied) connections
|-
|RSA key size||up to 4096 bits||up to 4096 bits||up to 4096 bits||Supported: 512, 786, 1536, 1024, 2048, and 4096 (imported public keys only) bits
|-
|SSL Certs/Key files||3800/3800 (A2(3.x) and earlier)<br>4096/4096 (A4(1.0) and later)||3800/3800 (A2(3.x) and earlier)<br>4096/4096 (A4(1.0) and later)||3800/3800 (A3(1.x) and earlier)<br>4096/4096 (A3(2.x) and later, incl. A4(1.0))||This number is strictly enforced in A220, A214, and A322
|}

Management-Related Limits

Scalability Numbers

The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

Management-Related Object ACE Module System Limit ACE Module Context Limit ACE Appliance Additional Information
AAA LDAP Servers 6,144 8 (24 total) 8
AAA RADIUS Servers 2K (256*8) 8 (24 total) 8
AAA TACACS+ Servers 6K (256*24) 8 (24 total) 8
Domains 2500 64 (63) 64 (63) One domain is used for the default-domain and cannot be removed
Local Users 7500 30 (Admin context: 28) 31 (including admin, www, and dm)
Objects within a Domain No limit No limit Any object within the virtual partition can be added to a domain
Resource-classes 252 Not applicable 100
Roles 4000 16 (8) 16 (8) Eight are predefined and cannot be altered, leaving eight for you to customize
SNMP Hosts No Limit 10
SSH Sessions 256 4 4
Syslog buffer size 4 MB 4 MB 1 MB
Syslog CP rate 5,000 per second 5,000 per second 3,000 per second
Syslog DP rate 350,000 per second 350,000 per second 100,000 per second
Syslog history table size 256 x 500 500
Syslog Hosts 256 2 2
Syslog internal queue size 10 MB 10 MB 8,192 messages
Syslog persistence size 1M 1M
Syslog rate limit table size 256 x 100 100 10,000 messages per sec
Telnet Sessions 256 4 4
