Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

From DocWiki

Revision as of 22:48, 16 April 2010 by Dhuckaby (Talk | contribs)

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

ACE Performance Numbers and Resource Limits

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as guidelines only and may vary based on your production-specific environment.


ACE Performance Numbers

| Performance Measurement | ACE Module Maximum Value | ACE Appliance Maximum Value |
|---|---|---|
| Max number of 10/100 Mbps ports | Catalyst 6500 series switch or Cisco 7600 series router limit | 4 |
| Max number of Gigabit ports | Catalyst 6500 series switch or Cisco 7600 series router limit | 4 |
| Switching Capacity | Catalyst 6500 series switch or Cisco 7600 series router limit | 4 Gbps |
| SLB L4 bps | 4, 8, or 16 Gbps | 1, 2, or 4 Gbps |
| SLB L4 Connections per Second (CPS) | 325,000 | 120,000 |
| SLB L7 Maximum CPS | 133,000 | 40,000 |
| Concurrent L4 Sessions | 4,000,000 | 1,000,000 |
| Concurrent L7 Sessions | 512,000 | 128,000 |
| Packets per Second (PPS) | 4,000,000+ | 1,800,000 @ 64 bytes, 162,000 @ 1500 bytes |
| SSL Bandwidth | 3.3 Gbps | 1 Gbps |
| SSL Transactions per Second (TPS) | 15,000 | 7,500 |
| Concurrent SSL Sessions | 200,000 | 100,000 |

SLB-Related Limits

| SLB-Related Object | ACE Module System Limit | ACE Module Context Limit | ACE Appliance Limit | Additional Information |
|---|---|---|---|---|
| ARP Entries | 32,768 | 32,768 | 32,768 | |
| Bridge Table Entries | 32,768 | 32,768 | 32,768 | A few are reserved for L2 interfaces, redundancy, and so on. |
| Bridge-Group Virtual Interfaces (BVIs) | 4096 | 2048 | 512 | |
| Class Maps (L4 and L7) | 8192 | 8192 | 8192 | When load balancing on a specific client's source IP address, there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time. |
| Concurrent Conns L4 (Unproxied) | 4,000,000 | 4,000,000 | 1,000,000 | |
| Concurrent Connections L7 (Proxied) | 512,000 | 512,000 | 128,000 | |
| Domains | 2,500 | 10 (9) | 10 (9 per context) | One is used for the default domain. |
| Domain Objects | None | None | None | Any object within the virtual partition can be added to a domain. |
| Logical Interfaces | 8,192 | 8,192 | 8,192 | - |
| Matches Per VIP | 1,024 | 1,024 | 1,024 | A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected. |
| Policy Maps | 4,096 | 4,096 | 4,096 | Total number of policy maps, including L7, inspection, and all types |
| Probe definitions | 4,096 | 4,096 | 1,024 | |
| Probe Instances | 16,384 | 16,384 | 4,096 | |
| Real Servers | 16,384 | 16,384 | 4,096 | |
| Resource Classes | 100 (99) | 1 | 100 (99) | One is used for the default class. |
| Roles | 4,000 | 16 (8) | 16 (8) per context | Eight are predefined. |
| Server Farms | 16,384 | 16,384 | 1,024 | |
| Service Policies | (4096 interfaces x 128 service policies per interface) * 251 contexts | 4096 interfaces x 128 service policies per interface | 128 per interface, 128 globally per context | |
| Simultaneous Probes | 2,500 sockets | 2,500 sockets | 2,500 sockets | In ACE software version A2(x), probe sockets have been increased. Use the show resource internal socket command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions. |
| Sticky Groups | 4,096 | 4,096 | 4,096 | |
| Sticky Table Entries | 4,000,000 | 4,000,000 | 800,000 | |
| Virtual Contexts | 251 | N/A | 21 (1 Admin context) | 250 user contexts + 1 Admin context |
| Virtual Server Farms | 4k (4094) | 4k (4094) | 1024 | |
| Virtual Servers (Same IP Addresses) | 4k (4094) | 4k (4094) | 1024 | No limit as on the CSM |
| Virtual Servers (Unique IP Addresses) | 4k (4094) | 4k (4094) | 1024 | No limit as on the CSM |
| VLANs | 4,000 (2-4094) | 4,000 (2-4094) | 4,000 (2-4094) | |

Table 3. Security-Related Limits

| Security-Related Object | ACE Module System Limit | ACE Module Context Limit | ACE Appliance Limit | Additional Information |
|---|---|---|---|---|
| ACLs | 8,192 | 1,024 (practical limit) | 8,192 | |
| ACL Entries | 64,000 | 1,024 (practical limit) | 40K | |
| Static NAT Policies | 4096 | 4096 | 4096 | |
| Dynamic NAT Policies | 4096 | 4096 | 4096 | |
| Maximum of addresses in a NAT pool | 64 | 64 | 32 | |
| Maximum of addresses in a PAT pool | 63k | 63k | 63k | |
| PAT Entries | 4,000,000 | 4,000,000 | 1,000,000 | |
| Total NAT Pools | 8,192 | 8,192 | 8,192 | |
| Xlates | 1,000,000 | 1,000,000 | 64,000 | |
| Concurrent SSL Conns | 100,000 | 100,000 | 100,000 | Subset of L7 (proxied) connections |
| RSA key size | up to 2048 bits | up to 2048 bits | up to 2048 bits | Supported: 512, 786, 1536, 1024, & 2048 bits. Not supported: 3072 bits & 4096 bits |
| SSL Certs/Key files | 3800/3800 | 3800/3800 | 3800/3800 | This number is strictly enforced in A220, A214, and A322 |

Table 4. Management-Related Limits

Management-Related Object ACE Module System Limit ACE Module Context Limit ACE Appliance Additional Information
AAA LDAP Servers 6,144 8 (24 total) 8
AAA RADIUS Servers 2K (256*8) 8 (24 total) 8
AAA TACACS+ Servers 6K (256*24) 8 (24 total) 8
Domains 2500 64 (63) 64 (63) One domain is used for the default-domain and cannot be removed
Local Users 7500 30 (Admin context: 28) 31 (including admin, www, and dm)
Objects within a Domain No limit No limit Any object within the virtual partition can be added to a domain
Resource-classes 252 Not applicable 100
Roles 4000 16 (8) 16 (8) Eight are predefined and cannot be altered, leaving eight for you to customize
SNMP Hosts No Limit 10
SSH Sessions 256 4 4
Syslog buffer size 4 MB 4 MB 1 MB
Syslog CP rate 5,000 per second 5,000 per second 3,000 per second
Syslog DP rate 350,000 per second 350,000 per second 120,000 per second
Syslog history table size 256 x 500 500
Syslog Hosts 256 2 2
Syslog internal queue size 10 MB 10 MB 8,192 messages
Syslog persistence size 1M 1M
Syslog rate limit table size 256 x 100 100 10,000 messages per sec
Telnet Sessions 256 4 4
