Cisco Application Control Engine (ACE) Troubleshooting Guide -- Managing Resources

From DocWiki


Revision as of 21:14, 15 February 2010

This article describes how to manage and control the ACE system resources.



Overview of ACE Resources

Resource classes allow you to manage context access to ACE resources, such as concurrent connections or bandwidth rate. The ACE is preconfigured with a default resource class that it applies to the Admin context and any user context upon creation. The default resource class is configured to allow a context to operate within a range that can vary from no resource access (0 percent) to complete resource access (100 percent).

When you use the default resource class with multiple contexts, you run the risk of oversubscribing ACE resources because the ACE permits all contexts to have full access to all of the resources on a first-come, first-served basis. When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource.

To avoid oversubscribing resources and to help guarantee access to a resource by any context, the ACE allows you to create customized resource classes that you associate with one or more contexts. A context becomes a member of the resource class when you make the association. Creating a resource class allows you to set limits on the minimum and maximum amounts of each ACE resource that a member context is entitled to use. You define the minimum and maximum values as percentages of all resources. For example, you can create a resource class that allows its member contexts access to no less than 25 percent of the total number of SSL connections that the ACE supports.

You can limit and manage the allocation of the following ACE resources:

  • ACL memory
  • Buffers for syslog messages and TCP out-of-order (OOO) segments
  • Concurrent connections (through-the-ACE traffic)
  • Management connections (to-the-ACE traffic)
  • Proxy connections
  • Rates (resource limits set as a number per second)
  • Regular expression (regexp) memory
  • SSL connections
  • Sticky entries
  • Static or dynamic network address translations (Xlates)

By default, when you create a context, the ACE associates the context with the default resource class. The default resource class provides resources of a minimum of 0 and a maximum of unlimited for all resources except sticky entries. For stickiness to work properly, you must explicitly configure a minimum resource limit for sticky entries by using the limit-resource command.

For more information about managing ACE resources, see the Cisco Application Control Engine Module Virtualization Configuration Guide (Software Version A2(1.0)).

Managing ACE Resources

You can allocate system resources to multiple contexts by creating and defining one or more resource classes and then associating the contexts with a resource class. This section contains the following topics:

ACE Resource Planning

When you plan the initial resource allocations for the virtual contexts in your configuration, allocate only the minimum required or estimated resources. The ACE protects resources that are in use, so to decrease a context's resources, those resources must be unused. Although it is possible to decrease the resource allocations in real time, it may require additional management overhead to clear any used resources before reducing them. Therefore, it is considered a best practice to initially keep as many resources in reserve as possible and allocate the unused reserved resources as needed.

To address scaling and capacity planning, we recommend that new installations do not exceed 60 to 80 percent of the ACE's total capacity. To accomplish this goal, create a reserved resource class with a guarantee of 20 to 40 percent of all the ACE resources and configure a virtual context dedicated solely to ensuring that these resources are reserved. Then, you can efficiently distribute such reserved resources to contexts as capacity demands for handling client traffic increase over time.

Creating a Resource Class for Resource Management

You can create a resource class to allocate and manage the system resources used by one or more contexts. The ACE supports a maximum of 100 resource classes. After you create and configure the resource class, use the member command in context configuration mode to assign a resource class to the context (see the "Associating a Context with a Resource Class" section). To create a resource class, use the resource-class command in configuration mode. The syntax of the command is as follows:

resource-class name

For the name argument, enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

For example, to create the RC1 resource class, enter the following command:

ACE_module5/Admin(config)# resource-class RC1

To remove the resource class from the configuration, enter the following command:

host1/Admin(config)# no resource-class RC1

When you remove a resource class from the ACE, any contexts that were members of that resource class automatically become members of the default resource class. The default resource class allocates a minimum of 0.00 percent to a maximum of 100.00 percent of all ACE resources to each context. You cannot modify the default resource class.

Allocating Resources Within a Resource Class

You can allocate all resources or individual resources to all member contexts of a resource class. For example, you can allocate only concurrent connections or sticky table memory or management traffic. To allocate system resources to all members (contexts) of a resource class, use the limit-resource command in resource-class configuration mode.

The syntax of this command is as follows:

limit-resource {acl-memory | all | buffer {syslog} | conc-connections | mgmt-connections | proxy-connections | rate {bandwidth | connections | inspect-conn | mac-miss | mgmt-traffic | ssl-bandwidth | syslog} | regexp | sticky | xlates} {minimum number} {maximum {equal-to-min | unlimited}}

Note: The limit that you set for individual resources when you use the limit-resource command overrides the limit that you set for all resources when you use the limit-resource all command.

If you lower the limits for one context (context A) in order to increase the limits of another context (context B), you may experience a delay in the configuration change because the ACE will not lower the limits of context A until the resources are no longer being used by the context.

For example, to allocate 20 percent of all resources (minimum and maximum) to all member contexts of the resource class, enter the following command:

(config-resource)# limit-resource all minimum 20% maximum equal-to-min

To restore resource allocation to the default values of 0 percent minimum and 100 percent maximum for all resources to all member contexts, enter the following command:

(config-resource)# no limit-resource all

Table 1 lists the managed system resources of the ACE. You can limit these resources per context or for all contexts associated with the resource class by using the limit-resource command. See the "Allocating Resources within a Resource Class" section.

Table 1. System Resource Maximum Values

Resource                                               Maximum Value
ACL Memory                                             78,610,432 bytes
Buffer Memory (Syslog)                                 4,000,000 bytes
Concurrent Connections (Layer 4)                       4,000,000 connections
Concurrent Connections (SSL)                           200,000
Management Connections                                 100,000 connections
Proxy Connections (Layer 7)                            524,286 connections
SSL Proxy Connections                                  200,000
Rate
  Bandwidth                                            4 gigabits per second (Gbps). You can upgrade the ACE maximum bandwidth to 8 Gbps or 16 Gbps by purchasing a separate license from Cisco. For more information, see the Cisco Application Control Engine Module Administration Guide (Software Version A2(1.0)).
  Connections (any kind)                               325,000 connections per second (CPS)
  MAC miss                                             2000 packets per second (PPS)
  Management traffic                                   1 Gbps
  SSL transactions                                     1000 transactions per second (TPS), upgradeable to 15000 TPS with a separate license. For more information, see the Cisco Application Control Engine Module Administration Guide (Software Version A2(1.0)).
  Syslog                                               For traffic going to the ACE (control plane), 5000 messages per second. For traffic going through the ACE (data plane), 350,000 messages per second.
Regular Expression Memory                              1,048,576 bytes
Sticky Entries                                         4,194,304 entries
Xlates (network and port address translation entries)  524,286 translations

Changing the Resource Allocation of a Resource Class

If you (as the global Admin) need to change the resource allocation in a resource class of which two or more user contexts are members, you may do so at any time by entering the appropriate CLI commands. (For details about allocating resources, see the "Allocating Resources Within a Resource Class" section.) However, the shift in resources between the contexts does not take place immediately unless the appropriate resources are available to accommodate the change. In most cases, to effect a change in resource allocation, you must inform the context administrators involved to ensure that the new resource allocation is possible.

For example, suppose that context A is using 100 percent of the available resources of the class and you want to allocate 50 percent of the resources to context A and 50 percent of the resources to context B. Although the CLI accepts your resource allocation commands, context B cannot allocate 50 percent of the resources until context A deallocates 50 percent of its resources.

In this case, you must perform the following:

  • Inform the Context A administrator to start deallocating resources
  • Inform the Context B administrator to start allocating resources after the Context A administrator releases the resources

Note: As resources are released from other contexts, the ACE assigns the resources to resource-starved contexts (contexts where the resource-class minimum allocations have not been met).

Displaying the ACE Resource Allocation and Usage

To view the current resource allocation in your ACE, enter the following command:

ACE_mdule5/Admin# show resource allocation
Parameter                 Min      Max         Class
acl-memory                0.00%    100.00%    default
syslog buffer             0.00%    100.00%    default
conc-connections          0.00%    100.00%    default
mgmt-connections          0.00%    100.00%    default
proxy-connections         0.00%    100.00%    default
bandwidth                 0.00%    100.00%    default
connection rate           0.00%    100.00%    default
inspect-conn rate         0.00%    100.00%    default
syslog rate               0.00%    100.00%    default
regexp                    0.00%    100.00%    default
sticky                    0.00%    100.00%    default
xlates                    0.00%    100.00%    default
ssl-connections rate      0.00%    100.00%    default
mgmt-traffic rate         0.00%    100.00%    default
mac-miss rate             0.00%    100.00%    default
throughput                0.00%    100.00%    default

To view the current resource usage, enter the following command:

ACE_mdule5/Admin# show resource usage
        Resource         Current       Peak        Min        Max       Denied
Context: Admin
  conc-connections              0          0          0    8000000          0
  mgmt-connections              2          8          0     100000          0
  proxy-connections             0          0          0    1048574          0
  xlates                        0          0          0    1048574          0
  bandwidth                  1094      80192          0  625000000          0
    throughput                938      75902          0  500000000          0
    mgmt-traffic rate         156       4290          0  125000000          0
  connection rate               1         28          0    1000000          0
  ssl-connections rate          0          0          0       5000          0
  mac-miss rate                 0          0          0       2000          0
  inspect-conn rate             0          0          0       6000          0
  acl-memory                23776      28616          0   78610432          0
  sticky                        0          0          0          0          0
  regexp                        0          0          0    1048576          0
  syslog buffer                 0          0          0    4194304          0
  syslog rate                   0          0          0     100000          0

Note: All bandwidth values are in bytes per second. To convert to bits per second (bps), multiply the values by eight. The ACE guarantees 1 Gbps of bandwidth for management traffic. So, the total bandwidth for a 4-Gbps ACE license is actually 5 Gbps. Throughput is still 4 Gbps.
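
The following Python sketch is an added example, not part of the original guide or of any Cisco tooling. It parses show resource usage output as shown above, flags resources with denied requests, a peak near the limit, or a Max of 0 (as sticky has under the default resource class), and applies the bytes-to-bits conversion from the note. The 0.8 threshold (taken from the upper end of the planning guidance) and the finding labels are assumptions of this example.

```python
import re

# Sample transcribed from the "show resource usage" output on this page (abridged).
SAMPLE = """\
        Resource         Current       Peak        Min        Max       Denied
Context: Admin
  conc-connections              0          0          0    8000000          0
  mgmt-connections              2          8          0     100000          0
  bandwidth                  1094      80192          0  625000000          0
    throughput                938      75902          0  500000000          0
  acl-memory                23776      28616          0   78610432          0
  sticky                        0          0          0          0          0
"""

ROW = re.compile(r"^\s+(\S.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
BYTE_RATES = {"bandwidth", "throughput", "mgmt-traffic rate"}  # bytes/s per the note

def parse_usage(text):
    """Return {context: {resource: {current, peak, min, max, denied}}}."""
    out, ctx = {}, None
    for line in text.splitlines():
        if line.startswith("Context:"):
            ctx = line.split(":", 1)[1].strip()
            out[ctx] = {}
            continue
        m = ROW.match(line)
        if m and ctx is not None:
            cur, peak, mn, mx, denied = map(int, m.groups()[1:])
            out[ctx][m.group(1)] = dict(current=cur, peak=peak, min=mn, max=mx, denied=denied)
    return out

def findings(usage, peak_threshold=0.8):
    """Flag denied requests, peaks at or above the threshold, and resources with Max 0."""
    notes = []
    for ctx, resources in usage.items():
        for name, r in resources.items():
            if r["denied"] > 0:
                notes.append((ctx, name, "denied"))
            if r["max"] == 0:
                notes.append((ctx, name, "no-allocation"))
            elif r["peak"] / r["max"] >= peak_threshold:
                notes.append((ctx, name, "near-limit"))
    return notes

def to_bps(name, value):
    """Convert a bandwidth-type value from bytes/s to bits/s; other values pass through."""
    return value * 8 if name in BYTE_RATES else value
```

On the sample, the only finding is the sticky row with a Max of 0, and the bandwidth Max converts to the 5 Gbps total described in the note.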

To display the data plane resource allocation and usage and to cross-check the output of the above two commands, enter the following command:

ACE_module5/Admin# show np 1 me-stats -L0
Resource limts for context :  0
Rate                  Configured     Counters
Policer Name          Min      Max   min-toks max-toks   peak-toks    deny
       bandwidth:       0   ee6b280        0  ee6b0fa     d8a4        0
      throughput:       0   ee6b280        0  ee6b280     d8a4        0
mgmt-traffic rate:      0   3b9aca0        0  3b9aca0      a0e        0
 connection rate:       0     7a120        0    7a120       11        0
ssl-connections rate:   0       9c4        0      9c4        0        0
   mac-miss rate:       0       3e8        0      3e8        0        0
inspect-conn rate:      0       bb8        0      bb8        0        0

Resource              Configured        Counters
Policer Name          Min      Max      Min      Max     peak     deny
conc-connections:       0   3d0900        0        0        0        0
mgmt-connections:       0     c350        0        0        4        0
proxy-connections:      0    7ffff        0        0        0        0
ip-reassemble buffer:   0        0        0        0        0        0
  tcp-ooo buffer:       0        0        0        0        0        0
          regexp:       0        0        0        0        0        0
          xlates:       0    7ffff        0        0        0        0

The Admin context has a context ID of 0. To display the resource allocation and usage statistics for another context, change the "0" in the "-L<context_id>" parameter to the context ID of another context.
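
The cross-check described above can be scripted. The following Python sketch is an added example, not part of the original guide or of any Cisco tooling. It assumes the me-stats counters are hexadecimal (the sample contains the digits a-f), decodes them, and pairs each Max with the Max column of show resource usage. The page does not explain the resulting ratios, so the code only reports them.

```python
# Transcribed from the "show np 1 me-stats -L0" output on this page (abridged).
ME_STATS = """\
Policer Name          Min      Max   min-toks max-toks   peak-toks    deny
       bandwidth:       0   ee6b280        0  ee6b0fa     d8a4        0
      throughput:       0   ee6b280        0  ee6b280     d8a4        0
mgmt-traffic rate:      0   3b9aca0        0  3b9aca0      a0e        0
 connection rate:       0     7a120        0    7a120       11        0
conc-connections:       0   3d0900        0        0        0        0
mgmt-connections:       0     c350        0        0        4        0
"""

# Max column of "show resource usage" for the same context, from this page.
USAGE_MAX = {
    "bandwidth": 625000000, "throughput": 500000000,
    "mgmt-traffic rate": 125000000, "connection rate": 1000000,
    "conc-connections": 8000000, "mgmt-connections": 100000,
}

def parse_me_stats(text):
    """Return {policer: {min, max, peak, deny}} with values decoded as hex (assumed)."""
    out = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        cols = rest.split()
        if not sep or len(cols) != 6:
            continue  # header, banner or blank line
        try:
            vals = [int(c, 16) for c in cols]
        except ValueError:
            continue
        out[name.strip()] = {"min": vals[0], "max": vals[1],
                             "peak": vals[4], "deny": vals[5]}
    return out

def cross_check(me_stats, usage_max):
    """Map policer -> (decoded me-stats Max, usage Max, usage Max / me-stats Max)."""
    report = {}
    for name, row in me_stats.items():
        if name in usage_max and row["max"]:
            report[name] = (row["max"], usage_max[name], usage_max[name] / row["max"])
    return report

def denied(me_stats):
    """Policers whose data-plane deny counter is nonzero."""
    return sorted(n for n, r in me_stats.items() if r["deny"])
```

For the sample on this page, the usage Max is exactly twice the decoded me-stats Max for every row except bandwidth, where the ratio is 2.5.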
