Cisco Application Control Engine (ACE) Troubleshooting Guide -- Managing Resources
From DocWiki
Latest revision as of 21:37, 11 March 2011
This article describes how to manage and control the ACE system resources.
Overview of ACE Resources
Resource classes allow you to manage context access to ACE resources, such as concurrent connections or bandwidth rate. The ACE is preconfigured with a default resource class that it applies to the Admin context and any user context upon creation. The default resource class is configured to allow a context to operate within a range that can vary from no resource access (0 percent) to complete resource access (100 percent).
When you use the default resource class with multiple contexts, you run the risk of oversubscribing ACE resources because the ACE permits all contexts to have full access to all of the resources on a first-come, first-served basis. When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource.
To avoid oversubscribing resources and to help guarantee access to a resource by any context, the ACE allows you to create customized resource classes that you associate with one or more contexts. A context becomes a member of the resource class when you make the association. Creating a resource class allows you to set limits on the minimum and maximum amounts of each ACE resource that a member context is entitled to use. You define the minimum and maximum values as percentages of all resources. For example, you can create a resource class that allows its member contexts access to no less than 25 percent of the total number of SSL connections that the ACE supports.
You can limit and manage the allocation of the following ACE resources:
- ACL memory
- Buffers for syslog messages and TCP out-of-order (OOO) segments
- Concurrent connections (through-the-ACE traffic)
- Management connections (to-the-ACE traffic)
- Proxy connections
- Set resource limit as a rate (number per second)
- Regular expression (regexp) memory
- SSL connections
- Sticky entries
- Static or dynamic network address translations (Xlates)
By default, when you create a context, the ACE associates the context with the default resource class. The default resource class provides resources of a minimum of 0 and a maximum of unlimited for all resources except sticky entries. For stickiness to work properly, you must explicitly configure a minimum resource limit for sticky entries by using the limit-resource command.
For more information about managing ACE resources, see the Cisco Application Control Engine Module Virtualization Configuration Guide (Software Version A2(1.0)).
Managing ACE Resources
You can allocate system resources to multiple contexts by creating and defining one or more resource classes and then associating the contexts with a resource class. This section contains the following topics:
- ACE Resource Planning
- Creating a Resource Class for Resource Management
- Allocating Resources within a Resource Class
- Changing the Resource Allocation of a Resource Class
ACE Resource Planning
When you plan the initial resource allocations for the virtual contexts in your configuration, allocate only the minimum required or estimated resources. The ACE protects resources that are in use, so to decrease a context's resources, those resources must be unused. Although it is possible to decrease the resource allocations in real time, it may require additional management overhead to clear any used resources before reducing them. Therefore, it is considered a best practice to initially keep as many resources in reserve as possible and allocate the unused reserved resources as needed.
To address scaling and capacity planning, we recommend that new installations do not exceed 60 to 80 percent of the ACE's total capacity. To accomplish this goal, create a reserved resource class with a guarantee of 20 to 40 percent of all the ACE resources and configure a virtual context dedicated solely to ensuring that these resources are reserved. Then, you can efficiently distribute such reserved resources to contexts as capacity demands for handling client traffic increase over time.
Creating a Resource Class for Resource Management
You can create a resource class to allocate and manage system resources by one or more contexts. The ACE supports a maximum of 100 resource classes. After you create and configure the resource class, use the member command in context configuration mode to assign a resource class to the context (see the "Associating a Context with a Resource Class" section). To create a resource class, use the resource-class command in configuration mode. The syntax of the command is as follows:
resource-class name
For the name argument, enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, to create the RC1 resource class, enter the following command:
ACE_module5/Admin(config)# resource-class RC1
ACE_module5/Admin(config-resource)#
To remove the resource class from the configuration, enter the following command:
host1/Admin(config)# no resource-class RC1
When you remove a resource class from the ACE, any contexts that were members of that resource class automatically become members of the default resource class. The default resource class allocates a minimum of 0.00 percent to a maximum of 100.00 percent of all ACE resources to each context. You cannot modify the default resource class.
Allocating Resources Within a Resource Class
You can allocate all resources or individual resources to all member contexts of a resource class. For example, you can allocate only concurrent connections or sticky table memory or management traffic. To allocate system resources to all members (contexts) of a resource class, use the limit-resource command in resource-class configuration mode.
The syntax of this command is as follows:
limit-resource {acl-memory | all | buffer {syslog} | conc-connections | mgmt-connections | proxy-connections | rate {bandwidth | connections | inspect-conn | mac-miss | mgmt-traffic | ssl-bandwidth | syslog} | regexp | sticky | xlates} {minimum number} {maximum {equal-to-min | unlimited}}
Note: The limit that you set for individual resources when you use the limit-resource command overrides the limit that you set for all resources when you use the limit-resource all command.
If you lower the limits for one context (context A) in order to increase the limits of another context (context B), you may experience a delay in the configuration change because the ACE will not lower the limits of context A until the resources are no longer being used by the context.
For example, to allocate 20 percent of all resources (minimum and maximum) to all member contexts of the resource class, enter the following command:
(config-resource)# limit-resource all minimum 20% maximum equal-to-min
To restore resource allocation to the default values of 0 percent minimum and 100 percent maximum for all resources to all member contexts, enter the following command:
(config-resource)# no limit-resource all
Table 1 lists the managed system resources of the ACE. You can limit these resources per context or for all contexts associated with the resource class by using the limit-resource command. See the "Allocating Resources within a Resource Class" section.
Table 1. System Resource Maximum Values
Resource | Maximum Value |
ACL Memory | 78,610,432 bytes |
Buffer Memory (Syslog) | 4,000,000 bytes |
Concurrent Connections (Layer 4) | 4,000,000 connections |
Concurrent Connections (SSL) | 200,000 |
Management Connections | 100,000 connections |
Proxy Connections (Layer 7) | 524,286 connections |
SSL Proxy Connections | 200,000 |
Rate | |
---Bandwidth | 4 gigabits per second (Gbps). You can upgrade the ACE maximum bandwidth to 8 Gbps or 16 Gbps by purchasing a separate license from Cisco. For more information, see the Cisco Application Control Engine Module Administration Guide (Software Version A2(1.0)). |
---Connections (any kind) | 325,000 connections per second (CPS) |
---MAC miss | 2000 packets per second (PPS) |
---Management traffic | 1 Gbps |
---SSL transactions | 1000 transactions per second (TPS), upgradeable to 15000 TPS with a separate license. For more information, see the Cisco Application Control Engine Module Administration Guide (Software Version A2(1.0)). |
---Syslog | For traffic going to the ACE (control plane), 5000 messages per second; for traffic going through the ACE (data plane), 350,000 messages per second |
Regular Expression Memory | 1,048,576 bytes |
Sticky Entries | 4,194,304 entries |
Xlates (network and port address translation entries) | 524,286 translations |
Changing the Resource Allocation of a Resource Class
If you (as the global Admin) need to change the resource allocation in a resource class of which two or more user contexts are members, you may do so at any time by entering the appropriate CLI commands. (For details about allocating resources, see the "Allocating Resources Within a Resource Class" section.) However, the shift in resources between the contexts does not take place immediately unless the appropriate resources are available to accommodate the change. In most cases, to effect a change in resource allocation, you must inform the context administrators involved to ensure that the new resource allocation is possible.
For example, suppose that context A is using 100 percent of the available resources of the class and you want to allocate 50 percent of the resources to context A and 50 percent of the resources to context B. Although the CLI accepts your resource allocation commands, context B cannot allocate 50 percent of the resources until context A deallocates 50 percent of its resources.
In this case, you must perform the following:
- Inform the Context A administrator to start deallocating resources
- Inform the Context B administrator to start allocating resources after the Context A administrator releases the resources
Note: As resources are released from other contexts, the ACE assigns the resources to resource-starved contexts (contexts where the resource-class minimum allocations have not been met).
Displaying the ACE Resource Allocation and Usage
To view the current resource allocation in your ACE, enter the following command:
ACE_mdule5/Admin# show resource allocation
---------------------------------------------------------------------------
Parameter                 Min         Max         Class
---------------------------------------------------------------------------
acl-memory                0.00%       100.00%     default
syslog buffer             0.00%       100.00%     default
conc-connections          0.00%       100.00%     default
mgmt-connections          0.00%       100.00%     default
proxy-connections         0.00%       100.00%     default
bandwidth                 0.00%       100.00%     default
connection rate           0.00%       100.00%     default
inspect-conn rate         0.00%       100.00%     default
syslog rate               0.00%       100.00%     default
regexp                    0.00%       100.00%     default
sticky                    0.00%       100.00%     default
xlates                    0.00%       100.00%     default
ssl-connections rate      0.00%       100.00%     default
mgmt-traffic rate         0.00%       100.00%     default
mac-miss rate             0.00%       100.00%     default
throughput                0.00%       100.00%     default
To view the current resource usage, enter the following command:
ACE_mdule5/Admin# show resource usage
                                                    Allocation
Resource                  Current       Peak        Min        Max     Denied
-------------------------------------------------------------------------------
Context: Admin
  conc-connections              0          0          0    8000000          0
  mgmt-connections              2          8          0     100000          0
  proxy-connections             0          0          0    1048574          0
  xlates                        0          0          0    1048574          0
  bandwidth                  1094      80192          0  625000000          0
  throughput                  938      75902          0  500000000          0
  mgmt-traffic rate           156       4290          0  125000000          0
  connection rate               1         28          0    1000000          0
  ssl-connections rate          0          0          0       5000          0
  mac-miss rate                 0          0          0       2000          0
  inspect-conn rate             0          0          0       6000          0
  acl-memory                23776      28616          0   78610432          0
  sticky                        0          0          0          0          0
  regexp                        0          0          0    1048576          0
  syslog buffer                 0          0          0    4194304          0
  syslog rate                   0          0          0     100000          0
To display the data plane resource allocation and usage and to cross-check the output of the above two commands, enter the following command:
ACE_module5/Admin# show np 1 me-stats -L0
Resource limts for context : 0
Rate                        Configured            Counters
Policer Name              Min       Max     min-toks  max-toks  peak-toks  deny
bandwidth:                  0   ee6b280            0   ee6b0fa       d8a4     0
throughput:                 0   ee6b280            0   ee6b280       d8a4     0
mgmt-traffic rate:          0   3b9aca0            0   3b9aca0        a0e     0
connection rate:            0     7a120            0     7a120         11     0
ssl-connections rate:       0       9c4            0       9c4          0     0
mac-miss rate:              0       3e8            0       3e8          0     0
inspect-conn rate:          0       bb8            0       bb8          0     0
Resource                    Configured            Counters
Policer Name              Min       Max          Min       Max       peak  deny
conc-connections:           0    3d0900            0         0          0     0
mgmt-connections:           0      c350            0         0          4     0
proxy-connections:          0     7ffff            0         0          0     0
ip-reassemble buffer:       0         0            0         0          0     0
tcp-ooo buffer:             0         0            0         0          0     0
regexp:                     0         0            0         0          0     0
xlates:                     0     7ffff            0         0          0     0
The Admin context has a context ID of 0. To display the resource allocation and usage statistics for another context, change the "0" in the "-L<context_id>" parameter to the context ID of another context.
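The following Python sketch is an added example, not part of the Cisco guide. It parses rows from the show resource usage output, flags nonzero Denied counters, peaks close to the Max limit and a zero sticky allocation, and compares each Max with the value reported by show np 1 me-stats. Reading the me-stats columns as hexadecimal is an assumption drawn from the sample values, and the function names and the 80 percent threshold are illustrative.

```python
import re
# Constructed input: a few rows taken from the sample outputs shown above.
USAGE = """\
Context: Admin
  conc-connections         0      0   0   8000000  0
  bandwidth             1094  80192   0 625000000  0
  connection rate          1     28   0   1000000  0
  sticky                   0      0   0         0  0
"""
NP_STATS = """\
bandwidth:         0 ee6b280 0 ee6b0fa d8a4 0
connection rate:   0 7a120   0 7a120   11   0
conc-connections:  0 3d0900  0 0       0    0
"""
FIELDS = ("current", "peak", "min", "max", "denied")
USAGE_ROW = re.compile(r"^\s*([a-z][a-z -]*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
NP_ROW = re.compile(r"^\s*([a-z][a-z -]*?):((?:\s+[0-9a-f]+){6})\s*$")

def parse_usage(text):
    """Return {context: {resource: {field: int}}} from 'show resource usage'."""
    out, ctx = {}, None
    for line in text.splitlines():
        if line.startswith("Context:"):
            ctx = line.split(":", 1)[1].strip()
        elif (m := USAGE_ROW.match(line)) and ctx:
            out.setdefault(ctx, {})[m[1]] = dict(zip(FIELDS, map(int, m.groups()[1:])))
    return out

def parse_np_max(text):
    """Return {resource: configured Max} from me-stats rows, read as hex (assumed)."""
    return {m[1]: int(m[2].split()[1], 16)
            for line in text.splitlines() if (m := NP_ROW.match(line))}

def findings(usage, near=0.8):
    """Flag denied requests, peaks near the limit, and a zero sticky allocation."""
    hits = []
    for ctx, rows in usage.items():
        for name, r in rows.items():
            if r["denied"]:
                hits.append((ctx, name, "requests denied"))
            if r["max"] and r["peak"] >= near * r["max"]:
                hits.append((ctx, name, "peak near maximum"))
            if name == "sticky" and r["max"] == 0:
                hits.append((ctx, name, "no sticky entries allocated"))
    return hits

def max_ratio(rows, np_max):
    """Ratio of the 'show resource usage' Max to the me-stats Max per shared resource."""
    return {n: rows[n]["max"] / v for n, v in np_max.items() if n in rows and v}
```

For the sample rows, max_ratio returns 2.0 for conc-connections and connection rate and 2.5 for bandwidth; the page does not explain the relationship, so a ratio that differs from its neighbours is a prompt to inspect that limit rather than proof of an error.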