DocWiki - User contributions [en]

Session Persistence Using Cookie Insert on the Cisco Application Control Engine Configuration Example

2011-03-04T16:02:17Z

Dhuckaby: /* Hash output Examples */

{{Template:Required Metadata}}
==Goal==
Configure basic load balancing with cookie insert where client traffic enters on one network and is directed to servers residing on a second network. Once the client has entered the site they will remain stuck to a given server based on a HTTP Cookie inserted by ACE.

==Design==
Clients will send application requests through the multilayer switch feature card (MSFC), which routes them to a virtual IP address (VIP) within the Cisco® Application Control Engine (ACE). The VIP used in this example resides in an ACE context, which is configured with a client VLAN and a server VLAN (see figure below). Client requests will arrive at the VIP, and the ACE will check the request to see if it contains a cookie. If it does, the sticky table will be checked to see which server should receive the request. If the cookie entry has expired, or if the client does not have a cookie the ACE will pick the appropriate server to receive the request based on the requested URL. When the server responds ACE will insert a cookie into the HTTP Response to so that upon future requests client persistence to the server will be maintained.

[[Image:SSL Persistence Using Cookie Insert.jpg]]

Within the Cisco ACE sticky resources are finite and are controlled via resource allocation. Before a context can apply session persistence using sticky groups, the context must first be given a sticky allocation. Once this is done, a sticky group is created to define parameters and the serverfarm where client requests will be sent. Recall, the load balancing action tells ACE how to handle traffic which has hit a VIP. Thus the sticky group on ACE is applied within the load balance policy-map. To enable server load-balancing with session persistence based on cookies ACE inserts you need to do the following:

* Allocate sticky resources to the context
* Enable ACLs to allow data traffic through the ACE device, as it is denied by default.
* Configure the IPs of the servers (define rservers)
* Group the real servers (create a serverfarm)
* Create a sticky group
* Define the virtual IP address (VIP)
* Define how traffic is to be handled as it is received (create a policy map for load balancing)
* Apply the sticky group to the load balancing policy
* Associate a VIP to a handling action (create a multimatch policy map [a service policy])
* Create client- and server-facing interfaces
* Apply the VIP and ACL permitting client connections to the interface (apply access group and service policy to interface)

{{note|For brevity only the bold steps are covered in this document. Please review the URL Load Balancing using Routed Mode document for more information on basic URL load balancing and the base configuration.}}

To begin the configuration, allocate sticky resources to the context you will be using In this example a context “routed” has already been defined. Create a resource class, allocate the desired amount of sticky entries, and apply them to the “routed” context.

<pre>ACE-1/Admin# show run | begin routed
context routed
allocate-interface vlan 10
allocate-interface vlan 20
allocate-interface vlan 40

ACE-1/Admin(config)# resource-class sticky
ACE-1/Admin(config-resource)# limit-resource all minimum 0.00 maximum unlimited
ACE-1/Admin(config-resource)# limit-resource sticky minimum 10.00 maximum equal-to-min

ACE-1/Admin(config)# context routed
ACE-1/Admin(config-context)# member sticky</pre>

{{note|At this time sticky resources are a fixed resource outside the other resources. Thus you must use maximum equal-to-min and you must define sticky resources even is all is previously used. This also applies to the Admin context.}}

Once the resources have been allocated a sticky group can be defined. The Cisco ACE can be configured in various ways to apply session persistence using cookies. For this example cookie insert will be used. The cookie name ACE will insert is supplied when the sticky group is created. By default ACE inserts permanent cookies which have a timeout of 24 hours. Using the configuration below ACE will insert a cookie with the name “ACE-Insert”, it will have a timeout of 5 minutes, and use a pre-existing serverfarm named “webfarm”.

<pre>ACE-1/routed(config)# sticky http-cookie ACE-Insert web-sticky
ACE-1/routed(config-sticky-cookie)# cookie insert
ACE-1/routed(config-sticky-cookie)# timeout 5
ACE-1/routed(config-sticky-cookie)# serverfarm webfarm</pre>

{{note|If session cookies (cookies that are removed when the client closes the browser) are preferred then “cookie insert browser-expire” can be configured.}}

The serverfarm within the load balancing policy map must be swapped with the sticky group to apply cookie-insert sticky to new client requests. Based on this example configuration there are two possible actions for handling new client requests. Any requests for images will be sent to the “imagefarm” serverfarm, which does not require persistence. All other requests will be sent to the web servers in the “webfarm” where the clients will use session persistence.

<pre>ACE-1/routed(config)# policy-map type loadbalance http first-match slb-logic
ACE-1/routed(config-pmap-lb-c)# class class-default
ACE-1/routed(config-pmap-lb-c)# no serverfarm webfarm
ACE-1/routed(config-pmap-lb-c)# sticky-serverfarm web-sticky</pre>

{{note|Changing from a serverfarm to a sticky group is potentially service impacting. While current connections will be allowed to finish, new connections will not be accepted during the removal of the serverfarm and applying the sticky group to the load balance policy. }}

When cookie insert is applied permanent entries are inserted into the static sticky database for each real server defined in the serverfarm. In this example there are two entries created.

<pre>ACE-1/routed(config-pmap-lb-c)# do show sticky database static
sticky group : web-sticky
type : HTTP-COOKIE
timeout : 5 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
16820511103801384579 lnx1:0 never -
sticky group : web-sticky
type : HTTP-COOKIE
timeout : 5 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
3347854103021350619 lnx2:0 never -</pre>

{{note|The “sticky-entry” is a hash of the cookie-value set by ACE for the real server. It will not appear in a sniffer trace or on the client browser. See the comment section below for determining which server a client is associated to via the cookie value. }}

When a client connects to the VIP they download index.html page from the web servers. At this point the client will get a cookie for the selected server to ensure all future requests will continue to use the same server. While there is no way to see how many clients have a cookie for a given server the common show commands will provide details on the incoming requests and responses and other data stats.

Recall, the Cisco ACE inserts a static entry for each server in a server farm in the sticky group. In this case there is only one sticky group and it uses cookie-insert and the serverfarm contains 2 real servers. Thus the output of the show stats sticky command displays 2 entries, despite the number of clients using the VIP.

<pre>ACE-1/routed# show stats sticky

+------------------------------------------+
+----------- Sticky statistics ------------+
+------------------------------------------+
Total sticky entries reused : 0
prior to expiry
Total active sticky entries : 2
Total active sticky conns : 0
Total static sticky entries : 2</pre>

==Related show commands ==

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the [https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl Output Interpreter Tool (registered customers only)], which allows you to view an analysis of show command output.

<pre>ACE-1/routed #show sticky database static
ACE-1/routed #show service-policy client-vips
ACE-1/routed #show service-policy client-vips detail
ACE-1/routed #show serverfarm
ACE-1/routed #show rserver
ACE-1/routed #show stats</pre>

==Comments==

The type of cookie ACE will insert depends on if cookie-insert is configured or cookie-insert browser-expire is configured. The sniffer traces below show the difference between the types of cookies ACE will insert.

===ACE configured with “cookie insert”===

<pre>Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: ACE-Insert=R1005880048; path=/; expires=Thu, 16-Oct-2008
00:08:55 GMT\r\n
Date: Fri, 29 Aug 2008 19:17:35 GMT\r\n
Server: Apache/2.0.52 (Red Hat)\r\n
Accept-Ranges: bytes\r\n
Content-Length: 1112\r\n
VirtualHost: 192.168.1.12\r\n
Connection: close\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n</pre>

===ACE configured with “cookie insert browser-expire”===

<pre>Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: ACE-Insert=R1005881137; path=/\r\n
Date: Fri, 29 Aug 2008 19:31:58 GMT\r\n
Server: Apache/2.0.52 (Red Hat)\r\n
Accept-Ranges: bytes\r\n
Content-Length: 353\r\n
VirtualHost: 192.168.1.11\r\n
Connection: close\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n</pre>

Notice the two cookie values do not appear to be related to the sticky-value in the show sticky database static output, displayed below:

<pre> sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
16820511103801384579 lnx1:0 never -
<…snip…>
3347854103021350619 lnx2:0 never -</pre>

This is because the sticky-entry is a hash of the cookie value. In order to determine the server a client is hitting one must mark the server such that it can be distinguished, possibly using a HTTP Header in the server response, or by determining the cookie value ACE uses for each server. The cookie value is a number based on the serverfarm name, rserver name, and rserver port. The following script can be used to determine the values associated with each rserver.

===TCL Script for calculating Cookie Values===
Note: This script works for 32-bit OS only. If you are using this on a 64-bit OS, you will need to modify it to produce a 32-bit unsigned integer.

<pre>[root@host cookie]# ./ace-cookie-value.tcl webfarm lnx1 0
Value: R1005880048
[root@host cookie]# ./ace-cookie-value.tcl webfarm lnx2 0
Value: R1005881137

#!/usr/bin/tclsh

#######################################################################
# #
# Name: ace-cookie-value.tcl #
# #
# This script takes the serverfarm name, the real server name and the #
# port number used by ACE and returns the generated hash that will be #
# used for cookie insertion. #
# #
#######################################################################

if { $argc != 3 } {
puts "[info script] <serverfarm> <realname> <port>"
exit 0
}

set serverFarmName [lindex $argv 0]
set realServerName [lindex $argv 1]
set port [lindex $argv 2]

set hashValue 5381
set hashMultiplier 32

set cookieInsertStr "$serverFarmName:$realServerName:$port"

set len [ string length $cookieInsertStr ]

for { set ix 0 } { $ix < $len } { incr ix } {
set hashValue [expr (($hashValue * $hashMultiplier) + $hashValue) \
+ [scan [string index $cookieInsertStr $ix] %c]]
}

puts [format "Value: R%u" $hashValue]</pre>

===VBA Script for calculating Cookie Values===
The following script was created by an ACE customer and shared for the convenience of all ACE users. We would like to sincerely thank Herve Benattar for his contribution to the ACE Doc Wiki!

<pre>
Dim Result_Cookie As String

Function Calculating_Cookie_Name(ByVal CHAINE1 As String)

' For this script, we need to work with 32 bits unsigned integer.
' VBA does not support unsigned int of 32 bits. An integer is only 16 bits
' and a Long var is 32 bits signed. To simulate a 32 bits unsigned integer,
' we use an double and subtract all numbers with the tops from the 32th bit

Dim Dbl_64bits_Tmp1, Dbl_64bits_Tmp2, hashValue, hashMultiplier As Double
Dim ix As Integer

hashValue = 5381
hashMultiplier = 32
ix = 0

Lng_Chaine = Len(CHAINE1)

For ix = 0 To (Lng_Chaine - 1) Step 1
'MAX Value 4294967295*32+5381 = 137438958821
Dbl_64bits_Tmp2 = hashValue * hashMultiplier + hashValue
'MAX value 127 or 255 with Extended ASCII Codes
Dbl_64bits_Tmp1 = CDbl(Asc(Mid(CHAINE1, ix + 1, 1)))
'MAX 137438958821+255 = 137438959076 = 100000 00000000000000000001010111100100(2)
hashValue = Dbl_64bits_Tmp2 + Dbl_64bits_Tmp1

Try_Again:
Select Case hashValue
'39th bits to 1 (Normaly none use with MAX)
Case Is >= 545460846592#
hashValue = hashValue - 545460846592#
GoTo Try_Again
'38th bits to 1
Case Is >= 270582939648#
hashValue = hashValue - 270582939648#
GoTo Try_Again
'37th bits to 1
Case Is >= 133143986176#
hashValue = hashValue - 133143986176#
GoTo Try_Again
'36th bits to 1
Case Is >= 64424509440#
hashValue = hashValue - 64424509440#
GoTo Try_Again
'35th bits to 1
Case Is >= 30064771072#
hashValue = hashValue - 30064771072#
GoTo Try_Again
'34eme bits to 1
Case Is >= 12884901888#
hashValue = hashValue - 12884901888#
GoTo Try_Again
'33eme bits to 1
Case Is >= 4294967296#
hashValue = hashValue - 4294967296#
GoTo Try_Again
End Select

'MsgBox "Value: R" & hashValue

Next

Result_Cookie = "R" & hashValue

End Function

Private Sub CommandButton1_Click()

ActiveSheet.Range("A2").Select

While (Not IsEmpty(ActiveCell.Value))
serverFarmName = ActiveCell.Value
realServerName = ActiveCell.Offset(0, 1).Value
port = ActiveCell.Offset(0, 2).Value

cookieInsertStr = serverFarmName & ":" & realServerName & ":" & port

Calculating_Cookie_Name (cookieInsertStr)
ActiveCell.Offset(0, 3) = Result_Cookie
ActiveCell.Offset(1, 0).Select
Wend

End Sub
</pre>

==show running-config ==

<pre>ACE-1/routed# show run
Generating configuration....

access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

rserver host lnx1
ip address 192.168.1.11
inservice
rserver host lnx2
ip address 192.168.1.12
inservice
rserver host lnx3
ip address 192.168.1.13
inservice
rserver host lnx4
ip address 192.168.1.14
inservice

serverfarm host imagefarm
rserver lnx3
inservice
rserver lnx4
inservice
serverfarm host webfarm
rserver lnx1
inservice
rserver lnx2
inservice

sticky http-cookie ACE-Insert web-sticky
cookie insert browser-expire
timeout 5
serverfarm webfarm

class-map type http loadbalance match-all images
2 match http url /images/.*

class-map match-all slb-vip
2 match virtual-address 172.16.1.101 any

policy-map type management first-match remote-access
class class-default
permit

policy-map type loadbalance http first-match slb
class images
serverfarm imagefarm
class class-default
sticky-serverfarm web-sticky

policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb

interface vlan 20
description "Client Side"
ip address 172.16.1.5 255.255.255.0
access-group input everyone
service-policy input client-vips
no shutdown

interface vlan 40
description "Default gateway of real servers"
ip address 192.168.1.1 255.255.255.0
service-policy input remote-access
no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.1.1</pre>

==Related Information==
[http://www.cisco.com/web/psa/products/index.html Technical Support & Documentation - Cisco Systems]

===Hash output Examples===
For the developer we have provided the following outputs as the hash is being calculated to all you to check your code against a working example.

<pre>
[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl WEB-FARM apache1 80
Value: R177660
Value: R5862849
Value: R193474083
Value: R2089677488
Value: R239880438
Value: R3621087223
Value: R3531761449
Value: R584010902
Value: R2092490640
Value: R332714481
Value: R2389643393
Value: R1548820738
Value: R3866444197
Value: R3038607021
Value: R1489783986
Value: R1918231331
Value: R3172091837
Value: R1599815573
Value: R1254306405
Final Value: R1254306405

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl WEB-FARM apache2 80
Value: R177660
Value: R5862849
Value: R193474083
Value: R2089677488
Value: R239880438
Value: R3621087223
Value: R3531761449
Value: R584010902
Value: R2092490640
Value: R332714481
Value: R2389643393
Value: R1548820738
Value: R3866444197
Value: R3038607021
Value: R1489783986
Value: R1918231332
Value: R3172091870
Value: R1599816662
Value: R1254342342
Final Value: R1254342342

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl WEB-FARM iis1 80
Value: R177660
Value: R5862849
Value: R193474083
Value: R2089677488
Value: R239880438
Value: R3621087223
Value: R3531761449
Value: R584010902
Value: R2092490640
Value: R332714489
Value: R2389643650
Value: R1548829237
Value: R3866724614
Value: R3047860736
Value: R1795156536
Value: R3405590888
Final Value: R3405590888

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl WEB-FARM iis2 80
Value: R177660
Value: R5862849
Value: R193474083
Value: R2089677488
Value: R239880438
Value: R3621087223
Value: R3531761449
Value: R584010902
Value: R2092490640
Value: R332714489
Value: R2389643650
Value: R1548829237
Value: R3866724615
Value: R3047860769
Value: R1795157625
Value: R3405626825
Final Value: R3405626825

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl Tier2 App1 80
Value: R177657
Value: R5862786
Value: R193472039
Value: R2089610105
Value: R237656779
Value: R3547706469
Value: R1110196550
Value: R2276747894
Value: R2118236582
Value: R1182330519
Value: R362201521
Value: R3362715657
Value: R3595434329
Final Value: R3595434329

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl Tier2 App2 80
Value: R177657
Value: R5862786
Value: R193472039
Value: R2089610105
Value: R237656779
Value: R3547706469
Value: R1110196550
Value: R2276747894
Value: R2118236582
Value: R1182330520
Value: R362201554
Value: R3362716746
Value: R3595470266
Final Value: R3595470266
</pre>



[[Category:Data Center Application Services Configuration Examples]]

Session Persistence Using Cookie Insert on the Cisco Application Control Engine Configuration Example

2011-03-04T15:47:22Z

Dhuckaby: /* Hash output Examples */

{{Template:Required Metadata}}
==Goal==
Configure basic load balancing with cookie insert where client traffic enters on one network and is directed to servers residing on a second network. Once the client has entered the site they will remain stuck to a given server based on a HTTP Cookie inserted by ACE.

==Design==
Clients will send application requests through the multilayer switch feature card (MSFC), which routes them to a virtual IP address (VIP) within the Cisco® Application Control Engine (ACE). The VIP used in this example resides in an ACE context, which is configured with a client VLAN and a server VLAN (see figure below). Client requests will arrive at the VIP, and the ACE will check the request to see if it contains a cookie. If it does, the sticky table will be checked to see which server should receive the request. If the cookie entry has expired, or if the client does not have a cookie the ACE will pick the appropriate server to receive the request based on the requested URL. When the server responds ACE will insert a cookie into the HTTP Response to so that upon future requests client persistence to the server will be maintained.

[[Image:SSL Persistence Using Cookie Insert.jpg]]

Within the Cisco ACE sticky resources are finite and are controlled via resource allocation. Before a context can apply session persistence using sticky groups, the context must first be given a sticky allocation. Once this is done, a sticky group is created to define parameters and the serverfarm where client requests will be sent. Recall, the load balancing action tells ACE how to handle traffic which has hit a VIP. Thus the sticky group on ACE is applied within the load balance policy-map. To enable server load-balancing with session persistence based on cookies ACE inserts you need to do the following:

* Allocate sticky resources to the context
* Enable ACLs to allow data traffic through the ACE device, as it is denied by default.
* Configure the IPs of the servers (define rservers)
* Group the real servers (create a serverfarm)
* Create a sticky group
* Define the virtual IP address (VIP)
* Define how traffic is to be handled as it is received (create a policy map for load balancing)
* Apply the sticky group to the load balancing policy
* Associate a VIP to a handling action (create a multimatch policy map [a service policy])
* Create client- and server-facing interfaces
* Apply the VIP and ACL permitting client connections to the interface (apply access group and service policy to interface)

{{note|For brevity only the bold steps are covered in this document. Please review the URL Load Balancing using Routed Mode document for more information on basic URL load balancing and the base configuration.}}

To begin the configuration, allocate sticky resources to the context you will be using In this example a context “routed” has already been defined. Create a resource class, allocate the desired amount of sticky entries, and apply them to the “routed” context.

<pre>ACE-1/Admin# show run | begin routed
context routed
allocate-interface vlan 10
allocate-interface vlan 20
allocate-interface vlan 40

ACE-1/Admin(config)# resource-class sticky
ACE-1/Admin(config-resource)# limit-resource all minimum 0.00 maximum unlimited
ACE-1/Admin(config-resource)# limit-resource sticky minimum 10.00 maximum equal-to-min

ACE-1/Admin(config)# context routed
ACE-1/Admin(config-context)# member sticky</pre>

{{note|At this time sticky resources are a fixed resource outside the other resources. Thus you must use maximum equal-to-min and you must define sticky resources even is all is previously used. This also applies to the Admin context.}}

Once the resources have been allocated a sticky group can be defined. The Cisco ACE can be configured in various ways to apply session persistence using cookies. For this example cookie insert will be used. The cookie name ACE will insert is supplied when the sticky group is created. By default ACE inserts permanent cookies which have a timeout of 24 hours. Using the configuration below ACE will insert a cookie with the name “ACE-Insert”, it will have a timeout of 5 minutes, and use a pre-existing serverfarm named “webfarm”.

<pre>ACE-1/routed(config)# sticky http-cookie ACE-Insert web-sticky
ACE-1/routed(config-sticky-cookie)# cookie insert
ACE-1/routed(config-sticky-cookie)# timeout 5
ACE-1/routed(config-sticky-cookie)# serverfarm webfarm</pre>

{{note|If session cookies (cookies that are removed when the client closes the browser) are preferred then “cookie insert browser-expire” can be configured.}}

The serverfarm within the load balancing policy map must be swapped with the sticky group to apply cookie-insert sticky to new client requests. Based on this example configuration there are two possible actions for handling new client requests. Any requests for images will be sent to the “imagefarm” serverfarm, which does not require persistence. All other requests will be sent to the web servers in the “webfarm” where the clients will use session persistence.

<pre>ACE-1/routed(config)# policy-map type loadbalance http first-match slb-logic
ACE-1/routed(config-pmap-lb-c)# class class-default
ACE-1/routed(config-pmap-lb-c)# no serverfarm webfarm
ACE-1/routed(config-pmap-lb-c)# sticky-serverfarm web-sticky</pre>

{{note|Changing from a serverfarm to a sticky group is potentially service impacting. While current connections will be allowed to finish, new connections will not be accepted during the removal of the serverfarm and applying the sticky group to the load balance policy. }}

When cookie insert is applied permanent entries are inserted into the static sticky database for each real server defined in the serverfarm. In this example there are two entries created.

<pre>ACE-1/routed(config-pmap-lb-c)# do show sticky database static
sticky group : web-sticky
type : HTTP-COOKIE
timeout : 5 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
16820511103801384579 lnx1:0 never -
sticky group : web-sticky
type : HTTP-COOKIE
timeout : 5 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
3347854103021350619 lnx2:0 never -</pre>

{{note|The “sticky-entry” is a hash of the cookie-value set by ACE for the real server. It will not appear in a sniffer trace or on the client browser. See the comment section below for determining which server a client is associated to via the cookie value. }}

When a client connects to the VIP they download index.html page from the web servers. At this point the client will get a cookie for the selected server to ensure all future requests will continue to use the same server. While there is no way to see how many clients have a cookie for a given server the common show commands will provide details on the incoming requests and responses and other data stats.

Recall, the Cisco ACE inserts a static entry for each server in a server farm in the sticky group. In this case there is only one sticky group and it uses cookie-insert and the serverfarm contains 2 real servers. Thus the output of the show stats sticky command displays 2 entries, despite the number of clients using the VIP.

<pre>ACE-1/routed# show stats sticky

+------------------------------------------+
+----------- Sticky statistics ------------+
+------------------------------------------+
Total sticky entries reused : 0
prior to expiry
Total active sticky entries : 2
Total active sticky conns : 0
Total static sticky entries : 2</pre>

==Related show commands ==

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the [https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl Output Interpreter Tool (registered customers only)], which allows you to view an analysis of show command output.

<pre>ACE-1/routed #show sticky database static
ACE-1/routed #show service-policy client-vips
ACE-1/routed #show service-policy client-vips detail
ACE-1/routed #show serverfarm
ACE-1/routed #show rserver
ACE-1/routed #show stats</pre>

==Comments==

The type of cookie ACE will insert depends on if cookie-insert is configured or cookie-insert browser-expire is configured. The sniffer traces below show the difference between the types of cookies ACE will insert.

===ACE configured with “cookie insert”===

<pre>Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: ACE-Insert=R1005880048; path=/; expires=Thu, 16-Oct-2008
00:08:55 GMT\r\n
Date: Fri, 29 Aug 2008 19:17:35 GMT\r\n
Server: Apache/2.0.52 (Red Hat)\r\n
Accept-Ranges: bytes\r\n
Content-Length: 1112\r\n
VirtualHost: 192.168.1.12\r\n
Connection: close\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n</pre>

===ACE configured with “cookie insert browser-expire”===

<pre>Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: ACE-Insert=R1005881137; path=/\r\n
Date: Fri, 29 Aug 2008 19:31:58 GMT\r\n
Server: Apache/2.0.52 (Red Hat)\r\n
Accept-Ranges: bytes\r\n
Content-Length: 353\r\n
VirtualHost: 192.168.1.11\r\n
Connection: close\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n</pre>

Notice the two cookie values do not appear to be related to the sticky-value in the show sticky database static output, displayed below:

<pre> sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
16820511103801384579 lnx1:0 never -
<…snip…>
3347854103021350619 lnx2:0 never -</pre>

This is because the sticky-entry is a hash of the cookie value. In order to determine the server a client is hitting one must mark the server such that it can be distinguished, possibly using a HTTP Header in the server response, or by determining the cookie value ACE uses for each server. The cookie value is a number based on the serverfarm name, rserver name, and rserver port. The following script can be used to determine the values associated with each rserver.

===TCL Script for calculating Cookie Values===
Note: This script works for 32-bit OS only. If you are using this on a 64-bit OS, you will need to modify it to produce a 32-bit unsigned integer.

<pre>[root@host cookie]# ./ace-cookie-value.tcl webfarm lnx1 0
Value: R1005880048
[root@host cookie]# ./ace-cookie-value.tcl webfarm lnx2 0
Value: R1005881137

#!/usr/bin/tclsh

#######################################################################
# #
# Name: ace-cookie-value.tcl #
# #
# This script takes the serverfarm name, the real server name and the #
# port number used by ACE and returns the generated hash that will be #
# used for cookie insertion. #
# #
#######################################################################

if { $argc != 3 } {
puts "[info script] <serverfarm> <realname> <port>"
exit 0
}

set serverFarmName [lindex $argv 0]
set realServerName [lindex $argv 1]
set port [lindex $argv 2]

set hashValue 5381
set hashMultiplier 32

set cookieInsertStr "$serverFarmName:$realServerName:$port"

set len [ string length $cookieInsertStr ]

for { set ix 0 } { $ix < $len } { incr ix } {
set hashValue [expr (($hashValue * $hashMultiplier) + $hashValue) \
+ [scan [string index $cookieInsertStr $ix] %c]]
}

puts [format "Value: R%u" $hashValue]</pre>

===VBA Script for calculating Cookie Values===
The following script was created by an ACE customer and shared for the convenience of all ACE users. We would like to sincerely thank Herve Benattar for his contribution to the ACE Doc Wiki!

<pre>
Dim Result_Cookie As String

Function Calculating_Cookie_Name(ByVal CHAINE1 As String)

' For this script, we need to work with 32 bits unsigned integer.
' VBA does not support unsigned int of 32 bits. An integer is only 16 bits
' and a Long var is 32 bits signed. To simulate a 32 bits unsigned integer,
' we use an double and subtract all numbers with the tops from the 32th bit

Dim Dbl_64bits_Tmp1, Dbl_64bits_Tmp2, hashValue, hashMultiplier As Double
Dim ix As Integer

hashValue = 5381
hashMultiplier = 32
ix = 0

Lng_Chaine = Len(CHAINE1)

For ix = 0 To (Lng_Chaine - 1) Step 1
'MAX Value 4294967295*32+5381 = 137438958821
Dbl_64bits_Tmp2 = hashValue * hashMultiplier + hashValue
'MAX value 127 or 255 with Extended ASCII Codes
Dbl_64bits_Tmp1 = CDbl(Asc(Mid(CHAINE1, ix + 1, 1)))
'MAX 137438958821+255 = 137438959076 = 100000 00000000000000000001010111100100(2)
hashValue = Dbl_64bits_Tmp2 + Dbl_64bits_Tmp1

Try_Again:
Select Case hashValue
'39th bits to 1 (Normaly none use with MAX)
Case Is >= 545460846592#
hashValue = hashValue - 545460846592#
GoTo Try_Again
'38th bits to 1
Case Is >= 270582939648#
hashValue = hashValue - 270582939648#
GoTo Try_Again
'37th bits to 1
Case Is >= 133143986176#
hashValue = hashValue - 133143986176#
GoTo Try_Again
'36th bits to 1
Case Is >= 64424509440#
hashValue = hashValue - 64424509440#
GoTo Try_Again
'35th bits to 1
Case Is >= 30064771072#
hashValue = hashValue - 30064771072#
GoTo Try_Again
'34eme bits to 1
Case Is >= 12884901888#
hashValue = hashValue - 12884901888#
GoTo Try_Again
'33eme bits to 1
Case Is >= 4294967296#
hashValue = hashValue - 4294967296#
GoTo Try_Again
End Select

'MsgBox "Value: R" & hashValue

Next

Result_Cookie = "R" & hashValue

End Function

Private Sub CommandButton1_Click()

ActiveSheet.Range("A2").Select

While (Not IsEmpty(ActiveCell.Value))
serverFarmName = ActiveCell.Value
realServerName = ActiveCell.Offset(0, 1).Value
port = ActiveCell.Offset(0, 2).Value

cookieInsertStr = serverFarmName & ":" & realServerName & ":" & port

Calculating_Cookie_Name (cookieInsertStr)
ActiveCell.Offset(0, 3) = Result_Cookie
ActiveCell.Offset(1, 0).Select
Wend

End Sub
</pre>

==show running-config ==

<pre>ACE-1/routed# show run
Generating configuration....

access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

rserver host lnx1
ip address 192.168.1.11
inservice
rserver host lnx2
ip address 192.168.1.12
inservice
rserver host lnx3
ip address 192.168.1.13
inservice
rserver host lnx4
ip address 192.168.1.14
inservice

serverfarm host imagefarm
rserver lnx3
inservice
rserver lnx4
inservice
serverfarm host webfarm
rserver lnx1
inservice
rserver lnx2
inservice

sticky http-cookie ACE-Insert web-sticky
cookie insert browser-expire
timeout 5
serverfarm webfarm

class-map type http loadbalance match-all images
2 match http url /images/.*

class-map match-all slb-vip
2 match virtual-address 172.16.1.101 any

policy-map type management first-match remote-access
class class-default
permit

policy-map type loadbalance http first-match slb
class images
serverfarm imagefarm
class class-default
sticky-serverfarm web-sticky

policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb

interface vlan 20
description "Client Side"
ip address 172.16.1.5 255.255.255.0
access-group input everyone
service-policy input client-vips
no shutdown

interface vlan 40
description "Default gateway of real servers"
ip address 192.168.1.1 255.255.255.0
service-policy input remote-access
no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.1.1</pre>

==Related Information==
[http://www.cisco.com/web/psa/products/index.html Technical Support & Documentation - Cisco Systems]

===Hash output Examples===
For the developer we have provided the following outputs as the hash is being calculated to all you to check your code against a working example.

<pre>
[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl WEB-FARM apache1 80
Value: R177660
Value: R5862849
Value: R193474083
Value: R2089677488
Value: R239880438
Value: R3621087223
Value: R3531761449
Value: R584010902
Value: R2092490640
Value: R332714481
Value: R2389643393
Value: R1548820738
Value: R3866444197
Value: R3038607021
Value: R1489783986
Value: R1918231331
Value: R3172091837
Value: R1599815573
Value: R1254306405
Final Value: R1254306405

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl WEB-FARM apache2 80
Value: R177660
Value: R5862849
Value: R193474083
Value: R2089677488
Value: R239880438
Value: R3621087223
Value: R3531761449
Value: R584010902
Value: R2092490640
Value: R332714481
Value: R2389643393
Value: R1548820738
Value: R3866444197
Value: R3038607021
Value: R1489783986
Value: R1918231332
Value: R3172091870
Value: R1599816662
Value: R1254342342
Final Value: R1254342342

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl WEB-FARM iis1 80
Value: R177660
Value: R5862849
Value: R193474083
Value: R2089677488
Value: R239880438
Value: R3621087223
Value: R3531761449
Value: R584010902
Value: R2092490640
Value: R332714489
Value: R2389643650
Value: R1548829237
Value: R3866724614
Value: R3047860736
Value: R1795156536
Value: R3405590888
Final Value: R3405590888

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl WEB-FARM iis2 80
Value: R177660
Value: R5862849
Value: R193474083
Value: R2089677488
Value: R239880438
Value: R3621087223
Value: R3531761449
Value: R584010902
Value: R2092490640
Value: R332714489
Value: R2389643650
Value: R1548829237
Value: R3866724615
Value: R3047860769
Value: R1795157625
Value: R3405626825
Final Value: R3405626825

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl Teir2 App1 80
Value: R177657
Value: R5862782
Value: R193471911
Value: R2089605881
Value: R237517387
Value: R3543106533
Value: R958398662
Value: R1562384886
Value: R19093798
Value: R630095383
Value: R3613278513
Value: R3274073993
Value: R670259417
Final Value: R670259417

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl Teir2 App2 80
Value: R177657
Value: R5862782
Value: R193471911
Value: R2089605881
Value: R237517387
Value: R3543106533
Value: R958398662
Value: R1562384886
Value: R19093798
Value: R630095384
Value: R3613278546
Value: R3274075082
Value: R670295354
Final Value: R670295354
</pre>



[[Category:Data Center Application Services Configuration Examples]]

Session Persistence Using Cookie Insert on the Cisco Application Control Engine Configuration Example

2011-03-04T15:46:35Z

Dhuckaby: /* Hash output Examples */

{{Template:Required Metadata}}
==Goal==
Configure basic load balancing with cookie insert where client traffic enters on one network and is directed to servers residing on a second network. Once the client has entered the site they will remain stuck to a given server based on a HTTP Cookie inserted by ACE.

==Design==
Clients will send application requests through the multilayer switch feature card (MSFC), which routes them to a virtual IP address (VIP) within the Cisco® Application Control Engine (ACE). The VIP used in this example resides in an ACE context, which is configured with a client VLAN and a server VLAN (see figure below). Client requests will arrive at the VIP, and the ACE will check the request to see if it contains a cookie. If it does, the sticky table will be checked to see which server should receive the request. If the cookie entry has expired, or if the client does not have a cookie the ACE will pick the appropriate server to receive the request based on the requested URL. When the server responds ACE will insert a cookie into the HTTP Response to so that upon future requests client persistence to the server will be maintained.

[[Image:SSL Persistence Using Cookie Insert.jpg]]

Within the Cisco ACE sticky resources are finite and are controlled via resource allocation. Before a context can apply session persistence using sticky groups, the context must first be given a sticky allocation. Once this is done, a sticky group is created to define parameters and the serverfarm where client requests will be sent. Recall, the load balancing action tells ACE how to handle traffic which has hit a VIP. Thus the sticky group on ACE is applied within the load balance policy-map. To enable server load-balancing with session persistence based on cookies ACE inserts you need to do the following:

* Allocate sticky resources to the context
* Enable ACLs to allow data traffic through the ACE device, as it is denied by default.
* Configure the IPs of the servers (define rservers)
* Group the real servers (create a serverfarm)
* Create a sticky group
* Define the virtual IP address (VIP)
* Define how traffic is to be handled as it is received (create a policy map for load balancing)
* Apply the sticky group to the load balancing policy
* Associate a VIP to a handling action (create a multimatch policy map [a service policy])
* Create client- and server-facing interfaces
* Apply the VIP and ACL permitting client connections to the interface (apply access group and service policy to interface)

{{note|For brevity only the bold steps are covered in this document. Please review the URL Load Balancing using Routed Mode document for more information on basic URL load balancing and the base configuration.}}

To begin the configuration, allocate sticky resources to the context you will be using In this example a context “routed” has already been defined. Create a resource class, allocate the desired amount of sticky entries, and apply them to the “routed” context.

<pre>ACE-1/Admin# show run | begin routed
context routed
allocate-interface vlan 10
allocate-interface vlan 20
allocate-interface vlan 40

ACE-1/Admin(config)# resource-class sticky
ACE-1/Admin(config-resource)# limit-resource all minimum 0.00 maximum unlimited
ACE-1/Admin(config-resource)# limit-resource sticky minimum 10.00 maximum equal-to-min

ACE-1/Admin(config)# context routed
ACE-1/Admin(config-context)# member sticky</pre>

{{note|At this time sticky resources are a fixed resource outside the other resources. Thus you must use maximum equal-to-min and you must define sticky resources even is all is previously used. This also applies to the Admin context.}}

Once the resources have been allocated a sticky group can be defined. The Cisco ACE can be configured in various ways to apply session persistence using cookies. For this example cookie insert will be used. The cookie name ACE will insert is supplied when the sticky group is created. By default ACE inserts permanent cookies which have a timeout of 24 hours. Using the configuration below ACE will insert a cookie with the name “ACE-Insert”, it will have a timeout of 5 minutes, and use a pre-existing serverfarm named “webfarm”.

<pre>ACE-1/routed(config)# sticky http-cookie ACE-Insert web-sticky
ACE-1/routed(config-sticky-cookie)# cookie insert
ACE-1/routed(config-sticky-cookie)# timeout 5
ACE-1/routed(config-sticky-cookie)# serverfarm webfarm</pre>

{{note|If session cookies (cookies that are removed when the client closes the browser) are preferred then “cookie insert browser-expire” can be configured.}}

The serverfarm within the load balancing policy map must be swapped with the sticky group to apply cookie-insert sticky to new client requests. Based on this example configuration there are two possible actions for handling new client requests. Any requests for images will be sent to the “imagefarm” serverfarm, which does not require persistence. All other requests will be sent to the web servers in the “webfarm” where the clients will use session persistence.

<pre>ACE-1/routed(config)# policy-map type loadbalance http first-match slb-logic
ACE-1/routed(config-pmap-lb-c)# class class-default
ACE-1/routed(config-pmap-lb-c)# no serverfarm webfarm
ACE-1/routed(config-pmap-lb-c)# sticky-serverfarm web-sticky</pre>

{{note|Changing from a serverfarm to a sticky group is potentially service impacting. While current connections will be allowed to finish, new connections will not be accepted during the removal of the serverfarm and applying the sticky group to the load balance policy. }}

When cookie insert is applied permanent entries are inserted into the static sticky database for each real server defined in the serverfarm. In this example there are two entries created.

<pre>ACE-1/routed(config-pmap-lb-c)# do show sticky database static
sticky group : web-sticky
type : HTTP-COOKIE
timeout : 5 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
16820511103801384579 lnx1:0 never -
sticky group : web-sticky
type : HTTP-COOKIE
timeout : 5 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
3347854103021350619 lnx2:0 never -</pre>

{{note|The “sticky-entry” is a hash of the cookie-value set by ACE for the real server. It will not appear in a sniffer trace or on the client browser. See the comment section below for determining which server a client is associated to via the cookie value. }}

When a client connects to the VIP they download index.html page from the web servers. At this point the client will get a cookie for the selected server to ensure all future requests will continue to use the same server. While there is no way to see how many clients have a cookie for a given server the common show commands will provide details on the incoming requests and responses and other data stats.

Recall, the Cisco ACE inserts a static entry for each server in a server farm in the sticky group. In this case there is only one sticky group and it uses cookie-insert and the serverfarm contains 2 real servers. Thus the output of the show stats sticky command displays 2 entries, despite the number of clients using the VIP.

<pre>ACE-1/routed# show stats sticky

+------------------------------------------+
+----------- Sticky statistics ------------+
+------------------------------------------+
Total sticky entries reused : 0
prior to expiry
Total active sticky entries : 2
Total active sticky conns : 0
Total static sticky entries : 2</pre>

==Related show commands ==

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the [https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl Output Interpreter Tool (registered customers only)], which allows you to view an analysis of show command output.

<pre>ACE-1/routed #show sticky database static
ACE-1/routed #show service-policy client-vips
ACE-1/routed #show service-policy client-vips detail
ACE-1/routed #show serverfarm
ACE-1/routed #show rserver
ACE-1/routed #show stats</pre>

==Comments==

The type of cookie ACE will insert depends on if cookie-insert is configured or cookie-insert browser-expire is configured. The sniffer traces below show the difference between the types of cookies ACE will insert.

===ACE configured with “cookie insert”===

<pre>Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: ACE-Insert=R1005880048; path=/; expires=Thu, 16-Oct-2008
00:08:55 GMT\r\n
Date: Fri, 29 Aug 2008 19:17:35 GMT\r\n
Server: Apache/2.0.52 (Red Hat)\r\n
Accept-Ranges: bytes\r\n
Content-Length: 1112\r\n
VirtualHost: 192.168.1.12\r\n
Connection: close\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n</pre>

===ACE configured with “cookie insert browser-expire”===

<pre>Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: ACE-Insert=R1005881137; path=/\r\n
Date: Fri, 29 Aug 2008 19:31:58 GMT\r\n
Server: Apache/2.0.52 (Red Hat)\r\n
Accept-Ranges: bytes\r\n
Content-Length: 353\r\n
VirtualHost: 192.168.1.11\r\n
Connection: close\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n</pre>

Notice the two cookie values do not appear to be related to the sticky-value in the show sticky database static output, displayed below:

<pre> sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
16820511103801384579 lnx1:0 never -
<…snip…>
3347854103021350619 lnx2:0 never -</pre>

This is because the sticky-entry is a hash of the cookie value. In order to determine the server a client is hitting one must mark the server such that it can be distinguished, possibly using a HTTP Header in the server response, or by determining the cookie value ACE uses for each server. The cookie value is a number based on the serverfarm name, rserver name, and rserver port. The following script can be used to determine the values associated with each rserver.

===TCL Script for calculating Cookie Values===
Note: This script works for 32-bit OS only. If you are using this on a 64-bit OS, you will need to modify it to produce a 32-bit unsigned integer.

<pre>[root@host cookie]# ./ace-cookie-value.tcl webfarm lnx1 0
Value: R1005880048
[root@host cookie]# ./ace-cookie-value.tcl webfarm lnx2 0
Value: R1005881137

#!/usr/bin/tclsh

#######################################################################
# #
# Name: ace-cookie-value.tcl #
# #
# This script takes the serverfarm name, the real server name and the #
# port number used by ACE and returns the generated hash that will be #
# used for cookie insertion. #
# #
#######################################################################

if { $argc != 3 } {
puts "[info script] <serverfarm> <realname> <port>"
exit 0
}

set serverFarmName [lindex $argv 0]
set realServerName [lindex $argv 1]
set port [lindex $argv 2]

set hashValue 5381
set hashMultiplier 32

set cookieInsertStr "$serverFarmName:$realServerName:$port"

set len [ string length $cookieInsertStr ]

for { set ix 0 } { $ix < $len } { incr ix } {
set hashValue [expr (($hashValue * $hashMultiplier) + $hashValue) \
+ [scan [string index $cookieInsertStr $ix] %c]]
}

puts [format "Value: R%u" $hashValue]</pre>

===VBA Script for calculating Cookie Values===
The following script was created by an ACE customer and shared for the convenience of all ACE users. We would like to sincerely thank Herve Benattar for his contribution to the ACE Doc Wiki!

<pre>
Dim Result_Cookie As String

Function Calculating_Cookie_Name(ByVal CHAINE1 As String)

' For this script, we need to work with 32 bits unsigned integer.
' VBA does not support unsigned int of 32 bits. An integer is only 16 bits
' and a Long var is 32 bits signed. To simulate a 32 bits unsigned integer,
' we use an double and subtract all numbers with the tops from the 32th bit

Dim Dbl_64bits_Tmp1, Dbl_64bits_Tmp2, hashValue, hashMultiplier As Double
Dim ix As Integer

hashValue = 5381
hashMultiplier = 32
ix = 0

Lng_Chaine = Len(CHAINE1)

For ix = 0 To (Lng_Chaine - 1) Step 1
'MAX Value 4294967295*32+5381 = 137438958821
Dbl_64bits_Tmp2 = hashValue * hashMultiplier + hashValue
'MAX value 127 or 255 with Extended ASCII Codes
Dbl_64bits_Tmp1 = CDbl(Asc(Mid(CHAINE1, ix + 1, 1)))
'MAX 137438958821+255 = 137438959076 = 100000 00000000000000000001010111100100(2)
hashValue = Dbl_64bits_Tmp2 + Dbl_64bits_Tmp1

Try_Again:
Select Case hashValue
'39th bits to 1 (Normaly none use with MAX)
Case Is >= 545460846592#
hashValue = hashValue - 545460846592#
GoTo Try_Again
'38th bits to 1
Case Is >= 270582939648#
hashValue = hashValue - 270582939648#
GoTo Try_Again
'37th bits to 1
Case Is >= 133143986176#
hashValue = hashValue - 133143986176#
GoTo Try_Again
'36th bits to 1
Case Is >= 64424509440#
hashValue = hashValue - 64424509440#
GoTo Try_Again
'35th bits to 1
Case Is >= 30064771072#
hashValue = hashValue - 30064771072#
GoTo Try_Again
'34eme bits to 1
Case Is >= 12884901888#
hashValue = hashValue - 12884901888#
GoTo Try_Again
'33eme bits to 1
Case Is >= 4294967296#
hashValue = hashValue - 4294967296#
GoTo Try_Again
End Select

'MsgBox "Value: R" & hashValue

Next

Result_Cookie = "R" & hashValue

End Function

Private Sub CommandButton1_Click()

ActiveSheet.Range("A2").Select

While (Not IsEmpty(ActiveCell.Value))
serverFarmName = ActiveCell.Value
realServerName = ActiveCell.Offset(0, 1).Value
port = ActiveCell.Offset(0, 2).Value

cookieInsertStr = serverFarmName & ":" & realServerName & ":" & port

Calculating_Cookie_Name (cookieInsertStr)
ActiveCell.Offset(0, 3) = Result_Cookie
ActiveCell.Offset(1, 0).Select
Wend

End Sub
</pre>

==show running-config ==

<pre>ACE-1/routed# show run
Generating configuration....

access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

rserver host lnx1
ip address 192.168.1.11
inservice
rserver host lnx2
ip address 192.168.1.12
inservice
rserver host lnx3
ip address 192.168.1.13
inservice
rserver host lnx4
ip address 192.168.1.14
inservice

serverfarm host imagefarm
rserver lnx3
inservice
rserver lnx4
inservice
serverfarm host webfarm
rserver lnx1
inservice
rserver lnx2
inservice

sticky http-cookie ACE-Insert web-sticky
cookie insert browser-expire
timeout 5
serverfarm webfarm

class-map type http loadbalance match-all images
2 match http url /images/.*

class-map match-all slb-vip
2 match virtual-address 172.16.1.101 any

policy-map type management first-match remote-access
class class-default
permit

policy-map type loadbalance http first-match slb
class images
serverfarm imagefarm
class class-default
sticky-serverfarm web-sticky

policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb

interface vlan 20
description "Client Side"
ip address 172.16.1.5 255.255.255.0
access-group input everyone
service-policy input client-vips
no shutdown

interface vlan 40
description "Default gateway of real servers"
ip address 192.168.1.1 255.255.255.0
service-policy input remote-access
no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.1.1</pre>

==Related Information==
[http://www.cisco.com/web/psa/products/index.html Technical Support & Documentation - Cisco Systems]

===Hash output Examples===
For the developer we have provided the following outputs as the hash is being calculated to all you to check your code against a working example.

<pre>
[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl WEB-FARM apache1 80
Value: R177660
Value: R5862849
Value: R193474083
Value: R2089677488
Value: R239880438
Value: R3621087223
Value: R3531761449
Value: R584010902
Value: R2092490640
Value: R332714481
Value: R2389643393
Value: R1548820738
Value: R3866444197
Value: R3038607021
Value: R1489783986
Value: R1918231331
Value: R3172091837
Value: R1599815573
Value: R1254306405
Final Value: R1254306405

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl WEB-FARM apache2 80
Value: R177660
Value: R5862849
Value: R193474083
Value: R2089677488
Value: R239880438
Value: R3621087223
Value: R3531761449
Value: R584010902
Value: R2092490640
Value: R332714481
Value: R2389643393
Value: R1548820738
Value: R3866444197
Value: R3038607021
Value: R1489783986
Value: R1918231332
Value: R3172091870
Value: R1599816662
Value: R1254342342
Final Value: R1254342342

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl WEB-FARM iis1 80
Value: R177660
Value: R5862849
Value: R193474083
Value: R2089677488
Value: R239880438
Value: R3621087223
Value: R3531761449
Value: R584010902
Value: R2092490640
Value: R332714489
Value: R2389643650
Value: R1548829237
Value: R3866724614
Value: R3047860736
Value: R1795156536
Value: R3405590888
Final Value: R3405590888
[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl WEB-FARM iis2 80
Value: R177660
Value: R5862849
Value: R193474083
Value: R2089677488
Value: R239880438
Value: R3621087223
Value: R3531761449
Value: R584010902
Value: R2092490640
Value: R332714489
Value: R2389643650
Value: R1548829237
Value: R3866724615
Value: R3047860769
Value: R1795157625
Value: R3405626825
Final Value: R3405626825

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl Teir2 App1 80
Value: R177657
Value: R5862782
Value: R193471911
Value: R2089605881
Value: R237517387
Value: R3543106533
Value: R958398662
Value: R1562384886
Value: R19093798
Value: R630095383
Value: R3613278513
Value: R3274073993
Value: R670259417
Final Value: R670259417

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl Teir2 App2 80
Value: R177657
Value: R5862782
Value: R193471911
Value: R2089605881
Value: R237517387
Value: R3543106533
Value: R958398662
Value: R1562384886
Value: R19093798
Value: R630095384
Value: R3613278546
Value: R3274075082
Value: R670295354
Final Value: R670295354
</pre>



[[Category:Data Center Application Services Configuration Examples]]

Session Persistence Using Cookie Insert on the Cisco Application Control Engine Configuration Example

2011-03-04T15:36:57Z

Dhuckaby: /* VBA Script for calculating Cookie Values */

{{Template:Required Metadata}}
==Goal==
Configure basic load balancing with cookie insert where client traffic enters on one network and is directed to servers residing on a second network. Once the client has entered the site they will remain stuck to a given server based on a HTTP Cookie inserted by ACE.

==Design==
Clients will send application requests through the multilayer switch feature card (MSFC), which routes them to a virtual IP address (VIP) within the Cisco® Application Control Engine (ACE). The VIP used in this example resides in an ACE context, which is configured with a client VLAN and a server VLAN (see figure below). Client requests will arrive at the VIP, and the ACE will check the request to see if it contains a cookie. If it does, the sticky table will be checked to see which server should receive the request. If the cookie entry has expired, or if the client does not have a cookie the ACE will pick the appropriate server to receive the request based on the requested URL. When the server responds ACE will insert a cookie into the HTTP Response to so that upon future requests client persistence to the server will be maintained.

[[Image:SSL Persistence Using Cookie Insert.jpg]]

Within the Cisco ACE sticky resources are finite and are controlled via resource allocation. Before a context can apply session persistence using sticky groups, the context must first be given a sticky allocation. Once this is done, a sticky group is created to define parameters and the serverfarm where client requests will be sent. Recall, the load balancing action tells ACE how to handle traffic which has hit a VIP. Thus the sticky group on ACE is applied within the load balance policy-map. To enable server load-balancing with session persistence based on cookies ACE inserts you need to do the following:

* Allocate sticky resources to the context
* Enable ACLs to allow data traffic through the ACE device, as it is denied by default.
* Configure the IPs of the servers (define rservers)
* Group the real servers (create a serverfarm)
* Create a sticky group
* Define the virtual IP address (VIP)
* Define how traffic is to be handled as it is received (create a policy map for load balancing)
* Apply the sticky group to the load balancing policy
* Associate a VIP to a handling action (create a multimatch policy map [a service policy])
* Create client- and server-facing interfaces
* Apply the VIP and ACL permitting client connections to the interface (apply access group and service policy to interface)

{{note|For brevity only the bold steps are covered in this document. Please review the URL Load Balancing using Routed Mode document for more information on basic URL load balancing and the base configuration.}}

To begin the configuration, allocate sticky resources to the context you will be using In this example a context “routed” has already been defined. Create a resource class, allocate the desired amount of sticky entries, and apply them to the “routed” context.

<pre>ACE-1/Admin# show run | begin routed
context routed
allocate-interface vlan 10
allocate-interface vlan 20
allocate-interface vlan 40

ACE-1/Admin(config)# resource-class sticky
ACE-1/Admin(config-resource)# limit-resource all minimum 0.00 maximum unlimited
ACE-1/Admin(config-resource)# limit-resource sticky minimum 10.00 maximum equal-to-min

ACE-1/Admin(config)# context routed
ACE-1/Admin(config-context)# member sticky</pre>

{{note|At this time sticky resources are a fixed resource outside the other resources. Thus you must use maximum equal-to-min and you must define sticky resources even is all is previously used. This also applies to the Admin context.}}

Once the resources have been allocated a sticky group can be defined. The Cisco ACE can be configured in various ways to apply session persistence using cookies. For this example cookie insert will be used. The cookie name ACE will insert is supplied when the sticky group is created. By default ACE inserts permanent cookies which have a timeout of 24 hours. Using the configuration below ACE will insert a cookie with the name “ACE-Insert”, it will have a timeout of 5 minutes, and use a pre-existing serverfarm named “webfarm”.

<pre>ACE-1/routed(config)# sticky http-cookie ACE-Insert web-sticky
ACE-1/routed(config-sticky-cookie)# cookie insert
ACE-1/routed(config-sticky-cookie)# timeout 5
ACE-1/routed(config-sticky-cookie)# serverfarm webfarm</pre>

{{note|If session cookies (cookies that are removed when the client closes the browser) are preferred then “cookie insert browser-expire” can be configured.}}

The serverfarm within the load balancing policy map must be swapped with the sticky group to apply cookie-insert sticky to new client requests. Based on this example configuration there are two possible actions for handling new client requests. Any requests for images will be sent to the “imagefarm” serverfarm, which does not require persistence. All other requests will be sent to the web servers in the “webfarm” where the clients will use session persistence.

<pre>ACE-1/routed(config)# policy-map type loadbalance http first-match slb-logic
ACE-1/routed(config-pmap-lb-c)# class class-default
ACE-1/routed(config-pmap-lb-c)# no serverfarm webfarm
ACE-1/routed(config-pmap-lb-c)# sticky-serverfarm web-sticky</pre>

{{note|Changing from a serverfarm to a sticky group is potentially service impacting. While current connections will be allowed to finish, new connections will not be accepted during the removal of the serverfarm and applying the sticky group to the load balance policy. }}

When cookie insert is applied permanent entries are inserted into the static sticky database for each real server defined in the serverfarm. In this example there are two entries created.

<pre>ACE-1/routed(config-pmap-lb-c)# do show sticky database static
sticky group : web-sticky
type : HTTP-COOKIE
timeout : 5 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
16820511103801384579 lnx1:0 never -
sticky group : web-sticky
type : HTTP-COOKIE
timeout : 5 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
3347854103021350619 lnx2:0 never -</pre>

{{note|The “sticky-entry” is a hash of the cookie-value set by ACE for the real server. It will not appear in a sniffer trace or on the client browser. See the comment section below for determining which server a client is associated to via the cookie value. }}

When a client connects to the VIP they download index.html page from the web servers. At this point the client will get a cookie for the selected server to ensure all future requests will continue to use the same server. While there is no way to see how many clients have a cookie for a given server the common show commands will provide details on the incoming requests and responses and other data stats.

Recall, the Cisco ACE inserts a static entry for each server in a server farm in the sticky group. In this case there is only one sticky group and it uses cookie-insert and the serverfarm contains 2 real servers. Thus the output of the show stats sticky command displays 2 entries, despite the number of clients using the VIP.

<pre>ACE-1/routed# show stats sticky

+------------------------------------------+
+----------- Sticky statistics ------------+
+------------------------------------------+
Total sticky entries reused : 0
prior to expiry
Total active sticky entries : 2
Total active sticky conns : 0
Total static sticky entries : 2</pre>

==Related show commands ==

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the [https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl Output Interpreter Tool (registered customers only)], which allows you to view an analysis of show command output.

<pre>ACE-1/routed #show sticky database static
ACE-1/routed #show service-policy client-vips
ACE-1/routed #show service-policy client-vips detail
ACE-1/routed #show serverfarm
ACE-1/routed #show rserver
ACE-1/routed #show stats</pre>

==Comments==

The type of cookie ACE will insert depends on if cookie-insert is configured or cookie-insert browser-expire is configured. The sniffer traces below show the difference between the types of cookies ACE will insert.

===ACE configured with “cookie insert”===

<pre>Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: ACE-Insert=R1005880048; path=/; expires=Thu, 16-Oct-2008
00:08:55 GMT\r\n
Date: Fri, 29 Aug 2008 19:17:35 GMT\r\n
Server: Apache/2.0.52 (Red Hat)\r\n
Accept-Ranges: bytes\r\n
Content-Length: 1112\r\n
VirtualHost: 192.168.1.12\r\n
Connection: close\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n</pre>

===ACE configured with “cookie insert browser-expire”===

<pre>Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: ACE-Insert=R1005881137; path=/\r\n
Date: Fri, 29 Aug 2008 19:31:58 GMT\r\n
Server: Apache/2.0.52 (Red Hat)\r\n
Accept-Ranges: bytes\r\n
Content-Length: 353\r\n
VirtualHost: 192.168.1.11\r\n
Connection: close\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n</pre>

Notice the two cookie values do not appear to be related to the sticky-value in the show sticky database static output, displayed below:

<pre> sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
16820511103801384579 lnx1:0 never -
<…snip…>
3347854103021350619 lnx2:0 never -</pre>

This is because the sticky-entry is a hash of the cookie value. In order to determine the server a client is hitting one must mark the server such that it can be distinguished, possibly using a HTTP Header in the server response, or by determining the cookie value ACE uses for each server. The cookie value is a number based on the serverfarm name, rserver name, and rserver port. The following script can be used to determine the values associated with each rserver.

===TCL Script for calculating Cookie Values===
Note: This script works for 32-bit OS only. If you are using this on a 64-bit OS, you will need to modify it to produce a 32-bit unsigned integer.

<pre>[root@host cookie]# ./ace-cookie-value.tcl webfarm lnx1 0
Value: R1005880048
[root@host cookie]# ./ace-cookie-value.tcl webfarm lnx2 0
Value: R1005881137

#!/usr/bin/tclsh

#######################################################################
# #
# Name: ace-cookie-value.tcl #
# #
# This script takes the serverfarm name, the real server name and the #
# port number used by ACE and returns the generated hash that will be #
# used for cookie insertion. #
# #
#######################################################################

if { $argc != 3 } {
puts "[info script] <serverfarm> <realname> <port>"
exit 0
}

set serverFarmName [lindex $argv 0]
set realServerName [lindex $argv 1]
set port [lindex $argv 2]

set hashValue 5381
set hashMultiplier 32

set cookieInsertStr "$serverFarmName:$realServerName:$port"

set len [ string length $cookieInsertStr ]

for { set ix 0 } { $ix < $len } { incr ix } {
set hashValue [expr (($hashValue * $hashMultiplier) + $hashValue) \
+ [scan [string index $cookieInsertStr $ix] %c]]
}

puts [format "Value: R%u" $hashValue]</pre>

===VBA Script for calculating Cookie Values===
The following script was created by an ACE customer and shared for the convenience of all ACE users. We would like to sincerely thank Herve Benattar for his contribution to the ACE Doc Wiki!

<pre>
Dim Result_Cookie As String

Function Calculating_Cookie_Name(ByVal CHAINE1 As String)

' For this script, we need to work with 32 bits unsigned integer.
' VBA does not support unsigned int of 32 bits. An integer is only 16 bits
' and a Long var is 32 bits signed. To simulate a 32 bits unsigned integer,
' we use an double and subtract all numbers with the tops from the 32th bit

Dim Dbl_64bits_Tmp1, Dbl_64bits_Tmp2, hashValue, hashMultiplier As Double
Dim ix As Integer

hashValue = 5381
hashMultiplier = 32
ix = 0

Lng_Chaine = Len(CHAINE1)

For ix = 0 To (Lng_Chaine - 1) Step 1
'MAX Value 4294967295*32+5381 = 137438958821
Dbl_64bits_Tmp2 = hashValue * hashMultiplier + hashValue
'MAX value 127 or 255 with Extended ASCII Codes
Dbl_64bits_Tmp1 = CDbl(Asc(Mid(CHAINE1, ix + 1, 1)))
'MAX 137438958821+255 = 137438959076 = 100000 00000000000000000001010111100100(2)
hashValue = Dbl_64bits_Tmp2 + Dbl_64bits_Tmp1

Try_Again:
Select Case hashValue
'39th bits to 1 (Normaly none use with MAX)
Case Is >= 545460846592#
hashValue = hashValue - 545460846592#
GoTo Try_Again
'38th bits to 1
Case Is >= 270582939648#
hashValue = hashValue - 270582939648#
GoTo Try_Again
'37th bits to 1
Case Is >= 133143986176#
hashValue = hashValue - 133143986176#
GoTo Try_Again
'36th bits to 1
Case Is >= 64424509440#
hashValue = hashValue - 64424509440#
GoTo Try_Again
'35th bits to 1
Case Is >= 30064771072#
hashValue = hashValue - 30064771072#
GoTo Try_Again
'34eme bits to 1
Case Is >= 12884901888#
hashValue = hashValue - 12884901888#
GoTo Try_Again
'33eme bits to 1
Case Is >= 4294967296#
hashValue = hashValue - 4294967296#
GoTo Try_Again
End Select

'MsgBox "Value: R" & hashValue

Next

Result_Cookie = "R" & hashValue

End Function

Private Sub CommandButton1_Click()

ActiveSheet.Range("A2").Select

While (Not IsEmpty(ActiveCell.Value))
serverFarmName = ActiveCell.Value
realServerName = ActiveCell.Offset(0, 1).Value
port = ActiveCell.Offset(0, 2).Value

cookieInsertStr = serverFarmName & ":" & realServerName & ":" & port

Calculating_Cookie_Name (cookieInsertStr)
ActiveCell.Offset(0, 3) = Result_Cookie
ActiveCell.Offset(1, 0).Select
Wend

End Sub
</pre>

==show running-config ==

<pre>ACE-1/routed# show run
Generating configuration....

access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

rserver host lnx1
ip address 192.168.1.11
inservice
rserver host lnx2
ip address 192.168.1.12
inservice
rserver host lnx3
ip address 192.168.1.13
inservice
rserver host lnx4
ip address 192.168.1.14
inservice

serverfarm host imagefarm
rserver lnx3
inservice
rserver lnx4
inservice
serverfarm host webfarm
rserver lnx1
inservice
rserver lnx2
inservice

sticky http-cookie ACE-Insert web-sticky
cookie insert browser-expire
timeout 5
serverfarm webfarm

class-map type http loadbalance match-all images
2 match http url /images/.*

class-map match-all slb-vip
2 match virtual-address 172.16.1.101 any

policy-map type management first-match remote-access
class class-default
permit

policy-map type loadbalance http first-match slb
class images
serverfarm imagefarm
class class-default
sticky-serverfarm web-sticky

policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb

interface vlan 20
description "Client Side"
ip address 172.16.1.5 255.255.255.0
access-group input everyone
service-policy input client-vips
no shutdown

interface vlan 40
description "Default gateway of real servers"
ip address 192.168.1.1 255.255.255.0
service-policy input remote-access
no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.1.1</pre>

==Related Information==
[http://www.cisco.com/web/psa/products/index.html Technical Support & Documentation - Cisco Systems]

===Hash output Examples===
For the developer we have provided the following outputs as the hash is being calculated to all you to check your code against a working example.

<pre>
[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl zzzzzzz zzzzzz 65535
Value: R177695
Value: R5864057
Value: R193514003
Value: R2090994925
Value: R283355911
Value: R760810593
Value: R3631913211
Value: R3889019029
Value: R3783576495
Value: R303972873
Value: R1441170339
Value: R313981053
Value: R1771440279
Value: R2622954481
Value: R658152011
Value: R244179937
Value: R3762970678
Value: R3918948139
Value: R476269758
Value: R2832000179
Final Value: R2832000179

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-SIEBEL-INTEGR ppclsrobj
web1 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650891
Value: R2915198964
Value: R1712285369
Value: R670842395
Value: R662962624
Value: R402930188
Value: R411794361
Value: R704312098
Value: R1767462832
Value: R2491698692
Value: R621678281
Value: R3335514160
Value: R2697784962
Value: R3127557884
Value: R130195180
Value: R1473756
Value: R48634047
Value: R1604923659
Value: R1422873310
Value: R4005146384
Value: R3320811903
Value: R2212610497
Value: R1702475
Value: R56181794
Value: R1853999303
Value: R1052434953
Value: R370615130
Value: R3640364756
Value: R4167920012
Value: R102406972
Final Value: R102406972

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-SIEBEL-INTEGR ppclsrobj
web2 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650891
Value: R2915198964
Value: R1712285369
Value: R670842395
Value: R662962624
Value: R402930188
Value: R411794361
Value: R704312098
Value: R1767462832
Value: R2491698692
Value: R621678281
Value: R3335514160
Value: R2697784962
Value: R3127557884
Value: R130195180
Value: R1473756
Value: R48634047
Value: R1604923659
Value: R1422873310
Value: R4005146384
Value: R3320811903
Value: R2212610497
Value: R1702475
Value: R56181794
Value: R1853999303
Value: R1052434953
Value: R370615131
Value: R3640364789
Value: R4167921101
Value: R102442909
Final Value: R102442909

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-DAISY-METIER_80 INDAMET
01 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650876
Value: R2915198461
Value: R1712268774
Value: R670294777
Value: R644891250
Value: R4101542111
Value: R2206903564
Value: R4108340945
Value: R2431265093
Value: R2922336814
Value: R1947834419
Value: R4148993765
Value: R3772808164
Value: R4243585180
Value: R2599357516
Value: R4174419462
Value: R316888847
Value: R1867397437
Value: R1494573345
Value: R2076280194
Value: R4092737039
Value: R1916336180
Value: R3109551880
Value: R3830964280
Value: R1867769705
Value: R1506858179
Value: R2481679707
Value: R291051755
Final Value: R291051755

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-DAISY-METIER_80 INDAMET
02 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650876
Value: R2915198461
Value: R1712268774
Value: R670294777
Value: R644891250
Value: R4101542111
Value: R2206903564
Value: R4108340945
Value: R2431265093
Value: R2922336814
Value: R1947834419
Value: R4148993765
Value: R3772808164
Value: R4243585180
Value: R2599357516
Value: R4174419462
Value: R316888847
Value: R1867397437
Value: R1494573345
Value: R2076280194
Value: R4092737039
Value: R1916336180
Value: R3109551880
Value: R3830964280
Value: R1867769706
Value: R1506858212
Value: R2481680796
Value: R291087692
Final Value: R291087692

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-DAISY-METIER_80 INDAMET
03 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650876
Value: R2915198461
Value: R1712268774
Value: R670294777
Value: R644891250
Value: R4101542111
Value: R2206903564
Value: R4108340945
Value: R2431265093
Value: R2922336814
Value: R1947834419
Value: R4148993765
Value: R3772808164
Value: R4243585180
Value: R2599357516
Value: R4174419462
Value: R316888847
Value: R1867397437
Value: R1494573345
Value: R2076280194
Value: R4092737039
Value: R1916336180
Value: R3109551880
Value: R3830964280
Value: R1867769707
Value: R1506858245
Value: R2481681885
Value: R291123629
Final Value: R291123629

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-DAISY-METIER_80 INDAMET
04 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650876
Value: R2915198461
Value: R1712268774
Value: R670294777
Value: R644891250
Value: R4101542111
Value: R2206903564
Value: R4108340945
Value: R2431265093
Value: R2922336814
Value: R1947834419
Value: R4148993765
Value: R3772808164
Value: R4243585180
Value: R2599357516
Value: R4174419462
Value: R316888847
Value: R1867397437
Value: R1494573345
Value: R2076280194
Value: R4092737039
Value: R1916336180
Value: R3109551880
Value: R3830964280
Value: R1867769708
Value: R1506858278
Value: R2481682974
Value: R291159566
Final Value: R291159566

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-DAISY-METIER_80 INDAMET
05 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650876
Value: R2915198461
Value: R1712268774
Value: R670294777
Value: R644891250
Value: R4101542111
Value: R2206903564
Value: R4108340945
Value: R2431265093
Value: R2922336814
Value: R1947834419
Value: R4148993765
Value: R3772808164
Value: R4243585180
Value: R2599357516
Value: R4174419462
Value: R316888847
Value: R1867397437
Value: R1494573345
Value: R2076280194
Value: R4092737039
Value: R1916336180
Value: R3109551880
Value: R3830964280
Value: R1867769709
Value: R1506858311
Value: R2481684063
Value: R291195503
Final Value: R291195503
</pre>



[[Category:Data Center Application Services Configuration Examples]]

Session Persistence Using Cookie Insert on the Cisco Application Control Engine Configuration Example

2011-03-04T14:49:30Z

Dhuckaby: /* VBA Script for calculating Cookie Values */

{{Template:Required Metadata}}
==Goal==
Configure basic load balancing with cookie insert where client traffic enters on one network and is directed to servers residing on a second network. Once the client has entered the site they will remain stuck to a given server based on a HTTP Cookie inserted by ACE.

==Design==
Clients will send application requests through the multilayer switch feature card (MSFC), which routes them to a virtual IP address (VIP) within the Cisco® Application Control Engine (ACE). The VIP used in this example resides in an ACE context, which is configured with a client VLAN and a server VLAN (see figure below). Client requests will arrive at the VIP, and the ACE will check the request to see if it contains a cookie. If it does, the sticky table will be checked to see which server should receive the request. If the cookie entry has expired, or if the client does not have a cookie the ACE will pick the appropriate server to receive the request based on the requested URL. When the server responds ACE will insert a cookie into the HTTP Response to so that upon future requests client persistence to the server will be maintained.

[[Image:SSL Persistence Using Cookie Insert.jpg]]

Within the Cisco ACE sticky resources are finite and are controlled via resource allocation. Before a context can apply session persistence using sticky groups, the context must first be given a sticky allocation. Once this is done, a sticky group is created to define parameters and the serverfarm where client requests will be sent. Recall, the load balancing action tells ACE how to handle traffic which has hit a VIP. Thus the sticky group on ACE is applied within the load balance policy-map. To enable server load-balancing with session persistence based on cookies ACE inserts you need to do the following:

* Allocate sticky resources to the context
* Enable ACLs to allow data traffic through the ACE device, as it is denied by default.
* Configure the IPs of the servers (define rservers)
* Group the real servers (create a serverfarm)
* Create a sticky group
* Define the virtual IP address (VIP)
* Define how traffic is to be handled as it is received (create a policy map for load balancing)
* Apply the sticky group to the load balancing policy
* Associate a VIP to a handling action (create a multimatch policy map [a service policy])
* Create client- and server-facing interfaces
* Apply the VIP and ACL permitting client connections to the interface (apply access group and service policy to interface)

{{note|For brevity only the bold steps are covered in this document. Please review the URL Load Balancing using Routed Mode document for more information on basic URL load balancing and the base configuration.}}

To begin the configuration, allocate sticky resources to the context you will be using In this example a context “routed” has already been defined. Create a resource class, allocate the desired amount of sticky entries, and apply them to the “routed” context.

<pre>ACE-1/Admin# show run | begin routed
context routed
allocate-interface vlan 10
allocate-interface vlan 20
allocate-interface vlan 40

ACE-1/Admin(config)# resource-class sticky
ACE-1/Admin(config-resource)# limit-resource all minimum 0.00 maximum unlimited
ACE-1/Admin(config-resource)# limit-resource sticky minimum 10.00 maximum equal-to-min

ACE-1/Admin(config)# context routed
ACE-1/Admin(config-context)# member sticky</pre>

{{note|At this time sticky resources are a fixed resource outside the other resources. Thus you must use maximum equal-to-min and you must define sticky resources even is all is previously used. This also applies to the Admin context.}}

Once the resources have been allocated a sticky group can be defined. The Cisco ACE can be configured in various ways to apply session persistence using cookies. For this example cookie insert will be used. The cookie name ACE will insert is supplied when the sticky group is created. By default ACE inserts permanent cookies which have a timeout of 24 hours. Using the configuration below ACE will insert a cookie with the name “ACE-Insert”, it will have a timeout of 5 minutes, and use a pre-existing serverfarm named “webfarm”.

<pre>ACE-1/routed(config)# sticky http-cookie ACE-Insert web-sticky
ACE-1/routed(config-sticky-cookie)# cookie insert
ACE-1/routed(config-sticky-cookie)# timeout 5
ACE-1/routed(config-sticky-cookie)# serverfarm webfarm</pre>

{{note|If session cookies (cookies that are removed when the client closes the browser) are preferred then “cookie insert browser-expire” can be configured.}}

The serverfarm within the load balancing policy map must be swapped with the sticky group to apply cookie-insert sticky to new client requests. Based on this example configuration there are two possible actions for handling new client requests. Any requests for images will be sent to the “imagefarm” serverfarm, which does not require persistence. All other requests will be sent to the web servers in the “webfarm” where the clients will use session persistence.

<pre>ACE-1/routed(config)# policy-map type loadbalance http first-match slb-logic
ACE-1/routed(config-pmap-lb-c)# class class-default
ACE-1/routed(config-pmap-lb-c)# no serverfarm webfarm
ACE-1/routed(config-pmap-lb-c)# sticky-serverfarm web-sticky</pre>

{{note|Changing from a serverfarm to a sticky group is potentially service impacting. While current connections will be allowed to finish, new connections will not be accepted during the removal of the serverfarm and applying the sticky group to the load balance policy. }}

When cookie insert is applied permanent entries are inserted into the static sticky database for each real server defined in the serverfarm. In this example there are two entries created.

<pre>ACE-1/routed(config-pmap-lb-c)# do show sticky database static
sticky group : web-sticky
type : HTTP-COOKIE
timeout : 5 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
16820511103801384579 lnx1:0 never -
sticky group : web-sticky
type : HTTP-COOKIE
timeout : 5 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
3347854103021350619 lnx2:0 never -</pre>

{{note|The “sticky-entry” is a hash of the cookie-value set by ACE for the real server. It will not appear in a sniffer trace or on the client browser. See the comment section below for determining which server a client is associated to via the cookie value. }}

When a client connects to the VIP they download index.html page from the web servers. At this point the client will get a cookie for the selected server to ensure all future requests will continue to use the same server. While there is no way to see how many clients have a cookie for a given server the common show commands will provide details on the incoming requests and responses and other data stats.

Recall, the Cisco ACE inserts a static entry for each server in a server farm in the sticky group. In this case there is only one sticky group and it uses cookie-insert and the serverfarm contains 2 real servers. Thus the output of the show stats sticky command displays 2 entries, despite the number of clients using the VIP.

<pre>ACE-1/routed# show stats sticky

+------------------------------------------+
+----------- Sticky statistics ------------+
+------------------------------------------+
Total sticky entries reused : 0
prior to expiry
Total active sticky entries : 2
Total active sticky conns : 0
Total static sticky entries : 2</pre>

==Related show commands ==

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the [https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl Output Interpreter Tool (registered customers only)], which allows you to view an analysis of show command output.

<pre>ACE-1/routed #show sticky database static
ACE-1/routed #show service-policy client-vips
ACE-1/routed #show service-policy client-vips detail
ACE-1/routed #show serverfarm
ACE-1/routed #show rserver
ACE-1/routed #show stats</pre>

==Comments==

The type of cookie ACE will insert depends on if cookie-insert is configured or cookie-insert browser-expire is configured. The sniffer traces below show the difference between the types of cookies ACE will insert.

===ACE configured with “cookie insert”===

<pre>Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: ACE-Insert=R1005880048; path=/; expires=Thu, 16-Oct-2008
00:08:55 GMT\r\n
Date: Fri, 29 Aug 2008 19:17:35 GMT\r\n
Server: Apache/2.0.52 (Red Hat)\r\n
Accept-Ranges: bytes\r\n
Content-Length: 1112\r\n
VirtualHost: 192.168.1.12\r\n
Connection: close\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n</pre>

===ACE configured with “cookie insert browser-expire”===

<pre>Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: ACE-Insert=R1005881137; path=/\r\n
Date: Fri, 29 Aug 2008 19:31:58 GMT\r\n
Server: Apache/2.0.52 (Red Hat)\r\n
Accept-Ranges: bytes\r\n
Content-Length: 353\r\n
VirtualHost: 192.168.1.11\r\n
Connection: close\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n</pre>

Notice the two cookie values do not appear to be related to the sticky-value in the show sticky database static output, displayed below:

<pre> sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
16820511103801384579 lnx1:0 never -
<…snip…>
3347854103021350619 lnx2:0 never -</pre>

This is because the sticky-entry is a hash of the cookie value. In order to determine the server a client is hitting one must mark the server such that it can be distinguished, possibly using a HTTP Header in the server response, or by determining the cookie value ACE uses for each server. The cookie value is a number based on the serverfarm name, rserver name, and rserver port. The following script can be used to determine the values associated with each rserver.

===TCL Script for calculating Cookie Values===
Note: This script works for 32-bit OS only. If you are using this on a 64-bit OS, you will need to modify it to produce a 32-bit unsigned integer.

<pre>[root@host cookie]# ./ace-cookie-value.tcl webfarm lnx1 0
Value: R1005880048
[root@host cookie]# ./ace-cookie-value.tcl webfarm lnx2 0
Value: R1005881137

#!/usr/bin/tclsh

#######################################################################
# #
# Name: ace-cookie-value.tcl #
# #
# This script takes the serverfarm name, the real server name and the #
# port number used by ACE and returns the generated hash that will be #
# used for cookie insertion. #
# #
#######################################################################

if { $argc != 3 } {
puts "[info script] <serverfarm> <realname> <port>"
exit 0
}

set serverFarmName [lindex $argv 0]
set realServerName [lindex $argv 1]
set port [lindex $argv 2]

set hashValue 5381
set hashMultiplier 32

set cookieInsertStr "$serverFarmName:$realServerName:$port"

set len [ string length $cookieInsertStr ]

for { set ix 0 } { $ix < $len } { incr ix } {
set hashValue [expr (($hashValue * $hashMultiplier) + $hashValue) \
+ [scan [string index $cookieInsertStr $ix] %c]]
}

puts [format "Value: R%u" $hashValue]</pre>

===VBA Script for calculating Cookie Values===
The following script was created by an ACE customer and shared for the convenience of all ACE users. We would like to sincerely thank Herve Benattar for his contribution to the ACE Doc Wiki!

<pre>
Dim Result_Cookie As String

Function Calculating_Cookie_Name(ByVal CHAINE1 As String)

' For this script, we need to work with 32 bits unsigned integer.
' VBA does not support unsigned int of 32 bits. An integer is only 16 bits
' and a Long var is 32 bits signed. To simulate a 32 bits unsigned integer,
' we use an double and subtract all numbers with the tops from the 32th bit
' Thanks for Derek Huckaby and Paul Zimmerman from Cisco for their helps
' Herve Benattar AXA TECH GNSD

Dim Dbl_64bits_Tmp1, Dbl_64bits_Tmp2, hashValue, hashMultiplier As Double
Dim ix As Integer

hashValue = 5381
hashMultiplier = 32
ix = 0

Lng_Chaine = Len(CHAINE1)

For ix = 0 To (Lng_Chaine - 1) Step 1
'MAX Value 4294967295*32+5381 = 137438958821
Dbl_64bits_Tmp2 = hashValue * hashMultiplier + hashValue
'MAX value 127 or 255 with Extended ASCII Codes
Dbl_64bits_Tmp1 = CDbl(Asc(Mid(CHAINE1, ix + 1, 1)))
'MAX 137438958821+255 = 137438959076 = 100000 00000000000000000001010111100100(2)
hashValue = Dbl_64bits_Tmp2 + Dbl_64bits_Tmp1

Try_Again:
Select Case hashValue
'39th bits to 1 (Normaly none use with MAX)
Case Is >= 545460846592#
hashValue = hashValue - 545460846592#
GoTo Try_Again
'38th bits to 1
Case Is >= 270582939648#
hashValue = hashValue - 270582939648#
GoTo Try_Again
'37th bits to 1
Case Is >= 133143986176#
hashValue = hashValue - 133143986176#
GoTo Try_Again
'36th bits to 1
Case Is >= 64424509440#
hashValue = hashValue - 64424509440#
GoTo Try_Again
'35th bits to 1
Case Is >= 30064771072#
hashValue = hashValue - 30064771072#
GoTo Try_Again
'34eme bits to 1
Case Is >= 12884901888#
hashValue = hashValue - 12884901888#
GoTo Try_Again
'33eme bits to 1
Case Is >= 4294967296#
hashValue = hashValue - 4294967296#
GoTo Try_Again
End Select

'MsgBox "Value: R" & hashValue

Next

Result_Cookie = "R" & hashValue

End Function

Private Sub CommandButton1_Click()

ActiveSheet.Range("A2").Select

While (Not IsEmpty(ActiveCell.Value))
serverFarmName = ActiveCell.Value
realServerName = ActiveCell.Offset(0, 1).Value
port = ActiveCell.Offset(0, 2).Value

cookieInsertStr = serverFarmName & ":" & realServerName & ":" & port

Calculating_Cookie_Name (cookieInsertStr)
ActiveCell.Offset(0, 3) = Result_Cookie
ActiveCell.Offset(1, 0).Select
Wend

End Sub
</pre>

==show running-config ==

<pre>ACE-1/routed# show run
Generating configuration....

access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

rserver host lnx1
ip address 192.168.1.11
inservice
rserver host lnx2
ip address 192.168.1.12
inservice
rserver host lnx3
ip address 192.168.1.13
inservice
rserver host lnx4
ip address 192.168.1.14
inservice

serverfarm host imagefarm
rserver lnx3
inservice
rserver lnx4
inservice
serverfarm host webfarm
rserver lnx1
inservice
rserver lnx2
inservice

sticky http-cookie ACE-Insert web-sticky
cookie insert browser-expire
timeout 5
serverfarm webfarm

class-map type http loadbalance match-all images
2 match http url /images/.*

class-map match-all slb-vip
2 match virtual-address 172.16.1.101 any

policy-map type management first-match remote-access
class class-default
permit

policy-map type loadbalance http first-match slb
class images
serverfarm imagefarm
class class-default
sticky-serverfarm web-sticky

policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb

interface vlan 20
description "Client Side"
ip address 172.16.1.5 255.255.255.0
access-group input everyone
service-policy input client-vips
no shutdown

interface vlan 40
description "Default gateway of real servers"
ip address 192.168.1.1 255.255.255.0
service-policy input remote-access
no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.1.1</pre>

==Related Information==
[http://www.cisco.com/web/psa/products/index.html Technical Support & Documentation - Cisco Systems]

===Hash output Examples===
For the developer we have provided the following outputs as the hash is being calculated to all you to check your code against a working example.

<pre>
[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl zzzzzzz zzzzzz 65535
Value: R177695
Value: R5864057
Value: R193514003
Value: R2090994925
Value: R283355911
Value: R760810593
Value: R3631913211
Value: R3889019029
Value: R3783576495
Value: R303972873
Value: R1441170339
Value: R313981053
Value: R1771440279
Value: R2622954481
Value: R658152011
Value: R244179937
Value: R3762970678
Value: R3918948139
Value: R476269758
Value: R2832000179
Final Value: R2832000179

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-SIEBEL-INTEGR ppclsrobj
web1 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650891
Value: R2915198964
Value: R1712285369
Value: R670842395
Value: R662962624
Value: R402930188
Value: R411794361
Value: R704312098
Value: R1767462832
Value: R2491698692
Value: R621678281
Value: R3335514160
Value: R2697784962
Value: R3127557884
Value: R130195180
Value: R1473756
Value: R48634047
Value: R1604923659
Value: R1422873310
Value: R4005146384
Value: R3320811903
Value: R2212610497
Value: R1702475
Value: R56181794
Value: R1853999303
Value: R1052434953
Value: R370615130
Value: R3640364756
Value: R4167920012
Value: R102406972
Final Value: R102406972

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-SIEBEL-INTEGR ppclsrobj
web2 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650891
Value: R2915198964
Value: R1712285369
Value: R670842395
Value: R662962624
Value: R402930188
Value: R411794361
Value: R704312098
Value: R1767462832
Value: R2491698692
Value: R621678281
Value: R3335514160
Value: R2697784962
Value: R3127557884
Value: R130195180
Value: R1473756
Value: R48634047
Value: R1604923659
Value: R1422873310
Value: R4005146384
Value: R3320811903
Value: R2212610497
Value: R1702475
Value: R56181794
Value: R1853999303
Value: R1052434953
Value: R370615131
Value: R3640364789
Value: R4167921101
Value: R102442909
Final Value: R102442909

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-DAISY-METIER_80 INDAMET
01 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650876
Value: R2915198461
Value: R1712268774
Value: R670294777
Value: R644891250
Value: R4101542111
Value: R2206903564
Value: R4108340945
Value: R2431265093
Value: R2922336814
Value: R1947834419
Value: R4148993765
Value: R3772808164
Value: R4243585180
Value: R2599357516
Value: R4174419462
Value: R316888847
Value: R1867397437
Value: R1494573345
Value: R2076280194
Value: R4092737039
Value: R1916336180
Value: R3109551880
Value: R3830964280
Value: R1867769705
Value: R1506858179
Value: R2481679707
Value: R291051755
Final Value: R291051755

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-DAISY-METIER_80 INDAMET
02 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650876
Value: R2915198461
Value: R1712268774
Value: R670294777
Value: R644891250
Value: R4101542111
Value: R2206903564
Value: R4108340945
Value: R2431265093
Value: R2922336814
Value: R1947834419
Value: R4148993765
Value: R3772808164
Value: R4243585180
Value: R2599357516
Value: R4174419462
Value: R316888847
Value: R1867397437
Value: R1494573345
Value: R2076280194
Value: R4092737039
Value: R1916336180
Value: R3109551880
Value: R3830964280
Value: R1867769706
Value: R1506858212
Value: R2481680796
Value: R291087692
Final Value: R291087692

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-DAISY-METIER_80 INDAMET
03 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650876
Value: R2915198461
Value: R1712268774
Value: R670294777
Value: R644891250
Value: R4101542111
Value: R2206903564
Value: R4108340945
Value: R2431265093
Value: R2922336814
Value: R1947834419
Value: R4148993765
Value: R3772808164
Value: R4243585180
Value: R2599357516
Value: R4174419462
Value: R316888847
Value: R1867397437
Value: R1494573345
Value: R2076280194
Value: R4092737039
Value: R1916336180
Value: R3109551880
Value: R3830964280
Value: R1867769707
Value: R1506858245
Value: R2481681885
Value: R291123629
Final Value: R291123629

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-DAISY-METIER_80 INDAMET
04 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650876
Value: R2915198461
Value: R1712268774
Value: R670294777
Value: R644891250
Value: R4101542111
Value: R2206903564
Value: R4108340945
Value: R2431265093
Value: R2922336814
Value: R1947834419
Value: R4148993765
Value: R3772808164
Value: R4243585180
Value: R2599357516
Value: R4174419462
Value: R316888847
Value: R1867397437
Value: R1494573345
Value: R2076280194
Value: R4092737039
Value: R1916336180
Value: R3109551880
Value: R3830964280
Value: R1867769708
Value: R1506858278
Value: R2481682974
Value: R291159566
Final Value: R291159566

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-DAISY-METIER_80 INDAMET
05 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650876
Value: R2915198461
Value: R1712268774
Value: R670294777
Value: R644891250
Value: R4101542111
Value: R2206903564
Value: R4108340945
Value: R2431265093
Value: R2922336814
Value: R1947834419
Value: R4148993765
Value: R3772808164
Value: R4243585180
Value: R2599357516
Value: R4174419462
Value: R316888847
Value: R1867397437
Value: R1494573345
Value: R2076280194
Value: R4092737039
Value: R1916336180
Value: R3109551880
Value: R3830964280
Value: R1867769709
Value: R1506858311
Value: R2481684063
Value: R291195503
Final Value: R291195503
</pre>



[[Category:Data Center Application Services Configuration Examples]]

Session Persistence Using Cookie Insert on the Cisco Application Control Engine Configuration Example

2011-03-04T14:46:31Z

Dhuckaby:

{{Template:Required Metadata}}
==Goal==
Configure basic load balancing with cookie insert where client traffic enters on one network and is directed to servers residing on a second network. Once the client has entered the site they will remain stuck to a given server based on a HTTP Cookie inserted by ACE.

==Design==
Clients will send application requests through the multilayer switch feature card (MSFC), which routes them to a virtual IP address (VIP) within the Cisco® Application Control Engine (ACE). The VIP used in this example resides in an ACE context, which is configured with a client VLAN and a server VLAN (see figure below). Client requests will arrive at the VIP, and the ACE will check the request to see if it contains a cookie. If it does, the sticky table will be checked to see which server should receive the request. If the cookie entry has expired, or if the client does not have a cookie the ACE will pick the appropriate server to receive the request based on the requested URL. When the server responds ACE will insert a cookie into the HTTP Response to so that upon future requests client persistence to the server will be maintained.

[[Image:SSL Persistence Using Cookie Insert.jpg]]

Within the Cisco ACE sticky resources are finite and are controlled via resource allocation. Before a context can apply session persistence using sticky groups, the context must first be given a sticky allocation. Once this is done, a sticky group is created to define parameters and the serverfarm where client requests will be sent. Recall, the load balancing action tells ACE how to handle traffic which has hit a VIP. Thus the sticky group on ACE is applied within the load balance policy-map. To enable server load-balancing with session persistence based on cookies ACE inserts you need to do the following:

* Allocate sticky resources to the context
* Enable ACLs to allow data traffic through the ACE device, as it is denied by default.
* Configure the IPs of the servers (define rservers)
* Group the real servers (create a serverfarm)
* Create a sticky group
* Define the virtual IP address (VIP)
* Define how traffic is to be handled as it is received (create a policy map for load balancing)
* Apply the sticky group to the load balancing policy
* Associate a VIP to a handling action (create a multimatch policy map [a service policy])
* Create client- and server-facing interfaces
* Apply the VIP and ACL permitting client connections to the interface (apply access group and service policy to interface)

{{note|For brevity only the bold steps are covered in this document. Please review the URL Load Balancing using Routed Mode document for more information on basic URL load balancing and the base configuration.}}

To begin the configuration, allocate sticky resources to the context you will be using In this example a context “routed” has already been defined. Create a resource class, allocate the desired amount of sticky entries, and apply them to the “routed” context.

<pre>ACE-1/Admin# show run | begin routed
context routed
allocate-interface vlan 10
allocate-interface vlan 20
allocate-interface vlan 40

ACE-1/Admin(config)# resource-class sticky
ACE-1/Admin(config-resource)# limit-resource all minimum 0.00 maximum unlimited
ACE-1/Admin(config-resource)# limit-resource sticky minimum 10.00 maximum equal-to-min

ACE-1/Admin(config)# context routed
ACE-1/Admin(config-context)# member sticky</pre>

{{note|At this time sticky resources are a fixed resource outside the other resources. Thus you must use maximum equal-to-min and you must define sticky resources even is all is previously used. This also applies to the Admin context.}}

Once the resources have been allocated a sticky group can be defined. The Cisco ACE can be configured in various ways to apply session persistence using cookies. For this example cookie insert will be used. The cookie name ACE will insert is supplied when the sticky group is created. By default ACE inserts permanent cookies which have a timeout of 24 hours. Using the configuration below ACE will insert a cookie with the name “ACE-Insert”, it will have a timeout of 5 minutes, and use a pre-existing serverfarm named “webfarm”.

<pre>ACE-1/routed(config)# sticky http-cookie ACE-Insert web-sticky
ACE-1/routed(config-sticky-cookie)# cookie insert
ACE-1/routed(config-sticky-cookie)# timeout 5
ACE-1/routed(config-sticky-cookie)# serverfarm webfarm</pre>

{{note|If session cookies (cookies that are removed when the client closes the browser) are preferred then “cookie insert browser-expire” can be configured.}}

The serverfarm within the load balancing policy map must be swapped with the sticky group to apply cookie-insert sticky to new client requests. Based on this example configuration there are two possible actions for handling new client requests. Any requests for images will be sent to the “imagefarm” serverfarm, which does not require persistence. All other requests will be sent to the web servers in the “webfarm” where the clients will use session persistence.

<pre>ACE-1/routed(config)# policy-map type loadbalance http first-match slb-logic
ACE-1/routed(config-pmap-lb-c)# class class-default
ACE-1/routed(config-pmap-lb-c)# no serverfarm webfarm
ACE-1/routed(config-pmap-lb-c)# sticky-serverfarm web-sticky</pre>

{{note|Changing from a serverfarm to a sticky group is potentially service impacting. While current connections will be allowed to finish, new connections will not be accepted during the removal of the serverfarm and applying the sticky group to the load balance policy. }}

When cookie insert is applied permanent entries are inserted into the static sticky database for each real server defined in the serverfarm. In this example there are two entries created.

<pre>ACE-1/routed(config-pmap-lb-c)# do show sticky database static
sticky group : web-sticky
type : HTTP-COOKIE
timeout : 5 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
16820511103801384579 lnx1:0 never -
sticky group : web-sticky
type : HTTP-COOKIE
timeout : 5 timeout-activeconns : FALSE
sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
3347854103021350619 lnx2:0 never -</pre>

{{note|The “sticky-entry” is a hash of the cookie-value set by ACE for the real server. It will not appear in a sniffer trace or on the client browser. See the comment section below for determining which server a client is associated to via the cookie value. }}

When a client connects to the VIP they download index.html page from the web servers. At this point the client will get a cookie for the selected server to ensure all future requests will continue to use the same server. While there is no way to see how many clients have a cookie for a given server the common show commands will provide details on the incoming requests and responses and other data stats.

Recall, the Cisco ACE inserts a static entry for each server in a server farm in the sticky group. In this case there is only one sticky group and it uses cookie-insert and the serverfarm contains 2 real servers. Thus the output of the show stats sticky command displays 2 entries, despite the number of clients using the VIP.

<pre>ACE-1/routed# show stats sticky

+------------------------------------------+
+----------- Sticky statistics ------------+
+------------------------------------------+
Total sticky entries reused : 0
prior to expiry
Total active sticky entries : 2
Total active sticky conns : 0
Total static sticky entries : 2</pre>

==Related show commands ==

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the [https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl Output Interpreter Tool (registered customers only)], which allows you to view an analysis of show command output.

<pre>ACE-1/routed #show sticky database static
ACE-1/routed #show service-policy client-vips
ACE-1/routed #show service-policy client-vips detail
ACE-1/routed #show serverfarm
ACE-1/routed #show rserver
ACE-1/routed #show stats</pre>

==Comments==

The type of cookie ACE will insert depends on if cookie-insert is configured or cookie-insert browser-expire is configured. The sniffer traces below show the difference between the types of cookies ACE will insert.

===ACE configured with “cookie insert”===

<pre>Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: ACE-Insert=R1005880048; path=/; expires=Thu, 16-Oct-2008
00:08:55 GMT\r\n
Date: Fri, 29 Aug 2008 19:17:35 GMT\r\n
Server: Apache/2.0.52 (Red Hat)\r\n
Accept-Ranges: bytes\r\n
Content-Length: 1112\r\n
VirtualHost: 192.168.1.12\r\n
Connection: close\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n</pre>

===ACE configured with “cookie insert browser-expire”===

<pre>Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: ACE-Insert=R1005881137; path=/\r\n
Date: Fri, 29 Aug 2008 19:31:58 GMT\r\n
Server: Apache/2.0.52 (Red Hat)\r\n
Accept-Ranges: bytes\r\n
Content-Length: 353\r\n
VirtualHost: 192.168.1.11\r\n
Connection: close\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n</pre>

Notice the two cookie values do not appear to be related to the sticky-value in the show sticky database static output, displayed below:

<pre> sticky-entry rserver-instance time-to-expire flags
---------------------+----------------------+--------------+-------+
16820511103801384579 lnx1:0 never -
<…snip…>
3347854103021350619 lnx2:0 never -</pre>

This is because the sticky-entry is a hash of the cookie value. In order to determine the server a client is hitting one must mark the server such that it can be distinguished, possibly using a HTTP Header in the server response, or by determining the cookie value ACE uses for each server. The cookie value is a number based on the serverfarm name, rserver name, and rserver port. The following script can be used to determine the values associated with each rserver.

===TCL Script for calculating Cookie Values===
Note: This script works for 32-bit OS only. If you are using this on a 64-bit OS, you will need to modify it to produce a 32-bit unsigned integer.

<pre>[root@host cookie]# ./ace-cookie-value.tcl webfarm lnx1 0
Value: R1005880048
[root@host cookie]# ./ace-cookie-value.tcl webfarm lnx2 0
Value: R1005881137

#!/usr/bin/tclsh

#######################################################################
# #
# Name: ace-cookie-value.tcl #
# #
# This script takes the serverfarm name, the real server name and the #
# port number used by ACE and returns the generated hash that will be #
# used for cookie insertion. #
# #
#######################################################################

if { $argc != 3 } {
puts "[info script] <serverfarm> <realname> <port>"
exit 0
}

set serverFarmName [lindex $argv 0]
set realServerName [lindex $argv 1]
set port [lindex $argv 2]

set hashValue 5381
set hashMultiplier 32

set cookieInsertStr "$serverFarmName:$realServerName:$port"

set len [ string length $cookieInsertStr ]

for { set ix 0 } { $ix < $len } { incr ix } {
set hashValue [expr (($hashValue * $hashMultiplier) + $hashValue) \
+ [scan [string index $cookieInsertStr $ix] %c]]
}

puts [format "Value: R%u" $hashValue]</pre>

===VBA Script for calculating Cookie Values===
The following script was created by an ACE customer and shared for the convenience of all ACE users. We would like to thank Nerve Benattar for his contribution to the ACE Doc Wiki!

<pre>
Dim Result_Cookie As String

Function Calculating_Cookie_Name(ByVal CHAINE1 As String)

' For this script, we need to work with 32 bits unsigned integer.
' VBA does not support unsigned int of 32 bits. An integer is only 16 bits
' and a Long var is 32 bits signed. To simulate a 32 bits unsigned integer,
' we use an double and subtract all numbers with the tops from the 32th bit
' Thanks for Derek Huckaby and Paul Zimmerman from Cisco for their helps
' Herve Benattar AXA TECH GNSD

Dim Dbl_64bits_Tmp1, Dbl_64bits_Tmp2, hashValue, hashMultiplier As Double
Dim ix As Integer

hashValue = 5381
hashMultiplier = 32
ix = 0

Lng_Chaine = Len(CHAINE1)

For ix = 0 To (Lng_Chaine - 1) Step 1
'MAX Value 4294967295*32+5381 = 137438958821
Dbl_64bits_Tmp2 = hashValue * hashMultiplier + hashValue
'MAX value 127 or 255 with Extended ASCII Codes
Dbl_64bits_Tmp1 = CDbl(Asc(Mid(CHAINE1, ix + 1, 1)))
'MAX 137438958821+255 = 137438959076 = 100000 00000000000000000001010111100100(2)
hashValue = Dbl_64bits_Tmp2 + Dbl_64bits_Tmp1

Try_Again:
Select Case hashValue
'39th bits to 1 (Normaly none use with MAX)
Case Is >= 545460846592#
hashValue = hashValue - 545460846592#
GoTo Try_Again
'38th bits to 1
Case Is >= 270582939648#
hashValue = hashValue - 270582939648#
GoTo Try_Again
'37th bits to 1
Case Is >= 133143986176#
hashValue = hashValue - 133143986176#
GoTo Try_Again
'36th bits to 1
Case Is >= 64424509440#
hashValue = hashValue - 64424509440#
GoTo Try_Again
'35th bits to 1
Case Is >= 30064771072#
hashValue = hashValue - 30064771072#
GoTo Try_Again
'34eme bits to 1
Case Is >= 12884901888#
hashValue = hashValue - 12884901888#
GoTo Try_Again
'33eme bits to 1
Case Is >= 4294967296#
hashValue = hashValue - 4294967296#
GoTo Try_Again
End Select

'MsgBox "Value: R" & hashValue

Next

Result_Cookie = "R" & hashValue

End Function

Private Sub CommandButton1_Click()

ActiveSheet.Range("A2").Select

While (Not IsEmpty(ActiveCell.Value))
serverFarmName = ActiveCell.Value
realServerName = ActiveCell.Offset(0, 1).Value
port = ActiveCell.Offset(0, 2).Value

cookieInsertStr = serverFarmName & ":" & realServerName & ":" & port

Calculating_Cookie_Name (cookieInsertStr)
ActiveCell.Offset(0, 3) = Result_Cookie
ActiveCell.Offset(1, 0).Select
Wend

End Sub
</pre>

==show running-config ==

<pre>ACE-1/routed# show run
Generating configuration....

access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

rserver host lnx1
ip address 192.168.1.11
inservice
rserver host lnx2
ip address 192.168.1.12
inservice
rserver host lnx3
ip address 192.168.1.13
inservice
rserver host lnx4
ip address 192.168.1.14
inservice

serverfarm host imagefarm
rserver lnx3
inservice
rserver lnx4
inservice
serverfarm host webfarm
rserver lnx1
inservice
rserver lnx2
inservice

sticky http-cookie ACE-Insert web-sticky
cookie insert browser-expire
timeout 5
serverfarm webfarm

class-map type http loadbalance match-all images
2 match http url /images/.*

class-map match-all slb-vip
2 match virtual-address 172.16.1.101 any

policy-map type management first-match remote-access
class class-default
permit

policy-map type loadbalance http first-match slb
class images
serverfarm imagefarm
class class-default
sticky-serverfarm web-sticky

policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb

interface vlan 20
description "Client Side"
ip address 172.16.1.5 255.255.255.0
access-group input everyone
service-policy input client-vips
no shutdown

interface vlan 40
description "Default gateway of real servers"
ip address 192.168.1.1 255.255.255.0
service-policy input remote-access
no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.1.1</pre>

==Related Information==
[http://www.cisco.com/web/psa/products/index.html Technical Support & Documentation - Cisco Systems]

===Hash output Examples===
For the developer we have provided the following outputs as the hash is being calculated to all you to check your code against a working example.

<pre>
[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl zzzzzzz zzzzzz 65535
Value: R177695
Value: R5864057
Value: R193514003
Value: R2090994925
Value: R283355911
Value: R760810593
Value: R3631913211
Value: R3889019029
Value: R3783576495
Value: R303972873
Value: R1441170339
Value: R313981053
Value: R1771440279
Value: R2622954481
Value: R658152011
Value: R244179937
Value: R3762970678
Value: R3918948139
Value: R476269758
Value: R2832000179
Final Value: R2832000179

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-SIEBEL-INTEGR ppclsrobj
web1 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650891
Value: R2915198964
Value: R1712285369
Value: R670842395
Value: R662962624
Value: R402930188
Value: R411794361
Value: R704312098
Value: R1767462832
Value: R2491698692
Value: R621678281
Value: R3335514160
Value: R2697784962
Value: R3127557884
Value: R130195180
Value: R1473756
Value: R48634047
Value: R1604923659
Value: R1422873310
Value: R4005146384
Value: R3320811903
Value: R2212610497
Value: R1702475
Value: R56181794
Value: R1853999303
Value: R1052434953
Value: R370615130
Value: R3640364756
Value: R4167920012
Value: R102406972
Final Value: R102406972

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-SIEBEL-INTEGR ppclsrobj
web2 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650891
Value: R2915198964
Value: R1712285369
Value: R670842395
Value: R662962624
Value: R402930188
Value: R411794361
Value: R704312098
Value: R1767462832
Value: R2491698692
Value: R621678281
Value: R3335514160
Value: R2697784962
Value: R3127557884
Value: R130195180
Value: R1473756
Value: R48634047
Value: R1604923659
Value: R1422873310
Value: R4005146384
Value: R3320811903
Value: R2212610497
Value: R1702475
Value: R56181794
Value: R1853999303
Value: R1052434953
Value: R370615131
Value: R3640364789
Value: R4167921101
Value: R102442909
Final Value: R102442909

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-DAISY-METIER_80 INDAMET
01 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650876
Value: R2915198461
Value: R1712268774
Value: R670294777
Value: R644891250
Value: R4101542111
Value: R2206903564
Value: R4108340945
Value: R2431265093
Value: R2922336814
Value: R1947834419
Value: R4148993765
Value: R3772808164
Value: R4243585180
Value: R2599357516
Value: R4174419462
Value: R316888847
Value: R1867397437
Value: R1494573345
Value: R2076280194
Value: R4092737039
Value: R1916336180
Value: R3109551880
Value: R3830964280
Value: R1867769705
Value: R1506858179
Value: R2481679707
Value: R291051755
Final Value: R291051755

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-DAISY-METIER_80 INDAMET
02 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650876
Value: R2915198461
Value: R1712268774
Value: R670294777
Value: R644891250
Value: R4101542111
Value: R2206903564
Value: R4108340945
Value: R2431265093
Value: R2922336814
Value: R1947834419
Value: R4148993765
Value: R3772808164
Value: R4243585180
Value: R2599357516
Value: R4174419462
Value: R316888847
Value: R1867397437
Value: R1494573345
Value: R2076280194
Value: R4092737039
Value: R1916336180
Value: R3109551880
Value: R3830964280
Value: R1867769706
Value: R1506858212
Value: R2481680796
Value: R291087692
Final Value: R291087692

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-DAISY-METIER_80 INDAMET
03 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650876
Value: R2915198461
Value: R1712268774
Value: R670294777
Value: R644891250
Value: R4101542111
Value: R2206903564
Value: R4108340945
Value: R2431265093
Value: R2922336814
Value: R1947834419
Value: R4148993765
Value: R3772808164
Value: R4243585180
Value: R2599357516
Value: R4174419462
Value: R316888847
Value: R1867397437
Value: R1494573345
Value: R2076280194
Value: R4092737039
Value: R1916336180
Value: R3109551880
Value: R3830964280
Value: R1867769707
Value: R1506858245
Value: R2481681885
Value: R291123629
Final Value: R291123629

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-DAISY-METIER_80 INDAMET
04 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650876
Value: R2915198461
Value: R1712268774
Value: R670294777
Value: R644891250
Value: R4101542111
Value: R2206903564
Value: R4108340945
Value: R2431265093
Value: R2922336814
Value: R1947834419
Value: R4148993765
Value: R3772808164
Value: R4243585180
Value: R2599357516
Value: R4174419462
Value: R316888847
Value: R1867397437
Value: R1494573345
Value: R2076280194
Value: R4092737039
Value: R1916336180
Value: R3109551880
Value: R3830964280
Value: R1867769708
Value: R1506858278
Value: R2481682974
Value: R291159566
Final Value: R291159566

[root@atl-tme-linux cookie]# ./ace-cookie-value.tcl FARM-DAISY-METIER_80 INDAMET
05 80
Value: R177643
Value: R5862284
Value: R193455454
Value: R2089062763
Value: R219594488
Value: R2951650876
Value: R2915198461
Value: R1712268774
Value: R670294777
Value: R644891250
Value: R4101542111
Value: R2206903564
Value: R4108340945
Value: R2431265093
Value: R2922336814
Value: R1947834419
Value: R4148993765
Value: R3772808164
Value: R4243585180
Value: R2599357516
Value: R4174419462
Value: R316888847
Value: R1867397437
Value: R1494573345
Value: R2076280194
Value: R4092737039
Value: R1916336180
Value: R3109551880
Value: R3830964280
Value: R1867769709
Value: R1506858311
Value: R2481684063
Value: R291195503
Final Value: R291195503
</pre>



[[Category:Data Center Application Services Configuration Examples]]

Session Persistence Using Cookie Insert on the Cisco Application Control Engine Configuration Example

2011-01-31T22:58:14Z

Dhuckaby: /* ACE configured with “cookie insert browser-expire” */

Session Persistence Using Cookie Insert on the Cisco Application Control Engine Configuration Example

2011-01-31T22:57:14Z

Dhuckaby: /* ACE configured with “cookie insert” */

Basic Load Balancing Using One Arm Mode with Source NAT on the Cisco Application Control Engine Configuration Example

2010-10-03T14:53:48Z

Dhuckaby:

{{Template:Required Metadata}}
==Goal==

Configure basic load balancing (Layer 3) where client traffic enters on one VLAN and Network Address Translation (NAT) is used when sending the client request out the same VLAN to the servers. The servers will respond to the Cisco® Application Control Engine (ACE), where the server’s IP is replaced with the VIP and the response message is sent to the client via the multilayer switch feature card (MSFC).

==Design==

Clients will send application requests through the MFSC, which routes them to a virtual IP address (VIP) within ACE. The VIP used in this example resides in an ACE context, which is configured with a single VLAN to handle client and server communication (Figure 1.). Client requests will arrive at the VIP and the Cisco ACE will pick the appropriate server to handle the request. ACE will rewrite the destination IP to that of the rserver and rewrite the source IP with one from a nat-pool. Once the client request is fully NAT’d it will be sent to the server over the same VLAN which it was originally received. The server will respond to the Cisco ACE, based on the source IP of the request. The Cisco ACE will receive the response, change the source IP to be the VIP, and send it to the MSFC. The MSFC will forward the response to the client.

[[Image:Basic Load Balancing Using Bridged Mode on ACE.jpg]]

==Configuration==

The Cisco ACE needs to be configured via access control lists (ACLs) to allow traffic into the Cisco ACE data plane. After the ACL checks are made, a service policy, which is applied to the interface, is used to classify traffic destined for the VIP. The VIP is associated with a load-balancing action within the multimatch policy. The load-balancing action tells the Cisco ACE how to handle traffic that has been directed to a VIP. In this example, all traffic is sent to a server farm, where it is distributed in round-robin fashion to one of five real servers. The Cisco ACE configuration occurs in layers, such that it builds from the real IPs to applying the VIP on an interface. Due to this layered structure, it is optimal to create the configuration by working backward from the way the flow is processed. Thus, to enable server load balancing you need to do the following:

* Enable ACLs to allow data traffic through the Cisco ACE device, as it is denied by default.
* Configure the IPs of the servers (define rservers).
* Group the real servers (create a server farm).
* Define the virtual IP address (VIP).
* Define how traffic is to be handled as it is received (create a policy map for load balancing).
* Associate a VIP to a handling action (create a multimatch policy map [a service policy])
* Create client- and server-facing interfaces.
* Apply the VIP and ACL permitting client connections to the interface (apply access group and service policy to interface).

To begin the configuration, create an access list for permitting client connections.

<pre>ACE-1/onearm(config)# access-list everyone extended permit ip any any
ACE-1/onearm(config)# access-list everyone extended permit icmp any any</pre>

{{note|Although this example shows a “permit any any,” it is recommended that ACLs be used to permit only the traffic you want allow through the Cisco ACE. In the past, server load-balancing (SLB) devices have used the VIP and port alone to protect servers. Within the Cisco ACE, ACLs are processed first, and thus dropping traffic using an ACL requires fewer resources than dropping it once it passes the ACLs and reaches the VIP. }}

The Cisco ACE needs to know the IP address of the servers available to handle client connections. The rserver command is used to define the IP address of the service. In addition, each rserver must be place in service for it to be used. The benefit of this design is that no matter how many applications or services an rserver hosts, the entire real server can be completely removed from the load-balancing rotation by issuing a single “no inservice” or “no inservice-standby” command at the rserver level. This is very beneficial for users needing to upgrade or patch an rserver, because they no longer have to go to each application and remove each instance of the rserver.

<pre>ACE-1/onearm(config)# rserver lnx1
ACE-1/onearm(config-rserver-host)# ip add 192.168.1.11
ACE-1/onearm(config-rserver-host)# inservice
ACE-1/onearm(config-rserver-host)# rserver lnx2
ACE-1/onearm(config-rserver-host)# ip add 192.168.1.12
ACE-1/onearm(config-rserver-host)# inservice
ACE-1/onearm(config-rserver-host)# rserver lnx3
ACE-1/onearm(config-rserver-host)# ip add 192.168.1.13
ACE-1/onearm(config-rserver-host)# inservice
ACE-1/onearm(config-rserver-host)# rserver lnx4
ACE-1/onearm(config-rserver-host)# ip add 192.168.1.14
ACE-1/onearm(config-rserver-host)# inservice
ACE-1/onearm(config-rserver-host)# rserver lnx5
ACE-1/onearm(config-rserver-host)# ip add 192.168.1.15
ACE-1/onearm(config-rserver-host)# inservice</pre>

Now group the rservers to be used to handle client connections into a server farm. Again, the rserver must be placed in service. This allows a single instance of an rserver to be manually removed from rotation.

<pre>ACE-1/onearm(config-cmap)# serverfarm web
ACE-1/onearm(config-sfarm-host)# rserver lnx1
ACE-1/onearm(config-sfarm-host-rs)# inservice
ACE-1/onearm(config-sfarm-host-rs)# rserver lnx2
ACE-1/onearm(config-sfarm-host-rs)# inservice
ACE-1/onearm(config-sfarm-host-rs)# rserver lnx3
ACE-1/onearm(config-sfarm-host-rs)# inservice
ACE-1/onearm(config-sfarm-host-rs)# rserver lnx4
ACE-1/onearm(config-sfarm-host-rs)# inservice
ACE-1/onearm(config-sfarm-host-rs)# rserver lnx5
ACE-1/onearm(config-sfarm-host-rs)# inservice</pre>

Use a class map to define the VIP to which clients will send their requests. In this example, the VIP is considered L3 (Layer 3) because there is a match on any port. If the VIP were to match only HTTP traffic, the match would be bound to port 80 and considered an L4 (Layer 4) VIP. (For example, “match virtual-address 172.16.1.100 tcp eq 80”).

<pre>ACE-1/onearm(config)# class-map slb-vip
ACE-1/onearm(config-cmap)# match virtual-address 172.16.5.100 any</pre>

Next define the action to take when a new client request arrives. In this case, all traffic will be sent to the “web” serverfarm. This type of load balancing is considered L4 since only class-default is used.

<pre>ACE-1/onearm(config)# policy-map type loadbalance first-match slb
ACE-1/onearm(config-pmap-lb)# class class-default
ACE-1/onearm(config-pmap-lb-c)# serverfarm web</pre>

Since the VIPs and load-balancing actions are defined independently, they must be associated so that the Cisco ACE knows how to handle traffic destined for a VIP. The association is made using a multimatch policy map. Keep in mind that multimatch policy maps are applied to interfaces as service policies. “nat dynamic” is configured to make the Cisco ACE source NAT all client requests. The nat-pool will be defined in a later step.

<pre>ACE-1/onearm(config)# policy-map multi-match client-vips
ACE-1/onearm(config-pmap)# class slb-vip
ACE-1/onearm(config-pmap-c)# loadbalance policy slb
ACE-1/onearm(config-pmap-c)# loadbalance vip inservice
ACE-1/onearm(config-pmap-c)# nat dynamic 5 vlan 50</pre>

At this point the interface VLAN can be created to interconnect the Cisco ACE to the network.

<pre>ACE-1/onearm(config)# interface vlan 50
ACE-1/onearm(config-if)# description “Client-Sever VLAN”
ACE-1/onearm(config-if)# ip address 172.16.5.5 255.255.255.0
ACE-1/onearm(config-if)# no shutdown</pre>

The last step is to apply the ACL and service policy (policy-map multi-match) to the client side interface. Both the access group and service policy are applied on the input side of the interface. The nat-pool is also created, for use in the multi-match policy.

<pre>ACE-1/onearm(config)# interface vlan 50
ACE-1/onearm(config-if)# access-group input everyone
ACE-1/onearm(config-if)# service-policy input client-vips
ACE-1/onearm(config-if)# nat-pool 5 172.16.5.200 172.16.5.209 netmask 255.255.255.0 pat</pre>

{{note|There is no need to add an access group to the server side, as the Cisco ACE automatically creates pinholes to allow server response traffic to pass back to the client.}}

==Related show Commands ==

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the [https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl Output Interpreter Tool (registered customers only)], which allows you to view an analysis of show command output.

<pre>ACE-1/onearm #show arp
ACE-1/onearm #show acl
ACE-1/onearm #show service-policy client-vips
ACE-1/onearm #show serverfarm
ACE-1/onearm #show rserver
ACE-1/onearm #show stats</pre>

==Comments==

Once you’ve completed the configuration, verify that the Cisco ACE has an Address Resolution Protocol (ARP) response for each rserver and the default route to the client. Check the ACL hits to ensure that client connections are being accepted. Check the service policy output to see the client connection hits, and verify that the server is responding with response packets. The “show” command for serverfarm and rserver can be used to display the exact rserver handling the connection and the amount of work the entire server farm has handled. The “show stats” command provides a higher level of monitoring of ACE load balancing, inspection, probes, and other important metrics.

==show running-config ==

<pre>ACE-1/onearm# sho run
Generating configuration....

access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

rserver host lnx1
ip address 192.168.1.11
inservice
rserver host lnx2
ip address 192.168.1.12
inservice
rserver host lnx3
ip address 192.168.1.13
inservice
rserver host lnx4
ip address 192.168.1.14
inservice
rserver host lnx5
ip address 192.168.1.15
inservice

serverfarm host web
rserver lnx1
inservice
rserver lnx2
inservice
rserver lnx3
inservice
rserver lnx4
inservice
rserver lnx5
inservice

class-map match-all slb-vip
2 match virtual-address 172.16.5.100 any

policy-map type management first-match remote-access
class class-default
permit

policy-map type loadbalance first-match slb
class class-default
serverfarm web

policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
nat dynamic 5 vlan 50

interface vlan 50
description "Client-Server VLAN"
ip address 172.16.5.5 255.255.255.0
access-group input everyone
service-policy input client-vips
service-policy input remote-access
nat-pool 5 172.16.5.200 172.16.5.209 netmask 255.255.255.0 pat
no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.5.1</pre>

==Related Information==
[http://www.cisco.com/web/psa/products/index.html Technical Support & Documentation - Cisco Systems]



[[Category:Data Center Application Services Configuration Examples]]

File:Basic Load Balancing Using Bridged Mode on ACE.jpg

2010-10-03T14:53:31Z

Dhuckaby:

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-06-29T20:11:39Z

Dhuckaby: /* ACE Performance Numbers */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

== ACE Performance Numbers and Resource Limits ==

'''Datasheet Numbers'''
The performance numbers presented here have been obtained under very specific controlled conditions. The configurations
and traffic profiles used were chosen to maximize the performance outcome for the given test. Customer environments where configuration combinations and traffic profiles are much more complex may not produce the same results.
In order to obtain performance numbers specific to a particular customer, testing with that customer’s feature combination and traffic profile is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

 

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|SLB L4 bps
|4, 8, or 16 Gbps
|.5, 1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 
 
 

===Security-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 

===Management-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-06-29T20:07:28Z

Dhuckaby: /* ACE Performance Numbers */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

== ACE Performance Numbers and Resource Limits ==

'''Datasheet Numbers'''
The performance numbers presented here have been obtained under very specific controlled conditions. The configurations
and traffic profiles used were chosen to maximize the performance outcome for the given test. Customer environments where configuration combinations and traffic profiles are much more complex may not produce the same results.
In order to obtain performance numbers specific to a particular customer, testing with that customer’s feature combination and traffic profile is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

 

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 
 
 

===Security-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 

===Management-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-06-29T02:12:30Z

Dhuckaby: /* SLB-Related Limits */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

== ACE Performance Numbers and Resource Limits ==

'''Datasheet Numbers'''
The performance numbers presented here have been obtained under very specific controlled conditions. The configurations
and traffic profiles used were chosen to maximize the performance outcome for the given test. Customer environments where configuration combinations and traffic profiles are much more complex may not produce the same results.
In order to obtain performance numbers specific to a particular customer, testing with that customer’s feature combination and traffic profile is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

 

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 
 
 

===Security-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 

===Management-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-06-29T02:12:14Z

Dhuckaby: /* SLB-Related Limits */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

== ACE Performance Numbers and Resource Limits ==

'''Datasheet Numbers'''
The performance numbers presented here have been obtained under very specific controlled conditions. The configurations
and traffic profiles used were chosen to maximize the performance outcome for the given test. Customer environments where configuration combinations and traffic profiles are much more complex may not produce the same results.
In order to obtain performance numbers specific to a particular customer, testing with that customer’s feature combination and traffic profile is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

 

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 
 
 

===Security-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 

===Management-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-06-29T02:11:56Z

Dhuckaby: /* SLB-Related Limits */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

== ACE Performance Numbers and Resource Limits ==

'''Datasheet Numbers'''
The performance numbers presented here have been obtained under very specific controlled conditions. The configurations
and traffic profiles used were chosen to maximize the performance outcome for the given test. Customer environments where configuration combinations and traffic profiles are much more complex may not produce the same results.
In order to obtain performance numbers specific to a particular customer, testing with that customer’s feature combination and traffic profile is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

 

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 
 
 

===Security-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 

===Management-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-06-29T02:11:26Z

Dhuckaby: /* SLB-Related Limits */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

== ACE Performance Numbers and Resource Limits ==

'''Datasheet Numbers'''
The performance numbers presented here have been obtained under very specific controlled conditions. The configurations
and traffic profiles used were chosen to maximize the performance outcome for the given test. Customer environments where configuration combinations and traffic profiles are much more complex may not produce the same results.
In order to obtain performance numbers specific to a particular customer, testing with that customer’s feature combination and traffic profile is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

 

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 

===Security-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 

===Management-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-06-29T02:09:42Z

Dhuckaby:

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

== ACE Performance Numbers and Resource Limits ==

'''Datasheet Numbers'''
The performance numbers presented here have been obtained under very specific controlled conditions. The configurations
and traffic profiles used were chosen to maximize the performance outcome for the given test. Customer environments where configuration combinations and traffic profiles are much more complex may not produce the same results.
In order to obtain performance numbers specific to a particular customer, testing with that customer’s feature combination and traffic profile is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

 

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 

===Security-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 

===Management-Related Limits===
'''Scalability Numbers'''
The scalability numbers provided here are meant to provide guidelines related to configuration scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular customer, testing with that customer’s feature combination is strongly recommended before any commitment on ACE performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T23:03:24Z

Dhuckaby: /* Management-Related Limits */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

 

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
|

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|(4096 interfaces x 128 service policies per interface ) * 21 contexts
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 

===Security-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|8,192
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 

===Management-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T23:02:46Z

Dhuckaby:

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

 

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
|

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|(4096 interfaces x 128 service policies per interface ) * 21 contexts
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 

===Management-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T23:01:48Z

Dhuckaby:

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
|

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|(4096 interfaces x 128 service policies per interface ) * 21 contexts
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

===Security-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|8,192
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 

===Management-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T23:00:38Z

Dhuckaby: /* SLB-Related Limits */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

 


== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
|

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|(4096 interfaces x 128 service policies per interface ) * 21 contexts
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

===Security-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|8,192
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 

===Management-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T22:50:17Z

Dhuckaby: /* SLB-Related Limits */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

 


== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
| -

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|
|}

 

===Security-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|8,192
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 

===Management-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T22:49:51Z

Dhuckaby: /* Security-Related Limits */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

 


== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
| -

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 



===Security-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|8,192
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 

===Management-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T22:49:32Z

Dhuckaby: /* SLB-Related Limits */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

 


== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
| -

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 

===Security-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|8,192
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 

===Management-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T22:49:10Z

Dhuckaby: /* Table 4. Management-Related Limits */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

 


== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
| -

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 

 

===Security-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|8,192
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 

===Management-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T22:48:40Z

Dhuckaby: /* Table 3. Security-Related Limits */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

 


== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
| -

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 

 

===Security-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|8,192
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 

===Table 4. Management-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T22:48:17Z

Dhuckaby: /* SLB-Related Limits */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

 


== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
| -

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 

===Table 3. Security-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|8,192
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 


===Table 4. Management-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T22:47:44Z

Dhuckaby: /* ACE Performance Numbers */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

 


== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
| -

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 

===Table 3. Security-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|8,192
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 


===Table 4. Management-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T22:47:24Z

Dhuckaby: /* Table 2. SLB-Related Limits */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

 


== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 

===SLB-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
| -

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 

===Table 3. Security-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|8,192
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 


===Table 4. Management-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T22:46:29Z

Dhuckaby: /* Table 1. ACE Performance Numbers */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

 


== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

===ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

===Table 2. SLB-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
| -

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 


===Table 3. Security-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|8,192
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 


===Table 4. Management-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T22:46:00Z

Dhuckaby:

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

 


== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

===Table 1. ACE Performance Numbers===

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 


===Table 2. SLB-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
| -

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 


===Table 3. Security-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|8,192
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 


===Table 4. Management-Related Limits===

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T22:44:28Z

Dhuckaby:

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

 


== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

'''''Table 1. ACE Performance Numbers'''''

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 


'''''Table 2. SLB-Related Limits'''''

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
| -

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 


'''''Table 3. Security-Related Limits'''''

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|8,192
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 


'''''Table 4. Management-Related Limits'''''

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T22:44:04Z

Dhuckaby: /* ACE Performance Numbers and Resource Limits */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

 


== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

'''''Table 1. ACE Performance Numbers'''''

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 


'''''Table 2. SLB-Related Limits'''''

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
| -

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|4,096
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 


'''''Table 3. Security-Related Limits'''''

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|8,192
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Static NAT Policies
|4096
|4096
|4096
|

|-
|Dynamic NAT Policies
|4096
|4096
|4096
|

|-
|Maximum of addresses in a NAT pool
|64
|64
|32
|

|-
|Maximum of addresses in a PAT pool
|63k
|63k
|63l
|

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|}

 


'''''Table 4. Management-Related Limits'''''

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T19:46:39Z

Dhuckaby:

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

 


== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

'''''Table 1. ACE Performance Numbers'''''

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 


'''''Table 2. SLB-Related Limits'''''

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|128,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
| -

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 


'''''Table 3. Security-Related Limits'''''

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|Dynamic NAT IPs
|4096 policies
|4096 policies
|c
|Maximum of 63,000 addresses in a NAT pool

|-
|Dynamic NAT Ports (PAT)
|4096 policies
|4096 policies
|
|Maximum of 32 addresses in a PAT pool

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|-
|Static NAT IPs
|4096 policies
|4096 policies
|
|Maximum of 63,000 addresses in a NAT pool

|-
|Static NAT Ports (PAT)Maximum of 32 addresses in a PAT pool
|4096 policies
|4096 policies
|
|Maximum of 32 addresses in a PAT pool

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|}

 


'''''Table 4. Management-Related Limits'''''

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits

2010-04-16T10:25:58Z

Dhuckaby: /* ACE Performance Numbers and Resource Limits */

This article describes the ACE system limits and performance numbers for various resources and configuration objects.

{| align="right" border="1" cellspacing = "0"
|align="center"|'''Guide Contents'''
|-
|[[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x)|Main Article]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Overview of ACE Module Troubleshooting|Overview of ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Understanding the ACE Module Architecture and Traffic Flow|Understanding the ACE Module Architecture and Traffic Flow]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Preliminary ACE Module Troubleshooting|Preliminary ACE Module Troubleshooting]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Boot Issues|Troubleshooting ACE Boot Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting with ACE Logging|Troubleshooting with ACE Logging]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Connectivity|Troubleshooting Connectivity]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Remote Access|Troubleshooting Remote Access]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Access Control Lists|Troubleshooting Access Control Lists]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Network Address Translation|Troubleshooting Network Address Translation]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting ACE Health Monitoring|Troubleshooting ACE Health Monitoring]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 4 Load Balancing|Troubleshooting Layer 4 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Layer 7 Load Balancing|Troubleshooting Layer 7 Load Balancing]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Redundancy|Troubleshooting Redundancy]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting SSL|Troubleshooting SSL]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Troubleshooting Performance Issues|Troubleshooting Performance Issues]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- ACE Module Resource Limits|ACE Module Resource Limits]] [[Cisco Application Control Engine (ACE) Module Troubleshooting Guide, Release A2(x) -- Managing Resources|Managing ACE Resources]] 
|}

__TOC__

 


== ACE Performance Numbers and Resource Limits ==

The following ACE limits and performance numbers were obtained in a laboratory setting under optimal conditions. These numbers should be used as
guidelines only and may vary based on your production-specific environment.

'''''Table 1. ACE Performance Numbers'''''

{| width=100% align="left" border="1" cellspacing = "0"
|-
|'''Performance Measurement'''
|'''ACE Module Maximum Value'''
|'''ACE Appliance Maximum Value'''

|-
|Max number of 10/100 Mbps ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Max number of Gigabit ports
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4

|-
|Switching Capacity
|Catalyst 6500 series switch or Cisco 7600 series router limit
|4 Gbps

|-
|SLB L4 bps
|4, 8, or 16 Gbps
|1, 2, or 4 Gbps

|-
|SLB L4 Connections per Second (CPS)
|325,000
|120,000

|-
|SLB L7 Maximum CPS
|133,000
|40,000

|-
|Concurrent L4 Sessions
|4,000,000
|1,000,000

|-
|Concurrent L7 Sessions
|512,000
|128,000

|-
|Packets per Second (PPS)
|4,000,000+
|1,800,000 @ 64 bytes, 162,000 @ 1500 bytes

|-
|SSL Bandwidth
|3.3 Gbps
|1 Gbps

|-
|SSL Transactions per Second (TPS)
|15,000
|7,500

|-
|Concurrent SSL Sessions
|200,000
|100,000

|}

 


'''''Table 2. SLB-Related Limits'''''

{| align="left" border="1" cellspacing = "0"
|-
|'''SLB-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ARP Entries
|32,768
|32,768
|32,768
|

|-
|Bridge Table Entries
|32,768
|32,768
|32,768
|A few are reserved for L2 interafces, redundancy, and so on.

|-
|Bridge-Group Virtual Interfaces (BVIs)
|4096
|2048
|512
|

|-
|Class Maps (L4 and L7)
|8192
|8192
|8192
|
|When load balancing on a specific client's source IP address there is a limit of 16k source address matches. There is a limit of 1000 per class-map. The source-address match limit of 16k is for applied matches. Thus you cannot LB on more than 16K source address matches at any given time.

|-
|Concurrent Conns L4 (Unproxied)
|4,000,000
|4,000,000
|1,000,000
|

|-
|Concurrent Connections L7 (Proxied)
|512,000
|512,000
|256,000
|

|-
|Domains
|2,500
|10 (9)
|10 (9 per context)
|One is used for the default domain.

|-
|Domain Objects
|None
|None
|None
|Any object within the virtual partition can be added to a domain.

|-
|Logical Interfaces
|8,192
|8,192
|8,192
| -

|-
|Matches Per VIP
|1,024
|1,024
|1,024
|A VIP (L4 class map under L4 policy map) can have only 1024 URL, 1024 header, or 1024 cookie matches. The rewrite rules are compiled at the L7 policy level, so to be safe, do not configure more than 1024 header rewrite or deletion rules per action list (delete uses regex also). Header insert is not affected.

|-
|Policy Maps
|4,096
|4,096
|4,096
|Total number of policy maps, including L7, inspection, and all types

|-
|Probe definitions
|4,096
|4,096
|1,024
|

|-
|Probe Instances
|16,384
|16,384
|4,096
|

|-
|Real Servers
|16,384
|16,384
|4,096
|

|-
|Resource Classes
|100 (99)
|1
|100 (99)
|One is used for the default class.

|-
|Roles
|4,000
|16 (8)
|16 (8) per context
|Eight are predefined.

|-
|Server Farms
|16,384
|16,384
|1,024
|

|-
|Service Policies
|(4096 interfaces x 128 service policies per interface ) * 251 contexts
|4096 interfaces x 128 service policies per interface
|
|128 per interface, 128 globally per context

|-
|Simultaneous Probes
|2,500 sockets
|2,500 sockets
|2,500 sockets
|In ACE software version A2(x), probe sockets have been increased. Use the '''show resource internal socket''' command to check them. Increase the probe frequency to ensure that no more sockets are required than what is available for optimal operating conditions.

|-
|Sticky Groups
|4,096
|
|4,096
|

|-
|Sticky Table Entries
|4,000,000
|4,000,000
|800,000
|

|-
|Virtual Contexts
|251
|N/A
|21 (1 Admin context)
|250 user contexts + 1 Admin context

|-
|Virtual Server Farms
|4k (4094)
|4k (4094)
|1024
|

|-
|Virtual Servers (Same IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|Virtual Servers (Unique IP Addresses)
|4k (4094)
|4k (4094)
|1024
|No limit as on the CSM

|-
|VLANs
|4,000 (2-4094)
|4,000 (2-4094)
|4,000 (2-4094)
|

|}

 


'''''Table 3. Security-Related Limits'''''

{| align="left" border="1" cellspacing = "0"
|-
|'''Security Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance Limit'''
|'''Additional Information'''

|-
|ACLs
|8,192
|1,024 (practical limit)
|
|

|-
|ACL Entries
|64,000
|1,024 (practical limit)
|40K
|

|-
|Concurrent SSL Conns
|100,000
|100,000
|100,000
|Subset of L7 (proxied) connections

|-
|Dynamic NAT IPs
|4096 policies
|4096 policies
|c
|Maximum of 63,000 addresses in a NAT pool

|-
|Dynamic NAT Ports (PAT)
|4096 policies
|4096 policies
|
|Maximum of 32 addresses in a PAT pool

|-
|PAT Entries
|4,000,000
|4,000,000
|1,000,000
|

|-
|RSA key size
|up to 2048 bits
|up to 2048 bits
|up to 2048 bits
|Supported: 512, 786, 1536, 1024, & 2048 bits
Not supported: 3072 bits & 4096 bits

|-
|SSL Certs/Key files
|3800/3800
|3800/3800
|3800/3800
|This number is strictly enforced in A220, A214, and A322

|-
|Static NAT IPs
|4096 policies
|4096 policies
|
|Maximum of 63,000 addresses in a NAT pool

|-
|Static NAT Ports (PAT)Maximum of 32 addresses in a PAT pool
|4096 policies
|4096 policies
|
|Maximum of 32 addresses in a PAT pool

|-
|Total NAT Pools
|8,192
|8,192
|8,192
|

|-
|Xlates
|1,000,000
|1,000,000
|64,000
|

|}

 


'''''Table 4. Management-Related Limits'''''

{| align="left" border="1" cellspacing = "0"
|-
|'''Management-Related Object'''
|'''ACE Module System Limit'''
|'''ACE Module Context Limit'''
|'''ACE Appliance'''
|'''Additional Information'''

|-
|AAA LDAP Servers
|6,144
|8 (24 total)
|8
|

|-
|AAA RADIUS Servers
|2K (256*8)
|8 (24 total)
|8
|

|-
|AAA TACACS+ Servers
|6K (256*24)
|8 (24 total)
|8
|

|-
|Domains
|2500
|64 (63)
|64 (63)
|One domain is used for the default-domain and cannot be removed

|-
|Local Users
|7500
|30 (Admin context: 28)
|31 (including admin, www, and dm)
|

|-
|Objects within a Domain
|No limit
|No limit
|
|Any object within the virtual partition can be added to a domain

|-
|Resource-classes
|252
|Not applicable
|100
|

|-
|Roles
|4000
|16 (8)
|16 (8)
|Eight are predefined and cannot be altered, leaving eight for you to customize

|-
|SNMP Hosts
|No Limit
|10
|
|

|-
|SSH Sessions
|256
|4
|4
|

|-
|Syslog buffer size
|4 MB
|4 MB
|1 MB
|

|-
|Syslog CP rate
|5,000 per seconds
|5,000 per seconds
|3,000 per seconds
|

|-
|Syslog DP rate
|350,000 per second
|350,000 per second
|120,000 per second
|

|-
|Syslog history table size
|256 x 500
|500
|
|

|-
|Syslog Hosts
|256
|2
|2
|

|-
|Syslog internal queue size
|10 MB
|10 MB
|8,192 messages
|

|-
|Syslog persistence size
|1M
|1M
|
|

|-
|Syslog rate limit table size
|256 x 100
|100
|10,000 messages per sec
|

|-
|Telnet Sessions
|256
|4
|4
|

|}

File:Connection-teardown-4way4.jpg

2010-04-08T20:48:04Z

Dhuckaby: uploaded a new version of "Image:Connection-teardown-4way4.jpg"

File:Connection-teardown-4way3.jpg

2010-04-08T20:47:38Z

Dhuckaby: uploaded a new version of "Image:Connection-teardown-4way3.jpg"

File:Connection-teardown-4way2.jpg

2010-04-08T20:47:27Z

Dhuckaby: uploaded a new version of "Image:Connection-teardown-4way2.jpg"

File:Connection-teardown-4way1.jpg

2010-04-08T20:47:14Z

Dhuckaby: uploaded a new version of "Image:Connection-teardown-4way1.jpg"

File:Connection-teardown-3way3.jpg

2010-04-08T20:47:01Z

Dhuckaby: uploaded a new version of "Image:Connection-teardown-3way3.jpg"

File:Connection-teardown-3way2.jpg

2010-04-08T20:46:50Z

Dhuckaby: uploaded a new version of "Image:Connection-teardown-3way2.jpg"

File:Connection-teardown-3way1.jpg

2010-04-08T20:44:54Z

Dhuckaby: uploaded a new version of "Image:Connection-teardown-3way1.jpg"

File:Connection-teardown-3way1.jpg

2010-04-08T20:42:55Z

Dhuckaby: uploaded a new version of "Image:Connection-teardown-3way1.jpg"

File:Connection-teardown-RST.jpg

2010-04-01T09:25:53Z

Dhuckaby:

File:Connection-teardown-4way4.jpg

2010-04-01T09:25:41Z

Dhuckaby:

File:Connection-teardown-4way3.jpg

2010-04-01T09:25:26Z

Dhuckaby:

File:Connection-teardown-4way2.jpg

2010-04-01T09:25:03Z

Dhuckaby:

File:Connection-teardown-4way1.jpg

2010-04-01T09:24:45Z

Dhuckaby:

File:Connection-teardown-3way3.jpg

2010-04-01T09:23:49Z

Dhuckaby:

File:Connection-teardown-3way2.jpg

2010-04-01T09:23:37Z

Dhuckaby:

File:Connection-teardown-3way1.jpg

2010-04-01T09:23:27Z

Dhuckaby: