ACE system stability with multi-context

Unanswered Question
Apr 24th, 2010

Question... if the ACE module is configured with multiple contexts, and one of the contexts hits its max resource limitations for a given resource thereby resulting in dropping excess resources, will this cost the entire ACE system, or is it limited only to the one context?

For example, if a context configured for a max of 3000 connections/second receives 300000000 connections/second due to a virus outbreak/DoS attack, will this attack affect other contexts, or will the dropping of the excess connections be seamless to other contexts? Also, does the ACE drop the excess traffic in hardware, or must it be examined by a CPU?



UHansen1976 Sun, 04/25/2010 - 08:10

Generally, the individual contexts operate independently from one another. So if one context reaches its defined upper limit, that affects only that context.

The ACE has hardware-based support for many of its operations, and to the best of my knowledge, connection processing is handled by one of its 16 MEs (MicroEngines). I've never seen a benchmark test that shows how e.g. a DoS attack affects the entire module, nor have I tried it myself, but maybe someone else here at the forum can provide you with some information on that.

BTW, try and check out these two links. The first one describes the ACE hardware architecture, including the MEs and how they're used for processing traffic. The second one is a test conducted by Miercom on the ACE module; maybe this can provide you with some information on how the ACE handles a sudden increase in traffic during an attack.



lxcollin1 Sun, 04/25/2010 - 18:24

Thanks for your reply Ulrich!

My question stems from my experience with FWSMs. FWSMs expose blade-wide issues when a single context has a host that is able to introduce a high number of pps across the FWSM. I am looking for a solution that does not allow a single host, within a single context, to affect an entire firewall.

Any experience here?



Gilles Dufour Mon, 04/26/2010 - 01:59

Like any device, in order to apply a resource limit, the box needs to be able to store the packet and then apply a decision.

For that, the packet needs to make it to the ACE.

And for that it means the BW between the cat6k and ACE is not overloaded.

So, if your single device can send 16Gbps of traffic, it will consume all the BW between c6k and ACE.

ACE will correctly drop this traffic, but with the BW being full anyway, other traffic will suffer from this.

There is no device in the world that can prevent this.

The only solution is to work upstream to rate-limit the traffic.

But if your host can't achieve 16Gbps, all traffic will make it to ACE and ACE can then drop the unwanted traffic.
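As an added illustration of the two points made in this thread (this is not configuration posted by any of the participants), here is an ACE resource class that gives each context a fixed share of the module's connection-setup rate, paired with an upstream Catalyst 6500 policer of the kind Gilles describes. Note that the ACE expresses resource limits as a percentage of the module's capacity rather than as an absolute connections/second figure. The context names, VLANs, percentages, ACL name, source subnet, interface and policing rate are all assumed values chosen for the example.

```cisco
! --- ACE module: per-context resource class (assumed names and values) ---
! Each member context gets 25% of the module's connection-setup rate and
! 25% of every other limitable resource. "maximum equal-to-min" means a
! context cannot borrow beyond its guaranteed share, so a connection flood
! hitting CTX-A exhausts only CTX-A's allocation, not CTX-B's.
resource-class QUARTER
  limit-resource all minimum 25.00 maximum equal-to-min
  limit-resource rate connections minimum 25.00 maximum equal-to-min

context CTX-A
  allocate-interface vlan 100
  member QUARTER

context CTX-B
  allocate-interface vlan 200
  member QUARTER

! --- Catalyst 6500, upstream of the ACE: police the offending source ---
! The ACE can only drop what reaches it. If a single host can fill the
! link between the supervisor and the module, the drop happens too late
! to protect the other contexts, so the excess is policed on the ingress
! interface before it ever competes for that shared bandwidth.
ip access-list extended CTX-A-CLIENTS
  permit ip 10.1.0.0 0.0.255.255 any

class-map match-all CTX-A-INGRESS
  match access-group name CTX-A-CLIENTS

policy-map POLICE-CTX-A
  class CTX-A-INGRESS
    ! 200 Mb/s committed rate with a 6,250,000-byte burst; traffic above
    ! that is dropped on the switch and never consumes the path to the ACE
    police 200000000 6250000 conform-action transmit exceed-action drop

interface GigabitEthernet1/1
  description Ingress from CTX-A clients
  service-policy input POLICE-CTX-A
```

The two controls cover different failure modes: the switch policer bounds bandwidth, so it protects the shared path to the module, while the ACE `rate connections` limit bounds connections per second inside the context, so a source that stays under the policer but opens many small connections is still capped within its own context. Verify the per-context accounting on the ACE with `show resource usage` and the policer counters on the switch with `show policy-map interface`.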


