ACE system stability with multi-context

lxcollin1
Level 1

Question... if the ACE module is configured with multiple contexts, and one of the contexts hits its max resource limitations for a given resource thereby resulting in dropping excess resources, will this cost the entire ACE system, or is it limited only to the one context?

For example, if a context configured for a max of 3000 connections/second receives 300000000 connections/second due to a virus outbreak/DoS attack, will this attack affect other contexts, or will the dropping of the excess connections be seamless to other contexts? Also, does the ACE drop the excess traffic in hardware, or must it be examined by a cpu?

Thanks!!


-Lee

4 Replies

UHansen1976
Level 1

Generally, the individual contexts operate independently from one another. So if one context reaches its upper defined limit, that affects only that context.

The ACE has hardware-based support for many of its operations, and to the best of my knowledge, connection processing is handled by one of its 16 MEs (MicroEngines). I've never seen a benchmark test that shows how e.g. a DoS attack affects the entire module, nor have I tried it myself, but maybe someone else here at the forum can provide you with some information on that.

BTW, try and check out these two links. The first one describes the ACE hardware architecture, including the MEs and how they're used for processing traffic. The other one is a test conducted by Miercom on the ACE module; maybe this can provide you with some information on how the ACE handles a sudden increase in traffic during an attack.

http://www.cisco.com/en/US/customer/prod/collateral/modules/ps2706/ps6906/White_Paper_Connection_Handling_within_the_Cisco_Application_Control_Engine_Module_Hardware.html

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_brochure0900aecd806d1c90.pdf

hth

/Ulrich

Thanks for your reply Ulrich!

My question stems from my experience with FWSMs. FWSMs expose blade-wide issues when a single context has a host that is able to introduce a high number of pps across the FWSM. I am looking for a solution that does not allow a single host, within a single context, to affect an entire firewall.

Any experience here??

Thanks,

Lee

Found this thread, looks a lot like your question - https://supportforums.cisco.com/message/467988#467988

hth

/Ulrich

Like any device, in order to apply resource limit, the box needs to be able to store the packet and then apply a decision.

For that, the packet needs to make it to the ACE.

And for that it means the BW between the cat6k and ACE is not overloaded.

So, if your single device can send 16Gbps of traffic, it will consume all the BW between c6k and ACE.

ACE will correctly drop this traffic, but anyway the BW being full, other traffic will suffer from this.

There is no device in the world that can prevent this.

The only solution is to work upstream to rate-limit the traffic.

But if your host can't achieve 16Gbps, all traffic will make it to ACE and ACE can then drop the unwanted ones.

Gilles.
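As an added example, not taken from this thread or from Cisco's own documentation: an ACE resource-class that caps one context's share of the module's connection rate and concurrent connections, written in the ACE resource-class syntax with constructed class, context and VLAN names and constructed percentages. ACE expresses these limits as a percentage of the module-wide total, not as an absolute connections/second figure; the cap isolates other contexts as Ulrich describes, while Gilles' caveat still applies because the excess packets must reach the module over the Cat6k link before the cap can drop them.

```cisco
! Added example with constructed names and values (not from this thread).
! Each limit is a percentage of the module-wide total for that resource.
resource-class RC-WEB
  limit-resource all minimum 0.00 maximum unlimited
  ! Cap this class at 10% of the module's connection rate and do not let it
  ! borrow beyond that (equal-to-min), so a connection flood arriving in
  ! this context cannot consume the connection-rate budget of other contexts.
  limit-resource rate connections minimum 10.00 maximum equal-to-min
  ! Likewise cap the concurrent connections this context may hold.
  limit-resource conc-connections minimum 10.00 maximum equal-to-min

! Bind the context to the class; WEB and VLAN 100 are constructed values.
context WEB
  allocate-interface vlan 100
  member RC-WEB

! Check per-context consumption and denied requests against the caps.
show resource usage
```

Watch the denied counters in the `show resource usage` output for the limited context during a traffic surge; rising denials there with flat counters in the other contexts is the isolation behaviour the thread describes.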
