Configuring Resource Management; Resource Limits - Cisco PIX 500 Series Configuration Manual

Configuring Resource Management

Resource Limits

When you create a class, the security appliance does not set aside a portion of the resources for each
context assigned to the class; rather, the security appliance sets the maximum limit for a context. If you
oversubscribe resources, or allow some resources to be unlimited, a few contexts can "use up" those
resources, potentially affecting service to other contexts.
You can set the limit for individual resources, as a percentage (if there is a hard system limit) or as an
absolute value.
You can oversubscribe the security appliance by assigning more than 100 percent of a resource across
all contexts. For example, you can set the Bronze class to limit connections to 20 percent per context,
and then assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than
the system limit, then each context gets less than the 20 percent you intended. (See
Figure 6-1
Max. 20%
(199,800)
(159,984)
(119,988)
(79,992)
(39,996)
If you assign an absolute value to a resource across all contexts that exceeds the practical limit of the
security appliance, then the performance of the security appliance might be impaired.
The security appliance lets you assign unlimited access to one or more resources in a class, instead of a
percentage or absolute number. When a resource is unlimited, contexts can use as much of the resource
as the system has available or that is practically available. For example, Context A, B, and C are in the
Silver Class, which limits each class member to 1 percent of the connections, for a total of 3 percent; but
the three contexts are currently only using 2 percent combined. Gold Class has unlimited access to
connections. The contexts in the Gold Class can use more than the 97 percent of "unassigned"
connections; they can also use the 1 percent of connections not currently in use by Context A, B, and C,
even if that means that Context A, B, and C are unable to reach their 3 percent combined limit. (See
Figure
have less control over how much you oversubscribe the system.
Cisco Security Appliance Command Line Configuration Guide
6-2
Resource Oversubscription
Total Number of System Connections = 999,900
16%
12%
8%
4%
1 2 3 4
Contexts in Class
6-2.) Setting unlimited access is similar to oversubscribing the security appliance, except that you
Chapter 6
5 6 7 8 9
Adding and Managing Security Contexts
Figure
Maximum connections
allowed.
Connections in use.
Connections denied
because system limit
was reached.
10
6-1.)
OL-12172-03