Cisco Systems OL-16647-01 Network Router User Manual


10-11
Cisco ASDM User Guide
OL-16647-01
Chapter 10 Configuring Security Contexts
Configuring Resource Classes
Classes and Class Members Overview
The security appliance manages resources by assigning contexts to resource classes. Each context uses
the resource limits set by the class. This section includes the following topics:
Resource Limits, page 10-11
Default Class, page 10-12
Class Members, page 10-13
Resource Limits
When you create a class, the security appliance does not set aside a portion of the resources for each
context assigned to the class; rather, the security appliance sets the maximum limit for a context. If you
oversubscribe resources, or allow some resources to be unlimited, a few contexts can “use up” those
resources, potentially affecting service to other contexts.
You can set the limit for individual resources, as a percentage (if there is a hard system limit) or as an
absolute value.
You can oversubscribe the security appliance by assigning more than 100 percent of a resource across
all contexts. For example, you can set the Bronze class to limit connections to 20 percent per context,
and then assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than
the system limit, then each context gets less than the 20 percent you intended. (See Figure 10-6.)
Figure 10-6 Resource Oversubscription
If you assign an absolute value to a resource across all contexts that exceeds the practical limit of the
security appliance, then the performance of the security appliance might be impaired.
The security appliance lets you assign unlimited access to one or more resources in a class, instead of a
percentage or absolute number. When a resource is unlimited, contexts can use as much of the resource
as the system has available or as is practically available. For example, Contexts A, B, and C are in the
Silver Class, which limits each class member to 1 percent of the connections, for a total of 3 percent; but
the three contexts are currently using only 2 percent combined. Gold Class has unlimited access to
connections. The contexts in the Gold Class can use more than the 97 percent of “unassigned”
connections; they can also use the 1 percent of connections not currently in use by Contexts A, B, and C,
even if that means that Contexts A, B, and C are unable to reach their 3 percent combined limit. (See
Figure 10-7.) Setting unlimited access is similar to oversubscribing the security appliance, except that
you have less control over how much you oversubscribe the system.
[Figure 10-6 Resource Oversubscription: bar chart of contexts 1 through 10 in the class, each with a maximum of 20% (199,800) of the Total Number of System Connections = 999,900. Legend: maximum connections allowed; connections in use; connections denied because system limit was reached.]
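An added example (not from the Cisco guide): a small Python audit of a class inventory that reports the committed percentage of connections, the shortfall if every limited context reached its cap at once, and which contexts can be denied their configured limit. The `ResourceClass` model, the context names, and the report keys are hypothetical; only the 999,900 total and the Bronze, Silver, and Gold figures come from the text.

```python
from dataclasses import dataclass, field
from typing import List, Optional

SYSTEM_CONNS = 999_900  # total system connections shown in Figure 10-6


@dataclass
class ResourceClass:  # hypothetical model, not an ASDM or appliance object
    name: str
    conn_pct: Optional[int]  # per-context connection limit in percent; None = unlimited
    contexts: List[str] = field(default_factory=list)


def audit_connections(classes, system_limit=SYSTEM_CONNS):
    """Summarise how far the connection limits of a set of classes can collide."""
    limited = [c for c in classes if c.conn_pct is not None]
    committed_pct = sum(c.conn_pct * len(c.contexts) for c in limited)
    unlimited = [c.name for c in classes if c.conn_pct is None and c.contexts]
    oversubscribed = committed_pct > 100
    # Connections requested if every limited context reached its cap at once.
    peak_demand = committed_pct * system_limit // 100
    # A limited context can miss its cap when the caps sum past 100 percent,
    # or when an unlimited class is free to consume whatever is not in use.
    exposed = oversubscribed or bool(unlimited)
    at_risk = sorted(x for c in limited for x in c.contexts) if exposed else []
    return {
        "committed_pct": committed_pct,
        "oversubscribed": oversubscribed,
        "shortfall": max(0, peak_demand - system_limit),
        "unassigned_pct": max(0, 100 - committed_pct),
        "unlimited_classes": unlimited,
        "at_risk_contexts": at_risk,
    }


# Constructed inventories mirroring the two scenarios in the text.
BRONZE = [ResourceClass("Bronze", 20, [f"ctx{i}" for i in range(1, 11)])]
SILVER_GOLD = [
    ResourceClass("Silver", 1, ["A", "B", "C"]),
    ResourceClass("Gold", None, ["D"]),  # "D" is a made-up Gold member
]

if __name__ == "__main__":
    for label, inventory in (("Bronze", BRONZE), ("Silver+Gold", SILVER_GOLD)):
        print(label, audit_connections(inventory))
```

An empty `at_risk_contexts` list means the limited classes sum to 100 percent or less and no unlimited class has members, so every context can reach its configured cap.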