Re: Crypto call admission - % based

From: Marvin Greenlee <mgreenlee_at_ine.com>
Date: Sun, 13 Jun 2010 00:28:03 -0400

Documentation implies that the calculation is done differently depending on
the platform. For the lower level platforms the value is (multiplier *
current usage) / 100, and in higher level platforms, it lists (multiplier *
current usage). Some of the confusion stems from the lower platforms still
having the range up to 100,000, which is a value that their calculations
will not achieve.

So, with a multiplier value (call admission load) that has a maximum value
of 1000 (default value of 100), the highest possible value on the higher
platform would be 100,000 (1000 * 100). Some of the higher level platforms
also have the command syntax options "call admission new-model" and "call
admission cpu-limit 75".

With a lower level platform, the highest value possible is 1000, since the
number is divided by 100.

The current metric value on the device can be viewed with "show call
admission statistics". If you are below the limit configured, you will be
able to attempt the connection. With the default multiplier of 100, and the
calculated value being divided by 100, limiting to a specific resource level
would be matching that same resource level, for example "call admission
limit 40".

To generate load on a router, you can ping a loopback with fragmented
traffic. In a batch of testing a while back, I found that a ping of 3600
bytes would sustain a CPU level of 40%, and a ping size of 8000 would
sustain a CPU of 80% (repeat count of roughly 2 billion to keep things
running for a while). Also, the load value is calculated based on CPU /
buffers / etc., so it will not correlate exactly to specific CPU values when
comparing the values for "show proc cpu hist" and "show call admission
statistics".

Regards,
Marvin Greenlee, CCIE #12237

--------------------------------------------------
From: "Sadiq Yakasai" <sadiqtanko_at_gmail.com>
Sent: Saturday, June 12, 2010 1:27 PM
To: "Cisco certification" <security_at_groupstudy.com>; "Cisco certification"
<ccielab_at_groupstudy.com>
Subject: Crypto call admission - % based

> Guys,
>
> Just a quick question on crypto call admission, based on percentage
> please. This is yet another area where the DocCD is just not very clear.
> If I had to configure CAC for IKE based on system resource usage in
> percentage, how would you go about this?
>
> Would you tune the load parameter? Or would you use the default value of
> 10000 charge units, and configure the "call admission limit 7500"?
>
> Please let me know. Thanks as usual,
>
> Sadiq
>
> --
> CCIE #19963
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Sun Jun 13 2010 - 00:28:03 ART
