ACS Performance & Scale
思科ACS目前还能支持的可能就是ACS5.8版本了,该版本也将于2020年停止支持,关于ACS信息会逐步退出大家的视野。该文档是Cisco论坛thomas在2016年总结的。个人感觉非常有用。
ACS Deployment Scale & Limits
|
Attribute |
System Maximum / Limits |
|---|---|
|
ACS Instances |
22 |
| Hosts |
200,000 for 35xx appliance |
|
Users |
400,000 for 35xx appliance |
| Identity Groups | 1,000 |
| Active Directory Group Retrieval | 1,500 |
|
Network Devices |
150,000 on 35xx appliance |
|
Network Device Groups (NDGs) Unique, Top-Levels |
12 |
|
Network Device Group Hierarchical Levels |
6 |
| Network Device Group Locations | 10,000 |
| Network Device Group Device Types | 350 |
| Services | 25 |
| Authorization Rules | 320 |
| Conditions | 8 |
| Authorization Profile | 600 |
| Service Selection Policy (SSP) | 50 |
| Network Conditions (NARs) | 3,000 |
| ACS Admins |
50 9 static roles |
| dACLs | 600 dACL with 100 ACEs each |
ACS Hardware Platforms
VMs must have the equivalent of the hardware platforms or better.
VM resources must be dedicated to ACS and not shared with other VMs.
|
Hardware Platform |
ACS |
Processor |
RAM |
Hard Disk |
RAID |
Ethernet NIC |
EoS |
|---|---|---|---|---|---|---|---|
| Cisco SNS 3595 | 5.8.1 | Dual socket Intel Xeon E5-2640 v3 series CPU @ 2.60GHz, 8 total cores, 8*2 total threads | 64GB |
4 x 600-GB 10k SAS HDDs (1200 GB total) |
RAID 10 | 6 x Integrated Gigabit NICs | - |
| Single socket Intel Xeon E5-2620 v3 series CPU @ 2.40GHz, 6 total cores, 6*2 total threads | 16GB |
1 x 600-GB 10k SAS HDD (600 GB total) |
No | 6 x Integrated Gigabit NICs | - | ||
|
(Large UCS) |
Cisco UCS C220 M3 2 x Quad-Core Intel Xeon CPU E5-2609 @ 2.40 GHz, 8 total cores, 8 total threads |
32 GB | 2 x 600-GB disks | RAID 0+1 | 4 GE network interfaces | 07-Oct-2016 | |
|
(Small UCS) |
Cisco UCS C220 M3 Single socket Intel E5-2609 2.4Ghz CPU 4 total cores, 4 total threads |
16 GB | 1 x 600-GB disk | Embedded Software RAID 0 | 4 GE network interfaces | 07-Oct-2016 | |
|
Cisco 1121 Secure Access Control System Hardware (CSACS-1121) |
Intel Core 2 Duo 2.4-GHz processor with an 800-MHz front side bus (FSB) and 2 MB of Layer 2 cache. | 4GB SDRAM | 2 x 250-GB SATA disks | - | 4 x 1 GB network interface | 27-Aug-2013 | |
| Cisco 1120 Secure Access Control System Hardware (CSACS-1120) |
5.0.x 4.2 |
? | ? | ? | ? | ? | ? |
|
Cisco Secure ACS-VM (VMware)
|
Minimum: 2 CPUs (dual CPU, Xeon, Core2 Duo or 2 single CPUs) |
4GB minimum 64 GB maximum |
60GB minimum 1.2TB maximum |
NIC—1 GB NIC interface required (You can install up to 4 NICs.) | ? |
ACS TACACS+ Performance
SNS-34xx and 35xx appliance performance was done with ACS 5.8 patch 1 as a dedicated authentication node.
Recommend dedicating resources for VM performance equivalent to hardware.
|
Authorization Method |
Identity Store |
Cisco SNS-3415 (Auth/Second) |
Cisco SNS-3495 (Auth/Second) |
Cisco SNS-3515 (Auth/Second) |
Cisco SNS-3595 (Auth/Second) |
|
T+ PAP |
Internal |
1114 |
1869 |
2215 |
2563 |
|
T+ CHAP |
Internal |
1116 |
1872 |
2328 |
2472 |
|
Accounting |
1234 |
1226 |
1646 |
1956 |
|
|
Authorization(session) |
900 |
1961 |
2726 |
2710 |
|
|
Ms-chap |
1138 |
1972 |
2456 |
2580 |
ACS RADIUS Performance
SNS-34xx and 35xx appliance performance was done with ACS 5.8 patch 1 as a dedicated authentication node.
Recommend dedicating resources for VM performance equivalent to hardware.
|
Authentication Method |
Identity Store |
Cisco SNS-3415 (Auth / second) |
Cisco SNS-3495 (Auth/ second) |
(Auth/ second) |
(Auth / second) |
|
PEAP (MSCHAPv2) |
Internal |
1214 |
1876 |
1203 |
3869 |
|
PEAP (MSCHAPv2) |
Active Directory |
162 |
241 |
201 |
354 |
|
PAP |
Internal |
1310 |
1911 |
2857 |
3891 |
|
PAP |
Active Directory |
549 |
574 |
622 |
784 |
|
EAP-TLS |
Internal |
935 |
1024 |
963 |
1998 |
|
EAP-FAST (MSCHAPv2) |
Internal |
1011 |
1263 |
1773 |
2435 |
|
EAP-FAST (MSCHAPv2) |
Active Directory |
224 |
368 |
433 |
586 |
|
EAP-FAST (GTC) |
Internal |
1001 |
1223 |
1689 |
2345 |
|
EAP-FAST (GTC) |
Active Directory |
221 |
376 |
414 |
510 |
原文链接:https://community.cisco.com/t5/security-documents/acs-performance-scale/ta-p/3617787