Manage crypto capacity 编辑

Starting with release 12.1 48.13, the interface to manage crypto capacity has changed. The Management Service provides asymmetric crypto units (ACUs), symmetric crypto units (SCUs), and crypto virtual interfaces to denote SSL capacity on the Citrix ADC SDX appliance. Earlier crypto capacity was assigned in units of SSL chips, SSL cores, and SSL virtual functions. See the Legacy SSL chips to ACU and SCU conversion table for more information about how legacy SSL chips translate into ACU and SCU units.

By using the Management Service GUI, you can allocate crypto capacity to the Citrix ADC VPX instance in units of ACU and SCU.

The following table provides brief descriptions about ACUs, SCUs, and crypto virtual instances.

Table. Unit crypto units

New crypto unitsDescription
Asymmetric crypto unit (ACU)1 ACU = 1 operation per second (ops) of (RSA) 2 K (2048-bit key size) decryption. For further details, see ACU to PKE resource conversion table.
Symmetric crypto unit (SCU)1 SCU = 1 Mbps of AES-128-CBC + SHA256-HMAC @ 1024B. This definition is applicable for all SDX platforms.
Crypto virtual interfacesAlso known as virtual functions, crypto virtual interfaces represent the basic unit of the SSL hardware. After these interfaces are exhausted, the SSL hardware cannot be further assigned to a VPX instance. Crypto virtual interfaces are read-only entities, and the SDX appliance automatically allocates these entities.

View crypto capacity of the SDX appliance

You can view the crypto capacity of the SDX appliance in the dashboard of the SDX GUI. The dashboard displays the used and available ACUs, SCUs, and virtual interfaces on the SDX appliance. To view the crypto capacity, navigate to Dashboard > Crypto Capacity.

View crypto capacity

Allocate crypto capacity while provisioning the VPX instance

While provisioning a VPX instance on the SDX appliance, under Crypto Allocation, you can allocate the number of ACUs and SCUs for the VPX instance. For instructions to provision a VPX instance, see Provisioning Citrix ADC instances.

To allocate crypto capacity while provisioning a VPX instance, follow these steps.

  1. Log on to the Management Service.

  2. Navigate to Configuration > Citrix ADC > Instances, and click Add.

  3. Under Crypto Allocation, you can view the available ACUs, SCU, and crypto virtual interfaces. The way to allocate ACUs and SCUs differs depending on the SDX appliance:

    a. For the appliances listed in the Minimum value of an ACU counter available for different SDX appliances, you can assign ACUs in multiples of a specified number. SCUs are automatically allocated and the SCU allocation field is not editable. You can increase ACU allocation in the multiples of the minimum ACU available for that model. For example, if the minimum ACU is 4375, the ACU increment is 8750, 13125, and so on.

    Example. Crypto allocation where SCUs are automatically assigned, and ACUs are assigned in multiples of a specified number.

    Crypto allocation

Minimum value of an ACU counter available for different SDX appliances

SDX platformACU counter minimum value
22040, 22060, 22080, 22100, 22120, 24100, 24150 (36 ports2187
8400, 8600, 8010, 80152812
17500, 19500, 215002812
17550, 19550, 20550, 215502812
11500, 13500, 14500, 16500, 18500, 205002812
11515, 11520, 11530, 11540, 115424375
14xxx4375
14xxx 40S4375
14xxx 40G4375
14xxx FIPS4375
25xxx4375
25xxx A4575

b. For the rest of the SDX platforms, which are not listed in the preceding table, you can freely assign ACUs and SCUs. The SDX appliance automatically allocates crypto virtual interfaces.

Example. Crypto allocation where both ACU and SCUs are freely assigned

Crypto allocation 8900

4./ Complete all the steps for provisioning the VPX instance, and click Done. For more information, see Provisioning Citrix ADC instances.

View crypto hardware health

In Management Service, you can view the health of the crypto hardware provided with the SDX appliance. The health of the crypto hardware is represented as Crypto Devices and Crypto Virtual Functions. To view the health of the crypto hardware, navigate to Dashboard > Resources.

Crypto devices and virtual functions

Points to note

Keep the following points in mind when you upgrade the SDX appliance to the latest version.

  • Only the SDX user interface gets upgraded, but the hardware capacity of the appliance remains the same.

  • The crypto allocation mechanism remains the same, and only the representation on the SDX GUI changes.

  • Crypto interface is backward compatible, and it does not affect any existing automation mechanism that uses the NITRO interface to manage the SDX appliance.

  • Upon SDX appliance upgrade, the crypto assigned to the existing VPX instances does not change; only its representation on the Management Service changes.

ACU to PKE resource conversion table

SDX platformACURSA-RSA1KRSA-RSA2KRSA-RSA4KECDHE-RSAECDHE-ECDSA
22040, 22060, 22080, 22100, 22120, 24100, 24150 (36 ports)2187124972187312256190
8400, 8600, 8010, 80152812170002812424330N/A
11515, 11520, 11530, 11540, 115424375250004375625512381
22040, 22060, 22080,22100, 22120 (24 ports)4375250004375625512381
17500, 19500, 215002812170002812424330N/A
17550, 19550, 20550, 215502812170002812424330N/A
11500, 13500, 14500, 16500, 18500, 205002812170002812424330N/A
14000, 14000-40G, 25000, 25000A4375250004375625512381
14000 FIPS4375250004375625512381
14000-40S4375250004375625512381
*8900 (8910, 8920, 8930)100046151000136397494
*9100 (9110, 9120, 9130)100046151000136397494
*26000-100G (26100, 26160, 26200, and 26250)100046151000136397494
*15000100046151000136397494
*15000-50G100046151000136397494
*26000-50S100046151000136397494

*On these platforms the PKE numbers are the minimum guaranteed values.

How to read the ACU to PKE resource conversion table

The ACU to PKE resource conversion table is based on the following points:

  • Management Service helps allocate Crypto Resources to each individual VPX. Management Service cannot allocate or promise performance.

  • Actual performance varies depending on packet size, cipher/Keyex/HMAC (or their variations) used, and so on

The following example helps you understand how to read and apply the ACU to the PKE resource conversion table.

Example. ACU to PKE resource conversion for the SDX 22040 platform

Allocation of 2187 ACUs to a VPX instance on an SDX 22040 platform allocates crypto resource equivalent to 256 ECDHE-RSA operations or 2187 RSA-2K operations and so on.

Legacy SSL chips to ACU and SCU conversion table

For more information about how legacy SSL chips are converted to ACU and SCU, see the following table.

ACU and SCU conversion table

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:78 次

字数:11757

最后编辑:6 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文