50-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 50 Configuring Hostname, Resources, User Accounts, and SLAs
Resource Management on Multi-context FWSMs
Field Reference
Resource Management on Multi-context FWSMs
By default, all security contexts on a multiple-context Firewall Services Module (FWSM) have unlimited
access to the resources of the FWSM, except where maximum limits per context are enforced. However,
if you find that one or more contexts use too many resources, and they cause other contexts to be denied
connections, for example, then you can configure resource management to limit the use of resources per
context.
Note The FWSM does not limit the bandwidth per context; however, the switch containing the FWSM can
limit bandwidth per VLAN. See the switch documentation for more information.
The FWSM manages resources by assigning contexts to resource classes. Each context uses the resource
limits set by its class. When you create a class, the FWSM does not set aside a portion of the resources
for each context assigned to the class; rather, the FWSM sets the maximum limit for a context. If you
oversubscribe resources, or allow some resources to be unlimited, a few contexts can “use up” those
resources, potentially affecting service to other contexts.
You can set the limit for all resources together as a percentage of the total available for the device. Also,
you can set the limit for individual resources as a percentage or as an absolute value.
You can oversubscribe the FWSM by assigning more than 100 percent of the resources across all
contexts. For example, you can set up a class to limit connections to 20 percent per context, and then
assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than the
system limit, then each context gets less than the 20 percent you intended.
The FWSM also lets you assign unlimited access to one or more resources in a class, instead of a
percentage or absolute number. When a resource is unlimited, contexts can use as much of the resource
as the system has available. For example, contexts A, B, and C are assigned to class “Onepercent,” which
limits each class member to one percent of the system inspections per second, for a total of three percent;
but the three contexts are currently only using two percent combined. On the other hand, class “Nolimit
has unlimited access to inspections. The contexts in Nolimit can use more than the 97 percent of
“unassigned” inspections; they can also use the one percent of inspections not currently in use by
contexts A, B, and C, even if that means that contexts A, B, and C are unable to reach their three percent
combined limit. Setting unlimited access is similar to oversubscribing the FWSM, except that you have
less control over how much you oversubscribe the system.
Table50-1 Hostname Page
Element Description
Host Name Enter a unique device name to help you differentiate among devices; for
example, PIX-510-A.
Note We recommend that you use a unique host name for each device
you manage. The device name can be up to 63 alphanumeric
(U.S. English) characters and can include any of the following
special characters: ` ( ) + - , . / : =.
Domain Name Optionally, enter a valid Domain Name System (DNS) domain name
for the device; for example, cisco.com.