You can install multiple instances of the Acoustic™ Experience Analytics (Tealeaf) CX Passive Capture Application.
Use the following formula and associated notes as a guideline when configuring multiple instances of the PCA. Use them to estimate your requirements and be prepared to make adjustments based on traffic patterns and CPU usage.
# of PCA instances = # of physical cores - # of PCA pipelines - 1
For example, if your environment has 16 physical cores, you can expect to have as many as 15 PCA instances to use.
For each additional PCA pipeline within a PCA application instance, you must deduct one from the maximum number of PCA instances, as indicated in the previous formula.
Do not count hyper-threaded virtual processors as available cores. Hyper-threaded processing provides little performance enhancement to highly CPU-intensive PCA processing and is not to be counted in the expected usage.
The above limit assumes that each PCA core is using over 60% capacity. If the cores are using significantly less than this capacity, you can increase the number of PCA instances over this limit.
If you are using an accelerator card, you can increase this maximum number, as the impact is offloaded to the card's hardware.
Note: When offloading encryption to an SSL accelerator card, you may need a larger number of instances to effectively capture and process the traffic load.
Segmenting traffic across multiple PCA instances
You can add PCA instances through the PCA Web Console. The PCA supports multiple methods of traffic segmentation:
- Web Server Host IP/Port Addresses Filtering: The typical and preferred method for segmenting traffic by PCA instance is to filter on web server host IP/Port addresses.
- TCP Client Port Segmentation Filtering: TCP client port segmentation can be used when the capture traffic is presented as a single virtual web IP address (VIP).
PCA instances are IP/Port sensitive. Do not add PCA instances if you lack the IP addresses or ports to segregate your capture traffic.
If IP/port segregation is not enabled in your multi-CPU environment, you can still create two PCA instances. The first instance handles non-SSL traffic on port 80, while the second handles SSL transactions on port 443. This arrangement does not take much advantage of any SSL accelerator cards.
- Move the point of capture after any load balancers.
- Use client-side IP addresses to segregate traffic in multiple instances. If you have a reasonable number of NAT IP addresses, you can group incoming addresses in netmask blocks or discretely based on IP addresses to deliver to the appropriate handler.
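The following planning check is an added example, not part of the PCA product or its Web Console. It applies the sizing guideline above to a proposed split of client-side netmask blocks and flags blocks that land in more than one instance. The plan layout, the instance names and the sample addresses are constructed, and the check assumes each client address should match exactly one instance.

```python
import ipaddress

def max_pca_instances(physical_cores, additional_pipelines=0):
    """Guideline from this page: physical cores - additional pipelines - 1.
    Pass physical cores only; hyper-threaded virtual processors are not counted."""
    return max(physical_cores - additional_pipelines - 1, 0)

def check_plan(plan, physical_cores, additional_pipelines=0):
    """Return a list of problems in a {instance_name: [cidr, ...]} plan (hypothetical layout)."""
    problems = []
    limit = max_pca_instances(physical_cores, additional_pipelines)
    if len(plan) > limit:
        problems.append(f"{len(plan)} instances exceeds guideline of {limit}")
    blocks = [(name, ipaddress.ip_network(cidr))
              for name, cidrs in plan.items() for cidr in cidrs]
    # Compare every pair of blocks that belong to different instances.
    for i, (name_a, net_a) in enumerate(blocks):
        for name_b, net_b in blocks[i + 1:]:
            if name_a != name_b and net_a.overlaps(net_b):
                problems.append(f"{net_a} ({name_a}) overlaps {net_b} ({name_b})")
    return problems

def instances_for(plan, client_ip):
    """Instances whose blocks contain client_ip; a clean plan yields one name or none."""
    addr = ipaddress.ip_address(client_ip)
    return sorted(name for name, cidrs in plan.items()
                  if any(addr in ipaddress.ip_network(c) for c in cidrs))

# Constructed sample plan using documentation address ranges.
PLAN = {
    "pca-1": ["198.51.100.0/25"],
    "pca-2": ["198.51.100.128/25"],
    "pca-3": ["203.0.113.0/24", "198.51.100.64/26"],  # second block collides with pca-1
}

if __name__ == "__main__":
    print("guideline for 16 cores:", max_pca_instances(16))
    for problem in check_plan(PLAN, physical_cores=4):
        print("problem:", problem)
    print("198.51.100.70 ->", instances_for(PLAN, "198.51.100.70"))
```

An address that matches no block, such as one outside the planned NAT ranges, returns an empty list and shows traffic that no instance would pick up under this plan.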
For TLB PCA instances:
When TLB mode is enabled, the process of determining how to segment the network capture traffic is no longer needed. Network capture traffic is automatically segmented and distributed to create a transparent load balanced environment. TLB mode does not require as much configuration to your network interface as non-TLB mode.