07-09-2010 04:52 PM - edited 03-11-2019 11:09 AM
Cisco famously quotes max firewall throughput specs on all ASA models, but how do you tell if your firewall is reaching this maximum throughput?
For example, there is a 300Mbps max throughput number on the ASA 5510 in the spec sheet. How do I know if firewall resources are nearing max capacity? Will CPU go first? Is the internal data plane limited in code somewhere?
There is an interface called Internal-Data0/0. If I watch its utilization, will it show me what I want?
07-10-2010 06:11 PM
You can first start gathering information on your firewall and create a sort of baseline to compare and learn what type of traffic traverses the firewall. There are ways you can gather firewall performance info through SNMP and SNMP trap polling tools to give you a clear picture of your firewall health over the course of X amount of time.
I would first look into implementing some monitoring tools.
Firewall performance/resources depend on many factors; for example, the types of encryption methods used in IPsec, the number of tunnels, and the traffic traversing the tunnels will also put load on the firewall, possibly degrading performance if the firewall type is not meant to cope with that load. You can collect all this information using SNMP monitoring tools to capture all angles of the firewall performance.
You can also retrieve real-time performance information from the command line; start with the link below.
There are other tools you can use, like NetFlow, introduced in code 8.2. Again, these are simply tools to use to gather information to look at and determine the health of firewall performance and its resources.
http://www.cisco.com/en/US/partner/docs/security/asa/asa82/netflow/netflow.html#wp1028493
HTH
Regards
07-10-2010 11:34 PM
Hey HTH, thanks for the reply. I guess that is a little vague, but my question was a little vague. I want to specifically know how Cisco gets the maximum throughput number. Is there some sort of code-based throttle built in? If it is just based on some likely real-world test, then what are the test parameters? I was also wondering what these internal "network" interfaces really are and whether it is worthwhile to watch them. The specific ASA in question doesn't have an interface or CPU bottleneck, but the Internal-Data0/0 interface is running pretty high in utilization. So I was wondering what that is?
thx,
Will
07-11-2010 08:39 AM
Hi Will,
In short, to answer your question, I have not come across a link here detailing what Cisco used to measure their firewalls' performance throughput reports; I'll leave that part of your question to someone else who may have a link answer. There may however be more than one third-party company out there that has conducted benchmark reports for a variety of firewall vendors; for example, http://www.miercom.com/?url=reports/&v=16&tf=0&st=v provides a benchmark test with details on what they used for the test on the ASA5580 model.
As for your other question about the interface:
"I was also wondering what these internal "network" interfaces really are and whether it is worthwhile to watch them. The specific ASA in question doesn't have an interface or CPU bottleneck, but the Internal-Data0/0 interface is running pretty high in utilization. So I was wondering what that is?"
Where are you seeing this? Can you post or attach a screenshot of this?
Like I said before, to spot an issue on the firewall, as you said interface or CPU issues, you have to look at the firewall as a whole. Did you bother to look at the link provided? Here is the link again: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009491c.shtml
Regards
Jorge
BTW, HTH means (Hope to help, or Hope this helps).
07-12-2010 01:44 PM
Jorge, I am using a graphing utility which scans some preset SNMP OIDs to determine what all the ASA interfaces are. It picks up two interfaces which are not normally exposed when you do "sh int", for example.
Internal-Data0/0 | Ip: | Eth: 00-00-00-01-00-02
Virtual254'-interface' | Ip: | Eth: 00-00-00-00-00-00
So I do not know what these are, only that Cisco has them embedded into the OS, and they are useful for something. I am almost thinking that Data0/0 is the backplane of the 4-port Ethernet module in the ASA. It seems like it's aggregating everything into that variable, WRT speeds.
07-13-2010 06:33 AM
The internal Data interfaces are the backplane interfaces of the ASA. You should view them as the interfaces that pass data internally for processing. Practically, they will aggregate traffic.
Now as for the test, there are various tests that are run. The name values are run using very few UDP connections with 1500-byte packets. But the "real-world" numbers in the specs that are a little lower are with regular HTTP and "everyday traffic" benchmarks with smaller packets.
I hope it helps a little bit.
PK
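The thread's advice is to poll the interface counters over SNMP and compare the aggregate rate on the backplane interface with the spec-sheet figure. The script below is an added example, not code from any poster or from Cisco: it turns two SNMP polls of ifHCInOctets/ifHCOutOctets into megabits per second, handles Counter32/Counter64 wrap and a reboot between polls, and flags an interface that is approaching the 300Mbps rated throughput. The poll data, the 80% warning threshold and the interface names are constructed assumptions.

```python
"""Estimate ASA throughput from SNMP octet counters (added example, constructed data)."""
from dataclasses import dataclass

RATED_MBPS = 300.0      # spec-sheet maximum quoted in the thread for the ASA 5510
WARN_FRACTION = 0.8     # assumption: warn once an interface carries 80% of the rated figure


@dataclass(frozen=True)
class Sample:
    """One SNMP poll of an interface: sysUpTime converted to seconds, octet counters in bytes."""
    uptime_s: float
    in_octets: int
    out_octets: int


def counter_delta(old: int, new: int, bits: int = 64) -> int:
    """Counter difference allowing for a single wrap (Counter32 -> bits=32, Counter64 -> bits=64)."""
    if new >= old:
        return new - old
    return (1 << bits) - old + new


def throughput_mbps(a: Sample, b: Sample, bits: int = 64) -> float:
    """Aggregate in+out rate in Mbit/s between two polls of one interface."""
    elapsed = b.uptime_s - a.uptime_s
    if elapsed <= 0:
        # sysUpTime went backwards: the device rebooted and counters reset, so the pair is unusable.
        raise ValueError("second sample is not later than the first (device reboot?)")
    octets = counter_delta(a.in_octets, b.in_octets, bits) + counter_delta(a.out_octets, b.out_octets, bits)
    return octets * 8 / elapsed / 1_000_000


def assess(polls: dict, rated_mbps: float = RATED_MBPS, bits: int = 64) -> dict:
    """Map {ifDescr: (first Sample, second Sample)} to {ifDescr: (mbps, fraction_of_rated, warn)}."""
    result = {}
    for name, (a, b) in polls.items():
        mbps = throughput_mbps(a, b, bits)
        frac = mbps / rated_mbps
        result[name] = (mbps, frac, frac >= WARN_FRACTION)
    return result


# Constructed polls 300 s apart (not real device data); ifDescr values as they appeared in the thread.
POLLS = {
    "Internal-Data0/0": (Sample(86400.0, 12_000_000_000, 9_000_000_000),
                         Sample(86700.0, 17_000_000_000, 13_562_500_000)),
    "Ethernet0/0": (Sample(86400.0, 3_000_000_000, 1_000_000_000),
                    Sample(86700.0, 4_000_000_000, 1_500_000_000)),
}

if __name__ == "__main__":
    for name, (mbps, frac, warn) in assess(POLLS).items():
        print(f"{name:18s} {mbps:7.1f} Mbps  {frac:6.1%} of rated  {'WARN' if warn else 'ok'}")
```

Because the backplane interface aggregates every front-panel port, its rate is the one to compare against the rated figure; the per-port rates only show where the load comes from.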