06-08-2012 08:14 AM - edited 03-11-2019 04:17 PM
When do you know it is time to upgrade to a new firewall? From the Cisco Podcast #7 "Monitoring Firewall Performance", the speakers said when the CPU usage consistently is at 50% or higher, that is the time to upgrade. They gave their reasons which made sense. And I can check the CPU usage with a show cpu usage command.
Are there any other signs beside CPU usage that it is time to upgrade the firewall?
Thanks.
J
06-08-2012 12:28 PM
J,
I assume you mean hardware not software upgrade.
If you are not running any additional features (like threat detection, inspections, various proxies) and are reaching 50% you might consider an upgrade indeed, especially if you're seeing spiky load.
However before making a decision like this, I would run this by TAC. Don't get me wrong, TAC does not perform capacity planning, but will at least tell you about features that consume CPU, which you might not be using/needing.
M.
06-09-2012 03:54 PM
A couple of reasons should prompt an hardware or plafform upgrade:
1. When your performance demands exceed the capacity of your current system
2. When you want to avail yourself of services that your current device does not support
3. When your current device has exceeded its support lifetime (typically five years after end of sales for Cisco products).
Hope this helps
06-10-2012 03:04 AM
1) Yes. If your device is reaching 50 % of the cpu usage then you may need to upgrade for the consistent performance.
but the cpu usage increase may be due to other issues as well. But if everything is normal and cpu usage is crossing 50% then you may need to upgrade. This is one of the reason only. there are lot other.
2) Depends on your future expansion / requirement you may need for an upgrade in the model.
Feature | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550 | |
Users/Nodes | 10, 50, or unlimited | Unlimited | Unlimited | Unlimited | Unlimited | |
Firewall Throughput | Up to 150 Mbps | Up to 300 Mbps | Up to 450 Mbps | Up to 650 Mbps | Up to 1.2 Gbps | |
Maximum Firewall and IPS Throughput | • Up to 150 Mbps with AIP-SSC-5 | • Up to 150 Mbps with AIP-SSM-10 • Up to 300 Mbps with AIP-SSM-20 | • Up to 225 Mbps with AIP-SSM-10 • Up to 375 Mbps with AIP-SSM-20 • Up to 450 Mbps with AIP-SSM-40 | • Up to 500 Mbps with AIP-SSM-20 • Up to 650 Mbps with AIP-SSM-40 | Not available | |
3DES/AES VPN Throughput*** | Up to 100 Mbps | Up to 170 Mbps | Up to 225 Mbps | Up to 325 Mbps | Up to 425 Mbps | |
IPsec VPN Peers | 10; 251 | 250 | 750 | 5000 | 5000 | |
Premium AnyConnect VPN Peers* (Included/Maximum) | 2/25 | 2/250 | 2/750 | 2/2500 | 2/5000 | |
Concurrent Connections | 10,000; 25,000* | 50,000; 130,000* | 280,000 | 400,000 | 650,000 | |
New Connections/Second | 4000 | 9000 | 12,000 | 25,000 | 33,000 | |
Integrated Network Ports | 8-port Fast Ethernet switch (including 2 PoE ports) | 5 Fast Ethernet ports; 2 Gigabit Ethernet + 3 Fast Ethernet ports* | 4 Gigabit Ethernet, 1 Fast Ethernet | 4 Gigabit Ethernet, 1 Fast Ethernet | 8 Gigabit Ethernet, 4 SFP Fiber, 1 Fast Ethernet | |
Virtual Interfaces (VLANs) | 3 (no trunking support)/20 (with trunking support)* | 50/100* | 150 | 200 | 400 | |
Security Contexts (Included/Maximum)* | 0/0 | 0/0 (Base); 2/5 (Security Plus) | 2/20 | 2/50 | 2/50 | |
High Availability | Not supported; stateless Active/Standby and redundant ISP support* | Not supported; Active/Active and Active/Standby** | Active/Active and Active/Standby | Active/Active and Active/Standby | Active/Active and Active/Standby | |
Expansion Slot | 1, SSC | 1, SSM | 1, SSM | 1, SSM | 0 | |
User-Accessible Flash Slot | 0 | 1 | 1 | 1 | 1 | |
USB 2.0 Ports | 3 (1 on front, 2 on rear) | 2 | 2 | 2 | 2 | |
Serial Ports | 1 RJ-45 console | 2 RJ-45, console and auxiliary | 2 RJ-45, console and auxiliary | 2 RJ-45, console and auxiliary | 2 RJ-45, console and auxiliary | |
Rack-Mountable | Yes, with rack-mount kit (available in the future) | Yes | Yes | Yes | Yes | |
Wall-Mountable | Yes, with wall-mount kit (available in the future) | Not available | Not available | Not available | Not available | |
Security Lock Slot (for Physical Security) | Yes | Not available | Not available | Not available | Not available | |
Technical Specifications | ||||||
Memory | 512 MB | 1 GB | 2 GB | 2 GB | 4 GB | |
Minimum System Flash | 128 MB | 256 MB | 256 MB | 256 MB | 256 MB | |
System Bus | Multibus architecture | Multibus architecture | Multibus architecture | Multibus architecture | Multibus architecture | |
the above table shows the maximum capability of the ASA firewalls. when the requirement needs upgrade you have to go for that.
3) When it comes for end of support from Cisco tech.
these are the major factors for an upgrade.
do rating if the info is helpful.
cheers
Karthik
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide