Cisco Support Community
Community Member

ASA throughput

Quick question (hopefully) - in looking at the data sheet for our 5520 ASA it lists max throughput as 450Mbps.  So if we were to upgrade to 1Gbps service with our Internet provider, we'd be bottlenecked by the firewall I assume?

What would be the best remedy for this - a new ASA or a second 5520 to load balance?

Thanks!

Rob

3 REPLIES
Hall of Fame Super Blue

Re: ASA throughput

Rob

If you think you are going to go above the 5520 limit (i.e. just because you have 1Gbps doesn't mean you will get that), then it really depends on how you want to set up the firewalls, but the main issue is how you would direct traffic so it is shared between the firewalls -

1) in active/standby obviously you cannot load-balance the traffic.

2) in active/active you could have each firewall active for one context, but this assumes that you are running at least 2 contexts, which you may well not be. If you only have one context then you cannot run active/active. Note also that this would assume the traffic is split fairly evenly between contexts, i.e. 600Mbps and 200Mbps between contexts really wouldn't work for you.

3) run each firewall separately. This assumes you have an ISP router that terminates the 1Gbps connection, and then the internal side of the ISP router and the 2 firewalls connect to a common LAN. To load-balance though you would need to use PBR on both the ISP router and the L3 device(s) internally to send specific traffic to specific firewalls. This can be a significant overhead and I doubt the ISP would allow PBR on their router.

The advantage of buying another 5520 is that you can have redundant firewalls if you run active/active. However, like I say, even if you did run multiple contexts the traffic would still need to be fairly evenly balanced per context. And that also assumes this traffic split will always be the same per context.

In my opinion it would be a lot simpler to just upgrade your firewall so it can handle that throughput.

Jon

Community Member

Re: ASA throughput

Thanks Jon,

The topology is:

ISP router ---> Our Router ---> Firewall ---> Inside network

Assuming I had another L3 device on the inside (it's a 3750X stack right now, but not doing any L3), depending on the routing used, it should load balance based on equal cost, should it not?

Rob

Hall of Fame Super Blue

Re: ASA throughput

Rob

Both your router and the 3750X (if ip routing is enabled) will do equal cost load-balancing if you have 2 default routes. The switch will only be able to do per-destination load-balancing, whereas the router will probably be able to do per-packet as well. However, with firewalls you should definitely use per-destination.

So you could just have 2 separate 5520s and use equal cost load-balancing. That would work fine outbound, i.e. for your internal users going to the internet, as long as you NAT the internal IPs to the relevant firewall's outside IP so the return traffic from the internet is sent to the right firewall.

Where you will have an issue is with any internal or DMZ servers you have that are accessed from the internet. You would need to choose which firewall was responsible for which servers. It may be you could split those up in a way that meant you had a roughly 50/50 split between firewalls. With this and equal cost routes for outbound, you could well use 2 x 5520, either in active/active or as completely separate firewalls.

The advantage would be redundancy for outbound traffic, and if one firewall crashed you could simply transfer the statics from the failed firewall.

The disadvantage, as mentioned before, is that you need to balance out the traffic and this may take a lot of extra work. Even with per-destination load-balancing this does not necessarily mean 50/50, because one destination may be a large FTP transfer and another may simply be an http page.

Pros and cons to both really.

Jon
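The following is an added example, not part of the thread or of any Cisco code, that models the two points in Jon's second reply: with two separate stateful firewalls behind equal-cost default routes, per-packet sharing breaks sessions because a firewall only accepts mid-flow packets for sessions it built itself, and even per-destination sharing does not give a 50/50 byte split when one flow is a large transfer and the rest are small web fetches. The firewall names, addresses and traffic mix are constructed; the per-destination selector hashes the flow tuple the way CEF per-destination sharing keeps a flow on one next hop, it is not Cisco's hash.

```python
"""Model of equal-cost load balancing across two separate stateful firewalls.
Added example; the firewalls, addresses and traffic are constructed, not from the thread."""
import hashlib
from dataclasses import dataclass, field
from itertools import count

FIREWALLS = ("fw-a", "fw-b")   # constructed names for the two separate ASAs


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    size: int          # bytes on the wire


@dataclass
class StatefulFirewall:
    """Minimal stateful firewall: a session exists only on the box that saw the flow's first packet."""
    name: str
    sessions: set = field(default_factory=set)
    passed: int = 0
    dropped: int = 0
    bytes_passed: int = 0

    def forward(self, pkt: Packet, first_packet: bool) -> bool:
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if first_packet:
            self.sessions.add(key)      # the flow's first packet builds state here only
        elif key not in self.sessions:
            self.dropped += 1           # mid-flow packet with no session: dropped
            return False
        self.passed += 1
        self.bytes_passed += pkt.size
        return True


def per_destination_path(pkt: Packet) -> str:
    """Per-destination sharing: hash the flow tuple so every packet of a flow takes one next hop.
    hashlib is used because Python's built-in hash() is salted per process."""
    digest = hashlib.sha256(f"{pkt.src}:{pkt.sport}>{pkt.dst}:{pkt.dport}".encode()).digest()
    return FIREWALLS[digest[0] % len(FIREWALLS)]


def make_per_packet_path():
    """Per-packet sharing: round-robin every packet regardless of which flow it belongs to."""
    counter = count()
    return lambda pkt: FIREWALLS[next(counter) % len(FIREWALLS)]


def build_flows():
    """Constructed outbound traffic: one large FTP transfer and ten small HTTP fetches."""
    flows = [[Packet("10.1.1.10", "203.0.113.5", 40000, 21, 1400) for _ in range(1000)]]
    for i in range(10):
        flows.append([Packet("10.1.1.%d" % (20 + i), "198.51.100.%d" % (1 + i), 50000 + i, 80, 600)
                      for _ in range(5)])
    return flows


def simulate(path_selector):
    """Push every flow through the selector and two fresh firewalls; report passes, drops, byte share."""
    fws = {name: StatefulFirewall(name) for name in FIREWALLS}
    for flow in build_flows():
        for i, pkt in enumerate(flow):
            fws[path_selector(pkt)].forward(pkt, first_packet=(i == 0))
    total_bytes = sum(fw.bytes_passed for fw in fws.values()) or 1
    return {
        "passed": sum(fw.passed for fw in fws.values()),
        "dropped": sum(fw.dropped for fw in fws.values()),
        "byte_share": {name: fw.bytes_passed / total_bytes for name, fw in fws.items()},
    }


def run_both():
    """Per-destination: no drops but a lopsided byte split; per-packet: roughly half the packets dropped."""
    return {
        "per_destination": simulate(per_destination_path),
        "per_packet": simulate(make_per_packet_path()),
    }


if __name__ == "__main__":
    for mode, result in run_both().items():
        print(mode, result)
```

Per-destination sharing passes all 1050 packets, but the 1,400,000-byte FTP flow lands on one firewall, so that box carries well over 90% of the bytes no matter how the hash falls. Per-packet sharing alternates every packet, so each flow's even-numbered packets reach the firewall that holds its session and the odd-numbered ones reach the other, which has no session and drops them.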
