Cisco ASA performance?

ryabutler
Level 1

Hi,

For the Cisco ASA 5540 the advertised throughput for that model is up to 650Mbps.

Does this mean the firewall natively can handle Firewall throughput up to 650Mbps without AIP-SSM modules?

Or are the AIP-SSM modules required to support up to 650Mbps where the firewall (and IPS) workload is off-loaded to the SSM module?

Thank you!

- rya


mirober2
Cisco Employee

Hi Rya,

650 Mbps is the 5540's native max throughput. With the AIP SSM-20 installed this drops a bit to about 500 Mbps, however using an AIP SSM-40 will support up to 650 Mbps throughput as well. This document has more details (see Table 4):

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

Keep in mind, though, that these numbers are only achievable in very ideal cases. In real world scenarios with varying traffic profiles, your throughput may be considerably lower.

Hope that helps.

-Mike

Jon Marshall
Hall of Fame

ryabutler wrote:

Hi,

For the Cisco ASA 5540 the advertised throughput for that model is up to 650Mbps.

Does this mean the firewall natively can handle Firewall throughput up to 650Mbps without AIP-SSM modules?

Or are the AIP-SSM modules required to support up to 650Mbps where the firewall (and IPS) workload is off-loaded to the SSM module?

Thank you!

- rya

From the datasheet -

Firewall Throughput

Up to 650 Mbps

Maximum Firewall and IPS Throughput

• Up to 500 Mbps with AIP SSM-20
• Up to 650 Mbps with AIP SSM-40


So the 650Mbps is pure firewalling throughput on cleartext traffic. If you want to combine IPS with your firewall then you can use an AIP SSM card and then the combined firewall/IPS throughput is either 500 or 650Mbps.

Jon

Thanks, that makes sense so FW+IPS throughput can be handled on the SSM.

What about VPN using AES. A single site VPN tunnel. The ASA 5540 supports up to 325Mbps throughput when using AES/3DES.

I'm assuming this is handled natively on the ASA since I do see anywhere that the SSM offload VPN encryption/decryption operations?

So if I am running all three of those services is my best possible throughput through that ASA model at least 325Mbps?

Thank you!

- rya

Hi Rya,

The SSM is not used to offload processing and boost throughput. The reason that there are different throughput numbers when using an SSM is because the added packet processing adds a bit of delay to the connection (the packets go through extra security checks by the AIP module, in addition to the ones done by the ASA, and this takes time). Likewise, throughput drops a bit when using VPN/encryption because of the added overhead of encrypting/decrypting the packets for the tunnel.

As I mentioned though, these numbers are only an ideal value. So if you are encrypting/decrypting traffic for a VPN and inspecting it with an SSM, your throughput will likely be much lower than the advertised ideal values. Just be sure that you plan for this in your deployment and choose the hardware and configuration that will give you room to scale in the future.

Hope that helps.

-Mike
