Difference in performance between ASA SVI or dedicated Interface routing
I am interested in knowing if there are any differences between the following configurations in terms of performance especially, security, functional restrictions, etc.
ASA 5550 HA Pair running 8.4
1. Creating a port-channel using 5 physical interfaces, then creating SVIs (VLAN ports) out of that single port-channel interface and routing between them based on a firewall policy. The other end would be connected to a 3750 stack VLAN trunk port.
2. Creating 5 single dedicated interfaces (layer 3) and routing between them based on a firewall policy.
The other end would be connected to a 3750 stack VLAN trunk port.
In terms of security, there is no difference.
As for performance, the answer would depend heavily on the traffic profile through the ASA. The goal would be to choose the option that offers the most optimal load balancing of traffic across the physical interfaces. With a port-channel, all subnets would theoretically share all of the physical interfaces in the bundle, but the load can fluctuate due to the load balancing algorithm. Using dedicated physical interfaces means that all hosts in a subnet would share the same physical interface. Again, this may or may not be desirable depending on how even the traffic profile is across all interfaces.
Also, keep in mind that with a 5550 you can only use the on-board NICs in a port-channel (gig0/x). The SSM ports in slot 1 (gig1/x) cannot be used in a port-channel.
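As an added illustration of option 1 (not taken from the question or the reply), this is the ASA 8.4 configuration shape for bundling the on-board ports and hanging one SVI per VLAN off the bundle, with the load-balancing hash the reply refers to and the matching 3750 trunk; interface numbers, VLAN IDs and addresses are constructed placeholders.

```cisco
! ASA 5550, 8.4 -- option 1: five on-board ports bundled, one SVI per VLAN
! (added example; interface numbers, VLAN IDs and addresses are constructed)
interface GigabitEthernet0/0
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
! repeat the same stanza for GigabitEthernet0/1 - 0/4 (gig1/x SSM ports cannot join)
!
! The parent port-channel carries tagged traffic only: with no nameif it
! drops untagged frames, so the trunk's native VLAN never enters a zone
interface Port-channel1
 no nameif
 no security-level
 no ip address
 ! The hash decides how evenly flows spread over the five member links;
 ! src-dst-ip (the ASA default) keeps a given host pair on one link
 port-channel load-balance src-dst-ip
!
! One subinterface (SVI) per VLAN; nameif and security-level define the
! zones the firewall policy routes between
interface Port-channel1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface Port-channel1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.20.0.1 255.255.255.0

! Catalyst 3750 stack -- matching LACP trunk. The 3750 default hash is
! src-mac; hashing on IP addresses spreads flows more evenly toward the ASA
port-channel load-balance src-dst-ip
interface range GigabitEthernet1/0/1 - 5
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode active
```

Option 2 is the same SVI stanzas applied directly to five separate GigabitEthernet0/x interfaces, each connected to an access port on the 3750, so each subnet is pinned to one physical link rather than hashed across the bundle.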