Our customer is experimenting really bad performance when runing 10Gig traffic through FWSM on C6509. Test with1 Gig traffic are providing find result perfromance as expected in this document: https://supportforums.cisco.com/docs/DOC-12668. I have made a simple drawing so everyone can understand the setup:
The issue is when running 10 Gig traffic between Netapp servers. This traffic is going though the FWSM and the perfomance are really bad: around 50 Mbit/sec. If the traffic is not going though the FWSM ther performance are around 900 Mbit/s.
The customer and I think that the issue is releated the buffer in the C6509 and the FWSM which has big trouble managing 10G to 1G traffic convertering between C6509 and FWSM 6 G etherchannel connection.
When running 10G traffic through FWSM the number of output drops are increasing as you can see on the output bellow. The last thing which is wired a is that the speed is showing 1000 Mbits and not 6000Mbits :
Unfortunately, the FWSM is simply not capable of processing 10 Gbps of traffic. As you noted, the port-channel between the FWSM and the 6500 backplane is only a 6 Gbps bundle, so even under the most ideal conditions it will not be capable of handling 10 Gbps.
If this level of throughput is required for your environment, I would recommend talking with your Cisco account team or partner about the ASA or ASA-SM platforms and get some design assistance from them to integrate those into your network.
The thing is when running "normal" TCP traffic through FWSM performance are good (around 600 Mbit/s) but as soon as we run Netapp traffic through FWSM the performance are really realyy low (around 13 Mbit/s). So there is something wrong with the Netapp traffic.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :