Cisco ASA throughput calculation

secureIT
Level 4

I have one doubt: do I have to clear the interface statistics with "clear traffic" and then take the output of "show traffic", or is it taken without clearing the traffic?

Below chart displays the throughput calculated without clearing the traffic rates - clear interfaces.

And this shows that ASA 5540 supports up to 650 Mbps.
As per the calculation, 1 min average is 930 Mbps and 5 mins average is 765 Mbps -  all calculated in bits per second.

Please confirm on this.

 

| Interfaces | 1 min rate | 5 min rate |
|---|---|---|
| GigabitEthernet0/0 input rate | 58185440 | 47736515 |
| GigabitEthernet0/0 output rate | 3197278 | 2663940 |
| GigabitEthernet0/1 input rate | 1728440 | 1430846 |
| GigabitEthernet0/1 output rate | 56629199 | 46081438 |
| GigabitEthernet0/2 input rate | 737171 | 727164 |
| GigabitEthernet0/2 output rate | 1239878 | 1421490 |
| GigabitEthernet0/3 input rate | 146469 | 115973 |
| GigabitEthernet0/3 output rate | 147639 | 124430 |
| Total in bytes | 122011514 | 100301796 |
| in MB | 116.3592472 | 95.65524673 |
| in Mbps | 930.8739777 | 765.2419739 |
| ASA 5540 supports | Up to 650 Mbps | |

7 Replies

I think your calculation is wrong. You can't sum up all input and output rates because with that you counted all traffic twice. If you sum up all input *or* output rates you get what your ASA is processing. And that is about 384 MBit/s on the 5 Min. interval.

 

Hi Karsten,

Your comments contradict the below thread posted by me long back.

https://supportforums.cisco.com/discussion/11542616/device-throughput

Could you please confirm for me the exact procedure to get the current throughput of an ASA firewall.

Just think about the following scenario:

PC1 ---100M --- ASA --- 100M --- PC2

Now you send a constant UDP-stream that fully saturates the Link from PC1 to PC2. In your calculation you would have a throughput of 200 MBit/s (100 incoming on one interface, 100 outgoing on the other interface).

I got your point.

But kindly look into the below threads as well.

https://supportforums.cisco.com/discussion/11359916/throughput-across-asa

Assume firewall has 3 interfaces. So according to you, it must be either the sum of all inbound traffic (1 minute interval) or the sum of all outbound traffic (1 minute interval), or the biggest of inbound or outbound.

I think this should be the one best practice to calculate the current throughput of the ASA firewall or any other device.

Please correct me if I am wrong.

Hi Karsten,

Could you revert - this is a one time doubt. So far we were doing the wrong calculation..!! Your reply to my previously posted comments is appreciated.

I was hoping that someone else would jump in with some additional insight. I know that your calculation is also done, but up to now I only knew it from marketing-slides. I still think that you only can sum up all inbound *or* all outbound rates.

I hope I'm meeting your hope after almost 4 years this thread was quiet :)

 

It's the first time I've written on the community forum and it's only because we just had a discussion around ASA VPN throughput internally. I fully agree with you that summing up traffic from all interfaces makes no sense. So my suggestion would be to divide ASA's VPN throughput into 2 categories:

 

  1. Encrypted throughput – this is a summary of Inbound and Outbound traffic on Outside interface(s)
  2. Unencrypted throughput - this is a summary of Inbound and Outbound traffic on Inside interface(s)

Management traffic is usually negligible and is not interesting, but if someone needs, can also add a calculation for that.

If you're using ASA as a firewall without any additional encryption on Outside interface, then summary of traffic on Inside interfaces would be enough.

 

Best regards, Pavel.
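
Added example, not part of any post in this thread: the two calculations discussed above, run over the byte rates from the table in the first post. The sample text is constructed from that table, the function names are hypothetical, and the 1048576 divisor is the one the first post's "in MB" row uses.

```python
# Added example; SAMPLE is constructed from the table in the original post
# (columns: interface, direction, "rate", 1 min bytes/sec, 5 min bytes/sec).
SAMPLE = """\
GigabitEthernet0/0 input rate 58185440 47736515
GigabitEthernet0/0 output rate 3197278 2663940
GigabitEthernet0/1 input rate 1728440 1430846
GigabitEthernet0/1 output rate 56629199 46081438
GigabitEthernet0/2 input rate 737171 727164
GigabitEthernet0/2 output rate 1239878 1421490
GigabitEthernet0/3 input rate 146469 115973
GigabitEthernet0/3 output rate 147639 124430
"""
MIB = 1024 * 1024  # the post divides bytes by 1048576 before multiplying by 8

def parse_rates(text):
    """Return (interface, direction, rate_1min, rate_5min) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] not in ("input", "output"):
            continue  # skip blank or unrelated lines
        rows.append((parts[0], parts[1], int(parts[3]), int(parts[4])))
    return rows

def direction_totals(rows):
    """Sum bytes/sec per direction for each averaging window."""
    totals = {"1min": {"input": 0, "output": 0}, "5min": {"input": 0, "output": 0}}
    for _iface, direction, one_min, five_min in rows:
        totals["1min"][direction] += one_min
        totals["5min"][direction] += five_min
    return totals

def to_mbps(bytes_per_sec):
    """Bytes/sec to Mbit/s with the post's 1048576 divisor."""
    return bytes_per_sec * 8 / MIB

def report(text):
    """Double-counted sum next to the input-only and output-only sums."""
    result = {}
    for window, t in direction_totals(parse_rates(text)).items():
        result[window] = {
            "in_plus_out": round(to_mbps(t["input"] + t["output"]), 2),
            "input_only": round(to_mbps(t["input"]), 2),
            "output_only": round(to_mbps(t["output"]), 2),
        }
    return result

if __name__ == "__main__":
    for window, values in report(SAMPLE).items():
        print(window, values)
```

The `in_plus_out` values match the 930 and 765 Mbps totals in the first post, and the 5 minute `output_only` value matches the "about 384 MBit/s" figure in the first reply.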
