ASA 1GBs vs 10Gbs (ASA 5585-X with SSP20 - 5 Gb max)

Vern Brinkman
Level 1

We are setting up a new active/standby pair of ASA 5585-X with SSP20 - 8-port 10/100/1000 and 2-port 10 GE.

Since the total multi-protocol throughput is 5 Gb, there are various cabling options being discussed.

I have seen setups where they make the two 10GBs inside/outside and use the two 1 GB for separate state and fail.

First, this goes against Cisco's recommendation of the failover link being as fast as the data (1 GB vs up to 5 GB).

Would it be better if an 8 x 1GB subinterfaced portchannel was used for inside/outside, and the 10 GBs were used for failover/state (shared vlan or subinterfaced)?

All traffic (inside and out) is spread out; if the firewall was maxed out at 5 GB, each link would be at 62.5% with various flows. The firewall baseline will be much lower, let's say 25%, so any legitimate big flow that is hashed to a link will have about 750Mb, which is plenty in this environment.

Additional benefit - A DDOS attack on an IP would be hashed to one of the links, saturating it, but the other 7 would be up (87.5% up), and with a static route to the outside interface you don't have to hope the control plane data isn't on the saturated link. I have seen firewalls get overwhelmed because a DDOS attack saturates the 10 GB link, and the backplane can only handle 5Gb.

Will the use of 1 GB links for traffic offer a layer of protection that isn't there when using the 10Gb?  Or is there some other issue that will come up?  Besides consuming a few more ports on the switch?

The 1 GB links cannot be bundled together to increase bw for the state/fail since they are point-to-point links and will be hashed on the same link, but they would provide redundancy.

Is there a clear winner that is redundant, and is better at withstanding attacks?

Traffic

10gb inside, 10gb outside

2x10GB subinterfaced inside/outside portchannel - could easily add a DMZ if needed

8x1GB  subinterfaced portchannel

something else?

State and Failover

1 gb state/1 gb fail

2x1 gb state, 2x1 gb fail (port-channels for redundancy - 4 ports, 2 vlans)

2x1 gb shared vlan (redundancy with 2 ports, 1 vlan)

2x1 gb subinterfaced (2 ports, 2 vlans - 50% chance the traffic will be on separate links - but Cisco is fine with shared vlan).

something else?

Thanks

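The port-channel hashing argument in the post (a flood keyed to one member of an 8x1G bundle leaves the other seven usable, while a saturated 10G link delivers more than the 5 Gb/s backplane can take), as an added toy model that is not part of the original post or any Cisco code. The hash functions, link rates and traffic figures are constructed stand-ins, not the switch's real load-balancing algorithm; the second hash mode shows how the result changes when the source address is part of the hash key.

```python
"""Toy model: how flows hash onto 8x1G port-channel members versus one 10G link in
front of a 5 Gb/s firewall. Constructed numbers; simplified stand-in hashes."""
import ipaddress

FIREWALL_MBPS = 5000  # multi-protocol throughput quoted in the post

def hash_member(src: str, dst: str, members: int, mode: str = "dst-ip") -> int:
    """Pick a port-channel member for a flow. 'dst-ip' keys only on the destination
    (the post's assumption); 'src-dst-ip' folds the source address in as well."""
    d = int(ipaddress.ip_address(dst))
    if mode == "dst-ip":
        return d % members
    s = int(ipaddress.ip_address(src))
    return (s ^ d) % members

def link_loads(flows, members: int, mode: str = "dst-ip"):
    """Offered load per member in Mb/s, left uncapped so saturation is visible."""
    load = [0.0] * members
    for src, dst, mbps in flows:
        load[hash_member(src, dst, members, mode)] += mbps
    return load

def healthy_fraction(loads, link_mbps: int) -> float:
    """Share of members still below line rate (the post's '87.5% up' figure)."""
    return sum(1 for l in loads if l < link_mbps) / len(loads)

def backplane_offered(loads, link_mbps: int) -> float:
    """Traffic that reaches the firewall: each link delivers at most its line rate."""
    return sum(min(l, link_mbps) for l in loads)

# Constructed traffic: ~1.2 Gb/s of ordinary flows plus a 12 Gb/s flood of one address.
BASELINE = [(f"10.0.{i}.{(j * 3) % 256}", f"203.0.113.{j}", 15)
            for i in range(4) for j in range(1, 21)]
FLOOD = [(f"198.51.100.{n}", "203.0.113.7", 200) for n in range(60)]

def scenario(members: int, link_mbps: int, mode: str = "dst-ip"):
    """Return (fraction of members still healthy, Mb/s offered to the firewall)."""
    loads = link_loads(BASELINE + FLOOD, members, mode)
    return healthy_fraction(loads, link_mbps), backplane_offered(loads, link_mbps)

if __name__ == "__main__":
    for label, m, rate, mode in [("1x10G", 1, 10000, "dst-ip"),
                                 ("8x1G dst-ip hash", 8, 1000, "dst-ip"),
                                 ("8x1G src-dst-ip hash", 8, 1000, "src-dst-ip")]:
        up, offered = scenario(m, rate, mode)
        status = "over" if offered > FIREWALL_MBPS else "within"
        print(f"{label:22s} members up: {up:.3f}  offered: {offered:.0f} Mb/s ({status} {FIREWALL_MBPS})")
```

With the source address in the hash key the same flood spreads over all eight members and saturates every one of them, and 8 Gb/s still reaches a 5 Gb/s backplane, so the isolation the post describes only holds when the switch's load-balancing key lands the flood on a single member.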