10-21-2010 11:48 AM - edited 03-11-2019 11:58 AM
On the Cisco website it says that the Maximum Firewall throughput (Mbps) on an ASA 5510 is 300 Mbps.
- How can I measure this?
Thanks,
NG
10-21-2010 02:49 PM
Put 10 hosts inside and one host on the outside that can serve as a TFTP server. Open ACLs inbound and outbound. Each host must have 100Mbps links. Start 10 simultaneous TFTP transfers from the inside hosts. The total aggregate throughput will be close to 300Mbps.
I hope it helps.
PK
10-22-2010 09:09 AM
I have used iperf with success before; it generates traffic and measures throughput. You can tune the traffic type too (TCP/UDP/packet size, etc.), so it gives you a bit more information than just a plain 'download'.
Regards
11-23-2010 07:39 PM
If you have sub-interfaces, how can you measure the total throughput?
If you want to use iperf, how can you use it? Can you give an example?
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 2xx.2xx.1xx.x 255.255.255.xxx standby 2xx.2xx.1xx.x
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.11
 vlan 11
 nameif inside
 security-level 100
 ip address 10.4x.xx.20 255.255.255.0 standby 10.4x.xx.21
!
interface Ethernet0/1.12
 vlan 12
 nameif LISTENER
 security-level 75
 ip address 10.4x.xx.20 255.255.255.0 standby 10.4x.xx.21
!
interface Ethernet0/1.13
 vlan 13
 nameif WEB
 security-level 25
 ip address 10.4x.xx.20 255.255.255.0 standby 10.4x.xx.21
!
-NG
12-10-2010 04:17 PM
Looking at the ASA inside, outside, LISTENER, WEB interfaces:
outside - 16 MB
inside - 12 MB
LISTENER - 8 MB
WEB - 10 MB
!
interface Ethernet0/0
 nameif outside
!
interface Ethernet0/1
!
interface Ethernet0/1.11
 nameif inside
!
interface Ethernet0/1.12
 nameif LISTENER
!
interface Ethernet0/1.13
 nameif WEB
!
Does it mean that the total throughput of my ASA is 16 MB + 12 MB + 8 MB + 10 MB = 46 MB?
-NG
12-11-2010 05:39 AM
No.
I am not sure how you are getting these numbers and if they are ingress or egress but the throughput is not the aggregate of all the interfaces.
For example for
outside - 16 MB
inside - 12 MB
If the inside 12Mbps are going to the outside then we have 12Mbps throughput plus 4Mbps on the outside that are dropped or sent to other interfaces. So, in that case the throughput is about 16Mbps.
But also the direction is important. In other words, you would need to know if the traffic is ingress or egress and what interfaces it is traversing in order to find the throughput.
I hope it makes sense.
PK
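An added worked example (not part of any poster's reply and not Cisco code) of why direction matters when turning per-interface counters into a firewall throughput figure: it takes two samples of cumulative input/output byte counters per interface and compares the naive sum of interface totals with the traffic that actually left the box. The counter values are constructed so that each interface's in+out total matches the 16/12/8/10 figures quoted in the thread, read here as Mbit/s; the in/out split, the 60-second interval, 32-bit wrapping counters and negligible box-originated traffic are all assumptions.

```python
# Added example: the counters below are constructed, not taken from a real ASA.
COUNTER_MOD = 2 ** 32  # assumption: 32-bit cumulative byte counters that wrap

def delta(first, second, mod=COUNTER_MOD):
    """Counter difference that survives one wrap between the two samples."""
    return (second - first) % mod

def interface_rates(s1, s2):
    """Return {nameif: (in_mbps, out_mbps)} from two cumulative-byte samples."""
    dt = s2["t"] - s1["t"]
    if dt <= 0:
        raise ValueError("second sample must be later than the first")
    rates = {}
    for name, (in1, out1) in s1["bytes"].items():
        in2, out2 = s2["bytes"][name]
        rates[name] = (delta(in1, in2) * 8 / dt / 1e6,
                       delta(out1, out2) * 8 / dt / 1e6)
    return rates

def summarize(rates):
    """Compare the naive per-interface sum with traffic that crossed the box."""
    ingress = sum(i for i, _ in rates.values())
    egress = sum(o for _, o in rates.values())
    return {
        "naive_sum": ingress + egress,      # counts every forwarded bit twice
        "ingress": ingress,                 # everything offered to the firewall
        "forwarded": egress,                # what actually left another interface
        "not_forwarded": ingress - egress,  # dropped or addressed to the box
    }

# Two samples 60 s apart: nameif -> (input bytes, output bytes).
T0 = {"t": 0, "bytes": {
    "outside": (4_292_467_296, 1_000_000),  # input counter is about to wrap
    "inside": (500_000, 2_000_000),
    "LISTENER": (0, 100),
    "WEB": (7_000, 9_000)}}
T1 = {"t": 60, "bytes": {
    "outside": (80_000_000, 38_500_000),
    "inside": (38_000_000, 54_500_000),
    "LISTENER": (22_500_000, 37_500_100),
    "WEB": (37_507_000, 37_509_000)}}

if __name__ == "__main__":
    rates = interface_rates(T0, T1)
    for name, (rx, tx) in rates.items():
        print(f"{name:9s} in {rx:5.1f}  out {tx:5.1f}  total {rx + tx:5.1f} Mbit/s")
    print(summarize(rates))
```

With these constructed samples the interface totals add up to 46 Mbit/s, while only 22 Mbit/s was forwarded through the firewall and 2 Mbit/s of the offered 24 Mbit/s never left it.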
12-17-2010 01:17 PM
Thanks!
I am getting confused now, with a number of people in my org telling me differently. Let me put this one more time in simple words.
(inside) Eth0/1 -- [ASA 5510] -- Eth0/0 (outside)
Ingress - Traffic coming TO port Eth0/0 from outside
Egress - Traffic leaving FROM port Eth0/0 for outside
-NG
