cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

565
Views
0
Helpful
15
Replies
Highlighted
Contributor

ASA-5585-X SSP20

Dear Experts

 

I am replacing the 5585-X firewall with the newest NGFW,, actually i want to know the current throughput ( i am not mentioning  sh cpu history information which will display the how much high the cpu went in peak hrs  ) on 5585-X SSP20 instead a command that will show me throughput currently the firewall is utilizing.

 

Awaiting expert advise

15 REPLIES 15
Highlighted
VIP Mentor

Re: ASA-5585-X SSP20

#show traffic - show you the traffic on an interface,

 

if you have any NMS and you monitoring the ASA interface that also gives you historic information.

BB
*** Rate All Helpful Responses ***
Highlighted
Contributor

Re: ASA-5585-X SSP20

Dear Balaji

 

Thanks for the reply,

 

lets assume the interface utilization for all FW interface for a 12 months  is 25% then what will be your suggestion i should reduced the sizing of the firewall???

 

Apart from the sh cpu history i was also having interface utilization summary as well in my mind  but i m looking for one command output to show the throughput , i m just asking on fly i am not sure it is available in Cisco thats the reason i m  looking for experts advise.

Highlighted
Hall of Fame Guru

Re: ASA-5585-X SSP20

The "show traffic" command that @balaji.bandi mentioned is the best cli command we have available for this purpose. It's only a snapshot though so an NMS graph is generally a much better indicator.

If you have a good feel for the current and expected overall throughput needed we (partners or Cisco SEs) can plug it into a tool to tell you which model is recommended.

Highlighted
VIP Mentor

Re: ASA-5585-X SSP20

lets assume the interface utilization for all FW interface for a 12 months  is 25% then what will be your suggestion i should reduced the sizing of the firewall???

May not be the case the way you thinking, we need to see always Peak point when we look performance point of view (rather average) - this is what i will be thinking right approach, But different people have different approaches.

 

As @Marvin Rhoads  suggested here, if you are not sure about  new model is not right choice,Contacting  Local Cisco SE probably best person for you to suggest the model, since they understand your network and requirement.

 

we only suggest based on the input you provided, some time may not be workable for you. Best to protect your investment buying new models, involve your cisco partner.

 

BB
*** Rate All Helpful Responses ***
Highlighted
Contributor

Re: ASA-5585-X SSP20

Dear Balaji and Marvin

 

Thanks for the reply.

 

you both are on the leaders board and have good experience for me you both are the online cisco SE , can you tell me what will the questionnaire that will  be asked to me (customer) by an local SE for proposing the Core firewall.

 

Please advise.

Highlighted
Hall of Fame Guru

Re: ASA-5585-X SSP20

The primary inputs are overall throughput and enabled features.

Here's the tool's input section FYI:

ngfwpe input.PNG

Highlighted
Contributor

Re: ASA-5585-X SSP20

Dear Marvin

 

Can you share the link for the sizing, i will try to get access from my local cisco.

Highlighted
Hall of Fame Guru

Re: ASA-5585-X SSP20

@adamgibs7 the tool is restricted to users with staff or partner level access only. It uses your cisco.com credentials (CCO ID) to confirm.

It is at https://ngfwpe.cisco.com

Highlighted
Contributor

Re: ASA-5585-X SSP20

Dear Marvin 

 

thanks for the reply and link 

 

one question in my my mind if I have 10 web server in my DMZ the uplink from these DMZ switches should be 10G or 1G, on basis of what factors this is been decided. Pls correct me if I m wrong one factor is that hence my internet bandwidth

 is 500mbps so is it 10G connection from DMZ switches to firewall make sense??? Also I would like to understand we shld not forget that my internal users will also  access web server so is it good to keep 10G. 
Also remembering the thumb of rule Cisco says when u have 48 port switch the uplink shld be of mathematics 20:1 that means 20 user port than 1G uplink is sufficient.so if we have 48 port switch than 3G uplink is more than enough.

 

pls advise

Highlighted
Hall of Fame Guru

Re: ASA-5585-X SSP20

If the primary users of your web servers are Internet-based and your Internet link is 500 Mbps then a 1 Gbps uplink from your DMZ switch is more than enough. If the internal users are the primary users then you might want to consider making the DMZ switch to firewall uplink 10 Gbps (and the inside network to DMZ as well). Ideally you would have a baseline of current traffic (like from an NMS like PRTG or SolarWinds Orion NPM) to better inform your design decisions going forward.

Highlighted
Contributor

Re: ASA-5585-X SSP20

Dear Marvin

Thanks for the reply,, Please share your experience. One last query and then i will marked as answered

 

Does in real world scenario the front end web servers on DMZ are accessible from internal users as well ??? or for internal  corporate users organization can have a different front end server with different  server IP address but with same html web page contents but in back end the DMZ web server and the internal Web Server are hitting to the same application server and then the database server.

 

As per the attached Diagram what is the key factors that has to be considered when deciding the interfaces ( speed 10G or 1G)  between the DC firewall and intermediate switch and from intermediate switch to the perimeter firewall.

 

thanks

Highlighted
Hall of Fame Guru

Re: ASA-5585-X SSP20

How the servers are laid out depends a lot on what the application and services architecture looks like. Security best practices would have public-facing servers in a DMZ serving only external users.

In the "real world". whether or not they serve content to both internal and external users varies. Smaller organizations may not have the resources for separate servers. Some designs may require internal and external users access the same content on the same servers.

Highlighted
Contributor

Re: ASA-5585-X SSP20

Dear Marvin

 

you missed my 2nd question in my previous post.

 

As per the attached Diagram what is the key factors that has to be considered when deciding the interfaces ( speed 10G or 1G)  between the DC firewall and intermediate switch and from intermediate switch to the perimeter firewall.

Highlighted
Hall of Fame Guru

Re: ASA-5585-X SSP20

The key factor when choosing interface type and number in a design is the required throughput, both current and including margin for anticipated growth during the expected lifetime of the design.

Secondary factors include budget, existing available interfaces (if any), physical constraints (availability of fiber runs, expansion capacity of the devices etc.), logical constraints (i.e. do both sides of a link support Etherchannels, how might that work with any HA scheme also in the design) etc.