ASA minimum throughput

lcaruso
Level 6

Hi,

I need a firewall that has an absolutely worst-case throughput of 500 Mb/s sustained with all security features enabled. I'm looking at the 5550 platform as meeting this requirement, but would like comments.

Does the way Cisco specs their throughput with VPN throughput accurately represent this worst case?

If the 5550 VPN throughput is 425 Mb/s, does that mean if all traffic was VPN traffic that is what I'd be guaranteed to get?

Do they mean that worst case is when all connections are VPN?

Appreciate it if someone can clear me up on the worst-case throughput specification. Thanks.

Accepted Solution

Maykol Rojas
Cisco Employee

Hi,

I would suggest you contact your Account Manager from Cisco, who can provide you the best option based on tested scenarios and so on. Here is an extract of what I consider, by far, the best document that explains causes of oversubscription:

"....Let's use the ASA5510 as an example. Its name throughput is 300Mbps, as we see on the table above. So the question is, "if my ASA5510 sees about 280Mbps should it be 100% CPU or not?". A quick answer would be "No". Though, we must not forget that there are many factors involved in this question. In the network industry name speeds of devices come out under certain tests. These tests are repeated and an average is presented as the maximum speed. Though, not always is "real-world" traffic the same traffic as the one used in the tests. We could use the aforementioned ASA5510 for example. Usually, the name speed tests involve stateless protocols with big packets. For a TCP web browsing application though, the packets are much smaller and TCP uses ACKs and is a "synchronized" protocol by nature. That would add more load to the firewall itself, which would make its maximum throughput value drop. On top of that, if the ASA has http inspection configured (which will do deep packet inspection for http) then we understand that its maximum processing throughput would be less than 280Mbps. It is obvious that even though 300Mbps is indeed the throughput the device can achieve, its real-world throughput, based on applications, traffic nature and configuration could practically be less. That is why in our performance documents we also try to provide other metrics. These include the "packets per seconds" (pps) and what is often seen as "real-world HTTP". For example in the ASA table we can see that the 5510 can do 190K pps (small 64-byte packets). These metrics could also be used against the interface statistics collected from the device in order to decide if the box is pushed to its limits...."

https://supportforums.cisco.com/docs/DOC-12439

My point is, just because it is documented does not mean it is going to support that amount of traffic; there are a number of variables that need to be taken into consideration.

Cheers.

Mike
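The quoted document makes two points that are easy to turn into arithmetic: the headline Mbps figure assumes large packets, so at small packet sizes the pps rating is the real ceiling, and the pps/Mbps ratings can be compared against interface counters to see how close a box is to its limits. The following is an added example (not from the thread or from Cisco's document) that does both. The ASA5510 datasheet numbers are the ones quoted above (300 Mbps, 190K pps at 64-byte packets); the `Datasheet`/`CounterSample` names, the helper functions and the counter samples are all constructed for illustration and are not an ASA API or real `show interface` output.

```python
"""Worst-case throughput estimate from datasheet Mbps and pps figures.

Added example. Datasheet numbers quoted in the thread: ASA5510 rated
300 Mbps and 190K pps (64-byte packets). Everything else here is a
constructed illustration, not Cisco tooling.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Datasheet:
    name: str
    rated_mbps: float   # "name" throughput, measured with large stateless packets
    rated_pps: float    # packets per second the box can forward at 64-byte packets


# Figures quoted in the accepted answer.
ASA5510 = Datasheet("ASA5510", rated_mbps=300.0, rated_pps=190_000)


def mbps_at_packet_size(ds: Datasheet, avg_packet_bytes: float) -> float:
    """Achievable Mbps once both the bit-rate and the pps ceilings apply.

    The pps rating bounds throughput at small packet sizes; the rated Mbps
    bounds it at large ones. The worst case is whichever is lower.
    """
    pps_bound_mbps = ds.rated_pps * avg_packet_bytes * 8 / 1e6
    return min(ds.rated_mbps, pps_bound_mbps)


def breakeven_packet_bytes(ds: Datasheet) -> float:
    """Packet size below which the pps limit, not the Mbps limit, is binding."""
    return ds.rated_mbps * 1e6 / (ds.rated_pps * 8)


def min_rated_pps(target_mbps: float, avg_packet_bytes: float) -> float:
    """pps a platform must sustain to carry target_mbps at this packet size."""
    return target_mbps * 1e6 / (avg_packet_bytes * 8)


@dataclass(frozen=True)
class CounterSample:
    """One reading of an interface's cumulative counters (constructed)."""
    t: float        # seconds
    packets: int
    octets: int


def observed_rates(a: CounterSample, b: CounterSample):
    """Derive pps, Mbps and average packet size from two counter readings."""
    dt = b.t - a.t
    dp = b.packets - a.packets
    do = b.octets - a.octets
    if dt <= 0 or dp < 0 or do < 0:
        # Counter reset or wrap between samples: the delta is not usable.
        raise ValueError("samples must be increasing in time and counters")
    pps = dp / dt
    mbps = do * 8 / dt / 1e6
    avg_packet = do / dp if dp else 0.0
    return pps, mbps, avg_packet


def headroom(ds: Datasheet, pps: float, mbps: float) -> dict:
    """Percent of each datasheet ceiling the observed load consumes."""
    return {
        "pps_pct": pps / ds.rated_pps * 100,
        "mbps_pct": mbps / ds.rated_mbps * 100,
    }


# Constructed 10-second sample: 100-byte average packets, a web-browsing-like mix.
S0 = CounterSample(t=0.0, packets=10_000_000, octets=1_000_000_000)
S1 = CounterSample(t=10.0, packets=11_700_000, octets=1_170_000_000)

if __name__ == "__main__":
    for size in (64, 128, 197, 512, 1500):
        print(f"{ASA5510.name} at {size:4d}-byte packets: "
              f"{mbps_at_packet_size(ASA5510, size):6.1f} Mbps")
    print(f"pps limit binds below {breakeven_packet_bytes(ASA5510):.0f}-byte packets")
    print(f"500 Mbps at 200-byte packets needs {min_rated_pps(500, 200):,.0f} pps")
    pps, mbps, avg = observed_rates(S0, S1)
    print(f"observed: {pps:,.0f} pps, {mbps:.1f} Mbps, {avg:.0f}-byte average")
    print(headroom(ASA5510, pps, mbps))
```

The constructed sample shows the trap the document warns about: 136 Mbps looks like less than half of the 300 Mbps rating, but the same traffic is at about 89% of the 190K pps rating, so the box is close to its limit. For the original question, the same arithmetic says a 500 Mb/s worst case needs the candidate platform's pps rating, at the packet sizes you actually carry, to clear 500e6 / (8 × average packet bytes), not just a headline Mbps above 500.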

2 Replies

lcaruso

Many thanks for your help on this!