01-23-2012 05:45 AM - edited 03-11-2019 03:17 PM
Hi,
I am interested in knowing if there are any differences in the following configurations in terms of performance especially, security, functional restriction etc.
ASA 5550 HA Pair running 8.4
1. Creating a port-channel using 5 physical interfaces. Then creating SVIs (VLAN ports) out of that single port-channel interface and routing between them based on a firewall policy. The other end would be connected to a 3750 stack VLAN trunk port.
2. Creating 5 single dedicated interfaces (layer 3) and routing between them based on a firewall policy.
The other end would be connected to a 3750 stack VLAN trunk port.
Thanks in advance
01-26-2012 12:24 PM
Hi Jake,
In terms of security, there is no difference.
As for performance, the answer would depend heavily on the traffic profile through the ASA. The goal would be to choose the option that offers the most optimal load balancing of traffic across the physical interfaces. With a port-channel, all subnets would theoretically share all of the physical interfaces in the bundle, but the load can fluctuate due to the load balancing algorithm. Using dedicated physical interfaces means that all hosts in a subnet would share the same physical interface. Again, this may or may not be desirable depending on how even the traffic profile is across all interfaces.
Also, keep in mind that with a 5550 you can only use the on-board NICs in a port-channel (gig0/x). The SSM ports in slot 1 (gig1/x) cannot be used in a port-channel.
-Mike
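The load-sharing trade-off described in the reply above, as an added example that is not part of the original thread. The subnets, flows and the XOR-based hash are constructed assumptions (the hash is a stand-in, not the ASA's actual load-balancing algorithm), and only the ingress direction is counted.

```python
import ipaddress

LINKS = 5  # five physical interfaces, as in the question

# Constructed sample: one subnet per interface for option 2.
SUBNETS = [ipaddress.ip_network(f"10.0.{i}.0/24") for i in range(LINKS)]

# Constructed flows (src, dst, Mbps): subnet 10.0.0.0/24 is far busier.
FLOWS = [
    ("10.0.0.10", "10.0.1.20", 300),
    ("10.0.0.11", "10.0.2.20", 300),
    ("10.0.0.12", "10.0.3.20", 300),
    ("10.0.1.10", "10.0.4.20", 50),
    ("10.0.2.10", "10.0.3.21", 50),
]

def hash_link(src, dst):
    """Option 1: pick a bundle member from a src/dst IP hash.
    Assumption: simple XOR-modulo hash used for illustration only."""
    s = int(ipaddress.ip_address(src))
    d = int(ipaddress.ip_address(dst))
    return (s ^ d) % LINKS

def dedicated_link(src, dst):
    """Option 2: the source subnet pins the flow to one interface."""
    addr = ipaddress.ip_address(src)
    for idx, net in enumerate(SUBNETS):
        if addr in net:
            return idx
    raise ValueError(f"{src} is not in any configured subnet")

def load_per_link(flows, chooser):
    """Sum offered Mbps per physical link for a given placement rule."""
    load = [0] * LINKS
    for src, dst, mbps in flows:
        load[chooser(src, dst)] += mbps
    return load

if __name__ == "__main__":
    for name, chooser in (("port-channel", hash_link),
                          ("dedicated", dedicated_link)):
        load = load_per_link(FLOWS, chooser)
        print(f"{name:12s} per-link Mbps={load} busiest={max(load)}")
```

With this profile the bundle spreads the busy subnet over several members but still leaves one link idle and doubles up on another, while the dedicated layout puts all of that subnet's traffic on a single interface.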
01-31-2012 07:22 AM
Thanks a lot for the information, very helpful.