Difference in performance between ASA SVI or dedicated Interface routing

Conrad Laus · ‎01-23-2012

Hi,

I am intertested in knowing if there are any differences in the following configurations in terms of performance especially, security, functional restriction etc.

ASA 5550 HA Pair running 8.4

1. Creating a port-channel using 5 physical interfaces. Then creating SVI's (vlan ports) out of that single port-channel interface and routing between them based on a firewall policy, The other end would be connected to a 3750 stack VLAN trunk port.

2. Creating 5 single dedicated interfaces (layer 3) and routing bertween them based on a firewall policy.

The other end would be connected to a 3750 stack VLAN trunk port.

Thanks in advance

mirober2 · ‎01-26-2012

Hi Jake,

In terms of security, there is no difference.

As for performance, the answer would depend heavily on the traffic profile through the ASA. The goal would be to choose the option that offers the most optimal load balancing of traffic across the physical interfaces. With a port-channel, all subnets would theoretically share all of the physical interfaces in the bundle, but the load can fluctuate due to the load balancing algorithm. Using dedicated physical interfaces means that all hosts in a subnet would share the same physical interface. Again, this may or may not be desirable depending on how even the traffic profile is across all interfaces.

Also, keep in mind that with a 5550 you can only use the on-board NICs in a port-channel (gig0/x). The SSM ports in slot 1 (gig1/x) cannot be used in a port-channel.

-Mike

Conrad Laus · ‎01-31-2012

Thanks alot for the information, very helpful.