Firepower 2110 & 2120 IPS throughput

blazeoptimus
Level 1

I'm working to validate the speeds through our Firepower 2110 & 2120 devices (running 7.0.1 snort3). We recently bumped the speed on our internet connection to 1gig, but these two devices don't seem to be able to handle the throughput. As it stands, we have our devices configured in transparent mode using BVIs. The primary allow rule has IPS configured on it. IPS is set to balanced security vs connection.


If I take two machines and put them side by side, and file transfer or use iperf, I get full gigabit speed (roughly 800-900Mbits). As soon as I introduce one of the above models to the mix, the speed drops to roughly 350Mbits. I've found the following settings improve the speed:


Done in this order:
Remove IPS: 500Mbits achieved
Switch to inline/passive transparent mode: 700-750Mbits achieved
Implemented prefilter allow all with fastpath: 850Mbits (or full speed) achieved


Ideally I'd like to have IPS still enabled and be able to get better than 10-15% of the rated IPS capabilities. Is there something silly I'm missing with this that would improve the throughput?

I've tried switching them to routed mode, and backing them up to snort2, plus a long list of disabling and enabling different settings, and the above are the only things I could see that affected the throughput in any way.

Marvin Rhoads
Hall of Fame

The rated performance for the devices is aggregate, assuming a mix of traffic from multiple clients. A single flow between 2 devices will only use a single Snort process running on a single core. That is what Cisco calls an "elephant flow". Elephant flows will never achieve the same performance as the overall device rating.

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/200420-Processing-of-Single-Stream-Large-Sessio.html
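
One way to confirm the single-flow explanation on your own link, as an added example that is not part of this thread or of any Cisco tool: run iperf3 through the sensor once with one stream and once with several parallel streams, then compare the aggregate against the best single stream. The iperf3 JSON field names are those of `iperf3 -J` client output; the sample numbers are constructed, not measured on a Firepower.

```python
"""Single-stream vs multi-stream throughput check through an inline IPS."""
import json
import subprocess


def run_iperf3(server, streams, seconds=10):
    """Run iperf3 against `server` with `streams` parallel TCP streams; return parsed JSON.

    Assumes iperf3 is installed locally and an iperf3 server (-s) is on the far
    side of the sensor. Not executed by the sample below.
    """
    cmd = ["iperf3", "-c", server, "-P", str(streams), "-t", str(seconds), "-J"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def summarize(result):
    """Return (aggregate_mbps, per_stream_mbps) from an `iperf3 -J` result."""
    end = result["end"]
    aggregate = end["sum_received"]["bits_per_second"] / 1e6
    per_stream = [s["receiver"]["bits_per_second"] / 1e6 for s in end["streams"]]
    return aggregate, per_stream


def elephant_flow_suspected(single, multi, scale=1.5, slack=1.1):
    """True when the aggregate grows with parallel streams (>= scale x the
    single-stream run) while no individual stream beats the single-stream rate
    (within `slack`). That pattern means each flow is capped by one Snort
    core rather than the box being saturated: the elephant-flow symptom."""
    single_agg, _ = summarize(single)
    multi_agg, per_stream = summarize(multi)
    return multi_agg >= scale * single_agg and max(per_stream) < single_agg * slack


def _constructed_result(per_stream_bps):
    """Build a minimal object shaped like iperf3 -J output (constructed sample)."""
    return {"end": {
        "sum_received": {"bits_per_second": sum(per_stream_bps)},
        "streams": [{"receiver": {"bits_per_second": b}} for b in per_stream_bps],
    }}


# Constructed samples: one flow at ~350 Mbit/s, three flows at ~300 Mbit/s each.
SAMPLE_SINGLE = _constructed_result([350e6])
SAMPLE_MULTI = _constructed_result([300e6, 290e6, 310e6])

if __name__ == "__main__":
    agg, streams = summarize(SAMPLE_MULTI)
    print(f"aggregate {agg:.0f} Mbit/s over {len(streams)} streams")
    print("elephant flow suspected:", elephant_flow_suspected(SAMPLE_SINGLE, SAMPLE_MULTI))
```

For a live run, replace the samples with `run_iperf3("<server>", 1)` and `run_iperf3("<server>", 8)`; if the aggregate climbs toward the rated figure while each stream stays near 350 Mbit/s, the per-flow cap rather than the IPS policy is the limit.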

Thank you for the link - this explains a good deal.
