Understanding Throughput Numbers on ASA5585-X series

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-17-2012 12:22 PM - edited 03-11-2019 05:38 PM
I'm in the evalation process to upgrade from an ASA5580, which at peak is handling 5 Gbps download and 2 Gbps upload I want to be sure I'm understanding the numbers on the ASA5585-X data sheet correctly. Looking at the ASA5585-S40 for example, these numbers are listed:
Statistic | Value |
---|---|
Firewall Througput (Max) | 20 Gbps |
Firewall Througput (Multi-Protocol) | 10 Gbps |
Maximum Firewall Connections | 4,000,000 |
Maximum Firewall Connections/Second | 200,000 |
Max Packets per second (64-byte) | 6,000,0000 |
The "Maximizing Firewall Performance" presentation at Cisco Live also mentioned a "Real-World Throughput" of 12 Gbps, but I'm not sure how they came to this number.
My questions are as follows:
- Is "throughput" the combined inbound and outbound traffic? Would a 8 Gbps download and 2 Gbps upload be considered 10 Gbps throughput, or only 8?
- What is "Multi-Protocol" and how does that influence the numbers? If the firewall will only pass tcp/80 with no inspection, what is the throughput?
- The 5580 platform has a bus limit of 16 Gbps. Does the 5585-X series have any such limit?
- Labels:
-
NGFW Firewalls

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-27-2012 01:09 PM
Anyone?
I understanding the "real world" throughput is based mostly on packet size, but is it a single direction number or combined input and output?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-27-2012 01:39 PM
Hi,
Can't really give any specific information myself.
To my understanding the "Multi-Protocol" section should be value to look when comparing a new devices performance to your current or future network throughtput needs. I'd imagine the Max value is the maximum throughtput the device could "push through" in ideal conditions which would lead to believe that it wouldnt be a good value to use.
Then theres ofcourse VPN and IPS which usually have their own section in the max throughput charts.
But as I said, I'm not really the best person to answer about these questions.
Thought I would still link this document/post/blog I ran into today but havent still read it through. And perhaps I should
Maybe it could be of some help while waiting for an answer from someone.
Maybe some other section of these very forums might have people that could give you more specific answer. Sections which have people participating that have to handle these things in everyday work.
- Jouni
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-28-2012 10:49 AM
I've scanned through similar discussions and mostly see chatter that throughput depends on packet size. Well, duh! The link states that the 20 Gbps number for the 5585-40 is with Jumbo frames, so that's good to know. But what I'm really trying to figure out is what the throughput would be for large but non-Jumbo frames, roughly 1200 Bytes. I would guestimate it in the 12-15 Gbps range, but since a need a firewall speced for 14 Gbps, it's really cutting it close.
I think the only way to get at these numbers is lab environment with packet generator, so I can go that route. Just seeing if anyone else has done it already. In a nutshell, I'm trying to fill out charts like this below for the 5585-40.
Packet Size (Bytes) | Max PPS | Throughput (Gbps) |
---|---|---|
9000 | 277,777 | 20 |
1500 | ||
1200 | ||
512 | ||
64 | 5,000,000 | 2.56 |
