Hey, I'm trying to figure out ways to get the most bandwidth out of our security appliances. Right now, we use the M1 (management port) for both management traffic and data traffic in/out. The S370 has 2 data ports P1 & P2, and the manual says that it can be configured such that ingress data traffic (from the internal network) can be configured for P1, and P2 can be configured for outbound data traffic (to the firewall). Our ASA currently has WCCP redirection, so traffic hits the firewall, redirects to the S370, and then passing traffic goes back to the firewall. This is all done over one 1 Gbps connection.
My question is this: by splitting ingress/egress traffic between P1/P2, will this improve data throughput? Has anyone done before and after comparisons?
I have not seen any metrics if this configuration using the P1 & P2 improves data throughput. My honest feelings are if you're splitting ingress and egress to separate interfaces then you're increasing the available bandwidth to and from the WSA. Now whether this will result in improved performance is another question. I will do some research to find out if anyone has seen this improve throughput.
WSA Cisco Forums Moderator
Brian (and Erik),
I would not split the traffic flow.
I currently have 2 IP S360s with the M1 & P1 interfaces in use. I am getting ready to possibly move this to just the M1 interfaces because our concern is that the M1 link could be up but the P1 link could be unable to deliver traffic to the Internet.
If however I can communicate via WCCP over the M1 link it is probably a safe bet that the M1 link can communicate to the Internet back through the same router/switch the WCCP traffic came from.
Yes we could work around this with an EEM script (ping P1, if down shut down the M1 link) or GLBP/HSRP for P1 gateway but without interface teaming on the P1 links there will most always be a chance to blackhole traffic.
Now in 4 (?) years this has never happened... I do wish that some sort of dynamic route health check was implemented in the Ironport code.
We use the interfaces P1 and P2 to pass traffic through our S370. We have never experienced any noticeable delay. However, we have been using this construct for a few months (with around 2000 users).
We use route tracking to improve reliability. The WSA is connected to a Catalyst 6500 with WCCP towards the P1 interface. The P2 has the default route back to the same router. We track the IP address of P2 using IP SLA, negate the result and add a tracked null route for the IP address of the P1 interface. If P2 does not respond to ping the router adds a route that suppresses the communication with P1 and WCCP will go in bypass.
It is however not possible to negate the IP SLA result with an ASA.
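The route-tracking setup described in the post above, written out as an added IOS configuration example (this is not the poster's own config). It assumes constructed addresses for the WSA interfaces (P1 = 10.1.1.10 on the WCCP side, P2 = 10.1.2.10 with its default route toward the router) and the `ip sla` / `track ... list boolean` syntax of IOS 12.2SX and later; older 6500 code uses `ip sla monitor` instead.

```ios
! Added example, not from the original post. Addresses are constructed placeholders:
!   P1 (WSA interface WCCP talks to) = 10.1.1.10
!   P2 (WSA interface with the default route back to this router) = 10.1.2.10
!
! 1. Ping the P2 address every 5 seconds (source interface is an assumption).
ip sla 1
 icmp-echo 10.1.2.10 source-interface Vlan20
 frequency 5
ip sla schedule 1 life forever start-time now
!
! 2. Track whether the probe is reachable (up when P2 answers).
track 1 ip sla 1 reachability
!
! 3. Negate it: track 2 is up only while P2 does NOT answer.
!    The delay keeps a single lost ping from flapping the route.
track 2 list boolean and
 object 1 not
 delay down 10 up 10
!
! 4. Host route to P1 via Null0, installed only while track 2 is up.
!    With P1 unreachable from the router, the WCCP service group loses
!    the WSA and the router forwards client traffic directly (bypass).
ip route 10.1.1.10 255.255.255.255 Null0 track 2
!
! Verification (assumed standard IOS show commands):
! show track brief
! show ip sla statistics 1
! show ip route 10.1.1.10
! show ip wccp
```

When P2 recovers, track 2 goes down again, the null route is withdrawn, and the WSA re-registers with WCCP on its own; check `show ip wccp` to confirm the cache engine count returns to 1.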