Ironport S370-advantage to using P1 & P2 config?

bkoch1
Level 1

Hey, I'm trying to figure out ways to get the most bandwidth out of our security appliances. Right now, we use the M1 (management port) for both management traffic and data traffic in/out. The S370 has 2 data ports P1 & P2, and the manual says that it can be configured such that ingress data traffic (from the internal network) can be configured for P1, and P2 can be configured for outbound data traffic (to the firewall). Our ASA currently has WCCP redirection, so traffic hits the firewall, redirects to the S370, and then passing traffic goes back to the firewall. This is all done over one 1 Gbps connection.

My question is this: by splitting ingress/egress traffic between P1/P2, will this improve data throughput? Has anyone done before and after comparisons?

6 Replies

Erik Kaiser
Cisco Employee

Hi Brian,

I have not seen any metrics on whether this configuration using the P1 & P2 improves data throughput. My honest feeling is that if you're splitting ingress and egress to separate interfaces then you're increasing the available bandwidth to and from the WSA. Now whether this will result in improved performance is another question. I will do some research to find out if anyone has seen this improve throughput.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator


Brian ( and Erik ),

I would not split the traffic flow.

I currently have 2 IP S360s with the M1 & P1 interfaces in use. I am getting ready to possibly move this to just the M1 interfaces because our concern is that the M1 link could be up but the P1 link could be unable to deliver traffic to the Internet.

If however I can communicate via WCCP over the M1 link, it is probably a safe bet that the M1 link can communicate to the Internet back through the same router/switch the WCCP traffic came from.

Yes, we could work around this with an EEM script (ping P1, if down shut down the M1 link) or GLBP/HSRP for the P1 gateway, but without interface teaming on the P1 links there will almost always be a chance to blackhole traffic.

Now in 4 (?) years this has never happened ... I do wish that some sort of dynamic route health check was implemented in the Ironport code.

What is the security risk of using the M1 port for both mgmt and data traffic?

Or that the Ironports understood LACP? Or spanning tree.

Single homed boxes are not really 201x level technology.

Did you ever find this out, Erik?

Hi Brian,

We use the interfaces P1 and P2 to pass traffic through our S370. We have never experienced any noticeable delay. However, we have been using this construct for a few months (with around 2000 users).

We use route tracking to improve reliability. The WSA is connected to a Catalyst 6500 with WCCP towards the P1 interface. The P2 has the default route back to the same router. We track the IP address of P2 using IP SLA, negate the result and add a tracked null route for the IP address of the P1 interface. If P2 does not respond to ping, the router adds a route that suppresses the communication with P1 and WCCP will go into bypass.

It is however not possible to negate the IP SLA result with an ASA.
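As an added example (not from the original thread or any of its posters), here is how the IP SLA / object-tracking construct described in the previous reply could look in IOS on the Catalyst 6500. The addresses (192.0.2.0/24 documentation range), interface names and object numbers are assumptions; substitute your own.

```ios
! Constructed example: WSA P1 = 192.0.2.11 (WCCP side),
!                      WSA P2 = 192.0.2.12 (default-route side).
! Both addresses and the VLAN interfaces are assumed.
!
! 1. Probe the P2 address every 5 seconds.
ip sla 1
 icmp-echo 192.0.2.12 source-interface Vlan20
 frequency 5
ip sla schedule 1 life forever start-time now
!
! 2. Track 1 is UP while P2 answers, DOWN once the probe fails.
!    The delay avoids flapping on a single lost echo.
track 1 ip sla 1 reachability
 delay down 15 up 15
!
! 3. Track 2 is the negation of track 1 (a one-member boolean list
!    with "not"): it is UP only when P2 is unreachable.
track 2 list boolean and
 object 1 not
!
! 4. Host route to the P1 address, installed only while track 2 is UP.
!    As a /32 it beats the connected route, so with P2 dead the router
!    can no longer reach P1, the WSA drops out of the WCCP service
!    group, and web traffic is forwarded normally (bypass).
ip route 192.0.2.11 255.255.255.255 Null0 track 2
!
! 5. Normal WCCP redirect on the inside interface, unchanged.
ip wccp web-cache
interface Vlan10
 ip wccp web-cache redirect in
```

When P2 recovers, track 1 returns to UP, track 2 goes DOWN, the null route is withdrawn and the WSA rejoins the service group on its own.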
