[c-nsp] ASA Throughput mess

Peter Rathlev peter at rathlev.dk
Thu Feb 17 15:32:37 EST 2011


On Thu, 2011-02-17 at 11:25 -0600, cisconsp at secureobscure.com wrote:
> The answer to that question is entirely dependent on how the device is
> configured. How many lines in how many ACLs applied to how many interfaces
> with what kinds of inspection and services enabled. Everything you enable
> subtracts from total system throughput.
> 
> For example, we maxed out a 5550 doing ~600meg inside->outside with PAT.
> Then with logging enabled it dropped, and ACLs added it dropped, and
> inspection configured and it dropped... Now it maxes out the CPU around
> 350mbps. It's all completely dependent on the individual situation and
> configuration.

I'm not able to test a lot right now, but traffic just short of 200
Mbps / 15 kpps makes our 5550 run at ~19% CPU (5 min avg, constant
traffic rate). We have a 774 element inbound ACL on the inside interface
and the test traffic matched line 114. All this traffic was using PAT.
The box "idles" at ~5%, i.e. from "normal" traffic before I did this
test.

I'm guessing traffic that has to be inspected might not perform very
well; my test was FTP but the data channels aren't inspected.

-- 
Peter
