
Cisco PIX 500 Series Security Appliances

Field Notice: FN - 14504 - PIX 535 Interface Configuration/Performance Considerations


Revised October 26, 2005

August 2, 2001


NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected

| Product | Comments |
|---|---|
| PIX-535 | All bundles and interface configurations |

Problem Description

The PIX 535 platform introduced a high speed, multiple bus architecture in conjunction with a line rate Gigabit interface card. There are many possible combinations to install the available PIX interface cards into the 535 chassis. Some combinations may drastically limit the potential throughput of the firewall, as well as prevent state data from passing between a failover pair.

Background

The PIX 535 has nine interface slots spread over three separate buses: one 32-bit/33 MHz bus with five interface slots and two 64-bit/66 MHz buses with two interface slots each. Use the following table and figure as references for the bus and interface slot configuration on the PIX 535:

PIX 535 Buses and Interface Slots

| Interface Slots | Bus | Maximum Bus Bandwidth/Speed |
|---|---|---|
| Slots 0 and 1 | Bus 0 | 64-bit/66 MHz |
| Slots 2 and 3 | Bus 1 | 64-bit/66 MHz |
| Slots 4 to 8 | Bus 2 | 32-bit/33 MHz |

[Figure: PIX 535 Back Panel Detail]

The cards supported by the PIX 535 have different maximum bus speeds. Use the following table as a reference for each interface card's bus speed:

PIX 535 Supported Cards

| Interface Card | Maximum Bus Speed |
|---|---|
| PIX-1FE | 32-bit/33 MHz |
| PIX-4FE | 32-bit/33 MHz |
| PIX-4FE-66 | 64-bit/66 MHz |
| PIX-1GE | 64-bit/33 MHz |
| PIX-1GE-66 | 64-bit/66 MHz |
| PIX-VPN-ACCEL | 32-bit/33 MHz |
| PIX-VAC-PLUS | 64-bit/66 MHz |

The 32-bit/33 MHz bus always operates at 32-bit/33 MHz. Each of the two 64-bit/66 MHz buses operates at the speed of the slowest interface card installed in it. However, bandwidth is determined on a card-by-card basis, so a 64-bit card always operates at full bandwidth in a 64-bit bus, even if another installed card limits that bus to 33 MHz.

Problem Symptoms

When a 66 MHz card is installed in a 32-bit/33 MHz bus, its potential performance will be severely limited. When a 66 MHz card is installed in a 64-bit/66 MHz bus in conjunction with any 33 MHz card, its potential throughput is limited, although not as severely because it still operates at 64-bit bandwidth.

Note that any performance degradation due to the configurations described above would only be noticeable on PIX 535 systems with relatively heavy traffic or when larger packet sizes are involved.

Workaround/Solution

These practices must be followed in order to achieve the best possible system performance on the PIX 535:

  1. 66 MHz cards should be installed first in the 64-bit/66 MHz buses before they are installed in the 32-bit/33 MHz bus. If more than four 66 MHz cards are needed, they may be installed in the 32-bit/33 MHz bus, but with limited potential performance.

  2. 33 MHz cards should be installed first in the 32-bit/33 MHz bus before they are installed in the 64-bit/66 MHz buses. If more than five 33 MHz cards are needed, they may be installed in a 64-bit/66 MHz bus, but doing so will lower that bus speed and limit the potential throughput of any 66 MHz cards installed in that bus.

  3. When using more than four 66 MHz cards in a PIX 535, the four most active cards should be installed in the 64-bit/66 MHz buses. For example, if you have four 1GE-66 cards supporting four network segments that burst up to full line rate and you have a VAC-PLUS card that is under-subscribed, all four 1GE-66 cards should be installed in the 64-bit/66 MHz buses and the VAC-PLUS should be installed in the 32-bit/33 MHz bus. However, if the primary purpose of this PIX 535 is to terminate high volume IPSec tunnels and one or more of the 1GE-66 cards are always under-subscribed, then the VAC-PLUS card should be placed in a 64-bit/66 MHz bus in place of one of the 1GE-66 cards.

  4. The PIX-4FE-66 card will have equivalent performance to the PIX-4FE card when installed in a 33 MHz bus. However, if the card is heavily utilized the system will perform better if it is installed in an available 66 MHz bus.

    Use the following table to determine how to achieve the best performance from a PIX 535 using 66 MHz cards. The performance potential is relative to each card. The PIX-1GE-66 card will be most impacted if installed in a slower bus.

    66 MHz Card Combinations

    | Interface Card Combination | Installed In Interface Slot Numbers | Potential Throughput |
    |---|---|---|
    | One to four 66 MHz cards | 0 through 3 (66 MHz) | Best |
    | 66 MHz cards combined with 33 MHz cards | 0 through 3 (66 MHz) | Degraded |
    | Any 66 MHz card | 4 through 8 (33 MHz) | Severely degraded |

These caveats must be followed:

  5. The PIX-4FE and PIX-VPN-ACCEL cards can only be installed in the 32-bit/33 MHz bus and must never be installed in a 64-bit/66 MHz bus. Installation of these cards in a 64-bit/66 MHz bus may cause the system to hang at boot time.

  6. If stateful failover is enabled, the interface card and bus used for the stateful failover LAN port must be equal to or faster than the fastest card used for the network interface ports. For example, if the inside and outside interfaces are PIX-1GE-66 cards installed in bus 0, then the stateful failover interface must be a PIX-1GE-66 card installed in bus 1. A PIX-1GE or PIX-1FE card cannot be used in this case, nor can a PIX-1GE-66 card installed in bus 2 or sharing bus 1 with a slower card. Although using the PIX-1GE card in the PIX 535 is supported, this practice is strongly discouraged since potential system performance is much lower than that afforded by the PIX-1GE-66 card.
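
The placement rules and caveats above can be checked against a planned or installed layout before a failover pair goes into service. The following is an added example, not Cisco code: the function names are hypothetical, the link rates (100 Mb/s for FE cards, 1000 Mb/s for GE cards) are an assumption not stated in this notice, and "equal to or faster" is interpreted as link rate, bus width and bus clock each being at least those of every network interface card.

```python
# Added example (not Cisco code): audit a PIX 535 card layout against FN-14504.
SLOT_BUS = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 2, 6: 2, 7: 2, 8: 2}
BUS = {0: (64, 66), 1: (64, 66), 2: (32, 33)}    # bus: (bits, MHz)
CARDS = {  # card: (bits, MHz, link Mb/s); link rates are assumed, 0 = no network port
    "PIX-1FE": (32, 33, 100), "PIX-4FE": (32, 33, 100),
    "PIX-4FE-66": (64, 66, 100), "PIX-1GE": (64, 33, 1000),
    "PIX-1GE-66": (64, 66, 1000),
    "PIX-VPN-ACCEL": (32, 33, 0), "PIX-VAC-PLUS": (64, 66, 0),
}
BOOT_HANG = {"PIX-4FE", "PIX-VPN-ACCEL"}  # must never sit in a 64-bit/66 MHz bus

def effective(layout):
    """Map slot -> (link Mb/s, bits, MHz) the card actually runs at."""
    clock = {bus: mhz for bus, (_, mhz) in BUS.items()}
    for slot, card in layout.items():     # a bus clocks down to its slowest card
        bus = SLOT_BUS[slot]
        clock[bus] = min(clock[bus], CARDS[card][1])
    out = {}
    for slot, card in layout.items():     # width is per card, capped by the bus
        bits, _, link = CARDS[card]
        bus = SLOT_BUS[slot]
        out[slot] = (link, min(bits, BUS[bus][0]), clock[bus])
    return out

def audit(layout, failover_slot=None):
    """Return a list of (severity, slot, message) findings."""
    eff, findings = effective(layout), []
    for slot, card in sorted(layout.items()):
        bus = SLOT_BUS[slot]
        if card in BOOT_HANG and bus != 2:
            findings.append(("ERROR", slot, f"{card} in bus {bus} may hang at boot"))
        elif CARDS[card][1] == 66 and bus == 2:
            findings.append(("WARN", slot, f"{card} severely degraded in 33 MHz bus"))
        elif CARDS[card][1] == 66 and eff[slot][2] == 33:
            findings.append(("WARN", slot, f"{card} degraded by a 33 MHz card on bus {bus}"))
    if failover_slot is not None:
        fo = eff[failover_slot]
        for slot, speed in eff.items():   # compare against every network interface
            slower = any(f < n for f, n in zip(fo, speed))
            if slot != failover_slot and speed[0] and slower:
                findings.append(("ERROR", failover_slot,
                                 f"failover port slower than interface in slot {slot}"))
                break
    return findings

# Constructed layouts mirroring the notice's failover example (slot -> card).
GOOD = {0: "PIX-1GE-66", 1: "PIX-1GE-66", 2: "PIX-1GE-66"}
BAD = {0: "PIX-1GE-66", 1: "PIX-1GE-66", 2: "PIX-1GE-66", 3: "PIX-1GE", 4: "PIX-VAC-PLUS"}
```

Calling audit(BAD, failover_slot=2) reports the failover card in slot 2 as degraded by the PIX-1GE sharing bus 1, the PIX-VAC-PLUS as severely degraded in bus 2, and the failover port as slower than the interfaces in bus 0.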

How To Identify Hardware Levels

To determine which interface cards are installed, run the following command from the command line:

PIX535# show interface
     interface ethernet0 "outside" is up, line protocol is up
     Hardware is i82559 ethernet, address is 0002.b304.0eab
     .
     .
     .

The type of interface card installed is identified by the hardware type. Reference the following table to determine their mapping:

PIX 535 Supported Interface Cards

| Interface Card | Hardware Type |
|---|---|
| PIX-1GE-66 | i82543 |
| PIX-1GE | i82542 |
| PIX-4FE | i82558 |
| PIX-4FE-66 | i82559 |
| PIX-1FE | i82558, i82559 |

Notes:

  1. The PIX-1FE card with hardware type i82557 is not supported by the PIX 535.

  2. To differentiate between the PIX-1FE card and PIX-4FE/4FE-66 cards with identical hardware types, you may check for four sequential MAC addresses or visually inspect whether one or four RJ-45 ports are present on the card.

  3. To physically differentiate between the PIX-1GE and PIX-1GE-66 cards, visually inspect their primary ASIC. The PIX-1GE is labeled "LSI L2A1157" and the PIX-1GE-66 is labeled "INTEL TL82543GC".

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
