Cisco ASA 5580 Getting Started Guide, 8.2
Maximizing Throughput on the ASA 5580
Download this chapter
Maximizing Throughput on the ASA 5580Maximizing Throughput on the ASA 5580
Download the complete book
Cisco ASA 5580 Getting Started GuideCisco ASA 5580 Getting Started Guide (PDF - 4 MB)
give_us_feedback

Table Of Contents

Maximizing Throughput on the ASA 5580

Network Interfaces

About the Network Interfaces

Expansion Boards

Supported PCI Cards

Optimizing Performance

What to Do Next


Maximizing Throughput on the ASA 5580

The Cisco ASA 5580 adaptive security appliance is designed to deliver maximum throughput when configured according to the guidelines described in this chapter.

This chapter includes the following sections:

Network Interfaces

Optimizing Performance

What to Do Next

Network Interfaces

This section includes the following topics:

About the Network Interfaces

Expansion Boards

Supported PCI Cards

About the Network Interfaces

The ASA 5580 has two built-in Gigabit Ethernet network ports and nine expansion slots. The network ports are numbered 0 through 4 from the top to the bottom. The expansion slot numbers increase from right to left.

The two built-in Gigabit Ethernet ports are used for management and are called Management0/0 and Management0/1.

The ASA 5580 has nine interface expansion slots. Slots 1, 2, and 9 are reserved. Slot 1 is populated by the crypto accelerator and is not available for use by network interface cards. Slot 2 is reserved to future use.

You can populate slots 3 through 8 with supported network interface cards.

The adaptive security appliance has two I/O bridges and the I/O slots connect to one of the two buses. The management ports and adapters in slot 3, slot 4, slot 5, and slot 6 are on I/O bridge 1 and slot 7 and slot 8 are on I/O bridge 2.

Figure 2-1 shows the embedded ports and slots on the ASA 5580.

Figure 2-1 Embedded Ports and Slots on the ASA 5580

1

Power supply

2

Interface expansion slots

3

Power supply

4

T-15 Torx screwdriver

5

USB ports

6

Reserved slot

7

Example of a populated slot

8

Reserved slot

9

Console port

10

Management ports


Expansion Boards

Slot 1, slot 2, and slot 9 are reserved. Slots 3 through 9 are PCI-Express slots.

The adaptive security appliance has two internal I/O bridges providing copper Gigabit Ethernet and fiber Gigabit Ethernet connectivity.

Slots 5, 7, and 8 utilize a high-capacity bus (PCIe x8) and slot 3, slot 4, and slot 6 utilize a PCIe x4 bus for slots.

Figure 2-2 shows the interface expansion slots available on the ASA 5580.

Slot
Description

1

PCI-X non-hot-plug reserved slot, 64-bit/100-MHz

2

PCI-X non-hot-plug reserved slot, 64-bit/100-MHz

3

PCI Express x4 non-hot-plug expansion slot

4

PCI Express x4 non-hot-plug expansion slot

5

PCI Express x8 non-hot-plug expansion slot

6

PCI Express x4 non-hot-plug expansion slot

7

PCI Express x8 non-hot-plug expansion slot

8

PCI Express x8 non-hot-plug expansion slot

9

PCI Express x4 non-hot-plug reserved slot


Figure 2-2 Interface Expansion Slots

1, 3

Power supply

4, 5, 7

Fans

6

Diagnostic panel


Supported PCI Cards

The ASA 5580 supports the following PCI cards:

4-Port Gigabit Ethernet Copper PCI card

Provides four 10/100/1000BASE-T interfaces, which allow up to 24 total Gigabit Ethernet interfaces. Figure 2-3 shows the Gigabit Ethernet interface card.

Figure 2-3 4-Port Gigabit Ethernet Copper PCI Card

2-Port 10-Gigabit Ethernet Fiber PCI card

Provides two 10000BASE-SX (fiber) interfaces (allowing up to 12 total 10-Gigabit Ethernet fiber interfaces in a fully populated chassis).

The card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the sensor. Figure 2-4 shows the 2-Port 10-Gigabit Ethernet Fiber PCI card.

Figure 2-4 2-Port 10-Gigabit Ethernet Fiber PCI Card

4-Port Gigabit Ethernet Fiber PCI card

Provides four 10000BASE-SX (fiber) interfaces (allowing up to 24 total Gigabit Ethernet fiber interfaces in a fully populated chassis).

The card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the sensor.

Note The Gigabit Ethernet Fiber PCI cards with SR optics has a distance capability of 300 meters. The cards are designed to support short distances over deployed multi-mode fiber cabling with a range of between 26 metres (85 ft) and 82 metres (270 ft) depending on cable type.
The card also supports 300 metres (980 ft) operation over new, 50 µm 2000 MHz·km OM3 multi-mode fiber (MMF). The transmitter can be implemented with a VCSEL (Vertical Cavity Surface Emitting Laser).

Optimizing Performance

To maximize traffic throughput, ensure that the traffic flow and the hardware configuration of the adaptive security appliance matches the following guidelines:

Ideal performance is achieved when traffic enters and exits ports on the same adapter or ports on adapters serviced by the same I/O bridge.

The ASA 5580 has two I/O bridges and the I/O slots connect to one of the two I/O bridges. The adapters in slot 3, slot 4, slot 5, and slot 6 are on one I/O bridge and slot 7 and slot 8 are on the other I/O bridge.

The optimal performance will be achieved if traffic does not traverse both I/O bridges. Specifically, the traffic should flow between ports on adapters on the same bus.

Configure traffic to traverse the ports on the adapters in slot 7 and 8 for optimal performance for that traffic. Configure traffic to remain on ports on adapters in slots 3 through 6. See Figure 2-5 for an example of traffic configured to traverse ports on slot 7 and slot 8 on the high-capacity I/O bridge (PCIe x8).

If using 10-Gigabit Ethernet adapters, which require optimal performance from the adapters, place the adapters in a slot on the high-capacity I/O bridge (PCIe X8)—slot 5, slot 7, and slot 8.

Note A 10-Gigabit Ethernet adapter and port can deliver 10-Gigabit Ethernet full-duplex on one port given the right traffic profile. The bus bandwidth limits the 10-Gigabit Ethernet two-port performance on the same adapter to under 16 Gbps full-duplex.

Four-port adapters can be placed in any slot, but the bus might be a bottleneck if each port has 1 Gigabit full duplex worth of traffic. The bus bandwidth on the normal speed bus limits the aggregate bandwidth on one adapter to under 8 Gbps.

Note You can use the show io-bridge command to see the traffic throughput over each bus. For more information about using the command, see the Cisco ASA 5500 Series Command Reference.

The management ports are capable of passing through traffic by removing the management-only command. However, the management only ports have not been optimized to pass data traffic and will not perform as well as the ports on the adapters.

Figure 2-5 shows an example of traffic configured to traverse ports on slot 7 and slot 8 on the high-capacity I/O bridge (PCIe x8).

Figure 2-5 Example of Traffic Flow for Optimum Performance

What to Do Next

Continue with Chapter 3, "Installing the ASA 5580."