Guest

Cisco Adaptive Security Virtual Appliance (ASAv) Quick Start Guide, 9.5

Book Contents
Find Matches in This Book
Available Languages

Results

Updated:
February 3, 2016

Chapter: Introduction to the Cisco ASAv

Introduction to the Cisco ASAv

The Cisco Adaptive Security Virtual Appliance (ASAv) brings full firewall functionality to virtualized environments to secure data center traffic and multi-tenant environments.

You can manage and monitor the ASAv using ASDM or CLI. Other management options may be available.

Prerequisites for the ASAv

For hypervisor support, see Cisco ASA Compatibility.

Guidelines for the ASAv

Context Mode Guidelines

Supported in single context mode only. Does not support multiple context mode.

Failover Guidelines

For failover deployments, make sure that the standby unit has the same model license; for example, both units should be ASAv30s.

Unsupported ASA Features

The ASAv does not support the following ASA features:

  • Clustering
  • Multiple context mode
  • Active/Active failover
  • EtherChannels
  • Shared AnyConnect Premium Licenses

Guidelines, Features, and Limitations for the ASAv5

  • Jumbo frames are not supported.
  • Deployed on VMware, KVM, and Hyper-V with 1 GB of memory.

To run with 1 GB of memory, the ASAv5 VM must be re-provisioned with the 9.5.1.200 image. Only ASAvs running 9.5.1.200 can operate on 1 GB of memory. If you try to downgrade to a previous version, you must increase the memory to 2 GB.

  • Throughput of 100 Mbps.

The ASAv5 will begin drop packets soon after the threshold of 100 Mbps is reached (there is some headroom so that you get the full 100 Mbps). The ASAv5 is intended for users who require a small memory footprint and small throughput, so that you can deploy larger numbers of ASAv5s without using unnecessary memory.

  • Supports 8000 connections per second, 35 maximum VLANs, 50,000 concurrent session, and 50 VPN sessions.

ASAv Rate Limiter

Note: The ASAv Rate Limiter enforces throughput performance for the ASAv5 with some extra headroom to match entitlement and the built-in Lab Edition mode ASAv platforms.

License Entitlement shows the compliant resources scenarios that match license entitlement for the ASAvs.

Table 1 License Entitlement

 

 

License Entitlement

vCPU/RAM

Throughput

Rate Limiter Enforced
Lab Edition Mode (no license)
All Platforms
100Kbps
Yes
ASAv5 (100M)
1vCPU/1GB
100Mbps
Yes
ASAv10 (1G)
1vCPU/2GB
vCPU/RAM constrained
No
ASAv30 (2G)
4vCPU/8 GB
vCPU/RAM constrained
No

ASAv States and Messages shows the ASAv states and messages connected to resources and entitlement for the ASAvs.

Table 2 ASAv States and Messages

 

State

Resources vs. Entitlement

Actions and Messages
Compliant
Resource = Entitlement limits
(vCPU, GB, RAM)
Appliances optimally resourced
ASAv5 (1vCPU,1G), ASAv10 (1vCPU,2G), ASAv30 (4vCPU,8G)
No actions, no messages
Resources < Entitlement limits
Under-provisioned
No actions while Warning messages are logged that ASAv cannot run at licenses throughput
Non-compliant
Resources > Entitlement limits
Over-provisioned
ASAv5 rate limiter engages to limit performance and log Warnings on the console.
ASAv10 and ASAv30 reboot after logging Error messages on the console.

Licensing for the ASAv

The ASAv uses Cisco Smart Software Licensing. For detailed information, see Smart Software Licensing for the ASAv.

 

Model

License Requirement

ASAv5

Standard license

See the following specifications:

  • 100 Mbps Throughput
  • 1 vCPU
  • 1GB RAM
  • 50,000 concurrent firewall connections
  • Does not support AWS
  • Supports Azure on a Standard D3 instance

ASAv10

Standard license

See the following specifications:

  • 1 Gbps Throughput
  • 1 vCPU
  • 2 GB RAM
  • 100,000 concurrent firewall connections
  • Supports AWS on a c3.large instance
  • Supports Azure on a Standard D3 instance

ASAv30

Standard license

See the following specifications:

  • 2 Gbps Throughput
  • 4 vCPUs
  • 8 GB RAM
  • 500,000 concurrent firewall connections
  • Supports AWS on a c3.xlarge instance
  • Does not support Azure for Beta testing

Note: You must install a smart license on the ASAv. Until you install a license, throughput is limited to 100 Kbps so you can perform preliminary connectivity tests. A smart license is required for regular operation.

ASAv Interfaces and Virtual NICs

As a guest on a virtualized platform, the ASAv utilizes the network interfaces of the underlying physical platform. Each ASAv interface maps to a virtual NIC (vNIC).

ASAv Interfaces

The ASAv includes the following Gigabit Ethernet interfaces:

  • Management 0/0

For Azure, Management 0/0 can be a traffic-carrying “outside” interface.

  • GigabitEthernet 0/0 through 0/8. Note that the GigabitEthernet 0/8 is used for the failover link when you deploy the ASAv as part of a failover pair.
  • Hyper-V supports up to eight interfaces. Management 0/0 and GigabitEthernet 0/0 through 0/6. You can use GigabitEthernet as a failover link.

Supported vNICs

The ASAv supports the following vNICs:

 

vNIC Type

Hypervisor Support

ASAv Version

Notes

VMware

KVM
e1000
Yes
Yes
9.2(1) and later
VMware default.
Virtio
No
Yes
9.3(2.200) and later
KVM default.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

Related Support Community Discussions