Maximizing Throughput (ASA 5550)
The ASA 5550 has two internal buses providing copper Gigabit Ethernet and fiber Gigabit Ethernet connectivity. For Slot 1 (Bus 1), you can use either the copper ports or the fiber ports. The copper ports are enabled by default.
For maximum throughput, configure the ASA so that traffic is distributed equally between the two buses. Lay out the network so that traffic enters through one bus and exits through the other.
For example, the following figure shows the ASA configured so that traffic from the unsecure network and the secure network is evenly distributed between Bus 0 and Bus 1. Traffic from hosts on the secured network flows through interface 0/0 on Bus 0 to hosts on the unsecured network. Traffic from hosts on the unsecured network flows through interface 1/0 on Bus 1 to hosts on the secured network.
http://www.cisco.com/en/US/docs/security/asa/quick_start/5500/5500_quick_start.html#wp35995
On the ASA, you can issue the show traffic command; the per-slot throughput profile appears near the end of the output. Ideally, you want the two slots to be balanced. In this case, both of the oversubscribed interfaces were on Slot 0.
----------------------------------------
Per Slot Throughput Profile (1 minute)
----------------------------------------
Packets-per-second profile:
Slot 0: 12654 89%|********************************************
Slot 1: 1603 11%|*****
Bytes-per-second profile:
Slot 0: 1649003 76%|**************************************
Slot 1: 511183 24%|************
At the interface level, you would see the Underruns counter increment along with the Overruns counter (see below). To alleviate or resolve this issue, move one of the ports to Gi1/X and monitor it over a few days.
Per Cisco:
Interface overruns, no buffer and underruns often show that the firewall cannot process all the traffic it is receiving on its NIC. Overruns and no buffers indicate that input traffic is too much on a given interface. The interface maintains a receive ring where packets are stored before they are processed by the ASA. If the NIC is receiving traffic faster than the ASA can pull them off the receive ring, the packet will be dropped and either the no buffer or overrun counter will increment. Underruns behave similarly but deal with the transmit ring instead.
ASA5550/act# show interface gigabitEthernet 0/0
Interface GigabitEthernet0/0 "HH", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: 6509
MAC address 6400.f182.6770, MTU 1500
IP address 192.168.168.2, subnet mask 255.255.255.248
56937880 packets input, 12657181986 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
831 input errors, 0 CRC, 0 frame, 831 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
33686564 packets output, 5457717040 bytes, 577125 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/0)
Traffic Statistics for "HH":
56937881 packets input, 11616408550 bytes
34263689 packets output, 5097504222 bytes
12365 packets dropped
ASA5550/act# show interface gigabitEthernet 0/1
Interface GigabitEthernet0/1 "HM", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: 6509
MAC address 6400.f182.6771, MTU 1500
IP address 192.168.1.1 subnet mask 255.255.255.0
24794625 packets input, 4336231091 bytes, 0 no buffer
Received 4648 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
40981082 packets output, 3012528711 bytes, 1614642 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/0)
Traffic Statistics for "HM":
23737668 packets input, 3724976676 bytes
42595724 packets output, 2342955016 bytes
6597 packets dropped
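The check described above can be automated. The following Python is an added example, not part of the original post or Cisco's documentation: it parses the per-slot profile from show traffic and the ring counters from show interface, then lists any slot carrying more than a chosen share of traffic and any interface with non-zero no buffer, overrun or underruns counters. The function names and the 60% threshold are assumptions; the slot is taken from the number before the slash in the interface name (Gi0/X on Slot 0, Gi1/X on Slot 1).

```python
import re

# Excerpts of the output shown on this page, embedded so the script runs offline.
SHOW_TRAFFIC = """\
Packets-per-second profile:
Slot 0: 12654 89%|********************************************
Slot 1: 1603 11%|*****
Bytes-per-second profile:
Slot 0: 1649003 76%|**************************************
Slot 1: 511183 24%|************
"""
SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "HH", is up, line protocol is up
56937880 packets input, 12657181986 bytes, 0 no buffer
831 input errors, 0 CRC, 0 frame, 831 overrun, 0 ignored, 0 abort
33686564 packets output, 5457717040 bytes, 577125 underruns
Interface GigabitEthernet0/1 "HM", is up, line protocol is up
24794625 packets input, 4336231091 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
40981082 packets output, 3012528711 bytes, 1614642 underruns
"""

def slot_shares(text):
    """Return {profile: {slot: percent}} from the per-slot throughput profile."""
    shares = {}
    for name, body in re.findall(r"(\S+)-per-second profile:\n((?:\s*Slot .*\n)+)", text):
        shares[name] = {int(s): int(p) for s, p in re.findall(r"Slot (\d+):\s+\d+\s+(\d+)%", body)}
    return shares

def ring_drops(text):
    """Return {interface: {counter: value}} for the receive/transmit ring counters."""
    drops = {}
    for name, body in re.findall(r"^Interface (\S+)(.*?)(?=^Interface |\Z)", text, re.S | re.M):
        drops[name] = {c: int(v) for v, c in re.findall(r"(\d+) (no buffer|overrun|underruns)\b", body)}
    return drops

def findings(traffic, interfaces, max_share=60):
    """List overloaded slots (share > max_share, an assumed threshold) and ring drops."""
    out = [f"{p} profile: slot {s} carries {pct}%"
           for p, d in slot_shares(traffic).items() for s, pct in d.items() if pct > max_share]
    for intf, counters in ring_drops(interfaces).items():
        m = re.search(r"(\d+)/\d+$", intf)           # GigabitEthernet0/1 -> slot 0
        slot = m.group(1) if m else "?"
        out += [f"{intf} (slot {slot}): {c} = {v}" for c, v in counters.items() if v]
    return out

if __name__ == "__main__":
    print("\n".join(findings(SHOW_TRAFFIC, SHOW_INTERFACE)))
```

The counters are cumulative since the last clear, so compare two runs taken some time apart to see whether they are still incrementing after a port has been moved.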