
Cisco 5506-X WAN Speedtesting

I recently got the new Cisco 5506-X and thought I would benchmark the WAN speed on it to see what it can actually push. I got 3 x 100mb WAN links, connected them, assigned 3 outside interfaces and decided to run a 5GB speedtest file on each link terminating. I used PBR (Policy Based Routing) on the device and some access lists to forward traffic where I wanted it to go.
Here are some of the specs of the 5506-X using show version:

Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)

Upon testing and maxing the speed at 300mbit across 3 interfaces, the CPU on the device reached 67%. This is with only the firewall on, and no other features such as Firepower turned on. Looking at the Cisco documentation, they mention that at minimum it will do 750mbit for firewall performance. If 3 WAN links @ 300mbit already reach 67% CPU, then if I added another link, the CPU would nearly be maxed out at 400mbits. In my opinion, the 750mbits will not be reached, or will be very difficult to get to, as the CPU on the device will be quite high and packets might start getting dropped. Has anyone else done speedtesting on it? Let me know your thoughts!

Here is a screenshot of the WAN performance of the ASA 5506-X @ 300mbit.

[Screenshot: Cisco ASA5506-X @ 300mbit WAN speed]


7 Comments

  1. Mike Hoffmann
    Mike Hoffmann September 15, 2016

    Just found your posts after quite a bit of searching on NBN bonding and load balancing capabilities for multiple lines. Even more fortuitously, you’re also using a 5506-X.

    As of yet, we’re still in the deepest, black areas of fraudband no-man’s land, but rumour has it we’ll be getting fixed wireless Q1/2017. Not holding my breath for that date, but at least we’re on the roll-out plan.

    Some questions, if I may: from your post – and also your Fiber is Active post, I take it, you’re only doing PBR right now? No etherchannel bonding, or even IP-based load balancing?

    Also, with your above-mentioned hitting of CPU limits, are you running the most recent ASA firmware?

    Wish me luck – I also plan on getting multiple fixed wireless and hope it’s a case of Need For Speed luxury and not Must Get Because Tower Is In Another Valley And All We Get Is Reflections Off The Atmosphere.

  2. alcatron
    alcatron September 16, 2016

    Hi Mike, thanks for visiting my blog on the world wide web 🙂

    To answer some of your questions, yes I am only doing PBR right now. It’s not possible to do etherchannel bonding because I have no access or configurational rights to the NBN NTU box on the wall to etherchannel 4 ports across 4 different ISPs back to the ASA, so no, this isn’t possible.

    However, IP based load balancing is possible. In my scenario, because I’m using Internode and Telstra, I preconfigured the ASA with all the Internode addresses/IPs which are unmetered, so any traffic which is unmetered goes directly over Internode, and the rest of the traffic stays on Telstra. Another thing I did is put in my own IPs or subnets which I’d like to route via the ISPs. You could set up this scenario to use anything 0.0.0.0 – 128.0.254.254 to use Telstra and anything 129.0.0.0 – 254.0.254.254 for example to use Internode, so this way you have half the traffic split up between the ISPs.

    In theory you could set up 4 different ISPs so you’d get 4 x 100M/40M on the NTU box, have them going into the ASA and set up PBR. Then you can set up whatever custom subnet/IP based load balancing you’d like to achieve across them.

    In terms of the CPU hitting its limits, I believe the ASA 5506-X is only capable of about 400mbit WAN throughput without turning on all the features like VPN, tunneling, or web filtering etc, and this would go further down if you turn on more features. It’s just a hardware based limitation, which then forces you to upgrade to the next models up which have more CPU power.

    I hope you manage to get your wireless working well when it comes to your place, I assume you’re interested in purchasing a Cisco ASA or router for this purpose ?
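
The destination-based split described in the comment above, sketched as ASA configuration. This is an added example, not the author's running config: the ACL and route-map names, the inside interface and the next-hop addresses (documentation ranges) are assumptions, and it uses clean /1 halves of the IPv4 space rather than the exact ranges quoted.

```cisco
! Added example: names, interface and next-hop addresses are assumptions,
! not values from the post.
!
! Destination halves of the IPv4 space. ASA ACLs take a netmask, not a
! wildcard mask: "0.0.0.0 128.0.0.0" is 0.0.0.0/1 and
! "128.0.0.0 128.0.0.0" is 128.0.0.0/1.
access-list PBR-TELSTRA extended permit ip any 0.0.0.0 128.0.0.0
access-list PBR-INTERNODE extended permit ip any 128.0.0.0 128.0.0.0
!
! One route-map entry per ISP: match the destination ACL, then force the
! next hop to that ISP's gateway.
route-map WAN-SPLIT permit 10
 match ip address PBR-TELSTRA
 set ip next-hop 203.0.113.1
!
route-map WAN-SPLIT permit 20
 match ip address PBR-INTERNODE
 set ip next-hop 198.51.100.1
!
! PBR is applied on the interface where the traffic enters the firewall.
! Traffic that matches no route-map entry follows the normal routing table.
interface GigabitEthernet1/2
 nameif inside
 policy-route route-map WAN-SPLIT
```

PBR only selects the next hop. If the inside hosts use private addresses, each outside interface still needs its own NAT rule so that traffic leaving through it is translated to that ISP's address.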

  3. Mike Hoffmann
    Mike Hoffmann September 19, 2016

    Hi!

    Actually I already have the ASA. For now it’s simply the firewall and otherwise just routing and segregating my home LAN (DMZ for servers, separate subnets for PCs and another for Wifi – total overkill, I know 🙂

    Interesting that you’d have to get etherchannel enabled on the NTD box – would it be possible to transparently arrange this on the RSP/ISP side? Though you’d obviously need to use the same one for both accounts.

    I read on whirlpool that some people have managed to get IP-based round-robin LB working with pfsense and multiple NBN accounts, but haven’t looked into the IOS config on the ASA.

    Also, it looks like currently rolled out gear only allows a TOTAL bandwidth of 75mbps for a FW ODU, regardless of the 100mbps each capability of the IDU.

    Tables 2 and 3 on this link seem to indicate the limitations may be even tighter:

    http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

    Ah well, it’s a problem I would love to have right now!

  4. alcatron
    alcatron September 21, 2016

    Hi Mike,

    I don’t think you will be able to get the NTD as an etherchannel as it’s quite complex, and I doubt the NTD supports something that advanced. Also, because you have 4 different ISPs, you will get a public IP address from each ISP, and you won’t be able to assign 4 public IPs on an etherchannel on an ASA etc.

    I haven’t seen the ASA have the ability to support round robin or load balancing, purely PBR, so if you want to use round robin or load balancing you might have to consider other solutions.

    As per the tables, yes, the limitations are tighter if you turn on more features on the ASA, and that significantly reduces the throughput; however, I was able to comfortably reach 300mbit with just the firewall turned on.

    Hopefully this helps and see how you go 🙂

  5. Boudewijn
    Boudewijn October 16, 2016

    I have a 500/500Mbps connection connected by a 1Gb WAN uplink. I can get around 530Mbps of download and upload. I am thinking in buying a Cisco ASA 5506-X. I was very excited to read the title of your post, until I read your 300Mbps limit.

    Without using the FIREpower services; Do you think it can handle at least 500Mbps?

  6. alcatron
    alcatron October 16, 2016

    Hello Boudewijn, thanks for visiting my site.

    During my specific tests I had 300mbit throughput which generated 67% CPU load. If this was pushed to 500mbit, it would be reaching 90%+ CPU utilisation in my personal opinion. The device might perform fine during high CPU Utilisation 90%+ doing 500mb throughput, however probably not recommended for long periods.

    My recommendation for such speeds would be to try to go for the 5508-X or 5515-X.
    If you look at
    http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html
    it lists the 5506-X at 750mbps for stateful inspection, but in reality I believe this is closer to the 400-500 max mark before the CPU is used quite highly.
    The 5508-X is rated at 1GBps, and 5516-X at 1.8Gbps, which would probably suit better as they have a faster CPU.

    I hope this helps 🙂

  7. Boudewijn
    Boudewijn October 21, 2016

    I worked with a 5515-X and 5512-X and even the 5512-X does it with ease. I don’t mind buying a 5508-X, but the thing is, it has a built-in fan which makes too much noise. I don’t like that at all.
