Jkratky at 21:34, 18 November 2011

2011-11-18T21:34:54Z

← Older revision		Revision as of 21:34, 18 November 2011
Line 259:		Line 259:

	'''Avalanche Load Specifications''' [[Image:TCP Throughput Setup 7.jpg]]		'''Avalanche Load Specifications''' [[Image:TCP Throughput Setup 7.jpg]]
-	[[Category: Configuration Examples]]	+	[[Category: Security and VPN Configuration Examples]]

Jkratky: 1 revision

2010-07-27T19:33:32Z

1 revision

← Older revision

Revision as of 19:33, 27 July 2010

Jkratky: /* Procedures */

2010-07-27T19:29:28Z

Procedures

New page

{| border="2" rules="all" cellpadding="5" rules="all"
|-
{| border="2" rules="all" cellpadding="5" rules="all"
| class="Heading" colspan="2" | Test Details '''Test Details'''
|-
|Goal of Test
|
The purpose of this test is to get the maximum throughput the ASA can process using HTTP traffic. This traffic model is more close to the real world traffic.

In order to produce the TCP traffic the Spirent Avalanche 2900 was used ( 4, 2900's with 1 ten-gigabit interface each). When looking at the diagram the numbers 155, 156, 157, 158 are the individual 2900 chassis. To produce bi-directional traffic through the ASA one client port is placed on the outside pulling a 512K byte object from one server port on the inside, and one client port is placed on the inside pulling a 512K byte object form one server port on the outside. The Avalanche Tool is configured with 10672 clients and 16 servers. This comes down to 667 clients each pointing to one of the 16 servers. Each client walks an action list of 10 gets to the servers address. With HTTP 1.1 with persistence this results in 10 transactions per tcp connection. For each get the server responds with a 512K byte object. Below are screen shots of the test tool setup.

|-
|Data to Record
|
1. ''show cpu'' 
2. ''show conn count'' 
3. ''show io-bridge'' 
4. Capture results from the test tool

|-
|Estimated Time Needed
|60 minutes
|}
=== Topology ===

[[Image:TCP_Throughput_4ports.jpg]]

=== Procedures ===

DESCRIPTION

1. On the client side configure (Avalanche Clients): 

a. 1500 SimUsers for the load on each avalanche 2900

b. 16 subnets, with 667 hosts (10.100 to 12.254) pointing to one server on the reflector and assign one to each port.

c. 10 GETs on the action profile

2. On the server side, configure:

a. One server per port

b. 512k Object size

3. Bidirectional traffic is used (Clients from the inside to the outside and vice-versa) 
4. While traffic is at steady state take a screen shot of the live Client Stats.

=== Configurations ===

<pre>ares# sh run
: Saved
:
ASA Version 8.1(1)
!
hostname ares
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
interface Management0/1
shutdown
no nameif
no security-level
no ip address
management-only
!
interface GigabitEthernet3/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3/3
shutdown
no nameif
no security-level
no ip address
!
interface TenGigabitEthernet5/0
nameif outside_gi_1

security-level 0
ip address 10.22.0.1 255.255.0.0
!
interface TenGigabitEthernet5/1
nameif inside_gi_1
security-level 100
ip address 10.32.0.1 255.255.0.0
!
interface TenGigabitEthernet7/0

nameif inside_gi_2

security-level 100
ip addresss 10.20.0.1 255.255.0.0
!
interface TenGigabitEthernet7/1
nameif outside_gi_2
security-level 0
ip address 10.30.0.1 255.255.0.0
!
ftp mode passive
access-list in extended permit ip any any
access-list out extended permit ip any any
pager lines 24
logging enable
logging buffered warnings
mtu inside_gi 1500
mtu outside_gi 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside_gi
icmp permit any echo-reply inside_gi
icmp permit any echo outside_gi
icmp permit any echo-reply outside_gi
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
access-group out in interface inside_gi_1
access-group out in interface outside_gi_1
access-group out in interface inside_gi_2
access-group out in interface outside_gi_2

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
prompt hostname context
Cryptochecksum:03cbf5e0557d3c2abac442316f5900b1
: end

</pre>

=== Results ===

<pre>19,554.443 Mbps incoming to the clients and 299.43Mbps outgoing from the clients.
A total of 19853.873 of HTTP Throughput were achieved.

Remember that half the clients were connected on the inside of the ASA, and half the clients on the outside of the ASA, so througput was roughly 9.7 Gig in each direction. !TCP_Throughput_4ports_Results1.JPG|width=32,height=32!\\

ares# sh cpu
CPU utilization for 5 seconds = *79%*; 1 minute: 62%; 5 minutes: 21%
ares# sh conn count
*1044 in use*, 1049 most used
ares# sh conn count
*1044 in use*, 1049 most used
ares# sh io-bridge
I/O Bridge-0 slot usage
&nbsp; Slot 00: 0 pps, 0 bps
&nbsp; Slot 01: Ignored
&nbsp; Slot 02: Ignored
&nbsp; Slot 03: 0 pps, 0 bps
&nbsp; Slot 04: Ignored
&nbsp; *Slot 05: 2264848 pps, 19678943960 bps*
&nbsp; Slot 06: Ignored

I/O Bridge-1 slot usage
&nbsp; *Slot 07: 2252144 pps, 19602570400 bps*
&nbsp; Slot 08: Ignored

Load distribution - Packets-per-second (10 seconds)
&nbsp; I/0 Bridge 00:&nbsp; 50%\|************************\*
&nbsp; I/0 Bridge 01:&nbsp; 50%\|************************\*

Load distribution - Bits-per-second (10 seconds)
&nbsp; I/0 Bridge 00:&nbsp; 50%\|************************\*
&nbsp; I/0 Bridge 01:&nbsp; 50%\|************************\*

Legend:
&nbsp; bps - bits per second
&nbsp; pps - packets per second&nbsp;

</pre>

=== Screenshots ===

Test Tool Setup 
'''Spirent Avalanche Network configuration''' 
Client Network Tab [[Image:TCP Throughput Setup 1.jpg]]

Server Network Tab [[Image:TCP Throughput Setup 2.jpg]]

'''Spirent Avalanche Client Configuration'''

Client Associations [[Image:TCP Throughput Setup 3.jpg]]
Client Action List [[Image:TCP Throughput Setup 4.jpg]]

'''Spirent Avalanche Server Configuration'''

Server Association [[Image:TCP Throughput Setup 5.jpg]]

Server Transactions [[Image:TCP Throughput Setup 6.jpg]]

'''Avalanche Load Specifications''' [[Image:TCP Throughput Setup 7.jpg]]
[[Category: Configuration Examples]]

ASA5580-40 TCP Throughput Performance Single Context 4 Interfaces Configuration Example - Revision history

Jkratky at 21:34, 18 November 2011

Jkratky: 1 revision

Jkratky: /* Procedures */