Technical Specification for the Cisco ASA 5585-X Adaptive Security Appliance

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. 
Page 4 of 6 
Figure 4. Traffic Load Balancing in an ASA 5585-X MAC
 
The internal switch fabric uses a hash of the source and destination IP addresses and the transport ports to select both the specific 10 Gigabit Ethernet CPU-complex uplink and the RX ring on that uplink. When the transport ports are not available (for example, for non-initial fragments or protocols without ports), only the source and destination IP addresses are used to compute the hash. All non-IP traffic is placed on the first RX ring of the first 10 Gigabit Ethernet MAC interface. Certain network control traffic is automatically prioritized into a separate, dedicated RX ring so that it never contends with data connections. Because the hash is computed from the flow keys, all packets in a single direction of a connection always land on the same 10 Gigabit Ethernet CPU-complex uplink and the same RX ring. This load-balancing approach lets the ASA direct processing resources fairly across all transit flows and head-drop frames at the RX ring level when necessary. In the worst case, the oversubscription caused by a single offending flow is confined to a single RX ring, which allows the ASA to keep handling the majority of transit connections even when it is subjected to a packet-flood attack.
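The following Python simulation is an added illustration, not Cisco code: it models the two hash-based distribution stages described on this page (the NIC stage that picks a CPU-complex uplink and RX ring, and the CPU stage under "CPU Complex" that reuses the same hash to spread flows across 32,000 work-dispatch queues). The real hardware hash function, the number of uplinks and the number of RX rings per uplink are not given on the page, so SHA-256 and the small counts below are assumptions chosen only to make the behaviour visible. The sample packets are constructed.

```python
"""Hash-based flow distribution in the style of the ASA 5585-X description.

Added example, not Cisco code. Assumptions (not from the page): SHA-256 stands
in for the undocumented switch-fabric hash, 2 uplinks x 4 RX rings.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

NUM_UPLINKS = 2              # assumption
RINGS_PER_UPLINK = 4         # assumption
NUM_DISPATCH_QUEUES = 32_000  # stated on the page
CONTROL_RING = "control"     # dedicated ring for network control traffic


@dataclass(frozen=True)
class Packet:
    src_ip: Optional[str]          # None for non-IP traffic (e.g. ARP)
    dst_ip: Optional[str]
    proto: Optional[str] = None
    sport: Optional[int] = None    # None when transport ports are unavailable
    dport: Optional[int] = None
    control: bool = False          # network control traffic flag


def flow_hash(pkt: Packet) -> Optional[int]:
    """Hash of src/dst IP plus ports when present; IP-only fallback otherwise.
    Returns None for non-IP traffic. The key is direction-specific, so the two
    directions of one connection may hash to different rings."""
    if pkt.src_ip is None or pkt.dst_ip is None:
        return None
    if pkt.sport is not None and pkt.dport is not None:
        key = f"{pkt.src_ip}|{pkt.dst_ip}|{pkt.sport}|{pkt.dport}"
    else:
        key = f"{pkt.src_ip}|{pkt.dst_ip}"
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


def select_rx_ring(pkt: Packet):
    """NIC stage: (uplink, ring) selected by the switch fabric."""
    if pkt.control:
        return (0, CONTROL_RING)       # never contends with data rings
    h = flow_hash(pkt)
    if h is None:
        return (0, 0)                  # non-IP: first ring of first MAC
    slot = h % (NUM_UPLINKS * RINGS_PER_UPLINK)
    return (slot // RINGS_PER_UPLINK, slot % RINGS_PER_UPLINK)


def select_dispatch_queue(pkt: Packet) -> int:
    """CPU stage: the same flow hash spread over 32,000 work-dispatch queues."""
    h = flow_hash(pkt)
    return 0 if h is None else h % NUM_DISPATCH_QUEUES


def rings_hit(packets):
    """Set of (uplink, ring) pairs touched by a batch of packets."""
    return {select_rx_ring(p) for p in packets}


def dispatch(packets):
    """Map queue -> list of packet sequence numbers, in arrival order.
    Because one flow always selects one queue, its packets stay ordered."""
    queues = defaultdict(list)
    for seq, p in enumerate(packets):
        queues[select_dispatch_queue(p)].append(seq)
    return queues


def single_flow_flood(n: int):
    """Constructed: n packets of one 5-tuple hammering the appliance."""
    return [Packet("203.0.113.7", "198.51.100.10", "udp", 40000, 53)] * n


def randomized_flood(n: int):
    """Constructed: n packets that each differ in source IP/port."""
    return [Packet(f"203.0.113.{i % 250 + 1}", "198.51.100.10", "udp",
                   1024 + i, 53) for i in range(n)]


if __name__ == "__main__":
    print("single flow rings:", rings_hit(single_flow_flood(1000)))
    print("randomized rings:", len(rings_hit(randomized_flood(2000))))
```

Running the block shows the property the page relies on: a flood that consists of one high-rate flow lands on exactly one RX ring (and one dispatch queue), so every other ring keeps serving its flows. The randomized flood is the caveat a practitioner should keep in mind: because the hash covers the 5-tuple, traffic that varies source addresses or ports spreads across all rings and queues, so this containment helps against a single abusive connection, not against a volumetric flood with randomized headers.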
CPU Complex 
The Cisco ASA 5585-X general-purpose CPU complex uses multiple threads to process transit traffic flows in parallel. All but one core run data path processes, which continuously scan memory for new packets, carry out the entire set of SoftNP security checks, and release the permitted packets back into the network. One of the cores always runs a dedicated control plane process that handles management and network control traffic as well as the more complex application inspection functions. All CPU-complex cores take turns running the control plane process in order to achieve the best resource use. Since the control plane process typically inspects only a very small portion of the transit flows, the data path processes are the primary consumers of CPU-complex resources.
Each data path process works on packets received from one interface RX ring at a time. Since the ASA 5585-X platform aligns the number of RX rings across all 10 Gigabit Ethernet CPU-complex uplinks to the available cores, the CPU complex never ends up in a situation where some data path processes are starved for new work. Different cores periodically take turns attaching to different RX rings, which increases the overall capacity-use efficiency. To preserve packet order and help ensure accurate state checking, each stateful flow can be processed by only one CPU core at any given time. To make the resource distribution across connections even fairer, the data path processes load-balance the incoming packets across 32,000 CPU work-dispatch queues, using the same source and destination IP address and transport port hash as when load-balancing traffic across the MAC uplinks in the NIC subsystem. All packets for a single flow always select the same work-dispatch queue, and this mechanism is used to further contain the damage from packet-flood attacks. If a particular stateful flow generates packets at an unreasonably high rate, the ASA limits the impact to the associated work-dispatch queue. Once the