Technical Specification for the Cisco ASA 5585-X Adaptive Security Appliance
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 4 of 6
Figure 4. Traffic Load Balancing in an ASA 5585-X MAC
The internal switch fabric uses a hash of the source and destination IP addresses and transport ports to select the specific 10 Gigabit Ethernet CPU-complex uplink as well as the RX ring. When the transport ports are not available, only the source and destination IP addresses are used to compute the hash. For all non-IP traffic, the first RX ring of the first 10 Gigabit Ethernet MAC interface is selected. Certain network control traffic is automatically prioritized into a separate dedicated RX ring in order to eliminate any contention with the data connections. By nature of the hash, all packets in a single direction of a connection always land on the same 10 Gigabit Ethernet CPU-complex uplink and the RX ring. This load-balancing approach allows the ASA to effectively and fairly direct processing resources to all of the transit flows and head-drop frames at the RX ring level if necessary. In the worst possible scenario, the oversubscription impact from a single offending flow is limited to a single RX ring. This allows the ASA to handle the majority of transit connections even when subjected to a packet-flood attack.
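The following model is an added illustration, not Cisco code: it reproduces the dispatch logic described above (direction-specific hash of IP pair plus ports, IP-only fallback when ports are absent, non-IP frames pinned to the first ring of the first MAC) and the reuse of the same hash for the 32,000 CPU work-dispatch queues described under CPU Complex, then shows how a single flooding flow is confined to one ring and one queue. The uplink count, ring count, the SHA-256 stand-in hash and the sample traffic are assumptions made for the model; the ASA's real hash function is not documented on this page.

```python
import hashlib
from collections import Counter

NUM_UPLINKS = 2              # assumption for the model: two 10 GE CPU-complex uplinks
NUM_RX_RINGS = 8             # assumption for the model: RX rings per uplink
NUM_DISPATCH_QUEUES = 32000  # from the page

def flow_key(pkt):
    """Direction-specific key: src/dst IP plus transport ports when present.
    Without ports (e.g. non-initial fragments) only the IP pair is hashed."""
    if "sport" in pkt and "dport" in pkt:
        return f"{pkt['src']}>{pkt['dst']}:{pkt['sport']}>{pkt['dport']}"
    return f"{pkt['src']}>{pkt['dst']}"

def flow_hash(key):
    # Stand-in hash for the model; the real ASA hash function is not on this page.
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")

def select_rx_ring(pkt):
    """Return (uplink, ring). Non-IP frames go to ring 0 of the first MAC."""
    if "src" not in pkt:
        return (0, 0)
    h = flow_hash(flow_key(pkt))
    return (h % NUM_UPLINKS, (h // NUM_UPLINKS) % NUM_RX_RINGS)

def select_dispatch_queue(pkt):
    """The same hash is reused to pick one of the 32,000 work-dispatch queues."""
    return flow_hash(flow_key(pkt)) % NUM_DISPATCH_QUEUES

def simulate_flood(benign_flows=200, pkts_per_flow=5, flood_pkts=5000):
    """Constructed traffic: many small flows plus one flooding flow.
    Reports how the flood's packets stay confined to one ring and one queue."""
    packets = [{"src": f"10.1.{i // 256}.{i % 256}", "dst": "192.0.2.10",
                "sport": 40000 + i, "dport": 443}
               for i in range(benign_flows) for _ in range(pkts_per_flow)]
    flood = {"src": "198.51.100.7", "dst": "192.0.2.10", "sport": 53, "dport": 53}
    packets += [flood] * flood_pkts
    ring_load = Counter(select_rx_ring(p) for p in packets)
    queue_load = Counter(select_dispatch_queue(p) for p in packets)
    fr, fq = select_rx_ring(flood), select_dispatch_queue(flood)
    return {
        "flood_ring": fr, "flood_queue": fq,
        "rings_in_use": len(ring_load), "queues_in_use": len(queue_load),
        "pkts_on_flood_ring": ring_load[fr], "pkts_on_flood_queue": queue_load[fq],
        "benign_pkts_unaffected": sum(n for q, n in queue_load.items() if q != fq),
    }

if __name__ == "__main__":
    print(simulate_flood())
```

Only benign flows whose hash collides with the flood's queue share its fate; every other flow keeps its own queue, which is the containment property the text describes.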
CPU Complex
The Cisco ASA 5585-X general-purpose CPU complex uses multiple threads to process transit traffic flows in parallel. All but one core run data path processes, which continuously scan the memory for new packets, carry out the entire set of the SoftNP security checks, and release the permitted packets back into the network. At any given time, one of the cores runs a dedicated control plane process that handles management and network control traffic as well as more complex application inspection functions. All CPU-complex cores take turns running the control plane process in order to achieve the best resource use. Since the control plane process typically inspects a very small portion of the transit flows, data path processes are the primary consumers of the CPU-complex resources.
Each data path process works on packets received from one interface RX ring at a time. Since the ASA 5585-X platform aligns the number of RX rings across all 10 Gigabit Ethernet CPU-complex uplinks to the available cores, the CPU complex never ends up in a situation where some data path processes are starved for new work. Different cores periodically take turns attaching to different RX rings, which increases the overall capacity-use efficiency. To preserve the packet order and help ensure accurate state checking, each stateful flow can be processed by only one CPU core at any given time. To make the resource distribution across connections even fairer, the data path processes load-balance the incoming packets across 32,000 CPU work-dispatch queues. The same source and destination IP address and transport port hash is used as when load-balancing traffic across the MAC uplinks in the NIC subsystem. All packets for a single flow always select the same work-dispatch queue, and this mechanism is used to further contain the damage from packet-flood attacks. If a particular stateful flow is generating packets at an unreasonably high rate, the ASA will limit the impact to the particular associated work-dispatch queue. Once the