The Cisco Adaptive Security Virtual Appliance (ASAv) brings full firewall functionality to virtualized environments to secure data center traffic and multi-tenant environments.
You can manage and monitor the ASAv using ASDM, REST API, or CLI. Other management options may be available.
For hypervisor support, see Cisco ASA Compatibility.
Supported in single context mode only. Does not support multiple context mode.
For failover deployments, make sure that the standby unit has the same model license; for example, both units should be ASAv30s.
Guidelines, Features, and Limitations for the ASAv5
Guidelines, Features, and Limitations for the ASAv50
The specific hardware used for ASAv deployment can vary, depending on size and usage requirements. Smart License Entitlements shows the compliant resources scenarios that match license entitlement for the different ASAv platforms. In addition, SR-IOV Virtual Functions require specific system resources.
SR-IOV support and VF drivers are available for:
The ASAv with SR-IOV interfaces is currently supported on the following hypervisors:
This section describes hardware guidelines for SR-IOV support. Although these are guidelines, not requirements, using hardware that does not meet these guidelines may result in functionality problems or poor performance.
A server that supports SR-IOV is required in addition to an SR-IOV capable PCIe adapter. You must be aware of the following hardware considerations:
You should consult your manufacturer's documentation for SR-IOV support on your system.
Note: We tested the ASAv with the Cisco UCS C-Series Rack Server. Note that the Cisco UCS-B server does not support the ixgbe-vf vNIC.
– Intel Sandy Bridge or later (Recommended)
Note: We tested the ASAv on Intel's Broadwell CPU (E5-2699-v4) at 2.3GHz.
– Minimum of 8 physical cores per CPU socket
– The 8 cores must be on a single socket.
Note: CPU pinning is recommended to achieve full throughput rates on the ASAv50; see Increasing Performance on ESXi Configurations and Increasing Performance on KVM Configurations.
SR-IOV requires support in the BIOS as well as in the operating system instance or hypervisor that is running on the hardware. Check your system BIOS for the following settings:
We recommend that you verify the process with the vendor documentation because different systems have different methods to access and change BIOS settings.
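The host-side guidelines above can be checked before deployment. The following is an added example, not Cisco code: it assumes a Linux/KVM host with the standard sysfs layout and `lscpu` output, and the function names are hypothetical. The 8-core default is the guideline from this page.

```shell
#!/bin/sh
# Added example (not Cisco code): SR-IOV preflight for a Linux/KVM host.
# Assumes the standard Linux sysfs layout and `lscpu` field names.

# Print "iface total_vfs enabled_vfs" for each SR-IOV capable NIC under sysfs root $1.
list_sriov_nics() {
    for dev in "$1"/class/net/*/device; do
        [ -r "$dev/sriov_totalvfs" ] || continue
        total=$(cat "$dev/sriov_totalvfs")
        enabled=$(cat "$dev/sriov_numvfs" 2>/dev/null || echo 0)
        if [ "$total" -gt 0 ]; then
            echo "$(basename "$(dirname "$dev")") $total $enabled"
        fi
    done
}

# Succeeds when the kernel has populated at least one IOMMU group (VT-d active).
iommu_active() {
    [ -n "$(ls -A "$1/kernel/iommu_groups" 2>/dev/null)" ]
}

# Extract "Core(s) per socket" from lscpu-style text on stdin.
cores_per_socket() {
    sed -n 's/^Core(s) per socket:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# sriov_preflight SYSFS_ROOT LSCPU_TEXT [MIN_CORES]; returns 0 only if all checks pass.
sriov_preflight() {
    rc=0; min_cores="${3:-8}"   # 8 cores on one socket is the page's guideline
    nics=$(list_sriov_nics "$1")
    if [ -n "$nics" ]; then echo "OK   SR-IOV adapters (iface total enabled): $nics"
    else echo "FAIL no SR-IOV capable adapter (sriov_totalvfs missing or 0)"; rc=1; fi
    if iommu_active "$1"; then echo "OK   IOMMU groups present"
    else echo "FAIL no IOMMU groups: enable VT-d in BIOS and the IOMMU in the kernel"; rc=1; fi
    cores=$(printf '%s\n' "$2" | cores_per_socket)
    if [ "${cores:-0}" -ge "$min_cores" ]; then echo "OK   $cores cores per socket"
    else echo "FAIL ${cores:-0} cores per socket, need $min_cores on one socket"; rc=1; fi
    return "$rc"
}

# Demo on a constructed sysfs tree; on a real host use: sriov_preflight /sys "$(LC_ALL=C lscpu)"
demo=$(mktemp -d)
mkdir -p "$demo/class/net/eth2/device" "$demo/kernel/iommu_groups/0"
echo 63 > "$demo/class/net/eth2/device/sriov_totalvfs"
echo 0 > "$demo/class/net/eth2/device/sriov_numvfs"
sriov_preflight "$demo" "Core(s) per socket:  22" || true
```

A passing result shows only what the operating system exposes; BIOS settings and adapter firmware still need to be confirmed against the vendor documentation.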
Cisco Smart Software Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, smart licenses are not tied to a specific serial number. You can easily deploy or retire ASAs without having to manage each unit’s license key. Smart Software Licensing also lets you see your license usage and needs at a glance.
Note: The ASAv product identifier (PID) is “ASAv”. When you deploy the ASAv, it’s important that you use a unique hostname to identify your ASAv. A hostname cannot be the same as the PID when using Smart Software Licensing.
For complete information about Smart Software Licensing for the ASAv, see the “Guidelines for Smart Software Licensing” and “Defaults for Smart Software Licensing” sections of the Cisco ASA Series General Operations Configuration Guide.
See the following tables for information about ASAv licensing entitlements, resources, and model specifications:
Note: The ASAv uses Cisco Smart Software Licensing. A smart license is required for regular operation. Until you install a license, throughput is limited to 100 Kbps so you can perform preliminary connectivity tests. For more information, see Smart Software Licensing for the ASAv.
Table 1 Smart License Entitlements
Table 3 ASAv Model Descriptions and Specifications
See the following specifications: Minimum of 8 physical cores per CPU socket required (cannot be provisioned across multiple CPU sockets)
As a guest on a virtualized platform, the ASAv utilizes the network interfaces of the underlying physical platform. Each ASAv interface maps to a virtual NIC (vNIC).
The ASAv includes the following Gigabit Ethernet interfaces:
For AWS and Azure, Management 0/0 can be a traffic-carrying “outside” interface.
The ASAv supports the following vNICs:
Single Root I/O Virtualization (SR-IOV) allows multiple VMs running a variety of guest operating systems to share a single PCIe network adapter within a host server. SR-IOV allows a VM to move data directly to and from the network adapter, bypassing the hypervisor for increased network throughput and lower server CPU burden. Recent x86 server processors include chipset enhancements, such as Intel VT-d technology, that facilitate direct memory transfers and other operations required by SR-IOV.
The SR-IOV specification defines two device types:
SR-IOV is defined and maintained by the Peripheral Component Interconnect Special Interest Group (PCI SIG), an industry organization that is chartered to develop and manage the PCI standard. For more information about SR-IOV, see the PCI-SIG SR-IOV Primer: An Introduction to SR-IOV Technology.
Provisioning SR-IOV interfaces on the ASAv requires some planning, which starts with the appropriate operating system level, hardware and CPU, adapter types, and adapter settings.