LAN-to-LAN with ASA55xx or routers

Discussion in 'Cisco' started by sisko, May 14, 2006.

  1. sisko

    sisko Guest

    we're renting 100Mbit/s LAN-to-LAN connections from one sentral site to
    about 10 remote offices.

    When upgrading the network equipment we can't decide if we should use:

    1) routers (e.g. 2811) at the branch offices, and a larger router or an
    ASA5520 at the sentral site.
    or
    2) ASA5510 at the branch offices and a larger (e.g. ASA5520) at the
    sentral site.

    Will the 2811 have enough throughput to compete with the ASA?

    Is 2) a wise choice or is it not neccessary to use ASAs in both end?

    We don't need any advanced routing at our sites, and I understand that
    the ASAs wil do basic routing. Is that correct?

    Thanks a lot for any answers!
     
    sisko, May 14, 2006
    #1
    1. Advertisements

  2. Will the links be point-to-point, and you only need basic routing,
    or will you be creating Virtual Private Networks between the sites?

    Your link will be nominally 100 megabit per second, but what actual
    throughput do you need?

    The ASA5510 and ASA 5510 Security Plus are not able to support VPNs
    at 100 megabits per second *full duplex* (a total of 200 megabits/s):
    they are only rated to 170 megabits/s encryption. If you need to
    be able to sustain more than ~85 megabits/s simultaneously in each
    direction, then you will need at least a 5520, which is rated to
    225 megabits/s of encryption.

    There is no model of ASA which is rated to be able to handle
    VPNs at 10 x 100 = 1 gigabit/s (half duplex to all 10 sites), and
    certainly not 2 gigabit/s (full duplex to all 10 sites).
    The largest ASA, the 5550, supports 425 megabits/s of encryption
    (an average of only about 21 megabits per second full duplex to
    each of the 10 sites).

    If you need to be able to support 2 gigabits/s total encryption,
    then your central site will need a Cisco 6500/7600 with a
    VPNSM (VPN Service Module). The VPNSM is rated at 1.6 to 1.9 Gbps
    (depending on packet sizes and traffic mix); you would be looking at
    a WS-C6503-E-VPN-K9 or WS-C6506-E-VPN-K9, starting from about $US45500.

    If you are not using VPNs, then you should reconsider whether the
    ASA is an appropriate series for you.

    The ASAs will do basic routing, where "basic routing" is static
    routing or being able to *listen* to RIP or OSPF (but not actively
    participate in either.). If you have 10 remote offices all counting on a single
    central device, you should be considering solutions that incorporate
    redundancy, so that the failure of a single device does not take
    down your entire operation.


    The only 2800 series model that is able to handle even 100 megabits/s
    half duplex is the 2851, rated at 112.64 megabits/s. If you were
    trying to operate at full duplex, you would only be getting about
    55% of your link speed.

    The smallest Cisco router able to handle 100 megabits/s full duplex
    is the 3845, rated at 256 megabits/s; after that, you need to get into
    the 7200.

    On the HQ end, to handle the 2 gigabit/s aggregate throughput of
    the 10 offices, you would need at least a 6500/7600, 10000, or 12000.

    http://www.cisco.com/warp/public/765/tools/quickreference/routerperformance.pdf


    The maximum number of 100+ megabit/s ports supported by any of the ASA
    series is 5 for the ASA5540, 8 for the ASA 5550 [which is too new
    to appear in some of the comparison charts.)

    Depending on exactly what you want to do between nodes, you should
    consider a Cisco PIX 535 Unrestricted at the central office: it supports
    more interfaces than you need, and a maximum of 495 megabits/s of
    encryption (which is faster than any of the ASA models.) The PIX has
    the same routing abilities as the ASA.


    How far away are those remote offices? My suspicion is that they
    are more than 100 metres. If so, then you are going to need to
    go fibre, probably LX, and you are going to need to terminate that
    fibre on something. It is possible to get 100Base-FX to 100Base-TX
    media convertors, but those aren't always the best of ideas; you
    would usually be better off with direct fibre or GBIC or SFP connections.
    The only ASA model that supports fibre is the new ASA 5500, at
    about $US17000 (hmmm, less than the PIX-535-UR-BUN, especially after
    you add the cost of the extra interfaces for the 535.)

    http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd802930c5.html
     
    Walter Roberson, May 15, 2006
    #2
    1. Advertisements

  3. sisko

    sisko Guest

    The actual throughput is far from 100 mbit/s. Actually it will be quite
    low but I want to be sure that I have enough speed at file transfers
    etc. Will these devices give me 100mbit/s file transfer?

    The links are through the MPLS-network of our ISP.
    I actually plan to have 2 ASAs for redundancy. Is that possible if I
    want to use the ASA in virtual mode (2 firewalls in each box)?
    My ISP gives me one gigabit interface for all my VPNs so I dont need any
    more interfaces than the ASA has

    Thanks a lot for your answer!
     
    sisko, May 22, 2006
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.