LAN-to-LAN with ASA55xx or routers
Bookmark this page:
 Yahoo!
 Google
 Windows Live
 del.icio.us
 digg
 Netscape
|
|
||||||||||||||||
|
Posted by sisko on May 14, 2006, 6:14 pm
Please log in for more thread options about 10 remote offices. When upgrading the network equipment we can't decide if we should use: 1) routers (e.g. 2811) at the branch offices, and a larger router or an ASA5520 at the sentral site. or 2) ASA5510 at the branch offices and a larger (e.g. ASA5520) at the sentral site. Will the 2811 have enough throughput to compete with the ASA? Is 2) a wise choice or is it not neccessary to use ASAs in both end? We don't need any advanced routing at our sites, and I understand that the ASAs wil do basic routing. Is that correct? Thanks a lot for any answers! | ||||||||||||||||
|
Posted by Walter Roberson on May 14, 2006, 8:10 pm
Please log in for more thread options >When upgrading the network equipment we can't decide if we should use:
>1) routers (e.g. 2811) at the branch offices, and a larger router or an
>ASA5520 at the sentral site. >or >2) ASA5510 at the branch offices and a larger (e.g. ASA5520) at the >sentral site. >Will the 2811 have enough throughput to compete with the ASA?
Will the links be point-to-point, and you only need basic routing, or will you be creating Virtual Private Networks between the sites? Your link will be nominally 100 megabit per second, but what actual throughput do you need? The ASA5510 and ASA 5510 Security Plus are not able to support VPNs at 100 megabits per second *full duplex* (a total of 200 megabits/s): they are only rated to 170 megabits/s encryption. If you need to be able to sustain more than ~85 megabits/s simultaneously in each direction, then you will need at least a 5520, which is rated to 225 megabits/s of encryption. There is no model of ASA which is rated to be able to handle VPNs at 10 x 100 = 1 gigabit/s (half duplex to all 10 sites), and certainly not 2 gigabit/s (full duplex to all 10 sites). The largest ASA, the 5550, supports 425 megabits/s of encryption (an average of only about 21 megabits per second full duplex to each of the 10 sites). If you need to be able to support 2 gigabits/s total encryption, then your central site will need a Cisco 6500/7600 with a VPNSM (VPN Service Module). The VPNSM is rated at 1.6 to 1.9 Gbps (depending on packet sizes and traffic mix); you would be looking at a WS-C6503-E-VPN-K9 or WS-C6506-E-VPN-K9, starting from about $US45500. If you are not using VPNs, then you should reconsider whether the ASA is an appropriate series for you. >Is 2) a wise choice or is it not neccessary to use ASAs in both end?
>We don't need any advanced routing at our sites, and I understand that
>the ASAs wil do basic routing. Is that correct? The ASAs will do basic routing, where "basic routing" is static routing or being able to *listen* to RIP or OSPF (but not actively participate in either.). If you have 10 remote offices all counting on a single central device, you should be considering solutions that incorporate redundancy, so that the failure of a single device does not take down your entire operation. The only 2800 series model that is able to handle even 100 megabits/s half duplex is the 2851, rated at 112.64 megabits/s. If you were trying to operate at full duplex, you would only be getting about 55% of your link speed. The smallest Cisco router able to handle 100 megabits/s full duplex is the 3845, rated at 256 megabits/s; after that, you need to get into the 7200. On the HQ end, to handle the 2 gigabit/s aggregate throughput of the 10 offices, you would need at least a 6500/7600, 10000, or 12000. http://www.cisco.com/warp/public/765/tools/quickreference/routerperformance.pdf The maximum number of 100+ megabit/s ports supported by any of the ASA series is 5 for the ASA5540, 8 for the ASA 5550 [which is too new to appear in some of the comparison charts.) Depending on exactly what you want to do between nodes, you should consider a Cisco PIX 535 Unrestricted at the central office: it supports more interfaces than you need, and a maximum of 495 megabits/s of encryption (which is faster than any of the ASA models.) The PIX has the same routing abilities as the ASA. How far away are those remote offices? My suspicion is that they are more than 100 metres. If so, then you are going to need to go fibre, probably LX, and you are going to need to terminate that fibre on something. It is possible to get 100Base-FX to 100Base-TX media convertors, but those aren't always the best of ideas; you would usually be better off with direct fibre or GBIC or SFP connections. The only ASA model that supports fibre is the new ASA 5500, at about $US17000 (hmmm, less than the PIX-535-UR-BUN, especially after you add the cost of the extra interfaces for the 535.) http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd802930c5.html | ||||||||||||||||
|
Posted by sisko on May 22, 2006, 3:49 pm
Please log in for more thread options Walter Roberson wrote:
>
>>we're renting 100Mbit/s LAN-to-LAN connections from one sentral site to
>>about 10 remote offices. >
> >>When upgrading the network equipment we can't decide if we should use:
>
> >>1) routers (e.g. 2811) at the branch offices, and a larger router or an
>>ASA5520 at the sentral site. >>or >>2) ASA5510 at the branch offices and a larger (e.g. ASA5520) at the >>sentral site. >
> >>Will the 2811 have enough throughput to compete with the ASA?
>
The actual throughput is far from 100 mbit/s. Actually it will be quite
> > Will the links be point-to-point, and you only need basic routing, > or will you be creating Virtual Private Networks between the sites? > > Your link will be nominally 100 megabit per second, but what actual > throughput do you need? > low but I want to be sure that I have enough speed at file transfers etc. Will these devices give me 100mbit/s file transfer? The links are through the MPLS-network of our ISP. >
> If you are not using VPNs, then you should reconsider whether the > ASA is an appropriate series for you. > > > >>Is 2) a wise choice or is it not neccessary to use ASAs in both end?
>
> >>We don't need any advanced routing at our sites, and I understand that
>>the ASAs wil do basic routing. Is that correct? >
I actually plan to have 2 ASAs for redundancy. Is that possible if I
> > The ASAs will do basic routing, where "basic routing" is static > routing or being able to *listen* to RIP or OSPF (but not actively > participate in either.). If you have 10 remote offices all counting on a single > central device, you should be considering solutions that incorporate > redundancy, so that the failure of a single device does not take > down your entire operation. > > want to use the ASA in virtual mode (2 firewalls in each box)? >
http://www.cisco.com/warp/public/765/tools/quickreference/routerperformance.pdf
> >
My ISP gives me one gigabit interface for all my VPNs so I dont need any
> > Depending on exactly what you want to do between nodes, you should > consider a Cisco PIX 535 Unrestricted at the central office: it supports > more interfaces than you need, and a maximum of 495 megabits/s of > encryption (which is faster than any of the ASA models.) The PIX has > the same routing abilities as the ASA. > more interfaces than the ASA has Thanks a lot for your answer! | ||||||||||||||||
| Similar Threads | Posted |
| LAN-to-LAN with ASA55xx or routers | May 14, 2006, 6:14 pm |
| Managing ASA55xx with additional software | August 8, 2006, 11:28 am |
| 2 routers one lan | June 29, 2005, 4:44 pm |
| NAT-T and routers. | October 3, 2006, 12:09 pm |
| No NAT between two routers | June 28, 2007, 1:21 pm |
| VTP across routers | March 6, 2008, 11:11 pm |
| Using RIP v2 between two routers | December 20, 2008, 10:17 pm |
| Help with used Cisco Routers | September 17, 2005, 3:30 pm |
| 2610XM routers and VPN | September 26, 2005, 5:44 pm |
| 802.11i for Cisco 870 routers | December 26, 2005, 4:41 pm |
| ACL layer 2 on routers. | January 24, 2006, 6:14 am |
| VPN termination on routers. | January 31, 2006, 4:58 am |
| splitting ATM PVC between different routers | April 19, 2006, 6:51 pm |
| routers and certificates | May 30, 2006, 8:20 am |
| LAN<-->WAN<-->LAN ; L3 switches or Routers?? | July 12, 2006, 3:37 am |
>about 10 remote offices.