LAN-to-LAN with ASA55xx or routers

Will the links be point-to-point, and you only need basic routing, or will you be creating Virtual Private Networks between the sites?

Your link will be nominally 100 megabit per second, but what actual throughput do you need?

The ASA5510 and ASA 5510 Security Plus are not able to support VPNs at 100 megabits per second *full duplex* (a total of 200 megabits/s): they are only rated to 170 megabits/s encryption. If you need to be able to sustain more than ~85 megabits/s simultaneously in each direction, then you will need at least a 5520, which is rated to

There is no model of ASA which is rated to be able to handle VPNs at 10 x 100 = 1 gigabit/s (half duplex to all 10 sites), and certainly not 2 gigabit/s (full duplex to all 10 sites). The largest ASA, the 5550, supports 425 megabits/s of encryption (an average of only about 21 megabits per second full duplex to each of the 10 sites).

If you need to be able to support 2 gigabits/s total encryption, then your central site will need a Cisco 6500/7600 with a VPNSM (VPN Service Module). The VPNSM is rated at 1.6 to 1.9 Gbps (depending on packet sizes and traffic mix); you would be looking at a WS-C6503-E-VPN-K9 or WS-C6506-E-VPN-K9, starting from about $US45500.

If you are not using VPNs, then you should reconsider whether the ASA is an appropriate series for you.

The ASAs will do basic routing, where "basic routing" is static routing or being able to *listen* to RIP or OSPF (but not actively participate in either.). If you have 10 remote offices all counting on a single central device, you should be considering solutions that incorporate redundancy, so that the failure of a single device does not take down your entire operation.

The only 2800 series model that is able to handle even 100 megabits/s half duplex is the 2851, rated at 112.64 megabits/s. If you were trying to operate at full duplex, you would only be getting about

The smallest Cisco router able to handle 100 megabits/s full duplex is the 3845, rated at 256 megabits/s; after that, you need to get into the 7200.

On the HQ end, to handle the 2 gigabit/s aggregate throughput of the 10 offices, you would need at least a 6500/7600, 10000, or 12000.

The maximum number of 100+ megabit/s ports supported by any of the ASA series is 5 for the ASA5540, 8 for the ASA 5550 [which is too new to appear in some of the comparison charts.)

Depending on exactly what you want to do between nodes, you should consider a Cisco PIX 535 Unrestricted at the central office: it supports more interfaces than you need, and a maximum of 495 megabits/s of encryption (which is faster than any of the ASA models.) The PIX has the same routing abilities as the ASA.

How far away are those remote offices? My suspicion is that they are more than 100 metres. If so, then you are going to need to go fibre, probably LX, and you are going to need to terminate that fibre on something. It is possible to get 100Base-FX to 100Base-TX media convertors, but those aren't always the best of ideas; you would usually be better off with direct fibre or GBIC or SFP connections. The only ASA model that supports fibre is the new ASA 5500, at about $US17000 (hmmm, less than the PIX-535-UR-BUN, especially after you add the cost of the extra interfaces for the 535.)

The actual throughput is far from 100 mbit/s. Actually it will be quite low but I want to be sure that I have enough speed at file transfers etc. Will these devices give me 100mbit/s file transfer?

The links are through the MPLS-network of our ISP.

I actually plan to have 2 ASAs for redundancy. Is that possible if I want to use the ASA in virtual mode (2 firewalls in each box)?

My ISP gives me one gigabit interface for all my VPNs so I dont need any more interfaces than the ASA has

Thanks a lot for your answer!