So here is the proposed build, this is for my home network but I like to tinker a lot and I'm working towards my CCNP Security so some practical experience with ZBFW and ACLs can't hurt.

Originally I was using the 881w as my mine device for my house providing wireless to my wireless clients and also to my desktop wired into it directly. I was using the CBAC on it which was doing ok but the wireless was having issues due to multiple neighbors having wifi as well and the 2.4 band was very congested.

To remedy the issue I picked up a new Asus RT-AC68R which has been a tremendous consumer grade router/wifi with 5ghz but the 881w was a lot of money so I'd like to find a use for it, hence the ZBF on it.

My first question would be how do I go about setting up the 881 with the wireless disabled. My cable modem is in bridged mode so it will assign a dynamic IP to fa4 on the 881 but then how would I configure the Asus. Just disable the dhcp and spi firewall on it and bridge it as well? Or do I configure dhcp server on the 881 and plug the internet port on the Asus to the 881 and have it pull an ip from the 881? I feel like that might be sloppy since I would be in essence running 2 routers, the 881 would be routing/natting between the internet and the asus and the asus would be routing/natting between the 'internet' as it saw it but would really be the private ip assigned by the 881 and the wireless network it was serving.

Any tips?

What you could do is put the Asus in AP mode where it will only act as an AP.  I have an older Asus wi-fi router that allows for that configuration.

You could then create a wireless network, a wired network, etc. and use the ZBF to control traffic between the 2 internal networks for your studies and then once you've completed your studies then put both networks in the inside zone of the ZBF for simplicity. (Your choice, I personally keep my wired and wireless separate in my home network)

You could then run DHCP on the 881w for both your wired and wireless networks. 

Thanks,

Jeff

That's what I was thinking but the issue is if the wifi and wired network are on seperate networks I'm gonna have to do routing so my ipad can talk to my tivo and my sonos play 5 can talk to the bridge. Are you routing betweeny your wireless and wired?

Yes, I do route between my wired and wireless networks.  The default gateway for both networks is my edge FW. 

I had a similar setup before I put Meraki in my house and it worked like this:

881 was my CE

2 networks

10.0.0.0/24 for wired

10.1.0.0/24 for wireless

DGW for both networks on 881

10.0.0.1 wired

10.1.0.1 wireless

Both networks were on the Inside zone of my ZBF and traffic was allowed between wired and wireless on the ZBF.

1 default route on the 881 to my ISP learned via DHCP from ISP.

My Asus was in AP mode and installed on the wireless network.

DHCP was running on both networks on the 881.  The AP was doing L2 only and all L3 was running on the 881.

That sounds easy enough. So you had 2 ports configured on the 881 one facing the wired network and one facing the AP. did you use vlans or just a straight layer 3 approach?

I used VLANs because I had a 12 port 2950 for L2 connectivity for the wired networks.  I created a VLAN on the L2 switch for the wired network and a DGW of the wired network on the 881.

I had a couple of sub-interfaces, one on Fa0/1 and one on Fa0/2.  One sub-interface in the wired network VLAN and one in the wireless network VLAN.