Implementing Security Context

I have an ASA 5510 and am planning to implement multiple contexts in a 2-tier security level and VRF-lite, meaning I have 2xASA facing the internet, below that a 2x3560 switch for our extranet, and below that another 2xASA for the intranet. See the diagram below. In this kind of network, I want to know how using multiple contexts would impact the total throughput and resources of the ASA.

           INTERNET
        |            |
        |            |
      2811A        2811B
        |            |
        |            |     (OUTSIDE)
      ASA_A--------ASA_B
        |            |     (INSIDE)
        |            |
      3560A--------3560B
        |            |
        |            |     (INSIDE)
      ASA_C--------ASA_D
        |            |
        |            |     (OUTSIDE)
      3560C--------3560B
        |            |
     INTERNAL NETWORK


Hello John,

Pretty nice network design!

Well, my first recommendation is to be aware of the features you will lose when going to multiple context mode. Then, the appliance throughput will be split among the multiple contexts. The same goes for the ASA resources, but you can configure this manually on each context.

As an example:

http://www.howfunky.com/2010/05/cisco-asa-resource-allocation-for.html

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi jcarvaja,

Thanks. This is the first time I will implement this kind of design. You're correct that it will split all the resources and the throughput. I want to know the best practice for configuring the resources.

Hello John,

Well, that will depend on how much traffic will go across one specific context (if A has more, then allocate more resources to that one). You will be the one knowing your network and determining what the best resource class configuration is.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
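
The per-context resource allocation discussed in the replies above, sketched as an added example that is not part of the original posts: two resource classes sized for a busier and a quieter context, entered in the system execution space. The class names, context names and limit values are hypothetical, and the contexts are assumed to be defined already.

```cisco
! Constructed example: class names, context names and limits are hypothetical.
! Enter from the system execution space (changeto system), in config mode.

! Class for the context expected to carry most of the traffic.
class busy
  limit-resource conns 60%
  limit-resource rate conns 2000
  limit-resource xlates 30000
  limit-resource ssh 5

! Class for a lightly loaded context.
class quiet
  limit-resource conns 20%
  limit-resource rate conns 500
  limit-resource xlates 8000
  limit-resource ssh 2

! Assign each already-defined context to a class.
! A context with no "member" line stays in the default class.
context CTX-A
  member busy
context CTX-B
  member quiet

! Exec-mode checks: what was allocated, and what a context actually uses.
show resource allocation
show resource usage context CTX-A
```

Limits not set in a class are inherited from the default class, so comparing `show resource usage` output against the configured limits over time is how the values get tuned to real traffic.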