Implementing Security Context

john.dejesus · ‎10-30-2012

I have a ASA 5510 and planning to implement multiple context in a 2 tier security level and vrf-lite. meaning I have 2xASA facing the internet and below that a 2x3560 switch for our extranet and below that is another 2xASA for intranet. See diagram below. In this kind of network I want to know how it would impact the total throughput and resources of the ASA using multiple context?

INTERNET

| |

2811A 2811B

| |

| | (OUTSIDE)

ASA_A-------ASA_B

| | (INSIDE)

| |

3560A---------3560B

| |

| | (INSIDE)

ASA_C--------ASA_D

| |

| | (OUTSIDE)

3560C----------3560B

| |

INTERNAL NETWORK

Julio Carvajal · ‎10-30-2012

Hello John,

Pretty nice network design!

Well my first recommendation is to be aware of the features you will loose when going to multiple context, then the applicance throughput will be split into the multiple contexts. same thing with the ASA resources but you can configure this manually on each context.

As an example:

http://www.howfunky.com/2010/05/cisco-asa-resource-allocation-for.html

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

john.dejesus · ‎10-30-2012

Hi jcarvaja,

thanks. this is the first time i will implement this kind of design. you're correct that it will split all the resources and the throughput. i want to know the best practice of configuring the resources.

Julio Carvajal · ‎10-30-2012

Hello John,

Well that will depend on how many traffic will go across one specific context ( If A has more, then allocate more resouces to that one) You will be the one knowing your network and determining what is the best resoruce class configuration

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC