Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
862
Views
20
Helpful
5
Replies

Large Internet Circuit ASA Design Question

lovedam
Level 1
Level 1

‎08-12-2011 10:04 AM - edited ‎03-11-2019 02:11 PM

I will be installing a 10Gb Ethernet direct Internet access circuit, of which we will be using between 1-3 Gbps on average.  We will have a set of static public IPs routed to the WAN IP address.  The application we will be supporting is a HTTP based streaming application.  Almost all of the bandwidth will be outbound.

I am wondering if whether it would make more sense just to plug the circuit directly into a big ASA box or front end it with a router. 

When you look at the prices for a 7600 or ASR1000 to front end the 10Gb Ethernet it can get very expensive.  The ASA will be expensive enough

I know just based on the numbers I will need something like the ASA-5580 or ASA-5585-X.

Besides the one outside interface, I will have 4 internal interfaces.  the HTTP based streaming application will all come from one interface and the other three will need a strict amount of bandwidth carved out of the total Internet circuit.  Each will need around 50Mbps.

The other three are real-time streaming applications and I cannot have them crushed by the bursty nature of the HTTP streaming application.

Can i reliably ensure (by policing, shaping, etc.) that the 3 other interfaces can actually get their needed bandwidth protected on the ASA?  I've read the documentation and it looks to be there, but not as robust as the IOS features.  I will need to police based on Interface and also by source/destination IP.

Would it make more sense to trust an IOS router in front of the firewall to really police/shape the traffic?

Thanks,
Damon

Labels:
0 Helpful
5 Replies 5

Mohamed Sobair
Level 7
Level 7

‎08-12-2011 12:06 PM

Hi Damon,

The decision of termination a WAN Internet Link to an ASA or a router would solicitly based on your criteria and budget, However, if its a choice , I would always suggest terminating Internet Link to an Edge router.

The ASA is not primarily designed to be a router , its a Security FW appliance , and there are some reasons why an Edge router is recommended for certain Scenarios where you have different WAN medias can be installed and where you can have more bet on QoS for example and loadbalancing/redundancy for future requirement and design.

But, if you require a Single Internet Link from one provider with Ethernet Hands Off, its still possible to have it on the ASA like 5580 or 5585. just  make sure this Scenario is exactly what would be in the future (No real changes in the design in the near future) and it could be implemented.

Regards,

Mohamed

Collin Clark
VIP Alumni
VIP Alumni

‎08-12-2011 12:27 PM

I agree with Mohamed, terminate the link on a router.

lovedam
Level 1
Level 1
In response to Collin Clark

‎08-12-2011 12:36 PM

Well, that's what I thought   what router would guys recommend?  I don't need a lot of ports.  maybe the 7603 with RP720? or ASR10001?

Thanks for the advice.

Damon

0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to lovedam

‎08-12-2011 12:54 PM

I personally like the ASR's. The 1002 is scalable to 10Gbps if you want to buy a box that will cover your circuit speed. The ASR 1001 is scalable to 5Gbps and the ASR 1002-Fixed scales to 2.5Gbps. Check the link for more info.

http://www.cisco.com/en/US/products/ps9343/prod_models_comparison.html

Mohamed Sobair
Level 7
Level 7
In response to lovedam

‎08-12-2011 12:56 PM

You have one of the following options:

1- CIsco ASR 1000 Series 10-N-GBPS ESP

http://www.cisco.com/en/US/prod/collateral/routers/ps9343/data_sheet_c78-450070.html

2- Cisco 7600 Series (7603) router

http://www.cisco.com/en/US/products/hw/routers/ps368/ps370/index.html

Regards,

Mohamed

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card