1) Yes, those part numbers are fine. With a little extra investment, you could get the ASA5505-SEC-BUN-K9 bundle. This includes the 'Security Plus' license. It's slightly more expensive, because it includes 'unlimited' users instead of 50 users.
2) I have no experience with this product line, so would rather not comment further.
3) It's best you read the data sheet yourself to ensure it's fit for purpose, as you understand all your requirements. You can check your country is supported by the 'E' region here:
As mentioned previously, it requires a controller (i.e. it's the 'lightweight' version). If you want a controller-less option (i.e. 'autonomous' version), then the part code for the same region is AIR-SAP2602I-E-K9.
4) A controller will provide various benefits including centralised management. You do not have to purchase one provided you use autonomous APs instead of lightweight APs. Without it you must configure and manage each autonomous AP individually.
Importantly, a controller provides security benefits such as detection of rogue APs. It will also prevent your clients associating with one. It can also plot any rogue APs on a floor plan.
Have a read through the relevant data sheets for management information.
Thanks for your answer, I see now clearly what I need for ASA and WiFi.
To finalize, I just need now:
1) Confirmation for the use of 300-series.
2) Confirmation about the use of W2K8 server as DHCP for 15 VLANs (how can the server know which VLAN is asking for an IP?).
For the 300 series Small Business switches, it looks like they will do just fine. Quite a feature-rich switch, with .1Q support for trunking and VLAN tagging etc.
You can use a Windows server as a DHCP server per the ip helper-address command. Plenty in Cisco's documentation on this. Or for an ASA it's the DHCP relay command.
A free, open source network device configuration management tool, customizable to your needs!
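An added illustration of the relay behaviour behind that answer (constructed here, not from any poster in this thread): the switch or ASA forwards each tenant VLAN's DHCP broadcast to the server as unicast and stamps the giaddr field with the address of the interface it arrived on, and the server chooses the scope that contains that address. Server address, VLAN numbers and interface names are assumed.

```cisco
! Layer-3 switch (IOS): one SVI per tenant VLAN, each relaying DHCP to the
! Windows DHCP server at 10.0.1.10 (assumed address) on the management VLAN.
interface Vlan10
 description Tenant-A
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 10.0.1.10
!
interface Vlan20
 description Tenant-B
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.1.10
!
! The relayed DISCOVER reaches the server as unicast with giaddr set to the
! SVI address it came in on (10.0.10.1 or 10.0.20.1). The server answers from
! the scope containing that giaddr, so it needs one scope per VLAN subnet
! (10.0.10.0/24, 10.0.20.0/24) and no scope for VLANs that get no leases.
!
! ip helper-address forwards several UDP broadcast types by default, not only
! DHCP (67/68). Turn the others off so tenant VLANs only reach the server on
! the port they actually need.
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp time
no ip forward-protocol udp tacacs
!
! ASA equivalent if the tenant subinterfaces terminate on the firewall
! instead (interface names assumed): relay on each tenant interface and set
! the tenant's default gateway in the reply to that interface's address.
dhcprelay server 10.0.1.10 inside
dhcprelay enable tenantA
dhcprelay enable tenantB
dhcprelay setroute tenantA
dhcprelay setroute tenantB
```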
You might want to check the 300 series switch can police tenant traffic. Otherwise, one tenant might regularly consume most of the bandwidth, resulting in a poor service for the remaining tenants.
If so, check if the policing will be granular enough to meet your requirements. If your entire ISP link is only 10Mbps, then a switch offering steps of 10Mbps is no good. Also, bear in mind that you might wish to place your inbound or outbound policing on a Switch Virtual Interface instead of a physical interface. If so, then check that's possible too, or maybe it requires a feature set upgrade.
As I mentioned above, this solution will work, but in the future if you want to add a new office/network or perform any change it will not be an easy job, as it is not a very scalable solution.
However, if you find implementing VRFs is not an easy job, then just go with the firewall approach.
Sent from Cisco Technical Support iPhone App
I will check the bandwidth requirements for each type of VLAN and by type of traffic.
VRF seems difficult to implement (for me), and there is no extension of the offices planned in the mid-term.
But I have now another question.
Is it possible to implement load balancing over two ISPs, using two ASAs?
- the routers are provided by the ISP (we therefore don't have any management access on them)
- VPN is not needed
- which model (and options) of ASA are required?
Thanks for your help.
Yes, you can load balance across two ISPs. The method I've used requires Provider Independent IPs and you might struggle to obtain these now, due to the IPv4 shortage.
Despite not using a VPN, I would perform load balancing ahead of the ASAs and setup the firewalls in active/standby operation.
I always stick to HSRP and static routing on the ASAs. This will require a pair of your own routers or layer-3 switches between ASAs and ISP routers. If opting for routers, then I would add a switchport EHWIC to each router in order to maintain the broadcast domain for HSRP operation, rather than bridge across two LAN interfaces.
You can perform outbound load balancing using per-destination IP CEF with static default routing tied to IP SLA echo. I would expect this to suit a multi-tenant environment with straightforward Internet access. I don't think you have any other option for inbound load balancing other than natural BGP operation, which is not very granular, but it's always worth checking with the ISP. You could also look at PfR, but I've not tried it myself.
Here in the UK, the cost of Internet bandwidth has dropped to a point where it's sometimes cheaper, and less complex, to just pay for additional bandwidth and leave the second circuit as a standby only (or perhaps just for ISP B's customers) - i.e. don't rely on the combined bandwidth of the two circuits. This also means tenants won't experience a reduced service during a link failure.
ASA 5505 series firewalls can perform active/standby operation, but will not fail over state information referencing any existing connections. You need a 5510 for stateful failover. If you want this feature, then you're better off going for the latest generation ASA, called the 5500-X series appliance.
I know you like your part numbers, so you'd be looking at 'ASA5515-K9'. The slightly cheaper ASA 5512-X needs the 'Security Plus' license for HA functionality, so works out the same list price as 5515-X which doesn't require any license upgrade. The ASA 5510 'Security Plus' bundle is slightly cheaper than the 5515-X, but it's not worth the saving in my opinion. The 5512-X is a lot more powerful than the 5510 and incorporates six 10/100/1000 interfaces. Plus, I wouldn't be surprised if Cisco end-of-life the 5500 series next year.
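An added sketch of the router-side pieces the post above combines (constructed for this thread, not from any poster): per-destination CEF over two tracked static default routes, with HSRP facing the ASA pair. All addresses and interface names are assumed, the probes target a host beyond each ISP router rather than the next hop itself (a probe to the next hop alone will not notice an upstream failure), and it assumes the provider-independent addressing the post calls for; with provider-assigned space the source address would also have to be translated per ISP.

```cisco
! Router A. Gi0/0 -> ISP1 router (198.51.100.1), Gi0/1 -> ISP2 router
! (203.0.113.1), Gi0/2 -> LAN segment shared with Router B and the ASA
! outside interfaces. Router B mirrors this with a lower HSRP priority.
ip cef
!
! Probe a target beyond each ISP router, sourced from that ISP's interface,
! so a dead upstream (not just a dead next hop) withdraws the route.
ip sla 1
 icmp-echo 198.51.100.50 source-interface GigabitEthernet0/0
 frequency 10
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 203.0.113.50 source-interface GigabitEthernet0/1
 frequency 10
 timeout 1000
 threshold 500
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Host routes pin each probe to its own ISP so the probes never share a path.
ip route 198.51.100.50 255.255.255.255 198.51.100.1
ip route 203.0.113.50 255.255.255.255 203.0.113.1
!
! Two equal-cost defaults: CEF load-shares per destination by default, and a
! failed track removes its route, leaving all traffic on the surviving ISP.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 2
!
! HSRP towards the ASAs: the ASAs point their default route at 192.0.2.1.
! Losing either upstream lowers priority so Router B can take over.
interface GigabitEthernet0/2
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string PLACEHOLDER-HSRP-KEY
 standby 1 track 1 decrement 20
 standby 1 track 2 decrement 20
```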
If you are trying to load balance using static routes and per-destination load balancing as suggested above, the ASA firewall can do it only if both next hop IPs are reachable via the same firewall interface and on a shared subnet.
HSRP on the router side with an IP SLA object reacting is a good option for an active/standby solution.
Sent from Cisco Technical Support iPhone App
I'm going to refine my question:
- the ISPs will provide a local (10.x.x.x) address for the first ISP and an official one (unknown at this time) for the second ISP at the end of their router.
- I want to load-balance all the outgoing traffic (if possible), whatever the destination is
- I also need to know how the incoming access (for remote management) will be done (which official IP should I use - or both?)
- How will the virtual IP be defined (internal and external)?
- What is the overall schema? WAN -> ISP router -> ASA -> Switch? With cross-links between ASAs and switches?
Sorry for all these questions, but I'm a noob in this domain...
Why is your ISP handing off a private IP to you? Have you purchased a managed service where they firewall the traffic for you or is it just NAT?
Will your two WAN circuits be similar bandwidth?
Yes, VDSL lines with fixed IP are provided with managed service (Belgacom)... However, it is possible to ask them to disable the firewall.
No, the 2 lines will probably have different bandwidth (we haven't chosen the second ISP yet).
Too many unknowns at the moment.
If I were you, I'd first check if Provider Independent IPv4 addressing can be obtained from RIPE along with a public ASN: -