@Cristian Matei I did ASA's clustering and advanced 802.1x features (like IBNS 2.0) virtually all on server no physical hardware need at all. The only thing i see in long run is FTD multi-instance for this to learn you need a physical hardware.

Thanks to you both,

 

I am running Server 2012 with a reasonable spec to comfortably run a number of Virtual Machines on top of a few other services. A few extra Network cards have been installed to connect VM's to different points of my lab. I appreciate the recommend on Virtual tools, they are being installed now.

 

While I primarily use packet tracer, the lab has been useful physically deploying, learning products/reference features and maintaining as my home network. Basically, the firewall will be to tie my 2 FTTC routers together and run my internal network/lab because i loose 30 Mbps of bandwidth with ZBF enabled on my 88VA's. Therefore I will be getting a firewall but won't push my budget for features I am more than likely not going to utilize. 

 

Your comments have been useful, thanks.

 

 

Hi,

   

    ASAv does not support multiple context (the commands are not even there), as for clustering, even though commands are there, it doesn't really work. How did you test these features in virtual? As for IBNS 2.0, there are many features which are supported only by the hardware switches.

 

Regards,

Cristian Matei.

Hi Christian,

I haven't been able to download ASAv so no virtual testing. This is because I have been unable to get any type of support contract for logging into the Cisco Software center. Therefore I am limited to the hardware in my lab and the options available via the installed OS, Packet Tracer and any network tools I get my hand on. Thanks again for the recommendations.

My current setup is an 887VA connected to each of my FTTC broadband circuits which connect to a 2960 (S1) switch for connecting my home network. A cable from S1 to S2 (another 2960) which provides connectivity to my lab that consists of:
Switches: 2 x 3750 and 3850
Routers: 2 x 2801
Firewall: ASA 5510 with no module.

When looking at ASA configuration documentation and examples, I could configure multiple INSIDE and OUTSIDE interfaces. This would allow me to connect my wireless AP / switch (S1) to the Firewall and remove ZBF from each of my 887VA. If I cannot do this, then I have the 5510 which I can get an SSM 10 module at some point. I just thought getting a newer firewall with Firepower would give me options and late, I could see about a second 5510 for active/active/standby configs but, I am back to licencing difficulties for a Sec Plus licence.

Ultimately, my aim is to do away with S1 and have my Firewall run my network by filtering traffic, DHCP and routing a few vlans to either 887VA. Maybe I need to go back to have a rethink because I have changed direction a few times when learning hardware/knowledge limits.

Your insight is appreciated.

Do not mean to hijack this. but if you search around you can see there are images which can be install in eve-ng and on GNS3. which include the multi context and even asa clustering. there two image run in eve-ng/gns3 and give you a feel like you working on an actual hardware. (having said that, there are limitation on throughput but as long as you want to learn and polish your skill-set this is a great tool). on the other hand you have virtural ISE/WSA/FMC/FTD. even you can do a ZBFW in eve-ng/GNS3.

 

I was a fun of hardware but end of the day if i am learning I have to look my budget (electric cost/hardware etc). if you can afford hardware thats good. but if you need alternative there is always a way. it depends how to want to use your resources. 

 

there is a difference between a learner and working in production network. when you are a learner you always try to find a way which is cost saving as we can not afforad cisco expensive kit. for example even i can not afforad buying ASA5512 with lic. too much cost. Cisco itself understand and kind to learn to give us 90 day trail lic for FTD/FMC/ISE etc.

 

as i said earlier and i stick with it if i where at your i would build my all lab virtual instead of physical. during my ccie day i always relay on virtual instead of going physical (as physical always cost me more). 

 

i hope you understand what i am trying to say.

Your comments are certainly welcome Sheraz,

In the main I learn using virtual tools as I do a bit of travelling but always have an eye out for anything within budget - you can beat hands on bare mental! I now have new tools to work through.
I think I will probably invest in a ASA 5500 series but no rush so time to find a deal. I wouldn't mind a POE access point for no WLC.

Continuing the balance the learning again resource. . . . time is the problem with workload so apologies for the delay in responding.

Thanks,
John