04-29-2010 06:11 PM - edited 03-04-2019 08:19 AM
I have a new 20Mb internet being put in soon. The new ISP will be putting a 15000 series router in our facility, and will be giving me the Internet in an Ethernet handoff. I have heard from a few different Cisco people about where to terminate, but wanted to get some opinions on here.
Should I purchase a 2911 to terminate the connection, or terminate it straight into the ASA5520? I currently have just 2 T1 lines going into a 2821 router, then into the ASA (through a segregated VLAN on the core).
I actually have two different spots where I need to make this decision. One is the corporate office, the other is a DR site, which will also have an Ethernet handoff from the same provider.
Thanks in advance.
Bryan
Labels: Other Routing
Accepted Solutions
04-30-2010 06:58 AM
bryankrausen wrote:
Thanks guys. I personally wanted to move to the router option, but had two people state their opinions on being able to terminate on the ASA since it's an Ethernet handoff.
Anybody else? I just want to be sure I get this correct the first time, since it'll be in place for many years to come.
The ASA does support traffic shaping, so you could in theory connect the handoff directly into your firewall. However, it really does depend on what else your firewall will be doing. As Reza says, often it is best left to get on with securing traffic rather than doing things traditionally done by a router. Traffic shaping does have an overhead that comes with it, and if your firewall has a large rule base, is doing a lot of NAT, some deep packet inspection and possibly URL filtering/IPS, then I would hand off managing traffic flow to a router.
As with most things like this it can often come down to cost. So yes the ASA has the functionality to do it but with a 20Mb internet connection it may well be very busy doing what it is designed to do without having the additional overhead of traffic shaping.
Edit - also note that in terms of QoS and feature interaction/compatibility you have far more options on a router than you do on an ASA.
Jon
04-29-2010 07:34 PM
Hi Bryan,
I would keep the functions separate and let the firewall do its job of blocking unwanted traffic. The 2900 is a pretty good router for terminating an ISP connection, and depending on the number of routes you are getting from the service provider you may want to go with a 3900.
HTH
Reza
04-30-2010 06:30 AM
Your handoff will be 20Mbps which means it's a subrate 100Mbps connection hence you need QoS to buffer excess traffic.
The ASA won't do this function for you so my recommendation is to place the router at the perimeter.
Regards
Edison
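The subrate situation described in the post above, as an added example that is not part of the original thread: a small simulation of a burst sent at 100 Mbps line rate into a 20 Mbps service, with and without a shaper in front. It assumes the provider enforces the rate with a token-bucket policer allowing an 8-packet burst (the thread does not say how the rate is enforced); the 100-packet burst of 1500-byte frames is constructed.

```python
LINE_RATE = 100_000_000        # bits/s, physical handoff speed (from the thread)
CIR = 20_000_000               # bits/s, contracted rate (from the thread)
PKT_BITS = 1500 * 8            # constructed: full-size frames
POLICER_BURST = 8 * PKT_BITS   # assumed provider bucket depth, not from the thread


def line_rate_burst(n_pkts, rate_bps=LINE_RATE):
    """Arrival times (microseconds) of n_pkts sent back-to-back at rate_bps."""
    gap = PKT_BITS * 1_000_000 // rate_bps
    return [i * gap for i in range(n_pkts)]


def police(times_us, rate_bps=CIR, burst=POLICER_BURST):
    """Token-bucket policer: out-of-contract packets are dropped, not queued."""
    tokens, last, passed, dropped = burst, 0, 0, 0
    for t in times_us:
        tokens = min(burst, tokens + (t - last) * rate_bps // 1_000_000)
        last = t
        if tokens >= PKT_BITS:
            tokens -= PKT_BITS
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def shape(times_us, rate_bps=CIR):
    """Shaper: queue excess packets and release one every PKT_BITS/rate_bps.

    Returns (departure times in microseconds, peak backlog in packets).
    """
    gap = PKT_BITS * 1_000_000 // rate_bps
    departures, next_free, peak = [], 0, 0
    for i, t in enumerate(times_us):
        send = max(t, next_free)
        departures.append(send)
        next_free = send + gap
        sent_by_now = sum(1 for d in departures if d <= t)
        peak = max(peak, i + 1 - sent_by_now)
    return departures, peak


if __name__ == "__main__":
    burst = line_rate_burst(100)
    print("unshaped (passed, dropped):", police(burst))
    shaped, backlog = shape(burst)
    print("shaped   (passed, dropped):", police(shaped))
    print("peak shaper backlog (packets):", backlog)
    print("added delay on last packet (us):", shaped[-1] - burst[-1])
```

The backlog and added delay are the buffering cost the shaping device pays, which is the overhead the thread weighs when deciding between the ASA and a router.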
04-30-2010 06:44 AM
Thanks guys. I personally wanted to move to the router option, but had two people state their opinions on being able to terminate on the ASA since it's an Ethernet handoff.
Anybody else? I just want to be sure I get this correct the first time, since it'll be in place for many years to come.
04-30-2010 08:12 AM
The ASA does support traffic shaping
I stand corrected.
