Subinterfaces vs Physical Interfaces on ASA for LANs with VPN Tunnel

dbuckley77
Level 1

We are in the process of moving one of our departments to a new location where we will need to create a point-to-point VPN tunnel using an ASA-5505 at the far end and a Palo Alto at our core location. I am much more familiar with configuring the PA than the Cisco ASA and would appreciate some advice. We need to create three new LANs that will be VLANed out at the new location. Would it be more advantageous to separate these networks by using logical subinterfaces on a single interface, or would it be better to use a separate physical interface for each network? What are the pros and cons of one way vs. the other? Also, we have a Cisco VoIP system with Call Manager and will be deploying phones to the new location. Anything that should be noted for routing the traffic across the tunnel? -Thanks

4 Replies

Joseph W. Doherty
Hall of Fame
I cannot really offer advice on your basic question; however, concerning running VoIP across an Internet VPN tunnel, I can suggest, as I would with any other connection, providing the VoIP traffic prioritization for its bearer component and a bandwidth guarantee for its control component.

Although the Internet doesn't support QoS, the Internet "cloud", and most ISPs, have sufficient "cloud" bandwidth that Internet interface congestion is often not an issue. However, your links to the Internet are often bottlenecks and often need QoS policies to ensure VoIP obtains what it needs for its SLAs.

Many Cisco devices support some form of egress QoS support that would provide the service "guarantees" needed by VoIP.

However, what's often a problem is congestion on the link from the Internet to your site (as ISPs will almost always not provide any QoS policy). That, though, can be dealt with by 1) not using that Internet connection for traffic other than your VPN traffic (if you want to provide general Internet access, use another link for that), and 2) ensuring you don't send traffic from one site (or sites) that would oversubscribe the bandwidth.

For example, given a hub with 10 Mbps and four branches each with 2 Mbps, the hub would ensure traffic to each branch is shaped to 2 Mbps (to each branch). Or, if the hub, again, had 10 Mbps, and you had six branches, each, again, with 2 Mbps, you would need to ensure the aggregate of the branches does not exceed 10 Mbps (your choice how you divide the 10 Mbps bandwidth between sites). (BTW, if branches had a physical interface of more than 2 Mbps, you would also need to shape to ensure they do not exceed the allocated bandwidth cap of 2 Mbps, each.)

Giuseppe Larosa
Hall of Fame

Hello @dbuckley77,

for the LAN interfaces the best option is to use a port channel with two member interfaces and have VLAN-based subinterfaces of the port channel.

In this way you avoid the single point of failure of a single interface dedicated to a subnet.

For security reasons the interface going to the "outside" world should be on a separate interface dedicated to this purpose.

This is recommended to avoid having the Internet-facing VLAN/subnet connected to internal switches.

As a final note you need to check the license of the ASA; three VLANs should not be an issue, the basic license should provide 5. But if you want to add more VLANs later you may need to verify the max VLAN limit.

Hope to help

Giuseppe
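As an added illustration of the layout Giuseppe describes (not configuration from the original thread), the following ASA configuration bundles two physical ports into a port-channel that carries three VLAN subinterfaces for the department LANs, and keeps the outside interface on its own dedicated physical port. Interface names, VLAN IDs and addresses are assumed; the syntax is for ASA models with routed Gigabit interfaces, since the ASA 5505's built-in switch ports are configured as "interface Vlan N" instead and do not support EtherChannel.

```text
! Two physical members bundled with LACP into Port-channel1 (assumed ports)
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/2
 channel-group 1 mode active
 no shutdown
!
! The bundle itself carries no IP; it is only the 802.1Q trunk parent
interface Port-channel1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per department VLAN (assumed VLAN IDs and subnets)
interface Port-channel1.10
 vlan 10
 nameif dept-a
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface Port-channel1.20
 vlan 20
 nameif dept-b
 security-level 100
 ip address 10.10.20.1 255.255.255.0
interface Port-channel1.30
 vlan 30
 nameif voice
 security-level 100
 ip address 10.10.30.1 255.255.255.0
!
! Note: interfaces sharing security-level 100 cannot pass traffic to each
! other until "same-security-traffic permit inter-interface" is configured,
! so inter-department reachability stays an explicit decision.
!
! Internet-facing side stays on its own physical port, never on the trunk
! towards the internal switches (assumed public address)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.248
 no shutdown
```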

It just occurred to me that the ASA only has 10/100 interfaces and our ISP circuit will be 600 Mbps. How much bandwidth is recommended to run Cisco VoIP across a VPN?

Hello @dbuckley77,

you will need a DMZ switch to land the ISP circuit.

For VoIP calls you need to consider roughly 100 Kbps of traffic for the bearer channel, not encrypted.

The VoIP RTP packets are really small, so you can consider that encryption can double the rate; you will need 1 Mbps for every 5 simultaneous VoIP calls.

So bandwidth is not an issue in your case if this is a branch office with only 20-30 IP phones.

The real issue I see is that the ASA 5505 is likely not able to use all this bandwidth (600 Mbps) for IPsec-encrypted traffic bidirectionally.

So in the long term you may want to replace it with a newer, more powerful firewall.

Hope to help

Giuseppe
