07-16-2016 09:00 AM
Hi, we're moving to a new data center and will be upgrading to an ASA 5506.
Given that switchport functionality present in the 5505 has for some reason been removed in the 5506, it seems that we need an L2 switch thrown into the mix. Fair enough, would prefer it otherwise, but no other choice so am looking to purchase an SG300 10 port L2/L3 switch.
Questions:
1) looking at the dimensions of the ASA (7.871" x 9.23" x 1.72") and switch (11.0" x 6.7" x 1.45") it seems that they will fit in 1U of rack space (in fact, they have to, as the server will consume the other 1U of available rack space). If yes, can I rack mount the devices? Data center has said they can just plunk the devices on top of the server (Dell R430), but would prefer they sit in a rack if possible.
2) power: what amperage (or wattage) will the devices consume on average on a 110V line? Running a bit tight with just 2 amps available (not sure if data center charges for spikes above 2 amps or if we're billed on monthly average). Won't be a particularly bandwidth or compute heavy setup but there will be periods of high load over time so would like to know how much power networking end of the spectrum will consume under load vs. idle.
3) config: assume that when I purchase SmartNET for the ASA they won't be able to help configure the switch. To replicate ASA 5505 switchport behavior should I just run the switch in L2 mode? i.e. will that automagically replicate the standard 5505 3 VLAN setup of In, Out, and DMZ? Or, can I go L3 and take advantage of advanced switch features without too much hassle? (can get around the CLI and do basic/intermediate-ish configuration given what I've learned from previous SmartNET tech support sessions).
Thanks for some feedback here before pulling the trigger on proposed 5506 + SG300 purchase!
07-16-2016 03:38 PM
1. There is a rack mount bracket for an ASA 5506 - but if you use it you won't have space to put your switch next to it.
2. The ASA 5506 has a 30W power supply. So at 110V that works out at 0.27A.
The SG300-10 appears to use 10W at 110V. So 0.09A.
3. I would leave the switch in layer 2 mode. If you have devices on the 5506 that only need a single port I would plug them directly into the 5506. I would only use the SG300 when you need more than 1 device in the same zone. With any luck that will only be one zone, so you won't need to use VLANs.
07-17-2016 04:03 AM
Thanks for the reply, very helpful.
re: rackspace, fair enough, sounds like without the rackmount bracket the firewall and switch can sit side-by-side within 1U of space directly on the server (have had this type of "informal" setup for years in current data center; nothing has melted yet).
re: power, according to Dell's Energy Smart Solution tool our R430 configuration will consume 1.8 amps at 40% server load. We'll rarely go over that*, but clearly in lifecycle of the server we'll exceed 2 amps with proposed setup.
*reboot/power cycle will likely exceed the limit.
re: layer 2 vs layer 3 mode, I'd like to have a separate subnet independent of the ASA, which will be used for backups and large database transactions between virtual machines (in other words, not load the ASA with bandwidth/traffic it doesn't need to handle/know about). For this I believe I'll need L3 capabilities of the switch, no?
As for plugging ASA ports directly to the server, sure, there's a dedicated management NIC port on the server that doesn't need to be relayed through the switch, but otherwise all other NIC ports will live on a vlan.
Thanks again!
07-17-2016 12:53 PM
You only have to have a separate subnet from the ASA if you want to. The servers will be plugged into the same switch either way, and in both cases server-to-server traffic in the same subnet does not go through the ASA.