VPN Design

Thomas Yarger (Level 1)

Hello All,

I'm looking at validating a potential solution and wanted some general input. The requirements are below. I will confirm licensing soon. This is being built on a Cisco ASA 5508.

  • Configure 1 Gb DIA as the main circuit for general web browsing and SaaS access. In the event of an outage, this traffic will fail over to the AT&T ATVPN 20Mb circuit using SLA/Track. In addition, web browsing and SaaS traffic will be throttled to 5Mb by applying policing and rate-limiting.
  • Implement an IPSec tunnel to colo, via the 1 Gb DIA circuit.
    • In the event of an outage on the AT&T ATVPN, the IPSec tunnel will form, allowing connectivity back to the colo with auto fallback.

Thank you for your feedback and time! Best.

Accepted Solution

@Thomas Yarger

Well, the datasheet does say the ASA 5508 supports 1Gb, but I usually take that with a pinch of salt. It depends on what features you require: the more NGFW features you enable, the less throughput/performance.

IPSec throughput is only 175Mbps, so nowhere near the capacity of your DIA circuit.

ASA supports multi-peer, so you can failover using IP SLA, as per your requirements.

The ASA hardware is not the latest nor greatest; I'd recommend the newer Firepower hardware such as the 1000 series, and you can run either ASA or FTD software. https://www.cisco.com/c/en/us/products/collateral/security/firepower-1000-series/datasheet-c78-742469.html
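An added ASA configuration sketch of the design in the question and the reply above (IP SLA tracking with floating static routes for auto fallback, plus the 5Mb policing on the backup path); it is not code from the thread. Addresses are documentation ranges, and the interface names outside (DIA) and backup (ATVPN), the colo prefix 10.10.0.0/16 and the LAN 192.168.1.0/24 are assumptions; the site-to-site crypto map bound to outside is not shown.

```cisco
! Added example, not from the thread. Interface names, prefixes and next hops
! are assumptions: outside = 1 Gb DIA, backup = AT&T ATVPN 20Mb.
!
! 1. Probe out of the DIA interface; track 1 goes down when the probe fails.
!    Probing a host beyond the provider edge (instead of the next hop) also
!    catches upstream failures, not just the local link.
sla monitor 10
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! 2. Default route via DIA is tied to track 1. The floating route via ATVPN
!    (metric 254) is only used while track 1 is down and is left again as
!    soon as the probe recovers, which gives the auto fallback.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route backup  0.0.0.0 0.0.0.0 203.0.113.1 254
!
! 3. Same pattern for the colo prefix: prefer ATVPN, fall to the DIA path when
!    the ATVPN next hop stops answering. Colo-bound traffic then matches the
!    crypto ACL of the site-to-site crypto map on outside (not shown) and
!    brings the IPsec tunnel up; it tears down again on fallback.
sla monitor 20
 type echo protocol ipIcmpEcho 203.0.113.1 interface backup
 frequency 5
sla monitor schedule 20 life forever start-time now
track 2 rtr 20 reachability
route backup  10.10.0.0 255.255.0.0 203.0.113.1 1 track 2
route outside 10.10.0.0 255.255.0.0 198.51.100.1 254
!
! 4. Police web/SaaS traffic to 5 Mbit/s. Applying the policy only on the
!    backup interface means the limit is in force only while traffic has
!    failed over to ATVPN; the DIA path is left unthrottled.
access-list WEB_SAAS extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list WEB_SAAS extended permit tcp 192.168.1.0 255.255.255.0 any eq https
class-map WEB_SAAS_CLASS
 match access-list WEB_SAAS
policy-map BACKUP_POLICY
 class WEB_SAAS_CLASS
  police output 5000000 10000 conform-action transmit exceed-action drop
service-policy BACKUP_POLICY interface backup
```

Check the state with `show track`, `show sla monitor operational-state` and `show service-policy interface backup` while pulling the DIA link to confirm the route and policer actually switch over and back.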
