SA520W -vs- 891W -vs- ASA5505 IPS & Wireless 802.11n bridging

Jan 20th, 2010

Here's our current setup:


50Mbps DOCSIS 3.0 cable --> ASA5505 --> SMC 802.11n bridge --> Cisco AP1252 --> 2960G 8 port, with a 24 port unmanaged switch daisychained to it. Right now clients connect on 5GHz only, using MS RADIUS PEAP for client connects to the MS Win2008 PDC; the wireless bridge is WPA2-PSK on 2.4GHz.


Obviously not the best setup... some things are monitored with CNA, others with ASDM.


The first question is 891W vs SA520W: main differences in IPS functionality, performance/throughput etc. The ASA5505 appears to have lower specs in VPN/firewall throughput (150Mbps & 50Mbps for VPN) vs the SA520W at 200 & 65. The IPS module for the ASA5505, what additional things does it cover? The SA520W appears to have all 100/1000 ports vs the more expensive 891W, which only has 10/100 ports. While it's true the WAN is only 50Mbps, DOCSIS 3.0 does support up to 300, so it appears that the new 890 routers are almost outdated and should have included 100/1000 ports.


Can the 520W wireless bridge using WPA2-PSK to either an AP1252 or an AP541N?


We are thinking of the following setup:


Cable modem ---> SA520W ---> AP541N --> ESW540-24P-K9 (or use the AP1252 dual radios... would it support standard PoE with this ESW switch, or require MCS be turned down in power to support both radios, or just be able to use a single radio? We were told a 3750G switch would be needed for full 18.5W PoE.)


Instead of using 2.4GHz for the bridge & 5GHz for the clients (since the AP541N only supports 2.4 or 5GHz switchable, not both), can both the clients & bridge all use MS RADIUS PEAP to the Win2008 PDC, or would we be forced to use WPA2-PSK?


Can this all be managed using a single tool? And if so, what are the differences between CCA & CNA, as they basically appear to do the same thing?


Our other thought was an integrated router with cable modem, 802.11n & Gigabit in a single box.

We looked at the 1941W; the problem is it doesn't support a DOCSIS 3.0 HWIC and it's much more expensive.


Thanks again for your assistance, as Cisco appears to have many overlapping products.


Kevin

chriscarson Wed, 02/03/2010 - 09:07

Kevin,


I'm also interested in a good answer from someone about this issue. I don't really have any answers.


We have about 150 ASA5505s deployed and have had rock solid performance. I haven't had a single DOA and can only remember 2 or 3 devices with reboots that firmware didn't fix. I am looking at some SA500 series boxes, but the issues I'm seeing in the community forums are not too encouraging. I'd rather stick with Cisco Enterprise products cut down for SMB as opposed to consumer (Linksys) products developed for SMB.


The only issue I can see with the ASA5505 moving forward is bandwidth. Luckily our cable speeds around here top out at 25Mbit at the moment.


Best Regards,

Chris Carson



Here are some quotes I've seen that aren't very enlightening.


“These units are just Linux machines Cisco is polishing up for a specific segment, and a specific set of network functions to cater to small businesses. To expect it to do everything a normal IOS router (or VPN device, or firewall) does is really unrealistic. These are meant for branch offices mostly, of under 100 users.”


“The web interface has some noticeable bugs. Looks like they hacked it together pretty quickly. I attached a screen shot of the web IKE and VPN policy.”


“My advice... throw the SA520 in the garbage and either go buy a cheaper Linksys, or build your own custom router using Openswan (that's what I'm doing). I had tickets open with Cisco support and the guy from support told me the Cisco professional client doesn't even work with the SA520. Only their QuickVPN client works (only on Windows). He said SSL VPN works but you have to pay $30/license!”


“Yea, these units are definitely different than any other Cisco device. I think they're meant to be in a class all of their own. From the looks of it, the remote access VPN option is solely the SSL VPN.”



kevinfor Thu, 02/04/2010 - 01:04

Just an update & some feedback on Cisco Support.


We did purchase the SA520W and got the following working:

CABLE --> SA520W --(WPA2-PSK bridge)--> SMCWEB-N bridge --> 2960G 8 port --> WIN2008 PDC. We replaced the standard Cisco antennas with 7dB D-Link ANT24-0700. We never got a reply from Cisco support on any 802.11n bridging questions, either in these newsgroups or via phone.


We uploaded the latest firmware, but could never get the IPS license files Cisco emailed us to load (others have been having issues with SSL license loading), so I think a bug exists here, see https://www.myciscocommunity.com/message/33776#33776. We contacted Cisco SMB support on 01/20/2010 and opened a case. The tech was polite, said he needed to escalate, and we never got a callback. Opened a second case with another tech... she was also polite, put me on hold for 3 mins, asked me to send log files + screenshots etc... and also never called me back. I called back today and was told the case had been escalated, was given this tech's name/number, called him, left voicemail and never got a callback.

Steven Smith Thu, 02/04/2010 - 10:16

Hi Kevin,

Could you send me the case numbers?  I would like to get to the bottom of why this problem happened.  I have escalated this internally and would like to get your problems fixed and the system fixed so other customers don't have this issue.


Can you post your unanswered questions and I will get you the answers you are looking for.

Thanks

Steven Smith

kevinfor Fri, 02/05/2010 - 02:44

Case# 613450009 & 613528479


Issue #1

We can't get the IPS license file to load... here are the license files + screenshot + log files attached.

Please explain why we can't load the IPS files and what the firewall errors are. Thanks.


Issue #2

See my first post... but to recap... really simple: wireless bridging.

Cable --> SA520W --- WPA2-PSK *** or *** PEAP to MS RADIUS/cert (nice but not required) (what Cisco product to **insert** here?) --> ESW-540P-24-K9


Can the AP541N be a slave (workgroup bridge: no client connections, or show up as a client) to the SA520W? If we insert an AP1252, can it be a slave to the SA520W (or can the SA520W be a wireless client bridge to the AP1252)? I assume the ESW-540P can run the AP541N through PoE with no issues. I've been told the AP1252 can run a single radio on 802.3af PoE, or dual radios on a standard PoE switch if you turn down the radio power.


Any other Cisco products that can act as a wireless bridge to the above? Our idea is removable antennas... or have you tested the Cisco WET610N?


The technical problems with our current setup using the SMC Wireless N bridge to the SA520W are that in order to get it to work, we need to set the SMC to WPA/WPA2 mode with AES/TKIP and must broadcast the SSID, and it has no removable antennas. If we attempt to lock down any tighter to WPA2/AES, MAC filtering, or not broadcasting the SSID, things break. I know this isn't a Cisco issue; that's why we are looking for a 100% Cisco solution (my understanding is that there is no IETF or RFC Internet standard for wireless bridging, it's vendor specific). That way if issues exist we can open feature or bug requests.



While I'm at it... why do you have 2 products, CNA (Cisco Network Assistant) and CCA (Cisco Config Assistant)? They appear to be the same darn product, except half the products work with CNA and the other half with CCA. We can't really seem to config the SA500 series through CCA. The graphical topology looks cool.


If you can get answers to the IPS issue, we will be happy for now. I will also try calling the support SE again.

Attachment: 
Steven Smith Fri, 02/05/2010 - 13:29

Thanks for responding with case numbers.  I am forwarding that along.


Issue 1

The license file ending 3550 appears to be incorrect.  The PID there shows SA520W-K9:DNI1344A295, which is incorrect.  It should be SA520W-K9.  The second file appears correct and the logs look like the IPS license installed correctly.  If this is not the case, let me know.


(log file)

Fri Feb 5 01:23:38 2010(GMT -0800) INFO System PLATFORM     cslLicenseFileInstall: Status of license install for license: 0 is No Error 

Fri Feb 5 01:23:38 2010(GMT -0800) INFO System PLATFORM     cslLicenseFileInstall: successful: 1, failed: 0, existing: 0 

Fri Feb 5 01:23:39 2010(GMT -0800) INFO System PLATFORM     cslUpdateStatus: Store /flash/store/pri/lservrc.pri found at index 0 

Fri Feb 5 01:23:39 2010(GMT -0800) INFO System PLATFORM     cslUpdateStatus: License at index 0 on store at index 0 

Fri Feb 5 01:23:39 2010(GMT -0800) INFO System PLATFORM     cslUpdateStatus: Store /flash/store/eval/eval_license found at index 1 


On the firewall logs, do you have some rules that have logging turned on?  If so, that would explain why you are seeing them.  We are working on cleaning up the logs so that CDP messages that are fine don't show up at some basic log levels.


Issue 2


The SA520W cannot be configured in a bridge mode.  It can only accept clients.  The AP541N can do bridging, but cannot be configured as a client.


The AP1252 can be configured in bridge mode and client mode.  If you want to use the wireless on the SA520W, I would recommend the AP1252.

http://cisco.com/en/US/docs/wireless/access_point/12.4_3g_JA/configuration/guide/s43hot.html#wp1040354


I have not personally tested the WET610N.  I am sure it would work as well, but if you are using an ESW540P on one side of it, I might be a little concerned with throughput with the WET610N.


The SA520W supports WPA2 with RADIUS.


Alternatively, you could use 2 AP541N with bridging if you wanted to. 



I can't give you the exact reasons why there is CNA and CCA.  CCA focuses on the voice configurations, and can do very complicated voice configurations.  CNA doesn't go into that as much.  It is two different development teams that work on each product.



Let me know if you have any further questions or if I missed something.
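
As an added example (not Cisco code and not anything posted in this thread): a small Python checker that reads the cslLicenseFileInstall / cslUpdateStatus lines quoted above and reports whether the license install actually succeeded, plus a check that the PID being pasted into the license portal is the bare product ID and not PID:serial, which is the mistake identified in the file ending 3550. The log-line layout is inferred only from the five lines in this reply; the failing sample lines and the "Invalid PID" status text are constructed for the example and are not real appliance output.

```python
"""Sanity-check an SA520W license-install log excerpt and a license-request PID.

Added example, not Cisco code. The line layout is inferred from the five
log lines quoted in this thread; nothing else about the appliance's
logging is assumed.
"""
import re
from typing import Any, Dict, Iterable, Tuple

# Line shape as quoted in the thread:
#   Fri Feb 5 01:23:38 2010(GMT -0800) INFO System PLATFORM     cslLicenseFileInstall: <message>
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
    r"\(GMT (?P<tz>[+-]\d{4})\)\s+(?P<level>\w+)\s+(?P<facility>\w+)\s+"
    r"(?P<component>\w+)\s+(?P<func>\w+):\s+(?P<msg>.*?)\s*$"
)
STATUS_RE = re.compile(r"Status of license install for license:\s*(\d+)\s+is\s+(.+)$")
SUMMARY_RE = re.compile(r"successful:\s*(\d+),\s*failed:\s*(\d+),\s*existing:\s*(\d+)")
STORE_RE = re.compile(r"Store (\S+) found at index (\d+)")

# The five lines quoted in the thread (a successful install).
SAMPLE_GOOD = [
    "Fri Feb 5 01:23:38 2010(GMT -0800) INFO System PLATFORM     cslLicenseFileInstall: Status of license install for license: 0 is No Error ",
    "Fri Feb 5 01:23:38 2010(GMT -0800) INFO System PLATFORM     cslLicenseFileInstall: successful: 1, failed: 0, existing: 0 ",
    "Fri Feb 5 01:23:39 2010(GMT -0800) INFO System PLATFORM     cslUpdateStatus: Store /flash/store/pri/lservrc.pri found at index 0 ",
    "Fri Feb 5 01:23:39 2010(GMT -0800) INFO System PLATFORM     cslUpdateStatus: License at index 0 on store at index 0 ",
    "Fri Feb 5 01:23:39 2010(GMT -0800) INFO System PLATFORM     cslUpdateStatus: Store /flash/store/eval/eval_license found at index 1 ",
]

# CONSTRUCTED failure case: same layout, but the status text "Invalid PID" is an
# assumption for illustration, not a message the appliance is known to emit.
SAMPLE_BAD = [
    "Fri Feb 5 01:10:02 2010(GMT -0800) INFO System PLATFORM     cslLicenseFileInstall: Status of license install for license: 0 is Invalid PID ",
    "Fri Feb 5 01:10:02 2010(GMT -0800) INFO System PLATFORM     cslLicenseFileInstall: successful: 0, failed: 1, existing: 0 ",
]


def parse_license_log(lines: Iterable[str]) -> Dict[str, Any]:
    """Reduce cslLicenseFileInstall / cslUpdateStatus lines to one verdict."""
    result: Dict[str, Any] = {
        "successful": 0, "failed": 0, "existing": 0,
        "errors": [],      # (license index, status text) for any status other than "No Error"
        "stores": [],      # license stores the appliance reported after the install
        "unparsed": 0,     # lines that did not match the expected layout
    }
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            result["unparsed"] += 1
            continue
        msg = m.group("msg")
        if m.group("func") == "cslLicenseFileInstall":
            s = STATUS_RE.search(msg)
            if s and s.group(2).strip() != "No Error":
                result["errors"].append((int(s.group(1)), s.group(2).strip()))
            t = SUMMARY_RE.search(msg)
            if t:
                result["successful"] += int(t.group(1))
                result["failed"] += int(t.group(2))
                result["existing"] += int(t.group(3))
        elif m.group("func") == "cslUpdateStatus":
            st = STORE_RE.search(msg)
            if st:
                result["stores"].append(st.group(1))
    return result


def license_installed(lines: Iterable[str]) -> bool:
    """True only if at least one license installed, none failed, and no error status was logged."""
    r = parse_license_log(lines)
    return r["successful"] >= 1 and r["failed"] == 0 and not r["errors"]


def check_pid(pid: str, expected: str = "SA520W-K9") -> Tuple[bool, str]:
    """The PID entered on the license portal must be the bare product ID.

    The rejected file in this thread carried 'SA520W-K9:DNI1344A295', i.e. the
    serial number glued onto the PID; flag that case with a specific message.
    """
    pid = pid.strip()
    if pid == expected:
        return True, "ok"
    if ":" in pid:
        head, tail = pid.split(":", 1)
        if head == expected:
            return False, f"serial '{tail}' appended to PID; enter '{expected}' alone"
    return False, f"PID '{pid}' does not match expected '{expected}'"


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, parse_license_log(sample), "installed:", license_installed(sample))
    print(check_pid("SA520W-K9:DNI1344A295"))
```

The checker deliberately treats any status text other than "No Error" as a failure rather than matching specific error strings, since the only status the thread shows is the success case.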

kevinfor Sat, 02/06/2010 - 23:52

Issue #1

Reloading the correct license resolved the issue. There have been others who have had the same issue & this could be a call generator: https://www.myciscocommunity.com/message/27894#27894. The feature request for newer firmware would be that instead of having the end user type (or cut & paste) the PID etc. into a webpage, when you click "buy license" or free trial etc., the device would send this info to the correct registration page, through https:// or however it does it.


Issue #2

SA520W --> AP1252 tested last night & works OK.

The feature request here is that Cisco provide some type of client bridging solution for SMB. Ideally this would be a firmware update to the AP541N, as the device supports PoE & removable antennas, rather than forcing SMB to the consumer WET610N or to buy the more expensive 1252.


I understand you have more important issues to fix right now... you can close the cases & this thread.


Thanks again

Kevin

David Hornstein Sun, 02/07/2010 - 01:51

Hi Kevin,


We do have a bridging solution for bridging a single vlan if you use the WAP200 or WAP2000 product.


I must admit I prefer the WAP200E, as there is only a single N-Type antenna connector that bypasses the internal diversity antennas when it is connected.


It is PoE enabled with no facility for a DC power pack.  So it must be powered from a PoE injector or a PoE switch.


The illustration below shows one topology, but grid or Yagi antennas can be connected to the WAP200E for long distance comms.


There are the WAP200, WAP2000 and WET200 that can bridge, but these three use SMA antennas.  You can connect an external antenna (when looking at the rear) to the left hand antenna post. But please check their manuals for capabilities.


Attachment: 111.JPG

kevinfor Tue, 02/09/2010 - 02:38

Problem is the models you list above are all 802.11g, not n... time for Cisco to upgrade the line I guess.


I believe an error exists in your Cisco spec sheet... take a quick look at page 6. It seems to say the AP541N & WAP4410N support multiple modes, including "AP, Bridge, Repeater & Client", so is Steve's answer above incorrect? "Client" does NOT mean end user laptops etc., otherwise the other wireless products would have this feature in the spec sheet. Please clarify.


http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10047/Cisco-Wireless-Access-Point-Brochure.pdf

David Hornstein Tue, 02/09/2010 - 06:58

Hi Kevin,


Kevin, when I ordered my SA500 I only wanted a non-wireless version (SA520), as personally I would prefer adding external access points to the network, as it would give me more flexibility with wireless deployment and options, i.e. bridging, repeating or just in AP mode.  But the wireless can originate from somewhere other than my security appliance.


I know that with my wireless G WAP200s, I can bridge long distance at around 20Mb/sec, and these APs are inexpensive (but I can only attach grid or Yagi antennas to the right antenna post, when looking from the front of the unit).  Is there anything really bad with a 20Mbit/sec link between bridged APs? Much faster than an E1 or T1 link :D


The screen shot of the wireless management interface of the WAP200 may help explain that functionality.


Regards, Dave



Attachment: 111.JPG