Advice on where to terminate WAN

Answered Question
Apr 29th, 2010

I have a new 20Mb internet being put in soon. The new ISP will be putting a 15000 series router in our facility, and will be giving me the Internet in an Ethernet handoff. I have heard from a few different Cisco people about where to terminate, but wanted to get some opinions on here.


Should I purchase a 2911 to terminate the connection, or terminate it straight into the ASA5520? I currently have just 2 T1 lines going into a 2821 router, then into the ASA (through a segregated VLAN on the core).


I actually have two different spots where I need to make this decision. One is the corporate office, the other is a DR site, which will also have an Ethernet handoff from the same provider.


Thanks in advance.

Bryan

Reza Sharifi Thu, 04/29/2010 - 19:34

Hi Bryan,


I would keep the functions separate and let the firewall do its job of blocking unwanted traffic. The 2900 is a pretty good router for terminating an ISP connection, and depending on the number of routes you are getting from the service provider, you may want to go with a 3900.


HTH

Reza

Edison Ortiz Fri, 04/30/2010 - 06:30

Your handoff will be 20Mbps, which means it's a subrate 100Mbps connection; hence you need QoS to buffer excess traffic.

The ASA won't do this function for you so my recommendation is to place the router at the perimeter.


Regards


Edison

bryankrausen Fri, 04/30/2010 - 06:44

Thanks guys. I personally wanted to move to the router option, but had two people state their opinions on being able to terminate on the ASA since it's an Ethernet handoff.


Anybody else? I just want to be sure I get this correct the first time, since it'll be in place for many years to come.

Correct Answer
Jon Marshall Fri, 04/30/2010 - 06:58

bryankrausen wrote:


Thanks guys. I personally wanted to move to the router option, but had two people state their opinions on being able to terminate on the ASA since it's an Ethernet handoff.


Anybody else? I just want to be sure I get this correct the first time, since it'll be in place for many years to come.


The ASA does support traffic shaping, so you could in theory connect the handoff directly into your firewall. However, it really does depend on what else your firewall will be doing. As Reza says, often it is best left to get on with securing traffic rather than doing things traditionally done by a router. Traffic shaping does have an overhead that comes with it, and if your firewall has a large rule base, is doing a lot of NAT, some deep packet inspection and possibly URL filtering/IPS, then I would hand off managing traffic flow to a router.


As with most things like this it can often come down to cost. So yes the ASA has the functionality to do it but with a 20Mb internet connection it may well be very busy doing what it is designed to do without having the additional overhead of traffic shaping.


Edit - also note that in terms of QoS and feature interaction/compatibility you have far more options on a router than you do on an ASA.


Jon
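
An added example, not part of any post in this thread: the 20 Mbps shaping discussed in the replies, written once for the router option (IOS MQC with a child queuing policy) and once for the ASA option. The interface names, policy and class names, and the EF-marked voice class are assumptions for illustration.

```cisco
! --- Option A: router at the perimeter (IOS MQC) ---
! Hypothetical class for traffic that should not wait behind bulk flows.
class-map match-any VOICE
 match dscp ef
!
! Child policy: decides what leaves first while the shaper is holding packets.
policy-map WAN-QUEUE
 class VOICE
  priority percent 20
 class class-default
  fair-queue
!
! Parent policy: shape all egress traffic to the contracted 20 Mbps so that
! excess traffic is buffered on this device, as the thread describes.
policy-map WAN-SHAPE-20M
 class class-default
  shape average 20000000
  service-policy WAN-QUEUE
!
interface GigabitEthernet0/0
 description ISP Ethernet handoff (assumed interface name)
 service-policy output WAN-SHAPE-20M
!
! --- Option B: handoff directly on the ASA ---
! Shaping is configured under class-default and applied per interface
! (here the interface with the assumed nameif "outside").
policy-map OUTSIDE-SHAPE-20M
 class class-default
  shape average 20000000
!
service-policy OUTSIDE-SHAPE-20M interface outside
```

On the router, `show policy-map interface GigabitEthernet0/0` reports the shaper's queue depth and drop counters, which shows whether the handoff is actually being held to the contracted rate.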

Edison Ortiz Fri, 04/30/2010 - 08:12

The ASA does support traffic shaping


I stand corrected.
