Choosing the right product for a branch office: Cisco ASA or IOS Router?

CCIE Brandon Carroll compares the Cisco ASA and an IOS router for connecting a small branch office. Here are the criteria he evaluates and the product he thinks works best.

Have you ever had to make a decision between an ASA or a Cisco IOS router at a smaller branch office? This sounds like it would be an easy task, but it's not. The ASA puts up a good case for being the device of choice. Then again, so does the Cisco IOS router. So the decision usually comes down to what an admin is more comfortable with. In this post I'm going to share why I would choose a router, even though I'm a huge fan of the ASA.

Note: for simplicity I'll be comparing the Cisco 891 Integrated Services Router to the Cisco ASA 5505, but most of the features discussed apply to most branch routers running Cisco IOS 12.4 or 15.x.

Interfaces

Let's start with interfaces. The Cisco 891 has an 8-port 10/100 Fast Ethernet managed switch with VLAN support and optional Power over Ethernet (PoE) on 4 ports to power IP phones or an external access point. The Cisco ASA 5505 has an 8-port 10/100 switch with only 2 PoE ports.

The Cisco 891 has Metro Ethernet features, including one 1000BASE-T Gigabit Ethernet WAN port, one 10/100BASE-T Fast Ethernet WAN port, or one Gigabit Ethernet (GE) Small Form-Factor Pluggable (SFP) socket for WAN connectivity. Note, however, that only the 1000BASE-T Gigabit Ethernet WAN port or the SFP can be operational at any given time.

The Cisco ASA 5505 doesn't have any of this functionality, so this round goes to the Cisco 891.

QoS

Next, let's talk about QoS features. The Cisco ASA is capable of some QoS features, configurable with the Modular Policy Framework. This includes policing on inbound and outbound traffic as well as the ability to configure a priority queue in addition to the single best-effort queue. Matching capabilities are still immature on the Cisco ASA OS. The Cisco 891 is feature-rich, with QoS capable of multiple classification methods, multiple queuing methods, traffic policing, traffic shaping, and even AutoQoS. When it comes to QoS, the Cisco 891 wins again.

The Cisco 891 supports a number of protocols based around Metro Ethernet but since the ASA doesn't support them, there is no use in mentioning them.

The Cisco 891 also has an optional integrated secure 802.11a/g/n access point that's based on the draft 802.11n standard as well as dual-band radios for mobility and support for autonomous or Cisco Unified WLAN architectures. This is another area where the Cisco ASA 5505 can't touch the router.

You may also want to consider routing functionality when making a decision like this. While the ASA 5505 does in fact support routing protocols, it by no means compares to the routing capability of the Cisco IOS.

But you may be interested in security, since that's the primary function of the 5505. While the 5505 is certainly capable of everything a firewall can be and then some, there is a "not-so-common" feature of Cisco IOS called the Zone-Based Policy Firewall. This is a very feature-packed firewall capability. I can do pretty much anything with the Zone-Based Firewall that I can do with an ASA.
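
As an added illustration (not configuration from the original post), here is a minimal Zone-Based Policy Firewall for a branch router: inside hosts may initiate a handful of protocols towards the Internet, return traffic is allowed by stateful inspection, and everything else is dropped and logged. Zone, class-map and policy-map names, the allowed protocols and the interface names (Vlan1 for the LAN switch ports, GigabitEthernet0 for the WAN) are assumptions for illustration.

```cisco
! Added example, not from the original post: minimal ZBFW on a branch router.
! Names and interfaces are assumptions (Vlan1 = LAN switch ports, Gi0 = WAN).
!
! 1. What inside hosts may initiate towards the Internet.
class-map type inspect match-any LAN-TO-WAN-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! 2. Stateful inspection for matched traffic; anything else is dropped and logged.
policy-map type inspect LAN-TO-WAN-POLICY
 class type inspect LAN-TO-WAN-CLASS
  inspect
 class class-default
  drop log
!
! 3. Zones and the zone pair (direction LAN -> WAN only).
zone security LAN
zone security WAN
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN-POLICY
!
! 4. Interface membership. With no WAN -> LAN zone pair, unsolicited inbound
!    traffic is dropped by default; return traffic for inspected sessions is
!    allowed by the state table.
interface Vlan1
 zone-member security LAN
!
interface GigabitEthernet0
 zone-member security WAN
```

Two points a first-time ZBFW user tends to miss: once an interface is placed in a zone, traffic between it and any interface in a different zone is denied unless a zone pair with a policy permits it, and traffic to or from the router itself belongs to the implicit self zone, which is not affected by the LAN-WAN pair above.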

And finally, to round things off with VPN capability, I again have to go with a Cisco router. The main reason for this is DMVPN. There is simply no DMVPN capability in the ASA, probably because it doesn't support GRE tunnels. DMVPN is a great solution for connecting branches: the central site acts as the hub, and tunnels between branches are built on the fly only when they are needed. With an ASA the tunnel would need to remain up, or you would have to hairpin via the central site, which requires a little more configuration on the central site to allow the hairpinning.

So while I stress the fact that I am a fan of the Cisco ASA platform, I'd take a Cisco Router at the branch any day. What other criteria would you use to make a similar decision?

About

Brandon Carroll, CCIE #23837, is an IT Director, Blogger, Podcaster, and Mac Enthusiast. Brandon has nearly 15 years in the networking industry consulting for large and small enterprise and service provider networks.

37 comments
agredon

One thing I didn't see mentioned, but that is extremely important: how do they compare when it comes to throughput?

According to Cisco's Router Performance chart (http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf), the 890 is only capable of an anemic 51.20 Mbps with no services enabled.

The ASA 5505 claims 150 Mbps (with SPI), though I can't see how that is possible given that it only has Fast Ethernet. Perhaps they are measuring with traffic going in both directions?

Anyone have any apples-to-apples throughput comparisons? I'm interested in Mbps with SPI and Mbps with AES-256.

JoeBeckner

I too prefer the 880, 890, 1900, 2900 over the ASA, particularly for branch office networks. The IOS routers have greater flexibility for controlling traffic, controlling interfaces to multiple ISPs and backup connections, better QoS, better site-to-site VPN, and the Zone Based Firewall is as good. The only thing the ASA has over the IOS router is that support for Remote Access VPN, SSL and AnyConnect is a lot easier to manage. For some of my clients I have been deploying both: IOS routers for branch office networks, along with an ASA for Remote Access.

DEPillow

I have a new ASA 5505 and it works just fine for my small business. I trust Cisco as a leading provider of security hardware and I will continue with them in the future. I am using ASDM to manage my 5505 and it is a very robust interface to work with.

wdewey@cityofsalem.net

I have had issues with not being able to establish a VPN with an ASA 5510 (VPN service has been up and running for over a year). After rebooting the ASA it suddenly works again. This is my first experience with rebooting a Cisco device and having it fix the issue. This doesn't make me happy and is one of the things I was trying to avoid by purchasing Cisco. The article didn't cover the user interface for managing either of the two devices. I know that the ASA has the ASDM as a GUI configuration tool, but does the 891 have a similar interface? Bill

medfordmel

Routing is another feature that lends itself - not surprisingly - to a router. I definitely prefer ASAs for VPNs and firewall functionality. However, if you have multiple routes in and out, the ASA is not your friend. An ASA is not a router. To make this point more emphatic, Cisco does not allow ASAs to pass traffic in and back out the same interface, so no "router on a stick" with an ASA. These quirks mean that if you do choose an ASA, you may ALSO need a router, and/or you may need your ISP to do some routing for you.

howard_davis

Actually, I am trying to figure out for our new building what is best. Small charter school, approx. 70 computers. Going to have 2 ISPs to separate admin from students (long story, lots of better ways but this is what worked out). Never messed with something like this AT ALL. Assuming I will need two separate networks (at least ADs), but I am trying to figure out foresting. Anyways, do I have to use two separate routers, or can I use a dual port that will separate the traffic?

El_Guapo

I haven't used a Cisco 891 router so I'm not too familiar with them. I do have a Cisco 5510 connected to a 5505. No problems; firewalls and NAT easy to use and easy to set up. Had a little trouble with site-to-site VPN but once I got that figured out, worked great! The new 8.3 version object-oriented setup is great. Saves me a ton of time and much easier to use than the old way. The only issue I do have is licensing; everything costs to upgrade. SSL, WebVPN, interfaces, AnyConnect, etc. all cost extra. Now can the same be said for a Cisco 891?

ron

To me it's a no-brainer; I would also choose the Cisco 891. My reasons are simple. Most of our customers work from home. The PoE ports (its best feature) along with the VPN/QoS features allow me to connect (dare I say) an Avaya or a Cisco Call Manager (the latter being the popular choice). I'd choose the ASA 5505 for offices of a dozen or more and companies that have devices that need to be accessible from the net, i.e. a web site. A good example is a real estate or doctor's office. rstaples www.configbytes.com

pneumoboy

The Cisco ASA is a bug ridden failure. I cannot calculate the amount of time we have wasted with the ASA5505s, 5510s, and 5520s in our environment. We are constantly identifying code issues that Cisco acknowledges. We have some devices that needed to be DOWNgraded to older code to fix bugs, which opens it to the vulnerabilities in that code version. But we need connectivity to our sites. Every code release fixes one thing and breaks something else. We have Juniper Firewalls protecting our core services and never had any issues that compare to the Cisco ASA. We are now looking at Juniper for our routing and switching needs. Oh... and good luck with that Cisco licensing... If you think you are going to buy an ASA5505 for an offsite, be warned the standard license only allows you to have 10 hosts connected (and 10 tunnels). Anything more requires a license purchase. And with an unlimited license you need a memory upgrade on 8.3 or better. So your $500 ASA5505 will cost you closer to $900. Have fun!

GDoC

Cisco products and their GUI interfaces are notorious. As an initial implementation step, using the GUI does permit generation of a baseline configuration quickly, but in order to tune/tweak it you have to be comfortable with the CLI. To answer your question more directly, yes, all IOS products do support an http/s interface for configuration/monitoring, but almost EVERY Cisco engineer will turn them off as a best-practice security policy. Grab the IOS PDFs for your particular version to get the specifics of turning on this capability. Typically the command in global configuration mode is "ip http secure-server". But keep in mind that the IOS version/feature set has to support encryption and a certificate must be made available prior to enabling this.
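
As an added example (not part of GDoC's comment or the original post), here is one way to enable HTTPS-only management on an IOS router while keeping it restricted: an RSA key and self-signed trustpoint so the secure server has a certificate to present, plain HTTP disabled, local authentication, and an access-class limiting which subnet may connect at all. The hostname, domain, key and trustpoint labels, ACL number and management subnet are assumptions for illustration.

```cisco
! Added example, not from the original post: HTTPS-only management on IOS.
! Hostname, domain, labels, ACL number and the management subnet are assumptions.
!
! --- Global configuration mode ---
hostname branch-rtr
ip domain-name branch.example.com
!
! Only the management subnet may reach the web interface; other attempts are logged.
access-list 10 remark MGMT-HOSTS
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny any log
!
! Local administrative account (prefer AAA with TACACS+/RADIUS where available).
username admin privilege 15 secret <STRONG-PASSWORD-PLACEHOLDER>
!
! --- Privileged EXEC mode: generate the key pair the certificate will use ---
! crypto key generate rsa general-keys label MGMT-KEY modulus 2048
!
! --- Global configuration mode: self-signed trustpoint bound to that key ---
crypto pki trustpoint MGMT-TP
 enrollment selfsigned
 subject-name CN=branch-rtr.branch.example.com
 rsakeypair MGMT-KEY
!
! --- Privileged EXEC mode: create the self-signed certificate ---
! crypto pki enroll MGMT-TP
!
! --- Global configuration mode: HTTPS on, HTTP off, restricted and authenticated ---
no ip http server
ip http secure-server
ip http secure-trustpoint MGMT-TP
ip http authentication local
ip http access-class 10
```

The order matters: the key pair and certificate have to exist before `ip http secure-server` has anything to present, which is the caveat the comment above points at. A self-signed certificate is enough to get encryption on the management session; replacing it with one issued by an internal CA removes the browser warning and lets admins verify they are talking to the right router.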

BrandonCarroll

Actually, you can hairpin on an ASA and it also supports sub-interfaces with 802.1q tagging.

Sensor Guy

I worked a year ago on a high-profile Federal account, and the budget had been fixed price via a bid with a major 3-letter integrator. Unfortunately, the bid had just enough budget for only a router or an ASA, so I was forced to choose ASA 5520 for 3 remote locations and a 5550 for the central sites because of the security requirements. There wasn't much routing needed (5 locations) but boy was getting the routing to work a pain! One of the few cases I told the client that now that it's operational, don't call me to change it in any way! The extra adapters for the 5520 ate up any of the free loose change in that budget item. Boy, do you pay a premium for adapters on those ASAs. Funny, once I got it working Cisco CCIEs from support called up under the cover of warranty support and wanted me to give them copies of the configurations, since I had spent lots of time carefully documenting each statement and what it did, since the object-oriented pretty interface tool had failed to do the job. BTW, in this bid, Cisco no-bid their Call Manager. They were afraid of the press if it didn't work or even dropped any calls. Life-critical systems, where a dropped call meant a life lost, most probably.

BrandonCarroll

I have the same situation in some of my locations. We have different ISPs for different traffic. We use VLANs to logically separate the subnets, HSRP for first-hop redundancy, and two routers with two different HSRP groups. This gives us the ability to have one network use one router and the other network use a different one. If either of them fails, HSRP will provide the redundancy we need.

larry

Not sure of the rationale for two ISPs except for fault tolerance maybe. If that's the case, I'm intrigued with the Netgear Prosecure UTM25 (less than $500 street). The product focus is threat management, but it also elegantly manages IPSec/SSL VPN and two separate WAN interfaces. AD can effectively manage staff with higher privileges from students on the same internal network using the same clients.

Spitfire_Sysop

I certainly don't understand using multiple ISPs for anything other than failover or bandwidth. To separate groups you can use different subnets and have completely separate firewall rules for each subnet. They would not only have different rules but you could easily control what traffic, if any, could be shared between the two. That being said, you could make multiple solutions for the situation you proposed. If you had a router with 2 WAN connections coming in and 2 subnets coming out it would be identical to a router with 1 WAN connection coming in and 2 subnets coming out. The traffic separation is still logical. I think you would get better performance from two routers. One per subnet. That way you have 2 WAN bottlenecks instead of the one. You would also have the advantage of physical separation which can make management easier. So it depends on if you would rather have physical or logical separation. If you are going with logical separation I would question your need for 2 ISPs. Plus, you save a ton of time and money by sticking with one ISP, one router and two logical subnets.

ohiomike12

It appears this thread has turned into a Cisco bashing thread. This makes me very frustrated because I just recently got my CCNA and CCNA Security certifications and I was going to start looking for a job in the next few months and then work on my CCNP. I don't want to go through all this work to learn products for a company that is in decline.

mark

First, at $500 for a base model, a SonicWALL TZ210 is hardly comparable to Linksys equipment. Linksys however is Cisco these days. :-) Second, SonicWALL platforms are very feature-rich. I can do NAT policies on VPN tunnels that allow two site locations that use the same IP scheme to talk to each other. I can use the application firewall to prevent specific commands from being run on services such as telnet or RTP. I can do multiple (4x) WAN failover and load balancing, protocol and IP origination and destination bandwidth management, SSL-VPNs, single sign-on security with LDAP. These features are what put SonicWALL ahead for deployments at endpoint locations.

sserwe

We have Cisco 2821 routers at both our main office and hosting site at the front with SSL/IPsec VPN, a couple of Catalyst 2960s for internal switching/PoE. We also have a CCX and CM server for our call center which we've been having MASSIVE problems with for several months (constant dropped calls) and Cisco can't even figure out what's wrong... It seems like Cisco is going backwards as time goes on. It's like they purposely keep IOS impossible to work with without a hefty degree and a dozen Cisco certs. The owner of our company decided to spend 60k on a Cisco phone system without consulting IT that works for shit and costs us tons of money to support (the fact that they cannot figure it out is even more frustrating), not to mention their bullshit licensing model. I recommend going with either a SonicWALL or HP A series for routing and HP Curve series for switching (HP is much easier to support and seems to be much more reliable). And for God's sake, whatever you do, don't get a Cisco Call Manager. I have MS Lync server running in a test environment and I gotta say: so much better (not that they are any more stable, but MS products are so much easier to support).

Sensor Guy

I've put in a number of 5510s and it was certainly not easy and very unintuitive, if not painful.

dcollar

My experiences with SonicWALL vs. Cisco are comparable with yours. Cisco is so overrated and costly for what you get...

nwallette

The IOS GUI is a command line with 100% auto-complete. You never have to type the commands, but you still use them. Useless doesn't begin to cover it. ASAs have ASDM, which I don't like at all. I was recently told that some minute parts of the configuration are no longer even available by CLI. I haven't verified that, but I would be very sad to find it's true. Contrast this with most modern firewalls, which have a web-based GUI worth a crap, and I'll take dynamic HTML over Java applets any day! Configure via my phone (in a pinch)? Yes, please.

Sensor Guy

The complexities of doing sub-interfaces and 802.1q are far too complex for the average Cisco customer. Cisco's ASA product architecture reminds me of IBM's decision to make products complex to give much unnecessary work to their loyal techies so that in turn they forced their companies to invest in their products which made them economic captives.

howard_davis

I guess I did not state why the two ISPs. It was not for separating originally. Our current T1 has a 5-year contract (not my choice, signed the month before I started). To increase bandwidth was insane cost. So I added a second line, cable with 15 down 2 up, for increased bandwidth (do not need the up speed). After some investigation, I am going with a Radware load balancer. This comes after the two modems, before the firewall. The firewall will act as DHCP (we only have approx. 80 computers). Thanks for the help. (If my idea is a nightmare, other ideas appreciated.)

nwallette

Having a Cisco cert says you've been through formal network training. Nothing wrong with that. If you know how to configure an IOS router or ASA, you know networking. If your knowledge is 100% Cisco, you'll miss out on opportunities elsewhere. But, your understanding of the essentials will help you learn the syntax and ideology differences, if you choose to take that initiative. It's important to remember that a cert does not equal experience. You can be certified and a total moron. You can be NOT certified and a total genius. Some employers won't bother to check which applies to you, which is a shame. Others will gladly take experience over paper credentials.

GDoC

But its competition is ascending. The true gain with a Cisco "infrastructure" is that they at least make an attempt at consolidation of management interfaces/CLI command structure. Are there differences in the CatOS, IOS, PIX, ASA, and NX-OS command structures? Of course there are, but they are close enough in context and syntax that if you know one you can figure the rest out with a bit of research and trial. Additionally, if you get into a Cisco-centric enterprise you'll find all of the support, documentation and interoperability caveats and release notes at one location, easing the engineering and management of the infrastructure end to end over a shotgun approach of picking only on a best-feature-for-the-dollar criterion in isolation. Cisco is probably not the best in switch, router, VM, FC, firewall, IPS, and management environments... but they are near enough to the top in all of the environments that they are a very good choice. Don't worry, your certifications are not in vain!

vectra-v6

ohiomike12 - don't despair at the vendor bashing that goes on in forums. I did my CCNA 10 years ago and the Cisco training knowledge is gold in any network environment. As for Cisco as a supplier, in any large enterprise network there will always be vast amounts of Cisco kit and company buyers who will only buy Cisco because it's a name they know, so somebody who knows how to make it all work will always be in demand. Good luck with the career.

nbridges

Hi OhioMike12, I am on the side that increasing your knowledge is a good thing! Although the CCNA is vendor specific, you also learn many things that will relate to other vendors. If the company you get hired on to has Cisco equipment, then go for your CCNP, if not, then go for the certification that best applies to the vendor product you support. Good luck!

dslam24

It just takes skill and knowledge. IMHO SonicWALL is just a step above a Wal-Mart Linksys router; any kid out of high school can point and click. Cisco may cost more but it's a true leader in the industry, closely followed by Brocade.

nwallette

There are better products out there. Juniper switches will run circles around Catalysts in the same price range, with layer-3 routing, PoE, dual PSUs, and a usable web GUI as a nice bonus. We're rolling out a competitor's firewall product now to determine its suitability. We've already put a couple in production at some small sites. They're doing great. And not having to deal with "interesting traffic" on our site-to-site VPNs is SUCH A NICE CHANGE. Finally, we can use dynamic routing protocols! That was such a stupid, misguided paradigm. Also, no license limit on SSL VPNs for end-users. And it was still much, much more affordable.

Compare that to our core Cisco ASAs, where:

- Failover is just -over
- GBICs are locked by vendor
- TAC support costs more than our replacement products
- You can't route back out of the same interface (yet my Linux iptables firewall can)
- The codebase is monolithic, so any crash, overrun or leak affects ALL other "processes"

I upgraded the firmware on a Catalyst switch recently. File Verify Auto was on. It refused to boot because it failed checksum. For kicks, we power-cycled it. It booted fine. Still failed checksum once running. Turns out, File Verify is broken, and has been for a while. Huh. Go figure. The solution: "Don't verify the image." OK, Cisco. Cisco is junk. Expensive junk.

bdean

I'll second for SonicWALL. Their licensing structure is very straightforward and the device is a lot more intuitive than ASAs in my opinion.

fred

My company is a Cisco Partner, meaning that we sell/support only Cisco. I have a CCNA cert and CCNP training only, which has turned out to be handy. My boss, a very talented but uncertified Cisco-ite, was impressed but didn't want to say so! Comments above are very consistent with my experience, especially since I am the VPN "guru" in our shop. Using ASDM to set up an ASA initially is a very good idea if you have not done, say, a dynamic VPN before. I had trouble getting ASDM to work because it needed an older Java version... took some time to fix. For run-of-the-mill L2L connections, I have a more-or-less standard config for that. Your notes confirm my certainty that there are other nice products out there, and much friendlier, but it is unlikely I will get to see them as long as I am here. I would just add that Cisco has a new free GUI out, Cisco Configuration Manager, to replace SDM. It's much friendlier and prettier, but only does routers and switches. No security products at this writing.

BrandonCarroll

The IOS router GUI interface is called Security Device Manager (SDM) and you will be able to configure *most* tasks in SDM related to security, general configuration, IPS, and QoS. However, this is NOT a replacement for the command line interface. On another note, using the proper authentication and https versus http, it is a secure way to access the device. I personally don't turn it off as a security measure; I turn it off because I don't use it. I am a fan of the CLI. I personally believe that there is never going to be a true replacement for it, but on the ASA the ASDM interface is a MUST if you intend to configure SSL VPNs. A great deal of the configuration is called from XML files that are created by ASDM. ASDM is very functional and actually what Cisco recommends for configuration of ASAs these days.

Spitfire_Sysop

A load balancer is perfect for this scenario. It should provide failover and increased performance.

pneumoboy

US-CERT today shows 10 HIGH vulnerabilities and 3 Medium vulnerabilities with ASA code. That is unacceptable for a security device.

sserwe

The amount of knowledge required to use their products is staggering if you want to use advanced features. It's funny to compare SonicWALL to a Wal-Mart router because I have never met anyone that used a SonicWALL that didn't completely love it. Also, Cisco is falling behind in their market share, so while they still lead now, they are going to have to make some massive changes to keep that title. More and more non-Cisco models that can do the same thing with a much more user-friendly interface are appearing for a fraction of the price.

pasky2112

I'd bake-off any IOS vs. Juniper/Netscreen (JunOS/ScreenOS) any day and walk away with my JNPR as the Cisco ASA slowly melts away. While the branch SRX may have some IPS issues, its features, performance and flexibility smoke the competition.

halarcon

We have done everything with mikrotik.com, sometimes even more than Cisco, for a fraction of the cost.