Choosing the right product for a branch office: Cisco ASA or IOS Router?

CCIE Brandon Carroll compares the Cisco ASA and an IOS Router for connecting a small branch office. Here is the criteria he evaluates and the product that he thinks works best.

Have you ever had to make a decision between an ASA or a Cisco IOS Router at a smaller branch office? This sounds like it would be an easy task, but it's not. The ASA puts up a good case for being the device of choice. Then again, so does the Cisco IOS router. So the decision usually comes down to what an admin is more comfortable with. In this post I'm going to share why I would chose a router, even though I'm a huge fan of the ASA.

Note: For purposes of simplicity I'll be comparing the Cisco 891 Integrated Services Routers to the Cisco ASA 5505 but most of the features discussed relate to most Branch Routers running Cisco IOS version 12.4 or 15.x.


Let's start with interfaces. The Cisco 891 has an 8-port 10/100 Fast Ethernet managed switch with VLAN support and 4-port support for Power over Ethernet (PoE) (optional) to power IP phones or external access point. The Cisco ASA 5505 has 8 port 10/100 switch with only 2 PoE ports.

The Cisco 891 has Metro Ethernet features which include one 1000BASE-T Gigabit Ethernet WAN port, one 10/100BASE-T Fast Ethernet WAN port, or one 1-port Gigabit Ethernet (GE) Small Form-Factor Pluggable (SFP) socket for WAN connectivity however only the 1000BASE-T Gigabit Ethernet WAN or the SFP can be operational at any given time.

The Cisco ASA 5505 doesn't have any of this functionality, therefore this round goes to the Cisco 891.


Next, let's talk about QoS features. The Cisco ASA is capable of some QOS features configurable with the Modular Policy Framework. This includes policing on inbound and outbound as well as the ability to configure a priority queue in addition to the single best effort queue. Matching capabilities are still immature on the Cisco ASA OS. The Cisco 891 is feature-rich with QoS being capable of multiple classification methods, multiple queuing methods, traffic policing, traffic shaping, and even auto qos. When it comes to QoS, the Cisco 891 wins again.

The Cisco 891 supports a number of protocols based around Metro Ethernet but since the ASA doesn't support them, there is no use in mentioning them.

The Cisco 891 also has an optional integrated secure 802.11a/g/n access point that's based on the draft 802.11n standard as well as dual-band radios for mobility and support for autonomous or Cisco Unified WLAN architectures. This is another area where the Cisco ASA 5505 can't touch the router.

You may also want to consider routing functionality when making a decision like this. While the ASA 5505 does in fact support routing protocols, it by no means compares to the routing capability of the Cisco IOS.

But you may be interested in security, since that's the primary function of the 5505. While the 5505 certainly is capable of everything a firewall can be and then some, there is a "not-so-common" feature of the Cisco IOS called Zone Based Policy Firewalls. This is a very feature-packed firewall capability. I can pretty much do anything with the Zone Based Firewalls that I can do with an ASA.

And finally to round things off with VPN capability, I again have to go with a Cisco Router. The main reason for this is DMVPN. There is simply no DMVPN capability in the ASA, probably because it doesn't support GRE tunnels. DMVPN is a great solution for connecting branches using the central site as the hub and only building the tunnels between branches on the fly when they are needed. With an ASA the tunnel would need to remain up, or you would have to hairpin via the central site in which you'd need a little more configuration on the central site to allow the hairpinning.

So while I stress the fact that I am a fan of the Cisco ASA platform, I'd take a Cisco Router at the branch any day. What other criteria would you use to make a similar decision?