
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3758

Cisco ASA Bandwidth management, Radius authentication, 800 users using 4 separate gateways

Hi Folks, here's a confusing one for you. I have a network with approximately 800 users. We have 12 Cisco Aironet 1300 Series Access Points spread out across our 24000 square foot campus.

Currently in place we have DIA 4 Mbps that is costing us $3000 monthly. We have maxed out our bandwidth and are receiving frequent complaints from the users that the internet services are too slow.

Another ISP provider is offering a business DSL connection, 6 Mbps down and 1 Mbps up. The total cost for 4 of these Business DSL connections is $200 monthly for each connection, totalling $800 monthly, and ultimately providing us with 24 Mbps of bandwidth coming down the pipe and 4 Mbps upload (obviously via 4 different gateways).

I have been researching a few different methods on best practices to get the best use and possibly centralize all 4 gateways through one device. Bandwidth management and packet shaping is a priority. Currently we have 2 different solutions: a Cisco ASA 5510 (currently not using any service policy framework) that is used for all of the hardwired ports on the network, and a ver 2.6 Mikrotik WISP Router wireless hotspot and bandwidth management device that controls all AAA access to the wireless access points.

I'd like to find out from the Experts Exchange community some case studies or different solutions they may have implemented and what hardware/software solutions were used.

Thanks in advance for any help.
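The question mentions that the ASA 5510 is not yet using its service policy framework. As an added example (not configuration from the poster or the thread), this is what per-subnet rate limiting looks like in ASA Modular Policy Framework syntax: traffic from one inside subnet is policed in both directions on the inside interface. The subnet, interface name, class/policy names and rates are assumed placeholders.

```cisco
! Added example, not from the thread. Subnet, names and rates are assumed.
! Identify the traffic to limit (here: a hypothetical guest/wireless subnet)
access-list RATE-LIMITED extended permit ip 192.168.20.0 255.255.255.0 any
!
class-map RATE-LIMITED-CLASS
 match access-list RATE-LIMITED
!
! police <direction> <conform-rate bps> <conform-burst bytes>
! output = toward the inside interface (downloads), input = from it (uploads)
policy-map INSIDE-POLICY
 class RATE-LIMITED-CLASS
  police output 2000000 375000
  police input 1000000 187500
!
service-policy INSIDE-POLICY interface inside
!
! Verify hit counters and drops once traffic is flowing:
! show service-policy interface inside
```

Policing drops packets above the rate rather than queuing them, which is the only per-class option on the ASA; it is a blunt tool, so the counters in `show service-policy` should be checked before and after tightening the rates.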

2 Solutions
Do you have a 2600, 1800, or 2800 series Cisco router? I use PBR (Policy Based Routing) to select different Internet connections for different source addresses....

For example, at one site I might have a Cable, DSL and a T1 connection all into the same router... the usual problem is that you can only have one default gateway... but with a route map applied to the ethernet interface of the router, I can define access lists that make traffic from different inside hosts go out different ISP connections...

I even use the IP SLA commands to failover clients to another internet connection if their primary one goes down...
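The route-map, access-list and IP SLA approach described in the answer above, written out in Cisco IOS syntax as an added example (this is not the answerer's configuration, and it is router configuration, not ASA syntax). Inside hosts in the lower half of the LAN subnet prefer ISP1 and the upper half prefer ISP2; each group falls over to the other link when the tracked gateway stops answering probes. Interface names, addresses, gateways and the subnet split are assumed placeholders using RFC 5737 documentation ranges.

```cisco
! Added example, not the thread's own config. Interfaces, addresses and
! gateways are assumed placeholders (documentation ranges).
!
! Probe each ISP gateway; the track object goes down when probes fail.
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip sla 2
 icmp-echo 198.51.100.1 source-interface FastEthernet1
 frequency 10
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
!
! ISP-facing interfaces (one per DSL modem handing off Ethernet)
interface FastEthernet0
 description ISP1 DSL
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
interface FastEthernet1
 description ISP2 DSL
 ip address 198.51.100.10 255.255.255.0
 ip nat outside
!
! Inside LAN; the policy route-map is applied on the ingress interface
interface Vlan1
 description inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map MULTI-WAN
!
! Split inside hosts by source address: .0-.127 prefer ISP1, .128-.255 prefer ISP2
ip access-list extended LAN-LOWER
 permit ip 192.168.10.0 0.0.0.127 any
ip access-list extended LAN-UPPER
 permit ip 192.168.10.128 0.0.0.127 any
!
! verify-availability skips a next hop whose track object is down,
! so each group fails over to the other ISP automatically
route-map MULTI-WAN permit 10
 match ip address LAN-LOWER
 set ip next-hop verify-availability 203.0.113.1 10 track 1
 set ip next-hop verify-availability 198.51.100.1 20 track 2
route-map MULTI-WAN permit 20
 match ip address LAN-UPPER
 set ip next-hop verify-availability 198.51.100.1 10 track 2
 set ip next-hop verify-availability 203.0.113.1 20 track 1
!
! Tracked default routes for traffic the route-map does not steer
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10 track 2
!
! Overload NAT per ISP: "match interface" selects the outside address of
! whichever link the packet actually exits on, so return traffic comes back
! the same way
ip access-list extended LAN-ALL
 permit ip 192.168.10.0 0.0.0.255 any
route-map NAT-ISP1 permit 10
 match ip address LAN-ALL
 match interface FastEthernet0
route-map NAT-ISP2 permit 10
 match ip address LAN-ALL
 match interface FastEthernet1
ip nat inside source route-map NAT-ISP1 interface FastEthernet0 overload
ip nat inside source route-map NAT-ISP2 interface FastEthernet1 overload
```

Two points worth checking after applying something like this: `show track` and `show ip sla statistics` confirm the probes are actually passing, and the per-ISP NAT route-maps are what keep existing sessions from breaking when a flow is steered out a different link than its translation was built on.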
You might want to try something purpose-built like the FatPipes Extreme out in front of your ASA and let it do all the work for you.

The Xtreme looks pretty cool, but when froogled it appears to cost over 10,000 dollars... and the smaller model only handles 2 connections up to 2 Mb/s... this can be done just as well with an $800 Cisco 1811 router.... or better yet a $50 2611XM off eBay...

Agree that PBR on a Cisco router makes some sense, but if you have 4 DSL modems handing off Ethernet, you need at least 5 Ethernet ports or 4 DSL WIC modules. Only the 2800 series has 4 WIC slots out of the box and the capability to add a WIC-4ESW 4-port switch.
PBR will only give you pseudo load sharing and not true load balancing. Understanding that cost is an issue and I know the Fatpipes is expensive, you might consider a Linksys RV016 that can load share up to 7 DSL/cable links.
The other thing I would suggest is to get a really good handle on exactly what users are doing to the bandwidth you have. Monitor the traffic with tools like NTOP/netflow to see what is really going on.
Once you know what users are really doing, create good acceptable use policies to limit what users are allowed to do. Hold contests for least bandwidth used for the week, name the bandwidth "hog" of the week and make the hog pay for dinner for the least-use winner... Getting more bang-for-the-buck out of what you already have is a human behavior issue more than a technology issue.
On the flip side, if all the traffic is legitimate business related traffic, then you may need better SLAs and bandwidth than you can ever get with DSL lines. Consider Metro Ethernet, FIOS or other high-bandwidth offerings from your local ISPs that do carry SLAs and guaranteed availability.

Remember, too, that with 4 DSL lines, your uploads are all going to be restricted to the lower upload speed of any single line. No single upload will ever spread across all 4 lines and you will never be able to upload faster than 1Mb at a time. Same with downloads. No single download will ever be faster than the max of one line and no single download will ever be spread across multiple DSL lines to get more than the 6M at any one time.
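The answer above recommends measuring what users actually do with NetFlow and a collector such as NTOP before buying more bandwidth. As an added example (not configuration from the answerer), this is the IOS side of that: export NetFlow v5 records for traffic entering and leaving the inside interface to a collector. The interface name, collector address and UDP port are assumed placeholders.

```cisco
! Added example, not from the thread. Interface, collector address and
! port are assumed placeholders.
!
! Account for flows in both directions on the inside LAN interface
interface Vlan1
 ip flow ingress
 ip flow egress
!
! Export v5 records to the collector (ntop or any NetFlow receiver)
ip flow-export version 5
ip flow-export source Vlan1
ip flow-export destination 192.168.10.50 2055
!
! Until the collector is running, the on-box flow cache already shows
! which inside hosts are generating the most traffic:
! show ip cache flow
```

The exported records carry source/destination address, ports, protocol and byte counts per flow, which is enough to rank hosts and protocols by volume and to tell legitimate business traffic from the bandwidth hogs the answer talks about.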

Not true.... the 1811 has 2 Ethernet and 5 VLAN ports for a total of 7 available interfaces...
Forced accept.

EE Admin
fcorey (Author) commented:
I know it's been a long time since I replied to this thread,  but just wanted to let everyone know I solved the MULTI-WAN gateway issue by implementing a XINCOM X16R. It allows 8 WAN interfaces and then routes all of the traffic through our Mikrotik router. Cost on the device was approx $750 and so far we've had it implemented for a month and it has worked flawlessly.
Thanks for the update!
Did you have any issue with getting VPN (PPTP) to work with the X16R? I have a user inside who is trying to connect to an office VPN and not getting connected. The settings on the X16R look correct, but the documentation and support are a little weak.

