Archive for May, 2008
Cisco recently announced a new WAN router model, the ASR 1000 series. It is a high-performance integrated services device that can be used in both Enterprise and Service Provider networks. One of its key hardware design features is the Cisco QuantumFlow processor, which can support any current and future services at line rate without compromising network performance.
In terms of performance, it really breaks the barrier, especially in its security features: it delivers 10 Gbps firewall throughput and multigigabit encryption.
There are three router models available:
- ASR 1002: Scalable to 10 Gbps. Software redundancy. 4 built-in Gigabit Ethernet ports. 3 SPA slots.
- ASR 1004: Scalable to 10 Gbps+. Software redundancy. 8 SPA slots.
- ASR 1006: Scalable to 10 Gbps+. Hardware redundancy. 12 SPA slots.
Starting from version 7.2(1), the Cisco ASA 5500 series firewall supports Dual-ISP capability. You can connect two interfaces of the firewall to two different ISPs and use the new “SLA Monitor” feature (SLA=Service Level Monitoring) to monitor the link to the primary ISP; if that link fails, traffic is routed to the Backup ISP. The diagram below shows how to implement the Dual-ISP feature.

Assume that the Primary ISP (ISP-1) has assigned us the public IP address 100.100.100.1 with gateway 100.100.100.2, and that the Backup ISP (ISP-2) has assigned us the public IP 200.200.200.1 with gateway 200.200.200.2. Normally all traffic should flow through ISP-1, but if the physical link (or route) to that ISP fails, traffic should be redirected to the Backup ISP. We can configure an SLA monitor service that checks the availability of the primary gateway IP address (100.100.100.2) every 10 seconds using a ping echo request. If there is no response within 3000 milliseconds (3 sec), the default route is redirected to the Backup ISP. The configuration is shown below:
asa5500(config)# sla monitor 100
asa5500(config-sla-monitor)# type echo protocol ipIcmpEcho 100.100.100.2 interface outside
asa5500(config-sla-monitor-echo)# timeout 3000
asa5500(config-sla-monitor-echo)# frequency 10
asa5500(config)# sla monitor schedule 100 life forever start-time now
asa5500(config)# track 1 rtr 100 reachability
asa5500(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
asa5500(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 254
Of course the configuration above assumes that you have already configured two interfaces connected to the ISPs, the first one with name ‘outside’ (security level 0) and the second one with name ‘backup-isp’ (security level 1).
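The failover only works if every link in the chain is present: SLA monitor, schedule, track object, tracked primary route and a less-preferred backup route. The following added example (not part of the original post) checks a pasted configuration for those links; the function name `audit_dual_isp` and the wording of its findings are assumptions made for this illustration.

```python
import re

# The article's commands, pasted with their CLI prompts (sample input).
SAMPLE_CONFIG = """\
asa5500(config)# sla monitor 100
asa5500(config-sla-monitor)# type echo protocol ipIcmpEcho 100.100.100.2 interface outside
asa5500(config-sla-monitor-echo)# timeout 3000
asa5500(config-sla-monitor-echo)# frequency 10
asa5500(config)# sla monitor schedule 100 life forever start-time now
asa5500(config)# track 1 rtr 100 reachability
asa5500(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
asa5500(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 254
"""

ROUTE_RE = re.compile(
    r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\d+))?(?: track (\d+))?")

def audit_dual_isp(config):
    """Return findings; an empty list means the failover chain is complete."""
    # Drop a leading "hostname(mode)# " prompt so pasted CLI sessions also parse.
    lines = [re.sub(r"^\S+#\s*", "", l.strip()) for l in config.splitlines()]
    slas = {m[1] for l in lines if (m := re.fullmatch(r"sla monitor (\d+)", l))}
    scheduled = {m[1] for l in lines
                 if (m := re.match(r"sla monitor schedule (\d+) ", l))}
    tracks = {m[1]: m[2] for l in lines
              if (m := re.fullmatch(r"track (\d+) rtr (\d+) reachability", l))}
    # Default routes as (interface, gateway, distance, track id or None).
    defaults = [(m[1], m[2], int(m[3] or 1), m[4])
                for l in lines if (m := ROUTE_RE.fullmatch(l))]
    tracked = [r for r in defaults if r[3]]
    backups = [r for r in defaults if not r[3]]
    findings = []
    if not tracked:
        findings.append("no default route is bound to a track object")
    if not backups:
        findings.append("no untracked backup default route")
    for iface, gw, dist, tid in tracked:
        sla = tracks.get(tid)
        if sla is None:
            findings.append(f"route via {gw} uses undefined track {tid}")
        elif sla not in slas:
            findings.append(f"track {tid} uses undefined sla monitor {sla}")
        elif sla not in scheduled:
            findings.append(f"sla monitor {sla} is never scheduled")
        for b_iface, b_gw, b_dist, _ in backups:
            if b_dist <= dist:
                findings.append(f"backup via {b_gw} has distance {b_dist}, "
                                f"not higher than primary distance {dist}")
            if b_iface == iface:
                findings.append(f"backup via {b_gw} leaves by the same interface")
    return findings

if __name__ == "__main__":
    print(audit_dual_isp(SAMPLE_CONFIG) or "failover chain complete")
```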



