Cisco ASA change to CCR1072

Dear Forum Users,

I would like to replace my two Cisco ASA 5520s with two MikroTik CCR1072-1G-8S+. The Cisco ASA 5520 firewall throughput is 450Mbps. This value is too low. I’m looking for a device that supports the following:

  • device redundancy (High Availability / Failover)
  • firewall throughput minimum 2-4Gbps
  • management via VPN
  • VLAN
  • NAT
  • SFP+ ports
  • TCP / UDP connection limit management
  • Serving about 1500 to 2000 users simultaneously to the internet

I was thinking of the MikroTik CCR1072 as a possible alternative. What do you think, can I replace my Cisco ASA 5520 with a MikroTik CCR1072?



Thank you!

Cisco ASA is a firewall and CCR is a router. Not the same type of product. ROS does have a firewall and can be used but is not built to be a firewall.
I use ROS at home as both firewall and router but would not do so at work.
I personally like pfSense a lot. They also have some great appliances and can run in a hypervisor if needed.

Unfortunately there isn’t a native RouterOS mechanism for sharing state or config between multiple devices. If you can live with no state and manual config replication, you’ll be fine…

My CCR1009 has a firewall rules count over 100, over 50 NAT rules and mangle over 90 for queue and easy connections understanding.
Connections count over 8000. Max net load 300mb/s. Many VPN IPsec channels, CAPsMAN for over 150 users and 11 WiFi CAPs, OSPF. Max CPU load 35%. What do you mean about this?


Yours respectfully!

Cisco ASA is built to be a firewall with a lot of redundancy functions. You can cluster for HA and share states so a failover is more or less seamless for users.
You can use ROS as a firewall but it’s not built for it and speed may suffer. It is my experience that adding a “firewall” rule to a router class device affects performance more than if it’s a firewall class device.
As I said you can use ROS as a firewall, I do this myself, but if you want to replace a Cisco ASA with a CCR it should be pointed out that it’s not the same type of device.
And also if he wants HA, Cisco ASA is better at this. So he cannot replace that out of the box.

Yep… HA is also BGP, a few ISPs… etc. Any device spends CPU on firewall rule processing! But MikroTik is not a security appliance with antivirus, threat detectors, etc…


Yours respectfully!

Thank you for your answer!