Can a Cisco ASA be configured as a DHCP server for a VLAN on a sub-interface, and route packets between VLANs?

We are in the process of planning to phase out a SonicWall TZ205 in our office. I am hoping to replace it with a Cisco ASA 5516 specifically. We have three networks in house: the main production network (LAN and wireless) on one interface, a public Wi-Fi VLAN on a sub-interface on the same interface as the main network, and VoIP phones on a second interface. My first question is whether the ASA is capable of being a DHCP server for a sub-interface (public Wi-Fi) and for the phone network. I have been unable to find any documentation answering this. Second, is the ASA 5516 capable of routing traffic between the phone network and the production network?

asked Sep 6, 2016 at 19:45

3 Answers

Yes, your ASA can act as a DHCP server, but the thing to remember is that this is not the primary purpose of the ASA, and as such it doesn't perform it as well as a dedicated DHCP server. It can perform it well enough for your clients, though. I am uncertain about the VoIP phones, as the documentation deals specifically with Cisco VoIP.

This link is Cisco's guide to configuring DHCP on the 5500 ASA.

Personally speaking, I am not overly fond of how you are describing your new network. Typically I like to recommend that all of your devices connect to a switch and then that switch connects to your router (which I imagine is your edge router).

answered Sep 6, 2016 at 19:57 by Zack Scaringello

We are a small business, about 75 users. I started here about 6 months ago (first IT job). On my arrival the network was using the SonicWall as its router. We have 6 switches, 3 for the phones and 3 for the LAN. I have been pushing for a dedicated router and a new security appliance, and got approved for the security appliance. Hopefully the ASA can fill both roles until a router is approved.

Commented Sep 6, 2016 at 20:05

Okay, just be aware that this is a relatively large project for someone so new to IT. An ASA can route, but that isn't its primary purpose. It sounds like you inherited a bit of a messy network that isn't necessarily designed as well as it could be. Are you the sole IT person?

Commented Sep 6, 2016 at 20:11

No, one of three actually, but by virtue of my CCENT it gets to be my project. I am slowly making progress towards cleaning it up.

Commented Sep 6, 2016 at 20:17

I haven't actually seen dedicated phone switches in several years. More typically I see them inline with the PCs.

Commented Sep 6, 2016 at 20:18

I have nothing to compare it to experience-wise, and am for now happy to let them hum away. I have had bigger fires to put out.

Commented Sep 6, 2016 at 20:26

You can do DHCP and routing from VLAN to VLAN with an ASA 5516. It's a little more complex with the rules, and it doesn't do sub-interfaces like router-on-a-stick. It's more like an SVI (switched virtual interface) on a layer 3 switch. An SVI is a fancy way of saying: create a VLAN, set the IP address of that VLAN interface on the ASA or switch, and use it as the gateway. Traffic is separated on each port by VLAN tags, similar to the sub-interface idea (on a router, the encapsulation dot1q command on a sub-interface identifies the VLAN tag to look for).

What follows is beyond answering your question, and I apologize if I'm butting in. I'm just trying to offer some advice.

If you plan to get an ASA 5516 with Firepower, do your research. It's a complex venture. I just installed one for a school with 1500 people. Each feature requires a license/subscription. You'll need AnyConnect VPN licenses if you want more than the 2 it comes with. If you want historical data you MUST have a VMware ESXi server to load the Cisco-created VM. No other virtual environment works. (Some have manipulated VirtualBox, but I personally don't trust that in production.) You use separate rules to direct traffic to the Firepower module. It's a VERY expensive and complex device for a 75-person business.

If I may make a suggestion, I personally suggest putting some money into a router or a decent layer 3 switch to take the load off the SonicWall to start. An HP 2930 (labeled Aruba now) may even do the job (no Cisco routing protocols, but most small businesses use static routes anyway). It is extremely easy to program. I think the Cisco 2960X switch is now offering similar routing as well (you could check). Let the SonicWall manage in and out traffic only. For the money of that ASA you could put a layer 3 switch in and route at each closet (and then buy a used car, lol), but it sounds like that's not necessary with 75 users and under 250 devices (I'm guessing). One layer 3 device should suffice. It would be your mixed core and distribution layer. You would plug your servers, Wi-Fi controller, phone system, etc. into it if you can; your backbone devices, basically. It would be a good start.

I'm not always brand-partial, but for non-network-engineer types or IT folks that don't have the opportunity to get good with the command line because they are so busy nowadays, HP's enterprise-grade ProCurve switches have a web GUI that's hard to beat. The 2920s, now called 2930s, have proven themselves very well in my opinion, especially for the price.

Edit: I also agree with the comment above. If you can move DHCP to a Windows server, that will give you more control and more insight. If your AD server isn't a dedicated AD server, you may run it from there. If you have an inside DNS server, that could be a good place as well, since your network's IP helpers go there already.
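As an added example, not taken from either answer or from Cisco's documentation, here is the ASA configuration that the two answers describe in prose: a tagged public Wi-Fi sub-interface on the same physical port as the production LAN, the ASA itself serving DHCP on the sub-interface and on the phone interface, and routing between the phone and production networks controlled by interface security levels and ACLs. Interface names, VLAN ID, addresses, security levels and the TFTP/DNS server addresses are all assumptions chosen for illustration.

```cisco
! Added example, not from the original page. All interface names,
! VLAN IDs, addresses and security levels below are assumptions.

! Production LAN (wired and staff wireless), untagged on the physical port
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Public Wi-Fi as an 802.1Q sub-interface of the same port. The "vlan"
! command sets the tag the ASA expects on this sub-interface. The low
! security level means guest-initiated flows toward inside or voice are
! dropped unless an ACL on this interface permits them.
interface GigabitEthernet1/2.20
 vlan 20
 nameif guest
 security-level 10
 ip address 192.168.20.1 255.255.255.0
!
! VoIP phones on the second physical interface
interface GigabitEthernet1/3
 nameif voice
 security-level 90
 ip address 192.168.30.1 255.255.255.0
!
! DHCP served by the ASA on the sub-interface. The interface address is
! handed out as the default gateway automatically. Public resolvers are
! assumed here so guests never need to reach an internal DNS server.
dhcpd address 192.168.20.50-192.168.20.200 guest
dhcpd dns 9.9.9.9 149.112.112.112 interface guest
dhcpd lease 3600 interface guest
dhcpd enable guest
!
! DHCP for the phone network. Option 150 (TFTP server list) is what
! Cisco IP phones request to find their configuration server; phones
! from other vendors may expect option 66 instead. Addresses assumed.
dhcpd address 192.168.30.50-192.168.30.200 voice
dhcpd dns 192.168.1.10 interface voice
dhcpd option 150 ip 192.168.1.20 interface voice
dhcpd lease 86400 interface voice
dhcpd enable voice
!
! Routing between voice and inside needs no static routes: both subnets
! are directly connected. Flows from the higher-security inside (100) to
! voice (90) pass by default and their return traffic is allowed by the
! state table; flows the phones initiate toward inside need an ACL on
! the voice interface. (If both interfaces were given the same level,
! "same-security-traffic permit inter-interface" would be required.)
access-list voice_in extended permit ip 192.168.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group voice_in in interface voice
!
! Guest: Internet only. Deny the private ranges before the final permit;
! DHCP and DNS to the ASA's own interface address are to-the-box traffic
! and are not subject to this ACL.
access-list guest_in extended deny ip any 192.168.0.0 255.255.0.0
access-list guest_in extended permit ip any any
access-group guest_in in interface guest
```

After applying this, "show dhcpd binding" lists leases handed out per interface, and "show access-list" shows hit counts on the guest deny line, which is the quickest check that the public Wi-Fi really is isolated from the production and phone networks.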