I put together this feature summary from the ISA500 series data sheet.
Zone Based Firewall
The ISA550W has seven 10/100/1000 Ethernet ports. One of the ports must be a WAN port and two ports must be LAN ports. The other four ports are configurable as either LAN, WAN, or DMZ ports.
The four configurable ports default to LAN ports. As a LAN port, each can be configured as an access or trunk port. As an access port, it can be assigned to a single VLAN. As a trunk port, it supports 802.1q VLAN tagging. Up to 16 VLANs are supported on the ISA550W. Further, a unique DHCP server can be created for each VLAN.
As a test, I added VLAN33 on the ISA550W and enabled the DHCP server for that VLAN to provide addresses in the 192.168.33.0/24 subnet. I configured port 6 on the ISA550W as an 802.1q trunk port as a member of VLAN1 and VLAN33, and connected port 6 to a similarly configured 802.1q trunk port on a NETGEAR GS108T switch. The test was successful. PCs on VLAN1 access ports got IP addresses from VLAN1 and PCs on VLAN33 access ports got IP addresses from VLAN33.
The networking status screen below shows port 6 is configured as a trunk and is a member of VLAN 1 and 33.
Cisco ISA550W dashboard showing VLAN and Trunking
Any one (but only one) of the four configurable ports can be configured as an additional WAN port, making the ISA550W a dual WAN router. The screenshot above shows port 1 and port 7 are configured as WAN ports.
The default dual WAN configuration is a 50-50 traffic distribution between the two WAN ports. Load balancing over dual WAN ports on the ISA550W can be adjusted by allocating different percentages of traffic to each port, by distributing traffic based on link bandwidth, by setting one interface as primary and the other as secondary, or by policy-based routing. Traffic can also be metered on each WAN port if you're connected to an ISP that limits bandwidth consumption.
I tested dual WAN functionality by making port 1 primary and port 7 secondary and left all other settings at default. I then set up a continuous ping to the Internet and disconnected port 1. With the default settings, it took the ISA550W about 45 seconds to failover to port 7. After setting the failover timers to their lowest values, it took the ISA550W only about 10 seconds to failover to port 7. Failback to port 1 in both cases was within 10 seconds.
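To put a number on a failover test like the one above, here is an added script (not from the review and not Cisco's) that parses the output of a continuous ping and reports how long replies stopped. The ping lines embedded in it are constructed, and a one-second probe interval is assumed.

```python
import re
from typing import List, Tuple

# Two common ping output styles: a Linux/BSD reply line and a macOS-style explicit timeout line.
REPLY_RE = re.compile(r"icmp_seq=(\d+)\b.*\btime=([\d.]+) ms")
TIMEOUT_RE = re.compile(r"Request timeout for icmp_seq (\d+)")


def outages(ping_output: str, interval: float = 1.0) -> List[Tuple[int, int, float]]:
    """Return (first_lost_seq, last_lost_seq, seconds) for each run of unanswered probes.

    Linux ping prints nothing for a missed reply, so a gap in sequence numbers counts
    as loss; explicit "Request timeout" lines are treated the same way.
    """
    answered = set()
    seen = set()
    for line in ping_output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            seq = int(m.group(1))
            answered.add(seq)
            seen.add(seq)
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            seen.add(int(m.group(1)))
    if not seen:
        return []
    lost = [s for s in range(min(seen), max(seen) + 1) if s not in answered]
    runs: List[List[int]] = []
    for s in lost:
        if runs and runs[-1][1] == s - 1:
            runs[-1][1] = s          # extend the current run of lost probes
        else:
            runs.append([s, s])      # start a new run
    return [(a, b, (b - a + 1) * interval) for a, b in runs]


def worst_outage(ping_output: str, interval: float = 1.0) -> float:
    """Longest stretch without replies, in seconds (0.0 if none)."""
    return max((secs for _, _, secs in outages(ping_output, interval)), default=0.0)


# Constructed sample: replies for seq 1-4, silence for seq 5-49 (primary WAN unplugged),
# replies resume at seq 50 once the secondary WAN takes over.
SAMPLE = "\n".join(
    [f"64 bytes from 8.8.8.8: icmp_seq={i} ttl=117 time=12.{i} ms" for i in range(1, 5)]
    + [f"64 bytes from 8.8.8.8: icmp_seq={i} ttl=117 time=14.{i % 10} ms" for i in range(50, 56)]
)

if __name__ == "__main__":
    for first, last, secs in outages(SAMPLE):
        print(f"seq {first}-{last}: ~{secs:.0f} s without replies")
```

Pipe a saved `ping` capture into `outages()` to compare failover and failback times across timer settings.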
Policy-based routing is a neat way to distribute traffic over dual WAN ports. For example, SIP based VoIP traffic could be routed over one WAN port, while all other traffic could be routed over the other WAN port to minimize bandwidth congestion for VoIP traffic.
Quality of Service (QoS) options are available for the WAN, LAN, and Wireless interfaces and can be applied to both uplink and downlink traffic. On the WAN interfaces, traffic can be queued using strict priority (SP), weighted round robin (WRR), or low latency queuing (LLQ) methods. Both source and destination traffic types can be classified with either a DSCP or CoS value, and then assigned to one of the priority queues. The screenshot below shows where you enable QoS by interface.
Cisco ISA550W QoS enables
WAN QoS configuration is a multi-step process. The steps include setting the uplink bandwidth of your WAN interface(s) and choosing a queuing method. SP queuing is good for voice, but may delay (“starve”) data traffic too much. WRR queuing is good for data, but may not provide enough priority for voice. LLQ queuing allows you to reserve bandwidth for a specific traffic type and specify queue priorities for remaining traffic.
With bandwidth and queuing selected, the remaining steps are 1) create traffic classification selectors to identify which traffic is to be prioritized; 2) create a policy and rule to apply the priority to specific uplink or downlink traffic; and 3) apply that rule to a WAN interface. There are 53 predefined traffic types, and more can be added based on protocol and port. One rule can be applied to each WAN interface in both the uplink and downlink direction. The ISA manual provides a nice example of how to configure Voice QoS for both uplink and downlink traffic.
On the LAN interfaces, traffic can be queued using strict priority, weighted round robin, or both. On both the LAN and Wireless interfaces, traffic can be classified with either CoS or DSCP markings. QoS for LAN traffic is then applied by queuing egress (outbound) traffic to either the wired or wireless interfaces.
Additional network options to mention include support for IPv6, port mirroring, port-based access control, IGMP, and VRRP. Finally, there are numerous network reporting options, including reports on traffic statistics, usage, and WAN bandwidth utilization. The screenshot below shows traffic statistics by port on the ISA550W.