Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Wi-Fi Router Charts

Click for Wi-Fi Router Charts

Mesh System Charts

Click for Wi-Fi Mesh System Charts


The ISA550W has a zone-based firewall. Note that the firewall functions in the ISA550W do not require the annual license as discussed in the security section.

Predefined zones include the LAN, WAN, DMZ, VPN, SSLVPN, GUEST, and VOICE zones. Additional zones can be created in the Networking menu. Each zone is assigned a trust level from 0 (Untrusted) to 100 (Trusted). Interfaces or VLANs are then assigned to a zone.

Firewall rules, or Access Control Lists, can be created to permit or deny traffic based on source and destination zone, traffic type, source and destination IP or MAC addresses. In the below example, I created a simple rule to deny all HTTP traffic going through the ISA550W. It worked as expected, no one was able to access web sites while this rule was in place.

Firewall ACL Rules

Firewall ACL Rules

Multiple options exist for Network Address Translation as well. By default, the ISA550W will perform Dynamic PAT (Port Address Translation) out the WAN interfaces. PAT is what most of us think of when we think of NAT. Static NAT rules, Port Forwarding, Port Triggering, and complex NAT rules can also be created to manage traffic source and destination addresses as traffic passes through the router.

If you're not going to use the Web Reputation and URL Filtering feature, you can set up simple firewall rules to block up to 32 websites or keywords and apply them by zone. You can also enable an Application Layer Gateway feature to manipulate traffic headers on SIP, H.323, and FTP traffic.

Other protections in the ISA550W firewall include protection against TCP and UDP flooding and DoS attacks. Session limits can be set to limit the total number of traffic flows on the router, with a maximum limit of 60,000 connections.

Routing Performance

Routing performance for the ISA550W, loaded with firmware and using our standard test method, is summarized in Table 3. We had to create Advanced NAT and firewall rules to allow all services from WAN to LAN test clients and disable Firewall > Attack Protection > Block UDP Flood to run Max Session test.

With just the firewall enabled, Cisco rates the ISA550W at 200 Mbps. As you can see from Table 3, the ISA550W meets or exceeds that rating.

Test Description ISA550W
WAN - LAN 200.2
LAN - WAN 255.0
Total Simultaneous 252.2
Maximum Simultaneous Connections 34925
Firmware Version
Table 3: Routing throughput

The above measurements were performed with only the firewall on the ISA550W enabled. UTM security features such as IPS and anti-virus reduce throughput significantly. With IPS enabled, Cisco rates the ISA550W as capable of 60 Mbps throughput. With all UTM features enabled, Cisco rates the ISA550W at 45 Mbps.

Using the same Iperf methodology I described in the VPN section, I measured the ISA550W throughput with its security features disabled and enabled. Average throughput on the ISA550W with all UTM features disabled was 153 Mbps. Average throughput on the ISA550W with IPS enabled was 47.3 Mpbs. Average throughput on the ISA550W with all UTM features enabled was 44.5Mpbs.

In Table 4, I've compared the Cisco ISA550W throughput with the UTM features on and off to previous UTM devices I've reviewed, including the SonicWall TZ100W and the Zyxel USG100. As you can see, the Cisco ISA550 produces much higher throughput.

Router UTM On (Mbps) UTM Off (Mbps)
Cisco ISA550W 44.5 153
SonicWall TZ100W 31.3 78.2
Zyxel USG100 16.5 82.5
Table 4: UTM On / Off Throughput Comparison

Wireless Performance

All testing was performed with firmware using our standard test process, which uses Channel 1 for 2.4 GHz tests. The test client was our standard Intel Centrino Ultimate-N 6300 with Win7 driver.

The ISA550W is Wi-Fi Certified and defaults to auto channel selection and auto 20/40Mhz mode on startup. It also defaults to no wireless security set and WPS disabled. After setting WPA2/AES security and enabling WPS, the client did not prompt for WPS session upon first association, however. So we manually set up WPA2/AES for our test client for all wireless testing.

We did not test to see if the ISA550W obeyed 40 MHz coexistence rules or Fat Channel Intolerant bit enable.

Benchmark Summary

Benchmark Summary

I ran a simple comparison of overall average performance by filtering the charts for single-band routers only for the 20 MHz mode wireless benchmark. (The charts have been trimmed for space reasons.)

Overall 2.4 GHz downlink performance comparison

Overall 2.4 GHz downlink performance comparison

The charts above for downlink and below for uplink show the ISA550W in second and third place, respectively. This is impressive, especially considering that the wireless integrated into many security-focused appliances usually seems like an afterthought with middling performance.

Overall 2.4 GHz uplink performance comparison

Overall 2.4 GHz uplink performance comparison

Closing Thoughts

Cisco ISA500 series devices can be purchased on line with a 1 or 3 year warranty, support and UTM license. Table 5 shows pricing as listed on as I write this.

Model 1 year 3 year
ISA550 $272 $398
ISA550W $323 $434
ISA570 $485 $742
ISA570W $578 $794
Table 5: Cost comparison, 1 and 3 year licenses

Specifically for the ISA550W, if you purchase it with a 1 year contract, you can extend just the support contract to 3 years for $69, which covers technical support and firmware upgrades. Extending the license for the UTM security features will run $187 for a 1 year term or $352 for a 3 year term. Similar pricing applies to the other models.

I tested a SonicWall TZ100W UTM device back in 2009, and was impressed with its throughput at the time. However, the TZ100W I tested in 2009 doesn’t have the speed of today’s ISA550W. Based on specs, SonicWall’s TZ200W is a more apples-apples competitor for the ISA550W. The TZ200W and ISA550W have very similar VPN and UTM specs, but the ISA550W has a higher firewall throughput rating (200 Mbps vs. 100 Mbps). Moreover, shows the TZ200W at $459, over $125 more than the ISA550W.

From a performance standpoint, the ISA550W is quite impressive. VPN, routing and wireless throughput on the ISA550W are all quite respectable. It would be nice if configuration performance were a little faster. But it's better to have fast network throughput than a quick configuration menu.

From a security standpoint, the ISA550W has Cisco's SIO team and 1.6 million other devices around the world providing it with the latest protections and updates. Alltogether, the Cisco ISA550W makes a pretty solid argument to be your Unified Threat Management device.

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Don't Miss These

  • 1
  • 2