Should I upgrade my 2610?

 
 
Brett
 
      10-07-2004
Hi, Can I ask for your advice?

I am currently using a 2610. It has two WIC-1DSU-T1 cards in it. I use
the two T1s to connect my LAN to the Internet. In the near future, I
am looking at replacing the two T1s with a 10mb/s EFM connection to the
Internet. When I do that, I won't need the two t1 cards anymore. But
I will need to add a second ethernet port in order to route between my
LAN and the EFM modem.

I actually could use no router at all in this scenario, but I use the
Cisco for some pretty aggressive ACLs (I allow only a few protocols and
then DENY everything else).

Considering the speeds involved (routing between 10mb EFM and 100mb
LAN) and also considering that I'll have to buy a new ethernet card
anyway, should I be looking at buying a newer, faster router? Or
perhaps some kind of smart switch that could do the ACL work since I
actually don't have to route in this situation.
Any advice appreciated.

Brett

 
Walter Roberson
 
      10-07-2004
In article < .com>,
Brett <> wrote:
:I am currently using a 2610. It has two WIC-1DSU-T1 cards in it. I use
:the two T1s to connect my LAN to the Internet. In the near future, I
:am looking at replacing the two T1s with a 10mb/s EFM connection to the
:Internet.

:Considering the speeds involved (routing between 10mb EFM and 100mb
:LAN) and also considering that I'll have to buy a new ethernet card
:anyway, should I be looking at buying a newer, faster router? Or
:perhaps some kind of smart switch that could do the ACL work since I
:actually don't have to route in this situation.
:Any advice appreciated.

A 'smart switch' in your context would have to be a multilayer switch with
ACLs such as the 3550 or 3750. There are restrictions on the ACLs
for the 3550 and 3750 that could potentially be insufficient for your
purposes unless your ACL is very simple. (If it's more than a few lines
long then you could potentially run into the restrictions.)
The 3550 and 3570 are not exactly "cheap", and the router approach
might turn out to be less expensive.

The 2610 is rated as a maximum of 15K pps (64 byte packets), which is
also (in round numbers) the pps rate that would fill a 10 megabits/s
half duplex connection. If you want to be able to handle full duplex
flat out on the EFM, you should be considering a device that gets
closer to 30K pps. The 2620 and 2621 do 25K pps (75% of the maximum
possible load, if you were using it full duplex with minimum sized
packets only) so those could be considered. On the other hand, the
2620/2621 are not recommended by Cisco anymore: they suggest instead
the 2620XM or 2621XM, which are rated at 30K pps. A refurbished 2621XM
is about $US1800.

If you check for prices on 2620XM or 2621XM on some of the price
comparison sites, or if you google for prices on the devices, look very
carefully at the part number. Some of the devices that come up near the
top of the google search are 2621XM-DC which is DC powered instead of AC.
And some of the sites say "New" for the devices but give a part number
that includes -RF : the RF stands for "refurbished"!

The part numbers for the various 26xx devices and their option cards can
be found near the bottom of this page:

http://www.cisco.com/en/US/products/...d800fa5be.html


You mention that your LAN is 100 megabits/s. If you are thinking of
having the new device do LAN routing (such as between VLANs or between
multiple subnets), then if you expect the device to route at wirespeed,
you should be considering at least a 3660 (120K pps, which is 80% of
the 148K pps possible on a 100 megabit half duplex link) and possibly
higher. But by then you might have gotten into the price range where
a switch would make more sense for you, if you can live with the
ACL restrictions of the switches.
--
Preposterous!! Where would all the calculators go?!
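The line-rate arithmetic behind the figures in the post above, as an added example that is not part of the original thread. It assumes standard Ethernet framing (8 bytes of preamble and 12 byte times of inter-frame gap around each frame) and takes the pps ratings exactly as quoted in the post; the function names are illustrative.

```python
import math

PREAMBLE_SFD = 8      # bytes on the wire before every frame
INTERFRAME_GAP = 12   # minimum idle time between frames, in byte times
MIN_FRAME = 64        # smallest legal Ethernet frame

# Ratings quoted in the post above (64-byte packets), in packets per second.
RATED_PPS = {"2610": 15_000, "2620/2621": 25_000,
             "2620XM/2621XM": 30_000, "3660": 120_000}

def line_rate_pps(link_bps, frame_bytes=MIN_FRAME, full_duplex=False):
    """Packets per second needed to keep a link full at one frame size."""
    wire_bits = (frame_bytes + PREAMBLE_SFD + INTERFRAME_GAP) * 8
    return link_bps / wire_bits * (2 if full_duplex else 1)

def headroom(model, link_bps, full_duplex=False):
    """Rated pps as a fraction of worst-case (minimum-size frame) line rate."""
    return RATED_PPS[model] / line_rate_pps(link_bps, MIN_FRAME, full_duplex)

def min_frame_at_line_rate(model, link_bps, full_duplex=False):
    """Smallest frame size at which the model can still keep the link full."""
    directions = 2 if full_duplex else 1
    overhead = PREAMBLE_SFD + INTERFRAME_GAP
    needed = math.ceil(directions * link_bps / (8 * RATED_PPS[model]) - overhead)
    return max(MIN_FRAME, needed)

def report(link_bps):
    """(model, half-duplex headroom, full-duplex headroom, full-duplex frame floor)."""
    return [(m, round(headroom(m, link_bps), 2), round(headroom(m, link_bps, True), 2),
             min_frame_at_line_rate(m, link_bps, True)) for m in RATED_PPS]

if __name__ == "__main__":
    for row in report(10_000_000):
        print("%-14s half=%.2f full=%.2f line rate from %d-byte frames" % row)
```

A headroom below 1.0 means a stream of minimum-size packets can exceed the rated forwarding rate before the link itself is full, which is the case that matters when the box is also the ACL enforcement point.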
 
Brett
 
      10-08-2004
Thank you very much, Walter. Can you elaborate on what the ACL
restrictions are exactly? (Or point me to an article about it?). What
kind of ACL is the switch not able to do? My ACL list currently
consists of 60 PERMIT statements which explicitly allow certain outside
hosts or protocols to connect to certain servers on my network. I then
end the ACLs with a "DENY IP any any log" sending the results to a
syslog server. Can the switches you mention handle ACLs like that?

 
 
Walter Roberson
 
      10-08-2004
In article < .com>,
Brett <> wrote:
:Can you elaborate on what the ACL
:restrictions are exactly? (Or point me to an article about it?).

On the 3550:
http://www.cisco.com/warp/public/473/145.html
http://www.cisco.com/en/US/products/...080211cd8.html

The 3550 tries to handle security in hardware, but the hardware has
limited resources. These resources are more likely to be exhausted
if you want to configure router ACLs together with VLAN maps, or
if you want your router ACLs to have layer 4 information.

You can use both router ACLs and VLAN maps on the same switch.
However, you cannot use port ACLs on a switch that contains input
router ACLs or VLAN maps.

[...]

The switch hardware provides one lookup for security ACLs for each
direction (input and output); therefore, you must merge a router
ACL and a VLAN map when they are configured on the same VLAN.
Merging the router ACL with the VLAN map might significantly
increase the number of ACEs.

Similar issues apply to the 3750:
http://www.cisco.com/en/US/products/...801e7bb9.shtml

Since the Catalyst 3750 allows only one ACL lookup per ingress or
egress traffic direction, security ACLs, VACLs, and RACLs need to
be merged into one compiled ACL in the TCAM.


Some of the other restrictions I was thinking of might perhaps
apply only to the 2950, eg. "system defined masks" and "user defined masks".
http://www.cisco.com/en/US/products/...08007ebdb.html
--
Aleph sub {Aleph sub null} little, Aleph sub {Aleph sub one} little,
Aleph sub {Aleph sub two} little infinities...
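Why merging a router ACL with a VLAN map can multiply the ACE count, as an added example that is not part of the original thread and is not Cisco's merge algorithm. It is a simplified model: each ACE matches on source, destination, protocol and destination port, and a single-lookup list is built by intersecting every router ACE with every VLAN map entry in order. The `Ace` class, the addresses and the VLAN map are constructed for illustration; only the shape of the router ACL (60 permits, then a deny) comes from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product
from typing import Optional

DISJOINT = object()  # marker: the two values share no packets

@dataclass(frozen=True)
class Ace:
    permit: bool
    src: str                      # CIDR; "0.0.0.0/0" means any
    dst: str
    proto: str = "ip"             # "ip" matches every protocol
    dport: Optional[int] = None   # None matches every port

def _net(a, b):
    """Narrower of two CIDR blocks, or DISJOINT when they do not overlap."""
    na, nb = ip_network(a), ip_network(b)
    return a if na.subnet_of(nb) else b if nb.subnet_of(na) else DISJOINT

def _field(a, b, wildcard):
    return b if a == wildcard else a if b in (wildcard, a) else DISJOINT

def intersect(a, b):
    """ACE matching exactly the packets that both a and b match, or None."""
    f = (_net(a.src, b.src), _net(a.dst, b.dst),
         _field(a.proto, b.proto, "ip"), _field(a.dport, b.dport, None))
    if any(x is DISJOINT for x in f):
        return None
    return Ace(a.permit and b.permit, *f)

def merge(router_acl, vlan_map):
    """One first-match list equivalent to checking both lists in turn."""
    return [m for a, b in product(router_acl, vlan_map) if (m := intersect(a, b))]

def decide(acl, pkt):
    """First-match result for pkt = (src, dst, proto, dport); implicit deny."""
    src, dst, proto, dport = pkt
    for ace in acl:
        if (ip_address(src) in ip_network(ace.src) and ip_address(dst) in ip_network(ace.dst)
                and ace.proto in ("ip", proto) and ace.dport in (None, dport)):
            return ace.permit
    return False

# Constructed sample: 60 permits and a final deny as in the thread; the VLAN map is invented.
ROUTER_ACL = [Ace(True, "0.0.0.0/0", f"192.0.2.{i}/32", "tcp", 25) for i in range(1, 61)]
ROUTER_ACL.append(Ace(False, "0.0.0.0/0", "0.0.0.0/0"))
VLAN_MAP = [Ace(False, "198.51.100.0/24", "0.0.0.0/0"),
            Ace(True, "0.0.0.0/0", "192.0.2.0/27", "tcp"),
            Ace(False, "0.0.0.0/0", "0.0.0.0/0")]
```

With this sample, `merge(ROUTER_ACL, VLAN_MAP)` turns 61 + 3 entries into 154, and `decide` on the merged list gives the same verdict as checking both lists separately.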
 
 
Erik Tamminga
 
      10-09-2004
Hi Brett,

Why not use a firewall? A Pix506e will do the job just fine. A Pix cannot do
"internal" routing, so just keep the existing router for that.

Erik

"Brett" <> wrote in message
news: oups.com...
> Thank you very much, Walter. Can you elaborate on what the ACL
> restrictions are exactly? (Or point me to an article about it?). What
> kind of ACL is the switch not able to do? My ACL list currently
> consists of 60 PERMIT statements which explicitly allow certain outside
> hosts or protocols to connect to certain servers on my network. I then
> end the ACLs with a "DENY IP any any log" sending the results to a
> syslog server. Can the switches you mention handle ACLs like that?
>



 
 
mh
 
      10-10-2004
Check out the new Cisco 2800 series routers.

They have faster processors, a lot more memory, onboard acceleration
for encryption, USB ports and take most of the existing 2600 NMs and
WICS.

The product manager stated that IOS and PIX feature sets will be
aligned over time.
 
 
Rob
 
      10-11-2004
I second this. They are looking to be the killer product.

Robert




On 10 Oct 2004 07:27:11 -0700, (mh) wrote:

>Check out the new Cisco 2800 series routers.
>
>They have faster processors, a lot more memory, onboard acceleration
>for encryption, USB ports and take most of the existing 2600 NMs and
>WICS.
>
>The product manager stated that IOS and PIX feature sets will be
>aligned over time.


 