#1
|
We have a small network here that we are planning to redesign, so we want to take advantage of some new hardware that wasn't here when first set up. The LAN itself is mostly gigabit over copper with some 802.11a/b and 100mbit on the internet portions of the LAN.

A diagram of our network can be found at http://www.csd.ca/Network.jpg (220KB) (don't laugh - I'd love to have a proper network diagram.)

The SMC router on our internet server can do port forwarding, but not translation. The load here is very light, used mostly for FTP access to maintain documents when not on site. The main functions of our routers are NAT and firewalling (closing unused ports).

We're considering picking up a dual WAN router to boost the throughput for client surfing as well and make more bandwidth available for the internet services when load gets high. The device we're considering does NAT, NAPT (port translation), load balancing, up to eight IP addresses per WAN port. Before we do this we want to know what we can do with what we have.

The 2610 router and 1912 switch are part of a study lab right now so we can't use them. The 1720 router is idle at the moment. Some details about this router:

- IOS Image is named: c1700-y-mz.121-8c
- There is a T1-DSU WIC installed.
- Second WIC slot is empty.

So... by adding the 1720 to our network, will we gain anything? Can the 1720 support multiple IP addresses on the T1-DSU WIC? Can I do port forwarding or port translation on the 1720 (traffic coming in on the WIC on port 21 translated to a different port on the Fast Ethernet port?)

Comments? Suggestions?

Lerner
#2
Here's a diagram of what we were considering.
http://www.csd.ca/Proposed.jpg (209KB)

Would adding another WIC to the 1720 let us use it as a dual WAN router? Will it provide the same functionality as a Hawking H2WR54G dual WAN router? (minus the 802.11g of course) Forgetting dual WAN, would the 1720 perform the same job?

"Lerner" <postmaster@127.0.0.1> wrote in message news:2oybd.738872$gE.568288@pd7tw3no...
> We have a small network here that we are planning to redesign, so we want to
> take advantage of some new hardware that wasn't here when first set up. The
> LAN itself is mostly gigabit over copper with some 802.11a/b and 100mbit on
> the internet portions of the LAN.
>
> A diagram of our network can be found at
> http://www.csd.ca/Network.jpg (220KB) (don't laugh - I'd love to have a
> proper network diagram.)
<snip>
> The 2610 router and 1912 switch are part of a study lab right now so we
> can't use them. The 1720 router is idle at the moment. Some details about
> this router:
>
> - IOS Image is named: c1700-y-mz.121-8c
> - There is a T1-DSU WIC installed.
> - Second WIC slot is empty.
>
> So... by adding the 1720 to our network, will we gain anything? Can the 1720
> support multiple IP addresses on the T1-DSU WIC? Can I do port forwarding or
> port translation on the 1720 (traffic coming in on the WIC on port 21
> translated to a different port on the Fast Ethernet port?)
>
> Comments? Suggestions?

Lerner
#3
In article <2oybd.738872$gE.568288@pd7tw3no>,
Lerner <postmaster@127.0.0.1> wrote:

:So... by adding the 1720 to our network, will we gain anything? Can the 1720
:support multiple IP addresses on the T1-DSU WIC?

Yes, but you wouldn't gain any throughput unless the T1 is channelized.

But maybe I'm misunderstanding your question. Are you asking whether the 1720 would be able to support NAT and PAT (aka NATP and "NAT overload") with multiple public IPs, with the traffic to be sent down the T1? If so, looking through the features supported in the image you named (c1700-y-mz.121-8c), the answer looks to be that it would support both one-to-one address translation and PAT/NATP.

:Can I do port forwarding or
:translated to a different port on the Fast Ethernet port?)

It appears to me that that release likely does not support that feature. The documentation is inconsistent on this point, so I am not certain. The feature did not exist in 12.0, and the next documented change to NAT facilities was in 12.2(4)T, which introduced a feature built upon port forwarding, which implies that port forwarding already existed. My search of the Cisco technical documents did not find any 12.1* documents mentioning port forwarding; but it could be the case that the feature was introduced sometime in 12.1T under different phrasing -- I didn't go and read the various 12.1* reference manuals to hunt for this possibility. I can say, though, that it would be unusual (but not unheard of) for Cisco to introduce a feature into 12.1T and migrate it to base 12.1 as early as a ( release: maybe by (15) or (20) or in a specialized X or Z series release, but the rule of thumb is that new features are introduced in the T series stream, and are -usually- not migrated to the base stream until the next dot release (e.g., a new feature in 12.1T would appear in base 12.2).

You did not specifically mention security as such, but you should be advised that the release of IOS you have for that device does not support the Firewall features, so security is limited to static ACLs and "reflexive acls" (which allow for some limited stateful packet inspection.)
http://www.cisco.com/univercd/cc/td/...tm#xtocid87130

Your release, 12.1(8c), has a known security risk, so you are entitled to a free upgrade, to 12.1(16) it looks like. However, 12.1(16) has no new features relative to 12.1(8c), just bug fixes. For information on getting the free upgrade, please see
http://www.cisco.com/en/US/products/...800b13d9.shtml

:We're considering picking up a dual WAN router to boost the throughput for
:client surfing as well and make more bandwidth available for the internet
:services when load gets high.

That will likely only work for you if you have support for it from the far end (i.e., your ISP(s)). The 1720 by itself can, in that release, do some forms of load balancing to multiple WAN interfaces, but the reply packets from the far end are not going to know that either route is acceptable, and so the replies are all going to come back through a single WAN, unless you arrange inward load balancing with your ISP(s).

There are several different load balancing mechanisms available with that release on that platform. Multilink PPP bundling is supported (but requires that the other end know you are running multilink PPP.) DLSw+ Enhanced Load Balancing is supported and does not require any configuration on the other end to support outward load balancing, but it was designed in the context of "circuits". You might be able to use EIGRP for outward load balancing; I do not know if the load balancing facilities of EIGRP were present in 12.1(8c). There may be other choices as well.

If your multiple links are to be via different ISPs, then to set up inward load balancing properly you would, at a minimum, have to make BGP arrangements with the ISPs. If your multiple links are to be with the same ISP, then you would need them to configure one of the load balancing features on their end, such as Multilink PPP or EIGRP load balancing.

There is a "poor-man's" approach to load balancing that involves NAT'ing the source IP of outgoing flows according to the interface the flow is to be sent to (per-packet won't work for this; you'd need per-destination balancing.) Your image does support policy based routing (PBR), and you could probably route to 'loopback' interfaces that performed the NAT itself before passing the packet on. Your router does support PAT, so you likely -could- implement this mechanism for outgoing connections. This mechanism does not really share the load equally between the two links, as it is seldom the case that traffic initiators and traffic destinations are both uniformly randomly distributed -- chances are that you would find one link used noticeably more than the other, as typically a small subset of users will use the majority of the bandwidth and will tend to be mostly using a relatively small number of sites. But it's worth trying, and you would likely have the flexibility to smooth out the imbalances by changing the MAC or IP address of selected users.

--
millihamlet: the average coherency of prose created by a single monkey typing randomly on a keyboard. Usenet postings may be rated in mHl.
-- Walter Roberson
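What "static ACLs plus reflexive ACLs" with NAT overload looks like on the 1720, as an added example (constructed for this thread, not the poster's configuration and not taken from Cisco documentation). It assumes the T1 WIC is Serial0 with a /30 toward the ISP, the LAN is on FastEthernet0, the FTP document server is 192.168.1.10, and the ISP routes the documentation block 203.0.113.16/28 to the router; every name and address is an assumption.

```cisco
! Added example, not from the thread. Interface names, addresses and the
! FTP server host are assumptions (RFC 5737 documentation ranges).
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!
! Sessions leaving the LAN are permitted and each one is recorded as a
! temporary reflexive entry that expires after the given idle timeout.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCPREFL timeout 300
 permit udp any any reflect UDPREFL timeout 60
 permit icmp any any reflect ICMPREFL
!
! Inbound on the T1: only the FTP control port on the server's public
! address, plus replies that match a reflexive entry made by OUTBOUND.
! Everything else is denied and logged, which is the "closing unused
! ports" role of the router, with a record of what was refused.
ip access-list extended INBOUND
 permit tcp any host 203.0.113.17 eq 21
 evaluate TCPREFL
 evaluate UDPREFL
 evaluate ICMPREFL
 deny ip any any log
!
! PAT ("NAT overload"): the whole LAN shares the Serial0 address outbound.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Serial0 overload
!
! One-to-one translation so inbound FTP reaches the document server on a
! second public address from the routed block (the "multiple IPs on the
! T1" case). The port-specific static form is deliberately not used here,
! since the thread is unsure that this release supports it.
ip nat inside source static 192.168.1.10 203.0.113.17
```

Reflexive entries only track sessions the LAN initiates, so the data channel of a remote FTP client in passive mode (opened inbound to a high port on the server) matches neither the port-21 permit nor any reflexive entry and needs its own inbound permit for the server's passive port range; that gap is the "limited" part of the stateful inspection the post mentions.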
#4
In article <n9Abd.101220$a41.16945@pd7tw2no>,
Lerner <postmaster@127.0.0.1> wrote:

:Would adding another WIC to the 1720 let us use it as a dual WAN router?
:Will it provide the same functionality as a Hawking H2WR54G dual WAN
:router? (minus the 802.11g of course) Forgetting dual WAN, would the 1720

No, the H2WR54G has stateful packet inspection (SPI), protection against DoS attacks, and VPN pass-through, which the 1720 image you have does not have. You could purchase an IOS upgrade to add those features to the 1720, but the price of the upgrade is potentially higher than the cost of the H2WR54G.

The H2WR54G claims a throughput of 50 Mbps. The performance spec for the 1720 is in a different measure which should not really be compared against a Mbps rating without an understanding of the uncertainties involved. The 1720 rating is 8400 packets per second (pps) of 64 byte packets. 64 byte packets are the shortest valid IP packets, and so indicate how quickly a router can forward a packet before the next packet arrives. There is a close-to-constant overhead per packet due to examination of IP headers, packet CRC calculations and routing table lookups: making a packet longer affects only the linear-time CRC calculation (which is often done in hardware in parallel with the packet arriving.) Thus, although the 8400 pps at first glance would imply only 8,400 * (64+20) * 8 = 5,644,800 bits per second of throughput, the 1720 could probably handle close to 8400 maximum length packets per second, which would be 8,400 * (1520+20) * 8 bits per second, which is just over 100 megabits per second -- twice the rated speed of the H2WR54G. But ~100 megabits per second should be recognized as an interpolation instead of a measured quantity: we don't really have enough information at hand to know what the maximum throughput of maximum length packets would be.

Hawking's WWW site is missing the manual for the H2WR54G, but it does have the manual for the H2BR4 dual WAN firewall, which we would expect to be very similar in its dual WAN facilities. Unfortunately, the manual for the H2BR4 is rather lacking in specifics of how the Hawking dual WAN devices handle load balancing. There is an adjustable traffic ratio setting, which is useful if the two WANs are different speeds or different costs per byte. The claim in the H2BR4 documentation is that the unit load balances on both sending and receiving. I can see how it could load balance on sending (through the NAT mechanism I described in the previous posting), but I have difficulty in figuring how it could possibly be doing *incoming* load balancing without the cooperation of the other end.

I am particularly suspicious of the claim in the H2BR4 documentation that when one WAN is detected as down and the unit falls over to using solely the other WAN, that "the intranet users will not notice" any interruption. Any NAT-based approach to load balancing has the disadvantage of dropping all current TCP connections when failing over to fewer active WAN interfaces: one can't simply start NAT'ing the stream through a different IP address range because TCP connections work based upon the (source IP, destination port, TCP sequence number) triple, and if one suddenly switches IP addresses in mid connection, although the sequence number and destination port number may match some connection, the source IP would have changed and the packet will not be recognized as being part of the previous connection. If you need to avoid dropping the active TCP connections when one of the WAN interfaces fails, then if one is using distinct ISPs, one *must* arrange a strong routing protocol such as BGP with all the ISPs involved.

--
Take care in opening this message: My grasp on reality may have shaken loose during transmission!
Walter Roberson