A question from a first-time Cisco buyer

Discussion in 'Cisco' started by Al Dykes, Oct 25, 2003.

  1. Al Dykes

    Al Dykes Guest

    I've never worked with Cisco before, not that I have anything against
    it, I've always seen Cisco high-end products including PIX firewalls
    used that were way overkill for the type of work I do.

    I'm working up a project proposal for someone that is predisposed to
    Cisco. We need the usual router/firewall for the internet feed for a
    100+ desk office, so I read the Cisco web site and found that Cisco has
    a firewall feature for IOS and I got the following quote. The price
    is reasonable and I like the all-in-one box.

    CISCO 2611XM DUAL 10/100 ENET ROUTER 1819.16 1819.16
    CISCO E-SMARTNET 8X5XNBD CAT5 418.48 418.48
    CISCO 1700/2600/3600 1PT-T1 DSU/CSU 725.30 725.30
    CISCO 2600 IP/FW FEATURE PK 386.25 386.25

    CISCO E-SMARTNET 24X7X4 CAT5 CSV-CON-SNTP-PKG5 659.57

    I have a couple of questions

    1) Do any PC software tools to manage this box come with it ?
    2) I expect to get a modem and hang it on the serial port for
    remote control. Is there anything I should know to do this ?
    3) How does the IOS Firewall functionality compare to other firewalls.


    I'd welcome any comments about this configuration

    Thanks
     
    Al Dykes, Oct 25, 2003
    #1

  2. Walter Roberson

    Walter Roberson Guest

    :I'm working up a project proposal for someone that is predisposed to
    :Cisco. We need the usual router/firewall for the internet feed for a
    :100+ desk office, so I read the Cisco web site and found that Cisco has
    :a firewall feature for IOS and I got the following quote. The price
    :is reasonable and I like the all-in-one box.

    : CISCO 2611XM DUAL 10/100 ENET ROUTER 1819.16 1819.16
    : CISCO E-SMARTNET 8X5XNBD CAT5 418.48 418.48
    : CISCO 1700/2600/3600 1PT-T1 DSU/CSU 725.30 725.30
    : CISCO 2600 IP/FW FEATURE PK 386.25 386.25
    : CISCO E-SMARTNET 24X7X4 CAT5 CSV-CON-SNTP-PKG5 659.57

    Caution: the IP/FW Feature PK does not include IPSec.

    Also, the IP/FW Feature PK does not apply to IOS version 12.3
    or later [i.e., the current IOS version] for the 2600 XM series: for
    12.3 onwards, you need the Advanced Security Package. The list price
    of Advanced Security is $US1000 for the 2600XM series, according to
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/prod_bulletin09186a00801af451.html

    Considering the price of Advanced Security, I would suggest you
    consider a PIX 506E bundle, Cisco part PIX-506E-BUN-K9; those are
    currently just a little less than $US900 at the lowest street price.
    Then you don't have to worry about the firewall features overloading
    the CPU on the 2611XM. The CPU on the 2611XM is only a 40 MHz MPC860P.
    http://www.cisco.com/en/US/products...ducts_user_guide_chapter09186a008019aa1e.html

    3DES in particular is pretty expensive computationally, so if you
    think you might be wanting VPN then the 506E makes a lot more sense
    for performance.

    A summary of resource limits for the various PIX firewalls can be
    found at my list at
    http://www.ibd.nrc.ca/~roberson/cisco_pix_models.txt


    :I have a couple of questions

    :1) Do any PC software tools to manage this box come with it ?

    I -believe- so, especially by 12.3. But what exactly do you mean
    by "manage"? Do you mean "Is there a configuration GUI suitable for
    keeping people from having to learn much about the command line
    interface" ?


    :2) I expect to get a modem and hang it on the serial port for
    : remote control. Is there anything I should know to do this ?

    Just the usual modem concerns -- make sure you have a password,
    consider using a dial-back system, watch out for cheap modems that
    might get wedged when you disconnect. The kind of modem you would
    buy for a situation in which you can call up someone by phone and
    say "Joe, could you power-cycle the modem again?!" is different than
    what you would get for a stand-alone operation where getting through
    quickly in the middle of the night might be important.


    :3) How does the IOS Firewall functionality compare to other firewalls.

    It's not bad, as far as I can see. But you should know the following
    tidbits in comparison to some of the competitors:

    - You need different subnets on every interface. IOS FW will not act
    as a "filter" on a line: it only makes firewall decisions in conjunction
    with -routing- of packets

    - IOS FW has *no* mandatory yearly maint fee; if you don't want to buy
    support, you can just keep running with the release that you have

    - application level decisions aren't as complex as on some competitors;
    in particular, control of bandwidth by application is better on
    Packeteer (which isn't meant as a firewall)

    - there is no nice mechanism to custom-design application-level filtering
    on IOS FW [but you can do it]

    - the 2611XM is not designed as a VPN Concentrator, but it can be pressed
    into VPN server duties. Overall, IOS IPSec features usually lag behind
    Nortel's Contivity a bit (but IOS IPSec is perhaps more configurable,
    with Contivity perhaps sometimes assuming you are doing things Its Way.)

    - access control lists on IOS are relatively easy to configure compared
    to some of the competition. I recently investigated one product that
    pretty much requires a paragraph of configuration per constraint,
    that would be done in a line in IOS. And trying to figure out
    the product's rate limiting was giving me a headache!

    - Speaking of headaches: IOS documentation is unusually thorough
    for the industry, and you can actually *find* things on the technical
    support pages (okay, so it can be tricky for some of the more obscure
    stuff.) With one of the other major vendors, finding what I'm looking
    for is usually like hitting myself over the head with a stick and
    hoping the answer will be spelt out in the "stars" in front of my
    eyes. [The information might be on that vendor's site, but
    *finding* it is Way Too Hard.]
     
    Walter Roberson, Oct 25, 2003
    #2

  3. Hugo Drax

    Hugo Drax Guest

    1) Yes, Telnet; it is built into Windows :)
    2) Nope, just read the docs on Cisco's website.
    3) It depends on the traffic. I have seen a 2611 go 80-90% CPU when running
    IP/FW (on a T1 line) that would not faze a PIX 506E. The thing you need to
    consider is not really the bandwidth but how many new connections per second
    and how many active TCP sessions CBAC will need to process. The CPU on a
    2611XM is pretty wimpy compared to dedicated firewalls. Just make sure you
    understand the client's network and prepare accordingly.
     
    Hugo Drax, Oct 25, 2003
    #3
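    The two posts above describe how the IOS Firewall works (CBAC only makes
    decisions in conjunction with routing between interfaces on different
    subnets, with ACLs opened dynamically for return traffic), what to watch
    on the AUX-port modem (password, idle timeout), and that session count,
    not bandwidth, is what loads the 2611XM's CPU. The configuration below is
    an added example written for this page, not something posted in the
    thread: a two-interface 2611XM with CBAC inspecting sessions that
    originate on the office LAN, a static inbound ACL on the T1 side, and a
    hardened dial-in AUX line. Interface names, the 10.10.0.0/24 LAN, the
    198.51.100.0/30 WAN link, the syslog host, ACL and inspect-rule names
    and the username are all assumptions for illustration.

```cisco
! Added example, not from the thread. Addresses, names and interfaces are assumed.
service password-encryption
service timestamps log datetime msec localtime
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip http server
no cdp run
ip cef
logging buffered 16384
logging 10.10.0.20                    ! assumed syslog host on the LAN
!
! CBAC inspection rule. Applied inbound on the LAN interface, it tracks
! sessions the LAN opens and punches temporary holes in WAN-IN for the
! return traffic. ICMP inspection needs 12.2(15)T / 12.3 or later.
ip inspect audit-trail
ip inspect tcp synwait-time 15
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
ip inspect one-minute high 400
ip inspect one-minute low 300
ip inspect tcp max-incomplete host 50 block-time 1
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
ip inspect name LAN-OUT ftp
ip inspect name LAN-OUT icmp
!
interface FastEthernet0/0
 description Office LAN (inside)
 ip address 10.10.0.1 255.255.255.0
 ip access-group LAN-IN in
 ip inspect LAN-OUT in
 no ip proxy-arp
 no ip redirects
!
interface Serial0/0
 description T1 to ISP (outside) - a different subnet, as CBAC requires
 ip address 198.51.100.2 255.255.255.252
 ip access-group WAN-IN in
 ip verify unicast reverse-path
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Only the office subnet may originate traffic; anything else is logged.
ip access-list extended LAN-IN
 permit ip 10.10.0.0 0.0.0.255 any
 deny   ip any any log
!
! Static inbound policy: anti-spoofing, a little ICMP, then deny.
! CBAC's dynamic entries are evaluated ahead of these lines.
ip access-list extended WAN-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 0.0.0.0 any
 permit icmp any host 198.51.100.2 ttl-exceeded
 permit icmp any host 198.51.100.2 packet-too-big
 deny   ip any any log
!
! Management: one local account, SSH only on the VTYs, LAN-only source.
username admin privilege 15 secret example-only-change-me
ip access-list standard MGMT
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT in
 login local
 exec-timeout 10 0
 transport input ssh
!
! Dial-in modem on the AUX port (question 2): local login, short idle
! timeout, hardware flow control, and no reverse-telnet into the line.
line aux 0
 modem InOut
 modem autoconfigure discovery
 flowcontrol hardware
 speed 115200
 login local
 exec-timeout 5 0
 transport input none
 transport output none
```

    Once it is running, `show ip inspect sessions` shows the CBAC state
    table whose size drives the CPU load Hugo Drax describes, and
    `show processes cpu` shows whether the 2611XM is keeping up; the
    `max-incomplete` and `one-minute` thresholds above are what CBAC
    uses to start dropping half-open connections under a SYN flood.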
  4. Hugo Drax

    Hugo Drax Guest

     
    Hugo Drax, Oct 25, 2003
    #4
  5. Richard Deal

    Richard Deal Guest

    Well, if you needed a three-interface firewall, with limited throughput,
    then a 2611 would be much more price-effective than a 515E. However, you
    definitely must consider how much traffic the router has to process, as well
    as the kinds of features you need to implement, like VPNs, before choosing
    the router. As I've always said, every networking situation is
    different--what works for one won't necessarily work for another.

    Cheers!
    --

    Richard A. Deal

    Visit my home page at http://home.cfl.rr.com/dealgroup/

    Author of CCNA Cisco Certified Network Associate Study Guide (Exam 640-801),
    Cisco PIX Firewalls, CCNA Secrets Revealed!, CCNP Remote Access Exam Prep,
    CCNP Switching Exam Cram, and CCNP Cisco LAN Switch Configuration Exam Cram

    Cisco Test Prep author for QuizWare, providing the most comprehensive Cisco
    exams on the market.



     
    Richard Deal, Oct 25, 2003
    #5
  6. Andre Beck

    Andre Beck Guest

    Maybe simply because you *want* a *router*, not a NAT engine? It all
    depends on whether you are actually focusing on a firewall, on a NAT
    engine with attached firewall features, or on a router with attached
    firewall features. If you want the latter, a PIX just gives you
    headaches.
    Huh? CBAC is essentially the fixup stuff taken from the PIX and plugged
    into IOS. The gates to that are opened using access lists in exactly the
    same way; all that is "missing" is the NAT crap. And if you don't want
    NAT because you don't need NAT, you are thankful for not being forced
    to use it anyway.
    Well, on the level of colorful web charts and fancy stickers on the box,
    that may really make a difference. But that's like customers who bash
    on you because you want to sell them proper RAID and "but there is already
    RAID5, so why do you want to sell me RAID1?"...
    For us, too. It's just later, when you have to explain the drawbacks of
    those boxes (like their inability to *just* *route*, be it directly or
    between sites of a VPN) to the same customer, that you wish you had
    used a decent router with some attached VPN and FW instead of a
    sophisticated NAT box with some attached VPN and FW.
    When I have to route a network to the customer and at the same time
    provide some basic first-level firewalling in front of the real FW that
    completes the two-layer FW setup, a CPE router with CBAC fits quite
    nicely.
     
    Andre Beck, Oct 26, 2003
    #6