A question from a first-time Cisco buyer

I've never worked with Cisco before, not that I have anything against
it, I've always seen Cisco high-end products including PIX firewalls
used that were way overkill for the type of work I do.

I'm working up a project proposal for someone that is predisposed to
Cisco. We need the usual router/firewall for the internet feed for a
100+ desk office, so I read the Cisco web site and found that Cisco has
a firewall feature for IOS and I got the following quote. The price
is reasonable and I like the all-in-one box.

CISCO 2611XM DUAL 10/100 ENET ROUTER 1819.16 1819.16
CISCO E-SMARTNET 8X5XNBD CAT5 418.48 418.48
CISCO 1700/2600/3600 1PT-T1 DSU/CSU 725.30 725.30
CISCO 2600 IP/FW FEATURE PK 386.25 386.25

CISCO E-SMARTNET 24X7X4 CAT5 CSV-CON-SNTP-PKG5 659.57

I have a couple of questions

1) Do any PC software tools to manage this box come with it ?
2) I expect to get a modem and hang it on the serial port for
remote control. Is there anything I should know to do this ?
3) How does the IOS Firewall functionality compare to other firewalls.


I'd welcome any comments about this configuration

Thanks

 

:I'm working up a project proposal for someone that is predisposed to
:Cisco. We need the usual router/firewall for the internet feed for a
:100+ desk office, so I read the Cisco web site and found that Cisco has
:a firewall feature for IOS and I got the following quote. The price
:is reasonable and I like the all-in-one box.

: CISCO 2611XM DUAL 10/100 ENET ROUTER 1819.16 1819.16
: CISCO E-SMARTNET 8X5XNBD CAT5 418.48 418.48
: CISCO 1700/2600/3600 1PT-T1 DSU/CSU 725.30 725.30
: CISCO 2600 IP/FW FEATURE PK 386.25 386.25
: CISCO E-SMARTNET 24X7X4 CAT5 CSV-CON-SNTP-PKG5 659.57

Caution: the IP/FW Feature PK does not include IPSec.

Also, the IP/FW Feature PK does not apply to IOS version 12.3
or later [i.e., the current IOS version] for the 2600 XM series: for
12.3 onwards, you need the Advanced Security Package. The list price
of Advanced Security is $US1000 for the 2600XM series, according to
http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/prod_bulletin09186a00801af451.html

Considering the price of Advanced Security, I would suggest you
consider a PIX 506E bundle, Cisco part PIX-506E-BUN-K9; those are
currently just a little less than $US900 at the lowest street price.
Then you don't have to worry about the firewall features overloading
the CPU on the 2611XM. The CPU on the 2611XM is only a 40 MHz MPC860P.
http://www.cisco.com/en/US/products...ducts_user_guide_chapter09186a008019aa1e.html

3DES in particular is pretty expensive computationally, so if you
think you might be wanting VPN then the 506E makes a lot more sense
for performance.

A summary of resource limits for the various PIX firewalls can be
found at my list at
http://www.ibd.nrc.ca/~roberson/cisco_pix_models.txt


:I have a couple of questions

:1) Do any PC software tools to manage this box come with it ?

I -believe- so, especially by 12.3. But what exactly do you mean
by "manage"? Do you mean "Is there a configuration GUI suitable for
keeping people from having to learn much about the command line
interface" ?


:2) I expect to get a modem and hang it on the serial port for
: remote control. Is there anything I should know to do this ?

Just the usual modem concerns -- make sure you have a password,
considering using a dial-back system, watch out for cheap modems that
might get wedged when you disconnect. The kind of modem you would
buy for a situation in which you can call up someone by phone and
say "Joe, could you power-cycle the modem again?!" is different than
what you would get for a stand-alone operation where getting through
quickly in the middle of the night might be important.


:3) How does the IOS Firewall functionality compare to other firewalls.

It's not bad, as far as I can see. But you should know the following
tidbits in comparison to some of the competitors:

- You need different subnets on every interface. IOS FW will not act
as a "filter" on a line: it only makes firewall decisions in conjunction
with -routing- of packets

- IOS FW has *no* mandatory yearly maint fee; if you don't want to buy
support, you can just keep running with the release that you have

- application level decisions aren't as complex as on some competitors;
in particular, control of bandwidth by application is better on
Packeteer (which isn't meant as a firewall)

- there is no nice mechanism to custom-design application-level filtering
on IOS FW [but you can do it]

- the 2611XM is not designed as a VPN Concentrator, but it can be pressed
into VPN server duties. Overall, IOS IPSec features usually lags behind
Nortel's Contivity a bit (but IOS IPSec is perhaps more configurable,
with Contivity perhaps sometimes assuming you are doing things It's Way.)

- access control lists on IOS are relatively easy to configure compared
to some of the competition. I recently investigated one product that
pretty much requires a paragraph of configuration per constraint,
that would be done in a line in IOS. And trying to figure out
the product's rate limiting was giving me a headache!

- Speaking of headaches: IOS documentation is unusually thorough
for the industry, and you can actually *find* things on the technical
support pages (okay, so it can be tricky for some of the more obscure
stuff.) With one of the other major vendors, finding what I'm looking
for is usually like hitting myself over the head with a stick and
hoping the answer will be spelt out in the "stars" in front of my
eyes. [The information might be on that vendor's site, but
*finding* it is Way Too Hard.]

 

yes, Telnet it is built into windows

nope, just read the docs in ciscos website

It depends on the traffic, I have seen a 2611 go 80-90% cpu when running
IP/FW (on a T1 line) that would not faze a pix 506e. The thing you need to
consider is not really the bandwidth but how many new connections per second
and how many active TCP sessions CBAC will need to process. the CPU on a
2611XM is pretty wimpy compared to dedicated firewalls. Just make sure you
understand the clients network and prepare accordingly.

 

Well, if you needed a three-interface firewall, with limited throughput,
then a 2611 would be much more price-effective than a 515E. However, you
definitely must consider how much traffic the router has to process, as well
as the kinds of features you need to implement, like VPNs, before choosing
the router. As I've always said, every networking situation is
different--what works for one won't necessarily work for another.

Cheers!
--

Richard A. Deal

Visit my home page at http://home.cfl.rr.com/dealgroup/

Author of CCNA Cisco Certified Network Associate Study Guide (Exam 640-801),
Cisco PIX Firewalls, CCNA Secrets Revealed!, CCNP Remote Access Exam Prep,
CCNP Switching Exam Cram, and CCNP Cisco LAN Switch Configuration Exam Cram

Cisco Test Prep author for QuizWare, providing the most comprehensive Cisco
exams on the market.

 

Maybe simply because you *want* a *router*, not a NAT-engine? It all
depends on whether you are actually focusing on a Firewall, on a NAT
Engine with attached firewall features, or on a Router with attached
firewall features. If you want the latter, a PIX just makes you head-
aches.

Huh? CBAC is essentially the fixup stuff taken from the PIX and plugged
into IOS. The gates to that are opened using access lists in exactly the
same way, all that is "missing" is the NAT crap. And if you dont want
NAT because you dont need NAT, you are thankful for not being forced
to use it anyway.

Well, on the level of colorful web charts and fancy stickers on the box,
that may really make a difference. But that's like customers who bash
on you because you want to sell them proper RAID and "but there is already
RAID5, so why do you want to sell me RAID1?"...

For us, too. It's just later when you have to explain the drawbacks of
those boxes (like their inability to *just* *route*, be it directly or
between sites of a VPN) to same customer when you wish you would better
have used a decent router with some attached VPN and FW instead of a
sophisticated NAT-Box with some attached VPN and FW.

When I have to route a network to the customer and at the same time
provide some basic 1st level firewalling in front of the real FW that
completes the 2 layer FW setup, a CPE router with CBAC fits quite
nicely.