Need unrestricted license for PIX 520

Discussion in 'Cisco' started by Mike Voss, Oct 14, 2003.

  1. Mike Voss

    Mike Voss Guest

    I am looking to buy an unrestricted license for a PIX 520 I recently
    bought at auction. It has the old V 4.2 and I'm looking for the
    lattest 6.X rev. If anyone has one they don't need and want to sell,
    please drop me a line. Just looking for a lower-cost option before
    going with Smartnet.

    Thanks,

    Mike
     
    Mike Voss, Oct 14, 2003
    #1
    1. Advertisements

  2. :I am looking to buy an unrestricted license for a PIX 520 I recently
    :bought at auction. It has the old V 4.2 and I'm looking for the
    :lattest 6.X rev. If anyone has one they don't need and want to sell,
    :please drop me a line. Just looking for a lower-cost option before
    :going with Smartnet.

    Used PIX (or IOS) licenses are not transferable.

    It -is-, though, possible, that someone might happen to have
    an entitlement for sale. I don't know if the entitlements are
    transferable or not.


    You probably do not have enough flash memory to upgrade to 6.x.
    16 Mb of flash was not supported until 4.4(3). A flash upgrade
    is available.

    To be frank, between the cost of the flash upgrade and the cost of
    the software upgrade, unless you need at least 3 interfaces, it would
    likely be less expensive to buy a PIX 501 than to get your 520 up to
    6.3(3).
     
    Walter Roberson, Oct 14, 2003
    #2
    1. Advertisements

  3. I agree, go with the 501. All 501s are shipping with 3DES and 6.3
    these days, and you will have a very nice solution. We have a 520
    with the upgraded RAM (actually a new PIX card). The 520 is likely
    overkill. How many users behind the unit?

    -Shawn Westerhoff
     
    Shawn Westerhoff, Oct 15, 2003
    #3
  4. Mike Voss

    Thomas Larus Guest

    There is one more advantage to the Pix 501-- you can get a new one cheaply,
    and it will be official. You can buy it new from an authorized reseller,
    purchase Smartnet support for a reasonable price (something like 80 bucks,
    if I remember correctly), and get legal Pix OS updates as they come out.
    You also have the option of putting it into production, since it is
    official.

    Best regards,
     
    Thomas Larus, Oct 15, 2003
    #4
  5. Mike Voss

    Mike Voss Guest

    Thanks for all the info. This unit will be protecting a web farm -
    100K concurrent sessions possibly.My understanding was that we'd have
    to go with the 525 if not these - am I mistaken ? Since we have them
    already, I hate to get something else, but I guess we could always
    sell them.

    Mike
     
    Mike Voss, Oct 15, 2003
    #5
  6. :Thanks for all the info. This unit will be protecting a web farm -
    :100K concurrent sessions possibly.My understanding was that we'd have
    :to go with the 525 if not these - am I mistaken ?

    The official rating on the PIX 520 is 65536 concurrent connections.
    Seeing as that's not a nice round number like "130000" (for the 515E),
    the PIX 520 possibly has a 16 bit table internally and this is perhaps
    a hard limit on the unit.

    It is possible that the 65536 limit really only referred to the old
    per-connection licensing scheme, and perhaps under PIX 6.x the limit is
    higher. I find one unsupported claim that the 520 will handle 240 Mbps
    and 256000 simultaneous connections; another says 270 Mbps and 250000
    simultaneous connections (but that was from a regular poster whom I
    would tend to trust.) The only figure I can find in Cisco's site is the
    65536 figure. I do, see, though, that the PIX 100000 supported more
    than 160000 simultaneous connections, and as the 520 was faster than
    the 10000, then the 520 should be able to handle as many, memory
    permitting.


    My research appears to indicate that at various times, the CPU
    on the 520 was anywhere from 199 MHz to 350 MHz; that would be a
    substantial performance range. You mentioned a very old software version,
    suggesting likely a unit towards the lower end of the performance
    range.

    The 515E is rated to 130000 simultaneous connections (and 433 MHz).

    Looking at the various limits and at the performance specs, I would
    tend to think that the 525 would be the unit you would be most comfortable
    with, and that the 520 you have now would likely not be able to
    handle the load with the kind of performance you would hope for.


    For cross-comparisons of the various PIX models, please see my table
    at http://www.ibd.nrc.ca/~roberson/cisco_pix_models.txt
     
    Walter Roberson, Oct 15, 2003
    #6
  7. Mike Voss

    Mike Voss Guest

    I actually got that 160,000 session figure off the Cisco website,
    can't find where it was, but it was just the other day. Based on your
    assessment, it sounds like we're safe. I'll be sure to max out the
    memory. It looks like Smartnet is the way to go - is approx: $2300 a
    reasonable price, or should I shop around more ?

    Thanks very much for the input.

    Mike
     
    Mike Voss, Oct 15, 2003
    #7
  8. :Based on your
    :assessment, it sounds like we're safe.

    My assessment is that you -might- be able to get by with your model,
    but that it isn't at all certain by looking at the specifications.
    You might have one of the 199 MHz models.

    : I'll be sure to max out the memory.

    I see PIX-MEM-5XX-128 from about $US95. Obviously not original
    Cisco memory, but it'd likely be good enough.

    :It looks like Smartnet is the way to go - is approx: $2300 a
    :reasonable price, or should I shop around more ?

    You should check with Cisco first. I am not certain that Smartnet
    would cover the jump from PIX 4.2 to PIX 6.3(3). Smartnet is
    intended to cover ongoing maintenance of a product that has
    a current software release at the time of contract purchase. My
    belief, from having looked at Cisco part numbers, is that Cisco
    intends that you pay a license upgrade fee to get to the 6.1+ series
    and that smartnet would cover any upgrades you wanted to make after
    that.

    An operational note: you cannot upgrade from PIX 4.2 to 6.3(3)
    in one step. My memory is a bit fuzzy on the details, but my
    recollection is that you have to upgrade to something near 4.4(2)
    first. The boot helper in PIX 4.2 cannot deal with the larger
    software images, so first you have to upgrade to a version that
    supports network upgrades. Also, you will need a new software license
    key along the way as I recall -- one "just because" (just part of
    the old upgrade process), and one to convert from the connection-
    license scheme to the restricted/unrestricted license scheme. You will
    likely also want to get your (now) free 3DES key. Possibly you'll be
    able to do all of these license upgrades in one step; I don't know,
    as the documentation does not say very much about the conversion
    of connection limits licenses to other licenses.


    My suspicion is that the PIX 510 and 520 will not be supported in
    the next major round of software improvements, which some have said
    will be PIX 7.0 in the first quarter of 2004. See if you can get
    a sales rep from Cisco to talk to you about this point before you
    plunk down $US2300 for Smartnet.


    In a situation such as you face, I would hesitate a long time before
    deploying an old PIX 520. You can get PIX-525-R-BUN for < $US5000.
    Less than $US3000 if you don't mind a refurb (www.shoplet.com -- but
    I can't see the details with the browser I'm using.)
     
    Walter Roberson, Oct 15, 2003
    #8
  9. Our experience indicates that with newer PIX OS's (5.x ?) any software
    limits on connections are not enforced, and that the only limit on
    simultanious connections is RAM. If the 520 has had RAM upgrades it may
    handle 250K connections or so.

    We have run the 515R, 515UR and 525 models out of RAM to I have those
    numbers.

    From out last DOS on a 525UR:
    whatever-pix# sho conn count
    440 in use, 757760 most used

    On a 515R:
    wherever-pix# sho conn count
    66 in use, 40960 most used

    I think that our 515UR's max out at about 200k connections. I don't
    recall running a 520 out of RAM.

    As far as throughput goes, it depends on packet size. I'd guess that
    200+Mbps on a 520 would be a traffic mix with large packets & few sessions.

    It seems like in the OP's case that failover may be the most important
    feature. I'd hate to blow away 100K connections during upgrades & such,
    and you'd have to spare it anyway, just to prevent long-term firewall
    induced outages. Without Smartnet, it will take days to get it replaced.

    --Mike
     
    Michael Janke, Oct 15, 2003
    #9
  10. Yes it would. Smartnet covers jumps in licensing. See the following:

    http://www.cisco.com/en/US/products/svcs/ps3034/ps2827/ps2978/service_q_and_a09186a00800b7706.html

    The relevant sentence is:

    Cisco IOS maintenance updates and upgrades (minor and major releases) for
    the covered product
    Correct. What you lose by buying Smartnet after the fact on a used device
    is
    HARDWARE REPLACEMENT. In short, if you buy smartnet when you buy the
    new device, and keep it maintained by buying new smartnet contracts every
    year,
    then you get hardware coverage.

    But if you let it lapse, or you buy a smartnet for a USED device, then in
    order to get
    the hardware coverage activated, you must send the device back to Cisco for
    inspection. The inspection fee is almost the same as a new device, plus the
    only
    place Cisco mentions inspection is in the explanation buried in their
    website as
    to why buying used Cisco gear as a Bad Thing. There is unfortunately no
    mention
    anywhere else on the website of how exactly to go about getting the device
    inspected.
    Those part numbers are upgrades that you buy if you don't have smartnet
    coverage on the device. The only reason they are there is for the
    thickheads
    that won't buy a service contract over anyone's dead body. It's usually
    a much better deal to buy Smartnet, then you get tech support as well.

    Now it's important to keep in mind, though, that smartnet isn't a substitute
    for a license. You must have a license in addition to smartnet, on your
    device.
    They are just going to refer you to a Cisco reseller or Cisco Partner.
    Cisco
    sales reps work much bigger deals than this kind of small potatoes. Rather
    than calling Cisco, your much better off purchasing your used gear, then
    once
    it's in house and powers up, look in the phone book and call a local Cisco
    Reseller and explain what you have, then have him quote you on what you
    need to go to "get legal" Sure, the reseller will be pissed off on losing
    the sale
    on the hardware itself, but that will spare you an hour of the resellers
    sales
    rep yapping in your ear about how you should never buy used Cisco gear.
    And they still will make some money on the software and licensing. And
    trust me, you want to have an established relationship with a local Cisco
    dealer if your running Cisco gear.

    Ted
     
    Ted Mittelstaedt, Oct 16, 2003
    #10
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.