PIX 501 or 851/871 router?

Discussion in 'Cisco' started by Douglas McIver, Sep 11, 2005.

  1. We have a small office of 3 users that are connected through a DSL circuit.
    We want to link them back to the corporate office. Our main office has a
    PIX 515.

    In regards to the external office, I have seen that both the PIX 501 and the
    8xx routers can create a VPN tunnel. What would be the main difference
    between them?

    Thanks:)
    -Douglas
     
    Douglas McIver, Sep 11, 2005
    #1

  2. Because easier to maintain/deploy in your case: PIX

    /edgar
     
    Edgar® du Midi®, Sep 11, 2005
    #2

  3. :We have a small office or 3 users that are connected through a DSL circuit.
    :We want to link them back to the corporate office. Our main office has a
    :PIX 515.

    :In regards to the external office, I have seen that both the PIX 501 and the
    :8xx routers can create a VPN tunnel. What would be the main difference
    :between them?

    If you are considering an 851 or 871, then it might perhaps make
    more sense to get an 857 or 877, which have the ADSL modem built in.
    That would save having an external ADSL modem. The Cisco 8x7 ADSL models
    are used quite a bit with ADSL -- "serious contenders", not merely
    "well, it -claims- to work..."

    Whether to get an 8x1 or 8x7 would depend in part on your future plans:
    if you might be moving to a different kind of line then the 8x1
    ethernet-to-ethernet series would be more portable, not locked into xDSL.


    The 85x and 87x have hardware acceleration for 3DES and AES. The
    501 uses software encryption. The 501 is not suitable for
    "extreme" DSL such as 8/1 -- the 501 tops out somewhere near 3.5/1.
    [But see below...]

    The 8xx have more packet inspection facilities than the 501, and the 8xx
    have QoS, which the 501 does not have.

    The "Recommended number of users" for the 871 is 20; 10 for the 851.
    The 501 base license is for 10 users. We find that in practice the
    501 has no problem handling 10 users (who aren't particularly
    network intensive), but that by 20 users the 501 is possibly running
    out of memory -- but we have an unusually large configuration.

    It's easier to find hard performance numbers for the PIX series
    than for the 8xx series. If you know the magic place to look,
    http://www.cisco.com/warp/public/765/tools/quickreference/routerperformance.pdf
    you can see the 85x rated for 10000 pps (5.1 megabits/s), and the
    87x rated for 25000 pps (12.8 megabits/s) for routing.

    But the 501 is rated to 60 megabits/s cleartext (e.g., just NAT +
    routing without encryption.) That's ~5 times the speed of the 871 for
    about $US75 less...

    The 871 is licensed for 20 VPN tunnels; the corresponding license on the
    501 is 10 "IKE peers". The 501 is a bit more specific in its
    terminology: it can have a large number of different
    "security associations", all of which are being encapsulated to talk
    to the same peer; for the 871, it isn't immediately clear whether
    it is talking about 20 peers or 20 security associations.


    Now a bit of speculation:

    The PIX 501 has a relatively small amount of memory, and there are
    significant challenges in fitting the PIX 7.0 software in that small
    amount of memory. Cisco has reportedly said that 7.0 *will* be
    supported on the 501, but they are running late on that. It's an
    open question at the moment as to whether they will be able to deliver
    on that, and as to how much they will have to cut out of 7.0 to make
    it fit. So although the 501 has been selling quite well, there are
    rumblings that the 6.x software stream might really be the end of
    the line for existing 501's, with possibly a 501E in the works,
    or possibly a price reduction on the 506E to have it take over the
    market niche of the 501.

    Cisco has introduced the ASA 5500 series of Security Appliances,
    which do everything the PIX does and have more advanced packet
    inspection and more advanced heuristic intrusion prevention.
    There is a lot of competition from other vendors such as SonicWall,
    who are pushing anti-virus and deeper packet inspection and QoS
    services into lower-cost devices. One has to wonder how Cisco
    is going to compete with those (especially the deeper packet
    inspection) within the PIX line if the PIX line is differentiated
    from the ASA line mostly by the lack of those features. Thus,
    for all that the PIX line is very well known, I have to wonder
    whether it has a future. Is its only future in being more
    "modular" [i.e., expandable interfaces] than the ASA? If so then
    that would argue for the discontinuation of the fixed-configuration
    501.


    But you asked what the main difference was between the PIX and the
    851/871. The answer is that the PIX is designed for security
    whereas the 851/871 are designed for routing and designed with
    the full kitchen-sink complement of IOS features. The result is
    that the 8xx series is higher absolute risk than the PIX: there
    are more things to go wrong in the 8xx and when things go wrong,
    packets are allowed through... whereas on the PIX, the code
    internals are designed to block packets that aren't approved by
    policy. Internal architectural differences but similar external
    functionality. But do you need the "extra heavy duty shock absorbers",
    or are the standard heavy duty shock absorbers good enough for your
    purposes?
     
    Walter Roberson, Sep 12, 2005
    #3
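The pps and megabits/s ratings quoted in the post above can be cross-checked against each other, and the comparison with the 501's 60 megabits/s cleartext figure depends on the average packet size one assumes. The following Python is an added example and is not part of the thread or of any Cisco document; the 85x/87x figures are the ones quoted in the post, and the other packet sizes are constructed for illustration.

```python
# Added example (not from the thread): cross-checking pps and Mbit/s ratings.
# The 85x/87x pps and Mbit/s figures below are the ones quoted in the post;
# the extra packet sizes in comparison_table() are constructed for illustration.

RATINGS_PPS = {"85x": 10_000, "87x": 25_000}   # packets per second (quoted)
QUOTED_MBPS = {"85x": 5.1, "87x": 12.8}        # megabits per second (quoted)

BITS_PER_BYTE = 8
BITS_PER_MEGABIT = 1_000_000


def implied_packet_bytes(pps: int, mbps: float) -> float:
    """Average packet size (bytes) at which a pps rating equals a Mbit/s rating.

    Solving mbps * 1e6 = pps * bytes * 8 for bytes.
    """
    return mbps * BITS_PER_MEGABIT / BITS_PER_BYTE / pps


def throughput_mbps(pps: int, packet_bytes: int) -> float:
    """Forwarding rate in Mbit/s for a pps rating at a given average packet size."""
    return pps * packet_bytes * BITS_PER_BYTE / BITS_PER_MEGABIT


def comparison_table(packet_sizes=(64, 256, 512, 1400)) -> dict:
    """Throughput of each rated model across a range of average packet sizes."""
    return {
        model: {size: round(throughput_mbps(pps, size), 2) for size in packet_sizes}
        for model, pps in RATINGS_PPS.items()
    }


if __name__ == "__main__":
    # Both quoted Mbit/s figures work out to roughly 64-byte packets,
    # i.e. the pps ratings are minimum-size-packet figures.
    for model in RATINGS_PPS:
        size = implied_packet_bytes(RATINGS_PPS[model], QUOTED_MBPS[model])
        print(f"{model}: {size:.2f}-byte packets implied by the quoted ratings")
    # The same pps ratings look very different with larger average packets.
    for model, row in comparison_table().items():
        print(model, row)
```

The implied packet size comes out near 64 bytes for both routers, so the pps ratings are minimum-packet figures; a 60 megabits/s cleartext number for the 501 is only comparable once the same packet size is assumed on both sides.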
  4. Thank you for the detailed explanation, Walter. It is very handy!!! What
    surprised us was that the 8xx routers were less expensive than the 501, and
    some of them had built in wireless. I guess it comes down to configuration
    knowledge. If we find a future employee who is very good at IOS then we
    should do the 8xx series, but a general run of the mill WAN guy will
    probably be safer with the PIX.

    I was just looking at the ASA boxes, they are pretty cool. To me they look
    like a direct replacement to the 515s, is that true? We were thinking of
    scaling to something higher than the 515R we have now, so the ASA looks
    nice.

    Thanks!
    -Douglas
     
    Douglas McIver, Sep 12, 2005
    #4
  5. :What
    :surprised us was that the 8xx routers were less expensive than the 501, and
    :some of them had built in wireless. I guess it comes down to configuration
    :knowledge. If we find a future employee who is very good at IOS then we
    :should do the 8xx series, but a general run of the mill WAN guy will
    :probably be safer with the PIX.

    If you have someone who is already good with PIX then no problem.

    And if you only want to do simple things with the PIX, just simple
    LAN-to-LAN tunnels that can be relatively easily configured via the
    graphical interface (PDM / SDM), then public vs private addressing is
    possibly the biggest bump to get over for a newcomer.

    However, if you intend to really exploit the PIX, then the truth is
    that it takes -years- to learn the PIX thoroughly. Indeed, I've been
    working with it for 4 years, participating quite actively in online
    discussions of the PIX, and I can still only answer about 2/3 of the
    questions.

    IOS... IOS isn't really any less easy to learn, but it is pushed a lot
    more, with training academies and several different levels of
    certifications and practice exams and so on. It is thus easier to come
    by someone who knows IOS relatively well than to come by someone who
    knows PIX relatively well.
     
    Walter Roberson, Sep 12, 2005
    #5
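The "public vs private addressing" bump mentioned above is visible in a minimal LAN-to-LAN configuration: the interesting-traffic ACL and the NAT exemption are written with the private LAN addresses on both ends, while the IKE peer is the other side's public address. The configuration below is an added example in PIX 6.x CLI syntax, not a configuration from the thread or from Cisco documentation; the subnets, the peer address (from the 203.0.113.0/24 documentation range), the object names and the key placeholder are all constructed, and the head-office 515 would carry a mirror-image configuration. Lines beginning with `:` are PIX comment lines.

```cisco
: Added example, remote-office PIX 501 side (PIX 6.x syntax).
: Constructed addressing: remote LAN 192.168.2.0/24, head-office LAN
: 192.168.1.0/24, head-office outside (public) address 203.0.113.1.

: Interesting traffic is defined with PRIVATE addresses on both sides ...
access-list l2l permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

: ... and the same private-to-private flow is exempted from NAT, so it is
: not translated to the outside address before the crypto map sees it.
nat (inside) 0 access-list l2l

: Everything else leaving the inside is PAT'ed to the outside address as usual.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

: Phase 1 (IKE): the peer is identified by its PUBLIC address.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key REPLACE_WITH_PRESHARED_KEY address 203.0.113.1 netmask 255.255.255.255

: Phase 2 (IPsec): protect only the flow matched by the l2l ACL.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map tohq 10 ipsec-isakmp
crypto map tohq 10 match address l2l
crypto map tohq 10 set peer 203.0.113.1
crypto map tohq 10 set transform-set strong
crypto map tohq interface outside

: Let decrypted tunnel traffic bypass the outside interface access list.
sysopt connection permit-ipsec
```

The two places newcomers most often get wrong are the `nat (inside) 0` exemption (without it, the private-to-private packets are translated first and never match the crypto ACL) and using a private address where the public peer address belongs in `isakmp key` and `set peer`; both ends must define the interesting traffic as exact mirror images of each other.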
