PIX 501 or 851/871 router?

We have a small office or 3 users that are connected through a DSL circuit.
We want to link them back to the corporate office. Our main office has a
PIX 515.

In regards to the external office, I have seen that both the PIX 501 and the
8xx routers can create a VPN tunnel. What would be the main difference
between them?

Thanks
-Douglas

 

Because easier to maintain/deploy in your case: PIX

/edgar

 

:We have a small office or 3 users that are connected through a DSL circuit.
:We want to link them back to the corporate office. Our main office has a
IX 515.

:In regards to the external office, I have seen that both the PIX 501 and the
:8xx routers can create a VPN tunnel. What would be the main difference
:between them?

If you are considering an 851 or 871, then it might perhaps make
more sense to get an 857 or 877, which have the ADSL modem built in.
That would save having an external ADSL modem. The Cisco 8x7 ADSL models
are used quite a bit with ADSL -- "serious contenders", not merely
"well, it -claims- to work..."

Whether to get an 8x1 or 8x7 would depend in part on your future plans:
if you might be moving to a different kind of line then the 8x1
ethernet-to-ethernet series would be more portable, not locked into xDSL.


The 85x and 87x have hardware accelaration for 3DES and AES. The
501 uses software encryption. The 501 is not suitable for
"extreme" DSL such as 8/1 -- the 501 tops out somewhere near 3.5/1.
[But see below...]

The 8xx have more packet inspection facilities than the 501, and the 8xx
have QoS, which the 501 does not have.

The "Recommended number of users" for the 871 is 20; 10 for the 851.
The 501 base license is for 10 users. We find that in practice the
501 has no problem handling 10 users (who aren't particularily
network intensive), but that by 20 users the 501 is possibly running
out of memory -- but we have an unusually large configuration.

It's easier to find hard performance numbers for the PIX series
than for the 8xx series. If you know the magic place to look,
http://www.cisco.com/warp/public/765/tools/quickreference/routerperformance.pdf
you can see the 85x rated for 10000 pps (5.1 megabits/s), and the
87x rated for 25000 ppps (12.8 megabits/s) for routing.

But the 501 is rated to 60 megabits/s cleartext (e.g., just NAT +
routing without encryption.) That's ~5 times the speed of the 871 for
about $US75 less...

The 871 is licensed for 20 VPN tunnels; the corresponding license on the
501 is 10 "IKE peers". The 501 is a bit more specific in its
terminology: it can have a large number of different
"security associations", all of which are being encapsulated to talk
to the same peer; for the 871, it isn't immediately clear whether
it is talking about 20 peers or 20 security associations.


Now a bit of speculation:

The PIX 501 has a relatively small amount of memory, and there are
significant challenges in fitting the PIX 7.0 software in that small
amount of memory. Cisco has reportedly said that 7.0 *will* be
supported on the 501, but they are running late on that. It's an
open question at the moment as to whether they will be able to deliver
on that, and as to how much they will have to cut out of 7.0 to make
it fit. So although the 501 has been selling quite well, there are
rumblings that the 6.x software stream might really be the end of
the line for existing 501's, with possibly a 501E in the works,
or possibly a price reduction on the 506E to have it take over the
market niche of the 501.

Cisco has introduced the ASA 5500 series of Security Appliances,
which do everything the PIX does and have more advanced packet
inspection and more advanced heuristic intrusion prevention.
There is a lot of competition from other vendors such as SonicWall,
who are pushing anti-virus and deeper packet inspection and QoS
services into lower-cost devices. One has to wonder how Cisco
is going to compete with those (especially the deeper packet
inspection) within the PIX line if the PIX line is differentiated
from the ASA line mostly by the lack of those features. Thus,
for all that the PIX line ins very well known, I have to wonder
whether it has a future. Is it's only future in being more
"modular" [i.e., expandable interfaces] than the ASA? If so then
that would argue for the discontinuation of the fixed-configuration
501.


But you asked what the main difference was between the PIX and the
851/871. The answer is that the PIX is designed for security
where as the 851/871 are designed for routing and designed with
the full kitchen-sink complement of IOS features. The result is
that the 8xx series is higher absolute risk than the PIX: there
are more things to go wrong in the 8xx and when things go wrong,
packets are allowed through... whereas on the PIX, the code
internals are designed to block packets that aren't approved by
policy. Internal architectural differences but similar external
functionality. But do you need the "extra heavy duty shock absorbers",
or are the standard heavy duty shock absorbers good enough for your
purposes?

 

Thank you for the detailed explanation Walter. It is very handy!!! What
surprised us was that the 8xx routers were less expensive than the 501, and
some of them had built in wireless. I guess it comes down to configuration
knowledge. If we find a future employee who is very good at IOS then we
should do the 8xx series, but a general run of the mill WAN guy will
probably be safer with the PIX.

I was just looking at the ASA boxes, they are pretty cool. To me they look
like a direct replacement to the 515s, is that true? we were thinking of
scaling to something higher than the 515R we have now, so the ASA looks
nice.

Thanks!
-Douglas

 

:What
:surprised us was that the 8xx routers were less expensive than the 501, and
:some of them had built in wireless. I guess it comes down to configuration
:knowledge. If we find a future employee who is very good at IOS then we
:should do the 8xx series, but a general run of the mill WAN guy will
robably be safer with the PIX.

If you have someone who is already good with PIX then no problem.

And if you only want to do simple things with the PIX, just simple
LAN-to-LAN tunnels that can be relatively easily configured via the
graphical interface (PDM / SDM), then public vs private addressing is
possibly the biggest bump to get over for a newcomer.

However, if you intend to really exploit the PIX, then the truth is
that it takes -years- to learn the PIX thoroughly. Indeed, I've been
working with it for 4 years, participating quite actively in online
discussions of the PIX, and I can still only answer about 2/3 of the
questions.

IOS... IOS isn't really any less easy to learn, but it is pushed a lot
more, with training academies and several different levels of
certifications and practice exams and so on. It is thus easier to come
by someone who knows IOS relatively well than to come by someone who
knows PIX relatively well.