Replacement Router/Firewall IOS Module

Discussion in 'Cisco' started by TFlee55510, Jul 13, 2004.

  1. TFlee55510

    TFlee55510 Guest

    My question is should I throw away my 506E firewall which presently sits behind
    my Internet router (Cisco 4000) and order the replacement router with the
    Firewall Feature set?

    Or keep using the 506E and not order the new firewall.

    The replacement router will be a 3725 with a NM, or possibly a 2651XM.

    Stats on 506E say we use about 3 connections/sec during the day, CPU
    utilization less than 5%.

    It appears previous posts say let the router route, and let a firewall be your
    firewall. Does anyone have any thoughts on changing that philosophy?

    Tom
     
    TFlee55510, Jul 13, 2004
    #1

  2. :My question is should I throw away my 506E firewall which presently sits behind
    :my Internet router (Cisco 4000) and order the replacement router with the
    :Firewall Feature set?

    What do you stand to gain if you were to do that? Is the configuration
    not working as is? You say you are only hitting 3% CPU on the PIX, so
    it sounds as if performance is not the reason for the change. Are you
    in need of a make-work project?
     
    Walter Roberson, Jul 14, 2004
    #2

  3. TFlee55510

    TFlee55510 Guest

    Nope.

    The reason for the upgrade is two-fold.

    1) Need full duplex, 100MB capabilities.
    2) Will use the 4000 at another site which
    does not have a router, but will benefit from intelligent routing.

    On the 3% CPU utilization, I looked at a 12-hour span at the moment I sent
    the email; given the time of the month and the number of Citrix users this could
    vary significantly, so I probably should not have thrown that into the equation.

    Do you have an opinion whether the 506E should be kept in the design?
     
    TFlee55510, Jul 15, 2004
    #3
  4. :The reason for the upgrade is two-fold.

    :1) Need full duplex, 100MB capabilities.

    The PIX 506E already has that. It is rated as 100 Mbps cleartext,
    so I don't know that you would be able to get 100 megabits per second
    simultaneously in both directions through a 506E -- but even the 501
    will run its interfaces at 100 Mb full duplex (as of 6.2-ish)

    :Do you have an opinion whether the 506E should be kept in the design?

    I'd want to have a careful look at the 4000 performance specs
    (and another reading of your original posting). I'm not sure that
    going to a 4000 series would be an upgrade in your situation.
    My understanding is that the stateful firewall layers are largely
    CPU-processed under IOS. For example, even though many of the
    newer Cisco devices support NetFlow at the hardware level, NetFlow
    does not [I believe] check TCP sequence numbers, and I'm pretty sure
    the NetFlow layer doesn't support tasks such as checking to be sure
    that FTP ports are valid. Thus, unless you are running a 650x or
    720x with FWSM, any stream which you want "inspect" to work on is going
    to have to be CPU-processed before being handed off to NetFlow for
    distribution to the appropriate destination interfaces.
     
    Walter Roberson, Jul 15, 2004
    #4
  5. TFlee55510

    TFlee55510 Guest

    The 4000 is on the Edge.

    The architecture is as follows:

    3550T(Core) -->506E(FW)-->4000(Internet Router)

    The 4000 is connected to the Internet using fiber 10MB/Full. We also hang
    another subnet off the 4000 to external corporation. A remote office also uses
    it for a gateway router.

    Thus, although the FW can do a 100MB/Full, it can only connect at 10MB/Half to
    the router, unless I buy a used card.

    From your response, I do get the general idea you think keeping the 506E is
    worthwhile, that it will pass traffic faster, plus save the router's CPU.

    Is that fair to say?

    I have given some thought to just taking the 4000 out of the picture and using
    our 3550T, but decided I still preferred a router on the internet edge to help
    make routing decisions.
    Thanks for the feedback.

    Tom
     
    TFlee55510, Jul 15, 2004
    #5