2811

Bl8ckr0uter Inactive Imported Users Posts: 5,031
Ok I am still shopping for a new edge router and I am trying to hash out between buying a Cisco 2811 and building one with Zeroshell or pfSense.

Can anyone confirm or deny that they have used the 2800 series (specifically the 2811) for an edge router? I am trying to keep our cost down and I can pick one up for about 1000 bucks or so.

Comments

  • networker050184 Mod Posts: 11,962
    knwminus wrote: »
    Ok I am still shopping for a new edge router and I am trying to hash out between buying a Cisco 2811 and building one with Zeroshell or pfSense.

    Can anyone confirm or deny that they have used the 2800 series (specifically the 2811) for an edge router? I am trying to keep our cost down and I can pick one up for about 1000 bucks or so.


    What do you need the router to do? We use them as customer CPE without issue.
    An expert is a man who has made all the mistakes which can be made.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    What do you need the router to do? We use them as customer CPE without issue.

    Basically simply route. I would like to do some QoS as well along with the basics like security and such...for now I mean. Our user VPNs are going to terminate into our new SonicWall boxes so our router won't need to do anything with that. We only have about 60 users.

    I guess I would need 3 physical ports (dmz, inside and outside) and the ability to one day add failover (Active/Active) and load balancing.
  • networker050184 Mod Posts: 11,962
    Depending on the size of your internet pipe you should be good with a 2800. If you are just going to use some QoS and probably a default route you should be fine.
    An expert is a man who has made all the mistakes which can be made.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Depending on the size of your internet pipe you should be good with a 2800. If you are just going to use some QoS and probably a default route you should be fine.

    Our pipe is quite small (4m). We are looking to go to 10 within the next few months (budget issues).
  • burbankmarc Member Posts: 460
    knwminus wrote: »
    Basically simply route. I would like to do some QoS as well along with the basics like security and such...for now I mean. Our user VPNs are going to terminate into our new SonicWall boxes so our router won't need to do anything with that. We only have about 60 users.

    I guess I would need 3 physical ports (dmz, inside and outside) and the ability to one day add failover (Active/Active) and load balancing.

    I use 2811s for all my edge equipment. It's an ISR so it's meant to be an all-in-one type device. It has VPN hardware, which you don't need. It supports IPS functions, which is nice. Its QoS is pretty good. It has full support for HSRP/VRRP/GLBP, and fully supports all routing protocols.

    I run BGP/OSPF on it without a problem. I have several hundred users, and I have multiple VPNs on it and it hits about a constant 20% CPU utilization.

    For the money they're pretty good routers. They come with 2 built in FE ports and have 2 module ports.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Awesome burbankmarc! I'm still very much a noob at a lot of these things and since no one really knows about the network (the guy that knew left), I guess I have to figure out these things on my own.

    As far as IPS/IDS I will probably be using an additional device for that (probably a Snort box) since we will probably have to keep this thing off our SMARTnet for a while (at least a few months, budget issues). I will probably pick up 2 of them so I can swap it out just in case one dies.

    I have to put together 3 proposals: 1: Optimize our 2610 (yuck!) 2: Get a 2800 series router or two, or 3: Hardcore BSD router.
  • burbankmarc Member Posts: 460
    If you look at my avatar that's a 2811 next to my left eye.

    But yeah I run the IPS on the router and I have a snort machine as well. Also on my snort machine I'm running Ntop which I would highly recommend.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    If you look at my avatar that's a 2811 next to my left eye.

    But yeah I run the IPS on the router and I have a snort machine as well. Also on my snort machine I'm running Ntop which I would highly recommend.

    NOOB ALERT: Why would you run an IPS/IDS on both places? Wouldn't that slow your network down some?
  • burbankmarc Member Posts: 460
    The more security the better. Also, to be honest I'm not real up on Cisco's IDS implementation so I mostly use the snort box.

    No slow down. The way I have it is 2811->3560->ASA->inside network. So on my 3560 I just set up a SPAN port and mirror all of the traffic into a promiscuous port on my snort box. The 3560 handles all traffic and you know how fast L3 switches are.
  • notgoing2fail Member Posts: 1,138
    The more security the better. Also, to be honest I'm not real up on Cisco's IDS implementation so I mostly use the snort box.

    No slow down. The way I have it is 2811->3560->ASA->inside network. So on my 3560 I just set up a SPAN port and mirror all of the traffic into a promiscuous port on my snort box. The 3560 handles all traffic and you know how fast L3 switches are.


    Do you think the SPAN port increases CPU utilization at all?
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    No slow down. The way I have it is 2811->3560->ASA->inside network.

    We don't have a spare L3 switch but in concept this is close to what I want to do.
  • burbankmarc Member Posts: 460
    Do you think the SPAN port increases CPU utilization at all?

    It pegs to 60% every now and again but for the most part it's a steady 10-20%. I'm not sure if that's the SPAN though.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    How difficult is doing a cut over to one of those devices from another router? Have you ever done a change like that?
  • burbankmarc Member Posts: 460
    I assume you mean switching from your existing equipment? Well as long as you configure everything properly it should be pretty quick. Just make sure you schedule downtime though just in case.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    I assume you mean switching from your existing equipment? Well as long as you configure everything properly it should be pretty quick. Just make sure you schedule downtime though just in case.

    Yea that's what I meant. TBH I'm a little nervous. I have never had to do anything like this. It will be the first time that I will be thee network guy so I'm really concerned about making it right.
  • burbankmarc Member Posts: 460
    Keep your old router in place in case things go wrong so you can just move back.

    But I doubt you'll have too many problems, it shouldn't be too big of a deal. Plus, good experience to get a high visibility project out of the way.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Yep, it's going to be put up or shut up time soon. I need to study the configs for our PIX firewalls so I can make the cut over to our SonicWall boxes smooth as well.
  • notgoing2fail Member Posts: 1,138
    knwminus wrote: »
    Yep, it's going to be put up or shut up time soon. I need to study the configs for our PIX firewalls so I can make the cut over to our SonicWall boxes smooth as well.


    You are having a great learning experience! This is why you chose this profession!

    What kind of sonicwall did you guys purchase? I have an old Pro 330!
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    You are having a great learning experience! This is why you chose this profession!

    What kind of sonicwall did you guys purchase? I have an old Pro 330!


    NSA 240. It looks pretty slick
    Network Security, Firewall & Wireless - NSA 240 Appliance Details - SonicWALL, Inc.
  • notgoing2fail Member Posts: 1,138
    knwminus wrote: »


    Wow that's pretty impressive.....makes my old Sonicwall look..well....old!!!

    I didn't know they changed their design like that.....
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Wow that's pretty impressive.....makes my old Sonicwall look..well....old!!!

    I didn't know they changed their design like that.....


    Yea. I've been reading the admin guides for it, it really is a cool device. I am looking over our old PIX and trying to map out the commands so when I start configuring the SonicWall I can just pull the working config from the PIX. I've never worked on a PIX so I've been doing a lot of googling.