2811

Ok I am still shopping for a new edge router and I am trying to hash out between buying a cisco 2811 and building one with Zeroshell or PFsense.

Can anyone confirm or deny that they have used the 2800 series (specifically the 2811) for an edge router. I am trying to keep our cost down and I am can pick one up for about 1000 bucks or so.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

networker050184

knwminus wrote: »

Ok I am still shopping for a new edge router and I am trying to hash out between buying a cisco 2811 and building one with Zeroshell or PFsense.

Can anyone confirm or deny that they have used the 2800 series (specifically the 2811) for an edge router. I am trying to keep our cost down and I am can pick one up for about 1000 bucks or so.

What do you need the router to do? We use them as customer CPE without issue.

Bl8ckr0uter

networker050184 wrote: »

What do you need the router to do? We use them as customer CPE without issue.

Basically simply route. I would like to do some QoS as well along with the basics like security and such...for now I mean. Our User VPNS are going to terminate into our new Sonic wall boxes so our router won't need to do anything with that. We only have about 60 users.

I guess I would need 3 physical ports (dmz, inside and outside) and the ability to one day add failover (Active/Active) and load balancing.

networker050184

Depending on the size of your internet pipe you should be good with a 2800. If you are just going to use some QoS and probably a default route you should be fine.

Bl8ckr0uter

networker050184 wrote: »

Depending on the size of your internet pipe you should be good with a 2800. If you are just going to use some QoS and probably a default route you should be fine.

Our pipe is quite small (4m). We are looking to go to 10 within the next few months (budget issues).

burbankmarc

knwminus wrote: »

Basically simply route. I would like to do some QoS as well along with the basics like security and such...for now I mean. Our User VPNS are going to terminate into our new Sonic wall boxes so our router won't need to do anything with that. We only have about 60 users.

I guess I would need 3 physical ports (dmz, inside and outside) and the ability to one day add failover (Active/Active) and load balancing.

I use 2811s for all my edge equipment. It's an ISR so it's meant to be an all in one type device. It has VPN hardware, which you don't need. It supports IPS functions, which is nice. It's QoS is pretty good. It has full support for HSRP/VRRP/GLBP, and fully supports all routing protocols.

I run BGP/OSPF on it without a problem. I have several hundred users, and I have multiple VPNs on it and it hits about a constant 20% CPU utilization.

For the money they're pretty good routers. They come with 2 built in FE ports and have 2 module ports.

Bl8ckr0uter

Awesome burbankmarc! I'm still very much a noob at a lot of these things and since no one really knows about the network (the guy that knew left) , I guess I have to figure out these things on my own.

As far as IPS/IDS I will probably be using an additional device for that (probably a snort box) since we will probably have to keep this thing off our smart net for a while (at least a few months, budget issues). I will probably pick up 2 of them so I can swap it out just in case one dies.

I have to put together 3 proposals: 1: Optimize out 2610 (yuck!) 2: Get a 2800 series router or two, or 3: Hardcore BSD router.

burbankmarc

If you look at my avatar that's a 2811 next to my left eye.

But yeah I run the IPS on the router and I have a snort machine as well. Also on my snort machine I'm running Ntop which I would highly recommend.

Bl8ckr0uter

burbankmarc wrote: »

If you look at my avatar that's a 2811 next to my left eye.

But yeah I run the IPS on the router and I have a snort machine as well. Also on my snort machine I'm running Ntop which I would highly recommend.

NOOB ALERT: Why would you run an IPS/IDS on both places? Wouldn't that slow your network down some?

burbankmarc

The more security the better. Also, to be honest I'm not real up on Cisco's IDS implementation so I mostly use the snort box.

No slow down. The way I have it is 2811->3560->ASA->inside network. So on my 3560 I just setup a SPAN port and mirror all of the traffic into a promiscuous port on my snort box. The 3560 handles all traffic and you know how fast L3 switches are.

notgoing2fail

burbankmarc wrote: »

The more security the better. Also, to be honest I'm not real up on Cisco's IDS implementation so I mostly use the snort box.

No slow down. The way I have it is 2811->3560->ASA->inside network. So on my 3560 I just setup a SPAN port and mirror all of the traffic into a promiscuous port on my snort box. The 3560 handles all traffic and you know how fast L3 switches are.

Do you think the SPAN port increases CPU utilization at all?

Bl8ckr0uter

burbankmarc wrote: »

No slow down. The way I have it is 2811->3560->ASA->inside network.

We don't have a spare L3 switch but in concept this is close to what I want to do.

burbankmarc

notgoing2fail wrote: »

Do you think the SPAN port increases CPU utilization at all?

It pegs to 60% every now and again but for the most part it's a steady 10-20%. I'm not sure if that's the SPAN though.

Bl8ckr0uter

How difficult is doing a cut over to one of those devices from another router? Have you ever did a change like that?

burbankmarc

I assume you mean switching from your existing equipment? Well as long as you configure everything properly it should be pretty quick. Just make sure you schedule down time though just in case.

Bl8ckr0uter

burbankmarc wrote: »

I assume you mean switching from your existing equipment? Well as long as you configure everything properly it should be pretty quick. Just make sure you schedule down time though just in case.

Yea that's what I meant. TBH I'm a little nervous. I have never had to do anything like this. It will be the first time that I will be thee network guy so I'm really concerned about making it right.

burbankmarc

Keep your old router in place in case things go wrong so you can just move back.

But I doubt you'll have too much problems, it shouldn't be too big of a deal. Plus, good experience to get a high visibility project out of the way.

Bl8ckr0uter

Yep

its going to be put up or shut up time soon. I need to study the configs for our pix firewalls so I can make the cut over to our sonic walls boxes smooth as well.

notgoing2fail

knwminus wrote: »

Yep its going to be put up or shut up time soon. I need to study the configs for our pix firewalls so I can make the cut over to our sonic walls boxes smooth as well.

You are having a great learning experience! This is why you chose this profession!

What kind of sonicwall did you guys purchase? I have an old Pro 330!

Bl8ckr0uter

notgoing2fail wrote: »

You are having a great learning experience! This is why you chose this profession!

What kind of sonicwall did you guys purchase? I have an old Pro 330!

NSA 240. Its look pretty slick
Network Security, Firewall & Wireless - NSA 240 Appliance Details - SonicWALL, Inc.

notgoing2fail

knwminus wrote: »

NSA 240. Its look pretty slick
Network Security, Firewall & Wireless - NSA 240 Appliance Details - SonicWALL, Inc.

Wow that's pretty impressive.....makes my old Sonicwall look..well....old!!!

I didn't know they change their design like that.....

Bl8ckr0uter

notgoing2fail wrote: »

Wow that's pretty impressive.....makes my old Sonicwall look..well....old!!!

I didn't know they change their design like that.....

Yea. I've been reading the admin guides for it, it really is a cool device. I am looking over our old pix and trying to map out the commands so when I start configuring the Sonic Wall I can just pull the working config from the Pix. I've never worked on a pix so I've been doing a lot of googling.