Pix vs 2611xm w/ firewall (CBAC)

johnwest43 (Posts: 294, Member)
I'm sure there are a million answers to this but I am going to ask it anyway. For a home setup, can the 2611xm with the firewall feature compare to using a PIX 501? At the moment I don't have to permit any traffic from out to in. I also have an Easy VPN setup on the PIX to connect from remote locations using the Cisco VPN client, and DDNS running behind the firewall so I can connect. I have the 1 IP dynamic plan. Also, can the 2611xm do the DDNS for me?

Thanks guys

My current setup: Internet---> ATT DSL Modem--->Pix501---->LAN
Proposed setup: Internet--->2611xm (with WIC-1adsl)--->LAN
CCNP: ROUTE [x], SWITCH [x], TSHOOT [x] Completed on 2/18/2014

Comments

  • Forsaken_GA (Posts: 4,024, Member)
    It'll work, just be aware that the processor in the 2611xm is kind of weak, and if you make it perform firewall and NAT duties, depending on how much traffic you put through it, it may go wonky sometimes.
  • tiersten (Posts: 4,505, Member)
    You know the WIC-1ADSL only supports 8Mbps ADSL1, right? The ADSL2 WIC is the HWIC-1ADSL and that doesn't work in a 2600XM as it doesn't support HWICs.

    The PIX-501 is rated for 60Mbps cleartext and under 6Mbps if you're using crypto. DES is 6Mbps, 3DES is 3Mbps, AES-128 is 4.5Mbps and AES-256 is 3.4Mbps.
    The 2611XM is rated for 10Mbps which is with nothing enabled like the firewall and with 64 byte packets. I wouldn't attempt to use crypto on it unless you have a VPN AIM and even then you're unlikely to get very good performance.
  • johnwest43 (Posts: 294, Member)
    I am aware that it only supports up to 8Mb. ATT only offers 6Mb to our neighborhood. I currently have the 3Mb plan. So throughput won't be too bad for the 2611xm.
  • tiersten (Posts: 4,505, Member)
    johnwest43 wrote: »
    I am aware that it only supports up to 8Mb. ATT only offers 6Mb to our neighborhood. I currently have the 3Mb plan.
    Ah okay. Just checking :)
    johnwest43 wrote: »
    So throughput wont be too bad for the 2611xm.
    The rated forwarding performance is with nothing enabled. My old 1841 with everything enabled could only do 3-4Mbps but that was with IPS as well which is really CPU intensive.

    A very rough rule of thumb is that you halve the rated performance for each feature you enable. Firewall would be one and NAT would be another etc... The 1841 is rated for 38Mbps with nothing enabled according to the performance datasheet but Cisco only rate it as suitable for handling a single T1/E1 with features.

    You'll get better performance with what you've currently got IMO.
  • mgeorge (Posts: 777, Member)
    A 2611XM with NAT and IOS firewall would limit you down to around 3Mbps regardless due to performance of the platform. If you were to ever upgrade to 6Mbps then you'd have to disable IOS firewall.

    In all actuality it would probably be best if you got a PIX 506E and upgraded it to 64MB RAM and ran 7.1(2) on it (the latest image for 8MB flash/64MB RAM), then you can use the PIX as a transparent firewall and keep the router doing what it does best, routing.

    -Matt George
    There is no place like 127.0.0.1
  • johnwest43 (Posts: 294, Member)
    mgeorge wrote: »
    In all actuality it would probably be best if you got a PIX 506E and upgraded it to 64MB RAM and ran 7.1(2) on it (the latest image for 8MB flash/64MB RAM), then you can use the PIX as a transparent firewall and keep the router doing what it does best, routing.

    It just so happens that I have a 506e w/ 64MB RAM and 7.0.5 (the largest you can shoehorn in and still have VLANs).

    So how about this setup: Internet--->2611xm--->pix506e--->LAN

    As far as transparent mode, I have never tried that feature. What would you recommend for VPN? I assume that the PIX can't be set up in transparent mode and act as an Easy VPN server.

    Thanks again for all the input.


    Side note, would a 2620xm's performance be better than the 2611xm's? I know it supports more kpps, but is it a big enough difference?
  • Forsaken_GA (Posts: 4,024, Member)
    mgeorge wrote: »
    A 2611XM with NAT and IOS firewall would limit you down to around 3Mbps regardless due to performance of the platform. If you were to ever upgrade to 6Mbps then you'd have to disable IOS firewall.

    -Matt George

    Not entirely true. I used to run a 2611XM as my ISP border device, and I was able to put 6 megs through it with the firewall, NAT and NBAR all running. Anything more than that and the CPU spiked and I could no longer get SNMP off of it.
  • hypnotoad (Posts: 915, Banned)
    johnwest43 wrote: »
    Side note , would a 2620xm's performance be better then the 2611xm? I know it supports more kpps but is it a big enough difference?

    I think the 2620xm only has 1 FE compared to the 2611xm's two. Something to consider (in case you didn't know -- buying this stuff can be tricky, as many people have found out the hard way).
  • johnwest43 (Posts: 294, Member)
    +1 on the tricky side. I already have the 2620xm. I bought it last December for my CCNA lab. I think I am going to try using just the 2611xm for the DSL connection and firewall for now and try to monitor its performance with PRTG and see what I come up with.
  • johnwest43 (Posts: 294, Member)
    OK I tried it and the performance sucks!! Download speed was on par but latency while web browsing was horrible!!

    Next Security question for you guys.

    I currently have the 2611xm in bridging mode with ATM0/1 and fa0/1 bridged. Next in line, connected to fa0/1, is a PIX 515e doing all the PPPoE and PPP negotiations. FA0/0 on the 2611xm is connected to the inside network and running CME. I assume that this is still secure because the other 2 ports are in bridged mode with no IP address, therefore the outside world still has to pass through the PIX to gain access to the inside network. Does this sound correct? I tried to illustrate the topo below.

    Thanks
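    The bridged layout described in the post above, written out as an added example (this is not configuration from the thread). The interface names follow the post; the inside subnet 192.168.10.0/24, PVC 0/35, bridge group 1 and the ACL name are assumptions. The property worth checking is that the bridge group carries no IP address: `bridge irb` is on so IOS bridges IP inside the group instead of handing it to its own IP stack, there is no `bridge 1 route ip` and no BVI, so the router has no IP presence on the segment between the DSL line and the PIX. It still forwards every Ethernet frame between ATM0/1 and fa0/1, which is what the PIX needs for PPPoE, and its only addressable interface is fa0/0 on the inside.

```cisco
! Added example, not from the thread. Assumed: inside 192.168.10.0/24,
! PVC 0/35 (confirm VPI/VCI with the ISP), bridge group 1, ACL name VTY-INSIDE.
!
! Bridge IP at layer 2 inside the group; no "bridge 1 route ip", no "interface BVI1".
bridge irb
bridge 1 protocol ieee
!
interface ATM0/1
 description DSL line, bridged to the PIX outside interface
 no ip address
 dsl operating-mode auto
 pvc 0/35
  encapsulation aal5snap
 !
 bridge-group 1
!
interface FastEthernet0/1
 description To PIX outside, layer 2 only
 no ip address
 no cdp enable
 bridge-group 1
!
interface FastEthernet0/0
 description Inside LAN / CME
 ip address 192.168.10.1 255.255.255.0
 no ip proxy-arp
!
! Router management only from the inside subnet, SSH only.
ip access-list standard VTY-INSIDE
 permit 192.168.10.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class VTY-INSIDE in
 transport input ssh
!
! Checks after loading the config:
!   show bridge 1                      -> ATM0/1 and Fa0/1 listed as forwarding
!   show ip interface brief            -> ATM0/1 and Fa0/1 "unassigned"; only Fa0/0 has an IP
!   show running-config | include route ip|interface BVI   -> no output
!   show interfaces fa0/1 irb          -> ip listed under bridged, not routed, protocols
!   show cdp neighbors                 -> nothing learned on Fa0/1
```

    What this does not cover: the router's own services on fa0/0 (SSH, CME, SIP/SCCP, HTTP if enabled) are reachable by anything already on the LAN, and the bridged pair still exposes the router's MAC, ARP and spanning-tree behaviour at layer 2 on the outside segment. All inbound IP policy lives on the PIX.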
  • johnwest43 (Posts: 294, Member)
    Anybody have any thoughts?
  • semangka (Posts: 18, Member)
    johnwest43 wrote: »
    OK I tried it and the performance sucks!! Download speed was on par but latency while web browsing was horrible!!
    Thanks

    I'm running a 2611XM for home usage with CBAC and had some performance problems initially too.

    Some tips
    * MTU size on your dialer 1492?
    * tcp mss adjust - just in case

    But the biggest issue was that CBAC was dropping out-of-order TCP segments, which can be fixed with:

    * ip inspect name GNS fragment maximum 64 timeout 60 (might need IOS upgrade for that)

    Fine since ;)
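    The three tips above (dialer MTU, MSS clamping, fragment inspection) as one worked configuration, added here as an example; it is not from the thread and not the poster's config. It assumes the original proposed layout where the 2611xm itself terminates PPPoE on the WIC-1ADSL, inside subnet 192.168.10.0/24, PVC 0/35, inspection name CBAC, ACL names NAT-INSIDE and OUTSIDE-IN, and placeholder ISP credentials. With MTU 1492 on the dialer (1500 minus the 8-byte PPPoE header) the MSS clamp is 1452 (1492 minus 40 bytes of IP and TCP header).

```cisco
! Added example, not from the thread. Assumed: PVC 0/35, inside 192.168.10.0/24,
! names CBAC / NAT-INSIDE / OUTSIDE-IN, placeholder PPPoE username and password.
interface ATM0/1
 no ip address
 dsl operating-mode auto
 pvc 0/35
  pppoe-client dial-pool-number 1
!
interface Dialer1
 description PPPoE to ISP
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect CBAC out
 no cdp enable
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname user@isp.example
 ppp chap password 0 PPPOE-PASSWORD
!
interface FastEthernet0/0
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
!
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface Dialer1 overload
!
! Stateful inspection of outbound sessions; return traffic is admitted by the
! dynamic entries CBAC places in front of OUTSIDE-IN. The fragment line keeps
! state for up to 64 fragmented datagrams for 60 seconds instead of dropping them.
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
ip inspect name CBAC fragment maximum 64 timeout 60
!
! Nothing is opened from the outside; anything not matched by an inspection
! session is dropped and logged.
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
! Checks:
!   show interfaces Dialer1 | include MTU      -> MTU 1492
!   show ip inspect sessions                   -> one entry per outbound flow
!   show ip inspect statistics                 -> drop counters climbing means tune
!   show processes cpu sorted | exclude 0.00   -> CBAC/NAT load the thread warns about
```

    If the router is later made the Easy VPN server in place of the PIX, OUTSIDE-IN additionally has to permit udp/500, udp/4500 and ESP to the dialer address, and the crypto throughput figures quoted earlier in the thread apply.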
  • johnwest43 (Posts: 294, Member)
    Tried them all... no luck. I am also using the router as a CME router as well. The router's lag wasn't bad until I turned on telephony-services.

    Anyone else have any insight on the security issue I posted above about the bridge on the 2611xm?