Re: Is ISR1100 + FPR1010 Overkill for Home Use?

TheGoob · ‎01-30-2025

Hello

So I know generally speaking it is overkill especially in home use but aside from wanting to have fun and the learning experience, I wonder if it is actually slowly things down and really too costly of overhead for a 40/5 MBps DSL.

My setup is the ISR is the PPPoE and the routing and NAT and ACL’s and the FPR is really just a 2nd set of ACL/Protection.

The ISR is the first line of defense with the OUT to IN ZBF and the the FPR does have more “localized” LAN based access.

But I will say I notice funky lags and dead spots (internet is up but it just, dies) and then comes back. Yeah it could be a misconfigured rule but really, is this simply just overkill?

Now, the FPR is then connected to a SG350XG which it in itself is what handles the DHCP Servers as I have 8 static ips (6 usable) and have 6 networks.

Anyway, what do you think?

Sheraz.Salim · ‎01-31-2025

Your setup with an ISR (Integrated Services Router) handling PPPoE, routing, NAT, and ACLs, followed by an FPR (Firepower) for additional protection, is indeed quite nice and impressive for a home network, especially with a 40/5 Mbps DSL connection. While this configuration offers enhanced security, it may be introducing unnecessary complexity and potential performance issues.

Here are some of my thoughts on your setup
Performance Impact, The multiple layers of security (ISR ZBF, FPR ACLs) could be contributing to the "funky lags and dead spots" you're experiencing. Each device in the chain adds some processing overhead and latency.
Complexity vs. Benefit, For a home network, this level of security might be overkill. A single, well-configured firewall/router is typically sufficient for most home environments.
Troubleshooting Challenges, With multiple devices handling security, it can be more difficult to pinpoint the source of issues when they arise.
Resource Utilization, Both the ISR and FPR are enterprise-grade devices designed to handle much higher throughput. They may be underutilized in a home setting with a 40/5 Mbps connection.
Cost-Effectiveness, The power consumption and maintenance of multiple devices might not be justified for a home network.

Recommendations:
Simplify Your Setup: Consider consolidating your security to a single device, preferably one designed for home/small office use that can handle your 40/5 Mbps connection efficiently.
While your current setup is an excellent learning experience, it may be introducing more complexity than benefit for a home network. Unless you have specific security requirements that necessitate this level of protection, a simpler, more streamlined approach might provide better performance and easier management without significantly compromising security for your home network needs.

you can also look into virtual router/Firewall running on vmware or Microsoft hyperV this will be more cost effective and more cost efficient as if you doing only this for learning purpose.

please do not forget to rate.

TheGoob · ‎01-31-2025

Fantastic response, and makes a lot of sense. I do agree it is overkill and really not the place for a home network but I just love exploring all these devices, but yeah it seems it is making the home internet usage not too enjoyable (and getting yelled at cause of the lag spikes). I re ally need to determine which would be best either the ISR or FPR as my Router/Firewall or indeed try to go VM instance. I have a nice HPE Proliant with sufficient RAM and CPU’s available so I could take that approach.
Thank you for the input. Maybe when we get fiber here it’ll be worth the current situation.

train00wreck · ‎01-31-2025

This sounds like the perfect setup to keep behind a single firewall, on a separate VLAN, in a "lab" kind of setup. I have just the same, with a few ISRs (4321, 1921, 891). Been practicing IKEv2 and RADIUS auth on them lately, and soon want to dive into MPLS.

(Tip: I've been where you are in regards to getting yelled at by friends/family Best to keep your lab setup independent of the internet setup).