
Is ISR1100 + FPR1010 Overkill for Home Use?

TheGoob
VIP

Hello

So I know generally speaking it is overkill especially in home use but aside from wanting to have fun and the learning experience, I wonder if it is actually slowing things down and really too costly of overhead for a 40/5 MBps DSL.

My setup is the ISR is the PPPoE and the routing and NAT and ACL’s and the FPR is really just a 2nd set of ACL/Protection.

The ISR is the first line of defense with the OUT to IN ZBF and the FPR does have more “localized” LAN based access.

But I will say I notice funky lags and dead spots (internet is up but it just, dies) and then comes back. Yeah it could be a misconfigured rule but really, is this simply just overkill? 

Now, the FPR is then connected to a SG350XG which it in itself is what handles the DHCP Servers as I have 8 static ips (6 usable) and have 6 networks.

 

Anyway, what do you think? 

8 Replies

Sheraz.Salim
VIP Alumni

Your setup with an ISR (Integrated Services Router) handling PPPoE, routing, NAT, and ACLs, followed by an FPR (Firepower) for additional protection, is indeed quite nice and impressive for a home network, especially with a 40/5 Mbps DSL connection. While this configuration offers enhanced security, it may be introducing unnecessary complexity and potential performance issues.

Here are some of my thoughts on your setup:

  • Performance Impact: The multiple layers of security (ISR ZBF, FPR ACLs) could be contributing to the "funky lags and dead spots" you're experiencing. Each device in the chain adds some processing overhead and latency.
  • Complexity vs. Benefit: For a home network, this level of security might be overkill. A single, well-configured firewall/router is typically sufficient for most home environments.
  • Troubleshooting Challenges: With multiple devices handling security, it can be more difficult to pinpoint the source of issues when they arise.
  • Resource Utilization: Both the ISR and FPR are enterprise-grade devices designed to handle much higher throughput. They may be underutilized in a home setting with a 40/5 Mbps connection.
  • Cost-Effectiveness: The power consumption and maintenance of multiple devices might not be justified for a home network.

Recommendations:
Simplify Your Setup: Consider consolidating your security to a single device, preferably one designed for home/small office use that can handle your 40/5 Mbps connection efficiently.
While your current setup is an excellent learning experience, it may be introducing more complexity than benefit for a home network. Unless you have specific security requirements that necessitate this level of protection, a simpler, more streamlined approach might provide better performance and easier management without significantly compromising security for your home network needs.

You can also look into a virtual router/firewall running on VMware or Microsoft Hyper-V; this will be more cost effective and more cost efficient if you are doing this only for learning purposes.

Please do not forget to rate.

Fantastic response, and makes a lot of sense. I do agree it is overkill and really not the place for a home network but I just love exploring all these devices, but yeah it seems it is making the home internet usage not too enjoyable (and getting yelled at cause of the lag spikes). I really need to determine which would be best either the ISR or FPR as my Router/Firewall or indeed try to go VM instance. I have a nice HPE Proliant with sufficient RAM and CPU’s available so I could take that approach.
Thank you for the input. Maybe when we get fiber here it’ll be worth the current situation. 

This sounds like the perfect setup to keep behind a single firewall, on a separate VLAN, in a "lab" kind of setup. I have just the same, with a few ISRs (4321, 1921, 891). Been practicing IKEv2 and RADIUS auth on them lately, and soon want to dive into MPLS.

(Tip: I've been where you are in regards to getting yelled at by friends/family. Best to keep your lab setup independent of the internet setup).

TheGoob
VIP

Hello

So, what I am planning on doing right now is simply using my DSL MODEM [Bridge] - Cisco ISR C1111 and eliminating the FPR1010 for right now. I do have ZBFW on the ISR so I assume that will be secure. I can not explain it but when I use my OPNSense firewall I never have lag spikes, but I am using a router I do not want to. But when I use the ISR/FPR combo, I get this sick crazy 100 to 3000 ms lag spikes up and down for like 30 minutes here and there... I am not implying it is Cisco rather than #1 something I have configured wrong or #2 as mentioned prior, maybe it is simply overkill using ISR and FPR on a 40/5 Connection. So, I will eliminate FPR and see if lag spikes go away. If they do NOT, then I will, if I can remember how I did it, configure the FPR with PPPoE and eliminate the ISR.

You can take the approach you mentioned and see if you experience any more delays.

You could also use only the FPR which knows routing, PPPoE for ISP connectivity and it's very secure.

Regards, LG
*** Please Rate All Helpful Responses ***

Is that an indirect suggestion to use the FPR over the ISR?

I am really, really regretting why I did not save or if I did where the backup is where I had it [FPR] all configured the way I wanted. I am scanning old posts of mine for if I had posted my running-config but to no avail, unless it is in some obscure topic really not related.

FPR;

PPPoE, 6 VLANS w/ 6 DHCP Servers [each Interface its own vlan/network].

Depending on situation, I have various Switches I can plug into any given Interface.

If I recall, I want to do NAT I.E x.x.x.177 [WAN] to 192.168.1.0/24 [LAN] that way in this example anything 1.0 Network associates with .177 WAN and then of course I would need ACL's for any given Access needed. oi vei I wish I was smart enough to have saved this.

What I'm suggesting is this - it's much easier to troubleshoot a network if the setup is a simple one. 

You have two layers of firewall, the ISR running ZBF and the FPR; let's keep one of them, FPR for example, reconfigure the network in order to move essential services from the ISR - PPPoE, NAT, routing - and after that test if your delays are still present.

Before you start with the reconfiguration, save the configs of the equipment involved (FPR) and make a diagram of your existing network with port numbers and link between equipment.

What do we learn from this? Two possible things:

1. if the problem disappears, then the culprit points to the ISR

2. if the problem is still there, then the FPR and/or switches may be to blame

HTH

Regards, LG
*** Please Rate All Helpful Responses ***
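To make the before/after comparison in the isolation test above measurable, here is an added example (not part of the original thread or any poster's code): it parses captured Linux/macOS-style `ping` output for each topology and reports loss and runs of slow probes. The sample captures, the 192.0.2.1 target and the function names are constructed for illustration.

```python
import re
from statistics import median

# Reply lines as printed by Linux/macOS ping: "... icmp_seq=7 ttl=57 time=23.4 ms"
REPLY = re.compile(r"icmp_seq=(\d+).*?time=([\d.]+) ms")

def parse_ping(text):
    """Return {seq: rtt_ms} for every reply line in captured ping output."""
    return {int(m.group(1)): float(m.group(2)) for m in REPLY.finditer(text)}

def summarize(text, spike_ms=100.0):
    """Median RTT, lost probes and runs of bad probes for one capture."""
    # "Bad" = reply missing or RTT >= spike_ms (100 ms: low end of the reported spikes).
    rtts = parse_ping(text)
    if not rtts:
        return {"median_ms": None, "lost": 0, "spikes": 0, "episodes": []}
    first, last = min(rtts), max(rtts)
    episodes, start = [], None
    for seq in range(first, last + 1):
        bad = seq not in rtts or rtts[seq] >= spike_ms
        if bad and start is None:
            start = seq                      # a run of bad probes begins
        elif not bad and start is not None:
            episodes.append((start, seq - 1))
            start = None
    if start is not None:                    # capture ended during a bad run
        episodes.append((start, last))
    return {
        "median_ms": median(rtts.values()),
        "lost": (last - first + 1) - len(rtts),
        "spikes": sum(1 for r in rtts.values() if r >= spike_ms),
        "episodes": episodes,
    }

# Constructed sample captures (not from the thread): same target, two topologies.
WITH_BOTH = """\
64 bytes from 192.0.2.1: icmp_seq=1 ttl=57 time=24.1 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=57 time=310.0 ms
64 bytes from 192.0.2.1: icmp_seq=3 ttl=57 time=2950.2 ms
64 bytes from 192.0.2.1: icmp_seq=5 ttl=57 time=26.0 ms
64 bytes from 192.0.2.1: icmp_seq=6 ttl=57 time=25.3 ms
"""
ONE_FIREWALL = """\
64 bytes from 192.0.2.1: icmp_seq=1 ttl=57 time=23.9 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=57 time=25.0 ms
64 bytes from 192.0.2.1: icmp_seq=3 ttl=57 time=24.4 ms
"""

if __name__ == "__main__":
    print(summarize(WITH_BOTH), summarize(ONE_FIREWALL))
```

Capture each topology for the same duration and against the same target so the episode counts are comparable; probes lost before the first or after the last reply are not counted.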

nomorenoless
Level 1

While your question is legitimate (ISR1100 and FPR1010 might be considered overkill for a typical home network) they offer a fantastic opportunity for learning and experimentation, especially if you're interested in networking.

Is it Overkill?

  • Capabilities: These devices are quite powerful and provide advanced features like robust security, extensive routing capabilities, and comprehensive network management. They are designed for small to medium business environments, but that doesn't mean they can't be used at home.
  • Performance: For a 40/5 Mbps DSL connection, these devices will handle your traffic effortlessly without becoming a bottleneck. However, make sure your configuration is optimized.

Considerations:

  • Learning Experience: Using these devices allows you to gain hands-on experience with Cisco's enterprise-level features, which is invaluable if you're pursuing a career in networking.
  • Configuration: Since you're noticing lags and dead spots, I recommend reviewing your configuration for any misconfigured rules or settings that might be affecting performance.

Recommendations:

  • Licensing: To fully utilize the FPR1010, consider subscribing to a license such as the L-FPR1010T-TMC-1Y for the first year. This will enable additional features and support.
  • Resources: Check out YouTube for tutorials and walkthroughs on configuring the FPR1010. There's a wealth of knowledge available that can help you make the most of your setup.
  • Purchasing Advice: Shop around for licenses and support. NOTE: AVOID CDW. While CDW is a popular supplier, you might find better deals and support elsewhere.

Ultimately, these devices can serve as an excellent introduction to the Cisco environment, providing you with a strong foundation in networking. Enjoy the journey!

I hope this helps!
