Re: ISR vs router and pix

mike.eklund · ‎05-16-2007

Currently our network looks like the attached image (current.jpg)... pretty simple really.

But we are adding capacity from a 1.5Mbs T1 to fiber 10Mbs. The fiber connectivity is delivered via Ethernet, but we are still required to have routing equipment. They deliver the service routed behind our interface (E0 x.x.x.126). We will also be adding several NAT'ed VLANS to the area behind the firewall in the near future.

My initial thought was to use one of the Integrated services routers that has a firewall built in but I am not sure how the firewalling and NAT would work if they are delivering behind our side of the interface. Is it done with virtual interfaces? Would we need to add a switch module to the router? Would we be better off with a more traditional router and a pix?

spremkumar · ‎05-16-2007

Hi Mike

Since the Bandwidth you are going to have in your site is more i would suggest to go for individual devices to take care of the functionalities like routing/security instead loading all the functionalities onto a single device which could make the device to hang or freeze up..

On the operations point of view too you will have ofcourse multiple devices but you will be able to figure out what has went wrong or the possible reason for the problems instead having all the functionalities in a single device and hitting the bush :-) ..

regds

desai.jaideep · ‎05-17-2007

Hi

Actually I had recently attended a meeting at cisco where they were promoting ISRs. They had shown some statictics from third party tests that a 3845 can sustain a WAN link of 50 Mbps with concurrent voice,video and data applications running.

Pls check the following links for the test reports:

http://www.cisco.com/en/US/products/hw/routers/networking_solutions_products_generic_content0900aecd803abfde.html

Also I was seeing your diagram. You have mentioned a subnet of C class. Which means your network consists of not more than 254 computers. Even if we provision expansion, then also I think ISRs are right choice for you.

I think you should definately go for ISR. This will help you save lot of money.

Regards

JD

mike.eklund · ‎05-17-2007

Link says that a 2851 can handle 20Mbs... I was leaning toward a 2821, no report on what it can handle.

I am curious about how the NAT'ing and firewalling is handled in the ISR. Is it through virtual (logical) interfaces, or would you need a switch module in the router?

desai.jaideep · ‎05-17-2007

Hi

NATing and firewalling do not require ESW. For a basic NAT and implementing firewall, you require at least 2 ethernet ports, which is already available in 2821.

Have I answered your question? If not please explain in detail .

Regards

JD

mike.eklund · ‎05-17-2007

Thanks for your patience.

In my current setup I have all of my machines behind a firewall with port forwarding to select services. My new isp is used to traditional routers, they tell me that they will route my ip block (a /27) to behind my interface (x.x.x.126) in my attached picture. I guess I am just hung up on understanding how the configuration would look with routing, firewall, and NAT with an ISR. I will be breaking new ground and wont be able to count on my ISP for help on this as they dont know anything about the ISRs.

desai.jaideep · ‎05-17-2007

Hi

I am sorry I cant post my configs to you but here is a link which can help you. Its of a router with firewall and about the same setup which you will have.

http://www.akadia.com/services/cisco_router_firewall.html

Hope that will help.

pls rate if I have helped.

Regards

JD