Solved: Router C892FSP-K9 features

Jaro · ‎01-16-2018

Hello All,

I´m trying to choose some router for small office with 25-50 users, I´m thinking about this device:

C892FSP-K9, questions are :

1. Is it possible to make HA (active/standby as on cisco ASA) with this devices, guess it is not possible but I need some confirmation, because I cannot find nothing about that.

2. Do you know some cisco routers with similar price (maybe little bit higher), which will be capable working at least active/standby.

3. Is Anyconnect SSL VPN, supported by this router or is there any option to use AnyConnect VPN?

Thank you in advance

Mark Malone · ‎01-16-2018

Hi
you would need two of them for active active or active standby design , it could be achieved using GLBP or HSRP , that would be hardware redundant , not same as ASAs though

You could also just connect 2 ISP lines to one device and have them both active active or failover between them for resiliency

yes they support ssl see the data sheet below for 890 series
https://www.cisco.com/c/en/us/products/collateral/routers/800-series-routers/data_sheet_c78-519930.html

View solution in original post

Mark Malone · ‎01-16-2018

What do you mean with "just connect 2 ISP lines to one device". It makes sense if I have 2 ISP lines and connect them first line to first R and second line to second R.
Yes exactly 2 routers would be best but some people may not have budget for 2 devices so the other option would be connect 2 lines to the same device with 2 different ISPs for some form of resiliency

So with GLBP you could have both routers active at the same time both sending traffic out there own wan circuits , with HSRP only 1 router is active at a time , if one fails either by tracking a route upstream or even the hardware itself fails the second router becomes active, you could use the features such as ip sla with tracking to initiate the instant fail over to the other router , design would look a bit like below , the LAN would be split across the 2 routers with say .251 on 1 lan interface of routerA and .252 on 1 lan interface of routerB and then they both share a VIP address .254 that the lan users point too so no matter which router is up and active they can get out of the lan to the wan

View solution in original post

Mark Malone · ‎01-16-2018

Hi
you would need two of them for active active or active standby design , it could be achieved using GLBP or HSRP , that would be hardware redundant , not same as ASAs though

You could also just connect 2 ISP lines to one device and have them both active active or failover between them for resiliency

yes they support ssl see the data sheet below for 890 series
https://www.cisco.com/c/en/us/products/collateral/routers/800-series-routers/data_sheet_c78-519930.html

Jaro · ‎01-16-2018

Thanks for answer, okay imagine that I have 2x C892FSP-K9, how they will cooperate? when one of them will "die", they will not have same configuration, so how I will ensure routing to the ISP (ther is only static route, to the provider. (maybe floating route).

What do you mean with "just connect 2 ISP lines to one device". It makes sense if I have 2 ISP lines and connect them first line to first R and second line to second R.

Mark Malone · ‎01-16-2018

What do you mean with "just connect 2 ISP lines to one device". It makes sense if I have 2 ISP lines and connect them first line to first R and second line to second R.
Yes exactly 2 routers would be best but some people may not have budget for 2 devices so the other option would be connect 2 lines to the same device with 2 different ISPs for some form of resiliency

So with GLBP you could have both routers active at the same time both sending traffic out there own wan circuits , with HSRP only 1 router is active at a time , if one fails either by tracking a route upstream or even the hardware itself fails the second router becomes active, you could use the features such as ip sla with tracking to initiate the instant fail over to the other router , design would look a bit like below , the LAN would be split across the 2 routers with say .251 on 1 lan interface of routerA and .252 on 1 lan interface of routerB and then they both share a VIP address .254 that the lan users point too so no matter which router is up and active they can get out of the lan to the wan

Jaro · ‎01-16-2018

Thanks for answer, and one more question, what is different between ASA active/standby and hsrp or glbp ? two ASAs are in one stack and they have same configuration, but what are advantages ?

And last question, if I will think about ASA, why should I choose ASA instead of router with IPS, zone based firewall....this one is classic question difference between Firewall and Router, but I cannot find some comprehensive answer, if you have some link please share with me.

Thank you for help Mark !

Mark Malone · ‎01-16-2018

the ASA is built to be more resilient and its an identical failover for HA

From DOC
High availability (HA) is not a standalone feature, but instead an approach to implementing a variety of interrelated features as tools to ensure business resilience and maintain end-to-end availability for services, users, devices, and applications.

The 2 features HSRP and GBLP are FHRP protocols which allows for transparent failover in routing scenarios

And last question, if I will think about ASA, why should I choose ASA instead of router with IPS, zone based firewall....this one is classic question difference between Firewall and Router, but I cannot find some comprehensive answer, if you have some link please share with me.

I dont have a document answer for this , but i have seen when using routers with IPS they performance gets seriously degraded because they have to deep-dive the packet for inspection which slows down the forwarding process while the ASA is built for that and can do it much quicker , routers should route and firewalls protect in my opinion , in smaller SOHO offices that fine using a small router with IPS as budget my predict that and it becomes to expensive to route have them everywhere or what some do is build tunnels from SOHO office routers through the FW in HQ so they can still get the benefits of both and keep budget down

Jaro · ‎01-17-2018

Thanks for answer, last question about C892FSP-K9: how many AnyConnect VPN clients could be connected, is there any licensing as on cisco ASA ?

Thank you

Mark Malone · ‎01-17-2018

Yes you need an ssl license for vpn heres the specific doc , 25 or 10 as below

https://www.cisco.com/c/en/us/products/collateral/routers/800-series-routers/white_paper_c11_499859.html

Cisco IOS SSL VPN License
Cisco IOS SSL VPN is the first router-based solution offering Secure Sockets Layer (SSL) VPN remote-access connectivity integrated with industry-leading security and routing features on a converged data, voice, and wireless platform. SSL VPN offers mobile workers a flexible, secure VPN alternative whereby the security is transparent to you and easy for IT to administer.
With Cisco IOS SSL VPN, you gain access securely from home or any Internet-enabled location such as wireless hotspots. Cisco IOS SSL VPN also can enable your company to extend corporate network access to offshore partners and consultants while keeping corporate data protected.
All Cisco IOS SSL VPN features are included in a single, cost-effective license that is purchased separately. There is no software key to enable the feature. You can purchase the 25- or 10-user SSL VPN Feature License for the Cisco 890 and 880 Series directly from the Cisco.com configuration tool. For more details, please visit: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/product_data_sheet0900aecd80405e25.html.