L3 Switches and Firewall

[GhostlyPea]

I'm looking at expanding my knowledge and the next logical step would be for me L3 switching and firewalls. Budget of around £300 and looking for minimum 2 x L3 switches and a firewall. The switches need to be Cisco as I intend to use them when I do my CCNP but the firewall I'm open to. Not sure whether a Juniper or a PIX?

I've seen a Cisco 501 for around the £70 maek, that sound like a good deal? Any recommendations on the rest for features?

Cheers guys

- Pea0n

 

[Arthalen]

I'd suggest a Pix's for Firewalls, have a pair myself for future study after my CCNA, but also might want to grab a cheap Watchguard box, I know there used in a couple of different companies and we use them.

Depending on the box (of course), they've been really useful for new offices that we've integrated into the company and want to extend just some temporary Intranet access to until we integrate the full whole hog with dedicated MPLS connection and so on.

 

[bigredshark]

Depends what you want to do, the problem with Juniper these days is that ScreenOS will be phased out in favour of an entirely JUNOS based product line and the new JUNOS units are still very expensive. JUNOS is a fantastic OS though and it runs right through Juniper's product line to stuff like the $1m T series routers so it's great to know. (and Juniper certified engineers are rare still, I have a JNCIE and far more people ask about it than my Cisco qualifications.

Cisco, you're in trouble for l3 switches. Cisco currently have the 3560, 3750 and 4900 as the only non chassis layer 3 switches. There are older models, I believe there was a 2948 layer three switch which is probably the cheapest you'll find on ebay but I don't know about feature set and I don't recall them being that popular. Basically you need to spend more unfortunately...you'll struggle to get even one which is good enough for CCNP purposes in your budget.

 

[bigredshark]

I'd suggest a Pix's for Firewalls, have a pair myself for future study after my CCNA, but also might want to grab a cheap Watchguard box, I know there used in a couple of different companies and we use them.

Depending on the box (of course), they've been really useful for new offices that we've integrated into the company and want to extend just some temporary Intranet access to until we integrate the full whole hog with dedicated MPLS connection and so on.

Well each to their own but I really really hate PIXs, they also don't bear a huge resemblance to other manufacturers firewalls. Avoid Sonicwall and Watchguard though, they're not enterprise kit and have limited market penetration. They're also basic that if you need to work with one you can pick it up as you go.

Juniper are really widely used these days, PIXs (or actually ASAs now) are widely used enough to be worth knowing despite their failings. Checkpoint are the other big enterprise name and career wise can be very useful to know.

 

[DRZ]

Not sure what to suggest on the pix front, the 501 is a pretty poor device IIRC. The better PIX devices start to eat up significant amounts of your budget!

L3 switching could be a problem for that budget really unless you get lucky - 2948G-L3 springs to mind as the switch to go for in your budget but they dont come up all that often on the bay.

 

[bigredshark]

L3 switching could be a problem for that budget really unless you get lucky - 2948G-L3 springs to mind as the switch to go for in your budget but they dont come up all that often on the bay.

That was what I was thinking off, but they were never very popular as I recall. Also, aren't they old enough that they actually ran CatOS??

 

[bigredshark]

There is a possibility I might be able to help you out with a firewall though, we have piles of old PIX515Es lying around we'll likely have to dispose off sometime soon. If they're being written off anyway then I should be able to sort you one for postage costs or something like that, they were fairly high end units once upon a time.

Don't hold me to it, it'll likely be january before I can confirm as well as I'll need to get a director to sign off on the disposal and they've all gone for christmas already.

 

[DRZ]

That was what I was thinking off, but they were never very popular as I recall. Also, aren't they old enough that they actually ran CatOS??

Pretty sure they run IOS 12.1, maybe 12.2. The non-L3 runs IOS I think (there is one in my living room).

I'd probably suggest a 3550 or something for L3 switching duties, but they are well and truly over your budget!!

 

[bigredshark]

Pretty sure they run IOS 12.1, maybe 12.2. The non-L3 runs IOS I think (there is one in my living room).

I'd probably suggest a 3550 or something for L3 switching duties, but they are well and truly over your budget!!

Having looked, it does run IOS it seems, but it's missing some features (BGP is a big one which might be a problem depending how you choose to set up your CCNP lab). Does need a 3550 or similar I think...

 

[psd99]

Whatever you do don't get a PIX 501 it is really useless. If you want a pix then perhaps 506 or 515 if not ASA all the way but they are a bit more pricey.
I use a ASA 5505 and ASA 5510 a lot in my line of work and they are great.

 

[GhostlyPea]

Well the budget isn't fixed to be honest, was more a stab figure. I have the money to buy what's needed, doesn't need to be top notch though as its just for training and I'm trying to save for a holiday

The firewall I'm after just for experience (although ofc if one is going for disposal bigred, then I'm sure we might be able to come to some arrangement ). Would it be worth getting a cheapo Juniper model and a PIX to at least test the basic feature sets and test setting up a VPN link etc? Considering basic Junipers can be had for very little money might be an idea

The switches are more important just to support the features needed for my CCNP really. Its more the model recommendation really as I can always grab one and another later.

Whilst Im on the subject, my 2500s obviously won't cut the mustard any more. 2600 series mixed with some 1700/1800s should be OK though?

Cheers for the help so far guys

- Pea0n

 

[GhostlyPea]

Just had a look on the bay, can get an ASA 5505 for under £300 itself. I'm assuming that would be a worthwhile investment assuming bigred can't help with a 515?

- Pea0n

 

[DRZ]

Just had a look on the bay, can get an ASA 5505 for under £300 itself. I'm assuming that would be a worthwhile investment assuming bigred can't help with a 515?

- Pea0n

The base ASA5505 only supports 2 or 3 VLANs, 10 connected IPs and is basically useless as a result! Thankfully, there is a 5505 version (Adv Sec) that doesnt have these limitations!

 

[GhostlyPea]

Well the performance and volume of features isn't really a problem for me as its purely academic or maybe it will get used at home, no more than 3 users so that's not such an issue providing it has all the features available to learn, even if its limited ^

the bay seems to have 10/50 user models...

- Pea0n

 

[DRZ]

If you dont plan on testing anything with it then thats fine, but if you do plan on it then I'd really strongly suggest that you get thet better model!

 

[GhostlyPea]

Well cheers for the info, Ill have a look around and see what I can find. The bay has a lot of basic stuff but not a lot of variety, what it does have is well out of my price range. Might be able to ninja something from work or bigred

- Pea0n

 

[Dist]

There is a possibility I might be able to help you out with a firewall though, we have piles of old PIX515Es lying around we'll likely have to dispose off sometime soon. If they're being written off anyway then I should be able to sort you one for postage costs or something like that, they were fairly high end units once upon a time.

Don't hold me to it, it'll likely be january before I can confirm as well as I'll need to get a director to sign off on the disposal and they've all gone for christmas already.

Have you had a chance to check with a director if you can dispose of the PIX515Es for postage costs or something? Would love to get my hands on one of these, I've never had a chance to learn to use a PIX or ASA type device yet.

Also, congrats on the Man of honour 2009, you and the others who were lucky enough to be selected deserve it.

 

[GhostlyPea]

As Dist says relly, gratz on the award and any idea on those firewalls?

- Pea0n

 

[bigredshark]

I will be looking into this week but I'm not back in the office till tomorrow and I think my boss is still in the US until later in the week, but we're certainly getting rid of them one way or the other so I'll let you as soon as I know!

 

[GhostlyPea]

Awesome sauce let me know if anything else is being disposed of ^

Cheers again dude

- Pea0n