Leased Line Hardware Choices?

We're about to start the proceedings at work to migrate from our packet combined 3x ADSL2+ lines (provided by fluidata, pulling about 25Mb/s down and 3Mb/s up) and our "backup" 4Mb leased line (again provided by fluidata, presented by Virgin Business), to a 100Mb leased line (fully managed).

This is my opportunity to get rid of the last remnants of our old network (namely an utterly garbage Sonicwall 3060 PRO, and a NexGate NSA-1041 packet combiner), and replace it with a new leading edge.

Now I know strictly I don't "need" another router between their managed endpoint and our perimeter network, and that a security appliance (such as a cisco ASA) would do, but would it be of benefit to have both a leading edge hardware firewall and a separate router?

What would you recommend? I'd prefer to stay Cisco as that's what I know from an administration point of view, but I'm by no means tied down by brand if a significantly better alternative presents itself (significantly being the key word).

Cheers for any advice you can give.
 
We use a Dell server running Linux and using IPTables.
No proprietary Cisco languages to worry about.
And you really can do anything you need to do with IPTables.
Also a lot cheaper.

We're currently in the process of replacing our 40mb/40mb connection with a 100mb/100mb one and we'll keep on using the Dell server.
 
Really not interested in "cheap", really not bothered about needing to know IOS, as I do. Really not looking to install something based on a full blown PC running open source software.

Please, stop recommending them, I'm really not interested in the slightest.

Medium to large scale business dedicated hardware solutions only, thanks.
 
Really not interested in "cheap", really not bothered about needing to know IOS, as I do. Really not looking to install something based on a full blown PC running open source software.

Please, stop recommending them, I'm really not interested in the slightest.

Medium to large scale business dedicated hardware solutions only, thanks.

Your original post didn't mention "dedicated hardware", so really no need to take that tone in your reply.
We are a medium scale business and we use the Dell server - so any ideas it's a cheap, small company solution is very incorrect.
 
just for the record pfsense is an enterprise level firewall. There is also dedicated racked and non-racked hardware available for it.

good luck on finding a cisco router that meets your needs. sorry to waste your time.

i spoke to the cisco firewall guys behind me at work, they suggested the Cisco ASA 5510 Firewall Edition - Security appliance
 
just for the record pfsense is an enterprise level firewall. There is also dedicated racked and non-racked hardware available for it.

No, just no. It's just not. No ASICs, none of the high level features, distinctly questionable reliability and support. It's not competition for any kind of enterprise product (then again, the number of REAL enterprise vendors is fairly small - Cisco, Juniper, Checkpoint, maybe Fortinet).
 
As for useful advice, well I don't have a lot of time for Cisco security appliances myself, they seem to lack features or performance as compared to most of the competitors in my opinion and I just don't like the management (no problem with IOS for routers but the PIX and ASA CLI just isn't intuitive or logical as a firewall config tool IMO).

If you do want Cisco then I can tell you the latest 2900 ISR routers are another good evolution on the line and performance is much improved over the 2800s. Whereas you needed a top of the line 2851 for guaranteed 100Mbps with voice previously you can now get it from a bottom of the line 2901. Firewalling will hurt performance if you have any size of rule set but they're good boxes.

I'd use a Juniper SRX for the job every time (JUNOS on a firewall for £1000? - there's nothing more you could want!) but I understand not learning something new from scratch (and in an office environment the little extras like CDP can make a one vendor approach worthwhile).

A separate router is most useful if you have diverse internet links and want to run some kind of routing protocol to balance them (you could do it with virtual routers / VRFs on the firewall too of course but sometimes you just want a separate box). We use iBGP for our WAN links to the core but don't run it on the office firewalls themselves as they OSPF with the other datacenter firewalls and need separate routing tables for each (and I preferred physical boxes to virtual routers for simplicity and performance).

So if you want Cisco, a 2901 is a good choice, as would be a mid range ASA if you can get on with them.
 
they offer enterprise level support on the pfsense website, where you actually speak to the devs. link

I don't see why you are so against pfsense. It is very secure and because it is open source it is constantly receiving updates. It also has a lot of packages like squid, wireshark and many many more. Great forum and great irc channel that offer support for free.

They take pride in calling themselves enterprise level firewall so i think it is not nice that you just say because it is opensource that it is not enterprise level. :(

i hear what you are saying though, and didn't want to hijack this thread with a pfsense debate, but just to answer your questions and respond...

what is "No ASICs, none of the high level features," if you would be so kind as to elaborate.
 
what is "No ASICs, none of the high level features," if you would be so kind as to elaborate.

Tried configuring BGP or multi area OSPF on a pfsense box? No vrouter/VRF support I know of, all sorts of stuff like that. It's at best an SME firewall and there are better off the shelf solutions for that in my opinion.

ASICs are chips which allow the interfaces to make forwarding decisions without reference to the CPU essentially, which is essential for a high throughput device especially if it's doing any kind of session aware work...
 
Routerboards support VRF, OSPF, BGP... even MPLS now and a whole host of other things :)

Firewall in them is still basically IP tables, but is pretty decent, and the QoS features are also well beyond what you get from anything like pF without some serious modification.

They're my current favourite choice when people can't afford "brand name" kit or where it simply isn't required.
 
It's got to be Cisco or Juniper here. Completely disregard Fortinet, and I have no experience of Checkpoint to talk about that at all.

We've got a few 55xxs in production and they just get on with the job faultlessly, although some of the way that ASA does things (compared to IOS) can be a little irritating at first. Throughput has never been an issue, although they don't tend to get hammered or have lots of VPNs on them.
 
Routerboards support VRF, OSPF, BGP... even MPLS now and a whole host of other things :)

Firewall in them is still basically IP tables, but is pretty decent, and the QoS features are also well beyond what you get from anything like pF without some serious modification.

They're my current favourite choice when people can't afford "brand name" kit or where it simply isn't required.

But when exactly is that? The OS is another pfsense alike, complete unknown quantity, unknown support, unknown ability. A Juniper SRX100 can do MPLS at the £350 price point, is superior in virtually every way (not to mention actually supporting ISIS which I consider a must have for IPv6 now) and if you aren't willing to spend £350 when your business depends on it working then my only recommendation is to reassess your priorities.

Fine if you want to mess around at home or it's a two men in a shed enterprise but it's not serious kit or a rival for serious kit.
 