Router selection assistance

Posted on 2010-01-05
Last Modified: 2012-05-08
We are a business with 5 small locations (5-15 users per location), and are in the process of replacing our site-to-site VPN solution at all locations with an MPLS + internet solution from a new provider.  My question is regarding which routers to purchase.  I have experience with Cisco equipment (albeit a number of years ago), so thats the direction Im currently leaning.  However, I am open to other options as well.

We will initially have a single T1 delivered to each location, each T1 carrying interoffice MPLS data and public internet on the same circuit.  As I understand it, the internet and private network streams will be encapsulated separately via frame relay encapsulation using different DLCIs to keep them isolated from each other.  Our service provider has recommended that we have our edge router dedicated to routing alone, and have it route interoffice (MPLS) traffic onto one inside Ethernet interface and internet traffic onto another inside Ethernet interface; then connect a firewall (e.g. ASA 5505) to the inside internet interface.  To me, it makes more sense to consolidate firewalling and routing on the same platform using IOS firewalling and have a single-box solution at each location (delivering everything to a single inside Ethernet interface), but am again open to suggestions.

The HQ site will begin with a single T1 just like the 4 remote sites, but I eventually see additional bandwidth into the MPLS cloud being necessary at HQ (and possibly at the remote sites as well).  So, I need some expansion room everywhere, but probably more at the HQ site.

If firewalling and routing is consolidated on the same device at each location, I want to make sure the solution I choose is fast/robust enough to handle routing, firewalling, QoS, etc. (with only a T1 or two at each site, it seems this is easy enough with most any solution??).

My current line of thinking is to choose one of the following options (listed in order of increasing cost).  Common to each of these options would be a) a single Cisco T1 HWIC card for each router, and b) the advanced security IOS image for that particular model (for firewalling):

4 x Cisco 1841 (remote sites, 2 HWIC slots) + 1 x Cisco 2901 (HQ Site, 4 EHWIC slots)
4 x Cisco 1941 (remote sites, 2 EHWIC slots) + 1 x Cisco 2901 (HQ Site, 4 EHWICH slots)
5 x Cisco 2901 (all sites, 4 EHWIC slots)

I like the idea of the 2901 at the HQ site since it has four slots (and it a new Gen2 ISR).  Is it also a good idea to use Gen2 ISRs everywhere for more future-proofing, or completely unncecesary?  For what its worth, the 1941 seems to be brand-spankin new and is not currently in stock through my normal channels.

Lastly, I also would like to consider eventually purchasing broadband at each location (cable, DSL, etc. depending on site) and have a failover site-to-site VPN solution in place in case the primary T1 fails.  Each of the aforementioned routers has a second Ethernet interface, so I assume I can use it to connect to a cable modem, etc.

As I mentioned previously I am accustomed to Cisco, however I am willing to consider other options if someone has a recommendation.
Question by:BClarkIndy
    LVL 22

    Accepted Solution

    There's absolutely nothing wrong with the 2nd generation ISRs, though they are still a bit wet behind the ears so-to-speak.  This means that not only are they largely untested in the field, but also that they are rather scarce.  There's certainly nothing wrong with looking at the 1st generation ISRs (the 2821 is largely comparable if you want the gigabit connectivity) as a strategy either.

    I agree with consolidating the Firewall into the router, especially if you have some prior IOS experience.  The ASA is a perfectly good platform, but it is a bit different from the router platform and takes a bit of getting used to.  There's something to be said for having a single, cohesive platform to manage...  and if you're just looking for firewall functionality, the IOS Firewall is perfectly good.

    With only T1 bandwidth to consider, just about any of the T1-capable ISRs that you've mentioned will do the trick and will allow broadband failover.  I have a number of installations that do this with multiple broadband links, so you've got nothing to worry about there.

    Personally, I would look at your first option but go  with a 2811 or 2821 at your HQ site.  You still get the 4 HWIC slots, the VPN acceleration and the expandability without having to worry about whether you can find the hardware.  Cisco has indicated that they have no immediate plans to phase out the 1st generation ISR technology, so future-proofing isn't as big a concern as might be expected...  though the x9xx series *is* pretty nice.  :)

    If you're looking at non-Cisco options, there are a number of them but I would focus on supportability.  Make sure that whatever you're considering offers support agreements that will minimize any potential downtime for your network.  You can get up to 2-hour response on the ISR units, which is a nice safety net should there be a hardware failure.

    Author Closing Comment

    Thanks for the informative reply!  It sounds as though I'm on the right track, and should have no problems leaning towards the x8xx series.  I just checked provantage, and they have the 2901 in stock and cheaper than the 2811, so I'll still need to think about the HQ router, however I will definitely pull the trigger on the 1841 at the remote sites.  Thanks!

    Featured Post

    Why You Should Analyze Threat Actor TTPs

    After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

    Join & Write a Comment

    The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
    There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now