Cisco 2811 as a Backup Router - Need Security Package?

Posted on 2010-08-30
Medium Priority
Last Modified: 2012-05-10
I currently have a Cisco 2811. It's just a basic Cisco 2811, no special stuff, just "Cisco 2800 IOS IP BASE", as we bought it when we had a Cisco Pix 506E firewall installed (still do). Everything works fine, except for last week when it seemed that the Cisco 2811 lost its config. (We restored it, all is OK.)

It took us a lot of time to figure out what was going on and now we'd like to have backup hardware to swap out instead of wasting hours finding the issue. Compounding the difficulty, we weren't sure if the problem was the firewall...

We'd like to have a single point of failure we could swap out, so we are looking to get rid of the 506E firewall.

We are going to be purchasing a backup Cisco 2811 router shortly and wanted to know if I should get one with the "Cisco 2800 IOS ADVANCED SECURITY"? I am not sure if the "Cisco 2800 IOS ADVANCED SECURITY" would take over the Cisco Pix 506E firewall duties allowing us to get rid of that hardware?

If it does, I will want to replace my current Cisco with the new one with the added firewall software.
And also, do I need to buy an add on for my other original Cisco 2811 to make it identical?

Is the "Cisco 2800 IOS ADVANCED SECURITY" just part of an image that I can back up and copy to the other router in case of failure? (I will only be running one at any one time, so I am not sure of licensing on this.)

I don't understand the software or "add-ons" side of things here. Is it just software embedded?

I guess I have two questions:

1. Will the "Cisco 2800 IOS ADVANCED SECURITY" take over for the 506E firewall if programmed properly?

2. Do I need to buy an add-on for my original, or can I just copy the router's firmware or image over to the original?

(note: they will never run concurrently as one will always be in a box)
Question by: EGormly

Expert Comment

ID: 33558845
1) Yes, you should be able to do almost everything with an Advanced Security image, but without seeing what features you are using I can't guarantee that.

2) You can buy the add-on for your current 2811.

I did want to say that you can purchase a Cisco ASA 5505, as it may be a cheaper option that will give you a spare device. Cisco IOS security features are good but they are also harder to tweak, and the ASA 5505 has an easy-to-use GUI interface.

Author Comment

ID: 33559204

Can I turn all features off and use it exactly as one without the Cisco 2800 IOS ADVANCED SECURITY?
I just talked with my boss and he doesn't want to use the security on the 2811, he just wants to keep the 506E. So can I get this one and just copy over my current config to it, or will the extra advanced security package not work?

Expert Comment

ID: 33559423
Not sure what you're asking. When you upgrade to the advanced security package, you upgrade your IOS to the firmware with Advanced Security and then you get a PAK code from Cisco that lets you unlock the Advanced Security portion. Your current configuration does not change; you just have access to more commands.

Now, as far as copying from your PIX, the command line is different, so you cannot copy and paste from a PIX to an IOS router. The ASA 5505 is the true replacement for the PIX, and even then you have to use a tool that can migrate your PIX configuration to the ASA configuration. (Well, you don't have to use the tool, but it is easier than fixing the failed commands.)

Expert Comment

ID: 33560130
You may also be able to run the two 2800 routers in a hot redundant configuration using protocols like HSRP or similar. There are some other prerequisites, such as making sure your IOS image supports it and that you have additional IP addressing to spare and switch ports on appropriate VLANs (if used) to connect the various interfaces to. This may be a bit more than what you are looking to do and, most notably, the 506E cannot itself use the PIX/ASA redundancy (failover) configuration, so you still have that as a single point of failure.

If you just want to make a ready-to-swap router, the base IOS config should be identically configured on the other router that also has an advanced feature set, as stated by bkepford, so you should be good there.

The Pix 506E is a great little firewall and it does a lot more than your average router such as full connection tracking and layer 7 inspection for various protocols. Of course there are several limitations and drawbacks but if you're not pushing tons of bandwidth it can generally cope well.

Author Comment

ID: 33560465
>>"Now as far as copying from your PIX the command line is different so you can not copy and paste from a PIX to an IOS router."

I didn't ask about that, I am not that daft :)
I was asking if I could copy the config of the standard 2811 to the Advanced Security 2811.

I can see how you might have thought I was asking about 506E > 2811, but I wasn't.

Accepted Solution

bkepford earned 2000 total points
ID: 33617989
All commands should go into the Advanced Security IOS without any problems. In truth, they are the same operating system; one just has more functionality unlocked.

Author Closing Comment

ID: 33618090
Thanks for the information
