Cisco 2811 as a Backup Router - Need Security Package?

I currently have a Cisco 2811, it's just a basic Cisco 2811, no special stuff just "Cisco 2800 IOS IP BASE" as we bought it when we had a Cisco Pix 506E firewall installed (still do) everything works fine. Except for last week when it seemed that the Cisco 2811 lost it's config. (we restored it, all is OK)

It took us a lot of time to figure out what was going on and now we'd like to have backup hardware to swap out instead of wasting hours finding the issue. Compounding the difficulty we weren't sure if the problem was the firewall...

We'd like to have a single point of failure we could swap out, so we are looking to get rid of the 506E firewall.

We are going to be purchasing a backup Cisco 2811 router shortly and wanted to know if I should get one with the "Cisco 2800 IOS ADVANCED SECURITY"? I am not sure if the "Cisco 2800 IOS ADVANCED SECURITY" would take over the Cisco Pix 506E firewall duties allowing us to get rid of that hardware?

If it does, I will want to replace my current Cisco with the new one with the added firewall software.
And also, do I need to buy an add on for my other original Cisco 2811 to make it identical?

Is the "Cisco 2800 IOS ADVANCED SECURITY" just part of an image that I can backup and copy to the other router in case of failure?  (I will only be running one at any one time, so I am not sure of licensing on this??)

I don't understand the softare or "add ons" side of things here, is it just software embedded?

I guess I have two questions:

1. Will the "Cisco 2800 IOS ADVANCED SECURITY" take over for the 506E Firewall if programed properly?

2. Do I need to buy an add on for my original or can I just copy the routers firmware or image over to the original?

(note: they will never run concurrently as one will always be in a box)
Who is Participating?

Improve company productivity with a Business Account.Sign Up

bkepfordConnect With a Mentor Commented:
All commands should go into the Advanced security IOS without any problems. In truth they are the same operating system one just has more functionality unlocked.
1)Yes you should be able to do almost everything with an Advanced Security image but without seeing what features you are using I can't guarantee that.

2) you can buy the add on for your current 2811.

I did want to say that you can purchase a Cisco ASA 5505 as it may be a cheaper option that will give you a spare device. Cisco IOS security features are good but they are also harder to tweak and the ASA5505 has an easy to use gui interface.
EGormlyAuthor Commented:

Can I turn all features off and use it eactly as one without the Cisco 2800 IOS ADVANCED SECURITY?
I just talked with my boss and he doesn't want to use the security on the 2811 he just wants to keep the 506E, so can I get this one and just copy over my curent config t it or will the extra advanced security packge not work?
Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

Not sure what your asking. When you upgrade to the advanced security package you upgrade your IOS to the firmware with Advanced security and then you get a PAK code from Cisco that lets you unlock the advanced Sec portion. Your current configuration does not change you just have access to more commands.

Now as far as copying from your PIX the command line is different so you can not copy and paste from a PIX to an IOS router. The ASA5505 is the true replacement for the PIX and even that you have to use  a tool that can migrate your PIX configuration to the ASA configuration. (Well you don't have to use the tool but it is easier then fixing the failed commands)
You may also be able to run the two 2800 routers in a hot redundant configuration using protocols like HSRP or similar. There are some other prerequisites such as making sure your IOS image supports it and you have additional IP addressing to spare and switch ports on appropriate VLANS (if used) to connect the various interfaces to. This may be a bit more than what you are looking to do and most notably the 506E cannot itself use the PIX/ASA redundancy (failover) configuration so you still have that as a single point of failure.

If you just want to make a ready to swap router the base IOS config should be identical configured on the other router that also has an advanced feature set, as stated by bkepford so you should be good there.

The Pix 506E is a great little firewall and it does a lot more than your average router such as full connection tracking and layer 7 inspection for various protocols. Of course there are several limitations and drawbacks but if you're not pushing tons of bandwidth it can generally cope well.
EGormlyAuthor Commented:
>>"Now as far as copying from your PIX the command line is different so you can not copy and paste from a PIX to an IOS router."

I didn't ask about that, I am not that daft :)
I was asking if I could copy the config of the standard 2811 to the Advanced Security 2811.

I ca see how you might have thought I was asking about 506e > 2811 but  wasn't.
EGormlyAuthor Commented:
Thanks for the information
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.