Solved

Cisco 2811 as a Backup Router - Need Security Package?

Posted on 2010-08-30
Last Modified: 2012-05-10
I currently have a Cisco 2811. It's just a basic Cisco 2811, no special stuff, just "Cisco 2800 IOS IP BASE", as we bought it when we had a Cisco Pix 506E firewall installed (still do). Everything works fine, except for last week when it seemed that the Cisco 2811 lost its config. (We restored it, all is OK.)

It took us a lot of time to figure out what was going on and now we'd like to have backup hardware to swap out instead of wasting hours finding the issue. Compounding the difficulty we weren't sure if the problem was the firewall...

We'd like to have a single point of failure we could swap out, so we are looking to get rid of the 506E firewall.

We are going to be purchasing a backup Cisco 2811 router shortly and wanted to know if I should get one with the "Cisco 2800 IOS ADVANCED SECURITY"? I am not sure if the "Cisco 2800 IOS ADVANCED SECURITY" would take over the Cisco Pix 506E firewall duties allowing us to get rid of that hardware?

If it does, I will want to replace my current Cisco with the new one with the added firewall software.
And also, do I need to buy an add on for my other original Cisco 2811 to make it identical?

Is the "Cisco 2800 IOS ADVANCED SECURITY" just part of an image that I can backup and copy to the other router in case of failure?  (I will only be running one at any one time, so I am not sure of licensing on this??)

I don't understand the software or "add ons" side of things here, is it just software embedded?

I guess I have two questions:

1. Will the "Cisco 2800 IOS ADVANCED SECURITY" take over for the 506E Firewall if programmed properly?

2. Do I need to buy an add on for my original or can I just copy the router's firmware or image over to the original?

(note: they will never run concurrently as one will always be in a box)
Question by:EGormly
7 Comments
 
LVL 15

Expert Comment

by:bkepford
ID: 33558845
1) Yes, you should be able to do almost everything with an Advanced Security image, but without seeing what features you are using I can't guarantee that.

2) You can buy the add-on for your current 2811.

I did want to say that you can purchase a Cisco ASA 5505, as it may be a cheaper option that will give you a spare device. Cisco IOS security features are good, but they are also harder to tweak, and the ASA 5505 has an easy-to-use GUI.
0
 

Author Comment

by:EGormly
ID: 33559204
bkepford:

Can I turn all features off and use it exactly as one without the Cisco 2800 IOS ADVANCED SECURITY?
I just talked with my boss and he doesn't want to use the security on the 2811, he just wants to keep the 506E, so can I get this one and just copy over my current config to it, or will the extra advanced security package not work?
0
 
LVL 15

Expert Comment

by:bkepford
ID: 33559423
Not sure what you're asking. When you upgrade to the Advanced Security package, you upgrade your IOS to the firmware with Advanced Security and then you get a PAK code from Cisco that lets you unlock the Advanced Security portion. Your current configuration does not change; you just have access to more commands.

Now, as far as copying from your PIX, the command line is different, so you cannot copy and paste from a PIX to an IOS router. The ASA 5505 is the true replacement for the PIX, and even then you have to use a tool that can migrate your PIX configuration to the ASA configuration. (Well, you don't have to use the tool, but it is easier than fixing the failed commands.)
0
 
LVL 1

Expert Comment

by:krejci_420
ID: 33560130
You may also be able to run the two 2800 routers in a hot redundant configuration using protocols like HSRP or similar. There are some other prerequisites such as making sure your IOS image supports it and you have additional IP addressing to spare and switch ports on appropriate VLANS (if used) to connect the various interfaces to. This may be a bit more than what you are looking to do and most notably the 506E cannot itself use the PIX/ASA redundancy (failover) configuration so you still have that as a single point of failure.

If you just want to make a ready to swap router the base IOS config should be identical configured on the other router that also has an advanced feature set, as stated by bkepford so you should be good there.

The Pix 506E is a great little firewall and it does a lot more than your average router such as full connection tracking and layer 7 inspection for various protocols. Of course there are several limitations and drawbacks but if you're not pushing tons of bandwidth it can generally cope well.
0
 

Author Comment

by:EGormly
ID: 33560465
bkepford:
>>"Now as far as copying from your PIX the command line is different so you can not copy and paste from a PIX to an IOS router."

I didn't ask about that, I am not that daft :)
I was asking if I could copy the config of the standard 2811 to the Advanced Security 2811.

I can see how you might have thought I was asking about 506E > 2811, but I wasn't.
0
 
LVL 15

Accepted Solution

by:
bkepford earned 500 total points
ID: 33617989
All commands should go into the Advanced Security IOS without any problems. In truth, they are the same operating system; one just has more functionality unlocked.
0
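A boxed spare is only a safe swap if its configuration still matches the live router, which is the assumption behind both the "ready to swap" advice and the accepted answer. As an added example (not code from this thread), the script below compares two saved `show running-config` outputs section by section and also flags reordered ACL entries; the sample configs, hostname, ACL name and addresses are constructed.

```python
import re

# Lines IOS regenerates or that carry no settings; never treated as drift.
NOISE = re.compile(r"^(Building configuration|Current configuration|!|end$)")

def parse_sections(text):
    """Map each top-level command to the ordered list of its sub-commands."""
    sections, parent = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or NOISE.match(line.strip()):
            continue
        if line[0] != " ":            # top-level command starts a section
            parent = line
            sections.setdefault(parent, [])
        elif parent is not None:      # indented line belongs to current section
            sections[parent].append(line.strip())
    return sections

def drift(primary_cfg, spare_cfg):
    """Return (section, command, finding) for every mismatch between configs."""
    a, b = parse_sections(primary_cfg), parse_sections(spare_cfg)
    out = []
    for parent in sorted(set(a) | set(b)):
        if parent not in a or parent not in b:
            out.append((parent, "", "primary only" if parent in a else "spare only"))
            continue
        pa, pb = a[parent], b[parent]
        for child in sorted(set(pa) ^ set(pb)):
            out.append((parent, child, "primary only" if child in pa else "spare only"))
        if pa != pb and set(pa) == set(pb):
            out.append((parent, "", "order differs"))  # ACL entries match top-down
    return out

# Constructed sample configs (hostname, ACL name and addresses are made up).
PRIMARY = """Current configuration : 1432 bytes
hostname EDGE-2811
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.252
 ip access-group EDGE-IN in
ip access-list extended EDGE-IN
 deny ip 10.0.0.0 0.255.255.255 any
 permit ip any any
end
"""
# Spare: interface lost its ACL binding and the ACL entries are reordered.
SPARE = (PRIMARY.replace("1432", "1398").replace(" ip access-group EDGE-IN in\n", "")
         .replace(" deny ip 10.0.0.0 0.255.255.255 any\n permit ip any any",
                  " permit ip any any\n deny ip 10.0.0.0 0.255.255.255 any"))
```

Calling `drift(PRIMARY, SPARE)` reports the missing ACL binding on the interface and the reordered ACL, while the differing byte count in the header is ignored.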
 

Author Closing Comment

by:EGormly
ID: 33618090
Thanks for the information
0
