Cisco 2811 as a Backup Router - Need Security Package?

Posted on 2010-08-30
Medium Priority
Last Modified: 2012-05-10
I currently have a Cisco 2811. It's just a basic Cisco 2811, no special stuff, just "Cisco 2800 IOS IP BASE", as we bought it when we had a Cisco Pix 506E firewall installed (still do). Everything works fine, except for last week when it seemed that the Cisco 2811 lost its config. (We restored it, all is OK.)

It took us a lot of time to figure out what was going on and now we'd like to have backup hardware to swap out instead of wasting hours finding the issue. Compounding the difficulty we weren't sure if the problem was the firewall...

We'd like to have a single point of failure we could swap out, so we are looking to get rid of the 506E firewall.

We are going to be purchasing a backup Cisco 2811 router shortly and wanted to know if I should get one with the "Cisco 2800 IOS ADVANCED SECURITY"? I am not sure if the "Cisco 2800 IOS ADVANCED SECURITY" would take over the Cisco Pix 506E firewall duties allowing us to get rid of that hardware?

If it does, I will want to replace my current Cisco with the new one with the added firewall software.
And also, do I need to buy an add on for my other original Cisco 2811 to make it identical?

Is the "Cisco 2800 IOS ADVANCED SECURITY" just part of an image that I can back up and copy to the other router in case of failure? (I will only be running one at any one time, so I am not sure of licensing on this??)

I don't understand the software or "add ons" side of things here, is it just software embedded?

I guess I have two questions:

1. Will the "Cisco 2800 IOS ADVANCED SECURITY" take over for the 506E Firewall if programmed properly?

2. Do I need to buy an add on for my original or can I just copy the router's firmware or image over to the original?

(note: they will never run concurrently as one will always be in a box)
Question by: EGormly
LVL 15

Expert Comment

ID: 33558845
1) Yes, you should be able to do almost everything with an Advanced Security image, but without seeing what features you are using I can't guarantee that.

2) You can buy the add on for your current 2811.

I did want to say that you can purchase a Cisco ASA 5505, as it may be a cheaper option that will give you a spare device. Cisco IOS security features are good but they are also harder to tweak, and the ASA5505 has an easy to use GUI interface.

Author Comment

ID: 33559204

Can I turn all features off and use it exactly as one without the Cisco 2800 IOS ADVANCED SECURITY?
I just talked with my boss and he doesn't want to use the security on the 2811, he just wants to keep the 506E, so can I get this one and just copy over my current config to it or will the extra advanced security package not work?
LVL 15

Expert Comment

ID: 33559423
Not sure what you're asking. When you upgrade to the advanced security package you upgrade your IOS to the firmware with Advanced security and then you get a PAK code from Cisco that lets you unlock the advanced Sec portion. Your current configuration does not change, you just have access to more commands.

Now as far as copying from your PIX, the command line is different so you cannot copy and paste from a PIX to an IOS router. The ASA5505 is the true replacement for the PIX and even then you have to use a tool that can migrate your PIX configuration to the ASA configuration. (Well, you don't have to use the tool but it is easier than fixing the failed commands.)


Expert Comment

ID: 33560130
You may also be able to run the two 2800 routers in a hot redundant configuration using protocols like HSRP or similar. There are some other prerequisites such as making sure your IOS image supports it and you have additional IP addressing to spare and switch ports on appropriate VLANs (if used) to connect the various interfaces to. This may be a bit more than what you are looking to do and most notably the 506E cannot itself use the PIX/ASA redundancy (failover) configuration so you still have that as a single point of failure.

If you just want to make a ready to swap router, the base IOS config should be identically configured on the other router that also has an advanced feature set, as stated by bkepford, so you should be good there.

The Pix 506E is a great little firewall and it does a lot more than your average router such as full connection tracking and layer 7 inspection for various protocols. Of course there are several limitations and drawbacks but if you're not pushing tons of bandwidth it can generally cope well.

Author Comment

ID: 33560465
>>"Now as far as copying from your PIX the command line is different so you can not copy and paste from a PIX to an IOS router."

I didn't ask about that, I am not that daft :)
I was asking if I could copy the config of the standard 2811 to the Advanced Security 2811.

I can see how you might have thought I was asking about 506e > 2811 but I wasn't.
LVL 15

Accepted Solution

bkepford earned 2000 total points
ID: 33617989
All commands should go into the Advanced security IOS without any problems. In truth, they are the same operating system; one just has more functionality unlocked.

Author Closing Comment

ID: 33618090
Thanks for the information


Question has a verified solution.
