Best router for 100mbit WAN / NAT performance

Hello, we have a small office with a 100mbit fiber line (delivered over ethernet, 100mbit download / 5mbit upload.)
We need a new or 2nd hand Cisco router that we can connect to our internal gigabit switch to share this internet connection. We'll have a max. of 10 PCs using the internet at any one time but they may do heavy downloads / uploads. Which Cisco line of used routers would work well for us? I'm myself CCNP certified so programming it etc. is not a problem. i.e. would a 1700 series, or 3600 series router work ok with our scenario or would we need a more sophisticated one?
Asked by: eggster34

chakko Commented:
Since you listed Cisco, I would go with an ASA device instead of a Router. ASA 5505 I think is the small one suitable for 10 users.

 
Garry Glendown, Consulting and Network/Security Specialist, Commented:
As for routers, 1700 and 3600 series will definitely NOT be able to push the full 100M with NAT ...  the biggest 1700 maxes out at 16000 PPS using CEF, largest 3600 goes to 120k PPS CEF. But as you need NAT, these numbers will be drastically smaller, as the CPU has to touch every single packet ... As far as Cisco routers go, I reckon your safest way to go is with some newer ISR routers, though they're rather hard to find on the second hand market ...

ASA should do, but the 5505 might be a bit hard pushed doing the 100M together with NAT ... you may want to look at getting a 5510 to have some "spare" performance left ...

Maybe as an alternative suggestion, take a look at Fortinet FortiGate firewalls - they deliver quite good performance, with lots of extra features which many competition products (e.g. Cisco) do not even deliver in their entirety in one box. In your case, if you do not require Content Scanning at full line rate (just firewall/NAT e.g.), even the 60C unit would be sufficient ...
 
eggster34 (Author) Commented:
Hmm, how about the PIX series? How do they compare to the newer ASAs? I can get a PIX515 or even a 525 fairly cheaply, would they do the same job? To confirm, all I really need is firewall and NAT, no content scanning etc. needed. Thanks!
Garry Glendown, Consulting and Network/Security Specialist, Commented:
Definitely don't go lower than 515, if possible and the price is right, a 525 may do the job ... if it's a 515, make sure it has enough memory so that you have the option of upgrading to the 8.0 software (though I'm afraid it's most likely not available through "official" channels as it's EOS) ... anything from the 7.x or higher is better than the old 6.x software ... especially the PDM is a PITA, though all in all, it's a solid firewall ...
 
ampranti Commented:
1700 and 3600 series are definitely a "no go"! Also, PIX are too old and outdated and are not recommended.

Try a 2900 series; the comparison sheet is here:
http://www.cisco.com/en/US/products/ps10537/prod_series_comparison.html

If you want to use a firewall try ASA 5510 (5505 is too small).
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

Also, if you have a layer 3 switch, you may connect the link directly to your local switch (if the traffic is internal (point-to-point) with another office) and you want to avoid extra cost.

Another option is to contact your local Cisco partner and ask for his proposal. Then check the options you have ;)
 
eggster34 (Author) Commented:
I don't care how old the PIX is since budget is my primary concern. Would a PIX 515 or 525 (which I can get for 1/6 of the price of a new 2901 router it seems) work or not? Thanks :)
 
ampranti Commented:
According to Cisco:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/ps4094/product_data_sheet09186a0080091b15.html

• Cleartext throughput: Up to 190 Mbps
• Concurrent connections: 130,000
• 168-bit 3DES IPSec VPN throughput: Up to 135 Mbps with VAC+ or 63 Mbps with VAC
• 128-bit AES IPSec VPN throughput: Up to 130 Mbps with VAC+
• 256-bit AES IPSec VPN throughput: Up to 130 Mbps with VAC+
• Simultaneous VPN tunnels: 2000

It is ok for you!
 
eggster34 (Author) Commented:
Thanks.
Question has a verified solution.