Our company is in the process of setting up redundant ISP connections with BGP routing and I need help deciding which Cisco router model is powerful enough to handle the task.
FYI, I’m not a dedicated networking guy – I’m just the person that’s done it the most, and so am elected by default. I’ve been managing our ISP connections for many years, but BGP is totally new to me.
We’re a small software consulting company with about 20 users. We do a lot of work over the Internet supporting our clients via VPN, remote desktop, etc., and also have a small (but hopefully growing) business hosting apps at our site. After some recent episodes where our ISP connection was down, we decided to get a second ISP connection. I’ve also been setting up a redundant switch layout on our LAN, using spanning tree, so as to eliminate as many single points of failure as possible.
Currently, we have two bonded T1s for 3Mbps of bandwidth. This is normally enough bandwidth for our needs. It only starts bogging down if someone fires up a large software download or something during the work day. The new ISP is to be a 10Mbps fiber connection.
We’re using a Cisco ASA 5505 as our firewall. As an indication of our typical traffic load, this firewall seldom gets over 10% CPU usage. Traffic generally runs about 1 – 2 Mbps usage during the day.
My tentative plans call for a pair of Cisco 2901 routers in a HSRP failover configuration, each with 2GB of RAM.
Are the 2901 routers likely to handle BGP routing in this scenario, with some room for growth?
Secondly, we have a second ASA 5505 that I planned to set up in a failover configuration with the first. However, I’ve recently discovered that the 5505 doesn’t support STP, making my redundant switch plans unworkable.
Other than buy a pair of ASA 5510s, one option to address this issue is to use the firewall capabilities of the Cisco routers rather than using separate firewalls. I’m attracted to this idea, not only to save in hardware costs, but to simplify our setup by eliminating two pieces of equipment. I just don’t know how practical it is in our situation.
In researching this, the two major objections I’ve read are 1) you should separate the routing and firewall functions to keep configuration errors in the one from affecting the other, and 2) the extra demand of enforcing firewall rules may be too much for a BGP router. As for the first objection, I understand the advice, but am not sure whether this overrides the advantage of simplifying our setup.
As for the performance objection, I’m finding it hard to believe that the new 2901 routers would choke on a set of firewall rules that the little ASA 5505 handles with 10% CPU usage. It seems to me that if that extra task pushes the router over the line, it doesn’t have enough horsepower for BGP routing to begin with.
One wrinkle is that currently, the only VPN connection to the firewall is a single site-to-site IPsec connection. There are plans to expand this to about 5 or so.
Any advice would be greatly appreciated.
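As an added illustration of the HSRP-plus-BGP layout described in the question (this is example configuration, not the poster's or any vendor's own, and it does not answer the sizing question), here is a skeleton for the two routers. All addresses are from the RFC 5737 documentation ranges, the local AS 64512 and the ISP AS numbers 64496/64497 are placeholders from the private/documentation ranges, and the interface names, track numbers and prefix 203.0.113.0/24 are assumptions. It takes only a default route from each ISP rather than a full table, which keeps memory and CPU demand small, and it uses outbound prefix-lists so the routers can never announce anything but the company's own prefix.

```cisco
! ===== Router A (preferred HSRP active, ISP-A uplink) =====
! Hypothetical example config; addresses, AS numbers and names are placeholders.
hostname rtr-a
!
interface GigabitEthernet0/0
 description ISP-A uplink (placeholder addressing)
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description inside segment shared with rtr-b and the firewall outside interface
 ip address 10.0.0.2 255.255.255.0
 standby version 2
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string CHANGE-ME-HSRP-KEY
 standby 1 track 10 decrement 20
!
! Give up HSRP active role if the ISP-A link goes down (priority 110 -> 90, below rtr-b's 100)
track 10 interface GigabitEthernet0/0 line-protocol
!
router bgp 64512
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 ! eBGP to ISP-A: accept only a default route, announce only our own prefix
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description ISP-A
 neighbor 192.0.2.1 password CHANGE-ME-ISPA-KEY
 neighbor 192.0.2.1 prefix-list ANNOUNCE out
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 ! iBGP to rtr-b so each router knows the other's default route
 neighbor 10.0.0.3 remote-as 64512
 neighbor 10.0.0.3 description rtr-b iBGP
 neighbor 10.0.0.3 next-hop-self
!
ip prefix-list ANNOUNCE seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
! Null route so the aggregate is always present to be announced
ip route 203.0.113.0 255.255.255.0 Null0
!
! ===== Router B (HSRP standby, ISP-B uplink) =====
hostname rtr-b
!
interface GigabitEthernet0/0
 description ISP-B uplink (placeholder addressing)
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description inside segment shared with rtr-a and the firewall outside interface
 ip address 10.0.0.3 255.255.255.0
 standby version 2
 standby 1 ip 10.0.0.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string CHANGE-ME-HSRP-KEY
 standby 1 track 10 decrement 20
!
track 10 interface GigabitEthernet0/0 line-protocol
!
router bgp 64512
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 description ISP-B
 neighbor 198.51.100.1 password CHANGE-ME-ISPB-KEY
 neighbor 198.51.100.1 prefix-list ANNOUNCE out
 neighbor 198.51.100.1 prefix-list DEFAULT-ONLY in
 neighbor 10.0.0.2 remote-as 64512
 neighbor 10.0.0.2 description rtr-a iBGP
 neighbor 10.0.0.2 next-hop-self
!
ip prefix-list ANNOUNCE seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip route 203.0.113.0 255.255.255.0 Null0
```

The firewall's outside interface points its default route at the HSRP virtual address 10.0.0.1; when rtr-a's uplink drops, the track object lowers its priority and rtr-b takes over the virtual address, while the iBGP session lets whichever router is active forward through the other's uplink. Announcing the same prefix via both ISPs the way shown only works if the company holds provider-independent space and both providers agree to route it; with provider-assigned space, inbound failover has to be handled differently. The neighbor passwords and HSRP authentication are there because an unauthenticated BGP or HSRP peer on a shared segment is a straightforward way to hijack the default gateway.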