Solved

Cisco 2911 router for routing, firewall, and VPN

Posted on 2013-01-16
8
1,933 Views
Last Modified: 2013-01-17
I have a small customer I want to deploy an all in one device for.  I have chossen a Cisco 2911 router and I'm not sure what part number I need for a router that will do routing, firewall, and VPN.  I see they come with a univeral image.  Do I also need to purchase a firewal license?  I'm looking at datasheets, but I'm still unclear.  Any assistance on what part number I need will be greatly appreciated.  Thanks.
0
Comment
Question by:denver218
  • 4
  • 2
  • 2
8 Comments
 
LVL 92

Assisted Solution

by:John Hurst
John Hurst earned 250 total points
ID: 38785123
The web data information says it does all you want. It does not say how many tunnels included

http://www.cisco.com/en/US/products/ps10540/index.html

The Cisco RV042G is a small business router that does firewall, IPSec VPN and has 50 tunnels (combined site-to-site and gateway-to-site). The G model is gigabit and is nice and fast.

The RV042G comes with Quick VPN (I think that is the name) but I use NCP Secure Entry as a robust general purpose VPN application

I cannot figure out how may tunnels the Cisco 2911 allows.

Both of these seem to do what you want, but the Cisco 2911 appears to have good VOIP features.

I use the RV042G in my home office and I have clients using the earlier model (RV0xx in site-to-site dispatch operations).  

.... Thinkpads_User
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 250 total points
ID: 38785353
The 2911 is license based, so to do the firewalling you need a SEC license. Although it functions, I've never been a big fan of deploying IOS firewall with a router, because a router is a router and not a firewall. The same is true in reverse that a firewall is a firewall and not a router (although we expect a certain amount of "routing" to go between inside, outside, and DMZ).

What does this customer all need to accomplish? If they have a single LAN/subnet, maybe a DMZ, and an internet connection, an ASA will be more than enough to accomplish it all. As far as the number of VPN connections, I don't know if the 2911 has a hard limit, but there is a hardware limit as to the amount of throughput it can give you.

This shows raw router performance specs (no firewall enabled, no vpn)
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

In a quick search I couldn't find specs on encryption throughput.
0
 
LVL 92

Expert Comment

by:John Hurst
ID: 38785367
The RV042G has much higher NAT throughput than its earlier counterpart so be careful of throughput. The RV042G has 800Mbits/sec NAT throughput. I upgraded so as to get the maximum cable speed through the router. The older model would not do it.

The same is true in reverse that a firewall is a firewall and not a router

@rauenpc - I am not entirely sure what you mean. In small and medium businesses, Juniper Netscreen are combined firewall, VPN and router machines as I use them as such at clients. They work very well. My RV042G is aimed at small businesses, I use it myself and it functions well.

... Thinkpads_User
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 38785412
Using combined devices might be fine, if not great. In my personal opinion, I dislike using cisco isr routers for firewalling purposes. I've had a few bad experiences where iOS firewalls caused issues with poor performance and log messages about too many OOO packets (out of order). Once an Asa was put in place problem solved.

Now other product lines by companies like juniper might present completely different results, but I don't work with those brands so I can't speak to that.

As to the quote, I only mean to say that a firewall (not a combined device but a straight firewall like an Asa) shouldn't be expected to act as a router with 20 vlans to do internal routing. It might work, but that's not what it was intended for.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 92

Expert Comment

by:John Hurst
ID: 38785423
Thanks for the clarification.

From an electrical design perspective, it would be very simple to have the firewall on one circuit board / section and the router function on a separate circuit board / section. They need not interfere.

I have had very good success with Juniper and the same with the Cisco RVxx series. I have not used the other Cisco devices so I cannot comment on those.

... Thinkpads_User
0
 
LVL 4

Author Comment

by:denver218
ID: 38787121
Thanks guys.  I will be purchasing the Cisco 2911 with the SEC license.  The 2911 comes with three ethernet interfaces, which is what I need.  I have two internet circuits, and then a connection to my LAN.  This is just a small branch office that has 40 users, and requires only two site-to-site VPN's.  I've done this many times with the 2800 series routers.  I was just confused on the licensing of the 2900 series, but after doing more research its basically just like the 2800 series.  Thanks for all you input.
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 38787125
Thanks
0
 
LVL 92

Expert Comment

by:John Hurst
ID: 38787150
@denver218 - Thank you and I was happy to assist. ... Thinkpads_User
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now