Cisco IOS Router Vs. ASA Firewall For Small Colo-racked Setup
May 3, 2008
I am in the process of gathering the pieces to move from a dedicated box to my own hardware in a local colo and am undecided how best to choose the edge device.
The colo has a 30Mb pipe with about 10Mb of it being constantly used during biz hours. Another 10Mb is being allocated in the next couple of months. I want to be able to burst to the full 30Mb when needed.
I am getting 12 IPs allocated but will increase to 24 soon if all goes well (fingers crossed!).
I will have for starters just a single Proliant running dnp on 2008 with IIS, FTP, Mail, ns1 and a 2003 VM running my secondary ns.
What I am unsure of is the edge device, and I am looking for others that have used either a 2800 series router or an ASA5500 series firewall in a similar fashion. I know what the raw throughput of each device is, but raw benchmarks are not real-world numbers by any means.
I am looking at the 2801 with IOS Firewall turned on and hopefully even some inspects for FTP and HTTP traffic. The other option, and one that I am less familiar with, is to use the ASA5505 instead, which will do my basic routing but supposedly provide more thorough inspects and advanced rules.
Does anyone have experience with either of these in a hosting environment and have input on the realistic throughput one can expect from either device?
There is a significant cost difference, with the ASA5505 being much cheaper, but I am more familiar with IOS. Would anyone recommend an 1841 router instead?
View 6 Replies
May 13, 2008
I've been using dedicated hosting in places like The Planet and Rackspace for a long time now, but we're about to purchase a rack in a local data facility. This is my first time setting up a rack environment, so I have a bunch of questions.
They'll be giving me an ethernet drop into the cabinet. I have to take it from there. I'm thinking I need a router/firewall. Am I right? Can those be a single device? Should they be? Which models would you recommend? (We're still a small operation, we don't usually push more than 1Mbps bandwidth).
View 9 Replies
Jul 11, 2007
I am currently looking at these Cisco switches:
- Cisco 2924 WS-C2924-XL-EN Enterprise Switch
- Cisco 2950 WS-C2950-24 Catalyst Switch
- Cisco 3512 WS-C3512-XL-EN Enterprise Switch
- Cisco 3524 WS-C3524-XL-EN Enterprise Switch
- Cisco 3548 WS-C3548-XL-EN Enterprise Switch
1) I was recommended to choose the XL-EN model switches because it seems they have more memory, but the second one in the list (Catalyst) is not an XL-EN. Is that going to have any effect performance-wise, or does it not really matter?
2) I was also recommended to choose managed switches because that way I can use the SNMP features to measure bandwidth, are any of the switches above unmanaged?
3) I also want to be able to manage the switch remotely, web managed, are any of the switches above web-manageable?
4) Most importantly, when my datacenter gives me a 100mbit drop, I don't know which port to plug it into on the 29** series. On the 35** I see it clearly but I am not able to see it on the 29**, any ideas?
5) On some of these switches I see a special port called "Console", what is it? where does that connect to?
6) Do any of the switches above not have a console port?
View 14 Replies
Aug 2, 2009
I'm buying a Cisco ASR 1000 router that should handle 2 Gbps bandwidth. Please advise on components, models, etc.
I have a vendor, but I'll appreciate any reference, based on your experience, on where to buy one at a reasonable price. I think I can probably get a refurbished ASR 1000 or similar as well, if the vendor can guarantee the quality of the device.
View 1 Replies
Sep 9, 2009
I have a requirement where one of our partners is planning to connect to our datacenter using a dedicated leased line.
As per our partner, they will engage a leased line vendor for this. This vendor will terminate the leased line (single mode fiber, SC connector) in the comm room of our colocation provider.
I have next to no knowledge about fiber connectivity and have a few questions in this regard.
Q1. If single mode fiber is terminated at the colo's comm room in the form of an SMF SC connector, what kind of cross connect should we request from the colo's comm room to our cabinet (SMF / MMF)?
Q2. How are these cross connects terminated in the cabinet? Do colo providers use some kind of fiber patch panel or do they simply provide a fiber link with SC/LC connectors at the end of it?
Q3. If the cross connect needs to be SMF SC, then which Cisco routers support SMF SC interfaces? Do I need an SC-LC patch cable?
(I looked at the various options but could only find the following: GLC-LH-SM or GLC-ZX-SM for SMF connectivity. I read about these and found that GLC-LH-SM is used for terminating single mode fiber that spans up to 10 km and GLC-ZX-SM is used for terminating single mode fiber that spans up to 70 km in length. It looks as if both of these support LC connectors. Are these the only two SMF connectivity options? Do I need an SC-LC patch cable?)
Q4. Our partner only tells us that the link will be terminated using SMF SC. How do we figure out if GLC-LH-SM or GLC-ZX-SM is required?
View 5 Replies
Jan 27, 2007
The Cisco 7301 has 3 integrated Gig-E ports and one empty slot which we'll use with an OC3 SMI PA for a handoff to SAVVIS. (when will they ever go to Ethernet handoff?)
Is anyone here leasing a Cisco 7301 router, who can comment on the approximate monthly lease cost? I know the approximate retail cost, but can't really guess on the residual after 3, 4, or 5 year lease, so it's hard to estimate the approximate payment to expect. I don't want to get a salesperson involved yet because once they have your phone #, they never stop calling, and I'm not 100% certain we're going with the 7301 (versus a Juniper M5 or M7i).
View 14 Replies
Feb 17, 2007
I've been shopping for routers, and I'm curious as to the capabilities of a Cisco 7206 VXR Router. Would an NPE-300 or NPE-400 be capable of running three BGP sessions for 100 Mbps? At what point would it start topping out bandwidth wise? How much RAM would be recommended? Is a PE-GE good enough for the connections that are delivered by gigabit ethernet?
I realize that some of you may be inclined to recommend talking to a network consultant, but at this stage that's probably premature. I'm in a planning stage at this point.
View 12 Replies
Dec 16, 2007
Fire sale at HE on used Cisco core router equipment
[url]
I wonder if some data center will purchase it just to hook it up for the flashing lights... would be quite impressive.
Wait a second, that was already done in North Atlanta and Las Vegas, wasn't it?
I wonder why HE didn't donate it to the tech museum in San Jose... would have been a better write-off than selling it.
Why am I musing so far off topic on a gorgeous Sunday morning?
View 8 Replies
Oct 18, 2009
I need 1U of space, .5 amp (50 watts) power, one IP, 2.5mbps bidirectional bandwidth (total of 5mbps up + down) and about 10GB of traffic per day each direction (total of 20GB up + down). Would be nice if they have remote KVM along with console (serial) access. Location should be anywhere in USA.
Purpose is to host a VPN router for various remote locations to connect in to. Reliability and good connection (low latency) is important.
View 6 Replies
Feb 22, 2008
I have seen these 2 OS that should work as router/firewall, but are they worth anything?
View 14 Replies
Oct 31, 2007
I am about to design my company network.
The network will be designed like this: we have 3 providers of IP transit, one will be the main network while the two others will feed the first network and manage a highly available network, probably using protocols like BGP4 and OSPF.
The current size of each fiber is 45 Mbit/s per operator. So I am looking for :
A router :
- able to handle each provider with up to 200 MBit/s in/output
- able to support protocol such as BGP4 or OSPF
- able to output snmp for monitoring
- have a little intuitive GUI for basic operations and have a real routing OS (like IOS or JunOS)
- is branded and under warranty (a plus would be hardware extensible)
- not too big box, something between 1 and 6U
A firewall :
- able to handle ALL the traffic to all carrier
- able to work as a SPF (drop all, allow only what I want, very accurate rules)
- have a little intuitive GUI for basic operations
- not too big box, something between 1 and 6U
About brand, most probably about Cisco, Juniper, Extreme or some good brand.
Which model would you advise me to get as router and which as firewall? The price is not the main preoccupation as long as it does the job just fine, but I would also prefer not to buy something too expensive.
View 5 Replies
Nov 10, 2008
I run a small datacenter, and we are migrating from Cisco to Linux-based routers.
These routers should run a firewall, DDOS mitigation rules, CBQ bandwidth limitation, etc.
I know how to mitigate DDOS using tcpdump, also I know how to route..
I just need some advice about the firewall, stopping basic DDOS, fragmented packets, etc..
Should I use APF firewall in this case? Is there a good IPTABLES set of rules I could use?
I'm giving up on Ciscos, as I just discovered there are some UDP packets that can easily break them. I tested it last night, and that was it, nothing secure. A little traffic (bogus UDP packets) and the router was down for a few minutes.
View 5 Replies
Jan 30, 2008
We had 2 Xen servers in colohouse, each with 30 IPs yet.
Now we are going to purchase a third server and have started to think about renting a small rack and putting our own firewall in front of the servers.
Actual bandwidth is 5Mbits for both servers together.
We are thinking about having something like this:
Colohouse-->Firewall<-->switch<--->Xen server(s)
With this scenario we would like to add:
1) traffic monitoring per IP
2) traffic shaping per IP
3) firewalling whole segment of our public IPs
FW will get single IP and range of public IPs routed to that IP
4) be able to put one public IP for VPS on to any Xen server
What firewall and switch would you recommend for this scenario?
View 0 Replies
Aug 21, 2007
We are looking to replace our existing WatchGuard Fireboxes with a hopefully more reliable firewall from Cisco's range, although I'm a bit lost when it comes to the different ranges.
Could somebody suggest a firewall that is capable of:
1: Both NAT & Drop-in (bridge) mode
2: Pretty low bandwidth requirements, no more than 10mbit/s traffic
3: SNMP Monitoring
4: High availability pairing
View 6 Replies
Jul 12, 2007
What is the difference between the Cisco PIX and Cisco ASA Firewall Systems?
Also, which firewall do you guys recommend for a rack of servers?
View 10 Replies
Apr 27, 2007
Does anyone know of a place or have for sale a Cisco PIX firewall? I have looked into ebay but was wondering what else is out there?
View 3 Replies
May 22, 2008
I would like to thank in advance anyone who shares his knowledge or experience here.
I am trying to find a firewall with some routing capability. Since I expect to have Gbps transfer in the near future, I don't think I can find a solid commercial hardware firewall within my low budget. That's why I am looking at software products.
I would need firewall functions (ability to prevent DDoS attacks is desirable) and basic routing functions (dynamic routing and BGP are desirable but not necessary at the moment).
Stage 1 environment:
20Mbps from provider P;
100Mbps from provider C;
35 servers for budget dedicated, mainly web servers;
*I have a question in mind that, can I have my network setup that incoming from both provider P and C but outgoing through C only? Is static routing able to do that?
Expected stage 2 environment:
40 ~ 60Mbps from provider P;
100 ~ 200 Mbps from provider C;
70 ~150 servers, mainly web servers;
Currently I am looking at Vyatta, Untangle and Endian. Can someone give some comments on these software or any others that might be suitable for me?
View 14 Replies
Oct 16, 2009
I want a Cisco firewall suitable for one dedicated server protection, that server would host up to 30 VPS
and I may buy another server in future, so what do you recommend?
View 8 Replies
Oct 16, 2009
From where can I get the price of a Cisco firewall?
View 4 Replies
Nov 3, 2009
I already got a new firewall for my server, a Cisco ASA, and I don't know how to configure it.
Are there any rules to get protection from shells and virus trojans, for example?
View 2 Replies
Apr 11, 2008
specifications and pricing of different CISCO PIX 515E firewalls?
View 2 Replies
Jun 5, 2007
I'm in the process of setting up a new service with an ISP with the following scenario and need your help.
I've got the rack (42U), servers and switches. Only the routers are left, and here is where I need your help.
I also have 2 ports from the ISP where I can connect my routers. I need to get 2 router devices with an auto sync feature in order to be able to set up a redundant plan in case one of them goes down.
Those routers should have firewall features too in order to avoid setting up iptables rules for each server. Basic DDoS protection is needed too.
I'm going to push around 100Mbit of traffic across the servers but that will happen after 3-4 months from the initial setup. In the first instance no more than 10-20Mbit will be used.
I heard a lot about Cisco but got no idea what model is the most suitable for my case. I will probably need a module for DDoS attacks and another one for advanced security IOS from what I read but it is not clear to me.
View 4 Replies
Sep 16, 2007
Is a basic Cisco ASA 5505 suitable for a low-bandwidth colocation environment? I run a small virtualization network, going to be expanding to multiple hosts with a SAN and looking for something that is more secure and easier to manage.
Right now, I only have 12 virtual servers and I'm only pushing about 1-1.5mbps on average, though going to be expanding it so my capacity will be about 4x, including multiple physical servers and a layer2 switch. Sometimes managing it even now can become a PITA.
I would like to use an external firewall, but don't think I need something as hefty as an ASA 5510, as I doubt I'd max out the 5505 on throughput. I'm also sceptical about putting up a m0n0wall/pfSense box, as it might not be as cost effective to put it on new, reliable hardware, and putting it on some older/purchased off Ebay server could be unreliable as it is the entry point to my network.
Think the ASA 5505 would be a good entry level point?
View 4 Replies
Dec 25, 2008
Does the CISCO ASA Firewall block SQL and XSS Injection? If not, then which firewalls are available that do this job? I have checked web application firewalls and found them to be too costly for my budget. What are the other cheap options available?
View 3 Replies
Oct 25, 2009
I have set up a Plesk Windows server behind a CISCO PIX 501 firewall and since then am not able to upgrade Plesk to the latest version. It cannot connect to the Plesk Update server. Which port do I need to open, and will it be inbound or outbound?
View 14 Replies
Feb 4, 2008
Thought this might be of interest since the PIX vs. ASA devices are frequently discussed here ...
View 1 Replies
May 9, 2009
I'm setting up a VPS server on Slicehost, I've followed the guide on howtoforge for Debian and have everything installed including ISPConfig3. Everything seems to work fine at the mo but when I check the memory usage, I see that I'm using around 490/500mb of my 512mb setup. It's a Xen setup so I understand this is real memory available but I'm not sure if this is enough.
I will ultimately be running around a dozen sites, some static and some dynamic. There's one Mambo and one Joomla site there but they don't update. The rest are all php/mysql sites that I've built myself but again, they don't change that much. None of the sites currently see more than a couple hundred uniques a day, and some only a handful, so usage is not high. Most of the domains have e-mail accounts attached, but it's only moderate usage with around a dozen addys per domain max.
So, do I need more memory or will 512 be enough? Is there anything I can do to reduce the load and give myself some more room?
I'm moving from a shared hosting environment and while I'm comfortable setting up the server, I would rather have a simple mail manager that would give users more control over their accounts, change passwords etc, which I'm hoping ISPConfig3 will be able to help with, but that's probably best discussed in another post.
View 14 Replies
Dec 1, 2008
Cisco Switch IP Route setup
This is probably an easy and simple task for someone that has a good knowledge of Cisco, BGP and Blackhole/Sinkhole communities.
We have a Cisco 2948G that is our border, and through this equipment we apply Blackhole (a sequence of commands to filter all the traffic from the world except our country; this is done by communities that are set up in Cisco).
This is the sequence of commands to apply it for IP 189.1.XXX.40:
Enter configuration commands, one per line. End with CNTL/Z.
asw-hl01(config)#router bgp 184XX
asw-hl01(config-router)#network 189.1.XXX.40 mask 255.255.255.255
asw-hl01(config-router)#exit
asw-hl01(config)#access-list 50 permit 189.1.XXX.40
asw-hl01(config)#ip route 189.1.XXX.40 255.255.255.255 Null0 250
asw-hl01(config)#
I have another Cisco 2948G that is connected to a FastEthernet port of the border above, and this other Cisco is holding another subnet. To make it clear,
Border - I have 189.1.XXX.1 ~ 189.1.XXX.127 (subnet 255.255.255.128)
Cisco2 - I have 189.1.XXX.128 ~ 189.1.XXX.255 (subnet 255.255.255.128)
This is being done through an ip route from Border to Cisco2 to forward subnet 128 ~ 255 to the switch,
ip route 189.1.XXX.128 255.255.255.128 172.16.1.2
PS: 172.16.1.2 is the internal IP for switch2
Now we go to the problem. If I want to apply a Blackhole (that sequence of commands for an IP located at subnet 128 ~ 255 switch2) it blocks all the traffic for that given IP, and I can't get access from national backbones. To make it clear,
Blackhole for IP 1 ~ 128 - It works fine
Blackhole for IP 128 ~ 255 - It doesn't work correctly, instead of blocking only international traffic it's blocking everything in the world
View 0 Replies
Dec 10, 2007
I recently acquired a 2950 switch brand new, this is now in production but I needed several things to be set up on the switch such as SNMP, an IP to access it over a browser, etc.
Do you know somebody who offers a setup service for Cisco switches?
View 7 Replies
May 1, 2007
Anyone know what firewall I need for my colo? I want to protect the external IP. Here is my setup:
3 servers, all have two NIC cards, one of the cards will be the external IP and the other one will be the LAN IP. So my question is what hardware firewall do I need to protect the external IP?
I was thinking of a Cisco PIX 515E, which only routes the external IP to the LAN IP. I need something where I don't have to route, it just protects the external IP.
View 14 Replies
Oct 26, 2009
I'm looking to colo 5 servers, 3 app servers, 1 db, 1 backup/sparedb. I am looking for something to provide a bit of protection in, and it seems like the ASA5505 is a good firewall, but I was wondering if anyone had any other recommendations?
I probably won't need ridiculous features, I wish it had gigE ports (I need to get a separate gigE switch for now, just for internal transfers+backups).
Is there anything else that might be a little cheaper, or do I need to upgrade to the 5510? Myself and one other person are the only people who would be VPNing to the internal server cluster, so we don't need massive connection rights.
I do not think I will be pushing 100mbits of data transfer, so I'm not worried about the throughput of the server.
View 14 Replies