PIX 501 or 851/871 router?

We have a small office of 3 users that are connected through a DSL circuit. We want to link them back to the corporate office. Our main office has a PIX 515.

In regards to the external office, I have seen that both the PIX 501 and the 8xx routers can create a VPN tunnel. What would be the main difference between them?

Thanks:)

-Douglas

Douglas McIver

Because it is easier to maintain/deploy in your case: PIX

/edgar

Edgar® du Mid

In article , Douglas McIver wrote:
:We have a small office of 3 users that are connected through a DSL circuit.
:We want to link them back to the corporate office. Our main office has a
:PIX 515.

:In regards to the external office, I have seen that both the PIX 501 and the
:8xx routers can create a VPN tunnel. What would be the main difference
:between them?

If you are considering an 851 or 871, then it might perhaps make more sense to get an 857 or 877, which have the ADSL modem built in. That would save having an external ADSL modem. The Cisco 8x7 ADSL models are used quite a bit with ADSL -- "serious contenders", not merely "well, it -claims- to work..."

Whether to get an 8x1 or 8x7 would depend in part on your future plans: if you might be moving to a different kind of line then the 8x1 ethernet-to-ethernet series would be more portable, not locked into xDSL.

The 85x and 87x have hardware acceleration for 3DES and AES. The 501 uses software encryption. The 501 is not suitable for "extreme" DSL such as 8/1 -- the 501 tops out somewhere near 3.5/1. [But see below...]

The 8xx have more packet inspection facilities than the 501, and the 8xx have QoS, which the 501 does not have.

The "Recommended number of users" for the 871 is 20; 10 for the 851. The 501 base license is for 10 users. We find that in practice the 501 has no problem handling 10 users (who aren't particularly network intensive), but that by 20 users the 501 is possibly running out of memory -- but we have an unusually large configuration.

It's easier to find hard performance numbers for the PIX series than for the 8xx series. If you know the magic place to look, you can see the 85x rated for 10000 pps (5.1 megabits/s), and the 87x rated for 25000 pps (12.8 megabits/s) for routing.

But the 501 is rated to 60 megabits/s cleartext (e.g., just NAT + routing without encryption.) That's ~5 times the speed of the 871 for about $US75 less...

The 871 is licensed for 20 VPN tunnels; the corresponding license on the 501 is 10 "IKE peers". The 501 is a bit more specific in its terminology: it can have a large number of different "security associations", all of which are being encapsulated to talk to the same peer; for the 871, it isn't immediately clear whether it is talking about 20 peers or 20 security associations.

Now a bit of speculation:

The PIX 501 has a relatively small amount of memory, and there are significant challenges in fitting the PIX 7.0 software in that small amount of memory. Cisco has reportedly said that 7.0 *will* be supported on the 501, but they are running late on that. It's an open question at the moment as to whether they will be able to deliver on that, and as to how much they will have to cut out of 7.0 to make it fit. So although the 501 has been selling quite well, there are rumblings that the 6.x software stream might really be the end of the line for existing 501s, with possibly a 501E in the works, or possibly a price reduction on the 506E to have it take over the market niche of the 501.

Cisco has introduced the ASA 5500 series of Security Appliances, which do everything the PIX does and have more advanced packet inspection and more advanced heuristic intrusion prevention. There is a lot of competition from other vendors such as SonicWall, who are pushing anti-virus and deeper packet inspection and QoS services into lower-cost devices. One has to wonder how Cisco is going to compete with those (especially the deeper packet inspection) within the PIX line if the PIX line is differentiated from the ASA line mostly by the lack of those features. Thus, for all that the PIX line is very well known, I have to wonder whether it has a future. Is its only future in being more "modular" [i.e., expandable interfaces] than the ASA? If so then that would argue for the discontinuation of the fixed-configuration 501.

But you asked what the main difference was between the PIX and the 851/871. The answer is that the PIX is designed for security whereas the 851/871 are designed for routing and designed with the full kitchen-sink complement of IOS features. The result is that the 8xx series is higher absolute risk than the PIX: there are more things to go wrong in the 8xx and when things go wrong, packets are allowed through... whereas on the PIX, the code internals are designed to block packets that aren't approved by policy. Internal architectural differences but similar external functionality. But do you need the "extra heavy duty shock absorbers", or are the standard heavy duty shock absorbers good enough for your purposes?

Walter Roberson

Thank you for the detailed explanation Walter. It is very handy!!! What surprised us was that the 8xx routers were less expensive than the 501, and some of them had built-in wireless. I guess it comes down to configuration knowledge. If we find a future employee who is very good at IOS then we should do the 8xx series, but a general run-of-the-mill WAN guy will probably be safer with the PIX.

I was just looking at the ASA boxes, they are pretty cool. To me they look like a direct replacement to the 515s, is that true? We were thinking of scaling to something higher than the 515R we have now, so the ASA looks nice.

Thanks!

Douglas McIver

In article , Douglas McIver wrote:
:What surprised us was that the 8xx routers were less expensive than the 501, and
:some of them had built-in wireless. I guess it comes down to configuration
:knowledge. If we find a future employee who is very good at IOS then we
:should do the 8xx series, but a general run-of-the-mill WAN guy will
:probably be safer with the PIX.

If you have someone who is already good with PIX then no problem.

And if you only want to do simple things with the PIX, just simple LAN-to-LAN tunnels that can be relatively easily configured via the graphical interface (PDM / SDM), then public vs private addressing is possibly the biggest bump to get over for a newcomer.

However, if you intend to really exploit the PIX, then the truth is that it takes -years- to learn the PIX thoroughly. Indeed, I've been working with it for 4 years, participating quite actively in online discussions of the PIX, and I can still only answer about 2/3 of the questions.

IOS... IOS isn't really any less easy to learn, but it is pushed a lot more, with training academies and several different levels of certifications and practice exams and so on. It is thus easier to come by someone who knows IOS relatively well than to come by someone who knows PIX relatively well.

Walter Roberson