Should I buy Cisco Pix 501 and a 605 E, or two 501s? Do I really need SmartNet Service?

Should I buy a Cisco Pix 501 and a 605 E, or two 501s? What are the differences? Also, do I really need the SmartNet service?

I need to connect a remote branch to our main system using DSL. I've been recommended a Cisco Pix 605 E for the main office, and a Cisco Pix 501 for the branch.

The main office consists of a single Windows 2000 Server with approx. 30-35 local clients with 15-20 networked printers. I'm told the networked printers count for an IP address. Some of the printers are connected to a network device that handles 3 printers (I think with a single IP address).

I could probably get away with a 501 for the branch with the standard 10 user licenses, as there are 4 pcs & 5 printers. I could always upgrade to the 50 user license in the future if needed. How complicated is it to upgrade to 50 users by the way and what's involved? Is it something I can do myself as a pc specialist, or does it require a networking expert like my MCSE?

What would the advantage be to having a 605 E instead of a 501 with 50 licenses at the main office? We probably won't be having people connect from their homes, so it's probably just those 4 pcs. Does the 605 E offer a lot more security protection, and is it necessary? The 501 should offer much better protection than what we currently have, but we're not having computers connect via the Internet currently.

Currently the branch connects to the server via a very expensive 56k dedicated line, so I don't think speed is too much of an issue. I heard the 605 E has a 200 MHz processor instead of a 133 MHz or something like that. The DSL connection should be much cheaper & faster as a bonus.

My sales rep mentioned he has never sold a Pix without the Smartnet service. He described the service as not only technical support, but as a service that sends regular updates to the routers automatically, sometimes several times a day, similar to virus definition updates. Is this being explained correctly? Are you all subscribing to this service for that reason? Is the Pix kind of worthless without this service?

I have an MCSE that will help me hook up everything, so hopefully we won't need the Smartnet for the technical support.

Thanks for any advice

P.S. I posted this message on a less active Cisco forum, and 2 people both agreed the 501s should be fine, and that networked printers with their own IP addresses don't count toward the licenses. Does everyone on this forum agree?

Reply to
Nate Goulet

In article , Nate Goulet wrote: :Should I buy a Cisco Pix 501 and a 605 E, or two 501s?

That's 506E, not 605E.

: What are the :differences?

formatting link

:Also, do I really need the SmartNet service?

No.

The PIX 501 power connector is notably flaky, but instead of paying for a support contract, you could take the risk that it'll be fine for you -- and if you bet wrong you could just buy another PIX.

PIX 7.0(*) is likely to be released sometime this year or very early next for the 501 and 506E, and if you had a support contract you would be entitled to a free version update, but you certainly are not -required- to update your software, and you can always do one-off purchases of new OS versions; the one-time cost is usually no more than 3/4 of the price of a yearly support contract.

:I need to connect a remote branch to our main system using DSL.

No problem then. When your branch office connection goes down and everyone is screaming at you to get it back up, you can post about the problem on Usenet, and someone will usually answer within two or three days. Hardly any questions here go unanswered for more than 3 or 5 years, and the revised FAQ is expected to be out by 2017 at latest.

:I've :been recommended a Cisco Pix 605 E for the main office, and a Cisco :Pix 501 for the branch.

:The main office consists of a single Windows 2000 Server with Appox. :30 -35 local clients with 15 - 20 networked printers. I'm told the :networked printers count for an IP address.

PIX 506E have no inherent limits on the number of internal IP addresses they support.

PIX 501's are limited to 10, 50, or unlimited "users". A "user" is a host with an active connection to the outside; static IP translations do -not- count against the total from boot time until there is first traffic to the address, but after that they count permanently until the PIX is rebooted.

:How :complicated is it to upgrade to 50 users by the way and what's :involved?

Trivial. With current software, you log in, enter a single command, and reboot to bring the new key into effect.

:Is it something I can do myself as a pc specialist, or does :it require a networking expert like my MSCE?

If you can telnet or ssh, then you can easily put in a new key.

formatting link

:Does the 605 E offer a lot more security protection

No, the 506E is nearly identical in command set to the 501. See the model summary I linked to above.

:Currently the branch connects to the server via very expensive 56k :dedicated line

:The DSL connection should be much cheaper & :faster as a bonus.

DSL connections are almost always less reliable than a dedicated line. If the connection is business critical, then you should go with an ISP that offers an SLA (Service Level Agreement) with an uptime guarantee sufficient for your needs; or you should put in a backup link of some sort (through a completely different company such as cable), or you should skip DSL and go for a commercial-grade technology.

:My sales rep mentioned he has never sold a Pix without the Smartnet :service. He described the service as not only technical support, but :as a service that sends regular updates to the routers automatically, :sometimes several times a day, similar to virus definition updates. :Is this being explained correctly?

No!!

The PIX has the ability to autoload new operating system updates, but the PIX operating system is usually updated only a few times per year.

There is absolutely nothing corresponding to virus definition updates for the PIX.

There is also nothing in PIX 6.x (which the 501 and 506E run) that would allow the PIX to reach out and pull in an updated configuration [e.g., because you had changed the set of locations you wanted to permit access to.] The closest to that is that you -can- have "downloadable ACLs" that will be copied in from a RADIUS server. It's not the same as what you describe.

:Are you all subscribing to this :service for that reason? Is the Pix kind of worthless without this :service?

We update the configuration on our PIXes every few days, but not because of deficiencies in the PIX. We are in an environment that is -required- to deny connections by default, and so we get requests to open the rules up to allow a netmeeting or an electronic journal that lives on an obscure port, etc..

:I have a MCSE that will help me hook up everything, so hopefully we :won't need the Smartnet for the technical support.

: Thanks for any advice

If you are going to "set and forget" the PIXes, allowing a very specific set of ports (e.g., outward http on port 80, and so what if people start up a filesharing service), then you might be able to do without the technical support. But if you anticipate that the environment might be a bit more dynamic than that, then my -advice- is that you get the support contract for at least the first year. It literally takes -years- to learn all the ins and outs of a PIX. If your security posture is "hands on" rather than "set and forget" then chances are excellent that you'll find something you want answers on until you get more accustomed to the PIX.

As you asked for advice, I would also advise you to figure out what you are going to do if one of your PIX fries (e.g., brownout) or dies, or starts rebooting itself endlessly. What is your plan of action in such a case? If the plan is to buy a new one to replace the old, then how quickly can your supplier deliver? Do they keep stock in the city, or do they have to order them in? Will they tell you how long the longest order backlog was within the last year? Will your people still be able to work in the meantime? How much will you lose for each hour or each day that the device is out of action?

:P.S. I posted this message on a less active Cisco forum, and 2 people :both agreed the 501s should be fine, and that networked printers with :their own IP addresses don't count toward the licenses. Does everyone :on this forum agree?

As I indicated above, any host that communicates with the outside potentially counts against the limit on a PIX 501. The PIX does not distinguish between "computers" and "printers". "Communicates with the outside" includes over the VPN. If your central site is monitoring the printers (e.g., if you are running a print server there, or you have a centralized networking monitoring host), or if people sometimes print on remote printers [one of our people delivers documents to a remote office by printing to the remote printer], or if you run a centralized application (e.g., timesheet recording or accounting) that includes a "print this page to a local printer" facility, then each addressable network printer could potentially be active and counting against the 10-user license limit.
Reply to
Walter Roberson
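The "user" counting rule Walter describes (any inside host that has talked to the outside since boot counts, printers included, and keeps counting until the next reboot) can be replayed against a constructed traffic log to see whether a 10-user 501 fits a branch. This is an added example written for this thread, not Cisco code or a poster's script; the host names and the log are invented, and the model is a simplification of the rule as stated in the thread.

```python
def simulate_pix501_users(events, limit=10):
    """Replay an event log against the PIX 501 'user' rule as described in the thread.

    Simplified model (assumption: not Cisco's implementation):
    - a 'user' is any inside host (PC, printer, anything) that has exchanged traffic
      with the outside since boot, VPN traffic included;
    - a host with only a static translation does not count until its first traffic,
      after which it counts until the next reboot;
    - once `limit` hosts are counted, a new host cannot get an outside connection.

    events: ("traffic", host) or ("reboot",)
    Returns (peak_users_since_any_boot, denied_hosts, hosts_counted_now).
    """
    counted, denied, peak = [], [], 0
    for event in events:
        if event[0] == "reboot":
            counted = []              # reboot clears the table; denied history is kept
            continue
        host = event[1]
        if host in counted:
            continue                  # repeat traffic from a counted host costs nothing
        if len(counted) >= limit:
            denied.append(host)       # the (limit+1)th distinct host is refused
            continue
        counted.append(host)
        peak = max(peak, len(counted))
    return peak, denied, counted

# Constructed branch-office log: 4 PCs, 5 networked printers that head office polls
# over the VPN (so they count), then two visiting laptops, then a reboot.
BRANCH_LOG = [
    ("traffic", "pc-1"), ("traffic", "pc-2"), ("traffic", "pc-3"), ("traffic", "pc-4"),
    ("traffic", "printer-1"), ("traffic", "printer-2"), ("traffic", "printer-3"),
    ("traffic", "printer-4"), ("traffic", "printer-5"),
    ("traffic", "pc-1"),        # already counted: no extra slot used
    ("traffic", "laptop-a"),    # 10th distinct host: still fits a 10-user licence
    ("traffic", "laptop-b"),    # 11th distinct host: refused on a 10-user licence
    ("reboot",),
    ("traffic", "laptop-b"),    # after the reboot the count starts again
]

def branch_report(limit=10):
    """Summarise whether the constructed branch fits the given licence size."""
    peak, denied, _ = simulate_pix501_users(BRANCH_LOG, limit)
    return {"peak_users": peak, "denied": denied, "fits": not denied}

if __name__ == "__main__":
    print(branch_report(10))   # 10-user licence: laptop-b is refused
    print(branch_report(50))   # 50-user licence: everything fits, peak 11
```

Run it with the printers left out of the log to see why the earlier forum's "printers don't count" answer only holds when nothing at head office ever talks to them.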

Thanks for the reply Walter.

I guess the first thing I need to do is run a scan on the network to determine exactly how many network devices we have.

I'm told there are utilities like SuperScan for doing this. Can anyone tell me exactly how I can do this? I'm told to enter a starting IP & ending IP, but I'm not sure what to enter.

We've already selected a DSL company, and it's probably the only one where the branch is, but I'll ask about an SLA (Service Level Agreement).

Reply to
Nate Goulet

In article , Nate Goulet wrote: :I guess the first thing I need to do is run a scan on the network to :determine exactly how many network devices we have.

:I'm told there are utilities like Super scan for doing this. Can :anytime tell me exactly how I can do this?

I recommend the program Look@Lan (link). Adding ranges to scan is pretty simple for it -- click on 'scan ranges', click on Add, type in the IP start and finish, click on OK.

Reply to
Walter Roberson
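Two pieces of the inventory step, as an added example rather than anything from the thread or from Look@Lan: deriving the "IP start" and "IP finish" values from one machine's address and subnet mask, and counting the devices that answered by parsing the Windows `arp -a` table afterwards (the sample table below is constructed, using the RFC 7042 documentation MAC prefix 00-00-5e-00-53).

```python
import ipaddress
import re

def scan_range(host_ip, netmask):
    """Return (first, last, usable_count) for the subnet containing host_ip.
    first/last are the 'IP start' and 'IP finish' a LAN scanner asks for."""
    net = ipaddress.ip_network(f"{host_ip}/{netmask}", strict=False)
    first = net.network_address + 1        # skip the network address
    last = net.broadcast_address - 1       # skip the broadcast address
    return str(first), str(last), net.num_addresses - 2

# One row of Windows 'arp -a' output: address, dashed MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)",
    re.IGNORECASE,
)

def inventory_from_arp(arp_output, host_ip, netmask):
    """Map IP -> MAC for every device on host_ip's subnet seen in the ARP cache.
    Run after a sweep so the cache holds everything that answered; the scanning
    host itself never appears in its own cache, so it is added explicitly."""
    net = ipaddress.ip_network(f"{host_ip}/{netmask}", strict=False)
    devices = {host_ip: "(this host)"}
    for line in arp_output.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue                        # header or interface line
        ip = ipaddress.ip_address(m.group(1))
        if ip not in net or ip == net.broadcast_address or ip.is_multicast:
            continue                        # broadcast/multicast entries are not devices
        devices[str(ip)] = m.group(2).lower()
    return dict(sorted(devices.items(), key=lambda kv: ipaddress.ip_address(kv[0])))

# Constructed sample: a gateway, two PCs, two printers, plus the usual static entries.
SAMPLE_ARP = """\
Interface: 192.168.1.10 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-5e-00-53-01     dynamic
  192.168.1.21          00-00-5e-00-53-15     dynamic
  192.168.1.22          00-00-5e-00-53-16     dynamic
  192.168.1.50          00-00-5e-00-53-32     dynamic
  192.168.1.51          00-00-5e-00-53-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

if __name__ == "__main__":
    print(scan_range("192.168.1.10", "255.255.255.0"))       # ('192.168.1.1', '192.168.1.254', 254)
    print(len(inventory_from_arp(SAMPLE_ARP, "192.168.1.10", "255.255.255.0")))  # 6
```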

In article , Walter Roberson wrote: :As you asked for advice, I would also advise you to figure out what :you are going to do if one of your PIX fries (e.g., brownout) :or dies, or starts rebooting itself endlessly. What is your plan :of action in such a case? If the plan is to buy a new one to replace :the old, then how quickly can your supplier deliver?

Note: to solve this problem, some people buy "hot spares" (or "cold spares"). If you use the same unit at each of the offices, you need one cold spare per group of offices that is reachable within (response time limit minus time it takes to wake someone up and have them collect the spare and drive to the other office.)

Also, units from the 515 upwards support "failover" to another inline unit, which can be important if you need the failover to be automatic (or at least faster than you can get someone trained out to the other location.) There are noticeable increased costs for PIX failover configurations: it is less expensive to buy two "restricted" units but then you have to do the cutover manually.

Cisco offers three levels of hardware problem response time: overnight, 4 hour, or 2 hour. The overnight response time is on the support contract that gives you support access 8 hours a day, 5 days a week, and it's technically "next business day" delivery, not "overnight". The 4 hour and 2 hour response time contracts are both 24 hours per day, 7 days a week, including weekends and holidays.

We are on the 4 hour contract for our main PIX, and I have literally received calls back from Cisco at 01:30 and 03:00 (each within 20 minutes of having entered the case), and those were for questions that could easily have waited. We haven't ever had reason to call upon the fast-delivery, so I can't speak from experience as to whether it... well, "delivers"... but the 24 hour a day response is the real thing.

Reply to
Walter Roberson

In article , Nate Goulet wrote: :We've already select a DSL company, and it's problem the only one :where the branch is, but i'll ask about a SLA (Service Level :Agreement).

Watch out for the "planned maintenance" on the DSL SLA.

If the DSL company serves only business customers, then it will probably have an SLA already drawn up. There are a number of business-only DSL providers who can offer reliable service. Such companies charge a fair bit for their services: they charge what it costs them to provide a quality service and to be able to expand and deploy new equipment at need. Open a case with one of these companies and you'll soon have a knowledgeable technician on the line.

If, however, the DSL company serves the residential market as well, then the DSL company operates on volume rather than on quality. Prices might not be high, but reliability won't usually be high either, even for their business accounts.

A business account from a residential DSL provider gets you to a live human for problem reports, instead of to an answering machine that was last updated 3 months ago (which is what the residential customers get). But you still don't get to talk to the people who know what they are doing -- not unless you've managed to get past the first two levels of screening -and- the tech finds your problem interesting enough to call you directly. It's not -profitable- for a volume provider to have a real technical person speak to the customers.

Another thing about SLAs: if they are from a company that only deals with businesses, then they might have some real meaning. If, though, they are from a company that is volume-centered for residential accounts, then what you get is not a commitment to really work seriously to -prevent- problems: what you get is a piece of paper that details the hoops you will have to go through to claim a pro-rated "no consequential damages" refund for the hours that you will be down.

Reply to
Walter Roberson

I've heard another rumor from an insider at Cisco that the 501 and 506E will never support 7.x; instead, Cisco will come out with a low-end ASA product that will replace these two PIXs. It would be nice if Cisco would say one way or another so that administrators could make the correct purchasing decisions. I would really like to have some of the 7.x features on a 501 or 506E, but if Cisco isn't going to move to 7.x on these boxes, then I might not be interested in investing in them anymore, but wait till the small-end ASA is introduced.

Cheers!

Richard

Reply to
Richard Deal

In article , Richard Deal wrote: :I've heard another rumor from an insider at Cisco that the 501 and 506E will :never support 7.x; instead, Cisco will come out with a low-end ASA product :that will replace these two PIXs.

Interesting. Martin Bilgrav indicated on April 24 that it'd be Q3 and that he "Heard on Partner Tech update".

:It would be nice if Cisco would say one :way or another so that administrators could make the correct purchasing :decisions.

Hear! Hear!

Reply to
Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.