Which router do we need?

We have just upgraded to a Metro Ethernet internet connection. Our ISP has loaned us a Cisco 1841 router for a month. After that we either have to buy a router or pay rental.

Now, one potential vendor has suggested that a Cisco 1811 would be the best option for us, but our ISP has supplied an 1841. After hearing what the difference is, I'm not sure what the best option would be for us. The 1811 seems a bit small for our needs, but the 1841 seems like overkill. Is there something in between the two? We will NOT be using a T1, just an ethernet connection. Also, we don't need a firewall as we have an ASA handling firewall duties.

We are doing some routing of our old T1 IP addresses over the Ethernet connection, so please keep that in mind. I know next to nothing about Cisco routers so I need an expert opinion.

John Aldrich

Why have a router at all if you have an ASA behind it? Obviously with the T1, you needed it for the conversion from the T1(s) onto Ethernet, but with a metro ether and you just routing ether to ether, what's the point the router is doing?

If the provider is routing down two blocks (i.e. a connected one for the router WAN side, and a LAN one for the router), why not reclaim the first block, and just go with the LAN block?

(We're not recommending routers for any of our metro ether customers, just plug directly into their firewall). I've done many cuts of T1 customers onto metro ether just by making my side appear what their T1 router used to look like. They make sure they see the new MAC address, and away we go. Very simple cuts.

Granted, if your network is a bit more complex, and you are routing different IPs to different things, or doing VPLS or something else, you're going to need it, but I wouldn't think you are with an 1841/1811 in consideration. (If you do go for one of those, I'd choose the 1841 over the 1811 just for more future upgrade options, and it's not much more than the 1811).

Doug McIntyre

Ok. Thanks for the info. What happened is that our ISP ran out of IP addresses and had to get a new allocation for their Metro Ethernet and so what they're doing is routing the old T1 IP addresses to the Metro Ethernet connection. We tried to use the ASA to handle the routing, but couldn't get it to work, so we're going with a router. The problem with just giving up the old T1 addresses is that we don't really want to give them up... we have some externally accessible intranet resources that we want to keep where they are, IP-wise.

John Aldrich

You just need to work out the packets per second rate that you will have and choose the appropriate router.

Aim for a bit of spare capacity - say 50%. There seems to be more scope for things to go wrong if the router is run at 100% CPU.

formatting link
to work without login, even though it is "partners" page.

It is OK to assume fast switching. I think that the bits per second figures in the document will be for 64 byte packets and this is really over conservative for web browsing and the like. Of course for voice the packets are quite small.

If you want to come up with an estimate and post it then maybe someone will go over it.

bod43

From my own experience I can tell that, for example, a 2811 with IOS FW (CBAC), NAT/PAT, QoS (traffic shaping with nested CBWFQ) + IPS melts down on a 16 Mbps Internet connection. CPU was at 50 - 60% average but several times knocked up to 100% during peak hours with around 3000 connections per second.

Another example is a customer with an 1811 on a metro 5 Mbps line. User experience is very slow Internet browsing with more than 1000 connections per second (with only 3 users on the LAN side) due to the CBAC firewall being turned on. After disabling CBAC and implementing reflexive ACLs + PAT, web surfing was as fast as on "normal" Linksys routers:)

My point here is that when choosing the right router/firewall for your Internet connection you need to pay attention to the connections per second that the box is able to handle if you need PAT and stateful inspection features, because every time your users click on a link the router/firewall has to make a CPU interrupt to create a new entry for that connection in its NAT and stateful tables. Your torrent clients can kill your router just like that if you allow that kind of traffic outbound. This was obvious in my examples above. Look at the number of connections per second.

Packets per second is also very important, plus the size of the packets used in that measurement. Usually manufacturers use 64-byte packets, but on the Internet the average packet size (AFAIK) is 356 bytes or something around that value, so your router can do more work for you in a real environment (ISP connection), but pay attention to which features are enabled when manufacturers conduct their tests. If they don't have NAT and stateful firewall turned on when they measure the router's performance then the numbers they told you are much lower in reality;) unless you use your router for pure CCNA:) packet routing.

Another thing... I noticed that the stateful firewall on Cisco ISR routers, which also utilizes so-called "deep packet inspection", makes the Internet browsing experience very slow even if you type 'no ip inspect myfw http' with only the 'ip inspect myfw tcp' statement, so I always recommend ASA firewalls to my customers (if we are talking about Cisco) if they can afford it.

My 2 cents:)

Igor

Igor Mamuzic aka Pseto
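
The sizing estimate discussed in the last two posts, as an added example that is not part of any post in the thread: it converts link speed and packet size into packets per second (including Ethernet preamble and inter-frame gap), adds spare capacity, and compares the result with a router's rated packet and connection rates. The two router ratings and the `feature_derate` factor are constructed, hypothetical values; "50% spare" is taken to mean a rating 1.5 times the load, and the link is assumed full in both directions.

```python
from dataclasses import dataclass

# Bytes each Ethernet frame occupies on the wire beyond the frame itself:
# 7 preamble + 1 start-of-frame delimiter + 12 inter-frame gap.
WIRE_OVERHEAD = 20

def line_rate_pps(link_mbps: float, frame_bytes: int) -> float:
    """Packets/s that one direction of the link can carry at this frame size."""
    return link_mbps * 1_000_000 / ((frame_bytes + WIRE_OVERHEAD) * 8)

@dataclass
class Router:
    name: str
    rated_pps: float        # datasheet figure, typically 64-byte packets, features off
    rated_cps: float        # new connections/s with NAT + stateful inspection on
    feature_derate: float   # assumed fraction of rated_pps left with those features on

def assess(router: Router, link_mbps: float, avg_frame: int,
           peak_cps: float, spare: float = 0.5) -> dict:
    """Compare a link that is full in both directions, plus spare, to the router."""
    need_pps = 2 * line_rate_pps(link_mbps, avg_frame) * (1 + spare)
    need_cps = peak_cps * (1 + spare)
    have_pps = router.rated_pps * router.feature_derate
    return {
        "need_pps": round(need_pps),
        "have_pps": round(have_pps),
        "need_cps": round(need_cps),
        "pps_ok": have_pps >= need_pps,
        "cps_ok": router.rated_cps >= need_cps,
    }

# Constructed ratings for two hypothetical routers; not figures for any real model.
SMALL = Router("small-box", rated_pps=20_000, rated_cps=2_000, feature_derate=0.5)
LARGE = Router("large-box", rated_pps=120_000, rated_cps=10_000, feature_derate=0.5)

if __name__ == "__main__":
    # 16 Mbps and 3000 connections/s are the figures quoted in the thread.
    # 64 bytes is the datasheet worst case; 356 bytes is the average quoted in the
    # thread, treated here as the frame size.
    for frame in (64, 356):
        for box in (SMALL, LARGE):
            print(frame, box.name, assess(box, 16, frame, peak_cps=3000))
```

With these constructed ratings the larger box fails the 64-byte worst case but passes at the 356-byte average, while the smaller box fails on connections per second regardless of packet size.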
