Internal Router Only

Hi, I'm trying to source a router for internal routing only. I want to connect our current network with a network of factory machines which use a different IP range (our domain 192.168.1.xxx, factory 192.168.2.xxx). I'm after a reasonably priced solution that will prevent packets from the factory network reaching the office network, but still allow the office to connect to the factory machines. I'm assuming that I will need a router with 2 Ethernet ports that will connect to the appropriate switches. Could anyone recommend a good solution that isn't too expensive? (Was thinking up to £500ish.) I don't want anything too fancy as I don't need firewall/VPN/ADSL etc., just internal routing.

Thanks

Reply to
Mark

Won't a 'home' router along the lines of a Linksys BEFSR41 (or 11) with the WAN port pointing at the factory and the LAN port pointing at the office network do what you want? [You'll probably want to disable the DHCP server on the LAN port.]

Reply to
William P.N. Smith

Does anyone have VPN performance numbers for the 830 series? (pps, I guess.)

I have done a quick search and can find (as usual with Cisco performance numbers) exactly nothing. I am interested specifically in IPSEC.

Reply to
anybody43

In article , Mark wrote: :Im trying to source a router for internal routing only. I want to :connect our current network with a network of factory machines which :use a different ip range (Our domain 192.168.1.xxx, Factory :192.168.2.xxx). Im after a reasonably priced solution that will :prevent packets from the factory network reaching the office network, :but still allow the office to connect to the factory machines.

That can't be done if you are using TCP. TCP *needs* return packets: you *want* packets to return from the factory network if you are using TCP.

Perhaps a more precise criterion would be that you do not want the factory network to be able to initiate connections to the office network? If so, then what are your plans with respect to DNS, WINS, email, intranet to be able to read the Material Safety Data Sheets, and so on? Are you planning to use a network monitoring package that uses SNMP to examine the state of the switches and/or devices? SNMP is UDP based, and UDP can't tell replies from new transmissions.

:Im :assuming that I will need a router with 2 ethernet ports that will :connect to the appropriate switched.

Not completely true: you could do it with a single port "router on a stick" if the router and your switch support 802.11Q VLANs.

:Could anyone recommend a good :solution that isnt too expensive? (was thinkin up to £500ish). I don't :want anything too fancy as I dont need firewall/vpn/adsl etc. just :internal routing.

£500 would easily cover a true firewall such as a PIX 501, but as the other poster pointed out, you can probably get away with a D-Link or Linksys or Netgear device that has stateful packet inspection (SPI). These devices tend to assume that you have many addresses on the secure side that are to be network address translated (NAT) into one [or sometimes two] source IPs as they go out. If your factory machines will have a need to differentiate between different office sources (e.g., for logging or authentication purposes, or because you have some protocols other than TCP or UDP in the mix), then you will have to do a bit more digging.

I don't recall that you gave any bandwidth estimates that the router would need to handle?

If, after reflection upon the points I raise above, you find that your situation is more complex than you were previously thinking, then you might find that a Cisco PIX 501 (possibly with the optional "50 user license"), or Cisco 837 VPN Bundle might make more sense.

Reply to
Walter Roberson
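The reply above makes two points a stateful device has to handle: TCP needs its return packets, and UDP has no handshake that distinguishes a reply from a new transmission. The following is an added illustration (my own code, not anything from the thread or from a vendor) that models a minimal stateful filter between the two ranges in the question: office-initiated flows are recorded, factory-to-office packets are accepted only as the reverse of a recorded flow, and UDP "replies" are accepted only within an assumed time window. All packets and the window length are constructed values.

```python
# Added example: a minimal model of stateful filtering between the office
# range (192.168.1.0/24) and the factory range (192.168.2.0/24).
# Office may open connections to the factory; the factory may only send
# packets that answer a flow the office started. All values are constructed.
from ipaddress import ip_address, ip_network

OFFICE = ip_network("192.168.1.0/24")
FACTORY = ip_network("192.168.2.0/24")
UDP_REPLY_WINDOW = 30  # assumed: seconds a UDP reply is accepted after a request


class StatefulFilter:
    def __init__(self):
        self.flows = {}  # (proto, src, sport, dst, dport) -> last-seen time

    def accept(self, proto, src, sport, dst, dport, now, syn=False):
        src, dst = ip_address(src), ip_address(dst)
        key = (proto, src, sport, dst, dport)
        # Office -> factory: allowed, and recorded so the answer can come back.
        if src in OFFICE and dst in FACTORY:
            if proto == "tcp" and not syn and key not in self.flows:
                return False  # TCP without a tracked flow must begin with SYN
            self.flows[key] = now
            return True
        # Factory -> office: only if it reverses a flow the office started.
        if src in FACTORY and dst in OFFICE:
            reverse = (proto, dst, dport, src, sport)
            started = self.flows.get(reverse)
            if started is None:
                return False  # factory-initiated traffic is dropped
            if proto == "tcp" and syn:
                return False  # a SYN is a new connection, not a reply
            if proto == "udp" and now - started > UDP_REPLY_WINDOW:
                del self.flows[reverse]
                return False  # no handshake: a stale "reply" is a new send
            self.flows[reverse] = now
            return True
        return False  # anything else is outside this router's remit


def demo():
    fw = StatefulFilter()
    return [
        fw.accept("tcp", "192.168.1.10", 40000, "192.168.2.20", 502, now=0, syn=True),  # True
        fw.accept("tcp", "192.168.2.20", 502, "192.168.1.10", 40000, now=1),            # True, reply
        fw.accept("tcp", "192.168.2.20", 4000, "192.168.1.10", 80, now=2, syn=True),    # False
        fw.accept("udp", "192.168.1.10", 50000, "192.168.2.20", 161, now=10),           # True, SNMP poll
        fw.accept("udp", "192.168.2.20", 161, "192.168.1.10", 50000, now=12),           # True, SNMP reply
        fw.accept("udp", "192.168.2.20", 161, "192.168.1.10", 50000, now=100),          # False, stale
    ]
```

A consumer SPI box does this tracking for you; the model only makes visible why the "no packets from the factory" wording in the question cannot be taken literally.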

In article , wrote: :Does anyone have VPN performance numbers for the 830 series? (pps I :guess).

:I have done a quick search and can find (as usual with cisco :performance numebrs) exactly nothing. :I am interested specifically in IPSEC

A question probably better put to comp.dcom.sys.cisco, but no matter, I've looked up the numbers recently anyhow:

formatting link
Cisco 830: 10 tunnels (peers), 7 Mbps 3DES, 2 Mbps AES-128

The high 3DES relative to the AES-128 is due to the fact that the 831, 836, and 837 have hardware DES and 3DES acceleration that does not support AES, so AES is done in software.

For comparison, since you appeared to be reacting to my mention of the Cisco 837: the Cisco PIX 501 is 3 Mbps 3DES, 4.5 Mbps AES-128 [software in both cases], and the PIX 506E is 17 Mbps 3DES, 30 Mbps AES-128 [hardware support.]

For Cisco IOS routers, a useful performance comparison can be found at

formatting link
are raw pps figures, not IPSec figures. Different models and software releases react differently when additional features such as NAT or QoS are added to the mix: some slow down drastically and others like the new 2800/3800 series are supposed to be able to keep going at full speed with a wide range of features turned on.

Reply to
Walter Roberson
