ISR vs router and pix

Unanswered Question
May 16th, 2007

Currently our network looks like the attached image (current.jpg)... pretty simple really.

But we are adding capacity from a 1.5Mbs T1 to fiber 10Mbs. The fiber connectivity is delivered via Ethernet, but we are still required to have routing equipment. They deliver the service routed behind our interface (E0 x.x.x.126). We will also be adding several NAT'ed VLANS to the area behind the firewall in the near future.

My initial thought was to use one of the Integrated services routers that has a firewall built in but I am not sure how the firewalling and NAT would work if they are delivering behind our side of the interface. Is it done with virtual interfaces? Would we need to add a switch module to the router? Would we be better off with a more traditional router and a pix?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
spremkumar Wed, 05/16/2007 - 20:00

Hi Mike

Since the Bandwidth you are going to have in your site is more i would suggest to go for individual devices to take care of the functionalities like routing/security instead loading all the functionalities onto a single device which could make the device to hang or freeze up..

On the operations point of view too you will have ofcourse multiple devices but you will be able to figure out what has went wrong or the possible reason for the problems instead having all the functionalities in a single device and hitting the bush :-) ..


desai.jaideep Thu, 05/17/2007 - 03:25


Actually I had recently attended a meeting at cisco where they were promoting ISRs. They had shown some statictics from third party tests that a 3845 can sustain a WAN link of 50 Mbps with concurrent voice,video and data applications running.

Pls check the following links for the test reports:

Also I was seeing your diagram. You have mentioned a subnet of C class. Which means your network consists of not more than 254 computers. Even if we provision expansion, then also I think ISRs are right choice for you.

I think you should definately go for ISR. This will help you save lot of money.



mike.eklund Thu, 05/17/2007 - 09:57

Link says that a 2851 can handle 20Mbs... I was leaning toward a 2821, no report on what it can handle.

I am curious about how the NAT'ing and firewalling is handled in the ISR. Is it through virtual (logical) interfaces, or would you need a switch module in the router?

desai.jaideep Thu, 05/17/2007 - 19:58


NATing and firewalling do not require ESW. For a basic NAT and implementing firewall, you require at least 2 ethernet ports, which is already available in 2821.

Have I answered your question? If not please explain in detail .



mike.eklund Thu, 05/17/2007 - 20:43

Thanks for your patience.

In my current setup I have all of my machines behind a firewall with port forwarding to select services. My new isp is used to traditional routers, they tell me that they will route my ip block (a /27) to behind my interface (x.x.x.126) in my attached picture. I guess I am just hung up on understanding how the configuration would look with routing, firewall, and NAT with an ISR. I will be breaking new ground and wont be able to count on my ISP for help on this as they dont know anything about the ISRs.


This Discussion