What routers should I use

Unanswered Question
Sep 10th, 2007

We are moving into a new building. Each floor will have its own subnet. I am trying to determine what routers I should use. My boss wants to connect each floor and provide redundant ethernet lines to provide more throughput without going to fiber. (copper is already installed). To accomplish this we would need to have at least four routable network ports on each router. I was thinking that a 2811 would work since my boss would also like to provide stateful inspection and a vpn between floors since wire is run in a non-secure location.


What router can I use that would provide multiple ethernet redundant links between floors while providing firewall and VPN capabilities between these devices?

Joseph W. Doherty Mon, 09/10/2007 - 17:05

Are the copper uplinks 100 Mbps or gig? I'm guessing 100 Mbps since you mention "redundant ethernet lines to provide more throughput".


Assuming multiple 100s, a small WAN oriented router, such as the 2811, might be a bit overwhelmed.


See: http://www.cisco.com/application/pdf/en/us/guest/products/ps5854/c1244/cdccont_0900aecd8017382b.pdf


For the fastest router in this series, see http://www.cisco.com/application/pdf/en/us/guest/products/ps5854/c1244/cdccont_0900aecd80173887.pdf


You could look at even faster "feature rich" WAN routers or consider a small LAN L2/L3 switch (e.g. 3560-8PC), teamed with a separate appliance for firewall / VPN, e.g ASA series.

mpmccarron Tue, 09/11/2007 - 04:27

Throughput is not a problem. There is very little traffic between these floors usually, but it is critical when it happens. Any large bursts are done at night when there is little or no traffic.

amohabir1 Tue, 09/11/2007 - 04:41

Why not go with a hierarchical model and put a bunch of access layer switches in the closets with a bigger layer 3 switch (a 3500 series stack) or a 4500 series with a couple of GigE blades if you can afford it in the data center?


You can then use etherchannel to bond the ethernet ports to provide both redundancy and more bandwidth at the same time. You avoid spanning tree and you have a scalable model to build on.
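As an added illustration of the EtherChannel suggestion above (example configuration, not from the thread or from Cisco): two existing copper runs between two floors bundled into one routed Layer 3 port-channel on a 3560 at each end. Interface names, VLAN numbers and addresses are assumed.

```ios
! Added example, not from the thread: two Cat5 runs between floors bundled
! into one routed (Layer 3) EtherChannel on a 3560 at each end. Names and
! addresses are assumed. Bundling gives redundancy and bandwidth only; it
! does not protect traffic on the insecure cabling.
!
! --- Floor 1 switch ---
ip routing
!
interface range FastEthernet0/1 - 2
 description Both copper runs to floor 2
 no switchport
 no ip address
 channel-group 1 mode active
!
interface Port-channel1
 description LACP bundle of the two runs to floor 2
 no switchport
 ip address 10.255.12.1 255.255.255.252
!
interface Vlan10
 description Floor 1 user subnet
 ip address 10.1.10.1 255.255.255.0
!
ip route 10.1.20.0 255.255.255.0 10.255.12.2
!
! --- Floor 2 switch (mirror image) ---
ip routing
!
interface range FastEthernet0/1 - 2
 no switchport
 no ip address
 channel-group 1 mode active
!
interface Port-channel1
 no switchport
 ip address 10.255.12.2 255.255.255.252
!
interface Vlan20
 description Floor 2 user subnet
 ip address 10.1.20.1 255.255.255.0
!
ip route 10.1.10.0 255.255.255.0 10.255.12.1
!
! Check that both members show as bundled: show etherchannel summary
```

Because the bundle is a routed link, spanning tree plays no part on it; if one copper run fails, the port-channel stays up on the remaining member.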

mpmccarron Tue, 09/11/2007 - 06:50

Our main consideration was security, not just access or throughput. Because of where the wire is located we were going to run a VPN between routers and maybe use the firewall capabilities of the 2811. I was trying to accomplish this in one box rather than have other appliances.


With the 2811, could I have redundant links to one other floor? They only have two network ports by default. What else would I need to buy? Do they have expansion cards?

mpmccarron Tue, 09/11/2007 - 07:26

Are you saying that with a 3560, I could do the routing, redundancy and load-balancing between subnets? I have some security issues that my boss wants to implement, such as VPNs and firewalls between locations, which are supported by the 2811, but couldn't I offload those tasks to another appliance such as a PIX and put it between each subnet and the switch which is acting as the router?

Joseph W. Doherty Tue, 09/11/2007 - 05:09

"Throughput is not a problem. There is very little traffic between these floors usually, but is critical when it happens. "


Contradictory?


PS:

Besides the report links I posted earlier, I can tell you I've personally stress tested a 2811. The question was could one be used with a fractional T-3 providing 10 Mbps. I got it up to 20 Mbps across the 100 Mbps Ethernet interfaces; cpu maxed out. 2811 was installed and works quite well passing 10 Mbps; about 50% cpu.


mpmccarron Wed, 09/12/2007 - 06:05

Joe,


I was just trying to say that there is not much traffic passed between floors (throughput) but the data that does pass is extremely critical, time sensitive and needs to be secure. I'm not sure what you are trying to tell me about your test. I already use a 2811 as a perimeter router with a T-1 to our provider. I need a device that can handle redundant connections to multiple sites (floors) using 100mb Cat5 cabling that is in place rather than run other cable, since speed and volume are not important. The 2811 doesn't seem to have enough ports to handle the job. I was wondering if someone could suggest an upgrade or a different device. I was looking at using maybe a L3 switch which I think will provide routing, redundancy and load balancing, but I would have to go elsewhere for my security (VPN and firewall). L3 switches can route through any port, right?

amohabir1 Wed, 09/12/2007 - 06:07

Hey MP...


Why not go with a hierarchical model and put a bunch of access layer switches in the closets with a bigger layer 3 switch (a 3500 series stack) or a 4500 series with a couple of GigE blades if you can afford it in the data center?


You can then use etherchannel to bond the ethernet ports to provide both redundancy and more bandwidth at the same time. You avoid spanning tree and you have a scalable model to build on.



mpmccarron Wed, 09/12/2007 - 11:39

Thanks, but! Seems to be way too much new infrastructure for what we have. We only have about 60 devices on each subnet and non-intelligent switches. Security is our issue mostly, not performance. Little data is transferred between sites, but what is, is critical and very confidential. We were looking at routers because some come with a stateful inspection firewall and we could set up a VPN between them. I was also thinking of a L3 switch on either end and off-loading the VPN and firewall to another appliance. I was looking at the 2811 router but it doesn't seem to have enough network ports available unless there is some type of upgrade. Connections between floors will be CAT5 in an insecure environment which we cannot completely secure.

Joseph W. Doherty Wed, 09/12/2007 - 08:25

What I was trying to say about the test was I found a 2811 good for up to 20 Mbps LAN throughput.


There are Ethernet add-modules that can be used with the 2800 series, including the 2811. See:


http://www.cisco.com/en/US/products/ps5854/products_data_sheet0900aecd80581fe6.html


http://www.cisco.com/en/US/products/ps5854/products_data_sheet0900aecd8016bf0b.html


Yes, L3 switches can route; sometimes there are considerations on what is considered a port, such as physical or VLAN.

mpmccarron Wed, 09/12/2007 - 12:03

Thanks Joe,


I see that the one port card will work in the 2811 and I could have two of them. All four ports would then be routable. It doesn't look like the 4 & 9 port cards are routable. Could they be used some way in my scenario? How would you use it? I may be a little thick, but I'm missing it. Would the switch ports still be on my subnet, or can you make the switch ports be on another subnet and have the router route to them, creating another subnet between my existing subnets? Does this make any sense?

Joseph W. Doherty Wed, 09/12/2007 - 18:17

The 9 port card might not fit in the 2811.


With regard to the 4 port, although I believe you're correct that the ports can't be defined directly as routable, I think they can still be routed via VLANs, either via SVI or via a VLAN trunk to the 2811 (this latter would make the 4 port card appear as an external switch). (Hopefully someone will correct me on this if I have this wrong.)


If you're short of ports, you could also place a small external switch that supports VLANs between the router and your downstream devices. Then you could route between the VLANs trunked from the switch. (Since bandwidth isn't an issue, this might be a good alternative approach.)

mpmccarron Thu, 09/13/2007 - 07:09

Thanks Joe,


I guess if I was going to go with a switch in there, I could get an 8-port L3 switch, use that for routing, and purchase a separate firewall to perform firewall and VPN before the switch. Does that sound like it would work? One port would be from the subnet on one floor and all other ports would be used for connections to the other subnets.

Joseph W. Doherty Thu, 09/13/2007 - 10:08

Yes, don't see why that wouldn't work, but possibly less expensive to "front" a 2811 with an inexpensive L2 switch, e.g. WS-C2960-8TC-L.


Have your floor subnets feed to ports on the switch, each a separate VLAN on the switch. Trunk the VLANs to the router and do whatever you want to do there. This would be a classical "router on a stick" design.


Keeping something like a 2811 on hand also allows you to easily add a WAN connection.

paolo bevilacqua Thu, 09/13/2007 - 16:04

All right, but actually, all the EtherSwitch modules in HWIC or HWIC-D form factor will fit in any of the ISR routers, including the 2801, because there is a divider that can be removed for the purpose.



Joseph W. Doherty Thu, 09/13/2007 - 16:36

Thank you Paolo for the note on the double wide HWICs.


Rereading the literature on various Ethernet modules, all appear they can be routed, although some via SVI. Information on SVI can be found here: http://www.cisco.com/en/US/products/ps5854/products_white_paper0900aecd8064c9f4.shtml


From: http://www.cisco.com/en/US/products/ps5854/products_qanda_item0900aecd802a9470.shtml


Q. Can I configure the switch interfaces as Layer 3 ports?


A. The Cisco EtherSwitch network module and service module interfaces can be configured directly as Layer 3, or routed, ports by using the no switchport command and assigning an IP address directly to the port. Cisco Switchports on the HWIC do not support Layer 3 addresses natively; they must be assigned to a SVI and use a VLAN interface for Layer 3. Every switch port can be assigned to a unique VLAN, up to 15 VLANs maximum.


Same document notes that 32 FastEthernet ports can be defined on a 2811.


It appears that you can have sufficient ports using one or more of these modules.
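As an added illustration tying together the "router on a stick" design from Joe's earlier reply and the SVI-versus-routed-port distinction quoted above (example configuration, not from the thread or from Cisco's documents): a 2811 routing four floor subnets three different ways, with IOS stateful inspection (CBAC) guarding the floor that holds the confidential data. Interface names, VLAN numbers, addresses and the policy itself are assumed.

```ios
! Added example, not from the thread. Interface names, VLAN IDs, addresses
! and the "floor 2 holds the confidential data" policy are assumed values.
!
! Stateful inspection (CBAC): sessions initiated from floor 2 are tracked and
! their return traffic is admitted dynamically through the other floors' ACLs.
ip inspect name FW tcp
ip inspect name FW udp
!
! Other floors may not initiate to floor 2; other inter-floor traffic passes.
ip access-list extended TO-FLOOR2-BLOCK
 deny   ip any 10.1.20.0 0.0.0.255 log
 permit ip any any
!
! 1) Router on a stick: onboard FE0/1 carries the dot1Q trunk from an external
!    L2 switch, one subinterface per floor VLAN.
interface FastEthernet0/1
 no ip address
 no shutdown
!
interface FastEthernet0/1.10
 description Floor 1 (VLAN 10 on the trunk)
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
 ip access-group TO-FLOOR2-BLOCK in
!
interface FastEthernet0/1.20
 description Floor 2, confidential (VLAN 20 on the trunk)
 encapsulation dot1Q 20
 ip address 10.1.20.1 255.255.255.0
 ip inspect FW in
!
! 2) HWIC-4ESW switchports take no IP address: put the port in a VLAN (which
!    must also exist in the VLAN database) and route through its SVI.
interface FastEthernet0/0/0
 description Floor 3 uplink on an HWIC switchport
 switchport access vlan 30
!
interface Vlan30
 ip address 10.1.30.1 255.255.255.0
 ip access-group TO-FLOOR2-BLOCK in
!
! 3) EtherSwitch network-module (NM) ports can be made routed ports directly.
interface FastEthernet1/0
 description Floor 4 uplink on a routed network-module port
 no switchport
 ip address 10.1.40.1 255.255.255.0
 ip access-group TO-FLOOR2-BLOCK in
```

The inspection on the floor 2 subinterface is what lets replies to floor 2's own sessions pass the deny entry on the other floors' inbound ACLs; the encryption of the copper runs themselves would be a separate IPsec configuration between the floor routers.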


