What routers should I use

mpmccarron
Level 1

We are moving into a new building. Each floor will have its own subnet. I am trying to determine what routers I should use. My boss wants to connect each floor and provide redundant ethernet lines to provide more throughput without going to fiber. (copper is already installed). To accomplish this we would need to have at least four routable network ports on each router. I was thinking that a 2811 would work since my boss would also like to provide stateful inspection and a vpn between floors since wire is run in a non-secure location.

What router can I use that would provide multiple ethernet redundant links between floors while providing firewall and VPN capabilities between these devices?

16 Replies

Joseph W. Doherty
Hall of Fame

Are the copper uplinks 100 Mbps or gig? I'm guessing 100 Mbps since you mention "redundant ethernet lines to provide more throughput".

Assuming multiple 100s, a small WAN oriented router, such as the 2811, might be a bit overwhelmed.

See: http://www.cisco.com/application/pdf/en/us/guest/products/ps5854/c1244/cdccont_0900aecd8017382b.pdf

For the fastest router in this series, see http://www.cisco.com/application/pdf/en/us/guest/products/ps5854/c1244/cdccont_0900aecd80173887.pdf

You could look at even faster "feature rich" WAN routers or consider a small LAN L2/L3 switch (e.g. 3560-8PC), teamed with a separate appliance for firewall / VPN, e.g. ASA series.

Throughput is not a problem. There is very little traffic between these floors usually, but it is critical when it happens. Any large bursts are done at night when there is little or no traffic.

Our main consideration was security, not just access or throughput. Because of where the wire is located we were going to run a VPN between routers and maybe use the firewall capabilities of the 2811. I was trying to accomplish this in one box rather than have other appliances.

With the 2811, could I have redundant links to one other floor? They only have two network ports by default. What else would I need to buy? Do they have expansion cards?

Are you saying that with a 3560 I could do the routing, redundancy and load-balancing between subnets? I have some security issues that my boss wants to implement, such as VPNs and firewalls between locations, which is supported by the 2811, but couldn't I offload those tasks to another appliance such as a PIX and put it between each subnet and the switch which is acting as the router?

"Throughput is not a problem. There is very little traffic between these floors usually, but is critical when it happens. "

Contradictory?

PS:

Besides the report links I posted earlier, I can tell you I've personally stress tested a 2811. The question was could one be used with a fractional T-3 providing 10 Mbps. I got it up to 20 Mbps across the 100 Mbps Ethernet interfaces; CPU maxed out. The 2811 was installed and works quite well passing 10 Mbps; about 50% CPU.

Joe,

I was just trying to say that there is not much traffic passed between floors (throughput), but the data that does pass is extremely critical, time sensitive and needs to be secure. I'm not sure what you are trying to tell me about your test. I already use a 2811 as a perimeter router with a T-1 to our provider. I need a device that can handle redundant connections to multiple sites (floors) using the 100 Mb Cat5 cabling that is in place rather than run other cable, since speed and volume are not important. The 2811 doesn't seem to have enough ports to handle the job. I was wondering if someone could suggest an upgrade or a different device. I was looking at using maybe an L3 switch, which I think will provide routing, redundancy and load balancing, but I would have to go elsewhere for my security (VPN and firewall). L3 switches can route through any port, right?

Hey MP...

Why not go with a hierarchal model and put a bunch of access layer switches in the closets with a bigger layer 3 switch (a 3500 series stack) or a 4500 series with a couple of GigE blades if you can afford it in the data center?

You can then use etherchannel to bond the ethernet ports to provide both redundancy and more bandwidth at the same time. You avoid spanning tree and you have a scalable model to build on.
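The hierarchical design suggested above, written out as an added example (not a configuration from anyone in the thread): a core L3 switch in the data center holds the floor SVIs and bonds two of the existing Cat5 runs to a floor access switch with LACP, so the pair acts as one trunk for both redundancy and bandwidth. The VLAN numbers, addresses, interface names and the 3560/2960 platforms are assumptions.

```ios
! === Core L3 switch (assumed 3560 stack; a 4500 with GigE blades is configured the same way) ===
ip routing
!
vlan 11
 name FLOOR1
vlan 12
 name FLOOR2
!
! One SVI per floor: the core routes between floors, so no per-floor router is needed
interface Vlan11
 ip address 10.1.11.1 255.255.255.0
interface Vlan12
 ip address 10.1.12.1 255.255.255.0
!
! Two copper runs to the floor-2 closet bonded with LACP. STP sees one logical
! link, so neither run sits blocked; traffic is shared and either run can fail.
interface range FastEthernet0/1 - 2
 description 2 x Cat5 to FLOOR2-ACCESS
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 12
 switchport nonegotiate
 channel-group 1 mode active
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 12
!
! === Floor-2 access switch (assumed 2960; it only does 802.1Q, so no encapsulation command) ===
interface range FastEthernet0/1 - 2
 description 2 x Cat5 to core
 switchport mode trunk
 switchport trunk allowed vlan 12
 switchport nonegotiate
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 12
!
! User ports: access VLAN only, and BPDU guard so a rogue switch plugged in
! on the floor cannot take over the spanning tree
interface range FastEthernet0/3 - 24
 switchport mode access
 switchport access vlan 12
 spanning-tree portfast
 spanning-tree bpduguard enable
```

After both sides are configured, `show etherchannel summary` should list Po1 as `SU` (layer 2, in use) with both member ports flagged `P` (bundled); a member shown as `I` (individual) or `s` (suspended) usually means the trunk settings differ between the two ends. Note that this bonds the links but does not encrypt them; the VPN requirement in the thread still needs the routers or an appliance.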

Thanks, but! Seems to be way too much new infrastructure for what we have. We only have about 60 devices on each subnet and non-intelligent switches. Security is our issue mostly, not performance. Little data is transferred between sites, but what is, is critical and very confidential. We were looking at routers because some come with a stateful inspection firewall and we could set up a VPN between them. I was also thinking of an L3 switch on either end and off-loading the VPN and firewall to another appliance. I was looking at the 2811 router but it doesn't seem to have enough network ports available unless there is some type of upgrade. Connections between floors will be CAT5 in an insecure environment which we cannot completely secure.

What I was trying to say about the test was I found a 2811 good for up to 20 Mbps LAN throughput.

There are Ethernet add-modules that can be used with the 2800 series, including the 2811. See:

http://www.cisco.com/en/US/products/ps5854/products_data_sheet0900aecd80581fe6.html

http://www.cisco.com/en/US/products/ps5854/products_data_sheet0900aecd8016bf0b.html

Yes, L3 switches can route; sometimes there are considerations on what is considered a port, such as physical or VLAN.

Thanks Joe,

I see that the one-port card will work in the 2811 and I could have two of them. All four ports would then be routable. It doesn't look like the 4- and 9-port cards are routable. Could they be used some way in my scenario? How would you use them? I may be a little thick, but I'm missing it. Would the switch ports still be on my subnet, or can you make the switch ports be on another subnet and have the router route to them, creating another subnet between my existing subnets? Does this make any sense?

The 9 port card might not fit in the 2811.

With regard to the 4-port, although I believe you're correct that the ports can't be defined directly as routable, I think they can still be routed via VLANs, either via SVI or via a VLAN trunk to the 2811 (this latter would make the 4-port card appear as an external switch). (Hopefully someone will correct me on this if I have this wrong.)

If you're short of ports, you could also place a small external switch that supports VLANs between the router and your downstream devices. Then you could route between the VLANs trunked from the switch. (Since bandwidth isn't an issue, this might be a good alternative approach.)

Thanks Joe,

I guess if I was going to go with a switch in there, I could get an 8-port L3 switch and use that for routing, and purchase a separate firewall to perform firewall and VPN before the switch. Does that sound like it would work? One port would be from the subnet on one floor and all other ports would be used for connections to the other subnets.

Yes, don't see why that wouldn't work, but possibly less expensive to "front" a 2811 with an inexpensive L2 switch, e.g. WS-C2960-8TC-L.

Have your floor subnets feed to ports on the switch, each a separate VLAN on the switch. Trunk the VLANs to the router and do whatever you want to do there. This would be a classical "router on a stick" design.

Keeping something like a 2811 on hand also allows you to easily add a WAN connection.
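Putting the router-on-a-stick design from the last reply together with the original requirement (redundant copper between floors, VPN because the wire runs through an insecure space, stateful inspection), here is the floor-1 2811 as an added example; it is not configuration from anyone in the thread. Floor VLANs 11/12, the 10.x addressing, the /30 transit links, the server address, the interface names (the second inter-floor port is assumed to be a one-port HWIC in slot 0, whose name depends on the slot used) and the SMB-only policy are all assumptions; the floor-2 router mirrors this with the floor subnets and the .1/.2 transit addresses swapped.

```ios
! ----- IKE/IPsec for the inter-floor tunnels -----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! hash sha256 and group 14 need IOS 15.1(2)T or later; on older 12.4 images use "hash sha" and "group 5"
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 192.168.255.2
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 192.168.255.6
! DPD: a dead peer tears the SA down, which takes the VTI line protocol down
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set FLOOR-TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile FLOOR-PROF
 set transform-set FLOOR-TS
!
! ----- Stateful inspection (CBAC) -----
ip inspect name FLOORS tcp
ip inspect name FLOORS udp
ip inspect name FLOORS icmp
!
! What floor 2 may initiate toward floor 1 (assumed policy: SMB to one server only).
! Return traffic for sessions floor 1 starts is added dynamically by "ip inspect ... out".
ip access-list extended FROM-FLOOR2
 permit tcp 10.2.0.0 0.0.255.255 host 10.1.11.10 eq 445
 deny   ip any any log
!
! The copper itself accepts nothing but IKE and ESP between the two routers,
! so cleartext injected in the riser is dropped and logged.
ip access-list extended TRANSIT-ONLY
 permit udp 192.168.255.0 0.0.0.7 192.168.255.0 0.0.0.7 eq isakmp
 permit esp 192.168.255.0 0.0.0.7 192.168.255.0 0.0.0.7
 deny   ip any any log
!
! ----- Router on a stick: one trunk to the WS-C2960-8TC-L, one subinterface per VLAN -----
interface FastEthernet0/0
 description Trunk to floor-1 access switch
 no ip address
interface FastEthernet0/0.11
 encapsulation dot1Q 11
 ip address 10.1.11.1 255.255.255.0
interface FastEthernet0/0.12
 encapsulation dot1Q 12
 ip address 10.1.12.1 255.255.255.0
!
! ----- Two Cat5 runs to floor 2, each its own /30 transit -----
interface FastEthernet0/1
 description Inter-floor link A (insecure riser)
 ip address 192.168.255.1 255.255.255.252
 ip access-group TRANSIT-ONLY in
interface FastEthernet0/0/0
 description Inter-floor link B (insecure riser), HWIC-1FE in slot 0
 ip address 192.168.255.5 255.255.255.252
 ip access-group TRANSIT-ONLY in
!
! ----- One IPsec VTI per run; the firewall policy sits on the decrypted side -----
interface Tunnel0
 description IPsec over link A
 ip address 10.255.0.1 255.255.255.252
 ip access-group FROM-FLOOR2 in
 ip inspect FLOORS out
 tunnel source FastEthernet0/1
 tunnel destination 192.168.255.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLOOR-PROF
interface Tunnel1
 description IPsec over link B
 ip address 10.255.0.5 255.255.255.252
 ip access-group FROM-FLOOR2 in
 ip inspect FLOORS out
 tunnel source FastEthernet0/0/0
 tunnel destination 192.168.255.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLOOR-PROF
!
! Equal-cost routes: both runs carry traffic; when a run or its SA dies the tunnel
! goes down and its route is withdrawn, so the other run takes everything.
ip route 10.2.0.0 255.255.0.0 Tunnel0
ip route 10.2.0.0 255.255.0.0 Tunnel1
```

Two checks worth doing once both routers are up: `show crypto ipsec sa` should show encaps/decaps counters climbing on both SAs, and unplugging one riser should leave `show ip route 10.2.0.0` with a single tunnel next hop within the DPD interval. Because the floor subnets are reachable only via the tunnel interfaces, a failed SA cannot silently fall back to sending floor traffic in the clear across the riser, and TRANSIT-ONLY makes the same true for anything arriving from the wire.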
