PIX 515 vs. 2621

jleuenberger
Level 1

Can anyone give me the advantages of using a 2621 Router vs. a PIX for routing with the argument of speed?

Granted I would think the 2621 would be quicker because of less packet analysis...but I'd like to hear opinions and facts...

thanks-->

jason

5 Replies

mmellet
Level 3

The major advantage of using a 2621 for routing instead of a PIX is the fact that it is a "router". The PIX does not use routing protocols and realistically does not route. The PIX is designed for security, not routing.

But the PIX is a layer 3 device, correct?

But now that I think about it...the PIX really just acts as a huge 'door' for lack of better terms....'are you allowed to go to my other interface?'---looks at conduits/ACLs---then 'yes' or 'no'.

I think I had already known the answer to that one...I was just looking for a more detailed explanation.

thanks for your help...

-->jason

- 2600 is a router, PIX is not a router

- 2600 uses routing table for forwarding decision, PIX uses the translation table (NAT mapping basically) for forwarding decision

- PIX cannot be said to be a layer 3 device; in fact, the security algorithm it uses is Layer 7 aware (stateful firewall). E.g., it understands a Telnet session

- PIX is a firewall, and 2600 can also be a firewall using built-in packet filtering, or it can be a stateful firewall similar to PIX with the Firewall feature set loaded

- In terms of firewall / VPN performance the PIX will be a much better choice since it is designed to perform such function.

Sridharagupta.b
Level 1

As per my knowledge, a 2621 with a VPN accelerator will be the most suitable (cost-effective) solution for VPN with 3DES, but with no failover. The 2621 is a router which supports most of the routing protocols, and the PIX doesn't do this. PIX does not support all the routing protocols. The 2621 can't be a firewall, but can be a lower-end router. PIX has built-in security for each interface depending on the name of that interface.

jleuenberger
Level 1

All-->thanks for your comments and explanations.

I'm working on a project right now that will remove most of the load and 'routing' from our PIX. It has 6 interfaces and we are currently using ALL of them for 'routing'. Granted some could say that it should stay like that so that we have a layer of stateful packet inspection between all domains/environments...but I think that is unnecessary considering we have 2621's and a 6509 in-house w/ an MSFC....that was being utilized with zero benefit to our infrastructure.

I love these forums.

-->jason
