Cisco Support Community
Community Member

Edge Device

I'm trying to figure out the best design for my network. I currently have a setup like this:

Internet - Cable Modem - Pix 515E (doing NAT) - 2621 - Internal Network

Now, should I have the 2621 as my edge device or the Pix? Just trying to get a good design or "best practice". Thanks for any help.

Community Member

Edge Device

It is recommended to have the PIX FW as your edge device instead of the router (in terms of secure connectivity).

Community Member

Edge Device

Hey Robert,

By Edge I assume you mean the box connected to the internet.

I would ideally prefer a router as the edge to the internet. This is because an internet connection can be terminated on a PIX only on Ethernet media, while a router provides a wider choice of physical media that can be used (serial, FR, ATM, etc.).

Also, a router provides wider options for the IGP and BGP that can be run at the edge, in case you need to in the future.

Considering the above, a router provides better scale than a PIX.

If you are sure that you are only going to use Ethernet (both on the inside and outside) and simple routing protocols without a lot of churn, a PIX would do just fine.

Hope this answers your questions.



Community Member

Edge Device


In my opinion, the router should be the edge device, then the firewall, I mean the PIX. This should help increase the application layer filtering.




Thanks and Regards, Vipin

Edge Device

Just to add to the above posts.

Routers in most cases are recommended to be placed at the edge with a firewall behind them, for many reasons, such as:

Routers are much better at QoS and QoS policies.

You can do packet filtering with simple ACLs and NATing on the router and application inspection on the firewall, which will give you two layers of security.

Routers can run GRE tunneling and multipoint tunneling if you need it in the future, like DMVPN.

Routers are better at routing than firewalls, because if you let the router do the routing and the firewall do the firewalling, your network will reduce the load on the devices.

Also, routers can support different WAN links like serial, 3G, etc.

Hope this helps.

If helpful rate
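As an added illustration of the two-layer split described in this post (this is not configuration from the thread or from Cisco), an IOS-style ACL on the edge 2621's outside interface that admits only the IKE, NAT-T and ESP traffic for tunnels terminating on the PIX plus return traffic for sessions opened from inside, and leaves NAT and stateful inspection to the PIX as in the original setup. The 192.0.2.0/30 addresses and interface names are constructed placeholders.

```cisco
! Added example: edge 2621 doing coarse packet filtering, PIX behind it.
! 192.0.2.0/30 and the interface names are constructed placeholders.
! The PIX (assumed 192.0.2.2) keeps doing NAT, IPsec termination and
! stateful application inspection; the router only screens what reaches it.
interface FastEthernet0/0
 description Outside - cable modem
 ip address dhcp
 ip access-group OUTSIDE-IN in
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 description Inside - PIX outside interface
 ip address 192.0.2.1 255.255.255.252
!
ip access-list extended OUTSIDE-IN
 remark drop packets claiming a private source address (spoofed/bogon)
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark IKE (UDP 500), NAT-T (UDP 4500) and ESP for tunnels on the PIX
 permit udp any host 192.0.2.2 eq isakmp
 permit udp any host 192.0.2.2 eq non500-isakmp
 permit esp any host 192.0.2.2
 remark return traffic for inside-initiated sessions; this is a stateless
 remark approximation, the PIX behind does the real stateful check
 permit tcp any host 192.0.2.2 established
 permit udp any host 192.0.2.2 gt 1023
 permit icmp any host 192.0.2.2 echo-reply
 permit icmp any host 192.0.2.2 unreachable
 permit icmp any host 192.0.2.2 time-exceeded
 remark everything else is dropped and logged for visibility
 deny   ip any any log
```

Because the router's ACL is stateless, anything it lets through to 192.0.2.2 is still subject to the PIX's inspection, which is the second layer the post describes.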

Community Member

Edge Device

OK, thanks for all of the input. I think I am going to put the 2621 at the edge and allow it to terminate my IPSEC tunnels for both site-to-site as well as remote users. Now, I've never done it before, but can the 2621 terminate Cisco VPN Clients or do I need to pass port 500 down to the PIX to handle that one? What I am seeing in my current setup is an extra 20-40 milliseconds of latency added on when I connect via Cisco VPN Client. Now, just going from hotel or whatever to my inside network isn't that bad. But, if I come into the pix and then go right back out a site-to-site vpn tunnel to somewhere else, I see an increase of around 20-40 milliseconds. Now, to me, that is crap. What do you think?

Re: Edge Device

You can use the router if you have the relevant licensing for security and the router model can support the amount of VPN connections and encrypted traffic.

By terminating the VPN on the router, you will get the benefit of having the VPN traffic inspected by the firewall as well.


plz rate helpful posts

Sent from Cisco Technical Support iPhone App
