Firewall Wizards mailing list archives
Re: Cisco 2621 opinions
From: Patrick Darden <darden () armc org>
Date: Mon, 15 Jul 2002 09:44:12 -0400 (EDT)
The 2600 series is really designed as a border router for slow bandwidth connections. 2XT1s is really the most it can comfortably handle.

IPFWIOS with CBAC is a great cheap firewall solution--for a small office. However, it is extremely limited (it does stateful packet inspection for around 70 different protocols), and eats up the CPU cycles.

Someone mentioned reflexive access lists as a possibility, and stated that they are stateful. They are stateful in a sense, but they do not keep track of tcp sequence numbers so they are not stateful in a security context. There is a large discussion of IPFWIOS vs. reflexive access lists available in the archives.

175 ethernet computers are going to saturate a 2600 very quickly if anything is on the other side of the router/firewall (file servers, etc.).

If the only other choice is the PIX, then I heartily recommend the PIX. It was designed for high-bandwidth situations. It is a great firewall.

A linux or bsd based computer would do a great job as well, using ipchains or whatever. And it would be cheap.

--
--Patrick Darden Internetworking Manager
-- 706.475.3312 darden () armc org
-- Athens Regional Medical Center

On Sat, 13 Jul 2002, joe macdonald wrote:
Hello all,

I have a rather simple question that I would appreciate feedback on. I have a network of about 175 computers that I'm looking to put behind a Cisco 2621 router and also deploy it as a firewall. I'm new to the Cisco world, so I'm wondering how well these devices work as a router/firewall and how drastic the learning curve will be (I have deployed firewalls in the past using ipfw, iptables, ipchains on Unix systems).

Also, my network isn't very big, but is the 2621 a suitable choice, or would a higher end model be necessary? Would a PIX be able to do this job better? (it's not exactly a complex routing situation, but is the PIX strictly a firewall?)

Thanks. Any opinions are greatly appreciated.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
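The distinction the reply above draws between reflexive access lists and inspection that tracks TCP sequence numbers, as an added example that is not part of the original post: a simplified Python model, not Cisco's implementation, in which a segment matching an open flow's addresses and ports passes the reflexive-style filter but fails the sequence check. The class names, the sample addresses and the 65535-byte window are assumptions, and only an already established connection is modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int

def key(s):     # flow as seen in the segment's own direction
    return (s.src, s.sport, s.dst, s.dport)
def mirror(s):  # the same flow as seen in the return direction
    return (s.dst, s.dport, s.src, s.sport)

class ReflexiveStyleFilter:
    """Outbound traffic opens a mirrored entry; inbound is matched on addresses and ports only."""
    def __init__(self):
        self.entries = set()
    def outbound(self, s):
        self.entries.add(mirror(s))
    def inbound(self, s):
        return key(s) in self.entries

class SeqTrackingFilter:
    """Additionally remembers the next sequence number the inside host expects."""
    WINDOW = 65535  # assumed receive window in bytes
    def __init__(self):
        self.expected = {}
    def outbound(self, s):
        self.expected[mirror(s)] = s.ack  # ACK field = next byte expected from the peer
    def inbound(self, s):
        nxt = self.expected.get(key(s))
        return nxt is not None and (s.seq - nxt) % 2**32 < self.WINDOW  # modulo handles 32-bit wrap

def compare(out_seg, in_segs):  # -> {label: (reflexive verdict, seq-tracking verdict)}
    rf, sf = ReflexiveStyleFilter(), SeqTrackingFilter()
    rf.outbound(out_seg)
    sf.outbound(out_seg)
    return {label: (rf.inbound(s), sf.inbound(s)) for label, s in in_segs.items()}

# Constructed sample traffic: one established connection, documentation addresses.
OUT = Segment("10.0.0.5", 40000, "192.0.2.10", 80, seq=1000, ack=5000)
SAMPLES = {
    "genuine reply": Segment("192.0.2.10", 80, "10.0.0.5", 40000, seq=5000, ack=1000),
    "forged, same ports": Segment("192.0.2.10", 80, "10.0.0.5", 40000, seq=3_000_000_000, ack=0),
}
print(compare(OUT, SAMPLES))
```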