
badsykes1

join:2004-12-08

[H/W] Cisco 1921 vs 880 and 890 series

Hello

So what do you guys think about performance:

»anticisco.ru/pubs/ISR_G2_Perfomance.pdf

Based on the document above do you guys recommend going for 891 or should i go with 1921 and buy a 4 port gigabit WIC card for future proof?

My ISP introduced two tiers 500Mbps and 1gbps...So for very little i may theoretically upgrade in the future for more than 100mbps..

The 1921 on ebay will go for around 560$ + gigabit WIC card around 200-300$ ...

OR should i use a Juniper SRX210 for my network and just use packettracer and emulators for my CCNA stuff

The SRX210 kinda fits the price bill and all i want...
Firewall performance at least 100mbps wire speed, future gbit upgrades and don't need to buy additional cards for a 2 person network...


markysharkey
Premium
join:2012-12-20
united kingd

1 edit

Depends what other services you plan to run on them. Adding NAT and some sort of firewall (CBAC or zone based) can have a dramatic effect on throughput. Check out table 8 in that document for throughput in a real world scenario.
If you are looking for an edge device to run at 500Mb/s or 1Gig, I doubt the lower end of ISR range will be able to cope.

--
Binary is as easy as 01 10 11


badsykes1

join:2004-12-08

Well...I think the SRX210 hits the nail on all things except the fact that it is not a Cisco...I can live without hardware firewall because i already own firewall on every pc. Adding a card to the 1900 series is something new that i have never done before...Also the SRX supports one add in card too...


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to badsykes1

said by badsykes1:

and buy a 4 port gigabit WIC card for future proof?

Futureproof against... what, exactly?

Also, if you're thinking the particular WIC card I think you're thinking about, remember that each
interface is SWITCHED, not ROUTED -- ie. you can put em in a VLAN, you can put an IP address to a
VLAN interface, but you cannot apply an IP address to each physical interface.

Think it's been said enough here before is what speeds do you want, and with what services turned on?
I seem to recall an 891 performance test here before... and there was some 19xx test as well -- EDIT :
never mind, found some of the older threads :

»Cisco 891 vs 1811

»1921 vs 891 Throughput Testing

...as I recall, I wasn't terribly impressed with the 1921 out of the gate.

said by badsykes1:

My ISP introduced two tiers 500Mbps and 1gbps...

First off, lucky you!

Secondly, the only things I know of that are rated for that speed are the PIX 535(E), ASA 5550,
ISR4451X and ASR1K, the last two FOR SURE will do that WITH SERVICES with a smile on their face,
and come back for seconds.

My 00000010bits

Regards

markysharkey
Premium
join:2012-12-20
united kingd

I concur with Hellfire and if enterprise grade is what you need then those are your options. However, if you can get away with "pro-sumer" gear, I have deployed an RV180 hanging off a 1Gb link. With services (NAT and firewall) I regularly see 850Mb/s.
To be perfectly frank, I don't really like it, and it has a serious VPN flaw (PPTP and IPSec VPN only work with 32 bit clients!) but it moves packets around quickly enough and for the price, it's pretty much disposable! And it's been up for 150 days without incident so it's not all bad.

--
Binary is as easy as 01 10 11


badsykes1

join:2004-12-08
reply to HELLFIRE

Hello Hellfire

First of all thx for all the Help and info and stuff during all these years...I am still impressed about your patience and activity around here...You should try teaching if you don't do it already...

back to topic...Here is the interface i am talking about:

»www.senetic.ro/product/EHWIC-4ESG=

It is a local site but the explanation is in English...
The price is in Euro w/o VAT and Ron w/ VAT included
So add 24% to the euro price and you get the picture...

"The 4- and 8-port Gigabit Ethernet EHWICs provide line-rate Layer 2 switching across onboard Gigabit Ethernet ports. "

I need only switching on these ports and i want to use the Router GE ports for Wan links...Theoretically a good ALL in ONe router resembling home routers is the 1941w with that card..Wireless, gigabit and security in one box...The combination costs more than 1000$...

Regarding those tiers (500 and 1gbps) i don't wanna spend the price of a second hand car on a router (ISR4451X and so on).
After all i can disable firewall and get decent gigabit or wirespeeds...

Seems the SRX210 is faster and can activate the firewall and still 100mbps speeds...At least this is what i can get reading the datasheet...

»www.juniper.net/us/en/local/pdf/···1-en.pdf

Why Cisco routers feels slow or cisco don't want to make them too speedier so keep everyone in chess...I read the Huawei AR1220 datasheet and it feels faster and more interfaces than 891 and 1921/1941 series...

Huawei aR1220 forwarding capacity is 350kpps

»www.huawei.com/ucmf/groups/publi···3990.pdf

Wan speed with services is 25mbps vs 15mbps for 1941 ...

Maybe because is very rare stuff ?


badsykes1

join:2004-12-08
reply to markysharkey

In the RV price category you can find other interesting stuff...

»www.tp-link.com/en/products/deta···L-ER5120

or

»www.tp-link.com/en/products/deta···L-ER6120


kamikatze

join:2007-11-02
kudos:2
reply to badsykes1

said by badsykes1:

I read the Huawei AR1220 datasheet and it feels faster and more interfaces than 891 and 1921/1941 series...

Huawei aR1220 forwarding capacity is 350kpps
[..]
Maybe because is very rare stuff ?

Let me just stop you right there and steer you towards this particular Defcon talk:

»www.youtube.com/watch?v=sn4JofQEFuY#t=0m9


Your ISP is residential RDS Romania. There is zero doubt at this point :)
What you forgot to mention is that this very good service has the downside of being wrapped in PPPoE. So, CPU overhead. Lots of it. This is never done in silicon on the low end stuff, including the 4451-X, maybe in the ASR1k, but certainly not ISRs (the G2 is pretty much a software only platform, whatever you turn on eats processor cycles). I can't comment on how Juniper's low end SRX handles PPP but i feel it through watching lots of astrophysics talks lately that it's done in software too.

If this is of any help i can tell you the 2921 handles 100Mbps with NAT and very light reflexive ACLs (no PPP) with about 50% CPU load. Throw in PPP and you've just maxed it out.

ISR2921#sh proc cpu sort | e _0.00 (i'm really sorry cramer)
CPU utilization for five seconds: 53%/48%; one minute: 32%; five minutes: 20%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
 130    79359448   327518925        242  3.11%  2.76%  3.18%   0 IP Input
 319        1184         417       2839  1.03%  0.62%  0.19% 388 Virtual Exec
   6     6460236     1153091       5602  0.55%  0.10%  0.06%   0 Check heaps
 101       79004   959076102          0  0.15%  0.17%  0.16%   0 Ethernet Msec Ti
 325       39348     8091934          4  0.15%  0.14%  0.14%   0 IP RACL Ager
 126       26688   236279082          0  0.07%  0.04%  0.02%   0 IPAM Manager
  85       85680    30291634          2  0.07%  0.13%  0.15%   0 Netclock Backgro
 154       49176     8146373          6  0.07%  0.02%  0.01%   0 CEF: IPv4 proces
  67       30372     7579009          4  0.07%  0.05%  0.06%   0 Per-Second Jobs
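
The CPU output in the post above can be read mechanically. The following is an added example, not part of the original post: in the IOS summary line the first five-second figure is total CPU and the second is the share spent at interrupt level, which is where fast-path packet forwarding runs. The `classify` helper and its 0.75 threshold are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Output copied from the post above (rows showing 0.00 were filtered out there).
SAMPLE = """\
CPU utilization for five seconds: 53%/48%; one minute: 32%; five minutes: 20%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
 130    79359448   327518925        242  3.11%  2.76%  3.18%   0 IP Input
 319        1184         417       2839  1.03%  0.62%  0.19% 388 Virtual Exec
   6     6460236     1153091       5602  0.55%  0.10%  0.06%   0 Check heaps
 101       79004   959076102          0  0.15%  0.17%  0.16%   0 Ethernet Msec Ti
 325       39348     8091934          4  0.15%  0.14%  0.14%   0 IP RACL Ager
 126       26688   236279082          0  0.07%  0.04%  0.02%   0 IPAM Manager
  85       85680    30291634          2  0.07%  0.13%  0.15%   0 Netclock Backgro
 154       49176     8146373          6  0.07%  0.02%  0.01%   0 CEF: IPv4 proces
  67       30372     7579009          4  0.07%  0.05%  0.06%   0 Per-Second Jobs
"""

SUMMARY_RE = re.compile(
    r"CPU utilization for five seconds:\s*(\d+)%/(\d+)%;"
    r"\s*one minute:\s*(\d+)%;\s*five minutes:\s*(\d+)%"
)
# PID, runtime, invoked, uSecs, three percentages, TTY, process name.
ROW_RE = re.compile(
    r"^[ \t]*(\d+)[ \t]+\d+[ \t]+\d+[ \t]+\d+[ \t]+([\d.]+)%[ \t]+([\d.]+)%"
    r"[ \t]+([\d.]+)%[ \t]+\d+[ \t]+(.+?)[ \t]*$",
    re.MULTILINE,
)

@dataclass
class Proc:
    pid: int
    five_sec: float
    one_min: float
    five_min: float
    name: str

def parse_summary(text):
    """Split the five-second figure into total, interrupt and process level."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no CPU utilization summary line found")
    total, intr, one_min, five_min = map(int, m.groups())
    if intr > total:
        raise ValueError("interrupt share cannot exceed total CPU")
    return {"total": total, "interrupt": intr, "process": total - intr,
            "one_min": one_min, "five_min": five_min}

def parse_processes(text):
    """Return one Proc per process row; header and summary lines do not match."""
    return [Proc(int(m[1]), float(m[2]), float(m[3]), float(m[4]), m[5])
            for m in ROW_RE.finditer(text)]

def classify(summary, threshold=0.75):
    """Label the load by where the CPU goes (threshold is an assumed cut-off)."""
    if summary["total"] == 0:
        return "idle"
    share = summary["interrupt"] / summary["total"]
    return "forwarding-bound" if share >= threshold else "process-bound"

if __name__ == "__main__":
    s = parse_summary(SAMPLE)
    print(s, classify(s))
    for p in parse_processes(SAMPLE):
        print(f"{p.pid:>4} {p.five_sec:5.2f}% {p.name}")
```

Here 48 of the 53 points are interrupt-level, and the listed processes add up to roughly the remaining 5, so the load is packet forwarding rather than any scheduled process.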
 

badsykes1

join:2004-12-08

That clip was plenty of fun...Well thanks for opening my eyes....To require knowing Chinese or need a Chinese guy to actually debug my router is kinda....Meh..
No access to firmwares....Is ok from their point of view but i prefer the DIY way and security is an unknown...Unknown is exciting ... Seems the guy that talked first and played with the router got excited too ... Definitely he had a good laugh during the interaction with the router.. ...
Defcon stuff is surely fun to see and pretty much eyes open...They put on the table all things vulnerabilities, support quality and you can choose if you prefer what you see or not...
Yes i am on RDS residential Romania... :P
I worked in RDS for 2 and a half years and i can tell you that very good service moved to PPPOE for Business zone too...They migrated everyone from Static ip to PPPOE and allocating the same static IP ... Juniper SRX is a competition for ISR series so no wonder if they do it in software anyway but at least i am not buying an external gigabit card to actually build the switch portion...I haven't studied PPPOE overhead but seems the implementation is kinda complicated...

I looked at 2921 and is not my preference...The price, the bulk etc...Some people here recommended me Netscreen series if i want a sustained 100mbps pipe with firewall too...And is cheap stuff on ebay...

Thanks for the info...



kamikatze

join:2007-11-02
kudos:2

Well now, if it doesn't really have to be an ISR or SRX, why not go with a classic + a small switch to trunk some vlans to it. Might even want to throw an Olive at it.
»www.intel.com/content/www/us/en/···iew.html


markysharkey
Premium
join:2012-12-20
united kingd
reply to badsykes1

Ubiquiti Edgemax may be worth a look too. I had a chat with them about their new £99 1Gig WAN router and they seemed confident it would be comparable to the throughput I see on the RV180. I'm hoping to get one to test in the not too distant.
»www.ubnt.com/edgemax
--
Binary is as easy as 01 10 11


badsykes1

join:2004-12-08

Pretty stuff markysharkey...If you get one please tell me the results..I am interested..Also tell me who is selling in EU those toys

»dl.ubnt.com/Tolly212127UbiquitiE···ance.pdf

There are only two clients so i need 3 ports..1 wan + 2 lans...And is fanless ! ...Sleeping in the same room..

Kamikatze: thx for the link. Looks fine but i prefer the little thing that marky posted..


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to badsykes1

Thanks for the kind words, badsykes1

said by badsykes1:

I need only switching on these ports and i want to use the Router GE ports for Wan links...

and I'm just making sure I'm clear about what you want.

I'd also go with the Edgemax, blasphemous as it is to mention in this forum --

try this first look review at smallnetbuilder.com.
I've got one myself but haven't had much time to test it out, but for the sheer power and functionality for a home
edge device for the going price can't be understated.

I'd also agree that in light of today's speeds, even the ISR G2 seem dated when Gig speeds are creeping up on even
the residential space ... it just goes back to a) the reality of Moore's Law, G2s came out 2009 and here we are at
the start of 2014, b) it depends what you want in the end vs what you can afford.

My 00000010bits.

Regards

badsykes1

join:2004-12-08

1 edit

thx for the review Hellfire...

Ouch ...
Cisco requires learning their language, ERL requires learning linux language...Both require time to learn their language...Fortunately the article is old so things changed from when the review was done. The latest firmware is 1.4.0 vs 1.0.2 in the article and the CPU is 500mhz and there is some documentation too on the site...Also seems the support is looking nice...I mean the latest firmware is from 20/01/2014..Also people gave good feedback on the router in comments...

Looking at home router speeds Cisco feels really dated...With my CCNA i can escape with an 1812 easily that also can be updated to IOS 15 to support the latest CCNA v5 commands...I found a Cisco 892 at around 300$ in my country but i am not sure if it's worth it...Both the Cisco 892 and 1812 can't sustain Firewall+NAT+100mbps pipe..The gbit port on the 892 is kinda useless because the switching side is only 10/100..And wirespeed without firewall i can do with the cheaper 1812 based on my own experience...The irony is the only router that has gbit port+gbit port switch side is 866VAE/867VAE that is low end and fanless and it may sustain wirespeeds (100mbps) without firewall like the other too at decent price...

Performance of the 860 series with services.... 10mbps .. So i imagine those gbit ports are only for facade...The document of the 866VAE is from 2011...


markysharkey
Premium
join:2012-12-20
united kingd

Very few people configure the ASA using the CLI. Most of us use the ASDM which is a perfectly good GUI. And if you have a CCNA then learning the ASA CLI isn't difficult, it's the sheer size and scope of the commands that is the issue.
And as you have realised, if you genuinely need >500Mb/s at the edge without taking out a second mortgage then it won't be a Cisco (and probably not a Juniper) device.
If you're looking for kit to add to a lab environment or to build a lab for CCNP etc you can't go far wrong with some 1841's and some 10/100 2960's. If you need regular ADSL then add an ADSL WIC card to the 1841's or get an 877 or 887.
--
Binary is as easy as 01 10 11


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to badsykes1

EdgeMAX KB Config Examples ... so you don't have too much (re)learning to do.

said by badsykes1:

Both the Cisco 892 and 1812 can't sustain Firewall+NAT+100mbps pipe..

...not to knock that, but got any proof of that? Me personally, I still point to that testing I did
way back when showing what CBAC / NAT can do. If you've got some testing that shows otherwise, I'm
quite interested to see.

@ kamikatze
Thanks for the video. I knew Huawei was a bit of a gongshow, but I didn't know it was THAT big of a gongshow
security-wise. Then again, they're the poster child for the old saying of "Cheap, fast, perfect. Pick Two."

Regards

badsykes1

join:2004-12-08

»anticisco.ru/pubs/ISR_G2_Perfomance.pdf

Table 4 Firewall says 54mbps for 890 but from an old link here looks it can...

»1921 vs 891 Throughput Testing

Also i use PPPOE here so may or may cut even more from transfer rate...
Except the 1812 that i had physically where i never actually activated firewall on it i never had a chance to play physically with the new 860 or 890 series...
Other than what you guys posted i have no proof...


badsykes1

join:2004-12-08
reply to markysharkey

Actually the SRX 210 can sustain gigabit speeds if you don't add too many services...

»www.juniper.net/us/en/local/pdf/···1-en.pdf

Even the SRX 100 is rated at 700mbps but the ports are only 10/100

Also i don't own an SSD so it may simplify the things a bit

My rig is
i5 750
8gb ram
Velociraptor 450Gb HlHX



RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1
reply to badsykes1

i use a 1921 with the security license as my edge/nat router and i like it quite a bit. I run ZBFW, NAT, BGP, OSPF, QoS, and PBR on it and it rarely peaks above 20% cpu. However, my ISP is only 50mbps so i cant speak to what it would be like on gigabit.

If i get some time i could plug my laptop into the ISP facing port and do a file transfer to see what i get if you want.

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams



RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1
reply to badsykes1

well i figured id do it because no i was curious....

so with no QOS enabled across the routers interfaces i got around 130mbps at 67% cpu usage on the router but i maxed out the CPU on my server (its a dual core intel atom and the FTP uses encryption).

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams


badsykes1

join:2004-12-08

Thx for the test ... Here i use PPPOE+NAT at minimum to connect my network to my ISP..
By getting 67% at 130mbps i am thinking an up to 200mbps to fill up the router CPU ?


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to RyanG1

said by RyanG1:

well i figured id do it because no i was curious....

...would you be able to do any more detailed testing RyanG1 ? Think it'd be interesting to have around
for reference here.

Regards


ua_hockey

join:2003-08-07
Columbus, OH

Thought I would chime in regarding the ASA 5510 mentioned previously. The max throughput on those is rated at 350 Mbps. On the Gen-1 ASA platform (non-x), you're looking at a 5550 minimum for 1 Gbps. If you want to stay Cisco, you could pick up a used PIX 525 or 535 for a song. They will run relatively recent code (up to 8.0(4)) and have decent performance numbers (330Mbps and 1.6Gbps respectively). I wouldn't even consider trying to run services (nat, inspection, etc) on an ISR at anywhere close to those speeds. I'd stay away from Huawei (and by extension 3Com and HP). Although no one has brought it up, the best bang for your buck might be an old PC, with a few nics running openbsd and pf. Clearly not for the enterprise, but if I didn't already have Cisco and Checkpoint at home, that is exactly what I'd be running. If configured properly, it would be the most flexible, best performance, and most secure option of anything mentioned on this thread.

Cisco throughput:
»www.cisco.com/c/en/us/products/s···l#~tab-a
OpenBSD PF:
»www.openbsd.org/faq/pf/


badsykes1

join:2004-12-08

Out of curiosity why Cisco is still in business when those cheap pc's with linux can do much much more and are cheaper..You can put an APU,some fiber NIC's, install linux, configure it and enjoy the Uber speed...?

I found this article...

»www.linux-mips.org/wiki/Cisco



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by badsykes1:

Out of curiosity why Cisco is still in business when those cheap pc's with linux can do much much more and are cheaper..

for the branch -- its about support and availability of trained resources. additionally -- i can make my cisco isr/g2 router into a complete branch in a box, complete with switchports, a ucs for virtualized servers, and a wireless lan controller for local a/p registration.
(a) you won't find that integration in a linux router and (b) you won't find people knowledgeable enough to support it if your "admin" leaves.

for the enterprise space -- multilayer switching, etc -- you can't get the multi-10gbe performance in a linux box that i can in my cat6800 or nexus box.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


RyanG1
Premium
join:2002-02-10
San Antonio, TX
kudos:1
reply to HELLFIRE

said by HELLFIRE:

...would you be able to do any more detailed testing RyanG1 ? Think it'd be interesting to have around
for reference here.

Regards

When i get back home from my trip, ill do some more extensive testing with just wirespeed and then basic nat but it probably wont be until monday night.

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams

markysharkey
Premium
join:2012-12-20
united kingd

Looking forward to seeing those numbers.
--
Binary is as easy as 01 10 11


markysharkey
Premium
join:2012-12-20
united kingd
reply to tubbynet

said by tubbynet:

for the branch -- its about support and availability of trained resources. additionally -- i can make my cisco isr/g2 router into a complete branch in a box, complete with switchports, a ucs for virtualized servers, and a wireless lan controller for local a/p registration.

I had to re-do my SMB quals to retain our company Select Partner status and this came up. Good job too 'cos I had previously underestimated just how versatile the ISR G2's were. Most branches won't be sitting on hyper fast internet connections so I can forgive the loss of wire performance when services are added because the platform offers so much more than just moving packets around.
--
Binary is as easy as 01 10 11


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by markysharkey:

Most branches won't be sitting on hyper fast internet connections so I can forgive the loss of wire performance when services are added because the platform offers so much more than just moving packets around.

well -- in the isr/g2 space -- you can go all the way up to a 3945e -- which will give you a few hundred meg depending on services. if you need to exceed that -- there is the isr4451-x -- which is a paravirtualised qfp (used in the asr1k). this will give you up to nearly 2gbps throughput (assuming correct licensing) with most services enabled.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."

markysharkey
Premium
join:2012-12-20
united kingd

Thanks for the number Tubbs. I'll be hitting up my re-seller for prices. I was aware of the 39xx series and its capabilities, but... I am in a reasonably unique / niche market where selling what are obviously good ideas (to us) can be a tall order. But it'll be good to re-visit the 29xx / 39xx range and properly dig through the options, especially the NM form factor servers and WLC modules.
--
Binary is as easy as 01 10 11