Depends what other services you plan to run on them. Adding NAT and some sort of firewall (CBAC or zone based) can have a dramatic effect on throughput. Check out table 8 in that document for throughput in a real world scenario. If you are looking for an edge device to run at 500Mb/s or 1Gig, I doubt the lower end of ISR range will be able to cope.
Well...I think the SRX210 hits the nail on all things except the fact that it is not a Cisco...I can live without a hardware firewall because I already own a firewall on every PC. Adding a card to the 1900 series is something new that I have never done before...Also the SRX supports one add-in card too...
and buy a 4 port gigabit WIC card for future proof?
Futureproof against... what, exactly?
Also, if you're thinking the particular WIC card I think you're thinking about, remember that each interface is SWITCHED, not ROUTED -- i.e. you can put em in a VLAN, you can put an IP address to a VLAN interface, but you cannot apply an IP address to each physical interface.
Think it's been said enough here before is what speeds do you want, and with what services turned on? I seem to recall an 891 performance test here before... and there was some 19xx test as well -- EDIT : never mind, found some of the older threads :
Secondly, the only things I know of that are rated for that speed are the PIX 535(E), ASA 5550, ISR4451X and ASR1K, the last two FOR SURE will do that WITH SERVICES with a smile on their face, and come back for seconds.
I concur with Hellfire and if enterprise grade is what you need then those are your options. However, if you can get away with "pro-sumer" gear, I have deployed an RV180 hanging off a 1Gb link. With services (NAT and firewall) I regularly see 850Mb/s. To be perfectly frank, I don't really like it, and it has a serious VPN flaw (PPTP and IPSec VPN only work with 32 bit clients!) but it moves packets around quickly enough and for the price, it's pretty much disposable! And it's been up for 150 days without incident so it's not all bad.
It is a local site but the explanation is in English... The price is in Euro w/o VAT and RON w/ VAT included. So add 24% to the Euro price and you get the picture...
"The 4- and 8-port Gigabit Ethernet EHWICs provide line-rate Layer 2 switching across onboard Gigabit Ethernet ports. "
I need only switching on these ports and I want to use the router GE ports for WAN links...Theoretically a good all-in-one router resembling home routers is the 1941w with that card..Wireless, gigabit and security in one box...The combination costs more than 1000$...
Regarding those tiers (500 and 1gbps) I don't wanna spend the price of a second hand car on a router (ISR4451X and so on). After all I can disable the firewall and get decent gigabit or wirespeeds...
Seems the SRX210 is faster and can activate the firewall and still do 100mbps speeds...At least this is what I can get reading the datasheet...
Why do Cisco routers feel slow? Or Cisco doesn't want to make them too speedy, so as to keep everyone in check...I read the Huawei AR1220 datasheet and it feels faster and has more interfaces than the 891 and 1921/1941 series...
Your ISP is residential RDS Romania. There is zero doubt at this point :) What you forgot to mention is that this very good service has the downside of being wrapped in PPPoE. So, CPU overhead. Lots of it. This is never done in silicon on the low end stuff, including the 4451-X, maybe in the ASR1k, but certainly not ISRs (the G2 is pretty much a software only platform, whatever you turn on eats processor cycles). I can't comment on how Juniper's low end SRX handles PPP but I feel it through watching lots of astrophysics talks lately that it's done in software too.
If this is of any help I can tell you the 2921 handles 100Mbps with NAT and very light reflexive ACLs (no PPP) with about 50% CPU load. Throw in PPP and you've just maxed it out.
ISR2921#sh proc cpu sort | e _0.00 (i'm really sorry cramer)
CPU utilization for five seconds: 53%/48%; one minute: 32%; five minutes: 20%
 PID Runtime(ms)     Invoked  uSecs   5Sec   1Min   5Min TTY Process
 130    79359448   327518925    242  3.11%  2.76%  3.18%   0 IP Input
 319        1184         417   2839  1.03%  0.62%  0.19% 388 Virtual Exec
   6     6460236     1153091   5602  0.55%  0.10%  0.06%   0 Check heaps
 101       79004   959076102      0  0.15%  0.17%  0.16%   0 Ethernet Msec Ti
 325       39348     8091934      4  0.15%  0.14%  0.14%   0 IP RACL Ager
 126       26688   236279082      0  0.07%  0.04%  0.02%   0 IPAM Manager
  85       85680    30291634      2  0.07%  0.13%  0.15%   0 Netclock Backgro
 154       49176     8146373      6  0.07%  0.02%  0.01%   0 CEF: IPv4 proces
  67       30372     7579009      4  0.07%  0.05%  0.06%   0 Per-Second Jobs
That clip was plenty of fun...Well, thanks for opening my eyes....To require knowing Chinese or need a Chinese guy to actually debug my router is kinda....Meh.. No access to firmware....It is OK from their point of view but I prefer the DIY way and security is an unknown...Unknown is exciting ... Seems the guy that talked first and played with the router got excited too ... Definitely he had a good laugh during the interaction with the router.. ... Defcon stuff is surely fun to see and pretty much eye-opening...They put on the table all things, vulnerabilities, support quality, and you can choose if you prefer what you see or not... Yes, I am on RDS residential Romania... :P I worked in RDS for 2 and a half years and I can tell you that very good service moved to PPPoE for the Business zone too...They migrated everyone from static IP to PPPoE, allocating the same static IP ... Juniper SRX is competition for the ISR series so no wonder if they do it in software anyway, but at least I am not buying an external gigabit card to actually build the switch portion...I haven't studied PPPoE overhead but it seems the implementation is kinda complicated...
I looked at the 2921 and it is not my preference...The price, the bulk etc...Some people here recommended me the Netscreen series if I want a sustained 100mbps pipe with firewall too...And it is cheap stuff on eBay...
Ubiquiti Edgemax may be worth a look too. I had a chat with them about their new £99 1Gig WAN router and they seemed confident it would be comparable to the throughput I see on the RV180. I'm hoping to get one to test in the not too distant. www.ubnt.com/edgemax -- Binary is as easy as 01 10 11
I'd also agree that in light of today's speeds, even the ISR G2 seems dated when Gig speeds are creeping up on even the residential space ... it just goes back to a) the reality of Moore's Law, G2s came out 2009 and here we are at the start of 2014, b) it depends what you want in the end vs what you can afford.
Ouch ... Cisco requires learning their language, ERL requires learning Linux language...Both require time to learn their language...Fortunately the article is old so things have changed since the review was done. The latest firmware is 1.4.0 vs 1.0.2 in the article and the CPU is 500mhz and there is some documentation too on the site...Also it seems the support is looking nice...I mean the latest firmware is from 20/01/2014..Also people gave good feedback on the router in comments...
Looking at home router speeds, Cisco feels really dated...With my CCNA I can escape with an 1812 easily that also can be updated to IOS 15 to support the latest CCNA v5 commands...I found a Cisco 892 at around 300$ in my country but I am not sure if it's worth it...Both the Cisco 892 and 1812 can't sustain Firewall+NAT+100mbps pipe..The gbit port on the 892 is kinda useless because the switching side is only 10/100..And wirespeed without firewall I can do with the cheaper 1812 based on my own experience...The irony is the only router that has gbit port+gbit port switch side is the 866VAE/867VAE that is low end and fanless and it may sustain wirespeeds (100mbps) without firewall like the other two at decent price...
Performance of the 860 series with services.... 10mbps .. So I imagine those gbit ports are only for facade...The document of the 866VAE is from 2011...
Very few people configure the ASA using the CLI. Most of us use the ASDM which is a perfectly good GUI. And if you have a CCNA then learning the ASA CLI isn't difficult, it's the sheer size and scope of the commands that is the issue. And as you have realised, if you genuinely need >500Mb/s at the edge without taking out a second mortgage then it won't be a Cisco (and probably not a Juniper) device. If you're looking for kit to add to a lab environment or to build a lab for CCNP etc you can't go far wrong with some 1841's and some 10/100 2960's. If you need regular ADSL then add an ADSL WIC card to the 1841's or get an 877 or 887. -- Binary is as easy as 01 10 11
Both the Cisco 892 and 1812 can't sustain Firewall+NAT+100mbps pipe..
...not to knock that, but got any proof of that? Me personally, I still point to that testing I did way back when showing what CBAC / NAT can do. If you've got some testing that shows otherwise, I'm quite interested to see.
@ kamikatze Thanks for the video. I knew Huawei was a bit of a gongshow, but I didn't know it was THAT big of a gongshow security-wise. Then again, they're the poster child for the old saying of "Cheap, fast, perfect. Pick Two."
Also I use PPPoE here so it may or may not cut even more from the transfer rate... Except the 1812 that I had physically, where I never actually activated the firewall on it, I never had a chance to play physically with the new 860 or 890 series... Other than what you guys posted I have no proof...
I use a 1921 with the security license as my edge/NAT router and I like it quite a bit. I run ZBFW, NAT, BGP, OSPF, QoS, and PBR on it and it rarely peaks above 20% CPU. However, my ISP is only 50mbps so I can't speak to what it would be like on gigabit.
If I get some time I could plug my laptop into the ISP facing port and do a file transfer to see what I get if you want.
Ryan -- Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams
Thought I would chime in regarding the ASA 5510 mentioned previously. The max throughput on those is rated at 350 Mbps. On the Gen-1 ASA platform (non-x), you're looking at a 5550 minimum for 1 Gbps. If you want to stay Cisco, you could pick up a used PIX 525 or 535 for a song. They will run relatively recent code (up to 8.0(4)) and have decent performance numbers (330Mbps and 1.6Gbps respectively). I wouldn't even consider trying to run services (NAT, inspection, etc) on an ISR at anywhere close to those speeds. I'd stay away from Huawei (and by extension 3Com and HP). Although no one has brought it up, the best bang for your buck might be an old PC with a few NICs running OpenBSD and pf. Clearly not for the enterprise, but if I didn't already have Cisco and Checkpoint at home, that is exactly what I'd be running. If configured properly, it would be the most flexible, best performance, and most secure option of anything mentioned on this thread.
Out of curiosity, why is Cisco still in business when those cheap PCs with Linux can do much much more and are cheaper..You can put in an APU, some fiber NICs, install Linux, configure it and enjoy the Uber speed...?
Out of curiosity, why is Cisco still in business when those cheap PCs with Linux can do much much more and are cheaper..
for the branch -- its about support and availability of trained resources. additionally -- i can make my cisco isr/g2 router into a complete branch in a box, complete with switchports, a ucs for virtualized servers, and a wireless lan controller for local a/p registration. (a) you won't find that integration in a linux router and (b) you won't find people knowledgeable enough to support it if your "admin" leaves.
for the enterprise space -- multilayer switching, etc -- you can't get the multi-10gbe performance in a linux box that i can in my cat6800 or nexus box.
q. -- "...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."
for the branch -- its about support and availability of trained resources. additionally -- i can make my cisco isr/g2 router into a complete branch in a box, complete with switchports, a ucs for virtualized servers, and a wireless lan controller for local a/p registration.
I had to re-do my SMB quals to retain our company Select Partner status and this came up. Good job too 'cos I had previously underestimated just how versatile the ISR G2's were. Most branches won't be sitting on hyper fast internet connections so I can forgive the loss of wire performance when services are added because the platform offers so much more than just moving packets around. -- Binary is as easy as 01 10 11
Most branches won't be sitting on hyper fast internet connections so I can forgive the loss of wire performance when services are added because the platform offers so much more than just moving packets around.
well -- in the isr/g2 space -- you can go all the way up to a 3945e -- which will give you a few hundred meg depending on services. if you need to exceed that -- there is the isr4451-x -- which is a paravirtualised qfp (used in the asr1k). this will give you up to nearly 2gbps throughput (assuming correct licensing) with most services enabled.
q. -- "...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."
Thanks for the number Tubbs. I'll be hitting up my re-seller for prices. I was aware of the 39xx series and its capabilities, but... I am in a reasonably unique / niche market where selling what are obviously good ideas (to us) can be a tall order. But it'll be good to re-visit the 29xx / 39xx range and properly dig through the options, especially the NM form factor servers and WLC modules. -- Binary is as easy as 01 10 11