markysharkey (Premium Member, joined 2012-12-20, United Kingdom) to cooldude9919:
Re: [H/W] Hardware recommendation required

Looking at the 60D as the customer has one of these deployed already. Makes sense to me to try and maintain consistency as much as possible.
I have looked at the 4000 series and whilst they cost more there is much more "honesty" (for want of a better word) in the throughput numbers. I will be using them...
cooldude9919 (Member, joined 2000-05-29):
said by markysharkey:

Looking at the 60D as the customer has one of these deployed already. Makes sense to me to try and maintain consistency as much as possible.
I have looked at the 4000 series and whilst they cost more there is much more "honesty" (for want of a better word) in the throughput numbers. I will be using them...

I'd take a look at the thread I started a while back about the 4000 series; there is some good information in there.

»New ISR 4000 Series

I agree the numbers are more realistic, but they aren't a guarantee either, and they are definitely a maximum. Keep in mind that throughput limit is all traffic through the router, even internal VLAN traffic, so say on the one that tops out at 300mbit, you will never get more than 300mbit through it no matter what you do.

Along with that they disable cores in the router until you purchase the license to the highest throughput, so if you are very service heavy you may not see the limit of your license before or after the upgrade purchase, but you will see an improvement as it would unlock the cores.

You do realize for the 4000 series you would have to get at least the 4431 with the upgraded license to have a chance at 1gbps service and that would be the maximum for the device. You would be better off with the 4451 which would give you headroom to 2gbps but the sec model lists at $21000 and that's without smartnet.
markysharkey (Premium Member, joined 2012-12-20, United Kingdom):
said by cooldude9919:

I agree the numbers are more realistic, but they aren't a guarantee either, and they are definitely a maximum. Keep in mind that throughput limit is all traffic through the router, even internal VLAN traffic, so say on the one that tops out at 300mbit, you will never get more than 300mbit through it no matter what you do

I never use my routers for inter-vlan routing. On an ISR it's pointless loading up the processor when a Layer 3 switch can do it better and faster. The only traffic that hits my routers does so because it has to go off-net.
said by cooldude9919:

You do realize for the 4000 series you would have to get at least the 4431 with the upgraded license to have a chance at 1gbps service and that would be the maximum for the device. You would be better off with the 4451 which would give you headroom to 2gbps but the sec model lists at $21000 and that's without smartnet.

Is that retail or from a VAR? A 10 second look at Google has a 4451 Bundle for a shade under 15,000 USD (9K Sterling here in the UK) retail. As a Cisco Select Partner I'm looking at a significant discount on that price, well over 50% and almost certainly in the order of 70%. I'll make margin and still be able to offer the customer a discount on Cisco retail prices. Win/Win!
markysharkey (Premium Member) to HELLFIRE:
Had a look at the Gartner report. Makes for interesting reading and means Palo Alto are now being considered alongside Fortinet.
Currently Fortinet are ahead by a nose as they have a nice on-line demonstrator that allows a really good (it seems to me) look around and interact with the device. Prices are keen too.
HELLFIRE (MVM, joined 2009-11-25) to markysharkey:
Picked up this book awhile back, very good intro into the FortiOS... too bad I didn't have an actual device to test it out on.

Not to knock on the ISR4K series -- and one question not really answered here -- is what either markysharkey or his client(s) want / expect when they say "UTM"? Unfortinately, it's one of those weasel-words that has a bad habit of being touted around and mis/ab/used.

For me, the key features of UTM should include :
- anti-virus
- anti-spam
- web content filtering
- email filtering / scanning
- IDS / IPS

...don't know if anyone else has any other feature(s) that should be under this list.

From what I recall
- ISR G1s had IOS IPS, but had no anti-virus/spam, content filtering and the like. I also seem to recall a NAM module as well.
- ISR G2s don't seem to have a comparable module / feature. Don't know if you could build something like that off an ISM module.
- don't know if the ISR G2 4K has IDS / IPS... the front page of the 4K claims IPS, but couldn't find much more details when drilling down.

I've a few former colleagues who're working on Palo Alto -- my takeaway so far is they're nice pieces of kit but in terms of code stability they're rather out on the bleeding edge.

Regards
cooldude9919 (Member, joined 2000-05-29) to markysharkey:
said by markysharkey:

said by cooldude9919:

I agree the numbers are more realistic, but they aren't a guarantee either, and they are definitely a maximum. Keep in mind that throughput limit is all traffic through the router, even internal VLAN traffic, so say on the one that tops out at 300mbit, you will never get more than 300mbit through it no matter what you do

I never use my routers for inter-vlan routing. On an ISR it's pointless loading up the processor when a Layer 3 switch can do it better and faster. The only traffic that hits my routers does so because it has to go off-net.
said by cooldude9919:

You do realize for the 4000 series you would have to get at least the 4431 with the upgraded license to have a chance at 1gbps service and that would be the maximum for the device. You would be better off with the 4451 which would give you headroom to 2gbps but the sec model lists at $21000 and that's without smartnet.

Is that retail or from a VAR? A 10 second look at Google has a 4451 Bundle for a shade under 15,000 USD (9K Sterling here in the UK) retail. As a Cisco Select Partner I'm looking at a significant discount on that price, well over 50% and almost certainly in the order of 70%. I'll make margin and still be able to offer the customer a discount on Cisco retail prices. Win/Win!

For the price, there is a pretty good difference between the regular and the SEC. We get around 60% off list with Cisco hardware, so for example for the 4431-SEC with 3 years of CON-SU1, which includes IPS updates, it's around ~$11,600 after discount.

As hellfire said I don't think the ISR 4k does more than IPS without an extra cost or at all, as some of the UTM stuff is more in the ASA range I believe.

We are now also looking at Sophos as it looks to be even cheaper than fortinet so we will see how those conversations go.

Keep in mind our use case is different, we will be looking at buying over 100 of these next year, so at some of these prices differences we will be looking at savings of between $600,000 and $1,000,000 (depending on what model we go with) by going with something cheaper than cisco which is hard to ignore.

As for Palo Alto it is CRAZY expensive. With regular discounts the palo alto 3020 with only threat prevention updates and support would be $10,500 for the device and $11,000 for 3 years of support for a total of $21,500, and the 3020 is the lowest end box in that series.

For a comparison Fortinet and Sophos look to be in the $3000-$6000 range depending on the model.
markysharkey (Premium Member, joined 2012-12-20, United Kingdom):
Thanks HF and Cooldude. I have not yet had a quote for Palo Alto but if that's the cost then they're off and it'll be Fortinet.
Hellfire, your assumptions are correct. I want anti-virus, IPS and web content filtering but not much more. The key requirement is it must put 1Gb through to the premises as we have a 1Gb internet connection (minus overhead) to the LAN and the first thing they will do is speed test it (iPerf, Speedtest dot net and testmy dot net). If it fails significantly on any of these I'll be in the dog house.
HELLFIRE (MVM, joined 2009-11-25) to markysharkey:
said by markysharkey:

I want anti-virus, IPS and web content filtering but not much more.

...then I'd say take an ABC (Anything But Cisco) position -- I don't even think Cisco's got anything in the ASA, IPS or Meraki lineup that'll do that all in one box -- and look at the other vendors mentioned.
said by markysharkey:

The key requirement is it must put 1Gb through to the premises as we have a 1Gb internet connection

Symmetrical fiber, I presume?

Keep us posted, for sure!

Regards
aryoba (MVM, joined 2002-08-22):
said by HELLFIRE:

said by markysharkey:

I want anti-virus, IPS and web content filtering but not much more.

...then I'd say take a ABC (Anything But Cisco) position -- I don't even think Cisco's got anything in the ASA, IPS or Meraki lineup that'll do that all in one box

I think the ASA does all that in one box
markysharkey (Premium Member, joined 2012-12-20, United Kingdom):
Yup, there are ASAs that will do it in one box and with the new SourceFire (or whatever it is) engine I expect it's pretty good. But my one and only experience with an ASA has put me off, and if you compare the Forti/SonicWall/Checkpoint/etc. gear service for service against an ASA, cost leaps up the list of priorities!
I have today been in touch with a Fortinet disti, asked my questions, spoke to a techie and had a dig around Youtube and a very handy on-line demo of a Fortigate 140D. I liked what I saw so as of tomorrow I will be a Fortigate re-seller. Time to get a demo box and hit the GUI and CLI and wreak some havoc. Woohoo...

As always I would like to thank you guys for your thoughts and opinions.
HELLFIRE (MVM, joined 2009-11-25) to markysharkey:
IIRC, the 5510, 5520, and 5540 had an IPS module OR a Content module, and the big weakness of the ASA line was you could have one or the other, but not both simultaneously.

I'm not up on how the X series ASAs work -- from what I can tell, IPS is "in the cloud" via sourcefire, but taking a quick scan of the datasheet here Cisco only mentions Application Visibility and Control and Web Security Essentials, but nothing explicitly about the anti-virus component.

Let us know how it goes markysharkey and if you do pick up the Fortinet, GET THAT BOOK I mentioned!

Regards
cooldude9919 (Member, joined 2000-05-29) to markysharkey:
Yea let us know how things go with Fortinet and any real world performance numbers once you get one installed.
markysharkey (Premium Member, joined 2012-12-20, United Kingdom) to HELLFIRE:
Yup, I will keep you guys updated. Shouldn't be long, I have to get the gear in and get myself familiar enough with it to deploy and test on site before the end of Feb!
The disti so far has been very efficient and has responded positively to all my dumbass questions so I'm feeling the love right now. Let's see if it lasts...