Mailing List Archive


Re: Cisco 2611 as a firewall?



Jean-Christian Imbeault (jean_christian@example.com) wrote:

> boxes crash on me, so I'd say they're pretty stable. And even if they did 
> crash, flip the switch and it's usually back up again unless it's a hard 
> disk crash or something similar.

That's exactly it - disk failures can and do happen, and when they
do your router is down for a good long time.  Not many people
are going to consider hours of router downtime an acceptable risk,
even if they don't have mission-critical servers behind that
router.

Cisco puts in a lot of modularity, redundancy and hot-swappable
parts to avoid downtime and minimize it when it happens (as
do other router vendors, of course).  Now, something like
Linux Router Project running in a machine with no disks and multiple
fans and with redundant power supplies could make you a very
effective router with excellent uptime, and with a fast CPU 
could switch some pretty fat pipes at wire speed.  But the config
is probably a lot more work than on a Cisco.  As Scott notes, the
Cisco CLI is great - a thing of beauty, even - and it does its one
thing really, really well.

For really high-end applications, it's also worth considering that
the router industry as a whole is moving to ASICs, and this will
in the long run even trickle down into a lot of lower-end routers.
Besides all of the redundancy and hot-swap features built into
large core routers, the use of ASICs for routing gives performance
that the one-big-CPU model can't keep up with.

Scott's comments on Cisco support are dead-on.  I get better support
from Cisco on stuff that they *hope* I'll buy than I do from a certain
other vendor on stuff that we use all over the country.  When it came
time to buy more of that stuff, it was a slam-dunk to go with Cisco
rather than the current vendor. 


> Point well taken. But in our case we have never had to call Cisco. Never had 

The other part of their support that's so good is the documentation.  
Whatever you need to know is available on their web site, and
it's both highly detailed and pretty accurate.  If there's anything
at all wrong with Cisco documentation, it's simply that there's so 
much of it that it can sometimes take a while to find what you want.
And they don't just have manuals, either.  They have useful case studies,
as well.  

> a reason to. But also I've heard that configuring Cisco routers is a pretty 
> tough thing that should only be done under a physician's supervision, 
> unless you happened to be Cisco certified :)

Scott and I both are, and that does help, but it doesn't necessarily have
to be a pre-requisite.  Experience works just fine, too.  So does
time spent with a manual and a good book or two on routing.

Routing and network architecture are complex subjects; it's not
specifically learning Cisco that's so tough, but it's part
of a whole, big field.  Granted, your setup is going to
be a lot smaller and therefore easier.

> I sure don't want to get shot but the cost savings seem to be justifiable 
> ... or I'm missing something basic.

In the case of your network with 35 routers, you also need to consider
the cost of replacing them all with Linux boxes.  After that, 
you may then find that while downtime is low, it will be higher than
before.  Power supplies in PCs seem to fail a lot more often than 
ones in even old routers. The world is filled with aging Cisco 2501s
whose power supplies are still going strong.  And you'll have at least
one disk in each PC.  Enter an additional point of failure.  

The ongoing cost of ownership is likely to be higher, too, since
a PC sucks a lot more power than a 25xx or 26xx router.  Also, 
a full upgrade of the OS on a Linux router may require a trip onsite,
and downtime while it's being done.  On the Cisco, you just 
tftp the new IOS image to flash, make it the boot image, and reload
the router.  We have routers in our network that no one has seen for
over two years, but they've had several IOS upgrades during that time.
They just sit in remote sites doing their thing, never needing visits.
We've only had one router fail in service in 3 years, and that was a 
brand new unit that turned belly-up not long after I installed it.  I was
still in the area, so I had a replacement flown down to me the next
day and swapped it out.  It would be difficult to match these points
with a PC-based router.

All of the above is not to say that Linux-based routers are bad or
don't have their place.  To be sure, there are networks where the
tradeoffs will be considered acceptable and the potential cost savings
on purchase are considered worth it (Cisco is good, but ain't cheap).
Of course, it's also possible to save some money with decent used
Cisco gear.  http://www.usedrouters.com/ is one dealer; a Google search
should turn up some others.

For running an ISP, though, I think I'd go with Cisco.

Jonathan

