Great Circle Associates Firewalls
(April 1994)
 


Subject: Re: Cisco 3101 as a firewall
From: Ray Hunter ECD <RHUNTER%ESOC . BITNET @ vm . gmd . de>
Date: Fri, 1 Apr 94 11:06:22 EST
To: Brent Chapman <brent @ GreatCircle . COM>
Cc: <Firewalls @ GreatCircle . COM>
Comments: Converted from PROFS to RFC822 format by PUMP V2.2X
In-reply-to: note of 94-04-01 03:12

Fair comment, Brent.

I think this discussion is a bit marginal to the list, but I beg your
indulgence. If you want even more Cisco opinions then have a look at the
newsnet group comp.dcom.sys.cisco.

I agree that the 4000 is almost certainly overkill in 95% of cases.
It depends how much budget you have!

If you are looking for a 2e 'choke router' aka packet filter, that is not
running much multiprotocol routing then a 3101 is fine.

However, the applications mentioned were:
(1) ethernet to ethernet
(2) involved large use of graphics (WWW etc)
(I assumed by the positioning that it involved large volumes)

Also the world (and especially Cisco) drop hardware as soon as it is out of
fashion. I have heard (a rumour) from a Cisco VAR that the 3000 has a limited
future. OK perhaps he was trying to sell us a more expensive box!

Since the design is now virtually the oldest in the range I tend to agree.
(if you agree the AGS+ on a CSC4 is very different from an AGS on CSC3;
and a 3000 is basically a reboxed IGS)

The 3000 is fixed hardware config, and stands little chance of re-use
if the topology changes.

The 4000 (with the addition of an NP-E module and the new ip packet filtering
on inbound packets) could conceivably be used as a screened subnet gateway
on its own for a small incremental cost.

One thing that is rarely mentioned in testing is that when a Cisco rebuilds
routing tables it can stop forwarding. This can give a noticeable 'pause'
of 0.5-1 second where NO packets are forwarded (yes I have seen this on the
4000 too). Here the larger processor comes into its own when running
multi-protocol routing.


To conclude:

If you are looking at a *cheap* packet filter with only 2e interfaces for
IP only with no fancy routing beyond IGRP/static then look at the 3101
with the basic software option. European list price= $4994
(plus $563 for bridging if you need it)

If you think your net is going to change or you have really *high* X/
graphics based applications or you are running a complex routing set up
then look at the 4000 with 1 NP2-e interface: European list=$9500
(plus $1001 for bridging)

It's only double the price.

I *know* our net is going to change (otherwise I'd be out of a job ;-)

______________________RHUNTER @ ESOC . BITNET________________________
Ray Hunter: Cray Systems on contract to the European Space Agency
Tel. +49 6151 902953                          FAX.+49 6151 902908
Room B107, ESOC, Robert Bosch Strasse 5, 64293 DARMSTADT, Germany

