Which router should I get and how should it be set up?

By cnott
We currently host 20 servers (VMware clients) in-house with a Cisco 800 router. Servers are configured with 2 network cards, LAN and WAN IP address. Firewall is configured on both router and Windows OS.

We want to move the setup to a co-location datacentre. I am thinking of using a NAT so that there wouldn't be any need for WAN addresses on the servers. The number of servers is being reduced to 4. So I thought I could have one Cisco 870 set up with VPN, Firewall and DMZ. And maybe another Cisco 870 as a cold standby.

Was wondering if anybody thought this was OK or if there was a better solution, without paying an arm and a leg for a PIX.



All Answers

The 870 will do the job.....

by robo_dev In reply to Which router should I get ...

but your 'actual mileage may vary'....not sure how network intensive your application is.

Cisco 800 series offer about 512Kbps of throughput, which is not exactly light-speed, but it may be what you need. The 870 is OK as a VPN box for 20 users or so.

Obviously you get more router performance for more money (Cisco 1800), and you also get more failover options when you have more WAN interfaces.

And, of course, with the fancier Cisco routers you get things like dual power supplies, which can help you meet uptime requirements, at additional cost, of course.

cisco routers

by randy In reply to The 870 will do the job.. ...

We run about 25 servers behind a Cisco 3540 series router and we have never had an issue with it. We keep a spare on hand with an identical config loaded for emergencies.

3540 and no HA?

by infazorak In reply to cisco routers

Why the cold standby? Why not use HSRP? It'll save you a ton of time in a fail, it'll just swap right over.

3540 and no HA?

by randy In reply to 3540 and no HA?

We just haven't gotten around to that yet; procrastination on our part.

Step up to an ISR

by mjmurdza In reply to cisco routers

Look into an 1841. The 1841 supports crypto in hardware on the motherboard vs. software on the 800 series. Doing crypto in hardware will allow for much higher forwarding rates. Even with the Advanced Security feature set the 800 series only supports 10 VPN tunnels. This leads me to believe the VPN forwarding rates on this platform are relatively low. I wouldn't put a server behind an 800 with a VPN tunnel. The 800 is meant to be a small branch/SOHO router. Why put a bottleneck directly in front of your server(s)?


by cnott In reply to The 870 will do the job.. ...

Thanks for the reply, only need 2 or 3 VPN connections. But the workload through the router is likely to be 5Mbps. I didn't know the Cisco 870 throughput was so slow. I thought I was getting the full 2mbps on our SDSL link, at least that's what the NetFlow stats are telling me. Although I'm not sure how accurate the "Manageengine netflow analyser" is since it sometimes tells me that the utilisation is maxed at 150%.


870 will do it, but....there's better out there.....

by infazorak In reply to Which router should I get ...

The 870 will be OK, but if you want to use a pair of them, set them up with HSRP, VRRP, or GLBP. NAT/PAT will work on it, but, for a true security and HA solution, I'd suggest looking into the Cisco ASA 5505s (replaced the PIX 505). Considering how little you've got going they'd be a good solution. Built-in 8 port switch on each unit. Also, they're fairly cheap. If high-availability is your concern, get them loaded with a Security Plus license, and they'll do auto fail-over (just don't put your failover LAN over another network infrastructure - just use a crossover cable between the two... Cisco bug). They're damned secure, and should do the job nicely for you. And probably cost you a lot less than the 870.

Also, if you're looking to do VPN / DMZ, you can set up a few dozen VPN tunnels and DMZ on the firewall just fine. I've deployed these (5505s, 5510s, 5520s) at many customer sites, and they're rock solid.


by cnott In reply to 870 will do it, ...

That's very helpful. I can't believe they're cheaper than the 870 and 8 ports. So I can now plug in all 4 of my servers' LAN ports and the servers' management ports into it. Will try and get two of them and get testing in the office.

Thanks mate.
