
Choosing the right Cisco router

James Bond

I found a white paper one time that showed a bunch of Cisco routers, and the maximum WAN connection that would run optimally.

It recommends a 3925 for 100mbps WAN, 2951 for 75mbps WAN, etc. Nice bar graph.

They assume that these WAN connections are running with a lot of load on the router from ACL, NAT, VPN, etc.

One thing they didn't mention was what type of WAN connection was being used. It seems like having a couple of DS3s terminate on a 3925 would have a much higher load than a single 100mbps ethernet hand-off.

Could anyone clear this up some for me?

I don't have a good "system" for determining what router is necessary, other than physical needs such as WIC slots.
 
What it comes down to is how fast the router can process packets. It isn't necessarily a single connection using that amount of bandwidth. The 100mbps, 75mbps, et al. indicate a sort of "speed limit" on how quickly the CPU can move packets around. We used to talk about PPS (packets per second) but that's gone out of favor.

It really does take experience and having installed a bunch of these things to figure out how much router to throw at a problem.

For example - 15 IPSEC vpns will take significantly more CPU and use more of your available mbps than say a big routing table and a bunch of NAT.

That makes sense. And yeah, I realize that each function has a different amount of load.

Was I right in assuming that an ethernet handoff is going to use way less CPU than a DS1 or DS3?

Not necessarily, and it depends what you're doing with that connection.

For example, your WIC-1DSU-T1 for unchannelized full T1 is pretty basic. Similarly, an unchannelized or ATM DS3 will be pretty simple. A channelized DS3, on the other hand, is much more resource intensive. Also, MLPPP is pretty resource intensive. (Reading about the "points" for Cisco 7200 PAs is kind of interesting).

There isn't really any hard and fast rule that says "for this application, you need this". In general, for branch Internet access routers, the current generation ISR 1x series is more than enough. If you need to add voice, IPSEC, or other services on to that, then you can go up. If you have some absurdly high speed link, such as a gigabit metro-e connection, then you might need something a bit faster.

That said, there is no hard and fast rule. A router can forward a specific number of packets per second. The size of those packets determines the throughput in megabits. Downloading one large file will give more real, usable throughput on a T1 line than holding 13 ULAW phone conversations over the same connection. The actual bandwidth on the line is the same under congestion, but the usable amount lost in headers versus the actual payload is much higher in the latter as the data payloads never reach the MTU.

I like this doc from Cisco: http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf . It gives a good idea about the relative performance of each router.
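A worked example of the packets-per-second point in the post above, added here as an illustration rather than taken from the thread or from any Cisco document: it converts a forwarding budget into megabits for full-MTU packets versus 20 ms G.711 voice packets, and shows how much larger each packet gets inside an IPsec ESP tunnel. The 50 kpps budget, the T1 rate, and the ESP overhead figures (AES-128-CBC with HMAC-SHA1-96 in tunnel mode) are assumptions made for the example, not vendor numbers.

```python
"""Added worked example (not from the original post): packets per second
vs. usable megabits, for the packet sizes the thread talks about.

The router's limit is a packet rate; the megabits that rate buys depend on
packet size, and IPsec adds headers to every packet. Every number below is
an illustrative assumption, not a Cisco datasheet figure.
"""

IP_HDR, UDP_HDR, RTP_HDR = 20, 8, 12

# Assumed ESP tunnel-mode overhead for AES-128-CBC with HMAC-SHA1-96:
# outer IPv4 20 + SPI 4 + sequence 4 + IV 16 + pad-length 1 + next-header 1
# + ICV 12 = 58 bytes, plus padding so (inner packet + 2) fills 16-byte blocks.
ESP_FIXED, ESP_BLOCK = 58, 16


def esp_tunnel_size(inner_ip_len: int) -> int:
    """Wire size of an IP packet after ESP tunnel-mode encapsulation."""
    pad = (-(inner_ip_len + 2)) % ESP_BLOCK
    return inner_ip_len + pad + ESP_FIXED


def mbps_at_pps(pps: float, packet_bytes: int) -> float:
    """Mbit/s forwarded when every packet is packet_bytes long."""
    return pps * packet_bytes * 8 / 1e6


def pps_at_mbps(mbps: float, packet_bytes: int) -> float:
    """Packet rate needed to fill mbps with packets of packet_bytes."""
    return mbps * 1e6 / 8 / packet_bytes


def g711_packet(ptime_ms: int = 20) -> tuple:
    """(IP packet bytes, packets/s, audio bytes) for one direction of a G.711 call.

    G.711 is 64 kbit/s = 8000 audio bytes/s; at 20 ms per packet that is
    160 audio bytes in a 200-byte IP packet, 50 packets per second.
    """
    audio = 8000 * ptime_ms // 1000
    return audio + RTP_HDR + UDP_HDR + IP_HDR, 1000 // ptime_ms, audio


def traffic_load(pps: float, packet_bytes: int, payload_bytes: int,
                 ipsec: bool = False) -> dict:
    """Line rate, goodput and header share for a stream of identical packets."""
    wire = esp_tunnel_size(packet_bytes) if ipsec else packet_bytes
    return {
        "pps": pps,
        "wire_bytes": wire,
        "line_mbps": mbps_at_pps(pps, wire),
        "goodput_mbps": mbps_at_pps(pps, payload_bytes),
        "overhead_fraction": 1 - payload_bytes / wire,
    }


def voice_load(n_calls: int, ipsec: bool = False) -> dict:
    """One direction of n_calls simultaneous G.711 calls."""
    pkt, pps, audio = g711_packet()
    return traffic_load(n_calls * pps, pkt, audio, ipsec)


def bulk_load(mbps: float, mtu: int = 1500, ipsec: bool = False) -> dict:
    """A file transfer filling mbps with full-MTU packets (1460 B TCP payload).

    With ipsec=True the 1500-byte inner packet would in practice exceed the
    outer MTU and fragment; that effect is ignored here.
    """
    payload = mtu - IP_HDR - 20          # 20-byte TCP header, no options
    return traffic_load(pps_at_mbps(mbps, mtu), mtu, payload, ipsec)


if __name__ == "__main__":
    T1 = 1.544                            # Mbit/s, assumed line rate
    print("13 G.711 calls on a T1:", voice_load(13))
    print("same T1 filled by one download:", bulk_load(T1))
    print("13 calls inside an ESP tunnel:", voice_load(13, ipsec=True))
    # Same hypothetical 50 kpps forwarding budget, two very different Mbit/s:
    print("50 kpps of 1500 B packets:", mbps_at_pps(50_000, 1500), "Mbit/s")
    print("50 kpps of 200 B voice packets:", mbps_at_pps(50_000, 200), "Mbit/s")
```

Run it directly to print the comparison. The point it makes: 13 calls are 650 packets per second in each direction, which occupy about 1.04 Mbit/s of the T1 while only 0.83 Mbit/s of that is audio, and the same 650 pps inside ESP grows to 264-byte packets, so the router spends its per-packet budget on headers it also has to encrypt and authenticate. A single download at full MTU at the same line rate is roughly 129 pps with under 3% header overhead.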

Thank you for being so detailed. That helps a lot.

Without knowing other necessities - what routers would you consider for a 100mbps Metro-E connection? + ACLs + NAT + some RA IPSEC VPN? Also, there are 20+ SIP phones on-site, but the router is not handling the voice (no PVDM), it's just passing it.

Edit: PS Thank you for that PDF
 
As I said, you're probably fine with a 1941. An 1841 would probably even get you where you need to be with an AIM-VPN card. Really depends on traffic patterns, though. Bulk internet, an 1841 would be fine. Day trading with 1500 stock brokers? Probably not.

Depending on how many remote access VPN sessions you're looking at, it might be best to offload that to a different appliance.

I'd say you'll be safe with a 1941, though.

1841 would be hating life. 1941 may be up to the task, but I'd still do a 2901-2911. Future expandability, and I hate the 1941 form factor.

I think the 1900 series is a little dubious for the scenario he is describing (100M + ACL + NAT + VPN). I'd recommend looking at the 2900 series instead. I would much rather spend slightly more money upfront than run into a headroom problem later.

There is another option you could explore. Since your handoff is ethernet, you don't need the WAN flexibility that a router provides. An ASA 5510 firewall appliance would provide better remote access VPN support than you can get out of an IOS router. Of course, if nobody on your staff knows how to run ASAs this probably isn't a good fit.
 
> 1841 would be hating life. 1941 may be up to the task, but I'd still do a 2901-2911. Future expandability, and I hate the 1941 form factor.

I second this - the 1941 form factor is crap. Give me a standard 1U rack mount device any day.

Bite the bullet and get an ASR. Got a few in a while ago, they are beasts in the mid-range router area.
 
You also have to consider what's happening on the front of the switch. Many make the mistake of thinking that because a switch has 24 100/1000 ports on it, it can handle full bandwidth on every port.

Cisco's site should have your answers; they are extremely well documented there.
 
> I second this - the 1941 form factor is crap. Give me a standard 1U rack mount device any day.

The series is designed for the small office, where many need something better than a Linksys/Netgear today.

Most do not have nor want full rack sized gear.

Heck, even the wireless repeaters are designed to be more "pretty" for the small business lineup.
 
> Bite the bullet and get an ASR. Got a few in a while ago, they are beasts in the mid-range router area.

That's a completely different class of router. A base 2911 lists for $2700, while a base ASR1001 (the absolute cheapest ASR model) lists for $17K. It's massive overkill for a 100M link.

True, it is. But I never like to skimp on routers, been burnt too many times. I would recommend taking what you need today, and making sure it will last 5-7 years. Which means get at least 4 times the router you need today.

In general traffic doubles every two years. So in 4 years you'll be moving 4 times what you're doing today. In 6, 8. If OP has a 100 meg link today, it WILL be 1 gig in 5 years especially if he's using metro services.

You're recommending a router that costs over 6x as much as the one that will meet the OP's needs today, just to add room for growth?

Are you on drugs?

Wow, just wow.

Sadly, most don't have the budget for a 5 figure device when they are looking at entry 4 figure ones.

What are you running at home, a 6509?
 
Maybe I'm missing it, but everyone is throwing out a rather wide range of products here. Do we know what this router's function is going to be?

OP, what's the intended use of this thing? You're throwing out a couple DS3s vs a 100M circuit...You mention VPNs. Are you doing IPSEC or GRE? NATting isn't anything to be too concerned about nor are ACLs unless you're talking hundreds to thousands of lines (depending on the eventual product).

Your system in determining a product should start with how you're going to use it. Profile the traffic...If IPSEC, how many tunnels? If general traffic, what kind of traffic? Are you connecting offices together or using it as an edge router for hosting some services?

Even the low end ASRs are probably overkill for your application, but until that's defined, I'd say the swags should be kept to a minimum.
 

The reason I mentioned DS3s and an ethernet hand-off was to get an idea of how much more load the DS3 would cause, if any.

100M ethernet hand-off. 20mbps average utilization.
20 IPSEC L2L Tunnels
50 IPSEC RA Tunnels
NAT for ~500 users
No crazy ACLs
Mostly web traffic and pervasive DB traffic.
 
With that many IPSEC tunnels, I would definitely recommend offloading that traffic on to an ASA. ISRs are notoriously bad at IPSEC, and I wouldn't trust them to distinguish that many tunnels without issue. If it were less than 10, I'd say go for it...but with that many, you'll definitely want something a little more purpose-built.
 
Let's not forget that terminating a few DS3s affords you BGP4, and the load and RAM it requires. But it's a good thing to have.

Is there much difference in terms of load between L2L and RA? Obviously L2L will have more traffic crossing it, but is it the tunnel itself, or the encryption of the data crossing that hurts the ISR so bad?
 