Cisco ISR (Integrated Services Router) 2811
By Steve Broadhead | Techworld | Published: 12:55, 08 June 2010
When youve been around the IT reviewers block a few times, there are certain words that, if were being honest here, you dont associate with Cisco.
For example, interesting, innovative or value for money spring to mind from recent years. Then, suddenly heres a product that meets all of those criteria. From Cisco. The 2800 series of ISRs or Integrated Services Routers is in the middle of a triple-layer range of totally revised branch office routers. The 2811 were looking at here ships with built-in virtual private network (VPN) hardware encryption and acceleration, firewall, IDS/IPS, NAT, QoS support and IP telephony functionality. This comes courtesy of Ciscos CallManager Express and Cisco Unity IP telephony suites and consists of an IP telephony, voice mail and auto attendant solution, which can effectively replace a PBX in the small/medium/branch office. Management wise, in addition to the classic Cisco CLI, Ciscos Router and Security Device Manager (SDM) GUI (in release 2.0 format) is also packaged.
Significant architectural changes amounting to more than just popping a faster processor and more memory in place and including the addition of ASICs to create a switch fabric type architecture, have resulted in this new range having several times more performance capacity than Ciscos previous generation products. So much so that the company is claiming full wire-speed performance across the box.
In this case, wire speed is directly related to the particular network interface in question namely, this is not a device that does everything all 100Mbit/s (or 200Mbit/s full-duplex) just because some of the interfaces are Fast Ethernet. For example, wire speed over an E1 connection is 2Mbit/s. Now, heres a clue to the nature of the ISR. It is a totally modular product. What you get is a base chassis and a whole host of features, in addition to which you have an enormously wide range of module options, depending on what exactly you want to use the product for, and across what type of connections.
The 2811 cones with four module slots ours were filled with a couple of E1/G703 WAN cards, a four-port voice connection for directly connecting analogue phones or other telephony equipment to and a four-port Ethernet (10/100) switch, PoE enabled. Other module options are far too numerous to mention but, for example, on the WAN interface side alone this could include various flavours of ISDN and DSL. Two Fast Ethernet ports are included as standard one for the internal network, one for the external. Higher up the 2800 range, these are 10/100/1000 copper ports. A console port, management Ethernet port and two USB ports (not currently used, but are there to support storage options and security tokens) complete the base configuration.
On the voice side, significant advances in voice trunk and station densities and digital signal processing (DSP) have enabled Cisco to embed the voice technology within the router, without it taking up any module slots. The DSPs handle all secure voice, voice gateway, conferencing, and transcoding capabilities, combined with call processing integrated within Cisco IOS software, along with optional voice mail and automated attendant in advanced integration modules (AIMs) yet more Cisco-ese. This sounds promising for the ability to run the router pretty well flat-out while maintaining all the voice services, something we obviously put to the test (see later).
The array of security features form part of what Cisco calls its Self-Defending Network security strategy. By this it means that you can configure the 2811 to be the first line of defence or the only line of defence against an attack on your network and let it just get on with the job. Given that this device is intended for branch offices, it is not surprising to see that courtesy of the SDM GUI it comes with a number of wizards for setting up features such as VPNs (numerous options here), Firewall and IPS. In all cases there are default setups you can opt for, or custom alternatives. As part of the configuration it is also possible to define QoS parameters for real time and business critical traffic, in terms of what percentage of bandwidth is reserved for each, what the priority level is, and what protocols are supported by each traffic type.
Whereas, in truth, Ciscos GUI management alternative is usually a minimalist attempt whose primary function is to ensure that you use the CLI, with SDM 2.0 it is both an attractive and truly functional interface. The only problem is that it is slow. So, come on Cisco, youve speeded the rest of the ISR up, now do the GUI too.
For the test, we created a simulated Internet connection, using Spirent WebAvalanche and WebReflector test devices to create web traffic and servers. We configured the 2811 with one internal and one external network, plus a voice network, on separate VLANs. In order to test the IP telephony functionality we attached some Cisco 7960 IP Phones. These are configured separately to the ISRs data functions, either via CLI or a browser-based manager. With compression enabled, each voice channel took around 20Kbit/s of bandwidth. We ran a whole series of functionality tests covering everything from messaging to hunt group calls without problems.
We then created a series of tests, generating simulated Internet users. In line with Ciscos tentative recommendation of up to 500 users for the 2811, the test increased users in steps up to this limit. We repeated the test several times, on each occasion enabling another feature, then another, then another such as Firewall, then VPN, then IPS and compared performance, across tests, plus the 2811s CPU and memory utilisation each time. We found a gradual degradation in performance as each feature was enabled, but only saw lots of failed connections towards the end of each test run, when the number of virtual users was more than 400. What we did see was that the 2811 CPU utilisation quickly went up to 100 percent with multiple features enabled, though memory usage was relatively low.
Despite this, we tested the IP telephony features during each test, and even at 100 percent utilisation, had no problems at all, which shows that the architecture works. We also set QoS for real time traffic to 70 percent reserved bandwidth, including support for RTSP (streaming video) traffic and set up a streaming video test as part of the simulated traffic. We achieved 66 percent (looking for 70 percent) which is pretty good.
In all, the 2811 was up and running non-stop in our labs for over two weeks and survived quite a hammering without any enforced reboots. With the ISR, Cisco describes routing as being just another service and, for once, this isnt mere marketing talk but does sum up the product routing is indeed just one of many services it offers.