Network overhaul on the "cheap".

Posted by crept (n00b; joined Oct 8, 2009; 14 messages)
Hello,

I would really appreciate the insight of fellow network engineers for a network overhaul on the "cheap".

We are currently using 192 ports (10/100/1000 mix) on non-managed/non-stacking switches and PoE injectors on some of the ports (this is hell). The core router is a joke. Someone decided it was a good idea to install an ISA570w for a company with 100 users on site, 3 remote locations with 10 users each, 50 VPN users and 80+ VoIP phones. This thing slows to a crawl with security services enabled and will randomly reboot. Plus side, we recently got a 100 Mbps fiber connection.

I won't be able to convince the big wigs to invest 40k+ on new equipment because of the "small business" mentality.

My only choice at this point is to go refurbished. Budget seems to only be 6k at this point.... (crossing my fingers for more)

Option 1:

3750g-48-ps
These are very popular, stable, stacking switches, PoE, oversubscription shouldn't be an issue, 32 Gbps fabric. Can get these for under $1300, non-PoE are about $800.

ISR 3925E
Solid router, jack of all trades. Expensive at $4000. Miercom reports state it'll maintain 250 Mbps throughput with security services enabled; IPsec performance is 100 Mbps using 64-byte packets.

Going this route, I would end up over budget by $2200. (4000+1300+1300+800+800).

Option 2:

My other choice is going for a Catalyst 6509-e chassis.
A company a few blocks away went out of business and is selling a 6509-E dirt cheap with a Sup32, X6148-GE-45AF PoE cards and dual 6000 W power supplies. (under $500)

I could purchase a sup720-3B for about $350 (let the sup720 do the routing)
Two WS-X6748-GE-TX-3B for $600
Two WS-X6548-GE-45AF for $1000
(I might be able to get away with the X6148-GE-45AF cards already installed)

This would basically be equivalent to, maybe even better than, going for the 3750G and ISR 3925E.
Of course this would mean that I would be without firewall/IPS/VPN, so I would have to look for other line cards to achieve what an ISR would do.

Firewall line card: WS-SVC-FWM-1-K9 REF $1300
Intrusion Detection: WS-SVC-IDS2-BUN-K9 $500
VPN: WS-SVC-IPSEC-1: $350

Total price: 500+350+600+1000+1300+500+350 = $4650
Not bad, just another 3 cards taking up potential switch space.

Option 3:

A colleague suggested going for a newer external ASA 5000 device.
The sup720 would handle the routing
ASA5525-X (AnyConnect Premium 500) $3500.
Total price: 500+350+600+1000+3500 = $5950

Option 4?
Look into the newer ISR4331?
Look into the ASR line? (ASR 1002)

5,6?

What do you guys think?
At the moment I am leaning towards the 6509-e with the Sup720-3B and ASA 5525-X. I'm sure that the Sup720 would handle routing just fine and I'm not using BGP.
At the rate that the company is growing (not so fast), I think this might hold us until the sup720 is EOL (January 2018). Then I would expect the Sup 2T to be cheaper, or better yet, IT would be a real department! (Or I change jobs lol)

I know that I'm focusing on Cisco products, but any suggestions are welcomed.
 
Get in touch with a Juniper product specialist. We use Juniper MX480s with 40 Gb and 100 Gb links between offices and a couple of MX960s at the local main site. Couldn't be happier with the support and service. Next project is moving to 100% SDN on the core network, 5-year plan.

I have personally used some Juniper routers & firewalls and been extremely happy with their performance and value.
 
Is VoIP terminated internally or externally?
That would make a big difference on how I would set it up.
I am not a big fan of doing everything on one router for networks this size and would split it up:
one dedicated VPN server
one router for IDS and filtering
2 switch stacks, one for computers and stuff and one for VoIP.
Then a router to tie it all together, where the WAN side of the VPN box and of the IDS/filtering router terminate and, if doing external VoIP, the VoIP stack terminates, and use QoS.
 
Thanks guys for the responses.

@bds1904, I've started doing some research on the EX8208/EX4200 and SRX lines. On paper they do seem to be way better both spec- and price-wise! Very interesting stuff. The only thing that might put me off is that I'll have to learn JunOS, but as far as I've read it doesn't seem that hard coming from IOS or CatOS. Those MX480 boxes are beastly! But 15k, way out of budget; any recommendations in the 2 to 3k range?

@storym1, I agree, I would like to have all services spread out. Having something like an ISR handle everything seems convenient, but I do see the downside to that approach. As for VoIP, we are running a FreePBX box that's connected to our SIP trunk provider (GoFiber). This provides phone service to our phones on site and off. QoS is a must. If I go the 6509 route, 2 line cards will be for servers/desktops and the other two PoE cards for phones, access points and cameras. Routing on the Sup720 and firewall/IDS/VPN on the ASA.

It's sad, but I only have 6k to "play" with.
 
6k is what I normally spend on my core switches... It's insane that you are tasked to do this on that budget.
 
You don't have to do used/refurbished equipment. UBNT has their Edge line, which would probably work for you. Buy 4x EdgeSwitch 48 switches for data networks, 1x EdgeSwitch 24 PoE for VoIP/WAP, and their EdgeRouter Pro to handle the firewall/routing duties.

EdgeRouter Pro ~$350
EdgeSwitch 48 x4 ~$3196
EdgeSwitch 24 PoE ~$400

They can support SFP for future fiber installs, gives you some extra ports, everything is new, CLI is extensive.

Possibly replace the EdgeRouter with a Watchguard XTM5xx series, it has the UTM packages and processing power for AV, IPS, Web Content Filters, Application Control, etc.
 
@thras408, Yes sir, totally insane, but that's the mentality I'm dealing with ATM. No wonder the last guy quit.

@firedrow, Thanks for the input, I'll look at Ubiquiti's products. I'm already using their UniFi access points and so far 0 complaints there. I'll do some research to see how their products stack up against the bigger names.
 
For routing and firewalling, have you given any thought to a Unix/Linux firewall distro like pfSense, Smoothwall, etc.?

I think you could get the performance you need for a lot cheaper by building a dedicated pfSense box or the like.
 
Yes! I'm actually testing pfSense on a VM right now. I've successfully established an IPsec tunnel to a Cisco 2911. I'm only getting about 5 Mbps through it, but that could just be because pfSense is virtualized.
So far I'm really impressed with ClamAV and Squid. I'm really tempted to build a cheap 1U server for pfSense.

So many decisions! :eek:
 
If you are willing to consider pfSense, I would build 2 routers, run CARP for failover and use UBNT switches.

Stick with CPUs that support AES-NI and you'll have a fast, redundant setup.
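The AES-NI advice above is easy to get half right: you can buy the right CPU and still run the VPN on a cipher that never touches the hardware path. The script below is an added example, not code from this thread or from the pfSense project. It checks the CPU feature flag from a cpuinfo-style file, checks that the chosen VPN cipher is actually an AES mode, and (on request) measures OpenSSL AES-256-CBC throughput with and without the AES-NI code path. It assumes a Linux-style /proc/cpuinfo and OpenSSL 1.1 or newer for the `-seconds`/`-bytes` options; on pfSense/FreeBSD the equivalent feature check is `dmesg | grep -i aesni`.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a box intended as a
# pfSense / IPsec / OpenVPN router. Assumes Linux /proc/cpuinfo format and
# OpenSSL >= 1.1 (for `openssl speed -seconds -bytes`).

# cpuinfo_has_aesni [FILE]
# Prints "yes" when a "flags" line in FILE lists the aes feature bit
# (Intel/AMD AES-NI), "no" otherwise. Defaults to the live /proc/cpuinfo.
cpuinfo_has_aesni() {
    f="${1:-/proc/cpuinfo}"
    if [ -r "$f" ] && grep -E '^flags[[:space:]]*:' "$f" | grep -qw aes; then
        echo yes
    else
        echo no
    fi
}

# aesni_usable_for_vpn YES_OR_NO CIPHER
# Returns 0 only when the CPU has AES-NI *and* the VPN cipher is an AES mode
# (e.g. AES-256-GCM, AES-128-CBC). A box with AES-NI running OpenVPN with
# BF-CBC or ChaCha20 gets no benefit from the hardware path.
aesni_usable_for_vpn() {
    has="$1"; cipher="$2"
    [ "$has" = yes ] || return 1
    case "$cipher" in
        AES-*|aes-*) return 0 ;;
        *)           return 1 ;;
    esac
}

# openssl_aes_compare
# Rough AES-256-CBC throughput on 8 KiB blocks, 2 seconds each, first with the
# AES-NI path and then with it masked out. OPENSSL_ia32cap=~0x200000200000000
# clears the AES-NI (bit 57) and PCLMULQDQ (bit 33) capability bits so OpenSSL
# falls back to its software implementation. Not run automatically; call it.
openssl_aes_compare() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 1; }
    echo "with AES-NI:"
    openssl speed -seconds 2 -bytes 8192 -evp aes-256-cbc 2>/dev/null | tail -1
    echo "without AES-NI (software fallback):"
    OPENSSL_ia32cap="~0x200000200000000" \
        openssl speed -seconds 2 -bytes 8192 -evp aes-256-cbc 2>/dev/null | tail -1
}

# Quick report for the host this runs on; the cipher name is an assumed
# example of what you would configure on the VPN side.
HOST_AESNI=$(cpuinfo_has_aesni)
echo "this host has AES-NI: $HOST_AESNI"
if aesni_usable_for_vpn "$HOST_AESNI" "AES-256-GCM"; then
    echo "AES-256-GCM will use the hardware path"
else
    echo "hardware AES path NOT in use: check CPU flags and VPN cipher"
fi
```

Run `openssl_aes_compare` after sourcing the script to see the difference the flag makes; on an AES-NI CPU the masked run is typically several times slower, which is the gap the thread is describing between "fast enough" and "not".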
 
We just implemented a pfSense box today at a large client's site to handle bandwidth management for guest access. Was pretty cool how well it worked. I don't know if I would use it as a full-fledged firewall, but it has a lot of nice options. I think they spent $800 and it came with 1 year of support.
 
Look at MikroTik too... we replaced some $10k+ Ciscos with $1300 MikroTiks and could not be happier.
 
If it wasn't for the VPN requirement, I would recommend them too. RouterOS's implementation of VPN (both site-to-site and client-server) sucks. OpenVPN only supports TCP transport, and TCP over an IPsec tunnel is slow. Not supporting UDP VPN protocols is a big downfall.

I currently run RouterOS at 8 sites and constantly see performance issues through VPN tunnels but not outside of them to the same sites. It is clearly not a bandwidth issue, and all the routers are either CCR1016 or x86 that support 200 Mbit+ AES256-CBC encrypted traffic.

I am in the process of replacing all of it with pfSense boxes ranging from a Xeon X5650-based box for a 500/500 Mbit site to Atom C2550-based boxes for 50/50. Preliminary testing is showing they are able to max out the VPN tunnel full duplex without breaking a sweat no matter what traffic is going over it. Even OpenVPN AES-256 with compression running is great.
 
Switch-wise, look at HP ProCurve. Lifetime warranty and reasonably priced. Router-wise, what are you trying to accomplish? Inter-VLAN routing or strictly NAT for internet?
 
Used Dell R610 with Untangle for your edge device :)

Was going to say get some HP 2530s? I think they are...
 
Switch-wise, look at HP ProCurve. Lifetime warranty and reasonably priced. Router-wise, what are you trying to accomplish? Inter-VLAN routing or strictly NAT for internet?

+1 for ProCurve. Cisco/Juniper guys probably cringe, but these were a decent value for what they offer and quite reliable. At a past company I worked for, our Cisco bigot VAR scoffed at HP but wasn't able to convince our bean counters the Cisco badge warranted more than twice the cost when they lined up the features that would get used on the switches. How HP bundles their 8200 zl line made it so they literally bought two and combined cards to make one, making a cold spare chassis on the shelf, and were still 1/2 the cost of the Cisco.
 
I use the 3500yl line of HP switches. They work fine, but they were not "that" much cheaper than Cisco as far as price goes. The main thing that is nice is the warranty, but you still have to pay yearly for support and updates.
 
The 3500yl (now 3800) series are a very good switch, and run the same firmware as the 5400/8200 series. They are a full L3 switch. HP offers many less expensive options if you only need L2, like the 2530 series.

I've never paid for support or updates on any of our HP gear.
 
Thank you guys for all your input!

Right now I'm in a very awkward position...
The CEO is throwing a temper tantrum on why things aren't working since we throw so much money at/on IT! :mad:
So annoying.

I've been given a very unreasonable deadline and things must be "fixed" or heads will be chopped off. :eek:

Taking this into account, I'm practically being forced to go for that 6509-E for the core. I've talked to the company that's selling it and I'll be snagging it for $100.

My chain of thought is to update the line cards and use an external ASA/SRX for security/VPN. I'll be able to do this in a week and be under the deadline. Afterwards I'll probably start looking for new employment because the situation here is just crazy! :(
 
If you need a functional firewall, I would consider going with the 6509 option (that's a hell of a switch and does very well with basic routing, IP SLA etc.).

You can pick up a Fortinet FortiGate 60D for under a grand; that would more than capably handle the 100 Mb internet link, can terminate VPNs and also supports dynamic routing and NGFW features. You may not be able to use full UTM, but it's a darn sight better than an ASA!

If you have budget, a 100D would capably handle all the features in real time too and be a better link/VPN aggregator.
 
By the way, in case this helps save your job or teach your CEO a lesson about how smart he isn't, Gartner and other trusted vendors publish reports on average IT spend as a % of revenue based on vertical. They also have it by per supported employee. I suspect that would shut him up - it's pretty hard to say Gartner data is BS.

Here is an image of the primary chart: [image: article_itmetrics_0314_b2.png]
 
Yeah, screw that place. I wouldn't even go through the stress of trying to upgrade, I'd just start looking now.

@Green, we use the 2000 series switches for L2. Like I said, everything works fine; the only complaint I've ever had with HP is the wireless. It's way confusing to me compared to Cisco, but then again it's probably because I've spent so much time learning Cisco :p
 
YES, HP wireless is g-a-r-b-a-g-e! I've spent the last 3 years ripping out and replacing both HP WESM and MSM systems. Both are JUNK. When you throw over 1000 WAPs into the mix, it's awful.
 
Wow, didn't your CEO get the memo that bullying is no longer tolerated?

Make sure you video his response to those Gartner graphs. If he's that much of an ass to threaten chopping off heads over his past bad decisions, he will *LOVE* being told he doesn't know how to run a business. :)

I agree with thrash408. Don't bother helping him. Update your resume and jump.
 
I use the 3500yl line of HP switches. They work fine, but they were not "that" much cheaper than Cisco as far as price goes. The main thing that is nice is the warranty, but you still have to pay yearly for support and updates.

Not sure where you bought your HPs or who from, but you do not need to pay yearly for HP switches, unlike Cisco who rapes you on everything.

Cisco was "the man" 10-15 years ago; now there are just as good options, often far cheaper, that perform as well and sometimes better than Cisco, who keep recycling their 10-year-old hardware.

If Cisco switches are so great, why do they not have lifetime warranties like HP...
 
Thank you guys for all your input!

Right now I'm in a very awkward position...
The CEO is throwing a temper tantrum on why things aren't working since we throw so much money at/on IT! :mad:
So annoying.

I've been given a very unreasonable deadline and things must be "fixed" or heads will be chopped off. :eek:

Taking this into account, I'm practically being forced to go for that 6509-E for the core. I've talked to the company that's selling it and I'll be snagging it for $100.

My chain of thought is to update the line cards and use an external ASA/SRX for security/VPN. I'll be able to do this in a week and be under the deadline. Afterwards I'll probably start looking for new employment because the situation here is just crazy! :(

Fuck that, bail.

Oh, and Brocade makes nice stuff now too.

I mean too expensive for the used Netgear/TRENDnet budget your smacktard CEO has set, but keep them in mind in the future.

Just set his ass up with a bunch of 10/100 3Com hubs and walk out like a boss.
 
You don't pay for warranty, you pay for the support and downloads of the latest IOS. For instance, I have a lifetime warranty on my switches, but when I wanted to upgrade to the latest I called and they made me purchase a year of "support" in order to get the latest version for the switch. I use CDWG, so I know I'm not getting screwed. The switches all have a lifetime hardware warranty, but if I need help configuring something, they won't talk to me without support. I just spent two weeks fighting HP about my wireless "randomly" not working after I upgraded the controller. I ended up having to pay $1,300 for 1 year of support for the guy to remote in and look at the controller for 20 minutes.

Cisco does some things wrong, but my networks are rock solid and I never have issues. If I do run into issues, I have a dedicated Cisco engineer that I can call if I run into issues with TAC (most of the time I just can't understand the Indian lol).
Also, Cisco isn't going to warranty a switch for lifetime; how do you expect them to make so much money :p

@Schiz - Lol, go buy about 20 x 10-port Netgear 100 Mb switches and stack them in the rack on a 2x4.
 
Fuckin-A right. Now you're thinking like a boss.

Seriously, the whole "HP switches have a lifetime warranty" is so grossly misrepresented. Yeah, they warranty the hardware forever. Great. No real support is included with that switch, like software upgrades etc., which is far more important in terms of how long that switch will remain relevant. I have a pile of Cisco 3750s that, while they still work like the day they were made, are fully obsolete. A 3-5 year service contract was worth a ton for their lifespan for new OS and support. A lifetime warranty on useless hardware is just that, useless. My current switches all have 3-year support agreements on them, and at the end of that they will be reassessed to see if they are still meeting our needs and if not they will be replaced.

Regardless of choice of vendor (HP, Cisco, Juniper, Brocade etc) a "lifetime warranty" on a box that has a usable lifespan of 3-5 years is just marketing. Support contracts are what is valuable.
 
Instead of just throwing random ideas around, do we have any idea what the actual network load looks like and how it's designed?

192 ports, that doesn't say much at all... (same location or across several locations on site?)
Some are PoE, how many, same location?
What does the core router actually do? Again, network map would help
~100 users, I assume this would be "office work" load or....?
3 remote locations, okay... are all these offices (all users are in all these locations)?
50 VPN clients, just random laptops and whatnot I presume?
100/100 connection....
Depending on network load and devices you might pull it off decently
//Danne
 
Seriously, the whole "HP switches have a lifetime warranty" is so grossly misrepresented. Yeah, they warranty the hardware forever. Great. No real support is included with that switch, like software upgrades etc., which is far more important in terms of how long that switch will remain relevant. I have a pile of Cisco 3750s that, while they still work like the day they were made, are fully obsolete. A 3-5 year service contract was worth a ton for their lifespan for new OS and support. A lifetime warranty on useless hardware is just that, useless. My current switches all have 3-year support agreements on them, and at the end of that they will be reassessed to see if they are still meeting our needs and if not they will be replaced.

I have no idea what you are going on about!

HP warranty also includes 3 years of 24/7 support in addition to the lifetime replacement, included!
Example: http://www8.hp.com/us/en/products/networking-switches/product-detail.html?oid=5333803

As far as HP updates:
http://pro-networking-h17007.external.hp.com/us/en/support/converter/index.aspx

Type in the J number (J8692A for example), click the checkbox, display selected. Then click Software, and boom! Free firmware downloads, no service contract required. This applies to all HP switches. Cisco can't touch this; most people resort to illegal methods to obtain IOS images since they require SmartNet. I have several hundred HP switches without any maintenance agreement and have NEVER paid for support on them.
 
I just spent two weeks fighting HP about my wireless "randomly" not working after I upgraded the controller. I ended up having to pay $1,300 for 1 year of support for the guy to remote in and look at the controller for 20 minutes.
Controllers are not covered by the same warranty as switches and indeed do have a yearly support contract model.
Switches, as far as I know, are all covered by the Lifetime Warranty 2, which comes with free new updates until EOL + 3 years; even then the old patches are still free. 24/7 3-year phone support is also included and after that limited email support.

Like anything else never assume and always check the specific warranty on any product.
 
I have no idea what you are going on about!

HP warranty also includes 3 years of 24/7 support in addition to the lifetime replacement, included!
Example: http://www8.hp.com/us/en/products/networking-switches/product-detail.html?oid=5333803

As far as HP updates:
http://pro-networking-h17007.external.hp.com/us/en/support/converter/index.aspx

Type in the J number (J8692A for example), click the checkbox, display selected. Then click Software, and boom! Free firmware downloads, no service contract required. This applies to all HP switches. Cisco can't touch this; most people resort to illegal methods to obtain IOS images since they require SmartNet. I have several hundred HP switches without any maintenance agreement and have NEVER paid for support on them.

3 years, such a product shouldn't fail in the 3 years; I wonder what their MTBF is!
 
They have a lifetime replacement warranty. The 3 years is for 24/7 support that's included with the switch. I have had HP gear that's been in production for 10+ years before we replaced it.
 