I am a real Cisco lover. At home, I have a wall-mounted 5505 connected to my ONT. She makes me proud day in and day out.
In the past, I’ve had experience performing basic tasks on much higher-end Cisco gear. I’ve also used DD-WRT and slogged through the SonicWall mud. Seemingly attractive solutions pop up all the time. Whether an option I’m seeking is obscured or missing altogether, web-based interfaces on new network appliances always find a way to frustrate me during the initial configuration. Shortly after the initial installation, they frustrate me both for the aforementioned reason, and because the interface degrades to the point of uselessness as it does not / cannot keep up with the rapidly changing browser marketplace.
I have installed many a 5505 - lately LAN overhauls have been one of my most popular items (hey man, how come all this stuff we moved into the cloud is so slow...?).
Small businesses, and homes inhabited by intelligent people who want Internet service that attempts to approach the level of reliability of telephone, electric, water, or natural gas service, have needs not unlike those found at the branch office of a well-managed corporation. If we needed to apply a marketing label to the situation, we could loosely say they need a “branch office level device.”
I don’t wish to engage in a debate about Internet addiction or needs. I am simply summarizing the need as acute, and backed by legitimate monetary concerns. We are not talking about a hospital or 911 call center, where human life would immediately be in jeopardy with any failure; however, these are hardly casual newbies comfortable with extended periods of downtime.
I’m about to embark on yet another LAN overhaul or two in the immediate future. This project is for a very dear and patient friend. He’s fed up with his mediocre Internet access. His ISP recently increased speeds, but he remains hampered by an inadequate, consumer-grade router. Normally this is where I’d apply a 5505, the “Tussin” of solid networking base for the average user.
However, one of the first SLA components that we’ve identified for his network is smooth Skype video conferencing. In a relaxed residential environment with unrelated tenants (young BitTorrenters, Pandora and YouTube fans), this simple challenge quickly rises above those found at a mellow office, where large PDF attachments can still sometimes be the biggest consumer of router resources.
In this somewhat typical installation, we find a need that cannot truly be met by any ASA device. A real Cisco router, running full-blown IOS with NBAR capability, is seemingly my only hope of identifying and classifying Skype traffic coming in from an ever-changing array of user devices. Even after settling for refurbished gear instead of factory fresh, the price tag with SmartNet is quite high. The footprint is much larger. Furthermore, going this route introduces moving parts (even though only fans) into the mission-critical equipment stack, where none had previously been.
I’m concerned with the ASA as my go-to choice for SMB router on a number of fronts:
- to do anything of worth on an ASA 5505, one needs the Security Plus license, which more than doubles the price largely nullifying the 5505’s appeal as an entry-level device
- clients who recently “took the plunge” and upgraded to a 5505 from their blue plastic box are requesting seemingly basic (to end users anyway) features (like video conferencing QoS) that their peppy new box was never capable of (I’m honest and thorough with people, but many do not hear tech talk outside of the “Genius Bar.” Insane requests are the norm and logical thought about tech is all but nonexistent). Explaining real tech to people is hard, but explaining senseless restrictions is even harder yet.
- I'm an independent operator and I like being this way. Cisco’s campaign to eradicate people like me, and ensure we are isolated from all resources possible, is both insulting and a barrier to full technical efficiency at times. As their IOS command structure has changed throughout the years, I’ve had to update my self-education. After such radical and abrupt changes, I can’t imagine how much easier the change would have been had I invested in their courses and certifications.
- Because of their old school ways, their inability to meet marketplace demands, bad press, and new (faster, lower-priced, real) competition entering the space, I fear that Cisco may actually drop the ball and begin to lose their leadership status over time.
As a result, I’m looking for alternatives. With new, small, solid-state machines like Intel’s NUC in the marketplace, and continued advances being made in the FreeBSD networking stack, I’m taking a fresh look using open-source alternatives like pfSense. I’ve had commercial success with open-source products before. Yet I lack the experienced teams that large outfits like Google and Facebook have at their disposal. Too much experimenting without results can lead to hunger and/or homelessness for myself. Keeping the delicate balance of boring-routine-proven, inline with fun experimentation is the challenge at the heart of this query. Today’s tough economy limits opportunity for innovation and testing at every level.
The idea of being able to implement new features without being forced up against the wall, to pay for feature licenses, is an obvious turn-on. Then again, the notion that the same minor network driver issue that could provide a vexing weekend of troubleshooting on a homebrew server could be the very same one that keeps dragging down an entire LAN makes my stomach turn. Despite a limited budget for test equipment, I can stomach some tough work and research so long as it leads to needed solutions that I can deploy for long-term production with confidence.
Cisco ASA (5505) Pros:
- sturdy construction, wall and rack mounts available
- easily tolerates the wide temperature swings typically present at smaller location router installs
- world-class software and on-site hardware support
- efficient, well-tuned OS
- popularity = documented fixes / workarounds for most any situation encountered
- no moving parts to stop moving at inopportune times
Cisco ASA (5505) Cons:
- costs a fortune
- dedicated to throwing small operators under the bus
- requires additional costs for f/w updates and device recovery (anyone in the office have a spare USB to serial cable you can borrow?)
- incompatible w/ best practice of referring to NTP server by fqdn
- incompatible w/ even simple dynamic dns services, utilized for redundancy
- lacks even basic DNS services for orgs w/o a dedicated, on-site server
- limited / out-of-touch offerings for anything but mega-sized orgs
- arbitrary limitations imposed on otherwise capable devices, merely to generate additional revenue
pfSense on embedded, solid-state device Pros:
- more cost effective, and growing even more so, as PC prices decline
- no manufacturer incentive to hold me hostage for licensing fees
- device software limits logically tied to hardware limitations in a practical way, allowing for easier forethought, selling, and planning
- in some cases, building a fully-redundant cold or hot swap unit would be less than the cost of Cisco + SmartNet
- support for USB flash drives eases admin burden
- Layer 7 inspection and VLAN trunking support out-of-the-box
- Linux base means ability to add relevant packages, like Asterisk, for a small-business PBX server
- can run off commodity hardware in an emergency
pfSense on embedded, solid-state device Cons:
- uncertainty: most of the (compact, powerful, yet solid-state) devices I’ve looked at feature Realtek NICs, instead of genuine Intel as I (and pfSense documentation) would prefer. Ordering hundreds of dollars in parts to build a router would not yield a happy client if something as basic and fundamental as NIC drivers could grow into a time-consuming, network-crashing issue
- support: I understand these smaller, open-sourced businesses may be forced to charge for time rather than on a per-incident basis. If their team is effective, it could be a more profitable solution, with just a few hours potentially lasting me a long time. On the other hand, if they are ineffective script readers, I could find myself out of a job and support hours all at once. Even if awesome, they could succumb to economic pressures and fold tomorrow, leaving me with no support team at mission critical moments of the multi-year lifespan of these devices
- some resources must be wasted: I am not naive enough to think that a router based on a general-purpose OS could perform as efficiently as Cisco IOS - I go in assuming I will need a processor at least twice as powerful as the one I’d find in a comparable Cisco device to attain the same level of performance. This is approximately consistent with the recommendations tendered on the pfSense blog. I hope to be pleasantly surprised, yet I work in IT so I continue to plan for the worst.
- difficult to keep consistent hardware lineup means additional time spent tweaking and developing support and testing protocols for an ever-evolving set of hardware
I’m not interested in hearing about non-Cisco or non-Open Source options. I’ve seen all I care to: they are all second-rate compared to Cisco. All the commercial competitors decapitate their product lines unnecessarily, in vital ways, so as to coerce additional monetary payments at the most inconvenient moments. Once one graduates past a 5505 with Security Plus license and even basic level SmartNet, they are in a price range where considering alternatives that factor in a cold spare becomes not insane.
Much as I enjoy foregoing raises and vacations so that the IT budget can be spent enabling router commands I need in order to do my job, this must end somewhere. I feel the end of my near-universal endorsement period for ASAs may be coming to a close.
I am still in the midst of conducting research. I hope to have a clearer vision of what the specs and costs will be for a solid-state pfSense appliance that I can recommend for purchase with confidence. The (slightly) lower price and patience of my friend will buy me some leeway for testing, and even post-rollout tweaking. The potential for embarrassment and/or sky-high support costs still looms - as does letting this valuable educational opportunity pass me by.
I was looking initially at the Jetway JNF9D from mini-box. I like many things about the design, particularly the fact that it is solid-state, wall mountable, has 5 Ethernet ports, and operates on 12VDC. Concern over their use of Realtek NICs and proprietary daughterboards has found me investigating other options and drafting this query.
I can’t be the only one pondering this type of situation.
I am very interested in thoughts and suggestions, particularly from those who have recently installed pfSense on the newer breed of powerful small machines, and those who have experience both with pfSense and commercial Cisco gear.
Thank you in advance for your time and attention.