Home office network hardware advice (Cisco vs Juniper)

joshu
Hi

I need some advice regarding the purchase of new network hardware for my home office. At home I have two VMware vSphere hosts running several virtual machines including an email server. My internet connection is 24Mbit ADSL and I currently have an Airport Extreme connected directly to the ADSL modem.

I want to replace the Airport with a proper security firewall and after many hours of research I've narrowed down my choices to the following:

OPTION 1
Cisco ASA 5505 Security Plus + Cisco Aironet 1142n

OPTION 2
Juniper SRX 100 + Juniper AX411

The reason I have chosen the Security Plus license is that I need more VLANS than is offered by the base license, so that I can separate traffic coming from the internet to some of my virtual machines.

I'm not a networking expert and I have minimal experience of setting up a Cisco ASA 5505 (base) once for a small company. I've never used Juniper devices.

I'm leaning more towards OPTION 1 as I'm confused about some of the features of Juniper's hardware. I am a Mac user and need to provide VPN access to my network from Macs, iPhones and iPads. This is easily done with the ASA5505 as I can use the native Cisco IPSec clients. However, with Juniper my understanding is that I would need Junos Pulse, which is a free app, but I haven't been able to find any explanation as to how this works and whether there are any hidden costs involved.

Another Juniper concern I have is the cost of software upgrades and maintenance. For Cisco I have been able to find online SmartNet resellers (on Cisco's partner list) and get an idea of the cost. I haven't found pricing information for Juniper maintenance.

My ideal solution would be a "box" that combines the ASA 5505 Sec Plus with WIFI-N, but the closest I've seen is a Cisco 881W and it's not a proper firewall. If only the base ASA 5505 had the security plus features my choice would probably be even easier.

I'm hoping to decide what to purchase within the coming week, so I would appreciate any advice/ recommendations ;)

Thank you

P.S. If you need more information let me know.
 
In my experience, Juniper equipment is good, but setup and maintenance can be a pain to the uninitiated especially when coming from Cisco land. If you've already used Cisco products it may be best to stick with them, if only to save your sanity.

I also found that you don't need prosumer or enterprise wireless products for your home. The high-end wireless routers are more than capable for your needs. The good ones will even allow you to use a RADIUS server.

One question to ask yourself: "Do I need IPv6 support?" The short answer, yes, so ensure you get products that do support it even if your DSL provider doesn't (yet).

Your first best stop in your search for products that fit your needs should be: www.smallnetbuilder.com

There are piles of great articles from the basics of small networks, VPNs, NAS, and a myriad of products that are right up your alley. I refer to it when I run into esoteric situations.

Hope this helps!
 
Hey Sebastianem,

Thanks for your comments!

In my experience, Juniper equipment is good, but setup and maintenance can be a pain to the uninitiated especially when coming from Cisco land. If you've already used Cisco products it may be best to stick with them, if only to save your sanity.

As I've only configured one Cisco device (ASA5505) switching to something different isn't really an issue.

I also found that you don't need prosumer or enterprise wireless products for your home. The high-end wireless routers are more than capable for your needs. The good ones will even allow you to use a RADIUS server.

The reason I chose the Aironet 1142n rather than continuing to use, say, an Airport Extreme is that I want to separate WIFI into VLANs as well as the wired LAN. For instance, separate my family's computers and devices from my own business. Also, if I'm going to use an enterprise firewall then I wouldn't want to compromise on the WIFI aspect of my network.

One question to ask yourself: "Do I need IPv6 support?" The short answer, yes, so ensure you get products that do support it even if your DSL provider doesn't (yet).

I've not dealt with IPv6, although I know we're approaching wide adoption, so you make a good point about this. I haven't looked at whether my two options are IPv6 compatible.

Thanks
 
I'd go with the ASA because I know Cisco better than Juniper. Juniper is solid though.

I wouldn't buy that WAP though, I'd go with a Ubiquiti for much, much cheaper. If all you're worried about are coverage and VLANs, this is a more logical solution.
 
I've never heard of Ubiquiti before. So they have a WAP that supports VLANs and 802.11n?
 
My ideal solution would be a "box" that combines the ASA 5505 Sec Plus with WIFI-N, but the closest I've seen is a Cisco 881W and it's not a proper firewall. If only the base ASA 5505 had the security plus features my choice would probably be even easier.

I'm curious what you mean about the 881W being a proper firewall. Because you say the ideal solution is to combine them, I don't think you're inferring proper to be the physical separation of the two.

The 881 according to feature navigator with its latest 12.4 Universal Data image supports stateful firewalling and a whole bunch of other security features. The ASA would probably be faster for firewalling and VPN, but the router will be able to do that, and a lot more. (Performance shouldn't be an issue, 881 should be able to handle 24mbps.)
 
I'm curious what you mean about the 881W being a proper firewall. Because you say the ideal solution is to combine them, I don't think you're inferring proper to be the physical separation of the two.

The 881 according to feature navigator with its latest 12.4 Universal Data image supports stateful firewalling and a whole bunch of other security features. The ASA would probably be faster for firewalling and VPN, but the router will be able to do that, and a lot more. (Performance shouldn't be an issue, 881 should be able to handle 24mbps.)

What I mean is that with the ASA by default no traffic can move from low to high security zone, so out-of-the-box you have to configure what to open up. On Cisco's IOS such as the 881W you don't have the concept of security zones and you have to specify rules to lock it down.

I did a lot of research when I was deciding whether to choose a Cisco 861w/ 881w or go for an ASA5505 (for the company I set it up). Although the 800 series has the performance and firewall capabilities, my understanding is that if you are offering services facing the public internet then an ASA5505 is more suitable.
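To make the ASA's default stance concrete, the following is an added example, not configuration from this thread or from Cisco's documentation. It shows the parts of an ASA 5505 configuration that put a mail VM on its own VLAN and open only the two TCP ports it serves from the outside; everything else from the lower security level is dropped by the implicit deny. The addresses, the Ethernet-to-VLAN assignments, the object name MAIL-VM and the two ports are assumptions; it assumes the Security Plus license the original post mentions so that a third VLAN interface is available, and ASA software 8.3 or later for the object NAT syntax.

```cisco
! Added example (not from the thread): three VLAN interfaces with security levels.
! Traffic from a higher level to a lower level is permitted by default;
! lower to higher is denied until an access-list opens it.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Physical port assignments (assumption: e0/0 to the ADSL modem, e0/1 to the vSphere DMZ port group)
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
!
! Object NAT (8.3+): publish the mail VM on a spare public address
object network MAIL-VM
 host 192.168.3.10
 nat (dmz,outside) static 203.0.113.3
!
! Open only SMTP and HTTPS from the outside to the mail VM.
! Post-8.3 the ACL matches the real (untranslated) address, hence the object reference.
access-list OUTSIDE-IN extended permit tcp any object MAIL-VM eq smtp
access-list OUTSIDE-IN extended permit tcp any object MAIL-VM eq https
! Explicit final deny so rejected connections are logged for review
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

Two things follow from the security levels alone and need no extra lines: inside (100) can reach both the DMZ and the Internet, and the DMZ (50) cannot initiate connections to inside (100), so a compromised mail VM does not get a free path to the family LAN. If the mail VM must reach something on the inside network, that has to be opened explicitly with an ACL on the dmz interface, which is exactly the "configure what to open up" behaviour described above.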
 
I may be stepping out on a ledge here, but have you considered a Zyxel 100 and, as others have suggested, using Ubiquiti UniFis?


The reason I am suggesting the Zyxel 100 is we just got rid of a Cisco RV082 v3. Cisco offered us an ASA5505, but the WAN to LAN performance would be lower and the VPN licensing costs get higher.

The Zyxel unit has a VPN encryption accelerator chip so AES encryption does not impact the primary CPU on the unit.
 
What I mean is that with the ASA by default no traffic can move from low to high security zone, so out-of-the-box you have to configure what to open up. On Cisco's IOS such as the 881W you don't have the concept of security zones and you have to specify rules to lock it down.

Not necessarily true. You can utilize IOS Firewall to make the router act as a firewall.
 
What I mean is that with the ASA by default no traffic can move from low to high security zone, so out-of-the-box you have to configure what to open up. On Cisco's IOS such as the 881W you don't have the concept of security zones and you have to specify rules to lock it down.

I did a lot of research when I was deciding whether to choose a Cisco 861w/ 881w or go for an ASA5505 (for the company I set it up). Although the 800 series has the performance and firewall capabilities, my understanding is that if you are offering services facing the public internet then an ASA5505 is more suitable.

Sure, the default stance is different, but I don't think there's any reason that should affect your purchase. You simply put an ACL on your WAN interface, and boom - deny-policy firewall. If you were working for an organization that required an ASA-style device at the border to prevent a misconfig mistake from opening the network, that'd be one thing, but aside from that, I'd only go for the ASA if cost-wise it made sense, i.e. it served every need, say just NAT, firewall, VPN, so you only had to get that one device that's less expensive than a full service router. In your case, you also want advanced wireless and potentially other features, so I'd look to the 881w and compare it to your other options.
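An inbound ACL on the WAN interface gives the deny stance, but on its own it is not stateful: return traffic for connections the LAN opened would have to be permitted by hand. The IOS Firewall feature mentioned above is what closes that gap. The following is an added example, not from this thread or from Cisco, of the Zone-Based Policy Firewall configuration on an 880-series router that reproduces the ASA-style default: LAN to WAN is inspected, and because no zone-pair exists for WAN to LAN, that direction is dropped by default. The interface roles (FastEthernet4 as the ADSL-facing WAN port, Vlan1 as the LAN), addresses, and the zone, class-map and policy-map names are assumptions; it also assumes an IOS image whose feature set includes the zone-based firewall, which the thread says Feature Navigator can confirm for the 881.

```cisco
! Added example (not from the thread): IOS Zone-Based Policy Firewall.
! Traffic between two security zones that have no zone-pair is dropped,
! which gives the "closed until you open it" behaviour of an ASA.
zone security INSIDE
zone security OUTSIDE
!
! What the LAN may start towards the Internet; replies are tracked by inspection
class-map type inspect match-any LAN-TO-WAN
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect LAN-TO-WAN-POLICY
 class type inspect LAN-TO-WAN
  inspect
 class class-default
  drop log
!
! Only one zone-pair is defined, so OUTSIDE -> INSIDE has no policy and is dropped
zone-pair security LAN-WAN source INSIDE destination OUTSIDE
 service-policy type inspect LAN-TO-WAN-POLICY
!
interface Vlan1
 description LAN (assumption)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface FastEthernet4
 description WAN towards the ADSL modem (assumption)
 ip address dhcp
 ip nat outside
 zone-member security OUTSIDE
!
! Overload NAT for the LAN range
ip access-list standard NAT-HOSTS
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-HOSTS interface FastEthernet4 overload
```

One caveat a practitioner should check: zone-based firewall policies do not apply to traffic terminating on the router itself (the built-in self zone) unless a zone-pair involving self is defined, so management access from the WAN still needs an access-class on the VTY lines or a self-zone policy. The `drop log` on the default class is there so that anything the LAN sends that is not TCP, UDP or ICMP shows up in syslog rather than disappearing silently.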
 
I may be stepping out on a ledge here, but have you considered a Zyxel 100 and, as others have suggested, using Ubiquiti UniFis?


The reason I am suggesting the Zyxel 100 is we just got rid of a Cisco RV082 v3. Cisco offered us an ASA5505, but the WAN to LAN performance would be lower and the VPN licensing costs get higher.

The Zyxel unit has a VPN encryption accelerator chip so AES encryption does not impact the primary CPU on the unit.

Thanks for the suggestion, but to be honest, after experience with products from Zyxel, Netgear and D-Link I want to avoid these brands. Even though I have my office at home I want something stable with good performance and security.
 
I deployed an SRX210 cluster and two AX411s last year. They were a pain because the junos release for them was very immature. Don't know if things have gotten better. The SRX line is the first Juniper firewall to switch over to junos instead of using ScreenOS and there were some issues.

I would go with the ASA for that reason alone.
 
Thanks for the suggestion, but to be honest, after experience with products from Zyxel, Netgear and D-Link I want to avoid these brands. Even though I have my office at home I want something stable with good performance and security.

The Zyxel USG 100 we are using is being used in a mission critical role. Smallnetbuilder also said they couldn't kill it.

Zyxel has had 4 firmware releases this year alone for the USG line, so I am thinking that they are trying very hard to get their house in order.

As far as I know...current bugs include:

  • Connectivity check on the WAN is not working
  • IPv6 has not been implemented
  • Only 128 static IPs can be reserved on the USG 100, the USG 200 can reserve 256, the USG 300 1024.
 
Having deployed quite a few ASAs at my old job and never touched JunOS before, I'd go with the SRX100 solely based on cost. Hardware-wise the SRX is a bit more expensive than a base 5505; however, once you add in Sec+ and a 50/UL user license the price is heavily in favor of the SRX. Support on the SRX is a bit cheaper too @ ~$50/year according to CDW.
 
Have you looked at pfSense or other open source security appliances? I replace a lot of Junipers, SonicWalls, Ciscos, etc. with pfSense to get away from the fees and lock-in. Most of the SOHO line is either re-badged consumer stuff or branch-office gear, neither of which is a good fit in an internet-dependent small office. pfSense 2.0, which just came out, has huge VPN support. Ubiquiti is a good shop; EnGenius' Business line gets you VLAN support at a good price.
I've also seen Junipers take a 30% hit in bandwidth crossing their firewall.
 
RocketTech I hadn't heard of pfSense till you mentioned it. I spent last night browsing their website and googling pfSense versus Cisco ASA etc and I got a lot of different opinions. Personally I'm not sure what to think about it. I like that it is open-source and there are no licenses to purchase to unlock features. However, looking at the documentation and seeing that a lot of it is outdated worries me.

I'm still undecided on what to do :confused:
 
RocketTech I hadn't heard of pfSense till you mentioned it. I spent last night browsing their website and googling pfSense versus Cisco ASA etc and I got a lot of different opinions. Personally I'm not sure what to think about it. I like that it is open-source and there are no licenses to purchase to unlock features. However, looking at the documentation and seeing that a lot of it is outdated worries me.

I'm still undecided on what to do :confused:

Depends on what you need and what you want. If you want to learn IOS or JUNOS then go with one of those. If you are looking for a damn good firewall to secure your network then pfsense will do that for a hell of a lot less. I'm sure someone will bring up Untangle, so you might want to look at that if you want/need UTM features.

I wouldn't worry about the lack of up to date documentation for pfsense. I'd say in a home office scenario you won't need any real documentation at all. It's very easy with the web interface.

For the record I've worked on Cisco (PIX and ASA), Juniper (SRX and Netscreen), Checkpoint, and Sonicwall. I'm running pfsense at home :)
 
For the record I've worked on Cisco (PIX and ASA), Juniper (SRX and Netscreen), Checkpoint, and Sonicwall. I'm running pfsense at home :)

Interesting! What led you to run pfsense at home rather than one of the brands you've worked with?
 
Interesting! What led you to run pfsense at home rather than one of the brands you've worked with?

Mostly cost. I don't really work on the network side much any more so it's not like I needed something to study on or keep my skills sharp on.
 
I run a pair of CARP pfSense routers on a ~400 node network with several internet connections of varied types (100/100 fiber, 10/10 fiber, 100/10 cable, and a few 6mbps DSL lines). We've got several p2p OpenVPN tunnels and dial-up VPN access with dozens of users and more being rolled out all the time. The p2p VPNs run pfSense appliances on the other end and we run VOIP from the remote offices using our PRI at the main office. Some offices use OSPF to route over pairs of VPNs to ensure an internet connection failure doesn't take down the VPN. BGP over the fiber lines is the next project.

Internet lines fail over seamlessly (most of the time it goes unnoticed to end users), different traffic is routed by priority over varied connections to provide appropriate latency and speeds, and we see essentially 100% uptime - more than the SonicWall and Vyatta's they replaced by a good margin.

Before working here, I was deploying lots of pfSense appliances to small businesses, mostly replacing Juniper Netscreens and SonicWalls. I'm not sure it was a good business move (no recurring charges, less support) but network support fell to literally zero, unless it was to ask for an upgrade like dual-WAN or VPN setups.

All that is to say, I definitely suggest giving pfSense a look. It's quite mature and easy to manage.
 
I manage a Cisco network and several ASA's at work. I also run pfSense at home simply because it has a couple more features (believe it or not) than an ASA for home use. Things like WOL, UPnP and PPTP as a backup VPN come in handy. I'd have no problem running an ASA 5505 at home though.

Between Cisco and Juniper, Cisco easily. If you are not averse to learning it and get the license that runs AnyConnect, you can have a fantastic VPN client for your Mac, iPhone and iPad. AnyConnect is free in the App Store.

I'm indifferent on the Cisco Aironet 1142n for home use. Yah, it's a decent AP, but probably overkill. The main positive about them is LWAPP mode with a controller. If you want to run one in autonomous mode, you can probably find something cheaper, and possibly more powerful, that'll support your VLAN needs. And though you didn't mention it specifically, make sure you have a VLAN-capable switch behind all this, otherwise that feature means nothing. The HP ProCurve 1800 line would be the cheapest I recommend, with a Cisco 3560/3570 being the Cadillac for a home network.
 
Before working here, I was deploying lots of pfSense appliances to small businesses, mostly replacing Juniper Netscreens and SonicWalls. I'm not sure it was a good business move (no recurring charges, less support) but network support fell to literally zero, unless it was to ask for an upgrade like dual-WAN or VPN setups.

All that is to say, I definitely suggest giving pfSense a look. It's quite mature and easy to manage.

Not to thread-jack, but you can get recurring revenue through reselling openDNS to pfSense customers for filtering and monitoring. I see pfSense as a great way to focus on other 'sexy' services like e-mail, VoIP, PC Service, etc. /thread-jack

There is a lot of community support for pfSense; I get the feeling pfSense has a huge following in these forums. I see Cisco, Juniper, SonicWall etc. as a great choice when you want end-to-end managed product lines with critical support. They also have solid feature sets available and good education. The downside is the fees, lock-ins and product cycles. This opinion is coming from the point of view of someone who supports small businesses; my largest client is 30 seats over 3 locations linking via VPN and TS. Other admins will see it differently.

I like the fact I can control the hardware pfSense runs on; I refurb Dell PE1750s and run redundant power supplies, RAID 1, dual processors, spare memory and have up-time limited only by power or planned maintenance. Restarting my pfSense routers as a troubleshooting method just doesn't happen. If you prefer a mini-ITX machine, or Soekris, MikroTik, etc., you have the option. I hate wall-warts in network equipment.

I am by no means a pfSense expert, but I have never been wanting for documentation. I have heard rumblings that a new book is coming out for pfSense 2.0 Release, but I've never felt the need to buy the first book.

Anyways, as has been mentioned, if you plan on supporting Cisco or Juniper, go with those- great advice.
 
Juniper, Cisco products are garbage.

What are you confused about on the Juniper hardware? I'm not an expert on that particular model but I may be able to help.
 
Yes, complete garbage. I'll take Juniper routing/security at the edge with Force10 (now owned by Dell) switching over Cisco all day long.
 
Juniper, Cisco products are garbage.

What are you confused about on the Juniper hardware? I'm not an expert on that particular model but I may be able to help.

Theerrre'sss a great way of joining a forum. Nice.
 
Many of you are providing great insight and advice. Thank you!


I manage a Cisco network and several ASA's at work. I also run pfSense at home simply because it has a couple more features (believe it or not) than an ASA for home use. Things like WOL, UPnP and PPTP as a backup VPN come in handy. I'd have no problem running an ASA 5505 at home though.

Between Cisco and Juniper, Cisco easily. If you are not adverse to learning it and get the license that runs AnyConnect, you can have a fantastic VPN client for your MAC, iPhone and iPad. AnyConnect is free in the App store.

I'm indifferent on the Cisco Aironet 1142n for home use. Yah, its a decent AP, but probably overkill. The main positive about them is LWAPP mode with a controller. If you want to run one in autonomous mode, you can probably find something cheaper, and possibly more powerful, that'll support your vlan needs. And though you didn't mention it specifically, make sure you have a vlan capable switch behind all this, otherwise that feature means nothing. The HP Procurve 1800 line would be the cheapest I recommend, with a Cisco 3560/3570 being the Cadillac for a home network.

Valnar you're not the first one to comment on my WiFi choice. Vito_Corleone introduced me to Ubiquiti UniFi.

Those of you who have responded saying that you use pfSense at home. What do you use for WiFi? Do you use a separate WAP or do you add hardware to your pfSense box?

Also, would running pfSense on my vSphere hosts rather than say on a SuperMicro Atom be a good idea? Any reason to get extra hardware?

You guys have given me much food for thought especially when you threw in pfSense.
 
I don't need anything fancy for wireless, but I did pick up a mid-range model that has worked well for years without a reboot.

Netgear WG102

It's only 802.11g though, but rock solid.
 
I'm using my old WRG3500 Netgear router as an access point. My next upgrade is to a Ubiquiti UniFi Pro... that is, when they come out.
 
Juniper, Cisco products are garbage.

What are you confused about on the Juniper hardware? I'm not an expert on that particular model but I may be able to help.

I think Juniper makes some great stuff and I have chosen them over Cisco a few times with great results ... but Cisco is nowhere near "garbage".
 
Astaro is good too if you want to save money. We use 5505s for our DR clients and they have been very reliable, but for SOHO when you consider the extra licensing cost + support it becomes a ripoff. Maybe I'm missing something, but why do people spend almost $1000 on an ASA when you can use Astaro, pfSense, Untangle, Vyatta, and the rest for much less? It's not like we need custom hardware for routing SOHO connections...
 
Astaro is good too if you want to save money. We use 5505s for our DR clients and they have been very reliable, but for SOHO when you consider the extra licensing cost + support it becomes a ripoff. Maybe I'm missing something, but why do people spend almost $1000 on an ASA when you can use Astaro, pfSense, Untangle, Vyatta, and the rest for much less? It's not like we need custom hardware for routing SOHO connections...

Who the hell is spending $1k on a 5505? A base license is very cheap and the Sec bundle isn't close to $1k when you buy used. They're pretty cheap new with a good discount as well.

http://www.ebay.com/itm/CISCO-ASA55...342?pt=LH_DefaultDomain_0&hash=item4aaf093dc6

If you're asking about people buying simply for home use, I spend the money on Cisco stuff at home because I use it every day and I'm very comfortable with it. I also use and appreciate many of the features Cisco devices offer. Another thing, purpose-built devices > homebrew shit, IMO.

If you're asking why a business would use Cisco over PFSense, Untangle, etc, that's a silly question. Those products are comparable to real network vendors like Cisco, Juniper, Palo Alto, etc.
 
Inferior hardware. Crappy proprietary BS protocols. Overpriced. Etc., etc.

Cisco did a great job luring in the market with their sales teams. Their products are inferior though.
 
Inferior hardware. Crappy proprietary BS protocols. Overpriced. Etc., etc.

Cisco did a great job luring in the market with their sales teams. Their products are inferior though.

The 5505 is lightweight on hardware (as it is supposed to be), but not their 5510+. Those can handle hundreds to thousands of users just fine. :confused:

All the open protocols are available on Cisco products AND their excellent proprietary protocols. While not an ASA protocol, EIGRP kicks ass. I use CDP and VTP all the time on the switches. Very useful.

Expensive? Yah. But support is good. Anyone who is #1 in their product line, anywhere, always charges more than their competitors (see: Verizon Wireless). Cisco is not alone in this, and it doesn't make their products suck.
 
So let's use your 5510 example. Up to 300mbps FW throughput... wow! eBay price is ~$1500. After licensing and SmartNet you're adding another grand to the cost.

Or, you get a Juniper SRX240H, which gets you 1.5gbps FW throughput, and you don't need a special fruity license to get the max of 128k simultaneous connections. You can find these on eBay for 2500ish; I have a guy that quoted me IIRC $2200 brand new a few months ago.

Or you could step up to the ISG1000, which can be found for $1500-$2000, which is odd as it is a much more powerful device.

EIGRP and all their other proprietary BS are just vendor lock in tools.

Don't even get me started on their god-awful switches.
 