L3 router for CCNA/CCNP

amrogers3 (joined Nov 7, 2010)
Looking to purchase a L3 router. Been looking at the Cisco Catalyst 3560-12PC, does anyone know if it has Zone Based firewall capability?

Courtesy of Cisco:
Cisco IOS® Software Release 12.4(6)T introduced Zone-Based Policy Firewall (ZFW), a new configuration model for the Cisco IOS Firewall feature set. This new configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic.
 
First off, you'll have to understand the differences in the OSI layers. All routers are layer 3. In basic terminology, layer 3 is where IP packet routing takes place. Basic switches are layer 2. Layer 2 does the frame switching based on source and destination MAC addresses.

Secondly, there are devices that are termed layer 3 switches (not routers) because they offer basic (and in some cases advanced) routing capabilities but are still switches at their core. The Cisco 3550/3560 series are layer 3 switches.

Most switches that you'll be able to get your hands on do not offer things like zone based firewalls. They just do not have the power or the resources to do that kind of function and be able to switch frames efficiently.

You'll have to get an actual router (800 series; 1700 series, 1721 or above to get the most features out of 12.4; 1800 series; 2600 series; etc.) to implement stuff like zone based firewalls. The only drawback is getting your hands on a T train IOS (which has the zone based firewall). Most of the items you can get at places like eBay only have the mainline train of IOS loaded, and if something has the T train IOS, they'll try to sell it for a premium.

To give you an example, I am about to start my CCNP studies and I have purchased five 1760 routers (128 MB of RAM with 12.4(15)T), a 3550 layer 3 switch and three 2950C layer 2 switches for that purpose.

I would suggest starting out by finding a few routers (1700 series because they're cheap) and a couple of switches to practice your CCNA studies on and getting a deeper understanding of the core networking fundamentals.

Here's a link to a few topics on CCNA labs. This blog is written by Wendell Odom, who writes a lot of Cisco Press books concerning routing and switching.

http://www.certskills.com/LabGear.aspx
 
What he said, plus if you don't know the difference between a layer 3 switch and an integrated services router you probably don't have the skills required to configure and maintain a ZBF on IOS. They are probably the most PITA firewall implementation ever.

That being said, I don't want to completely turn you off from them, but if you don't have a solid grasp of IOS and aren't comfortable working with class maps, policy maps, ACLs, etc., a ZBF will quite possibly melt your brain the first time you look at the config.
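To make the "default deny between zones until an explicit policy allows it" point from the Cisco description in the first post concrete, and to show the class-map / policy-map / zone-pair layering the previous reply warns about, here is a minimal ZBF configuration. This is an added example, not from any post in this thread or from Cisco documentation; the zone names, the `Vlan1` LAN interface and the `FastEthernet8` WAN interface are assumptions for illustration and will differ on your box.

```ios
! Added example (not from the thread): minimal two-zone ZBF on IOS 12.4T.
! Assumes the LAN switchports sit in VLAN 1 and FastEthernet8 is the WAN port.

! 1. Classify the traffic you want to let out. Nothing else will match.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol dns
 match protocol http
 match protocol https
 match protocol icmp
!
! 2. Policy: stateful inspection for the class, explicit drop+log for the rest.
!    (class-default is dropped anyway; "drop log" just makes it visible.)
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! 3. Zones. Interfaces in different zones cannot talk until a zone-pair exists.
zone security INSIDE
zone security OUTSIDE
!
! 4. Zone-pair is directional: INSIDE -> OUTSIDE only. Return traffic is
!    allowed by the inspect state table; there is no OUTSIDE -> INSIDE pair,
!    so unsolicited inbound traffic is denied by default.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! 5. Put interfaces into zones. An interface in no zone cannot reach any zone.
interface Vlan1
 zone-member security INSIDE
!
interface FastEthernet8
 zone-member security OUTSIDE
```

Two things worth checking after pasting this in: `show zone-pair security` confirms the pair and attached policy, and `show policy-map type inspect zone-pair sessions` shows the stateful sessions that are letting return traffic back in. Also note the built-in `self` zone (traffic to and from the router itself, e.g. SSH to the management address) is not covered by the INSIDE/OUTSIDE pair above and remains permitted until you define a zone-pair involving `self`, so lock that down separately if the WAN side is untrusted.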
 
I'd recommend reading this: http://hardforum.com/showthread.php?t=1414407

Personally, I'd start off with Packet Tracer, then use GNS3, then Dynagen.

Why buy equipment when you can run it all virtually?

I have a Cisco 3725 and a managed switch (model # escapes me) that I bought for hands-on experience a while back, and aside from a little networking project I got involved in with a few guys from this forum about a year ago, I haven't used it much.
 
After weeks and weeks of researching and asking questions to anyone who would listen, I think I settled on a L3 behind my pfSense firewall for my internal network.

Looking at the CISCO891-K9. Looks like it has SPAN (port mirroring), zone based firewall, and VLAN functionality.

Only problem is that it isn't fanless. Anyone with first hand experience with the device that can let me know how quiet/noisy it is? It's going to be in a room that needs to be quiet.
 
Most high end networking equipment is going to have fans and be noisy as hell.

http://www.xrackpro.com/
 
Not to rain on your CCNA parade, but at the level of CCNA, especially learning the material for your CCNA, you really REALLY REALLY do not need to spend a dime on physical equipment. There are tons of nice simulators that are cheaper than a single router. Personally, I got through all my CCNA Academy courses and the exams using nothing but Cisco's Packet Tracer (pre 4.0, it's way better now).

CCNP is a different story, but cross that bridge when you get to it. If you don't already have a job supporting Cisco devices, CCNP is a waste of time and money IMO. CCNA does a good job of testing more general concepts that are transferable, CCNP gets into Cisco-land a bit too deep.

I spent way too much time and money doing a CCNP, and I ended up at a job where the entire 28-office WAN is run using OpenBSD routers, the LAN is on HP ProCurve switches, and we have 1 (yes, one) Cisco device that I manage. And it's a 9 year old PIX. :(
 
Could be worse, you could be using Novell.
 
I'm actually a Certified Novell Administrator for NetWare 5. I got it roughly 10 years ago. It's actually been a pretty useful cert in 2 ways:

1. It taught me I NEVER want to admin or use NetWare or Novell in any way.
2. I keep the CNA card in my wallet for laughs, and when I need a sturdy plastic card for something and don't want to damage an actual useful card :)

As for the OP: Personally, if you can find the equipment cheap, buy it and use it in conjunction with emulators. A personal lab can be quite fun if you're serious about a career in networking. I personally feel learning on actual equipment is more beneficial, plus you can simulate layer 1 issues too and see what results you get. Also, check out sites like http://www.certificationkits.com/ or http://www.ciscoland.net/home.html to see what equipment they use in their kits.

Remember, you don't always need the latest and best hardware, and if you hit eBay or local auctions enough you can find some good deals on used gear that would be great for a lab.
 
Thanks for the replies. I would like to be able to be "hands on" with the equipment. Also, this is more than what I need to learn, but I also want to actually implement the device into my network behind a pfSense firewall for an extra layer of security. So it won't be solely used to learn on.
 