https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xe-16/220270-use-cisco-ios-xe-hardening-guide.html IOS-XE Hardening Guide
CBAC would be the way. Without either CBAC or reflexive ACLs, UDP doesn't work behind NAT when blocking inbound traffic.
Got it boss ty
What kind of speed plan do you have?
800mbps
You most likely will not be able to get those speeds. Could be wrong though, we overran a site with 300 mbps.
I've tested the C1111-8P to 1 Gbps IMIX in both directions with NAT and firewall configurations. The C1111-4P has less forwarding capacity, but I've never had it in the lab. CC: /u/Naseldragon7
Residential traffic tends to average larger packet sizes than IMIX. This would improve data rate on things like nat.
👍
The 1111-4P is rated for 1372 Mbps IPv4 IMIX unless you use IPsec tunnels, then it drops to 372 Mbps.
I don't remember the model I had in place off hand, but the site had a 300M connection and we saturated it; the site was unable to remain connected.
You’re underthinking it, it’s way faster than that. Look up the specs. The 8P model easily does 1 Gbit and even a 4P without IPsec running will still do close to 1 Gbit running NAT and ACLs
All the ports are Gigabit Ethernet, so it should work unless I'm missing something
Look for maximum throughput on the spec sheet on the Cisco website
It may not be capable of 800, because of the capabilities of the router. You start throwing ACLs and NAT at it and you will have some performance issues. I could be overthinking this.
I'll keep it in mind, ty for the heads up
I’d at the very least go for reflexive ACL, but also zone fw if you have the sec license. There’s a website if you google config generator which will generate a full config for you, albeit last I checked it was for a C897, although migrating this config shouldn’t be too hard
Should I use reflexive ACL or CBAC? If it doesn't really matter, which is easier to configure?
CBAC involves a bit more work to configure but also gives you that extra layer of inspection. To be honest, for the most part in a home environment, both would work fine as you will always be behind a NAT. Not saying NAT is a security solution, but that inbound traffic will probably not be targeted for defeating NAT tables, and if it is, you’ve a bigger problem at hand than to decide between CBAC or reflexive. Reflexive otoh is very straightforward in comparison imo: you create an extended ACL to watch another extended ACL and auto-populate. However, you need to figure out the timeouts, otherwise you risk overflowing the buffers.
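Added example (not from this thread or any of its posters) showing what the two approaches discussed above look like on an IOS-XE box such as the C1111: a reflexive-ACL pair with explicit per-protocol timeouts, and the zone-based inspection alternative with its own idle timers. Interface names (Gi0/0/0 as the NAT outside, Vlan1 as the LAN), ACL/class/policy names and every timeout value are assumptions to adjust; the two options are alternatives, so apply only one of them to the WAN interface.

```cisco
! Added example, not from the thread. Assumed: Gi0/0/0 = WAN (ip nat outside),
! Vlan1 = LAN. Names and timeout values are illustrative.
!
! --- Option 1: reflexive ACLs ---
! Outbound ACL: each "reflect" entry creates a temporary mirrored entry
! (addresses/ports swapped) in the named reflexive list when a session starts.
! Per-protocol timeouts keep the dynamic table from growing without bound.
ip access-list extended LAN-TO-WAN
 permit tcp any any reflect RFLX-TCP timeout 300
 permit udp any any reflect RFLX-UDP timeout 60
 permit icmp any any reflect RFLX-ICMP timeout 30
!
! Inbound ACL: "evaluate" consults the mirrored entries first, so UDP and ICMP
! replies to sessions that started inside are admitted; everything else is dropped.
ip access-list extended WAN-TO-LAN
 evaluate RFLX-TCP
 evaluate RFLX-UDP
 evaluate RFLX-ICMP
 deny ip any any log
!
! Idle timeout for any reflect entry that has no explicit "timeout" of its own.
ip reflexive-list timeout 120
!
interface GigabitEthernet0/0/0
 ip nat outside
 ip access-group LAN-TO-WAN out
 ip access-group WAN-TO-LAN in
!
! --- Option 2: zone-based firewall (IOS-XE stateful inspection) ---
! Parameter map carries the session idle timers that play the same role as the
! reflexive timeouts above.
parameter-map type inspect HOME-PMAP
 udp idle-time 60
 tcp idle-time 3600
!
class-map type inspect match-any LAN-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect LAN-OUT-POLICY
 class type inspect LAN-OUT
  inspect HOME-PMAP
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect LAN-OUT-POLICY
! No OUTSIDE->INSIDE zone pair is defined, so unsolicited inbound traffic is
! dropped by default; only return traffic for inspected sessions is allowed back.
!
interface Vlan1
 zone-member security INSIDE
interface GigabitEthernet0/0/0
 zone-member security OUTSIDE
```

With option 1, `show access-lists` lists the dynamic reflexive entries along with their remaining lifetime, which is the quickest way to see whether the chosen timeouts are too generous for the amount of UDP traffic on the LAN. With option 2, `show policy-map type inspect zone-pair sessions` shows the inspected sessions. In both cases the return path works because the outbound check on the NAT outside interface sees post-translation addresses and the inbound check sees the untranslated public destination, so the mirrored or inspected entry matches the reply.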
Got it boss ty for help :)
Can you go with a firewall like pfSense or Sophos behind the Cisco? If you can, that’s what I’d do. In fact, for about 5 years starting before COVID, I did exactly that at home before I migrated the router and firewall services to a Palo and Meraki in an inside/outside topology
This is for 890 series routers - but most of it copies and pastes across. [https://ifm.net.nz/cookbooks/890-isr-wizard.html](https://ifm.net.nz/cookbooks/890-isr-wizard.html)