As I have mentioned before, I have been working on a network redesign for a non-profit organization, with an aim of deploying a (relatively) low-cost, manageable solution. For various reasons, the organization has only just approved the funding for my design, so I have had my contract extended until the end of the year, which has given me time to experiment with some different technologies. So, this post will be a bit of a departure from many of the recent posts dealing with switches-that-cost-more-than-my-car-or-house.
For most of the twenty or so residential facilities that the organization has, I have chosen to implement the Cisco 880 series routers, and in particular the 887VA for those sites that will be DSL-attached. As a pilot, I have deployed a couple of these already. The 887VA is quite a capable unit, and you can see some of the specs here. For a site that has a couple of PCs, but which need to be strictly separated (for example, staff and client PCs), the unit is great – it has a few VLANs, ACLs, firewall functionality, and even VRFs or L2TP if you want to go that far. Take note that to get the most options available and therefore the most flexibility with things like a choice of routing protocols, DMVPN, and IPSec tunnels, for a few extra dollars go for the Advanced IP feature set.
Another thing that I have been trialling is Scansafe content filtering; content filtering is a duty-of-care and in some cases legislative requirement for an organization that has under-18s in residential care. The 887VA with Advanced IP running 15.2 and up can natively integrate with Scansafe, meaning no configuration on the end-user; no pesky .pac files to exclude the intranet sites from the filtering. I’ve had it running in a trial at two sites and it works a treat. At the management end, you can use user authentication or, as I am doing, the embedded local IP addresses to differentiate sites and groups for access, and on the router only a handful of commands are required to set up a system with regex and IP whitelists. If anyone is interested, I can give you my impressions or do a post about it. Like all content filtering, it has its flaws, and a savvy user will be able to circumvent it given enough time and effort, but at this stage, it is proving very effective.
All that said, a major thing I have been looking at is making things easy for the non-Cisco savvy ICT staff who will be left behind after I leave. Apart from encouraging them to at least look at some CCNA-level training (which should be more than adequate on an ongoing basis), I have been building up a management infrastructure like TFTP servers, config archiving and monitoring. While messing about with options for software upgrading and config restoration, I thought I’d have a play with the USB port on the 887VA. As a functional USB port was not an option on most of the Cisco kit I’d used before, I was surprised how well it worked by just plugging in my FAT32-formatted Toshiba 16Gb thumb drive.
In the image below, I just did a “dir ?” to list the file systems, then plugged in the USB, and lo and behold, there it was.
So now, just like any flash or nvram file system, I can copy to and from the USB drive.
At this stage, you can boot with a config on the thumb drive; you can’t yet boot from an image on the drive.
While this may seem a bit passe, and many of you have seen it before, I was happy to come across this feature, as it was one lacking on the 7200s and 3800s I had used in the past. I can certainly see where it could come in handy – non-technical people can usually be relied upon to plug in a thumb drive for you if you can’t do your software update remotely for some reason, or you could use the archive commands to regularly do local copies of configs, or copy logs or debugs for later analysis. Plus if you are on site, you don’t need a laptop with an ethernet and a TFTP client and a console cable to do a local update – just plug in the USB and the console cable.
It is a little thing that I can potentially leverage for ease of maintenance once I leave.
The 887VA is a very capable small branch router, and if you are in the market for a fixed form factor router that gives you all the options you might need, so far I can certainly recommend it. As always, you pay a premium for Cisco kit, and you may need to argue why you can’t get by with just a supermarket brand router that costs one-fifth the price. But this is a space where I have found that you really do get what you pay for, and I will be able to deploy over twenty of these for less than $AU10K. For that, I will be getting local security using port security, VLANs, ACLs or firewall features, transit security via IPSec and manageability using IP SLA and SNMP and EEM, and QoS (for what it is worth on a DSL service). Well worth it, I say.