Topic: How I Killed Off Cisco And Saved Money And Confusion Along The Way

Schnyde (Newbie, Posts: 16, Karma: +1/-0)
How I Killed Off Cisco And Saved Money And Confusion Along The Way
« on: September 12, 2017, 08:25:11 am »
Hello,

I wanted to give a quick shout out to the pfSense team, you've saved me so much time, money, and confusion over the years.

I have now replaced over 20 Cisco ASAs with pfSense firewalls, and the benefits are abundant.  Not only can I use newer technologies than what Cisco provides (like OpenVPN for instance), I can use licensed Cisco features for free (like BGP, which the ASA can't even do), create more advanced networks (using VLANs and trunking, which again, the ASA does not do), better reliability, scalability, and performance than the ASA also.

Over the last two years alone, I have saved my company countless time and money by deploying pfSense, and from a management perspective, it makes perfect sense for the enterprise.  My uptime and performance has increased significantly, and my operating cost of maintaining these firewalls is incredibly low. 

If your thinking about switching over to pfSense in your enterprise, do it, you will be very happy you did.

Thanks again!

Soyokaze (Full Member, Posts: 174, Karma: +20/-2)
Re: How I Killed Off Cisco And Saved Money And Confusion Along The Way
« Reply #1 on: September 12, 2017, 08:55:35 am »

Quote
perfect sense

That definitely makes perfect sense to use as the pfSense slogan and/or motto.
Need full pfSense in a cloud? PM for details!

mkaishar (Newbie, Posts: 18, Karma: +1/-0)
Re: How I Killed Off Cisco And Saved Money And Confusion Along The Way
« Reply #2 on: September 13, 2017, 07:42:11 pm »

Quote
I can use licensed Cisco features for free (like BGP, which the ASA can't even do), create more advanced networks (using VLANs and trunking, which again, the ASA does not do), better reliability


I am looking at BGP, which package did you use and is it stable?


Schnyde (Newbie, Posts: 16, Karma: +1/-0)
Re: How I Killed Off Cisco And Saved Money And Confusion Along The Way
« Reply #3 on: September 14, 2017, 12:34:03 pm »
OpenBGPD from the package manager; although my BGP needs have diminished recently, I did find it to be stable.  I was not doing anything fancy, just pushing routes to my provider.

As the Docs say, it conflicts with the OSPF package, so it's probably best not to run those together.

Cheers!

JKnott (Hero Member, Posts: 888, Karma: +29/-4)
Re: How I Killed Off Cisco And Saved Money And Confusion Along The Way
« Reply #4 on: September 14, 2017, 04:51:00 pm »
Quote
As the Docs say, conflicts with the OSPF package, so probably best not to run those together.

????

You'd use BGP to connect autonomous systems but still need something for your own network.  If not OSPF, what???  RIP???

Derelict (Global Moderator, Hero Member, Posts: 9046, Karma: +1031/-306)
Re: How I Killed Off Cisco And Saved Money And Confusion Along The Way
« Reply #5 on: September 15, 2017, 01:17:05 am »
Check out the FRR package in 2.3.4_1, 2.4. Please, if you can, switch a real workload to it and give feedback.

Glad to have you in the pfSense camp but since when do ASAs not tag/trunk dot1q VLANs?
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Schnyde (Newbie, Posts: 16, Karma: +1/-0)
Re: How I Killed Off Cisco And Saved Money And Confusion Along The Way
« Reply #6 on: September 15, 2017, 08:40:19 am »
I was surprised to find that out also, almost the hard way.  There are no options in ASDM or the CLI to even make VLANs, let alone trunk them; I guess Cisco wants you to buy their routers to do that...  I had mostly 5525Xs and 5512Xs.

Cheers!

bingo600 (Full Member, Posts: 113, Karma: +12/-0)
Re: How I Killed Off Cisco And Saved Money And Confusion Along The Way
« Reply #7 on: September 15, 2017, 02:54:29 pm »
Quote
I was surprised to find that out also, almost the hard way.  There are no options in ASDM or the CLI to even make VLANs, let alone trunk them; I guess Cisco wants you to buy their routers to do that...  I had mostly 5525Xs and 5512Xs.

Cheers!

Ahemm .. Cough..Cough  ;)
https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/interface-vlan.pdf
Or
https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/interface-basic.html


Even my old 5505 can do VLANs, but fancy stuff might require a PLUS licence.

/Bingo
pfSense 2.4.1

QOTOM-Q355G4 Quad Lan.
CPU  : Core i5 5250U
Ram : 8GB Kingston DDR3LV 1600
LAN  : 4 x Intel 211
Disk  : 240G Toshiba Sata SSD

Schnyde (Newbie, Posts: 16, Karma: +1/-0)
Re: How I Killed Off Cisco And Saved Money And Confusion Along The Way
« Reply #8 on: September 16, 2017, 05:51:44 am »
As usual, the Internet is always right!  Good find, not a fan of sub-interfacing though...

Cheers!

JKnott (Hero Member, Posts: 888, Karma: +29/-4)
Re: How I Killed Off Cisco And Saved Money And Confusion Along The Way
« Reply #9 on: September 16, 2017, 06:06:23 am »
Quote
As usual, the Internet is always right!  Good find, not a fan of sub-interfacing though...

Cheers!

Why's that?  It's nice to be able to keep different services separate, so that you can apply CoS etc, without worrying about where something is plugged in.

Derelict (Global Moderator, Hero Member, Posts: 9046, Karma: +1031/-306)
Re: How I Killed Off Cisco And Saved Money And Confusion Along The Way
« Reply #10 on: September 16, 2017, 09:13:47 am »
pfSense generally does the same thing under the hood:

igb0
igb0_vlan100
igb0_vlan200
etc.
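To make the "same thing under the hood" concrete: a trunk carries each VLAN as an 802.1Q tag inserted between the source MAC and the EtherType, and pfSense hands the de-tagged frame to a child interface named after the parent and the tag (igb0_vlan100). The following is an added example, not code from pfSense or from anyone in this thread. It decodes a constructed Ethernet frame, pulls out the tag's VLAN ID and priority bits, and maps the result to that naming scheme; the MAC addresses, VLAN IDs and the parent name "igb0" are assumptions made for the demonstration.

```python
"""
Decode an Ethernet frame, extract the 802.1Q tag if present, and map it to the
pfSense-style VLAN child interface name (parent_vlanID) mentioned in the thread.

Added example, not code from pfSense or from anyone in the thread. The frames,
MAC addresses, VLAN IDs and the parent interface name "igb0" are constructed
for the demonstration.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100        # EtherType value that announces a C-VLAN tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]   # None: untagged or priority-tagged (VID 0)
    pcp: int                 # 802.1p priority bits from the TCI
    ethertype: int           # EtherType of the encapsulated payload
    payload: bytes


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def parse_frame(raw: bytes) -> Frame:
    """Parse the Ethernet header and a single 802.1Q tag (QinQ is not handled here)."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    offset, vlan_id, pcp = 14, None, 0
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp = tci >> 13
        vid = tci & 0x0FFF
        if vid == 0xFFF:
            raise ValueError("VID 4095 is reserved")
        # VID 0 means priority-tagged: the frame carries a PCP but belongs to no VLAN
        vlan_id = vid if vid != 0 else None
        offset = 18
    return Frame(_mac_str(dst), _mac_str(src), vlan_id, pcp, ethertype, raw[offset:])


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a frame; with vlan_id set, insert an 802.1Q tag after the MAC addresses."""
    header = _mac_bytes(dst) + _mac_bytes(src)
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 0..4094")
        if not 0 <= pcp <= 7:
            raise ValueError("PCP must be 0..7")
        header += struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vlan_id, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


def pfsense_ifname(parent: str, frame: Frame) -> str:
    """pfSense names the VLAN child of igb0 carrying tag 100 'igb0_vlan100'.

    An untagged frame arriving on a trunk port is delivered to the parent
    interface itself, so untagged traffic on a trunk needs a firewall policy
    of its own rather than being assumed harmless.
    """
    return parent if frame.vlan_id is None else f"{parent}_vlan{frame.vlan_id}"


if __name__ == "__main__":
    # Constructed sample frames: one tagged VLAN 100 with priority 5, one untagged ARP.
    sample = b"\x45" + b"\x00" * 19
    for raw in (build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4,
                            sample, vlan_id=100, pcp=5),
                build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_ARP, sample)):
        f = parse_frame(raw)
        print(pfsense_ifname("igb0", f),
              f"vlan={f.vlan_id} pcp={f.pcp} ethertype=0x{f.ethertype:04x}")
```

The one check worth keeping from this is the untagged case: on a trunk, a frame without a tag lands on the parent interface (the native VLAN), so the parent needs rules just like each child does.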

Schnyde (Newbie, Posts: 16, Karma: +1/-0)
Re: How I Killed Off Cisco And Saved Money And Confusion Along The Way
« Reply #11 on: September 17, 2017, 05:09:43 am »
Just not a big fan, albeit I understand that this is how non-switches do it.  No technical reasons, just seems to add complexity to Cisco config.

The one thing that Cisco does that pfSense does not is NATing, or more specifically, outbound NATing to a network without an upstream gateway.  We use that feature often at a few locations, and until pfSense (or BSD even) can do this, we cannot use it to replace the Cisco ASAs at these sites.  This is very unfortunate, and leaves me stuck with Cisco until this is sorted out.

Cheers!


JKnott (Hero Member, Posts: 888, Karma: +29/-4)
Re: How I Killed Off Cisco And Saved Money And Confusion Along The Way
« Reply #12 on: September 17, 2017, 06:29:57 am »
Quote
Just not a big fan, albeit I understand that this is how non-switches do it.  No technical reasons, just seems to add complexity to Cisco config.

Actually, there are a few technical reasons, such as fewer devices in a broadcast domain, isolation of traffic for increased security, and CoS that can be applied to some traffic.  A few years ago, I set up a network in a seniors' residence.  There was the office traffic on the native LAN and VLANs for VoIP, the residents' Internet access and one for network management.  The WiFi access points also used VLANs and multiple SSIDs for staff & resident access.

PiBa (Hero Member, Posts: 728, Karma: +123/-1, PiBa-NL on IRC)
Re: How I Killed Off Cisco And Saved Money And Confusion Along The Way
« Reply #13 on: September 17, 2017, 08:34:48 am »
Quote
that pfSense does not is NATing, or more specifically, outbound NATing to a network without an upstream gateway.

I use outbound NAT on my management network to reach a few devices that don't have pfSense set as their gateway themselves.  In pfSense there is no gateway configured on this management interface and outbound NAT works fine.  Am I missing something in your configuration?
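The mechanism the two posts above are arguing about does not depend on a gateway on the destination side: a source-NAT rule on the egress interface rewrites the client's address to the firewall's own address on that segment, so the device replies to something on-link, and the state table maps the reply back to the client. The following is an added example, not pf or pfSense code, that models that behaviour for a constructed management segment; addresses, interface names and packets are assumptions made for the demonstration. In pfSense the equivalent rule is what Firewall > NAT > Outbound produces in Hybrid or Manual mode for the chosen interface.

```python
"""
Outbound (source) NAT towards a segment with no gateway, the case discussed in
the thread: hosts on the management segment do not route through pfSense, so
the firewall rewrites the source address of outbound packets to its own
address on that segment. The hosts answer to an on-link address and the state
table restores the original client address on the way back.

Added example, not pf or pfSense code: a minimal model of a source-NAT rule
and its state table. Addresses, interface names and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str     # egress interface the rule applies on (constructed: "igb2")
    source_net: str    # traffic from this network ...
    dest_net: str      # ... towards this network gets translated
    nat_addr: str      # address to rewrite to: the firewall's own address on igb2


class SourceNat:
    def __init__(self, rule: OutboundNatRule) -> None:
        self.rule = rule
        self._next_port = 1024
        # (proto, nat_addr, nat_port, dst, dport) -> (original src, original sport)
        self._states: Dict[Tuple[str, str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet, egress_if: str) -> Packet:
        """Translate a packet leaving egress_if if the rule matches; else pass it unchanged."""
        r = self.rule
        if (egress_if != r.interface
                or ip_address(pkt.src) not in ip_network(r.source_net)
                or ip_address(pkt.dst) not in ip_network(r.dest_net)):
            return pkt
        nat_port = self._next_port
        self._next_port += 1
        self._states[(pkt.proto, r.nat_addr, nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(r.nat_addr, pkt.dst, pkt.proto, nat_port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a reply; a packet with no matching state is dropped (None)."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self._states.get(key)
        if state is None:
            return None
        orig_src, orig_sport = state
        return Packet(pkt.src, orig_src, pkt.proto, pkt.sport, orig_sport)


def host_can_reply(host_if: str, dst: str) -> bool:
    """A host with only an on-link route can reply only to addresses in its own prefix."""
    return ip_address(dst) in ip_interface(host_if).network


if __name__ == "__main__":
    # Constructed topology: LAN 192.168.1.0/24, management segment 10.10.0.0/24 on igb2,
    # firewall address on igb2 is 10.10.0.1, managed device 10.10.0.5 has no gateway.
    nat = SourceNat(OutboundNatRule("igb2", "192.168.1.0/24", "10.10.0.0/24", "10.10.0.1"))
    client = Packet("192.168.1.10", "10.10.0.5", "tcp", 40000, 22)
    out = nat.outbound(client, "igb2")
    print("on the wire:", out)
    print("device can answer without NAT:", host_can_reply("10.10.0.5/24", client.src))
    print("device can answer with NAT:   ", host_can_reply("10.10.0.5/24", out.src))
    reply = Packet(out.dst, out.src, "tcp", 22, out.sport)
    print("delivered to client:", nat.inbound(reply))
```

The model also shows the cost of the approach: once the source is rewritten, the device's own logs only ever see the firewall's address, so any per-client audit trail on the management side has to come from the firewall's state table instead.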

Derelict (Global Moderator, Hero Member, Posts: 9046, Karma: +1031/-306)
Re: How I Killed Off Cisco And Saved Money And Confusion Along The Way
« Reply #14 on: September 17, 2017, 11:59:37 am »
Quote
Just not a big fan, albeit I understand that this is how non-switches do it.  No technical reasons, just seems to add complexity to Cisco config.
A more complicated network often adds complexity to a firewall/router configuration.