Cisco Systems Inc.'s Integrated Services Routers provide outstanding throughput and encryption performance, making the devices an attractive option for small and midsize businesses or branch offices that want to simplify their network without sacrificing security or application support.

eWEEK Labs' tests show Cisco's Integrated Services Routers offer security and voice services on one platform without degrading performance in real-life deployments. Integrated hardware cryptographic accelerators provide improved encryption performance using Triple DES (Data Encryption Standard) or AES (Advanced Encryption Standard). New module interface slots provide throughput capabilities to support advanced services while remaining backward-compatible with most legacy interface cards.

However, companies that are comfortable with their current security infrastructure or that have no near-term interest in VOIP (voice over IP) may balk at the built-in premium that comes with such an expandable platform. These companies, instead, should look to similarly feature-rich integrated solutions from Juniper Networks Inc. or Enterasys Inc. that offer improved firewalling in the base offering. Other alternatives include more-affordable basic solutions from 3Com Corp. or Adtran Inc. or even Cisco's previous-generation platform.

We tested the 1U (1.75-inch) Cisco 2801 and 2U (3.5-inch) Cisco 2851, each of which is designed to support multiple T-1 (1.544M-bps) WAN connections. Both models are available now.

We focused on the performance impact of enabling multiple services in each device, examining the effects on throughput performance. As we layered on additional security services, we scrutinized the impact of IPSec (IP Security) encryption and Cisco's IPS (intrusion prevention system).

For the base price of $1,995, the Cisco 2801 includes two Fast Ethernet ports, 128MB of DRAM (dynamic RAM), 64MB of CF (CompactFlash) and an embedded hardware cryptography accelerator. The Cisco 2801 also includes four HWICs (high-performance WAN interface cards) and two AIMs (Advanced Integration Modules).

The Cisco 2851 device includes two Gigabit Ethernet ports, 64MB of CF and 256MB of DRAM for the base price of $6,495. The Cisco 2851 offers four HWICs, two AIMs, one Enhanced Network Module and one Extension Voice Module slot to increase voice services or density, plus the cryptography accelerator.

To each device, we added the Cisco IOS (Internet Operating System) Security feature set, which includes the advanced Cisco IOS Firewall and IPS features, for $1,000 more each ($900 when purchased with the router). We also added a double-wide, nine-port Fast Ethernet switch HWIC ($800) to each router tested.

The base version of Cisco's IOS that comes with these routers includes basic ACL (access control list) capabilities, but we would like to see Cisco offer the more-robust, stateful-inspection Cisco IOS Firewall as part of the base package.

However, we appreciated the modularity of the intrusion prevention engine. The IPS upgrade process is decoupled from IOS, so administrators can upgrade to the latest signatures without upgrading the core operating system.

To measure the routers' throughput, we used NetIQ Corp.'s Chariot with the benchmark endpoints installed on two IBM Gigabit Ethernet-enabled eServer 325s, each configured with Advanced Micro Devices Inc. dual-Opteron processors and 2GB of RAM.

We performed two sets of tests for each set of services. The first tests were designed to maximize throughput, using eight concurrent traffic streams that each used 1,518-byte packets. The second set of tests measured a more realistic traffic load, with the eight streams carrying a mix of 64-byte, 570-byte and 1,518-byte packets.

Testing raw throughput through each device with no advanced services enabled, we found the Cisco 2801 could support 184MB of full-duplex traffic, while the Cisco 2851 topped out at slightly more than a gigabit of full-duplex traffic.

We then configured the routers back to back, linked via their Ethernet interfaces, and used RIP (Routing Information Protocol) to route traffic between the endpoint networks. The large-packet tests showed a maximum of 135M-bps full-duplex throughput, while the mix of traffic sizes topped out at 124M bps.

We configured an IPSec tunnel between the devices using Triple DES for strong encryption and a preshared key. We used Network Instruments LLC's Observer 10 to capture and examine data to verify that traffic was encrypted. The large-packet tests showed a maximum throughput of 74M bps, and the traffic mix yielded 29M bps.

The IPS service had the biggest performance hit among the services we tested. Throughput performance dropped significantly when we set up the IPS service to scan for all known signatures except two: signature 1101 (Unknown IP Protocol) and 3040 (Null TCP Packet). The large-packet tests resulted in 64M bps unencrypted and 24M bps encrypted, while the traffic mix yielded 34M bps and 12M bps, respectively.

Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.

Check out eWEEK.com's for the latest news, views and analysis on servers, switches and networking protocols for the enterprise and small businesses.