Cisco 800 Series firewalls to be replaced

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
Mikerowaved
Community Moderators
Posts: 4734
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Cisco 800 Series firewalls to be replaced

#1

Post by Mikerowaved »

I just got an email forwarded from my FM Group that states all the Cisco 881/891 firewalls will be replaced with new models. Here's the part that applies to us:
The Church is initiating a project to replace the internet firewalls that are managed by Technology Manager in all areas beginning in 2017. We will need you, the local FM, or a qualified technician to replace the existing Cisco 881/891 firewalls at facilities with internet services.
This will be our 3rd generation of firewall. I'm not sure of the need to replace them all again, but obviously the church does. Also, they specifically mention "TM-managed firewalls". I wonder if this will impact the TM tools we've grown to love.
So we can better help you, please edit your Profile to include your general location.
russellhltn
Community Administrator
Posts: 34421
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Cisco 800 Series firewalls to be replaced

#2

Post by russellhltn »

"We will need you, the local FM, or a qualified technician ...."

Sounds like they're not planning on going through the STS for this.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

eblood66
Senior Member
Posts: 3907
Joined: Mon Sep 24, 2007 9:17 am
Location: Cumming, GA, USA

Re: Cisco 800 Series firewalls to be replaced

#3

Post by eblood66 »

Mikerowaved wrote: I'm not sure of the need to replace them all again, but obviously the church does.
One of the church employees indicated that they are going out of warranty and that they had to be replaced.
Mikerowaved
Community Moderators
Posts: 4734
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: Cisco 800 Series firewalls to be replaced

#4

Post by Mikerowaved »

eblood66 wrote: One of the church employees indicated that they are going out of warranty and that they had to be replaced.
That part boggles me. If a firewall is out of warranty and in need of repair, then simply replace it then. There has to be some other reason(s) that we're not privy to (yet).
russellhltn
Community Administrator
Posts: 34421
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Cisco 800 Series firewalls to be replaced

#5

Post by russellhltn »

Mikerowaved wrote: That part boggles me. If a firewall is out of warranty and in need of repair, then simply replace it then. There has to be some other reason(s) that we're not privy to (yet).
I don't think it's warranty, but end-of-life. Same reason we're not running WinXP anymore. Since these connect to the "big bad internet" you don't want to be running one when the software updates end.

I tried Googling around, and found a page where "select" 881 models stopped receiving software updates back in 2015. I couldn't find a date for end of security updates.
russellhltn
Community Administrator
Posts: 34421
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Cisco 800 Series firewalls to be replaced

#6

Post by russellhltn »

If the Help Center is any indication, we'll be switching to a C881 or C891F model.

The switch out seems to involve updating the firmware via USB, so perhaps CHQ isn't so keen on STSs doing the work. I get the sense that some STSs are called as an area of responsibility (much like a High Council calling) rather than based on technical prowess.
harddrive
Senior Member
Posts: 501
Joined: Thu Jan 03, 2008 7:52 pm

Re: Cisco 800 Series firewalls to be replaced

#7

Post by harddrive »

I would expect that this is the reason that they are being replaced. http://www.cisco.com/c/en/us/products/c ... 30681.html

I also think that the church can get a bulk discount price for purchasing so many at one time instead of purchasing them piecemeal. It is also called a life cycle upgrade and all companies have to do it at some point. They can't let equipment just die. I know that the church isn't like that, but support for the systems can be important.

Just my thoughts.
Mikerowaved
Community Moderators
Posts: 4734
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: Cisco 800 Series firewalls to be replaced

#8

Post by Mikerowaved »

Makes more sense to me. Thanks for everyone's input. I recall now seeing reports in the forum starting about 2 1/2 years ago that CHQ had started using the C881's.

I saw in the Cisco forum HERE a person describing the CPU in the C881 as "much more powerful" and went on to say that in his application, the first generation [881] was running at around 80% to 90% CPU utilization. The second generation [C881] doing the same task was under 10%. Of course, YMMV, but it seems like the new firewalls will be more than just a minor step forward. They also have twice the flash area (256MB vs 128MB on the 881).

This guy has a pretty good side-by-side comparison of the old and new 800 models (neither with WiFi), with pics inside and out.
Hagothsen
Member
Posts: 100
Joined: Thu Aug 12, 2010 12:30 pm
Location: Henderson, NV USA

Re: Cisco 800 Series firewalls to be replaced

#9

Post by Hagothsen »

Mikerowaved wrote:the CPU in the C881 as "much more powerful" and went on to say that in his application, the first generation [881] was running at around 80% to 90% CPU utilization. The second generation [C881] doing the same task was under 10%. Of course, YMMV, but it seems like the new firewalls will be more than just a minor step forward. They also have twice the flash area (256MB vs 128MB on the 881).
I get the feeling this is a dumb question but... Can we expect better WiFi performance for end users with the C881? For example, each week my stake brings in youth from different wards to teach and experience family history work (Familysearch.com, Ancestry.com, etc.). However,
  • Despite having seen a 20-fold increase in internet speed (5Mb/768Kb to 100Mb/20Mb)
  • Despite having the wireless access point across the hall
  • Despite confirming nearly all 100Mb through the firewall
All participants move along at a crawl.
tlhackett
Church Employee
Posts: 69
Joined: Mon Dec 23, 2013 1:54 pm

Re: Cisco 800 Series firewalls to be replaced

#10

Post by tlhackett »

Mikerowaved wrote: Also, they specifically mention "TM-managed firewalls". I wonder if this will impact the TM tools we've grown to love.
TM will still be managing all meetinghouse firewalls. We will be moving to Meraki firewalls, APs, and switches (although optional). We will be replacing all 881 (881W, C881W, C881, etc.) and 891 models in all meetinghouses throughout the world. This will standardize all meetinghouse firewalls increasing security and improving support. We've been testing on a few PILOT locations with a full Meraki stack (Meraki firewall, Meraki APs, and Meraki switches) and have been given really good feedback on reliability of the network vs. the older Cisco equipment. In certain circumstances, noticeably improved speeds.

The project, however, only includes a Meraki firewall (to replace the existing Cisco firewall) and possibly one Meraki AP if certain criteria are met (ex: firewall was a main source of Wifi, meaning the only or one of few wireless APs in a building). Existing Cisco APs will still be supported alongside the new Meraki APs, to the best of our ability. We call it a "hybrid" environment. One of the goals is to eventually only have Meraki APs (being replaced as necessary). This will mean that the Church will only have Meraki APs available for purchase/replacement in the near future.

A new update to TM will be released soon (look for the official announcement coming soon) to allow the ability to activate new Meraki devices (new network) and to replace existing Cisco firewalls. As stated above, soon only Meraki APs will be available for purchase/replacement. Because of this TM will allow you to add Meraki APs to a Cisco firewall to create a "hybrid" environment. When the firewall is replaced, all APs (Meraki and Cisco) will automatically migrate to the new Meraki firewall. You may also notice a small reduction of features when managing a Meraki firewall due to current limitations. One of the biggest is the lack of usage statistics for the new Meraki firewalls. This is temporary. We hope to provide meaningful usage statistics in the future.