
Cisco 800 Series firewalls to be replaced

Posted: Thu Mar 30, 2017 12:16 pm
by Mikerowaved
I just got an email forwarded from my FM Group that states all the Cisco 881/891 firewalls will be replaced with new models. Here's the part that applies to us:

The Church is initiating a project to replace the internet firewalls that are managed by Technology Manager in all areas beginning in 2017. We will need you, the local FM, or a qualified technician to replace the existing Cisco 881/891 firewalls at facilities with internet services.

This will be our 3rd generation of firewall. I'm not sure of the need to replace them all again, but obviously the church does. Also, they specifically mention "TM-managed firewalls". I wonder if this will impact the TM tools we've grown to love.

Re: Cisco 800 Series firewalls to be replaced

Posted: Thu Mar 30, 2017 12:36 pm
by russellhltn
"We will need you, the local FM, or a qualified technician ...."

Sounds like they're not planning on going through the STS for this.

Re: Cisco 800 Series firewalls to be replaced

Posted: Thu Mar 30, 2017 1:08 pm
by eblood66
Mikerowaved wrote: I'm not sure of the need to replace them all again, but obviously the church does.

One of the church employees indicated that they are going out of warranty and that they had to be replaced.

Re: Cisco 800 Series firewalls to be replaced

Posted: Thu Mar 30, 2017 1:14 pm
by Mikerowaved
eblood66 wrote: One of the church employees indicated that they are going out of warranty and that they had to be replaced.

That part boggles me. If a firewall is out of warranty and in need of repair, then simply replace it then. There has to be some other reason(s) that we're not privy to (yet).

Re: Cisco 800 Series firewalls to be replaced

Posted: Thu Mar 30, 2017 1:23 pm
by russellhltn
Mikerowaved wrote: That part boggles me. If a firewall is out of warranty and in need of repair, then simply replace it then. There has to be some other reason(s) that we're not privy to (yet).


I don't think it's warranty, but end-of-life. Same reason we're not running WinXP anymore. Since these connect to the "big bad internet" you don't want to be running one when the software updates end.

I tried Googling around, and found a page where "select" 881 models stopped receiving software updates back in 2015. I couldn't find a date for end of security updates.

Re: Cisco 800 Series firewalls to be replaced

Posted: Thu Mar 30, 2017 1:29 pm
by russellhltn
If the Help Center is any indication, we'll be switching to a C881 or C891F model.

The switch out seems to involve updating the firmware via USB, so perhaps CHQ isn't so keen on STSs doing the work. I get the sense that some STSs are called as an area of responsibility (much like a High Council calling) rather than based on technical prowess.

Re: Cisco 800 Series firewalls to be replaced

Posted: Thu Mar 30, 2017 5:44 pm
by harddrive
I would expect that this is the reason that they are being replaced. http://www.cisco.com/c/en/us/products/c ... 30681.html

I also think that the church can get a bulk discount price for purchasing so many at one time instead of purchasing them piecemeal. It is also called a life cycle upgrade and all companies have to do it at some point. They can't let equipment just die. I know that the church isn't like that, but support for the systems can be important.

Just my thoughts.

Re: Cisco 800 Series firewalls to be replaced

Posted: Fri Mar 31, 2017 12:50 am
by Mikerowaved
Makes more sense to me. Thanks for everyone's input. I recall now seeing reports in the forum starting about 2 1/2 years ago that CHQ had started using the C881's.

I saw in the Cisco forum HERE a person describing the CPU in the C881 as "much more powerful" and went on to say that in his application, the first generation [881] was running at around 80% to 90% CPU utilization. The second generation [C881] doing the same task was under 10%. Of course, YMMV, but it seems like the new firewalls will be more than just a minor step forward. They also have twice the flash area (256MB vs 128MB on the 881).

This guy has a pretty good side-by-side comparison of the old and new 800 models (neither with WiFi), with pics inside and out.

Re: Cisco 800 Series firewalls to be replaced

Posted: Tue Apr 04, 2017 9:19 am
by Hagothsen
Mikerowaved wrote: the CPU in the C881 as "much more powerful" and went on to say that in his application, the first generation [881] was running at around 80% to 90% CPU utilization. The second generation [C881] doing the same task was under 10%. Of course, YMMV, but it seems like the new firewalls will be more than just a minor step forward. They also have twice the flash area (256MB vs 128MB on the 881).


I get the feeling this is a dumb question but... Can we expect better WiFi performance for end users with the C881? For example, each week my stake brings in youth from different wards to teach and experience family history work (Familysearch.com, Ancestry.com, etc.). However,

    Despite having seen a 20-fold increase in internet speed (5Mb/768Kb to 100Mb/20Mb)
    Despite having the wireless access point across the hall
    Despite confirming nearly all 100Mb through the firewall

All participants move along at a crawl.

Re: Cisco 800 Series firewalls to be replaced

Posted: Tue Apr 04, 2017 9:58 am
by yarrgh
Mikerowaved wrote: Also, they specifically mention "TM-managed firewalls". I wonder if this will impact the TM tools we've grown to love.


TM will still be managing all meetinghouse firewalls. We will be moving to Meraki firewalls, APs, and switches (although optional). We will be replacing all 881 (881W, C881W, C881, etc.) and 891 models in all meetinghouses throughout the world. This will standardize all meetinghouse firewalls increasing security and improving support. We've been testing on a few PILOT locations with a full Meraki stack (Meraki firewall, Meraki APs, and Meraki switches) and have been given really good feedback on reliability of the network vs. the older Cisco equipment. In certain circumstances, noticeably improved speeds.

The project, however, only includes a Meraki firewall (to replace the existing Cisco firewall) and possibly one Meraki AP if certain criteria are met (ex: firewall was a main source of Wifi, meaning the only or one of few wireless APs in a building). Existing Cisco APs will still be supported alongside the new Meraki APs, to the best of our ability. We call it a "hybrid" environment. One of the goals is to eventually only have Meraki APs (being replaced as necessary). This will mean that the Church will only have Meraki APs available for purchase/replacement in the near future.

A new update to TM will be released soon (look for the official announcement coming soon) to allow the ability to activate new Meraki devices (new network) and to replace existing Cisco firewalls. As stated above, soon only Meraki APs will be available for purchase/replacement. Because of this TM will allow you to add Meraki APs to a Cisco firewall to create a "hybrid" environment. When the firewall is replaced, all APs (Meraki and Cisco) will automatically migrate to the new Meraki firewall. You may also notice a small reduction of features when managing a Meraki firewall due to current limitations. One of the biggest is the lack of usage statistics for the new Meraki firewalls. This is temporary. We hope to provide meaningful usage statistics in the future.