I work for a managed services provider, and am often tasked to evaluate the equipment in place at new customer sites and make recommendations for replacements as appropriate. We support a number of different makes and models of edge device, including:
- Cisco routers (ISR G1/G2)
- Cisco ASA firewalls
- Juniper (JunOS) routers
- Juniper SSG/Netscreen firewalls
- Adtran routers and multilayer switches
- Sonicwall (Dell) firewalls
While our customers benefit from our extensive platform support, it does place a burden on our field engineers. They must know how to configure a VPN tunnel, for example, not just on Cisco IOS, but also on the ASA, Netscreen, Adtran, and Sonicwall operating systems. While this isn't an unreasonable expectation of a network engineer, it does shrink our potential candidate pool for new hires: It's much easier to find someone with experience specifically with Cisco or Juniper products than someone who has measured exposure to half a dozen platforms.
Another drawback is that the overwhelming choice complicates the process of recommending new or replacement equipment. Suppose you need to order an edge device for a new customer site with 30 users, a T1 circuit to an MPLS VPN, and a broadband Internet circuit with point-to-point VPN overlay. Do you recommend a Cisco 1921, an ASA 5505, a Juniper SSG5, an Adtran NetVanta 3448, or a Sonicwall NSA 240? While these are all generally comparable devices, there are obviously many differences among them, and keeping track of the details is no trivial chore.
Cisco Routers (ISR G2 Series)
I prefer deploying Cisco 1900 and 2900 routers at small- and medium-sized branch offices because they're so versatile and well-established. I can configure BGP, EIGRP or OSPF, point-to-point or policy-based VPN tunnels, firewalling (through IOS Zone-Based Firewall), SLA tracking, and numerous other critical features on a single device with a single point of management and configuration. And Cisco IOS is what most novice network engineers are familiar with given Cisco's prevalence in the market and their extensive certification tracks.
Of course, the major downside to Cisco is cost. Consider a Cisco 1921 router. While the base hardware (the router itself) is arguably cheap, the licensing and accessories quickly pile on. Even economizing on the bundle package with the SEC license and a single T1 WIC can run you $1500 before SMARTnet. But wait, you want IP SLA tracking? You'll need to fork over another couple hundred dollars for the data license as well. Correction: IP SLA tracking is provided by both the SEC and DATA licenses (but not by the base license).
Many of our smaller customers are very focused on price and balk at the up-front expense of Cisco gear, especially when paired with a three-year support contract.
Cisco ASA 5500
The ASA 5500 series (and before it, PIX) has been around a long time and garnered a decent fan base. However, with the introduction of ZBF on IOS, the division between router and firewall becomes more blurred. ASAs are great for high availability pairing and remote access through inexpensive SSL VPN connectivity, but are otherwise weak in feature parity compared to an integrated services router, which can accommodate various media types and run BGP. ASA also supports IDS/IPS functionality, but I haven't had the opportunity to play with it.
Juniper (JunOS) Routers
JunOS is great. It's extremely structured, robust, and elegant. Unfortunately, it's also a pain in the ass to learn for someone with a background in Cisco IOS. Configuration is comparatively tedious (until you get the hang of it) and the configuration file can be overwhelming. Juniper does have a great free self-paced training course called JunOS as a Second Language, but like any worthwhile training it takes time and effort that overworked and/or lazy engineers simply don't have. This results in a chicken-and-egg problem for me: I can't deploy Juniper routers until I have engineers who can support the devices, but I can't get people trained without the hardware to work on. Factor in the price, which is comparable to (if not more than) an equivalent Cisco device, and there just hasn't been much incentive to expand on the platform.
Juniper SSG/Netscreen Firewalls
These are a favorite among our engineers. They don't do a whole lot, but they're good at what they do. Having a mature web UI and CLI allows newbies to go at their own pace while more experienced engineers can script out what they want. The price point of the SSG5 is attractive to customers as well. The major downside of the SSG series is that its operating system and command syntax aren't portable: Engineers can't leverage a knowledge of ScreenOS commands when configuring another non-ScreenOS platform (in contrast to Cisco IOS and Adtran, for example).
Adtran Routers and Multilayer Switches
Adtran seems to do everything, and that's part of my problem with them. While device integration is generally a good thing, having a T1 in my multilayer switch just feels unnatural. I've also run into issues with Adtran multilayer switches apparently resulting from limited field testing. For example, when all of the physical interfaces assigned to a given VLAN are down, one would expect the routed SVI for that VLAN to also go down. Such is not the case, at least with the model of Adtran switch I was testing. This resulted in an inability to implement reliable failover routing at a customer site. Adtrans have a decent price point and are very IOS-like, but stepping off the beaten path on the platform can get you into trouble.
Sonicwall (Dell) Firewalls
I'm not a big fan of Sonicwalls. My number one complaint? No command line. How am I supposed to take your devices seriously without a robust command line? The web interface is decent enough, and their built-in WAN failover feature is certainly nice, but the lack of a CLI or human-friendly configuration file means I can't parse and templatize configs. Which means I'm not interested.
One of my goals for the coming year is to start limiting the number of platforms we support moving forward. This will help us focus our training and standardization efforts, and help simplify the ordering process for account managers. I intend to lean heavily on the Cisco portfolio due to its breadth, our engineers' collective experience (and yes, personal bias). I'll also have to include one or two alternatives with lower up-front costs, simply because customers will demand it. Which devices would you choose? Have I given a particular vendor an unfair rap? Anyone I left out? Let me know.