[Soekris] Soekris -vs- Cisco ASA, etc.

Harald Kubota hkubota at gmx.net
Sat Apr 23 01:12:31 UTC 2011


On 04/23/2011 12:38 AM, Karl Fife wrote:

> > 2.) Do any of you use a Soekris in an Enterprise environment now?
>  [...]
> Honestly the biggest reason we take this approach is less about
>  cost (which happens to be far cheaper), but mostly because every time
>  we need to turn up another solution, we don't have to waste our own
>  time and attention on licensing, sales & support contracts.

Working in a huge enterprise environment, I can add some comments:

Karl is basically right: Hardware/license costs speak heavily
against "Enterprise solutions".

But there are more considerations: Support. That is support inside your
company configuring all those Soekris boxes with pfSense (or whatever
you choose), as well as support from Cisco (or your firewall vendor of
choice).

Say your Soekris solution gets too small/slow. Or you simply
need some extra ports. In Cisco's case, you pay (a lot of money)
for a larger model with more ports. Configuration is unchanged.
It's consistent (just more ports), and thus fewer chances of problems later.
In the Soekris case, you either have to be creative, possibly
interconnecting 2 Soekris machines via bridging and firewall rule changes
to accommodate this. In Cisco's case you pay dearly for the hardware, but
you save on not needing to change configuration methods.
In the Soekris case you save hardware costs, but have extra overhead
supporting it. That is ok if you have 10 firewalls. What about 500 globally
distributed and managed by 3 teams?

The other thing about "enterprise solutions" is the support: If you have
odd issues with Cisco, they'll come and look at it and possibly
fix it. Again, you pay for it of course. If they cannot fix it, you can
deflect any responsibility and let Cisco find a solution. Since they are big in
the enterprise market, they do have experience though with
huge setups.
In the Soekris case, it's up to you. If you are good, then no problem.
If you leave the company, the company has a problem. That would not
be acceptable from a risk perspective for them. Same applies
to all home-grown solutions.
We have some software running in the place I work and no one
dares to touch it: the team who created and maintained it
is all gone, so this is not a theoretical problem, but a real one.
pfSense is better of course since more people use this, but it'll
be always easier to throw money at Cisco than finding a pfSense
expert.

And if you need a faster solution, Cisco has a solution for that.
Again they will charge you, but they have a solution.
Soekris has the models they have. Might be ok in your case.
Maybe for now. What about in 3 years?
Adding a different brand adds another product to support,
increasing your support costs. Changing brands is expensive.

Does it all make sense? Upper management thinks so.
Do I think it makes sense? No, and if I could, I would
change a lot of our existing enterprise solutions we use as
the quality is surprisingly bad, and most support requests
we have are usually starting with "This is a known problem.
Please upgrade to the latest version or implement this
kludgy workaround". The former you cannot easily do
in an enterprise environment and the latter is, well, kludgy.

In the end it's always a tradeoff.

For 10 offices globally distributed with each 1000 employees,
I would go for a brand-name product with according
24/7 support. Cisco has that.
If I had to connect 1000 offices with 10 people in each,
I would certainly NOT use Cisco as the costs would kill us.
For anything between, you need to find out how much you
like to have peace of mind (or your bottom covered) or
how much money you want to save.

Harald


