Contents

1. Overview
2. 3CR860 and 3CR870 circuitry
3. Comparative table of device specifications
4. Excursus to settings
5. Performance tests
6. Performance of the LAN-WAN segment, NetIQ Chariot
7. Performance of the LAN-WAN segment, NetPIPE
8. IPSec performance, DES encryption
9. IPSec performance, 3DES encryption
10. IPSec performance, tunnel scaling, 3DES encryption, two tunnels
11. IPSec performance, tunnel scaling, 3DES encryption, three tunnels
12. IPSec performance, AES-128 encryption
13. Traffic shaping tests
14. Limiting the entire band of outgoing traffic
15. Limiting the entire band of incoming traffic
16. Limiting the outgoing traffic by ports (creating queue groups)
17. Limiting the incoming traffic by ports (creating queue groups)
18. 3CR860 and 3CR870 security tests
19. Availability
20. Conclusions

The 3Com company has launched new network security products:

• Screening router
  3Com OfficeConnect Secure Router (3CR860-95);
• Firewall
  3Com OfficeConnect VPN Firewall (3CR870-95)

OfficeConnect Secure Router is positioned by the company as a device providing protected, high-speed Internet access for multiple users in home and small or branch office environments. The router has an embedded VPN server, which allows to establish up to two IPSec VPN tunnels (tunneling modes supported: server-server and server-host). It also supports termination for up to L2TP over IPSec or PPTP tunnels. The firewall contains special algorithms, which allow to detect (by patterns) and block hacker and DoS attacks. This device can filter traffic using specified or preset rules based on IP addresses or content/url. Besides, the device has a logging service for a wide range of events.

OfficeConnect VPN Firewall is an "elder brother" of the previous device. The number of VPN tunnels supported is extended to 50, it has a new traffic shaping function - that is controlling the data transfer speed on the whole and by the specified set of protocols.

  

Both devices have the same case, and at the first glance their only difference is in the label on the right of the front panel. Apart from this label, the panel contains 4 LEDs for LAN-ports indicating with color the connection speed and with blinking - data transfer. Cable/DSL LED is similar to the previous four LEDs, but it indicates the WAN port of the device. There remain obvious LEDs - Power and Alert. The latter blinks when the device starts up and in case of malfunctions (software and hardware). Besides it lights up when an attack is detected (at the same time the intruder is blocked by the built-in firewall).

  

All the ports (four LAN and one WAN) are located on the back panel. The power connector is also located there. On the bottom side of the device you can see brackets to mount the device on vertical surfaces. To put the device on a horizontal surface, it will be sufficient to attach four rubber feet (included into the bundle) to the bottom of the device.

  

You can also pile the devices in a "stack" using the plastic clip shipping with the device. Note that this stack can grow upwards and include arbitrary number of the devices.

The bundle of the both routers contains (apart from the device and its power adapter):

• Install and quick setup guide (in English)
• CD ROM containing the complete documentation, the Gateway Discovery Program for quick search of the device in the network
• Four plastic feet to put the case horizontally
• Ethernet patch cord
• Plastic clip to assemble several devices in a stack

3CR860 and 3CR870 circuitry... or the "find ten differences" puzzle

  

- Do you see a gopher?
- No.
- I don't see it either... But it's out there!

In other words, I didn't manage to find any differences. 3CR860-95 photo is on the left, on the right - 3CR870-95. These devices most likely differ only by their firmware. A label on the bottom of the PCB "OfficeConnect Cable Secure/DSL Gateway" reminded me of the similar device reviewed in this article. The circuitry has not change much since then. At least the microcontroller and the chip of the embedded Broadcom switch remained the same.

There are still no detailed specifications on the main processor of the device - BCM6350 microcontroller and BCM5325 controller operating as a 100Mbit Ethernet switch (properly speaking, we didn't manage to find the specifications at all), so I don't see the point in repeating the information already provided in the article 3Com OfficeConnect Cable/DSL Secure Gateway.

Another big chip on the PCB is Pulse H1184, which (probably) serves as AUTO MDI/MDI-X (cable type detection) and also as a galvanic isolation to protect the embedded switch controller from high voltages. Two HY57V641620HGT-H chips are 64 Mbit (4 Banks x 1M x 16Bit) SDRAM by Hynix. Their nominal operation frequency is 133MHz.

The PCB also contains two Flash-memory chips 8MB each (presumably). Why two? Perhaps the device has a fault-tolerant firmware - one of the chips contains a backup version of firmware, which is activated when the main firmware gets corrupted. We can't really say about it for sure, but the firmware size in both devices does not exceed 6MB.

I faced the "emergency system" personally: when I upgraded the firmware in 3CR870, there occurred some procedural failure - the Alert LED continued blinking long after the file should have been uploaded to the device. I had to reboot the device, following which the device disappeared (that is it couldn't be detected neither over the network nor by the Discovery utility even after 3CR870 had been reset to factory defaults), and the Alert LED went on blinking evoking gloomy thoughts. What should I do? I had to remind myself of the wisdom "If you are getting nowhere fast, RTFM!". It really helped - it appeared that the device was responding to the web interface at the fixed address (within the range 192.168.x.x) but it displayed a screen with the notice that "you have some problems with the firmware, upload it once again". I re-uploaded it (this time successfully), rebooted the device and everything started working all right. By the way, at first I accidentally selected to upload the firmware version for 3CR860 (in safe mode). The file was successfully uploaded, but then the device gave a message that the firmware version was wrong and 3CR870 refused to use it. I wrote about it to inform you that it would hardly be possible to upgrade 3CR860 to 3CR870.

Specifications on 3CR860 and 3CR870

Specs on both devices are similar, so I united them into one table (the differences between the devices are specified in this table).

Navigation:

• Overview, circuitry, and specifications
• Excursus to settings
• Performance tests
• Testing traffic shaping, security; availability and conclusions

Write a comment below. No registration needed!