Velocity Reviews


Richard Graves 05-08-2005 11:54 PM

Another IPSec VPN related question
 
Hi All,

We are getting ready to add over 200+ sites to our network. We currently
have approx 125 sites, all connected via point-to-point T1s (which aggregate
into DS3s at the regional cores). The new sites will have sDSL as the local
loop, with the goal being to create IPSec tunnels into our network. I am
looking for opinions on which would be better to use to terminate the
tunnels at the core, a VPN concentrator or a large router with a crypto
accelerator card. All of our current traffic is encrypted over the T1s and
DS3s, which terminate into 7200 series routers, so I am intimately familiar
with the workings of IOS crypto. However, these routers are not exposed to
the internet, which this device would be. Any thoughts, ideas, or
smart-aleck comments are appreciated!!!

-Richard



Richard Graves 05-10-2005 12:50 AM

Re: Another IPSec VPN related question
 
"Richard Graves" <rgraves_22*NONONONO*@yahoo*NONONO*.com> wrote in message
news:ZExfe.65$6f5.60@newssvr31.news.prodigy.com...
> Hi All,
>
> We are getting ready to add over 200+ sites to our network. We currently
> have approx 125 sites, all connected via point-to-point T1s (which
> aggregate into DS3s at the regional cores). The new sites will have sDSL
> as the local loop, with the goal being to create IPSec tunnels into our
> network. I am looking for opinions on which would be better to use to
> terminate the tunnels at the core, a VPN concentrator or a large router
> with a crypto accelerator card. All of our current traffic is encrypted
> over the T1s and DS3s, which terminate into 7200 series routers, so I am
> intimately familiar with the workings of IOS crypto. However, these
> routers are not exposed to the internet, which this device would be. Any
> thoughts, ideas, or smart-aleck comments are appreciated!!!
>
> -Richard
>


Wow.. Nobody has any thoughts on this??? Or have I somehow offended an
entire Usenet group to the point of being snubbed?? Not that something of
that scope is beyond me, but it usually requires a little effort on my
part!! :-)

Any thoughts at all?? Anyone? Bueller? Bueller? ;-)

-Richard



Richard Deal 05-10-2005 03:36 PM

Re: Another IPSec VPN related question
 
Routers are much better at dealing with L2L connections. I'm assuming that
some of the end-points will have dynamic addresses; therefore, the
concentrator won't be able to handle this. Use DMVPN on the routers with a
hub-and-spoke design. Minimal configuration on the hub and you can still
bring up dynamic connections to the spokes. You need a certain rev of IOS to
have spoke-to-spoke connections...12.3(x)T, so not all routers will support
this function, but you'll still be able to move traffic between spokes via
the hubs in older IOS versions.

Also, if you need QoS, then a router is the best solution.

For a large number of remote access users, then I would get a dedicated
concentrator to only handle this function.

Good luck!
Richard

"Richard Graves" <rgraves_22*NONONONO*@yahoo*NONONO*.com> wrote in message
news:LzTfe.554$j17.92@newssvr33.news.prodigy.com...
> "Richard Graves" <rgraves_22*NONONONO*@yahoo*NONONO*.com> wrote in message
> news:ZExfe.65$6f5.60@newssvr31.news.prodigy.com...
> > Hi All,
> >
> > We are getting ready to add over 200+ sites to our network. We currently
> > have approx 125 sites, all connected via point-to-point T1s (which
> > aggregate into DS3s at the regional cores). The new sites will have sDSL
> > as the local loop, with the goal being to create IPSec tunnels into our
> > network. I am looking for opinions on which would be better to use to
> > terminate the tunnels at the core, a VPN concentrator or a large router
> > with a crypto accelerator card. All of our current traffic is encrypted
> > over the T1s and DS3s, which terminate into 7200 series routers, so I am
> > intimately familiar with the workings of IOS crypto. However, these
> > routers are not exposed to the internet, which this device would be. Any
> > thoughts, ideas, or smart-aleck comments are appreciated!!!
> >
> > -Richard
> >

>
> Wow.. Nobody has any thoughts on this??? Or have I somehow offended an
> entire Usenet group to the point of being snubbed?? Not that something of
> that scope is beyond me, but it usually requires a little effort on my
> part!! :-)
>
> Any thoughts at all?? Anyone? Bueller? Bueller? ;-)
>
> -Richard
>
>
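
The hub-and-spoke DMVPN layout recommended in the reply above, sketched as an added example that is not part of the original thread or taken from either poster's network. Every address, interface name, profile name and the NHRP string is a placeholder; certificate authentication assumes a PKI trustpoint is already enrolled on both routers.

```cisco
! ===== Hub (internet-facing; static public address 192.0.2.1 is a placeholder) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig        ! certificates, so no wildcard pre-shared key
 group 5
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRPKEY1
 ip nhrp map multicast dynamic  ! spokes register themselves; no per-spoke lines
 ip nhrp network-id 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! Outside interface accepts only IKE, NAT-T and ESP addressed to the hub
ip access-list extended OUTSIDE-IN
 permit udp any host 192.0.2.1 eq isakmp
 permit udp any host 192.0.2.1 eq non500-isakmp
 permit esp any host 192.0.2.1
 deny   ip any any log
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! ===== Spoke (sDSL side; outside address may be dynamic) =====
! Same isakmp policy, transform-set and ipsec profile as the hub, then:
interface Tunnel0
 ip address 10.255.0.11 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NHRPKEY1
 ip nhrp map 10.255.0.1 192.0.2.1   ! hub tunnel address -> hub public address
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.255.0.1             ! register with the hub as next-hop server
 ip nhrp network-id 100
 tunnel source FastEthernet0/0      ! tracks whatever address the DSL link gets
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
```

On the hub, `show ip nhrp` and `show crypto isakmp sa` list the spokes that have registered and negotiated, which is the quickest check that a new site came up without any hub-side change.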




Richard Graves 05-13-2005 01:28 AM

Re: Another IPSec VPN related question
 
"Richard Deal" <rdeal2 @ cfl.rr.com> wrote in message
news:Dx4ge.10318$VH2.5631@tornado.tampabay.rr.com...
> Routers are much better at dealing with L2L connections. I'm assuming that
> some of the end-points will have dynamic addresses; therefore, the
> concentrator won't be able to handle this. Use DMVPN on the routers with a
> hub-and-spoke design. Minimal configuration on the hub and you can still
> bring up dynamic connections to the spokes. You need a certain rev of IOS to
> have spoke-to-spoke connections...12.3(x)T, so not all routers will support
> this function, but you'll still be able to move traffic between spokes via
> the hubs in older IOS versions.
>
> Also, if you need QoS, then a router is the best solution.
>
> For a large number of remote access users, then I would get a dedicated
> concentrator to only handle this function.
>
> Good luck!
> Richard



Richard,

Thanks for the info! Your thoughts parallel mine; this is the way that I am
leaning towards.

Thanks again,

-Richard Graves



