Another IPSec VPN related question

 
 
Richard Graves
      05-08-2005
Hi All,

We are getting ready to add over 200+ sites to our network. We currently
have approx 125 sites, all connected via point-to-point T1s (which aggregate
into DS3s at the regional cores). The new sites will have sDSL as the local
loop, with the goal being to create IPSec tunnels into our network. I am
looking for opinions on which would be better to use to terminate the
tunnels at the core, a VPN concentrator or a large router with a crypto
accelerator card. All of our current traffic is encrypted over the T1s and
DS3s, which terminate into 7200 series routers, so I am intimately familiar
with the workings of IOS crypto. However, these routers are not exposed to
the internet, which this device would be. Any thoughts, ideas, or
smart-aleck comments are appreciated!!!

-Richard


 
Richard Graves
      05-10-2005
"Richard Graves" <rgraves_22*NONONONO*@yahoo*NONONO*.com> wrote in message:
> Hi All,
>
> We are getting ready to add over 200+ sites to our network. We currently
> have approx 125 sites, all connected via point-to-point T1s (which
> aggregate into DS3s at the regional cores). The new sites will have sDSL
> as the local loop, with the goal being to create IPSec tunnels into our
> network. I am looking for opinions on which would be better to use to
> terminate the tunnels at the core, a VPN concentrator or a large router
> with a crypto accelerator card. All of our current traffic is encrypted
> over the T1s and DS3s, which terminate into 7200 series routers, so I am
> intimately familiar with the workings of IOS crypto. However, these
> routers are not exposed to the internet, which this device would be. Any
> thoughts, ideas, or smart-aleck comments are appreciated!!!
>
> -Richard
>


Wow.. Nobody has any thoughts on this??? Or have I somehow offended an
entire Usenet group to the point of being snubbed?? Not that something of
that scope is beyond me, but it usually requires a little effort on my
part!!

Any thoughts at all?? Anyone? Bueller? Bueller?

-Richard


 
Richard Deal
      05-10-2005
Routers are much better at dealing with L2L connections. I'm assuming that
some of the end-points will have dynamic addresses; therefore, the
concentrator won't be able to handle this. Use DMVPN on the routers with a
hub-and-spoke design. Minimal configuration on the hub and you can still
bring up dynamic connections to the spokes. You need a certain rev of IOS to
have spoke-to-spoke connections...12.3(x)T, so not all routers will support
this function, but you'll still be able to move traffic between spokes via
the hubs in older IOS versions.

Also, if you need QoS, then a router is the best solution.

For a large number of remote access users, then I would get a dedicated
concentrator to only handle this function.

Good luck!
Richard

"Richard Graves" <rgraves_22*NONONONO*@yahoo*NONONO*.com> wrote in message:
> "Richard Graves" <rgraves_22*NONONONO*@yahoo*NONONO*.com> wrote in message:
> > Hi All,
> >
> > We are getting ready to add over 200+ sites to our network. We currently
> > have approx 125 sites, all connected via point-to-point T1s (which
> > aggregate into DS3s at the regional cores). The new sites will have sDSL
> > as the local loop, with the goal being to create IPSec tunnels into our
> > network. I am looking for opinions on which would be better to use to
> > terminate the tunnels at the core, a VPN concentrator or a large router
> > with a crypto accelerator card. All of our current traffic is encrypted
> > over the T1s and DS3s, which terminate into 7200 series routers, so I am
> > intimately familiar with the workings of IOS crypto. However, these
> > routers are not exposed to the internet, which this device would be. Any
> > thoughts, ideas, or smart-aleck comments are appreciated!!!
> >
> > -Richard
> >
>
> Wow.. Nobody has any thoughts on this??? Or have I somehow offended an
> entire Usenet group to the point of being snubbed?? Not that something of
> that scope is beyond me, but it usually requires a little effort on my
> part!!
>
> Any thoughts at all?? Anyone? Bueller? Bueller?
>
> -Richard
>



 
Richard Graves
      05-13-2005
"Richard Deal" <rdeal2 @ cfl.rr.com> wrote in message:
> Routers are much better at dealing with L2L connections. I'm assuming that
> some of the end-points will have dynamic addresses; therefore, the
> concentrator won't be able to handle this. Use DMVPN on the routers with a
> hub-and-spoke design. Minimal configuration on the hub and you can still
> bring up dynamic connections to the spokes. You need a certain rev of IOS
> to have spoke-to-spoke connections...12.3(x)T, so not all routers will
> support this function, but you'll still be able to move traffic between
> spokes via the hubs in older IOS versions.
>
> Also, if you need QoS, then a router is the best solution.
>
> For a large number of remote access users, then I would get a dedicated
> concentrator to only handle this function.
>
> Good luck!
> Richard



Richard,

Thanks for the info! Your thoughts parallel mine; this is the way that I am
leaning towards.

Thanks again,

-Richard Graves


 