«

I am looking for a VPN solution with 1500 site-to-site connections.

The 3030 seems the obvious choice, but the PIX 515e with an accelerator card
seems to fit the bill at less than half the price.

Any thoughts?

In article <RViTf.70467$%> ,
Michael Williams <> wrote:
>I am looking for a VPN solution with 1500 site-to-site connections.

>The 3030 seems the obvious choice, but the PIX 515e with an accelerator card
>seems to fit the bill at less than half the price.

How did you plan to manage the authentication?

Would user attributes be important? e.g., per-user
or per-group ACLs ? Downloadable ACLs?

Will the users be using you to proxy to the internet, or will
you be doing split-tunneling for them, or will you be refusing them
access to anything other than your internal resources while they are
connected to you?

To what extent is "clientless" VPN (SSL) important to you?

Clientless VPN's not a requirement, nor is routing between sites. Only
communicaiton between the main site servers and the remotes sites is a
requirement. No external internet is required.

Authentication will be done through pre-shared keys, probably with a pix501
as endpoints. The separate management of these endpoints is not a
requirement.


"Walter Roberson" <> wrote in message
news:QAkTf.159302$sa3.73116@pd7tw1no...
> In article <RViTf.70467$%> ,
> Michael Williams <> wrote:
>>I am looking for a VPN solution with 1500 site-to-site connections.
>
>>The 3030 seems the obvious choice, but the PIX 515e with an accelerator
>>card
>>seems to fit the bill at less than half the price.
>
> How did you plan to manage the authentication?
>
> Would user attributes be important? e.g., per-user
> or per-group ACLs ? Downloadable ACLs?
>
> Will the users be using you to proxy to the internet, or will
> you be doing split-tunneling for them, or will you be refusing them
> access to anything other than your internal resources while they are
> connected to you?
>
> To what extent is "clientless" VPN (SSL) important to you?

In article <8zlTf.40026$>,
Michael Williams <> top-posted [now re-arranged]:

>"Walter Roberson" <> wrote in message
>news:QAkTf.159302$sa3.73116@pd7tw1no...
>> In article <RViTf.70467$%> ,
>> Michael Williams <> wrote:
>>>I am looking for a VPN solution with 1500 site-to-site connections.

>>>The 3030 seems the obvious choice, but the PIX 515e with an accelerator
>>>card
>>>seems to fit the bill at less than half the price.

>Clientless VPN's not a requirement, nor is routing between sites. Only
>communicaiton between the main site servers and the remotes sites is a
>requirement. No external internet is required.

>Authentication will be done through pre-shared keys, probably with a pix501
>as endpoints.

The documented limit for the PIX 515/515E is 2000 VPN peers.
In practice this limit would probably depend greatly on throughput
and memory use; and complexity of the ACLs (unless you use turbo ACLs,
which use a fair bit of memory.)

The documented limit for a maxed-out 3030 Concentrator is 1500 VPN peers
http://www.cisco.com/en/US/netsol/ns...0801f0a72.html
Thus if you are approaching 1500 then you may wish to go into the 3060.

Have you considered the Cisco ASA 5540 with VPN Plus? 2000 VPN peers
and better packet inspection (e.g., anti-virus) than the PIX?


Sorry, I do not have any experience with the VPN Concentrator series --
nor any experience with 515E's pushed towards their peer limit.