Another IPSec VPN related question

Discussion in 'Cisco' started by Richard Graves, May 9, 2005.

  1. Hi All,

    We are getting ready to add over 200+ sites to our network. We currently
    have approx 125 sites, all connected via point-to-point T1s (which aggregate
    into DS3s at the regional cores). The new sites will have sDSL as the local
    loop, with the goal being to create IPSec tunnels into our network. I am
    looking for opinions on which would be better to use to terminate the
    tunnels at the core, a VPN concentrator or a large router with a crypto
    accelerator card. All of our current traffic is encrypted over the T1s and
    DS3s, which terminate into 7200 series routers, so I am intimately familiar
    with the workings of IOS crypto. However, these routers are not exposed to
    the internet, which this device would be. Any thoughts, ideas, or
    smart-aleck comments are appreciated!!!

    -Richard
    Richard Graves, May 9, 2005
    #1

  2. "Richard Graves" <rgraves_22*NONONONO*@yahoo*NONONO*.com> wrote in message
    news:ZExfe.65$...
    > Hi All,
    >
    > We are getting ready to add over 200+ sites to our network. We currently
    > have approx 125 sites, all connected via point-to-point T1s (which
    > aggregate into DS3s at the regional cores). The new sites will have sDSL
    > as the local loop, with the goal being to create IPSec tunnels into our
    > network. I am looking for opinions on which would be better to use to
    > terminate the tunnels at the core, a VPN concentrator or a large router
    > with a crypto accelerator card. All of our current traffic is encrypted
    > over the T1s and DS3s, which terminate into 7200 series routers, so I am
    > intimately familiar with the workings of IOS crypto. However, these
    > routers are not exposed to the internet, which this device would be. Any
    > thoughts, ideas, or smart-aleck comments are appreciated!!!
    >
    > -Richard
    >


    Wow.. Nobody has any thoughts on this??? Or have I somehow offended an
    entire Usenet group to the point of being snubbed?? Not that something of
    that scope is beyond me, but it usually requires a little effort on my
    part!! :)

    Any thoughts at all?? Anyone? Bueller? Bueller? ;-)

    -Richard
    Richard Graves, May 10, 2005
    #2

  3. Richard Deal (Guest)

    Routers are much better at dealing with L2L connections. I'm assuming that
    some of the end-points will have dynamic addresses; therefore, the
    concentrator won't be able to handle this. Use DMVPN on the routers with a
    hub-and-spoke design. Minimal configuration on the hub and you can still
    bring up dynamic connections to the spokes. You need a certain rev of IOS to
    have spoke-to-spoke connections...12.3(x)T, so not all routers will support
    this function, but you'll still be able to move traffic between spokes via
    the hubs in older IOS versions.

    Also, if you need QoS, then a router is the best solution.

    For a large number of remote access users, then I would get a dedicated
    concentrator to only handle this function.

    Good luck!
    Richard

    "Richard Graves" <rgraves_22*NONONONO*@yahoo*NONONO*.com> wrote in message
    news:LzTfe.554$...
    > "Richard Graves" <rgraves_22*NONONONO*@yahoo*NONONO*.com> wrote in message
    > news:ZExfe.65$...
    > > Hi All,
    > >
    > > We are getting ready to add over 200+ sites to our network. We currently
    > > have approx 125 sites, all connected via point-to-point T1s (which
    > > aggregate into DS3s at the regional cores). The new sites will have sDSL
    > > as the local loop, with the goal being to create IPSec tunnels into our
    > > network. I am looking for opinions on which would be better to use to
    > > terminate the tunnels at the core, a VPN concentrator or a large router
    > > with a crypto accelerator card. All of our current traffic is encrypted
    > > over the T1s and DS3s, which terminate into 7200 series routers, so I am
    > > intimately familiar with the workings of IOS crypto. However, these
    > > routers are not exposed to the internet, which this device would be. Any
    > > thoughts, ideas, or smart-aleck comments are appreciated!!!
    > >
    > > -Richard
    > >
    >
    > Wow.. Nobody has any thoughts on this??? Or have I somehow offended an
    > entire Usenet group to the point of being snubbed?? Not that something of
    > that scope is beyond me, but it usually requires a little effort on my
    > part!! :)
    >
    > Any thoughts at all?? Anyone? Bueller? Bueller? ;-)
    >
    > -Richard
    >
    >
    Richard Deal, May 10, 2005
    #3
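
The hub-and-spoke DMVPN design described in the post above, as an added example that is not part of the original thread and not either poster's configuration. The addresses (192.0.2.1, 10.255.0.0/24), interface names, the names DMVPN-TS and DMVPN-PROF, the network-id and tunnel key values, and the `<...>` key placeholders are all assumptions.

```cisco
! Added example. Constructed values: 192.0.2.1 (hub public address),
! 10.255.0.0/24 (tunnel subnet), interface names, DMVPN-TS / DMVPN-PROF,
! network-id / tunnel key 100, and the <...> key placeholders.

! ===== Common to hub and spokes =====
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
! Spokes on dynamic addresses force a wildcard peer for the pre-shared key,
! so every site holds the same secret. "authentication rsa-sig" with a PKI
! trustpoint gives each router its own credential instead.
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS

! ===== Hub: one multipoint tunnel, no per-spoke configuration =====
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip nhrp authentication <NHRPKEY>
 ! Spokes register themselves through NHRP, so the hub never needs
 ! to know their (possibly dynamic) public addresses in advance.
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF

! ===== Spoke: public address may be dynamic =====
interface Tunnel0
 ip address 10.255.0.11 255.255.255.0
 ip nhrp authentication <NHRPKEY>
 ip nhrp map 10.255.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.255.0.1
 ip nhrp network-id 100
 tunnel source Ethernet0
 ! Hub-and-spoke only: point-to-point GRE to the hub.
 tunnel destination 192.0.2.1
 ! For spoke-to-spoke tunnels, replace the line above with
 ! "tunnel mode gre multipoint" (needs the IOS support noted in the post).
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
```
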
  4. "Richard Deal" <rdeal2 @ cfl.rr.com> wrote in message
    news:Dx4ge.10318$...
    > Routers are much better at dealing with L2L connections. I'm assuming that
    > some of the end-points will have dynamic addresses; therefore, the
    > concentrator won't be able to handle this. Use DMVPN on the routers with a
    > hub-and-spoke design. Minimal configuration on the hub and you can still
    > bring up dynamic connections to the spokes. You need a certain rev of IOS to
    > have spoke-to-spoke connections...12.3(x)T, so not all routers will support
    > this function, but you'll still be able to move traffic between spokes via
    > the hubs in older IOS versions.
    >
    > Also, if you need QoS, then a router is the best solution.
    >
    > For a large number of remote access users, then I would get a dedicated
    > concentrator to only handle this function.
    >
    > Good luck!
    > Richard



    Richard,

    Thanks for the info! Your thoughts parallel mine; this is the way that I am
    leaning towards.

    Thanks again,

    -Richard Graves
    Richard Graves, May 13, 2005
    #4
