Cisco PIX 506E VPN to 2 other locations bandwidth?

Discussion in 'Cisco' started by usual, Dec 19, 2003.

  1. usual

    usual Guest

    If there is a site with a PIX 506E as the main location and 2 remote
    sites with PIX 501's, connected to the main site using vpn's, on a
    current business cable modem account, with about 25 clients in all.
    What would be sufficent bandwidth for this scenario?
     
    usual, Dec 19, 2003
    #1
    1. Advertising

  2. In article <>,
    usual <> wrote:
    :If there is a site with a PIX 506E as the main location and 2 remote
    :sites with PIX 501's, connected to the main site using vpn's, on a
    :current business cable modem account, with about 25 clients in all.
    :What would be sufficent bandwidth for this scenario?


    Depends on the encryption.

    DES: The 6 Mbps DES rating of the 501 fits within T2 (6.132 Mbps),
    but T2 is not right for this connection. (A) You might find it hard to
    find a T2 carrier [T1 and T3 are easier to find]. (B) You need
    to take into account packet overhead that will drive the
    required bandwidth up, possibly to above the T2 clock rate.
    (C) You will never get 100% efficient throughput. Thus, you
    should be looking at fractional T3 provisioned at 5+ DS1.
    Pricing is a bit odd on fractionals, so you might find it more
    cost efficient to get 7 DS1, which would be 1/4 T3. The main
    location would, of course, require one of these from each side
    [T1/T2/T3 are point-to-point], so the main location would end up
    with either 1/4 T3 or 1/2 T3.

    3DES: Half of the DES speed on the 501, i.e., 3 Mbps, which is
    2 x T1 (DS1) plus the overhead described above. But the drop is
    just enough that you might be able to get away with an 8/3 ADSL
    line (8 Mbps download, 3 Mbps upload) (not common, but RR could
    probably provision it), or a 5/5 SDSL (rarer, you might have to
    find a different carrier). xDSL would likely be a lot less expensive
    than partial T3.

    With 3DES, you get another option: "10 Mbps fibre" is commonly
    available and -much- less expensive than n*T1, but 10 Mbps is the burst
    speed, and the sustained rate is usually provisioned as only 3 Mbps
    transmit. Which you might be able to get away with on 3DES, but with
    DES being twice as fast, you might not be able to get a fibre
    provisioned for 6 Mbps sustained. And of course you'd have difficulty
    finding a 10 Mbps fibre able to receive at 2 * 6 = 12 Mbps, so
    if you went 10 Mbps fibre on DES, you would need to put in dual
    links at the HQ.

    AES-128: rated 4.5 Mbps on the 501, exactly inbetween the two
    above. That drops out the common 10 Mbps fibre solutions (but
    -perhaps- a carrier would be willing to provision at 5 Mbps
    burst), leaves open the possibility of a 5/5 SDSL line, and
    nominally fits in 3 x DS3 but if you were doing that you'd do
    full 4 x DS3 = T2 for pricing reasons.


    The above analysis assumes that you are saturating the capabilities
    of your 501 and 506E in transmitting data from the remote offices
    to the main office. Thousands of sensors in the remote offices sending
    complex updates every microsecond via UDP, perhaps.


    If I could offer a suggestion? Next time you ask a question like this,
    perhaps you could as part of the question include information about
    your traffic patterns, including details about any latency (response
    time) requirements and expected traffic volumes in each direction,
    and information about the approximate distance between the
    offices.

    If your remote offices are a long way from HQ and the bulk of your work
    is TCP, then your maximum throughput is highly dependant on TCP ACK
    requirements, and if your latency is high the maximum theoretical
    bandwidth per connection can end up being quite low.

    And of course *bandwidth* might not matter very much if your
    users are essentially just typing in text and waiting for
    responses -- but in such cases, *latency* can drive users
    insane, so in such cases, you would provision technologies
    that offer lower latency even if the bandwidth was lower.
    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
     
    Walter Roberson, Dec 19, 2003
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Mark
    Replies:
    2
    Views:
    2,711
  2. dak991
    Replies:
    1
    Views:
    962
    Walter Roberson
    Dec 4, 2004
  3. Kai
    Replies:
    0
    Views:
    7,678
  4. Laurent
    Replies:
    2
    Views:
    595
    Laurent
    Mar 1, 2008
  5. andypatterson24
    Replies:
    2
    Views:
    2,905
    andypatterson24
    Apr 25, 2008
Loading...

Share This Page