Cisco 2621 with AIM-VPN performance?

Discussion in 'Cisco' started by Olav Langeland, Aug 22, 2003.

  1. We are contemplating a change in VPN hardware, and are looking into two

    - Cisco 2621 with max RAM, appropriate IOS and the AIM-VPN module,
    redundancy via HSRP

    - Cisco Concentrator 3005, redundancy via cluster or VRRP

    Our needs are quite modest, 4-5 site-to-site tunnels, 30-40+ remote
    users with Cisco VPN Client authenticated via Radius. Bandwith use is
    usually low since it's mostly HTTP/Citrix/SSH/SQL traffic that goes
    through it. We have some 3005 now for customer use and are quite
    satisfied with them and I believe it would be sufficient for us, but the
    100user and 4mbit bw limit is annoying.

    Any comments on the performance of a 2621 w/AIM-VPN? Is it better to
    apply ACL for restricting VPN access to the network on the 2621 instead
    of the firewall (VPN is on a separate DMZ zone)? Will it handle the
    traffic mentioned above without any problems? Any arguments for choosing
    it instead of the Concentrator?


    Olav Langeland -
    Olav Langeland, Aug 22, 2003
    1. Advertisements

  2. Olav,

    I'm running a 2610 with an AIM-VPN/BP on an internet based VPN... eight 3DES
    site tunnels, each site has a full T-1. This 2610 also supports a DMZ, runs
    the FW feature set, and has extensive ingress and egress ACLs. Even when its
    T-1 is saturated CPU usage rarely exceeds 15%.

    The AIM is a good product... basically turns encryption into a "free"
    operation. However, IIRC, the new AES encryption available in 12.3 is not
    supported in standard AIM hardware; there's a new version of the AIM that
    does it. The original AIM-VPN only supports hardware offload of MD5, SHA,
    DES and 3DES operations.

    Jonathan Wilson
    Jonathan Wilson, Aug 25, 2003
    1. Advertisements

  3. We too are contemplating a VPN for a single site with only less than
    30 remote users. The site has 3mbps adsl Internet connection, so the
    requirements are really modest. The Windows Server VPN (PPTP) has been
    giving us a few problems and doesnt seem to be scalable, but for the
    Linux and Solaris solutions we've contemplated, it takes too much long
    term maintenance and multiple logins are required, one for the VPN
    connection, another to log onto the NT Domain.
    Ghazan Haider, Sep 8, 2003
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.