Cisco 515 - VPN accelerator card

Hello,

I'm wondering if I have to buy a VPN accelerator card. Our company is
planning on buying
a Cisco 515 for VPN access to our network. We have three branch offices with
<10 users each
and a few VPN clients (Windows 2000 systems) at home. We want to offer VPN
connection
to our network and we are planning on buying a Cisco 515 for our
headquarters and a Cisco 501
for the branch offices.
Now I'm wondering if it's neccesary in our situation to buy a Cisco 515 with
a VPN accelerator card?
Do we need this module, or is the Cisco 515 fast enough to support 3-10 VPN
tunnels?

The specifications of the Cisco 515 also speak of restricted and
unrestricted bundle. Does this
have something to do with the number of licences? Or is it something else?

Also, what's the difference between the PIX-515E-R-BUN and the
PIX-515E-DC-R-BUN? Where
does the 'DC' stand for?

Thanks a lot for your help!

 

:I'm wondering if I have to buy a VPN accelerator card. Our company is
lanning on buying
:a Cisco 515 for VPN access to our network. We have three branch offices with
:<10 users each
:and a few VPN clients (Windows 2000 systems) at home. We want to offer VPN
:connection
:to our network and we are planning on buying a Cisco 515 for our
:headquarters and a Cisco 501
:for the branch offices.
:Now I'm wondering if it's neccesary in our situation to buy a Cisco 515 with
:a VPN accelerator card?
o we need this module, or is the Cisco 515 fast enough to support 3-10 VPN
:tunnels?

It depends more on how fast you need the connections to be. 10 VPN
tunnels all channeled into a single T1 line (say) is a lot different
than 10 channeled into a 100 Mbit connection.

It is hard to find throughput ratings for the PIX 515, so I cannot
give an exact answer, but the PIX 515 -should- be enough for
about 5 Mbit/s 3DES, I would estimate.


:The specifications of the Cisco 515 also speak of restricted and
:unrestricted bundle. Does this
:have something to do with the number of licences? Or is it something else?

The Restricted license on the 515 supports up to 3 physical interfaces
and 3 802.1Q VLANs (maximum 5 total interfaces), and does NOT
support Failover. The Unrestricted supports up to 6 physical
interfaces and 6 802.1Q VLANs (maximum 10 total interfaces) and *does*
support Failover.

:Also, what's the difference between the PIX-515E-R-BUN and the
IX-515E-DC-R-BUN? Where
:does the 'DC' stand for?

DC as in DC power instead of AC power. High density telecomms rooms
sometimes work off of DC, but I don't know what the benefit is.


Note, by the way, that your throughput questions were about the
PIX 515, but the part number you gave is for the PIX 515E, which is
a newer faster version of the PIX 515 (433 MHz instead of 200 MHz.)
Make sure you don't end up with a 515 at 515E prices!


Question: do you need a DMZ, such as in order to better restrict which
hosts the VPN users can get to? If you do not, if you just want
VPN capabilities, then the PIX 506E might be all you need. It supports
up to 25 simultaneous peers, 17 Mbit/s 3DES. And it's a lot less
expensive than a 515 or 515E.

 

Thanks for your reply! I'm referring to the PIX 515E, but I didn't write it
down
correctly. The router will be attached to a 2 mbit SDSL line, just for the
VPN connection,
so no other services will be routed through that line. Because this line
will be used
for the VPN connection only, we don't need a DMZ. The 515E will be connected
to
our LAN directly.
I prefer the 515E, because 25 concurrent VPN sessions is not enough, I'm
afraid.
Suppose that in the future a lot of employees want to be able to connect to
our network
with their laptop, I can imagine that 25 sessions may not be enough.

The branch offices will be using the vpn line for internet browsing (via our
internet connection),
for terminal services and access to our Exchange server. So do you think
that a 515E is fast
enough, or mabye a accelerator card is necessary?

If we want to use 3DES, we have to buy licences for that, is that correct?
So it's maybe
wiser (and cheaper) just to use DES... or is that an ancient, no longer
supported, technique?

Thanks!

ps. mabye if you want to run the router on batteries, you can choose for the
DC model!

 

:Thanks for your reply! I'm referring to the PIX 515E, but I didn't write it
:down
:correctly. The router will be attached to a 2 mbit SDSL line, just for the
:VPN connection,

Any of the PIXes will handle that rate, including the PIX 501.

:I prefer the 515E, because 25 concurrent VPN sessions is not enough, I'm
:afraid.
:Suppose that in the future a lot of employees want to be able to connect to
ur network
:with their laptop, I can imagine that 25 sessions may not be enough.

Well, maybe -- but when?

The PIX-515E-R-BUN is about $US2500 street price. The PIX-506E-BUN-K9
is about $US950 street price. If your growth is slow, you could
put in one 506E now and an additional one sometime later, and still
come out less expensive then a single 515E (though perhaps not
quite as convenient.) Meanwhile, prices are going to fall, and
new models are going to be introduced in another few months. If the
money isn't "Use it or lose it!" and if you are only speculating about
the success of the project, then it might be better to buy lower-end now
and expand later if you need to. And there's almost always a use for
a spare unit, even if only for testing new configurations before
deployment.

:The branch offices will be using the vpn line for internet browsing (via our
:internet connection),
:for terminal services and access to our Exchange server. So do you think
:that a 515E is fast
:enough, or mabye a accelerator card is necessary?

At 2 mbit/s, you won't need an accelerator card.


:If we want to use 3DES, we have to buy licences for that, is that correct?

No, the 3DES licenses are now free if you are qualified for 3DES at all.


s. mabye if you want to run the router on batteries, you can choose for the
C model!

Good point.

 

Thanks again for your anwsers. Yesterday I contacted Cisco for this
information and today they
phoned me back.
They say that in my situation a 506E is not suitable, because multiple
branch offices will be
connected to the headquarter. Now we have 3 branch offices and in 1-2 years
this will grow
to 5-6 offices. (all with < 10 users)
Cisco also says that a VPN acc. card is always necessary, if you are
planning on using the PIX for
VPN connections. They say that a PIX without VPN acc. card cannot handle VPN
traffic.

Well, I'm not sure what to think about that. It sounds a little bit like a
sales person speaking, haha!

If I buy one 506E and later another one, don't I need an additional SDSL
line for that? Or are they
'stackable'??

 

:Thanks again for your anwsers. Yesterday I contacted Cisco for this
:information and today they
honed me back.
:They say that in my situation a 506E is not suitable, because multiple
:branch offices will be
:connected to the headquarter.

I don't see what that has to do with anything?? Unless they are expecting
you to use a different interface for every branch.

:Cisco also says that a VPN acc. card is always necessary, if you are
lanning on using the PIX for
:VPN connections. They say that a PIX without VPN acc. card cannot handle VPN
:traffic.

Nonsense. I have VPN connections working with my 501's, 506E, and 525.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b15.html

Notice in the 'Flexible VPN Services' paragraph that the "certain models"
is only talking about hardware accelaration, and there is no restriction
in the paragraph indicating that some models do not support the
described encryptions.

VPNs are listed in the Key Features and Benefits table without
restriction as to model.

Notice also in the description of Unrestricted Software License, that
"The PIX 515E "Unrestricted" (PIX 515E-UR) model extends the
capabilities of the family with support for stateful failover,
additional LAN interfaces, and increased VPN throughput via
integrated hardware-based VPN acceleration."
The key there is "increased" VPN throughput with the accelerator.
For your purposes, the throughput in the base unit is fine.
If, though, you were running all 10 branches at 2 mbit/s each,
and using 3DES, then you would be exceeding the rating for a
single PIX 506E -- but a 506E could handle that load with AES
(but not 60 users.)

:Well, I'm not sure what to think about that. It sounds a little bit like a
:sales person speaking, haha!

Refer them to their own product literature, cited above.

:If I buy one 506E and later another one, don't I need an additional SDSL
:line for that? Or are they
:'stackable'??

Are you going to have one 2 mbit SDSL to handle -all- the offices?
Or are you going to have one -per- office? Or are you planning
to push up that 2 mbit as you add offices? If you are planning multiple
lines, then you need a router, hub, or switch between the SDSL modem
and the PIX. With a switch or hub, (or router with bridgable
interfaces) you can even have the outside interfaces of the two PIX
be in the same subnet, with the two PIX being assigned different
IP addresses. PIX are not "stackable" in the sense of working
together as a single unit, but there are a variety of topologies
you can use as long as you can have different users contact different
IP addresses, or have the VPN clients try multiple IP addresses
automatically. For example, for PIX-to-PIX tunnels, you could
set multiple 'peer' IPs; if it wasn't able to negotiate with one,
it would move on to the other.

 

Hello,

we are purchasing one 2048 kbit SDSL line for the VPN connection at the
headquarters. The connection
to the internet at the branch offices is arranged by the people working
there. We do not buy or install the
DSL line at the branch offices. We just configure the 501E router and send
it to them, with the instructions
how to connect the device. (and hope it works! ;-))

The idea is to connect the 515E to the SDSL line, so that the branch offices
can create a VPN tunnel to
this connection. That's the way it works, right? So for my own view: every
branch office creates one VPN tunnel
to the headquarters, with which a number of clients can communicate with our
network? So with three branch
offices, three concurrent VPN tunnels will be created, all connecting to
this one SDSL connection at
the headquarters? Is that a correct view of this situation?

If we use just one SDSL line and one 506E VPN router, can we add another
506E in the future? Then we have
to use a router behind the SDSL line, to connect the two 506E, is that
correct?

Thanks!

 

:we are purchasing one 2048 kbit SDSL line for the VPN connection at the
:headquarters. The connection
:to the internet at the branch offices is arranged by the people working
:there. We do not buy or install the
SL line at the branch offices. We just configure the 501E router and send
:it to them, with the instructions
:how to connect the device. (and hope it works! ;-))

I think you mean PIX 501; there is no PIX 501E (at least not yet.)

Even the PIX 501 can handle more than 2 mbit/s of 3DES. The
PIX 506E or PIX 515E would not have the slightest difficulty with
that rate, so anything from the 506E upwards should just be sized
based upon the number of VPN peers and any need for additional
interfaces or failover.


:The idea is to connect the 515E to the SDSL line, so that the branch offices
:can create a VPN tunnel to
:this connection. That's the way it works, right? So for my own view: every
:branch office creates one VPN tunnel
:to the headquarters, with which a number of clients can communicate with our
:network? So with three branch
ffices, three concurrent VPN tunnels will be created, all connecting to
:this one SDSL connection at
:the headquarters? Is that a correct view of this situation?

Yes. The limits in the PIX 501 and 506/506E are on the number of
IKE peers, not on the number of security associations (SAs).
So with a 506E you could have 25 different peers -- 10 offices
plus 15 other connections.



:If we use just one SDSL line and one 506E VPN router, can we add another
:506E in the future? Then we have
:to use a router behind the SDSL line, to connect the two 506E, is that
:correct?

There is more than one way to handle it.

I currently have a 501 "inside" a 525. A remote office is sending
some IPSec traffic to the 525, but some of it is peered to the local 501
instead. The traffic to the local 501 has to pass through the
525 in my topology, which it does in IPSec form, IP protocols 50
and 51 (ESP and AH), and UDP 500. There is no problem with this
arrangement.

If you were to use a similar topology, you would not need
a router on the outside, but you might need a router on the inside.

You do need to worry about routing issues if your remote offices
do not always connect to the same PIX. It isn't as much of a problem
for VPN Software Client as those are usually configured to hand
out IP addresses, so as long as you use different pools, the
return traffic wil automatically go to the proper PIX. In my
topology, return traffic goes through the proper PIX because I
NAT at the inside PIX; there would be problems if that traffic
were not NATable.

 

Thank you a lot for all the information. It's much more clear now what the
different models can perform
and which model to buy in what situation. I've not figured it out yet, but I
will soon.

My last question, that came up when I was thinking about the communication
with the branch offices...
how about VOIP? Is that an easy subject, or difficult to implement? Is it
supported by the VPN connections
that we are going to implement? Well, I'll have to look into that subject
also, because it can save us a LOT
of money! Not more high telephone bills because of all the calling between
Europe, China and the USA.

Okay, thanks a lot again! And I will let you know what the decision is going
to be.

With kind regards,

Russell Buijsse

 

:My last question, that came up when I was thinking about the communication
:with the branch offices...
:how about VOIP? Is that an easy subject, or difficult to implement? Is it
:supported by the VPN connections
:that we are going to implement?


You said earlier that you are getting a 2 mbit SDSL connection at
the main office, and that the branch offices would be left on their
own to get whatever connection they could. That strategy is very
likely to fail if you want VOIP. For example, if they were to get
a standard ADSL circuit, then although their download link might
be fast enough, their upload link might not be. Unless you present
minimum technical standards on the branch office ISP connections,
some of the branch offices -will- end up getting unsuitable connections.

At present, the PIX has no ability to prioritize traffic of any
sort (perhaps in a few months.)

I do not know a lot about VOIP, but from what little I do know,
I believe that if you want to impliment it, you will find that it
will completely alter your planned WAN strategy -- or at least it
will if you want to get serious about it and use it to
substantially replace transcontinental calls. If VOIP is a
serious project then I would recommend you bring in a VOIP
consultant -- and be prepared for hearing pricing in the
tens of thousands of dollars per site.

 

IDM is very nice
An excellent utility that allows computer-savvy users to control the
process. A WONDERFUL PRODUCT

www.internetdownloadmanager.com/index.html?affilid=9875-194</a>

 

Hello,

I talked to my superior and he says that voip is not necessary, because they
don't expect a lot of calls being made
between the (overseas) offices. So voip does not have to be implemented.
Pffiew, because by reading your reply, I'm
guessing that it is a very expensive and difficult technique to implement!

If the 506E or 515E does not suppport bandwith control, then it is possible
that one VPN tunnel will absorp
all of the bandwith and that other VPN tunnels will be left with nothing...
is that correct? Or can I setup a 501 at
the branch office not to exceed 512 kbit/s, for example?

 

:If the 506E or 515E does not suppport bandwith control, then it is possible
:that one VPN tunnel will absorp
:all of the bandwith and that other VPN tunnels will be left with nothing...
:is that correct? Or can I setup a 501 at
:the branch office not to exceed 512 kbit/s, for example?

The PIX currently has no bandwidth controls at all, so Yes,
tunnel starvation is a theoretical possibility. I don't think it
is likely in practice, though.

To introduce a point you might not have thought about:
overseas offices implies long distances, which in turn implies long
latencies. And that in turn implies fairly bad TCP throughputs for any
one TCP connection. Once your round trip latency goes beyond 20 ms
(according to one paper I read) or 200 ms (my calculation but I might
have slipped a decimal somewhere) then the entire TCP 64 Kb
transmission window could be in transit during a single latency period.
The sender then won't transmit any more until they receive an ACK,
which isn't going to arrive until the the receiving side receives
at least -some- of the data (one latency period after the -start- of
transmission) and sends the ACK (which is going to thus arrive
two latency periods after the start of transmission.)

If you want higher TCP throughput, then you need to use the extensions
to TCP to increase the window size. Those extensions aren't supported
on all systems. Windows 2000 supports them, but you need to enable
them with a registry hack.

We see low TCP throughputs on our 22 ms (including VPN overhead)
link to about 1000 km away, even though the link itself has a
high bandwidth (OC8 I think they said.)

 

:I prefer the 515E, because 25 concurrent VPN sessions is not enough, I'm
:afraid.
:Suppose that in the future a lot of employees want to be able to connect to
ur network
:with their laptop, I can imagine that 25 sessions may not be enough.

Earlier, I said that the 506E is restricted to 25 IKE peers.
We have since that time received a 506E in, and I see that under 6.3(3)
at least, there is no built-in IKE peer limit on the 506E. It is possible
that 25 is the current recommended maximum; your effective limits
would depend a lot on how you have the PIX configured.