Cisco 515 - VPN accelerator card

Discussion in 'Cisco' started by R.Buijsse, Jan 19, 2004.

  1. R.Buijsse

    R.Buijsse Guest

    Hello,

    I'm wondering if I have to buy a VPN accelerator card. Our company is
    planning on buying
    a Cisco 515 for VPN access to our network. We have three branch offices with
    <10 users each
    and a few VPN clients (Windows 2000 systems) at home. We want to offer VPN
    connection
    to our network and we are planning on buying a Cisco 515 for our
    headquarters and a Cisco 501
    for the branch offices.
    Now I'm wondering if it's necessary in our situation to buy a Cisco 515 with
    a VPN accelerator card?
    Do we need this module, or is the Cisco 515 fast enough to support 3-10 VPN
    tunnels?

    The specifications of the Cisco 515 also speak of restricted and
    unrestricted bundle. Does this
    have something to do with the number of licences? Or is it something else?

    Also, what's the difference between the PIX-515E-R-BUN and the
    PIX-515E-DC-R-BUN? Where
    does the 'DC' stand for?

    Thanks a lot for your help!
     
    R.Buijsse, Jan 19, 2004
    #1

  2. :I'm wondering if I have to buy a VPN accelerator card. Our company is
    :planning on buying
    :a Cisco 515 for VPN access to our network. We have three branch offices with
    :<10 users each
    :and a few VPN clients (Windows 2000 systems) at home. We want to offer VPN
    :connection
    :to our network and we are planning on buying a Cisco 515 for our
    :headquarters and a Cisco 501
    :for the branch offices.
    :Now I'm wondering if it's necessary in our situation to buy a Cisco 515 with
    :a VPN accelerator card?
    :Do we need this module, or is the Cisco 515 fast enough to support 3-10 VPN
    :tunnels?

    It depends more on how fast you need the connections to be. 10 VPN
    tunnels all channeled into a single T1 line (say) is a lot different
    than 10 channeled into a 100 Mbit connection.

    It is hard to find throughput ratings for the PIX 515, so I cannot
    give an exact answer, but the PIX 515 -should- be enough for
    about 5 Mbit/s 3DES, I would estimate.


    :The specifications of the Cisco 515 also speak of restricted and
    :unrestricted bundle. Does this
    :have something to do with the number of licences? Or is it something else?

    The Restricted license on the 515 supports up to 3 physical interfaces
    and 3 802.1Q VLANs (maximum 5 total interfaces), and does NOT
    support Failover. The Unrestricted supports up to 6 physical
    interfaces and 6 802.1Q VLANs (maximum 10 total interfaces) and *does*
    support Failover.

    :Also, what's the difference between the PIX-515E-R-BUN and the
    :PIX-515E-DC-R-BUN? Where
    :does the 'DC' stand for?

    DC as in DC power instead of AC power. High density telecoms rooms
    sometimes work off of DC, but I don't know what the benefit is.


    Note, by the way, that your throughput questions were about the
    PIX 515, but the part number you gave is for the PIX 515E, which is
    a newer faster version of the PIX 515 (433 MHz instead of 200 MHz.)
    Make sure you don't end up with a 515 at 515E prices!


    Question: do you need a DMZ, such as in order to better restrict which
    hosts the VPN users can get to? If you do not, if you just want
    VPN capabilities, then the PIX 506E might be all you need. It supports
    up to 25 simultaneous peers, 17 Mbit/s 3DES. And it's a lot less
    expensive than a 515 or 515E.
     
    Walter Roberson, Jan 19, 2004
    #2

  3. R.Buijsse

    R.Buijsse Guest


    Thanks for your reply! I'm referring to the PIX 515E, but I didn't write it
    down
    correctly. The router will be attached to a 2 mbit SDSL line, just for the
    VPN connection,
    so no other services will be routed through that line. Because this line
    will be used
    for the VPN connection only, we don't need a DMZ. The 515E will be connected
    to
    our LAN directly.
    I prefer the 515E, because 25 concurrent VPN sessions is not enough, I'm
    afraid.
    Suppose that in the future a lot of employees want to be able to connect to
    our network
    with their laptop, I can imagine that 25 sessions may not be enough.

    The branch offices will be using the vpn line for internet browsing (via our
    internet connection),
    for terminal services and access to our Exchange server. So do you think
    that a 515E is fast
    enough, or maybe an accelerator card is necessary?

    If we want to use 3DES, we have to buy licences for that, is that correct?
    So it's maybe
    wiser (and cheaper) just to use DES... or is that an ancient, no longer
    supported, technique?

    Thanks!

    ps. maybe if you want to run the router on batteries, you can choose for the
    DC model! :)
     
    R.Buijsse, Jan 20, 2004
    #3
  4. :Thanks for your reply! I'm referring to the PIX 515E, but I didn't write it
    :down
    :correctly. The router will be attached to a 2 mbit SDSL line, just for the
    :VPN connection,

    Any of the PIXes will handle that rate, including the PIX 501.

    :I prefer the 515E, because 25 concurrent VPN sessions is not enough, I'm
    :afraid.
    :Suppose that in the future a lot of employees want to be able to connect to
    :our network
    :with their laptop, I can imagine that 25 sessions may not be enough.

    Well, maybe -- but when?

    The PIX-515E-R-BUN is about $US2500 street price. The PIX-506E-BUN-K9
    is about $US950 street price. If your growth is slow, you could
    put in one 506E now and an additional one sometime later, and still
    come out less expensive than a single 515E (though perhaps not
    quite as convenient.) Meanwhile, prices are going to fall, and
    new models are going to be introduced in another few months. If the
    money isn't "Use it or lose it!" and if you are only speculating about
    the success of the project, then it might be better to buy lower-end now
    and expand later if you need to. And there's almost always a use for
    a spare unit, even if only for testing new configurations before
    deployment.

    :The branch offices will be using the vpn line for internet browsing (via our
    :internet connection),
    :for terminal services and access to our Exchange server. So do you think
    :that a 515E is fast
    :enough, or maybe an accelerator card is necessary?

    At 2 mbit/s, you won't need an accelerator card.


    :If we want to use 3DES, we have to buy licences for that, is that correct?

    No, the 3DES licenses are now free if you are qualified for 3DES at all.


    :ps. maybe if you want to run the router on batteries, you can choose for the
    :DC model! :)

    Good point.
     
    Walter Roberson, Jan 20, 2004
    #4
  5. R.Buijsse

    R.Buijsse Guest

    Thanks again for your answers. Yesterday I contacted Cisco for this
    information and today they
    phoned me back.
    They say that in my situation a 506E is not suitable, because multiple
    branch offices will be
    connected to the headquarter. Now we have 3 branch offices and in 1-2 years
    this will grow
    to 5-6 offices. (all with < 10 users)
    Cisco also says that a VPN acc. card is always necessary, if you are
    planning on using the PIX for
    VPN connections. They say that a PIX without VPN acc. card cannot handle VPN
    traffic.

    Well, I'm not sure what to think about that. It sounds a little bit like a
    sales person speaking, haha!

    If I buy one 506E and later another one, don't I need an additional SDSL
    line for that? Or are they
    'stackable'??
     
    R.Buijsse, Jan 20, 2004
    #5
  6. :Thanks again for your answers. Yesterday I contacted Cisco for this
    :information and today they
    :phoned me back.
    :They say that in my situation a 506E is not suitable, because multiple
    :branch offices will be
    :connected to the headquarter.

    I don't see what that has to do with anything?? Unless they are expecting
    you to use a different interface for every branch.

    :Cisco also says that a VPN acc. card is always necessary, if you are
    :planning on using the PIX for
    :VPN connections. They say that a PIX without VPN acc. card cannot handle VPN
    :traffic.

    Nonsense. I have VPN connections working with my 501's, 506E, and 525.

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b15.html

    Notice in the 'Flexible VPN Services' paragraph that the "certain models"
    is only talking about hardware acceleration, and there is no restriction
    in the paragraph indicating that some models do not support the
    described encryptions.

    VPNs are listed in the Key Features and Benefits table without
    restriction as to model.

    Notice also in the description of Unrestricted Software License, that
    "The PIX 515E "Unrestricted" (PIX 515E-UR) model extends the
    capabilities of the family with support for stateful failover,
    additional LAN interfaces, and increased VPN throughput via
    integrated hardware-based VPN acceleration."
    The key there is "increased" VPN throughput with the accelerator.
    For your purposes, the throughput in the base unit is fine.
    If, though, you were running all 10 branches at 2 mbit/s each,
    and using 3DES, then you would be exceeding the rating for a
    single PIX 506E -- but a 506E could handle that load with AES
    (but not 60 users.)

    :Well, I'm not sure what to think about that. It sounds a little bit like a
    :sales person speaking, haha!

    Refer them to their own product literature, cited above.

    :If I buy one 506E and later another one, don't I need an additional SDSL
    :line for that? Or are they
    :'stackable'??

    Are you going to have one 2 mbit SDSL to handle -all- the offices?
    Or are you going to have one -per- office? Or are you planning
    to push up that 2 mbit as you add offices? If you are planning multiple
    lines, then you need a router, hub, or switch between the SDSL modem
    and the PIX. With a switch or hub, (or router with bridgable
    interfaces) you can even have the outside interfaces of the two PIX
    be in the same subnet, with the two PIX being assigned different
    IP addresses. PIX are not "stackable" in the sense of working
    together as a single unit, but there are a variety of topologies
    you can use as long as you can have different users contact different
    IP addresses, or have the VPN clients try multiple IP addresses
    automatically. For example, for PIX-to-PIX tunnels, you could
    set multiple 'peer' IPs; if it wasn't able to negotiate with one,
    it would move on to the other.
     
    Walter Roberson, Jan 20, 2004
    #6
  7. R.Buijsse

    R.Buijsse Guest

    Hello,

    we are purchasing one 2048 kbit SDSL line for the VPN connection at the
    headquarters. The connection
    to the internet at the branch offices is arranged by the people working
    there. We do not buy or install the
    DSL line at the branch offices. We just configure the 501E router and send
    it to them, with the instructions
    how to connect the device. (and hope it works! ;-))

    The idea is to connect the 515E to the SDSL line, so that the branch offices
    can create a VPN tunnel to
    this connection. That's the way it works, right? So for my own view: every
    branch office creates one VPN tunnel
    to the headquarters, with which a number of clients can communicate with our
    network? So with three branch
    offices, three concurrent VPN tunnels will be created, all connecting to
    this one SDSL connection at
    the headquarters? Is that a correct view of this situation?

    If we use just one SDSL line and one 506E VPN router, can we add another
    506E in the future? Then we have
    to use a router behind the SDSL line, to connect the two 506E, is that
    correct?

    Thanks!
     
    R.Buijsse, Jan 20, 2004
    #7
  8. :we are purchasing one 2048 kbit SDSL line for the VPN connection at the
    :headquarters. The connection
    :to the internet at the branch offices is arranged by the people working
    :there. We do not buy or install the
    :DSL line at the branch offices. We just configure the 501E router and send
    :it to them, with the instructions
    :how to connect the device. (and hope it works! ;-))

    I think you mean PIX 501; there is no PIX 501E (at least not yet.)

    Even the PIX 501 can handle more than 2 mbit/s of 3DES. The
    PIX 506E or PIX 515E would not have the slightest difficulty with
    that rate, so anything from the 506E upwards should just be sized
    based upon the number of VPN peers and any need for additional
    interfaces or failover.


    :The idea is to connect the 515E to the SDSL line, so that the branch offices
    :can create a VPN tunnel to
    :this connection. That's the way it works, right? So for my own view: every
    :branch office creates one VPN tunnel
    :to the headquarters, with which a number of clients can communicate with our
    :network? So with three branch
    :offices, three concurrent VPN tunnels will be created, all connecting to
    :this one SDSL connection at
    :the headquarters? Is that a correct view of this situation?

    Yes. The limits in the PIX 501 and 506/506E are on the number of
    IKE peers, not on the number of security associations (SAs).
    So with a 506E you could have 25 different peers -- 10 offices
    plus 15 other connections.



    :If we use just one SDSL line and one 506E VPN router, can we add another
    :506E in the future? Then we have
    :to use a router behind the SDSL line, to connect the two 506E, is that
    :correct?

    There is more than one way to handle it.

    I currently have a 501 "inside" a 525. A remote office is sending
    some IPSec traffic to the 525, but some of it is peered to the local 501
    instead. The traffic to the local 501 has to pass through the
    525 in my topology, which it does in IPSec form, IP protocols 50
    and 51 (ESP and AH), and UDP 500. There is no problem with this
    arrangement.

    If you were to use a similar topology, you would not need
    a router on the outside, but you might need a router on the inside.

    You do need to worry about routing issues if your remote offices
    do not always connect to the same PIX. It isn't as much of a problem
    for VPN Software Client as those are usually configured to hand
    out IP addresses, so as long as you use different pools, the
    return traffic will automatically go to the proper PIX. In my
    topology, return traffic goes through the proper PIX because I
    NAT at the inside PIX; there would be problems if that traffic
    were not NATable.
     
    Walter Roberson, Jan 20, 2004
    #8
  9. R.Buijsse

    R.Buijsse Guest

    Thank you a lot for all the information. It's much more clear now what the
    different models can perform
    and which model to buy in what situation. I've not figured it out yet, but I
    will soon.

    My last question, that came up when I was thinking about the communication
    with the branch offices...
    how about VOIP? Is that an easy subject, or difficult to implement? Is it
    supported by the VPN connections
    that we are going to implement? Well, I'll have to look into that subject
    also, because it can save us a LOT
    of money! Not more high telephone bills because of all the calling between
    Europe, China and the USA.

    Okay, thanks a lot again! And I will let you know what the decision is going
    to be.

    With kind regards,

    Russell Buijsse
     
    R.Buijsse, Jan 20, 2004
    #9
  10. :My last question, that came up when I was thinking about the communication
    :with the branch offices...
    :how about VOIP? Is that an easy subject, or difficult to implement? Is it
    :supported by the VPN connections
    :that we are going to implement?


    You said earlier that you are getting a 2 mbit SDSL connection at
    the main office, and that the branch offices would be left on their
    own to get whatever connection they could. That strategy is very
    likely to fail if you want VOIP. For example, if they were to get
    a standard ADSL circuit, then although their download link might
    be fast enough, their upload link might not be. Unless you present
    minimum technical standards on the branch office ISP connections,
    some of the branch offices -will- end up getting unsuitable connections.

    At present, the PIX has no ability to prioritize traffic of any
    sort (perhaps in a few months.)

    I do not know a lot about VOIP, but from what little I do know,
    I believe that if you want to implement it, you will find that it
    will completely alter your planned WAN strategy -- or at least it
    will if you want to get serious about it and use it to
    substantially replace transcontinental calls. If VOIP is a
    serious project then I would recommend you bring in a VOIP
    consultant -- and be prepared for hearing pricing in the
    tens of thousands of dollars per site.
     
    Walter Roberson, Jan 20, 2004
    #10
  11. David Callier, Jan 21, 2004
    #11
  12. R.Buijsse

    R.Buijsse Guest

    Hello,

    I talked to my superior and he says that voip is not necessary, because they
    don't expect a lot of calls being made
    between the (overseas) offices. So voip does not have to be implemented.
    Pffiew, because by reading your reply, I'm
    guessing that it is a very expensive and difficult technique to implement!

    If the 506E or 515E does not support bandwidth control, then it is possible
    that one VPN tunnel will absorb
    all of the bandwidth and that other VPN tunnels will be left with nothing...
    is that correct? Or can I setup a 501 at
    the branch office not to exceed 512 kbit/s, for example?
     
    R.Buijsse, Jan 22, 2004
    #12
  13. :If the 506E or 515E does not support bandwidth control, then it is possible
    :that one VPN tunnel will absorb
    :all of the bandwidth and that other VPN tunnels will be left with nothing...
    :is that correct? Or can I setup a 501 at
    :the branch office not to exceed 512 kbit/s, for example?

    The PIX currently has no bandwidth controls at all, so Yes,
    tunnel starvation is a theoretical possibility. I don't think it
    is likely in practice, though.

    To introduce a point you might not have thought about:
    overseas offices implies long distances, which in turn implies long
    latencies. And that in turn implies fairly bad TCP throughputs for any
    one TCP connection. Once your round trip latency goes beyond 20 ms
    (according to one paper I read) or 200 ms (my calculation but I might
    have slipped a decimal somewhere) then the entire TCP 64 Kb
    transmission window could be in transit during a single latency period.
    The sender then won't transmit any more until they receive an ACK,
    which isn't going to arrive until the receiving side receives
    at least -some- of the data (one latency period after the -start- of
    transmission) and sends the ACK (which is going to thus arrive
    two latency periods after the start of transmission.)

    If you want higher TCP throughput, then you need to use the extensions
    to TCP to increase the window size. Those extensions aren't supported
    on all systems. Windows 2000 supports them, but you need to enable
    them with a registry hack.

    We see low TCP throughputs on our 22 ms (including VPN overhead)
    link to about 1000 km away, even though the link itself has a
    high bandwidth (OC8 I think they said.)
     
    Walter Roberson, Jan 22, 2004
    #13
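The window-versus-latency arithmetic in the post above, as an added example that is not part of the thread (the link rates and round-trip times used are constructed): it computes the throughput ceiling a fixed 64 KB window imposes at a given RTT, the RTT at which that window is entirely in flight on a link of a given rate, and the window size needed to keep such a link busy.

```python
# Added example, not code from the thread: the bandwidth-delay arithmetic
# behind the "64 KB window in transit" remark. All link rates and
# round-trip times below are constructed for illustration.

CLASSIC_WINDOW_BYTES = 64 * 1024  # largest TCP window without RFC 1323 window scaling


def max_tcp_throughput_bps(window_bytes: int, rtt_ms: float) -> float:
    """Ceiling for one TCP connection: at most one window per round trip."""
    if rtt_ms <= 0:
        raise ValueError("round-trip time must be positive")
    return window_bytes * 8 * 1000 / rtt_ms


def rtt_that_fills_window_ms(window_bytes: int, link_bps: int) -> float:
    """RTT at which the whole window is in flight on a link of this rate.
    Beyond this RTT the window, not the link, caps the connection."""
    return window_bytes * 8 * 1000 / link_bps


def window_needed_bytes(link_bps: int, rtt_ms: int) -> int:
    """Smallest window (bandwidth-delay product) that keeps the link full."""
    # integer ceiling division: bits in flight during one RTT, as bytes
    return -(-link_bps * rtt_ms // 8000)


def effective_throughput_bps(window_bytes: int, link_bps: int, rtt_ms: float) -> float:
    """Whichever is lower: the line rate or the window-limited ceiling."""
    return min(link_bps, max_tcp_throughput_bps(window_bytes, rtt_ms))


def sizing_report(link_bps: int, rtt_ms: int, window_bytes: int = CLASSIC_WINDOW_BYTES) -> dict:
    """Collect the numbers a planner would want for one link/RTT pair."""
    cap = max_tcp_throughput_bps(window_bytes, rtt_ms)
    return {
        "link_mbps": link_bps / 1e6,
        "rtt_ms": rtt_ms,
        "window_limit_mbps": cap / 1e6,
        "effective_mbps": effective_throughput_bps(window_bytes, link_bps, rtt_ms) / 1e6,
        "window_needed_bytes": window_needed_bytes(link_bps, rtt_ms),
        "window_limited": cap < link_bps,
    }


if __name__ == "__main__":
    # Constructed cases: the 2 Mbit/s SDSL from the thread at a nearby and an
    # intercontinental RTT, and a fast link at the 22 ms figure quoted above.
    for link, rtt in ((2_000_000, 20), (2_000_000, 300), (100_000_000, 22)):
        r = sizing_report(link, rtt)
        print(f"{r['link_mbps']:6.1f} Mbit/s @ {rtt:4} ms: "
              f"window cap {r['window_limit_mbps']:7.2f} Mbit/s, "
              f"effective {r['effective_mbps']:6.2f} Mbit/s, "
              f"need {r['window_needed_bytes']} byte window"
              f"{' (window-limited)' if r['window_limited'] else ''}")
    print(f"64 KB window is fully in flight on 2 Mbit/s at "
          f"{rtt_that_fills_window_ms(CLASSIC_WINDOW_BYTES, 2_000_000):.0f} ms RTT")
```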
  14. :I prefer the 515E, because 25 concurrent VPN sessions is not enough, I'm
    :afraid.
    :Suppose that in the future a lot of employees want to be able to connect to
    :our network
    :with their laptop, I can imagine that 25 sessions may not be enough.

    Earlier, I said that the 506E is restricted to 25 IKE peers.
    We have since that time received a 506E in, and I see that under 6.3(3)
    at least, there is no built-in IKE peer limit on the 506E. It is possible
    that 25 is the current recommended maximum; your effective limits
    would depend a lot on how you have the PIX configured.
     
    Walter Roberson, Jan 30, 2004
    #14
