Less than 20-site VPN Best Practice?

Discussion in 'Cisco' started by Ram Rajadhyaksha, Jun 30, 2004.

  1. We're dumping our frame-relay and moving to Internet T1's all off ATT's
    backbone. However, we have yet to decide on how to configure the VPN
    architecture. We have a good amount of experience with PIX-to-PIX and
    PIX-to-Concentrator VPN configuration.

    1. At first I thought I'd use PIX 506s on the border for FW only and a
    2610 inside the LAN to terminate the fully-meshed VPN tunnels. Well,
    apparently the 2610 can only handle about 384 kb/s 3DES throughput,
    which sucks. ( I'll have 12 left-over 2610 units too. :-/ )

    2. The second option is to terminate all my tunnels at the border PIX
    units? Is anyone doing this? It's not hard to configure but I'd be wary
    of one of our employees blowing up the config when changing a FW rule.

    3. The third option is to buy a non-Cisco device to take the role of
    those 2600's. I.e., a FreeBSD server or something.

    Anyone that's rolled their own multi-site VPN care to comment? The PIX
    506e claims to handle 4 Mb/s of encryption bandwidth, good enough for a
    multi-link T1. Unfortunately it only supports 25 peers which limits the
    scalability of the fully-meshed network.

    Thanks!
    Ram Rajadhyaksha, Jun 30, 2004
    #1

  2. :Anyone that's rolled their own multi-site VPN care to comment? The PIX
    :506e claims to handle 4 Mb/s of encryption bandwidth, good enough for a
    :multi-link T1.

    No, the 506E is rated to 20 Mbps DES, 17 Mbps 3DES, 30 Mbps AES-128.

    :Unfortunately it only supports 25 peers which limits the
    :scalability of the fully-meshed network.

    25 peers is still a limit on the 506E.
    Walter Roberson, Jun 30, 2004
    #2
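An added example, not from the thread or from Cisco: a small Python planner that checks a site-to-site design against the two constraints discussed above, the per-device peer limit and the rated 3DES throughput. The device figures are the ones quoted in the thread (the 2610's peer limit is not stated, so it is left unknown); the site count and T1 link speeds are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

T1_MBPS = 1.544  # a single T1 access link (constructed assumption)


@dataclass(frozen=True)
class Device:
    name: str
    max_peers: Optional[int]  # IPsec peers the box will terminate; None = not stated
    crypto_mbps: float        # rated 3DES throughput


# Ratings as quoted in the thread; the 2610 peer limit is unknown here.
PIX_506E = Device("PIX 506E", max_peers=25, crypto_mbps=17.0)
CISCO_2610 = Device("Cisco 2610", max_peers=None, crypto_mbps=0.384)


def full_mesh_tunnels(sites: int) -> int:
    """Total tunnels in a full mesh: one per pair of sites."""
    return sites * (sites - 1) // 2


def check_full_mesh(dev: Device, sites: int, link_mbps: float = T1_MBPS) -> List[str]:
    """Every site terminates sites-1 peers and encrypts up to its own link rate."""
    peers = sites - 1
    problems = []
    if dev.max_peers is not None and peers > dev.max_peers:
        problems.append(f"{dev.name}: needs {peers} peers, limit is {dev.max_peers}")
    if dev.crypto_mbps < link_mbps:
        problems.append(f"{dev.name}: {dev.crypto_mbps} Mb/s 3DES < {link_mbps} Mb/s link")
    return problems


def check_hub_and_spoke(hub: Device, spoke: Device, sites: int,
                        spoke_link_mbps: float = T1_MBPS,
                        hub_link_mbps: float = T1_MBPS) -> List[str]:
    """Spokes hold one tunnel each; the hub terminates all of them and, since
    spoke-to-spoke traffic transits it, must encrypt up to its whole uplink."""
    spokes = sites - 1
    problems = []
    if hub.max_peers is not None and spokes > hub.max_peers:
        problems.append(f"hub {hub.name}: needs {spokes} peers, limit is {hub.max_peers}")
    hub_load = min(spokes * spoke_link_mbps, hub_link_mbps)  # bounded by hub uplink
    if hub.crypto_mbps < hub_load:
        problems.append(f"hub {hub.name}: {hub.crypto_mbps} Mb/s 3DES < {hub_load:.3f} Mb/s offered")
    if spoke.crypto_mbps < spoke_link_mbps:
        problems.append(f"spoke {spoke.name}: {spoke.crypto_mbps} Mb/s 3DES < {spoke_link_mbps} Mb/s link")
    return problems
```

With 20 sites a 506E full mesh needs 19 peers per box and 190 tunnels in total, while a 2610 fails on throughput alone; the 25-peer ceiling is first hit at 27 sites in either topology.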

  3. John Osmon (Guest), replying to Ram Rajadhyaksha:

    : We're dumping our frame-relay and moving to Internet T1's all off ATT's
    : backbone. However, we have yet to decide on how to configure the VPN
    : architecture. We have a good amount of experience with PIX-to-PIX and
    : PIX-to-Concentrator VPN configuration.

    Have you considered asking AT&T for a layer 3 VPN solution? If you're
    going to work with a single carrier for all the connectivity, why not
    offload the VPN piece off to them, and use the 2610s you have in
    place already?

    If you don't have a *requirement* for encryption, it'll likely end
    up being a lot cheaper to get your carrier to build the tunnels for
    you, so you don't need to deal with the complexity.
    John Osmon, Jul 1, 2004
    #3
