PIX, VPN Accelerator Cards for AES

Discussion in 'Cisco' started by Julien Nicodeme, Apr 25, 2005.

  1. Hello,

    I am about to choose the transforms for a huge VPN deployment using PIX
    firewalls from 501 to 535 HA. Some of those firewalls will have VPN AC
    cards, others not.

    Question: are the VPN AC cards optimized for 3DES/DES or is it also
    bringing refreshing sodas for busy PIX using AES?

    That post since I know some VPN AC cards, like for Soekris firewalls, are
    optimized only for DES/3DES. So I am wondering ;-)

    Thank you very much,

    Julien
     
    Julien Nicodeme, Apr 25, 2005
    #1

  2. M.C. van den Bovenkamp, Apr 25, 2005
    #2

  3. Alain Bogaert, Apr 25, 2005
    #3
  4. :I am about to choose the transforms for a huge VPN deployment using PIX
    :firewalls from 501 to 535 HA. Some of those firewalls will have VPN AC
    :cards, others not.

    :Question: are the VPN AC cards optimized for 3DES/DES or is it also
    :bringing refreshing sodas for busy PIX using AES?

    501: 3 Mbps 3DES, 4.5 Mbps AES-128, ? AES-256
    506: 10 Mbps 3DES, ? AES-128, ? AES-256
    506E: 17 Mbps 3DES, 30 Mbps AES-128, ? AES-256
    515: ??
    515E + VAC: 63 Mbps 3DES, ? AES-128, ? AES-256
    515E + VAC+: 140 Mbps 3DES, 135 Mbps AES-128, 140 Mbps AES-256
    520: ?
    520 + VAC : (supported, rates unknown)
    520 + VAC+ : (supported, rates unknown)
    525 + VAC: 72 Mbps 3DES, ? AES-128, ? AES-256
    525 + VAC+: 155 Mbps 3DES, 165 Mbps AES-128, 170 Mbps AES-256
    535 + VAC: 100 Mbps 3DES, ? AES-128, ? AES-256
    535 + VAC+: 440 Mbps 3DES, 535 Mbps AES-128, 440 Mbps AES-256

    Note: there are documented total VPN throughput restrictions on the
    506E, 515, and 515E, that are noticeably lower than the figures
    given above. The documentation might not reflect the use of VAC/VAC+.
    Also, the document was the "506E/515E Q&A" from the 6.1(2) timeframe,
    but 6.2 introduced substantial VPN speedups for at least some of the
    systems (e.g., 501), so the data in that document may be obsolete.
     
    Walter Roberson, Apr 25, 2005
    #4
  5. Also please be aware that the VAC+ card takes up one PCI slot.
    So in some configurations you have to reorder NIC Interface cards, and/or
    get quad-FE cards instead.
    This is mostly seen in PIX515 HW-configuration, since they've only got 2 slots.

    HTH
    Martin Bilgrav
     
    Martin Bilgrav, Apr 25, 2005
    #5
  6. Yes, and the new router series kick both their butts! At any time!
    Sure is close - but then again routers cost more than PIXs, but for some
    scenarios they might come in handy.

    HTH
    Martin Bilgrav
     
    Martin Bilgrav, Apr 25, 2005
    #6
  7. it's about picking a box to fit the requirement - and hardware performance
    isn't always most important.

    we had a discussion with a cisco SE a year or so back.

    the gist was that you could more or less force routers, VPN concentrators or
    PIXen to do any of the various IPsec VPN jobs, but the platforms are
    optimised in different ways in terms of features, complexity and amount of
    ongoing day to day support needed.

    use the box optimised for the job:

    VPN concentrators for remote access (i.e. lots of individual PCs)
    PIXes where you want VPNs between firewalls, but with simple topologies like
    a star network.
    routers where you want resilience, meshed topology and / or flexibility.

    all of the boxes have got more features and are more flexible, but i think
    those rules of thumb still make a lot of sense.
     
    stephen, Apr 26, 2005
    #7