[nsp] VPN product recommendation.

Eric Matkovich ematkovi at cisco.com
Mon Mar 17 18:01:59 EST 2003

Hi Terry,

What encap support are you looking to implement?  How are your spoke sites connected?

The reason being, if you are looking for a fairly easy MP2MP solution DMVPN may work for you.  If you are looking to implement Layer 2 services (FR, Ethernet, etc.) over the PSN you may look at platforms that support L2TPv3 (currently 7200, 7500, GSR), with platform support for lower end platforms later.

Please see other comments inline:

At 08:02 PM 3/17/2003 -0500, Terry Baranski wrote:
>I'm researching various VPN endpoint solutions for our HQ site, and am
>hoping I can get some recommendations from those who have experience
>with this stuff. 
>Essentially, we're in need of a device to terminate customer VPN tunnels
>at HQ (site-to-site).  We're currently doing this at the firewall, but
>we don't consider this to be scalable -- we'd rather let the firewall
>filter packets and terminate the VPN tunnels on a device meant for such

How many sites are you looking to implement (spoke side)?

>I was originally looking at VPN concentrators exclusively, but I noticed
>that various router platforms (3600/3700/7200) have VPN modules that, if
>the specs are accurate, will more than suffice for our purposes as far
>as bandwidth and number of simultaneous tunnels go.  This has me
>wondering what the differences are between VPN concentrators and VPN
>router modules. When is one typically chosen over the other?  

VPN concentrators are more purpose-built boxes that concentrate on a limited task set (termination and forwarding).  Often used in conjunction with remote access / mobile user environments (VPN3000).

>A sales
>rep mentioned that the concentrators are typically used for dial-up
>users and VPN routers are typically used for site-to-site tunnels.  Is
>this accurate?

True.  A VPN router is going to offer some of the enhanced features (like QoS, routing protocol features, etc.) that are associated with a regular router.

>We also need a router for the segment that the VPN device will live in,

Router or interface for the segment?

>so a VPN router would kill two birds with one stone if it will suffice.
>It looks like a 3700 series router can terminate a couple thousand
>tunnels at upwards of 200 Mbps as per the datasheet. But I don't know if
>these numbers reflect reality. 

The 7301 is a promising box.  However, it is a little newer in the development cycle than, say, the 7200.  So it is important to know what features, port adaptors and performance will suffice.  With 3 onboard Ethernet ports (10/100/1000) it would be possible to use it in conjunction with a VAM (VPN Accelerator Module), which offloads compression and decryption/encryption functions.  Not sure what release would be required for this specific configuration (probably 12.3(1)T when available).

>So, what do you folks recommend to terminate site-to-site VPNs with
>customers?  Any advice would be appreciated.

Again, depending on the requirements (pps, features, etc.), there are many options available.  Perhaps with a bit more information we can narrow it down.




Eric Matkovich                                  510 McCarthy Blvd., Bldg 24/2
Technical Marketing Engineer             Milpitas, CA 95035
Tunneling Technologies                      (408) 527.4111 office
ematkovi at cisco.com                         (800) 365.4578 pager
Internet Technologies Division (ITD) 
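Added example, not from this thread and not Cisco's own documentation: a minimal DMVPN hub-and-spoke configuration in IOS syntax, to make concrete what "terminating site-to-site tunnels on a dedicated VPN router" with DMVPN looks like. The hub (HQ) runs a multipoint GRE tunnel protected by an IPsec profile; each spoke registers with the hub over NHRP, so new customer sites need no per-site crypto map on the hub. All addresses, names, the pre-shared key placeholder and the EIGRP AS number are constructed for the example; the platform and IOS release on the page (7301, 12.3(1)T) are not assumed.

```cisco
! ===== Hub at HQ (example only; all values constructed) =====
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! A wildcard peer address lets spokes with changing addresses register,
! but it means every spoke shares this one secret; certificates are the
! stronger choice once the site count grows.
crypto isakmp key <HUB-SPOKE-PSK-PLACEHOLDER> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface FastEthernet0/0
 description outside segment, behind the filtering firewall
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel0
 description DMVPN hub, multipoint GRE
 ip address 10.255.0.1 255.255.255.0
 ip mtu 1400
 ! NHRP authentication is a plaintext matching string, not cryptographic
 ! protection; confidentiality and integrity come from tunnel protection below.
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 no ip split-horizon eigrp 100
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
 no auto-summary

! ===== One customer spoke (example only; all values constructed) =====
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <HUB-SPOKE-PSK-PLACEHOLDER> address 192.0.2.1
!
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface FastEthernet0/0
 ip address 198.51.100.7 255.255.255.0
!
interface Tunnel0
 description DMVPN spoke towards HQ hub
 ip address 10.255.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.255.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 100
 ip nhrp nhs 10.255.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.2.0.0 0.0.255.255
 no auto-summary
```

With this split the firewall in front of the hub only needs to pass ISAKMP (UDP 500), ESP (IP protocol 50) and, if spokes sit behind NAT, UDP 4500 to 192.0.2.1; everything else on the outside segment can stay blocked, which is the separation of filtering and tunnel termination the original post is after. The tunnel MTU is lowered so GRE plus ESP overhead does not force fragmentation of customer traffic. A hardware accelerator such as the VAM mentioned in the reply needs no change to this configuration; IOS uses the onboard crypto engine when one is present.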
