[nsp] VPN product recommendation.

Terry Baranski terry at eurocompton.net
Mon Mar 17 22:47:51 EST 2003

Thanks for the help, Eric.  Comments inline.

> What encap support are you looking to implement?  How are 
> your spoke sites connected?

Primarily 3DES, though support for AES would be very nice as some
clients will inevitably want/require it.  Customers are connected to us
either via the Internet (some using a VPN, some not) or private links.
In the latter case, it's desirable for a customer's connectivity to be
able to fail-over to a VPN if the private link fails.  This is why we
need a router on the segment -- we need something to run a routing
protocol with the customer routers and detect if a link fails.

> The reason being, if you are looking for a fairly easy MP2MP 
> solution DMVPN may work for you.  If you are looking to 
> implement Layer 2 services (FR, Ethernet, etc.) over the PSN 
> you may look at platforms that support L2TPv3 (currently 
> 7200, 7500, GSR), with platform support for lower end platforms later.

We don't require Layer 2, and though I'm not very familiar with DMVPN,
my gut says that it's too complex for our purposes.  All we need here is
a VPN endpoint that can terminate a tunnel from each customer who
desires a VPN.

> How many sites are you looking to implement (spoke side)?

I think if the solution we go with could handle 100 or so, we'd be in
good shape for a while.  It looked like all the modules for the 3600+
routers could handle well over this amount.

> True.  A VPN router is going to offer some of the enhanced 
> features (like QoS, routing protocol features, etc.) that are 
> associated with a regular router.

Which is why I'm leaning towards such a device if there's no advantage
(for our needs) in going with a concentrator.  The segment needs a
router regardless to make a routing decision between a customer's
private link and the VPN.  

> The 7301 is a promising box.  However, it is a little newer 
> in the development cycle than say the 7200.  So it is 
> important to know what features, port adaptors and 
> performance will suffice.  With 3 onboard ethernet ports 
> (10/100/1000) it would be possible to use it in conjunction with 
> a VAM (VPN Accelerator Module) which offloads compression and 
> decryption/encryption functions.  Not sure what release 
> would be required for this specific configuration. (probably 
> 12.3(1)T when available)

This reminds me of two things I forgot to mention originally: 1) The
design as it currently exists on paper would require 3 Ethernet
interfaces on the VPN router (if that's what we go with), and 2)
Compatibility with other implementations is a big concern of ours.
Oftentimes, a customer wants to use a particular VPN endpoint on their
end because of equipment they already have.  So the solution we have on
our end will ideally work with most if not all other common
implementations.  The rep I spoke with said that VPN products from
CheckPoint and Cisco offer the most compatibility, but I'm wondering if
the experience of others on this list backs this up.

> Again, depending on the requirements Pps, features, etc. 
> there are many options available.  Perhaps with a bit more 
> information we can narrow it down.

I appreciate your assistance.  Feel free to respond privately (this goes
for anyone else as well) if we're getting off-topic for the list... Not
sure what the etiquette is with respect to situation-specific product