[c-nsp] Cisco VPN capabilities

Michael Markstaller mm at elabnet.de
Fri Sep 3 05:39:38 EDT 2004


Though I only have a rather smaller environment, with a few hundred peers,
mostly meshed, I may have some hints:
Split the values for throughput and tunnels in marketing papers at least
in half if you have a real-world environment ;)
Depending on the NPE used, a 7200 might be OK, but look out for the 7400
with a VAM2 - much better than ISA/VAM1.
HSRP works fine. Stateful IPSec failover might work, but I gave up, as it
caused more trouble than benefit.
I'd rather split things up a bit to decrease tunnel-failover time, but
I'd definitely go with IOS.
But in general, the more features you use concurrently, like ACLs,
Inspection, RRI, NAT etc., the more likely you're hitting one of dozens
of bugs.

Michael

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kenny Sallee
> Sent: Friday, September 03, 2004 1:33 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco VPN capabilities
> 
> 
> Has anyone here worked in large scale VPN deployments
> (3000 + endpoints)?  What hardware did you use at the
> head end?  I'm thinking about Cisco 7200's VPN bundles
> with HW accelerators, HSRP, RRI and stateful IPSec
> failover (which Cisco claims they do).  Has anyone
> experienced this solution?  If so can you provide me
> with specifics of how many tunnels and how well
> failover works?  Does it work as advertised?
> 
> And of course if there are any alternate platforms
> that are compatible with PIX firewalls and Cisco
> routers that make sense for large VPN environments I
> wouldn't mind that info either.  Thanks,
> Kenny


