[c-nsp] CPE for IPSEC

Arie Vayner (avayner) avayner at cisco.com
Tue Aug 5 09:33:25 EDT 2008


Michael,
 
Would you also require any QOS policies (especially hierarchical
policing with shaping)?
 
Arie


________________________________

	From: Michael Malitsky [mailto:malitsky at netabn.com] 
	Sent: Tuesday, August 05, 2008 16:31 PM
	To: Arie Vayner (avayner); cisco-nsp at puck.nether.net
	Subject: RE: [c-nsp] CPE for IPSEC
	
	

	Arie,
	
	Thanks for the response.  200Mb is the aggregate bandwidth available on the WAN port at each site.  Even if I knew what the typical traffic rates were today, the application group would change something tomorrow, so I have to design for the worst case - 390kpps using 64-byte packets.
	I phrased the original question the way I did because the specs for the ASA and VAM are written in bits-per-second rather than packets-per-second.  In either case, I am curious how close the real world comes to the specs.
	
	Thanks,
	Michael Malitsky
	
	
	-----Original Message-----
	From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
	Sent: Tue 8/5/2008 3:51 AM
	To: Michael Malitsky; cisco-nsp at puck.nether.net
	Subject: RE: [c-nsp] CPE for IPSEC
	
	Michael,
	
	A few questions:
	
	1. I see you mention 225Mbps, but what is the packet-per-second rate?  This is actually a more important factor, as router performance is usually PPS-rate based.
	2. Is 225M the total hub rate, or is it per spoke?
	
	In general, I would suggest getting the HW encryption option (VAM in the 7200 case) as it would provide a more deterministic latency as encryption would be done in dedicated HW.
	
	Arie
	
	-----Original Message-----
	From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Malitsky
	Sent: Tuesday, August 05, 2008 01:36 AM
	To: cisco-nsp at puck.nether.net
	Subject: [c-nsp] CPE for IPSEC
	
	Greetings,
	
	The auditors are trying to force me to encrypt our WAN traffic.  The WAN in question is Cogent's ethernet service - built as a mesh of point-to-point VLANs.  There are 3 sites; at every site I have a single port over which I receive 2 VLANs in a dot1q trunk.  Aggregate bandwidth on the port is 200Mbps.  Putting in encryption seems fairly straightforward - 3 static IPSEC tunnels.  I am trying to figure out what kind of hardware can handle IPSEC at this bandwidth.  So far I am looking at:
	-ASA5520.  Specs say 225Mb of IPSEC - can the box actually handle that, or should I be looking at 5540?
	-7201 (or 7206) with NPEG2.  Do I need to add a VAM, or will the NPE handle the load?
	
	Any real-world experiences will be most appreciated.  Also, if there are better suggestions (including non-Cisco), please share.
	
	Thanks,
	Michael Malitsky
	
	
	_______________________________________________
	cisco-nsp mailing list  cisco-nsp at puck.nether.net
	https://puck.nether.net/mailman/listinfo/cisco-nsp
	archive at http://puck.nether.net/pipermail/cisco-nsp/
	
	
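The thread's sizing point (vendor crypto specs quoted in bits per second, router and crypto-engine capacity bounded by packets per second) worked through as an added example; this is not code from the thread or from Cisco. It uses the 200 Mb/s link, 64-byte worst case and 225 Mb/s ASA figure from the messages above, treats the 64 bytes as an IP packet length, takes ESP tunnel-mode overhead from RFC 4303 for AES-CBC with HMAC-SHA1-96, and assumes the vendor figure was measured with 1400-byte packets (an assumption, since the thread does not say).

```python
# Added example, not from the thread: why IPsec CPE sizing is a packets-per-
# second question even though vendor specs are quoted in bits per second.
# ESP tunnel-mode overheads are the RFC 4303 values for AES-CBC with
# HMAC-SHA1-96; the packet sizes passed in below are assumptions.

OUTER_IPV4_HDR = 20   # outer IPv4 header added in tunnel mode
ESP_HDR = 8           # SPI (4 bytes) + sequence number (4 bytes)
AES_CBC_IV = 16
AES_BLOCK = 16        # payload + trailer are padded to a multiple of this
ESP_TRAILER = 2       # pad length (1) + next header (1)
HMAC_SHA1_96_ICV = 12


def pps_from_bps(rate_bps: int, bytes_per_packet: int) -> float:
    """Packets per second implied by a bit rate at a fixed packet size."""
    return rate_bps / (bytes_per_packet * 8)


def esp_tunnel_len(inner_ip_len: int) -> int:
    """On-wire IP length of an inner packet after ESP tunnel-mode encapsulation."""
    pad = (-(inner_ip_len + ESP_TRAILER)) % AES_BLOCK
    return (OUTER_IPV4_HDR + ESP_HDR + AES_CBC_IV + inner_ip_len
            + pad + ESP_TRAILER + HMAC_SHA1_96_ICV)


def sizing_report(link_bps: int, worst_case_len: int,
                  spec_bps: int, spec_pkt_len: int) -> dict:
    """Compare the pps the link can demand with the pps a bps crypto spec implies.

    Assumes (as in the thread) the link is saturated with worst_case_len-byte
    packets, and that the vendor's bps figure was measured on encrypted
    packets that were spec_pkt_len bytes before encapsulation.
    """
    need_pps = pps_from_bps(link_bps, worst_case_len)
    spec_pps = pps_from_bps(spec_bps, esp_tunnel_len(spec_pkt_len))
    return {
        "required_pps": need_pps,
        "encrypted_len_at_worst_case": esp_tunnel_len(worst_case_len),
        "spec_pps": spec_pps,
        "spec_covers_worst_case": spec_pps >= need_pps,
    }


if __name__ == "__main__":
    # Thread figures: 200 Mb/s link, 64-byte packets, 225 Mb/s ASA spec.
    # The 1400-byte spec packet size is an assumption, not from the thread.
    for key, value in sizing_report(200_000_000, 64, 225_000_000, 1400).items():
        print(f"{key}: {value}")
```

The 64-byte worst case reproduces the 390,625 pps figure from the thread, while a 225 Mb/s spec measured at large packets works out to roughly 19 kpps of encrypted traffic, which is the gap the packets-per-second question is meant to expose.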