[c-nsp] 7600 vs. 7200 vs. ASR1000 for multi-gigabit encrypted traffic?

Terje Bless link at pobox.com
Tue May 27 14:52:53 EDT 2008


Hi all,

We're setting up a WAN connecting 12 main sites and maybe 100 
smaller sites. Each of the main sites will have 1Gbps links and 
the smaller will have on the order of < 100Mbps (average will 
probably start closer to 10Mbps and possibly climb towards 
100Mbps over time).

All traffic over this WAN must be encrypted.

Given the (sparse, I know) information above, what model router 
would you suggest? Gut feeling? Experience?

I'm specifically looking at ASR1000 vs. 7200VXR vs. Cat6500/7600.


We're having a discussion internally where a lot of people are 
suggesting a 7206VXR, whereas I started out thinking along the 
lines of a 6500/7600 series box and am now leaning towards an 
ASR1000 series box as a sort of “compromise position” 
(partly because the 7600 BU haven't got their act together on 
GET VPN support yet, and the 6500 folk only make vague mumbling 
noises about Q4/2008 with no real conviction).

I'm a bit sceptical about the 7200 series based on what little 
I've picked up about its architecture, performance, scalability, 
and probable useful lifespan (those 1Gbps pipes hopefully won't 
be saturated from Day 1, but...). Granted I've barely laid hands 
on one of those boxes, whereas I've worked quite a bit with 
6500/7600 (I'm a LAN kind of guy at heart ;D), so I'm probably a 
bit biased.


My quick calculations suggest the 6500/7600 series will be 
overkill, but everything else will be somewhere between slightly 
oversubscribed (ASR1000: 10Gbps backplane / ~2.5Gbps encrypted 
IMIX) to very oversubscribed (7200VXR: 1.8Gbps backplane / 
600Mbps encrypted IMIX)[0].

[0] — These are the marketing numbers picked from /guest/ on CCO.
       The numbers quoted by our Cisco rep and various informal
       sources are… variable.

There's also a whole bunch of feature-support issues (QoS; we 
may need to run MPLS on top of this, or maybe beneath; GET is 
spec'ed, but DMVPN et al are still possibilities; plan is to use 
external ASA for FW, but may end up doing IOS Firewall; not 
planning on doing NAT, but a case might pop up; no need for 
IPv6, multicast, etc. today, but... etc. etc.), but I'm 
deliberately ignoring those for the purposes of this post.


Anyways, I'm a bit too green at choosing router iron on this 
scale to feel entirely confident in my assessment here. Any of 
you lot feel I'm way off? Agree with me? Think I should look at 
other boxes entirely?


TIA, -link


PS. If “Help me pick a box please” messages are off-topic 
and known to agitate the natives, my apologies. I tried to find 
a FAQ and Google only came up with the thread back in ~2000 
concluding c-nsp didn't need one. :-)

-- 
>I suggest you attend some sort of anger management class....
That's where you learn to upset the PHBs?
                                                       -- Peter da Silva


