[c-nsp] 7600 vs. 7200 vs. ASR1000 for multi-gigabit encrypted traffic?

[Kevin Graham]

> We're setting up a WAN connecting 12 main sites and maybe 100 
> smaller sites. Each of the main sites will have 1Gbps links and 
> the smaller will have on the order of < 100Mbps
[...]
> All traffic over this WAN must be encrypted.

Is the WAN all direct PtP? Based on link speeds you cited,
presumably this is ethernet? If yes to both of these, it might be
worth bringing up 802.1AE/af with your account team, as old
roadmaps suggested that it may be an option soon.

> Given the (sparse, I know) information above, what model router 
> would you suggest? Gut feeling? Experience?
> 
> I'm specifically looking at ASR1000 vs. 7200VXR vs. Cat6500/7600.

The VPN SPA's are probably the best approach if you're really
touching those traffic levels, though the bump-in-the-wire config
for them is awkward (and annoying, since presumably it could be
managed internally to support 'tunnel protection'-style SA's).

If you can cope w/ multiple tunnels (and devices) for the larger
links, NPE-G2/VSA's will give you the most flexible solution
from a redeployment and future configuration standpoint. For
smaller sites still, ISR's could be used w/ the same configuration.

> I'm a bit sceptical about the 7200 series based on what little 
> I've picked up about its architecture, performance, scalability, 
> and probable useful lifespan (those 1Gbps pipes hopefully won't 
> be saturated from Day 1, but...). 

Yeah, the NPE-G2/VSA would be fine for a few of the smaller sites,
but won't handle the main ones. The biggest problem is getting
a consistent solution -- those would be great with the ASR1000's
or 6500's for larger sites. With those 3 platforms you get 3
divergent branches of software. Since Cisco has touted this as a
feature, rather than a temporary necessity, a uniform config for
your different sites is inconsistent with their direction.