[c-nsp] 7600 vs. 7200 vs. ASR1000 for multi-gigabit encrypted traffic?
Andrew Gristina
agristina+cisco-nsp at gmail.com
Tue May 27 18:56:42 EDT 2008
On Tue, May 27, 2008 at 3:29 PM, Robert Blayzor <rblayzor.bulk at inoc.net> wrote:
> On May 27, 2008, at 5:17 PM, Lasher, Donn wrote:
>> At least on paper, the SA-VAM2, and C7200 VSA modules, in a
>> 7200/NPE-G2 could at least make a good showing at what you're
>> talking about here.
>
>
>
> Good showing, are you serious?
>
> "We're setting up a WAN connecting 12 main sites and maybe 100
> smaller sites. Each of the main sites will have 1Gbps links and
> the smaller will have on the order of < 100Mbps (average will
> probably start closer to 10Mbps and possibly climb towards
> 100Mbps over time)."
>
> 12 x 1GE
> 100 X 100Mbps.
>
> While I realize he may not be looking at wire speed throughput on
> every connection, considering an NPE-G2 is probably really only good
> for maybe a max of 500-800Mbps of "typical" traffic, and the lack of
> ports.... it's not even worth considering.
>
> A 7206VXR might "get your foot in the door" as a proof of concept,
> with those requirements you'd be replacing it almost immediately.
>
I've looked at 10Gb IPSec throughput recently, and I'd say you'd be
hard pressed on any platform. The current easiest/cost-effective way
to do it is to break out terminating the IPSec and switching and
routing. Since you are terminating multiple tunnels to get 10Gb+ of
encrypted traffic, this is easy. I'd look into the biggest ASAs
(5580-40) for IPSec termination and then deal with routing/switching
termination of your customers conventionally. I'd probably start with
a few ASAs. The customer termination part I didn't follow closely
enough to suggest hardware.
It makes it easier to troubleshoot as well.