[c-nsp] Cisco ASA VPN Active/Standby - license requirements

Scott McGrath mcgrath at fas.harvard.edu
Mon Sep 22 10:33:25 EDT 2008


Think LBSSP

- Although Cisco making everything a 'Revenue Enhancement' opportunity
puts my teeth on edge, Cisco seems to have forgotten how they got to
their dominant position: mediocre products with GREAT support and
reasonable licensing terms. They still have mediocre products, but now
support is expensive and delivered by call center drones reading from a
script, and the licensing terms are unreasonable. It used to be that
Cisco was a compromise: you could get all your support under one roof,
and the commonality of the products made the compromise worthwhile. Now,
more and more, it seems the 'best of breed' approach is called for once
again.

The ASA is nowhere near the product the VPN3000 was. I can see Cisco not
wanting 3 separate hardware platforms for boxes with similar
computational capabilities, but at least come up with 3 separate images
which are optimized for the task at hand, NOT this LAME firewall with
some VPN stuff thrown in. Case in point: we use RRI on our VPN 3000's.
On the 3000's the RRI modifies the OSPF routing table directly. In the
ASA the RRI is handled by creating STATIC's, so much for 'no redistribute
static' if you have an out of band management network and want to handle
that routing statically. Now what was a simple, elegant solution which
worked for years (7 in our case) will become a science project with
route maps from here to infinity, and one that junior engineers will no
longer be able to support.

-

Jeff Kell wrote:
> Garry wrote:
>   
>>  ... makes sense
>> especially for Active/Active standby, as it's more or less load
>> balancing, too 
>>     
>
> Bzzzttt!  You can't do VPN in active/active mode, at least with 7.x and
> under.  If you can, please tell me how!
>
> Jeff

