In order to hit performance marks that are excellent with IPSec you will need not only a spiffy NPE but the PA-VAM or PA-ISA. Be aware that the PA-VAM may not work with the latest and greatest IPSec image. I picked up a 7206VXR VPN bundle from Cisco last month and the only IOS supported was 12.1(9)E. This may have changed with 12.2(13)T - do your homework and test it.

With the VAM and the NPE-400 Cisco claims ~150Mbps throughput. Be sure to top it off with memory - if you are running lots of tunnels you will need the space. I haven't tested the performance myself and do not know how the split bus of the 7200's will affect performance of one PA or another depending on where it's plugged in. Not all my questions have been answered...

The VPN bundle lists for $23,500 - apply your discount. That gives you FastEthernet interfaces (2), the PA-VAM, and the NPE-400. You'll have to pay for more....

If you can use a newer IOS version (come ON Cisco...) you can run the easy VPN server on the box and make life so much easier. The 12.1 code does a good job of working with x.509 certs, but there is a lot of command change between 12.1(9) and 12.2(13)T, so watch your configurations carefully and be prepared to rewrite things between versions.

The PA-ISA does run with a piece of 12.2 code (I have a client using it) and does just fine. In the case of both accelerators there is no AES support that I am aware of. If you are looking for AES, the software crypto engine is supposed to support it in 12.2(13)T on some (all?) platforms and I've heard that there's a new crypto hardware piece in the works to support it also.
Just a thought: Depending on your application, you may consider buying two smaller VPN enabled routers (3600 or 2600) and using multiple tunnels from each site to the hub for layer 3 based load balancing and fault tolerance. They are routers, make 'em route! (Or heck, just buy 2 7206 bundles... :) You may get performance every bit as good, with availability numbers that make you look like an uber-star to the boss.

TTFN,
Bill Pearch, Anchorage

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 21, 2002 10:11 AM
To: [EMAIL PROTECTED]
Subject: RE: 7200 Router Questions... [7:59645]

thanks for the info.

have you or anyone else any idea what configuration it takes for a 7200 router to be comparable in performance to a PIX 515 when it comes to a site-to-site VPN?

for example, would a 7204VXR by itself be enough (over more than enough, for that matter) to meet the packet throughput performance of a PIX 515 on a 3DES ipsec tunnel set up site-to-site? i can't seem to find pps performance specs for the 7200 series...

thanks,
ed

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 20, 2002 1:46 PM
To: Edward Sohn
Cc: [EMAIL PROTECTED]
Subject: Re: 7200 Router Questions... [7:59645]

Edward Sohn wrote:
> Can anyone help me answer a few questions regarding this series
> router?
>
> 1. The spec sheet says it performs multiprotocol routing over ipsec.
> My question is: how? Is there some inherent technology that performs
> this feature, or is it the IOS's ability to create a GRE over an IPSEC
> tunnel?
> 2. What are the main differences between the NPE's and NSE's?
> I can't decide which processor I need.

The primary difference is the NSE is only supported in the 7200VXR and incorporates the PXF processor for accelerated packet switching.

> 3. What's the difference between the VXR models and the "normal"
> models?
To get VXR performance you must use at least a NPE300 and you get a MIX backplane, good for voice stuff. Also the VXR gives you increased backplane bandwidth capabilities. With the new NPE-1G you no longer have any bandwidth point limitations!

Dave

>
> That's it, for starters...any help would be greatly appreciated.
>
> Ed

--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"You don't make the poor richer by making the rich poorer." --Winston Churchill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59780&t=59645

