03-28-2010 04:02 AM - edited 03-11-2019 10:26 AM
We have a PIX 535 firewall with licensed failover. We want to introduce one additional gigabit port for a client requirement; we have already used three gigabit ports, and we can make the provision by replacing the VAC+ card.
So I want to know what impact it will have on VPN. We have configured remote-access VPN with around 20 tunnel groups, but continuous use of the VPN is only done by one group.
Will replacing the VAC+ card hamper the VPN connections, and can we go ahead with the replacement?
03-28-2010 04:04 AM
I would use subinterfaces on the existing gig ports and leave the VAC+ card in there.
-KS
03-28-2010 04:46 AM
Kusankar, I don't want to create subinterfaces, as my requirement is to create a new DMZ whose traffic should be on a gig interface, and I have extra gig cards, so installing a gigabit port card in the slot where the VAC+ card is installed can achieve my requirement.
So the only thing I am not sure about is the impact on the VPN connections.
So I want to know whether replacing the VAC+ card will hamper the VPN connections, and whether we can go ahead with the replacement.
03-28-2010 05:42 AM
rajsh.sharma wrote:
Kusankar, I don't want to create subinterfaces, as my requirement is to create a new DMZ whose traffic should be on a gig interface, and I have extra gig cards, so installing a gigabit port card in the slot where the VAC+ card is installed can achieve my requirement.
So the only thing I am not sure about is the impact on the VPN connections.
So I want to know whether replacing the VAC+ card will hamper the VPN connections, and whether we can go ahead with the replacement.
Well, the answer is: it depends.
How much CPU is being used currently on the firewall? If it is low, then yes, you could probably remove the VAC+ card and still be able to run your VPN connections, but obviously you are now asking the main CPU of the firewall to do more work.
How much VPN traffic is there going through the firewall? Again, if it is relatively low, you should be fine without the VAC+ card, but if you have high volumes of VPN traffic then this can severely impact the main CPU.
It is one of those questions that is difficult to answer because it is unclear what the current state is. I have run 20+ site-to-site VPNs on a PIX 515E with no VAC card and it has run fine, but then that PIX was really only being used to terminate VPNs. What can be said for sure is that offloading VPN encryption to the VAC+ card takes load off the main CPU. Removing the VAC+ card will put that load back. So, as I said, you need to base the decision on current CPU usage and VPN throughput requirements.
If you do not need full gigabit throughput for this DMZ or one of your others, I would be tempted to do what Kusankar suggested and think about using subinterfaces. What you can do is remove the VAC+ card and, if you find CPU too high, then you have the subinterface solution as a backup.
Jon
Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
03-28-2010 07:44 AM
Thanks Jon,
Currently CPU utilisation is around 30% max. I also have a query: how do I find out how much actual VPN traffic is going through the firewall?
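Jon's answer makes the decision rest on two measured numbers, current CPU load and VPN throughput, and the follow-up post asks how to get the second one. The script below is an added example for that measurement; it is not from this thread and not Cisco's own tooling. It diffs two captures of `show vpn-sessiondb` output taken a known number of seconds apart and reports per-tunnel-group throughput in Mbit/s, which is the encrypt/decrypt workload that would move back onto the main CPU without the VAC+. The two snapshots embedded in it are constructed sample data, and the field layout it parses (`Username ... Index` on one line, `Bytes Tx ... Bytes Rx` on one line, `Tunnel Group`) is an assumption about the PIX/ASA 7.x format that you should check against your own output before trusting the numbers. Pair the result with `show cpu usage` taken over the same window.

```python
"""Per-tunnel-group VPN throughput from two `show vpn-sessiondb` snapshots.

Added example, not code from the thread or from Cisco. The field layout
(Username/Index, Bytes Tx/Bytes Rx, Tunnel Group) is ASSUMED to match the
PIX/ASA 7.x output; the snapshots below are constructed sample data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed line shapes; adjust the patterns if your firewall prints them differently.
SESSION_START = re.compile(r"^Username\s*:\s*(\S+)\s+Index\s*:\s*(\d+)")
BYTES_LINE = re.compile(r"Bytes Tx\s*:\s*(\d+)\s+Bytes Rx\s*:\s*(\d+)")
TUNNEL_GROUP = re.compile(r"Tunnel Group\s*:\s*(\S+)")


@dataclass
class Session:
    username: str
    index: int            # new index on reconnect, so (username, index) = one session
    tunnel_group: str = ""
    bytes_tx: int = 0     # bytes sent to the client (encrypted by the firewall)
    bytes_rx: int = 0     # bytes received from the client (decrypted by the firewall)


def parse_sessiondb(text: str) -> Dict[Tuple[str, int], Session]:
    """Parse one `show vpn-sessiondb` capture into sessions keyed by (username, index)."""
    sessions: Dict[Tuple[str, int], Session] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_START.match(line)
        if m:
            current = Session(username=m.group(1), index=int(m.group(2)))
            sessions[(current.username, current.index)] = current
            continue
        if current is None:
            continue  # header lines before the first session block
        m = BYTES_LINE.search(line)
        if m:
            current.bytes_tx, current.bytes_rx = int(m.group(1)), int(m.group(2))
        m = TUNNEL_GROUP.search(line)
        if m:
            current.tunnel_group = m.group(1)
    return sessions


def throughput_by_group(before: Dict[Tuple[str, int], Session],
                        after: Dict[Tuple[str, int], Session],
                        interval_s: float) -> Dict[str, Tuple[float, float]]:
    """Return {tunnel_group: (tx_mbit_s, rx_mbit_s)} over the sampling interval.

    A session in both snapshots contributes its counter delta. A session only in
    `after` (new login, or a reconnect that got a fresh index) contributes its whole
    count, since all of it happened inside the interval. A session whose counters
    went backwards (reset or wrap) is skipped instead of being reported as negative
    traffic. Bytes from sessions that disconnected mid-interval are not recoverable.
    """
    totals = defaultdict(lambda: [0, 0])
    for key, new in after.items():
        old = before.get(key)
        if old is None:
            d_tx, d_rx = new.bytes_tx, new.bytes_rx
        else:
            d_tx, d_rx = new.bytes_tx - old.bytes_tx, new.bytes_rx - old.bytes_rx
            if d_tx < 0 or d_rx < 0:
                continue
        totals[new.tunnel_group][0] += d_tx
        totals[new.tunnel_group][1] += d_rx

    def to_mbps(nbytes: int) -> float:
        return nbytes * 8 / interval_s / 1e6

    return {g: (to_mbps(tx), to_mbps(rx)) for g, (tx, rx) in totals.items()}


# Constructed sample captures, 60 seconds apart. user2 reconnected in between
# (Index 7 -> 9), so its counters restart from zero.
SNAPSHOT_BEFORE = """\
Session Type: IPsec

Username     : user1                  Index        : 5
Assigned IP  : 10.1.1.5               Public IP    : 198.51.100.20
Bytes Tx     : 1000000                Bytes Rx     : 2000000
Group Policy : GP-Engineering         Tunnel Group : RA-Engineering
Login Time   : 10:00:00 UTC Sun Mar 28 2010

Username     : user2                  Index        : 7
Assigned IP  : 10.1.1.6               Public IP    : 198.51.100.21
Bytes Tx     : 500000                 Bytes Rx     : 100000
Group Policy : GP-Sales               Tunnel Group : RA-Sales
Login Time   : 10:05:00 UTC Sun Mar 28 2010
"""

SNAPSHOT_AFTER = """\
Session Type: IPsec

Username     : user1                  Index        : 5
Assigned IP  : 10.1.1.5               Public IP    : 198.51.100.20
Bytes Tx     : 76000000               Bytes Rx     : 152000000
Group Policy : GP-Engineering         Tunnel Group : RA-Engineering
Login Time   : 10:00:00 UTC Sun Mar 28 2010

Username     : user2                  Index        : 9
Assigned IP  : 10.1.1.6               Public IP    : 198.51.100.21
Bytes Tx     : 3000000                Bytes Rx     : 600000
Group Policy : GP-Sales               Tunnel Group : RA-Sales
Login Time   : 10:30:40 UTC Sun Mar 28 2010
"""


def report(interval_s: float = 60.0) -> Dict[str, Tuple[float, float]]:
    """Throughput per tunnel group for the embedded sample snapshots."""
    return throughput_by_group(parse_sessiondb(SNAPSHOT_BEFORE),
                               parse_sessiondb(SNAPSHOT_AFTER), interval_s)


if __name__ == "__main__":
    for group, (tx, rx) in sorted(report().items()):
        print(f"{group:<16} tx {tx:8.2f} Mbit/s   rx {rx:8.2f} Mbit/s")
```

In practice, log the console (or `ssh ... 'show vpn-sessiondb'`) to two files with a timer between them and feed the file contents to `parse_sessiondb` instead of the embedded strings; a 60-second window during the busy group's normal working hours gives a more honest number than a single sample. Because the per-session counters restart on reconnect, keying on (username, index) rather than username alone is what keeps a rekey-and-reconnect from showing up as a negative or inflated delta.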