
Choose router for VPN and eigrp

Greg Maaaag
Level 1

Hello everyone!

We have a Vyatta software router and about 15 branches with Cisco 881W and Cisco 1941 routers. All branches have 10 Mb/s bandwidth and 3 of them have 50 Mb/s. The link to the Vyatta has 100 Mb/s bandwidth and it is situated in a datacenter.

All branches connect to the Vyatta via site-to-site VPN with IPsec.

I want to change the Vyatta to a Cisco router or an ASA.

Can you please tell me what device I should go for?

7 Replies

You can go with ASA 5515 or 5525 X series: http://www.cisco.com/en/US/products/ps6120/prod_models_home.html#~tab-b
ASA supports HA (but doesn't support EIGRP).

You should consider buying the IPS software module also.

Greg

You certainly could use an ASA for these site to site tunnels. I sometimes like to do site to site IPsec tunnels with a router rather than an ASA. In your situation I would think that something like a 1921 might be a candidate to replace the Vyatta.

HTH

Rick

Go for a router because manageability is easy in a router.

Regards,

Jawad

Rick,

are you sure 1921 would do it (100Mbps IPsec traffic)?

I would rather choose 2951 for this job.

Jernej

Jernej

You ask an interesting question and it caused me to do some additional research and resulted in my finding some interesting information. So thanks to you.

According to a white paper from Cisco on performance of ISR G2 (link is below), the 1921 is marginal for this requirement. It claims about 75 Mb each direction for IPSec traffic. To be sure of the capacity for this requirement it would need something in the 2900 series. A 2951 would be nice and certainly has the capacity needed. It looks like a 2921 would probably do also.

https://supportforums.cisco.com/servlet/JiveServlet/download/3805860-139872/white_paper_c11_595485.pdf

HTH

Rick

Rick, I was referring to the same datasheet ;)

Greg, if you choose a router over an ASA, don't forget to purchase the security bundle (SEC) instead of a router with the base licence.

Hello everyone!

Thank you for your answers!

As I said, at a couple of branches we have a 1941; one of them has a 20 Mb/s channel.

On this channel average traffic is 10 Mb/s with average CPU load 20%, maximum 14 Mb/s and 30% CPU.

I can divide the traffic into these categories:

1. Voice traffic from Cisco IP phones to Asterisk, which is behind the Vyatta

2. Video traffic. There are video cameras with a video registrator placed at almost every branch, and our security division sits behind another 1941 and looks at the video.

3. PCoIP traffic. Now we have about 10 zero clients, but in the future the director wants to set up to 30 zero clients (Cisco and Wyse) going through the Vyatta to the VMware View server

4. Traffic to our servers in the DC behind the Vyatta: to AD, accounting software, fileshare, WSUS, KMS and so on

5. Web traffic

We have 4 branches with such parameters; the other 11 have a Cisco 881 with CPU load up to 10-15%, a 10 Mb/s channel and this traffic:

1. Video

2. One or two PCoIP clients

3. Four running accounting software

4. A couple of calls from IP phones.

Now on the Vyatta we have a firewall with opened forwarded ports to our 3-4 servers, and VPN connections from 15 branches with routing.
