
Device capable of encrypted throughput at 1 Gbps or higher?

Don Maker
Level 1

We're looking to replace a couple of devices that are doing some VPN-based data center DR stuff. We're only getting about 200 Mbps of sustained VPN throughput with our current Juniper SRX240, but we would, ideally, like to see approx 1 Gbps. This will be on a 10 Gbps Internet connection (I work at a university, so we have crazy links). We are open to a Cisco solution as we use plenty of Cisco products elsewhere across campus and in the data center. I did some basic looking over my lunch hour today and it seems that for Cisco, we would need at a minimum an ASA5585-X with SSP-10. The cost on this is pretty high vs a Juniper SRX550 or SRX650, both of which advertise sustained, encrypted throughput of 1 Gbps or higher.

I'm curious what others here use for scenarios like this. I'll continue to look online, of course, and engage our vendor reps, etc, but I like getting peer feedback whenever I can as well.

Thanks!

5 Replies

Hello,

Here are the models that support 1 Gbps or higher:

http://www.cisco.com/c/en_ca/products/security/asa-5500-series-next-generation-firewalls/models-comparison.html#~tab-c

Reza Sharifi
Hall of Fame

Don,

This is just my opinion.

I would not switch from Juniper to Cisco, because the people who manage these firewalls today will hate you, as you have taken away a great device with great flexibility from them. If you are the one managing them, then I am sure you have used the rollback command, insert command, replace command, merge command, etc. Think about an outage at 2:00 AM when you add a command to a Cisco firewall and lock yourself completely out and the device is 2000 miles away. Who can go reboot it for you, and how long is it going to take before your boss starts screaming at you or you even get fired because you caused a big outage? That is when the rollback 5 command comes in handy, and if you lock yourself out, all you have to do is to wait 5 minutes and before your boss finds out, you are back in business. When you meet with Cisco to talk about ASA, ask them about these features :)

Juniper SRX 550 or 650 would be a perfect fit for you.

HTH

 

Thank you for the feedback, Reza. This is the type of stuff that I love to hear. You can't beat peer feedback when trying to make a product selection choice. 

I like the pricing of the Juniper devices, too. They look to be significantly cheaper than the ASA option. I put a feeler out to our f5 rep as well. BIG-IP Edge Gateway might be an interesting option. Also curious about what Aruba might have to offer. 

Don,

I have used F5 load balancers before. They are good devices but expensive. If you are looking for load balancers, check out A10 Networks. They are great with very reasonable prices and good support. Have never used their Edge-gateway.

As for Aruba, I use them for wireless only. Never had any issues with their controllers and/or APs. Great, solid products and also good support. I hope things don't change now that they are part of HP.

HTH

We do use f5 for LTM purposes. They do also make edge products that do IPsec tunneling. Our rep just got back to me that both entry-level products will achieve the IKEv1 and IKEv2 throughput that I'm looking for.

Since this is a pretty simple deployment with only one purpose--a single tunnel for data center DR--I think Cisco is going to be priced out of the running. The minimum I would need is a 5585-X with SSP-10. That will have lots of other great things like IPS and great remote access client support, etc. But I really don't need any of that for this purpose.