Frequent Contributor

Best Virtual Tunnel Concentrator Device?

Wondering what anyone could recommend if you needed a Virtual/VM appliance like a CSR1000v or something that you really only want to configure as an IPSEC hub device. Looking for some help.

VIP Advisor

Hi,
As you suggested, I'd go with a CSR1000v. An IOS/IOS-XE router supports more types of IPSec VPN than an ASA does, which in turn supports more than an FTD (currently). Cisco considers crypto map legacy and recommends using VTIs; routers support the widest range of VPN topologies.

ASA only supports a static VTI and crypto maps, and the FTD only supports crypto maps; static VTIs are coming in FTD 6.7.
IOS/IOS-XE routers support Crypto Map, GETVPN, DMVPN and FlexVPN (Dynamic and Static VTI).

However, if you want a Remote Access SSL-VPN solution, then probably ASA or FTD is a better choice than an IOS/IOS-XE router.

HTH


Great thanks! What about if you decided to go with a physical device? What comes to mind?

Hi,
It depends on the number of tunnels to be supported and required IPSec throughput.
Determine your requirements and then spec from there, but you could use the ISR 1000 or 4000 series routers or, for a large deployment, ASR 1000 routers.

HTH


Right, I would say the device must be able to support a couple hundred plus tunnels at least.