
Cisco 1921/ K9

tech.linkwave
Level 1

Hello All,

 

1: At my Corp Office I have installed a Cisco 1921/K9. I want to know how many IPSec VPN tunnels the Cisco 1921/K9 can support and what the IPSec VPN throughput is.

2: I have connected a bandwidth link (150 Mbps download and 25 Mbps upload) to my Cisco 1921/K9. I want to know whether the Cisco 1921/K9 is capable of handling 150 Mbps bandwidth.

3: If one of my retail locations is running on 10 Mbps bandwidth on a Cisco RV220W connected to the Corp Office's Cisco 1921/K9, how much bandwidth will the IPSec tunnel use?

4: I have 200 retail locations and each has 3 computers, 5 computers maximum, connected over wifi and wires (mixed: a few are on wifi and a few are wired). Which one is better to install at the retail locations, Cisco RV325 or Cisco RV220W?

 

Thanks,

Sandy

 


tech.linkwave
Level 1

My goal is to connect all 200 locations to the Corp Office over VPN so that they can join the domain.

I have a Cisco 1921/K9 at the Corp Office and do not have any Cisco routers at the retail locations, so we are planning to buy some for the retail locations.

I want dual VPN on the Cisco 1921 for load balancing and failover,

so that each retail location connects to the Cisco 1921 by two tunnels and if the 1st goes down the 2nd comes into play automatically.

Also, I have 2 Internet connections from the same internet service provider and I want to connect both to my Cisco 1921/K9 for dual VPN to achieve VPN load balancing and failover.

Please let me know how to achieve this goal...

Thanks

Sandy

The 1921 is far too slow for that task. With a limited budget, I would go at least for a 2921 if it should be an ISR G2. But there are now the newer ISR4000, where the 4331 looks like a good choice.

And for real redundancy, you should have two of them, one for each internet-connection. Or one faster one for the primary link and the 1921 for the backup link. But with the 1921, only 150 tunnels are supported.

For the retail locations I wouldn't use one of the SMB-devices. The 800 series routers should be fine there.

@ Corp Office: The Cisco 1921 is slow for 200 locations, I agree, but what about the total number of VPN tunnels? A few say 250, a few stated 150. I even tried searching Google but had no luck. I am getting confused!

Well, the 1921 is not good enough to handle that much traffic, so I will get 2 Cisco 4000 series routers.

I just checked the data sheet and found that the Cisco 4331 throughput is 300 Mbps with 4 GB RAM and 3 Gigabit WAN ports, but again Cisco didn't mention the total number of IPSec VPNs and its IPSec VPN throughput. Do I need a license to use IPSec VPN on it?

@ Retail Location:

Which one do you suggest from the Cisco 800 Series? Each retail location has a minimum of 3 and a maximum of 5 users/computers at different internet speeds. 50 locations are running on 50 Mbps download and 10 Mbps upload speed, 10 are running on 10 Mbps and the remaining are running at 7 Mbps. At each location we need 2 wifi SSIDs, one for guest access and another to connect wifi all-in-one computers, because each location is a retail location and not all computers are hardwired.

Why not the Cisco RV325 or Cisco RV220W? Both support 25 IPSec VPN tunnels at 100 Mbps throughput.

 

Thanks,

Sandy

ISR4331/K9

  ISR 4331 with 3 onboard GE, 2 NIM slots, 1 ISC slot, 1 SM slots, 4 GB Flash Memory default, 4 GB DRAM default

Cisco 4331 /K9 no redundant power supply.....

Default is 100 Mbps, to gain 300 Mbps need to purchase a PERF license...

| Platform | Performance-on-Demand License | Features |
|---|---|---|
| ISR4331 | FL-4330-PERF-K9 | Increases the performance from base performance 100 Mbps to 300 Mbps |

 

 

For the retail locations I would look at the 880s series. They are available with integrated ADSL/VDSL modems and also wireless. The WLAN can be controlled by a WLC.

The management is the reason I wouldn't use the RV-devices. As far as I know, they still don't have anything that is IOS-like. The AP can be controlled with a WLC which also makes management quite easy.

For the 4000 router, I only know what is stated in the data sheet and the licensing part of the config-guide (the last Cisco 4000 router I operated was from a decade ago ... ;-) ).

But there are again feature-licenses like SEC/HSEC that you would need.

It seems that the performance is completely controlled by the license and the 100/300 MBit/s is the performance with services. But without the HSEC-license you are limited (as with many Cisco routers) to 85 MBit/s encrypted bandwidth and 225 tunnels.

You suggested 2 Cisco 4431 routers to achieve load balancing and failover. What about the firewall? Do I need to purchase 2 firewalls, 1 for each router?

 

You don't need two firewalls to operate both links, but if you also want some level of HA, you should have two of them. Two 5515-X could be the right device for your needs if you want to primarily firewall internet-traffic. If you also have much traffic from inside to different DMZs (or between DMZs), then the 5525-X could be the right one.

Actually I do not want to increase my budget, so I will prefer only 1 firewall.

Please tell me how I will point 2 Cisco 4431 routers to 1 firewall and 1 firewall to 2 ISP connections.

Actually it is about 120 retail locations (in the next 3 years it would be near about 150) so I do not want any downtime. So my plan is:

 

@ Corp Office My Goal is:

2 different internet connections (150 Mbps download and 25 Mbps upload each) for failover and load balancing; I want to use both for faster speed.

2 Cisco 4331 routers for IPSec VPN failover and load balancing.

 

ISP1:                                             CISCO 4331 (IPSec VPN Tunnel) 

                 FIREWALL5512                                                                      CORP Servers

ISP2:                                             CISCO 4331 (IPSec VPN Tunnel)

 

Please tell me if this is not correct, 

 

Thanks,

Sandy (Sandeep Sharma)

Sandy@wer-wireless.com

Direct: +01-856-812-0158

Tech Specification of ASA 5512 Firewall:

| Feature | Cisco ASA 5512-X, Security Plus |
|---|---|
| Stateful inspection throughput (maximum) | 1 Gbps |
| Stateful inspection throughput (multiprotocol) | 500 Mbps |
| ASA IPS throughput | 250 Mbps (extra hardware not required) |
| Next-generation firewall throughput (multiprotocol) | 200 Mbps |
| Triple Data Encryption Standard/Advanced Encryption Standard (3DES/AES) VPN throughput | 200 Mbps |
| Users/nodes | Unlimited |
| IPsec VPN peers | 250 |

 

Thanks,

Sandy

To achieve this goal, should I configure ISP redundancy and load balancing in Active/Active mode on the Cisco 5512 firewall and HSRP in Active/Active mode on both Cisco 4431s? Am I right?

Please check the network diagrams below and tell me which one is correct to achieve what I need.

 

Network 1: With 1 ASA 5512 and 2 Cisco 4331

ISP1:                                        CISCO 4331 (IPSec VPN Tunnel) 

                 FIREWALL5512                                                                CORP Servers

ISP2:                                        CISCO 4331 (IPSec VPN Tunnel)

 

Network 2: With 2 ASA 5512 and 2 Cisco 4331

ISP1: ---> FIREWALL 5512 ---> CISCO 4331 (IPSec VPN Tunnel) 

                                                                                                            CORP Servers

ISP2: ---> FIREWALL 5512 ---> CISCO 4331 (IPSec VPN Tunnel)

 

As per Cisco, the license and the total number of IPSec tunnels combine if we are using Active/Active mode in load sharing and failover. (I am not sure, please correct me if I am wrong here.)

If that's correct, then we can use the Cisco 1921 after applying a performance license, and in that case the total number of tunnels and the throughput would be increased.

 

Network 3: With ASA 5505 and Cisco 1921

ISP1: ---> FIREWALL 5505 ---> CISCO 1921 (IPSec VPN Tunnel) 

                                                                                                              CORP Servers

ISP2: ---> FIREWALL 5505 ---> CISCO 1921 (IPSec VPN Tunnel)

 

Thanks,

Sandy 

It all depends on how you want your network to behave. Typically I would set it up the following way:

  • Both ASAs in Active/Standby Failover. That's the reason for the 5515-X; the 5512-X needs an extra license for FO. The 5512-X + SecPlus license is exactly the same list price as the faster 5515-X.
  • Both routers terminate the VPNs with VTIs or FlexVPN. That's also a reason for ISRs on the spokes. With a routing-protocol you control the routing to the sites.
  • The ASAs are connected to both ISPs on two outside interfaces.
  • The routers are connected to both ASAs on a shared WAN-interface. Here you can control the traffic by extending the routing to the ASA or by using HSRP to send the traffic to one router.
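
A spoke-side sketch of the "two hub routers, VTIs plus a routing protocol" design described in the post above, as an added example that is not part of the original thread and not a configuration any poster supplied. It assumes IKEv2 with pre-shared keys, EIGRP as the routing protocol, `FastEthernet4` as the spoke WAN interface, and one public address per hub router; all names, addresses (documentation and private ranges) and keys are constructed placeholders.

```cisco
! Constructed retail-site (spoke) configuration: one static VTI per hub router.
crypto ikev2 keyring HUB-KEYS
 peer HUB1
  address 198.51.100.1
  pre-shared-key <PLACEHOLDER-PSK-HUB1>
 peer HUB2
  address 203.0.113.1
  pre-shared-key <PLACEHOLDER-PSK-HUB2>
!
crypto ikev2 profile HUB-PROFILE
 match identity remote address 198.51.100.1 255.255.255.255
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local HUB-KEYS
 ! Dead peer detection so a failed hub or ISP path tears the SA down quickly
 dpd 10 3 on-demand
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-HUB1
 set transform-set TS-AES256
 set ikev2-profile HUB-PROFILE
crypto ipsec profile VTI-HUB2
 set transform-set TS-AES256
 set ikev2-profile HUB-PROFILE
!
interface Tunnel1
 description VTI to hub router 1 (reached via ISP 1)
 ip address 10.255.1.2 255.255.255.252
 ! Lower delay than Tunnel2: EIGRP prefers this path while it is up
 delay 1000
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile VTI-HUB1
!
interface Tunnel2
 description VTI to hub router 2 (reached via ISP 2)
 ip address 10.255.2.2 255.255.255.252
 ! Set equal to Tunnel1's delay for equal-cost load sharing instead of backup
 delay 2000
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile VTI-HUB2
!
router eigrp 100
 network 10.255.0.0 0.0.255.255
 network 192.168.10.0 0.0.0.255
 eigrp stub connected
```

With this layout every site consumes one tunnel on each hub router, so the per-router tunnel limits quoted in the thread apply to the site count on each router separately.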

Can you please create a network diagram so that I can understand it properly?

 

 

Ok, as per the network diagram: if ISP 1 fails it will work on ISP 2.

If ASA 1 fails it will work on ASA 2.

Where does the 2nd router come into play?