Hub and spokes advice

nvanhaute
Level 1

Hi,

I'm working on a hub-and-spoke VTI IPSec project. My lab is already OK: dual hub + VTI with BGP as dynamic routing inside the tunnels.

I should have around 250 spokes for 2 hubs (one primary, the other as backup). Spokes and hubs will be used only for IPSec usage (no internet access). IKEv2 with Suite B is used.

Total bandwidth will not be higher than 50 Mbps on hubs (so 50 Mbps encrypted).

Total routes learnt by BGP on hubs: around 1000.

 

With all the info I gathered, I thought of using:

- on hub side: 2x 1941 with ISM

- on spoke side: 881

What do you think? Should it be OK?

Thanks for your advice.

 

Regards

 

Nicolas

3 Replies

ghostinthenet
Level 7

50Mb of IPSec traffic is pushing the limit a bit on the 881, though the newer C881 may be a bit beefier. As long as 50Mb is your peak and not sustained, you should be okay.

Depending on how much spoke-to-spoke traffic you expect to see, you may find that DMVPN phase 3 will suit your needs better and eliminate the need to deploy BGP over all of your spokes.

I never said there will be 50 Mbps (IPSec) with the 881... but on the hub side, so all the bitrate coming from all spokes will be at this max.

Spoke to spoke will be very rare. I'm not a fan of DMVPN with the NHRP protocol; using VTI with BGP is easier and the configurations are very simple.

My question was more: 881/1941 (ISM) => is it OK with the given IPSec bitrate and number of tunnels (VTI) with BGP... it's more about the 1941.

Thanks

 

Nicolas

The 1941 should be fine. With the ISM, it can handle 140Mb of encrypted traffic and 500 IPSec tunnels.

Sorry about missing the hub reference in your original question. I really shouldn't answer technical questions late at night. :)