1751's and VPN

Status
Not open for further replies.

snootalope

Hello

I currently have a WAN in which each office has a 1751 router on-site. As of now, we have no VPNs in place. Each of my routers is running an IOS of 12.2(15)ZJ2. Last week my company was pricing out other frame-relay providers and one company made us a great offer, but they said we’ll need to do it all in VPN. I was told our current routers will support the VPN, but I don’t know if it’s just a software upgrade I need to do, or if I have to purchase new hardware.

Each of the routers has a T1 card in it for our frame, and two of them have FXO and FXS cards in them. I don’t know if that’ll affect me being able to support a VPN, but just thought I’d mention it. I did notice on Cisco’s site that they mention “Security Bundles.” Those include a VPN module and Memory upgrade. I have 64 meg of RAM already! So, can someone tell me, do I need to purchase additional hardware for my routers to support a VPN, or can I just upgrade my IOS to a feature set that includes the IP/VOICE IPsec 3DES?

Thanks for any info..
 
The VPN bundles include a VPN accelerator card as well which offloads the 3DES encryption to hardware so as not to load up the CPU.

But I recently installed a 1750 with 3DES, 64meg RAM and no VPN card; it runs fine with a 512k DSL link. Customer has no complaints of slow speed etc.

But, I think if you buy the card as a component you end up paying a lot more than if you buy the bundle.

I suppose the first question on your current route is what does the CPU run at presently (SH PROC) and how much memory is available? (SH MEM)

 
CPU time on all of our routers is staying under 20% on an average. The memory average is around 18 meg available, but that's without the IOS with the 3DES feature set.

We're looking at implementing full T1's to each of our offices so bandwidth is not a factor here.. My largest office outside of the home office has 17 users, the others are like 10 and 10.

So what do you think? Do I just need to up my IOS to something that has the 3DES built in? Or is the bundle a better bet? Remember, two of my four office routers have voice cards, so I've got to have the feature set with IP/VOICE PLUS and the IPSec 3DES.

Thanks!
 
I'd go for the VPN bundle at the sites which have voice as well. Reason is that these are the ones that are most likely to have a higher average CPU load.
Redeploy the existing routers to the branch offices without voice, if they don't have routers currently.

I seem to recall reading a document on cisco.com, or maybe a study guide, that recommended a VPN card for instances where there are more than 8-10 VPN tunnels in concurrent use.

 
So you're saying use the vpn cards at my remote offices? With or without voice huh..

See, I was thinking, if I have my home office as the only one with a vpn card, because it will be receiving the most info consistently.. I'm only going to have 3 tunnels total, so I may not even need a vpn card at the home office..

snoots
 
Snoots, I'd consider using the cards where the CPU load is going to be at its highest, which I would have thought is where they are processing voice and data.

The attached link points to the data sheet on these cards for more info. Of course there is nothing to stop you going ahead without hardware encryption and, if you run into problems, adding this later. The cards don't need any configuration; once fitted, the additional CPU is automatically used for the encryption.



Note the performance figures: for the MOD1700-VPN, max throughput is 8mbps at 1400 byte packets; this will reduce to around 2.5mbps at 64 byte packets. This is still adequate for T1 performance.
 