Future Direction of VPN

Unanswered Question
Jun 21st, 2007

Hey All,

This has been in the back of my mind lately, and wanted to float this out there for any input. The company I work for has gone from limited VPN needs to using VPNs for business-critical applications. Our VPN requirements have gone from 2 L2L tunnels and 5-10 end-user connections to 130 L2L tunnels and a growing population of 100+ end-users. Unfortunately... the architecture has been built out with the aging VPN 3005 Concentrator. Looking to the future, I'd like to know what the direction of Cisco VPN strategy is so I'm not budgeting for improper VPN hardware. As I see it now there are a couple options.


- Has the ability to handle both L2L, end-user IPSec and SSL VPN connections. High availability could be done by virtualizing two identical routers with HSRP. Could prove to be messy configuration-wise, but by using IOS this fits nicely into our existing routing infrastructure (internally we route using BGP).


- Seems to be the future of VPN hardware, but it seems to be lacking features. The plusses are extended SSL VPN support and easier high-availability using the failover capabilities of the ASAs. My biggest concern is on the back-end with the routing. The ASAs still do not support BGP and I'm not sure if this will ever be an option. I do see EIGRP was added with v8, and EIGRP operates in a limited part of our routing infrastructure.

Just wanted to hear the direction others are going as the concentrators begin to age, and possibly if anyone knows where Cisco's VPN strategy is heading.



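An added example, not from the thread, of the first option's HSRP approach on an IOS router: the crypto map is bound to the HSRP standby group, so remote peers terminate on the virtual address and the standby router takes the tunnels over on failover. Addresses, names and the pre-shared key are placeholders; the second router carries the same configuration with its own interface address and a lower standby priority.

```cisco
! Phase 1 (ISAKMP) policy: AES-256, SHA-1, DH group 14, pre-shared key
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Placeholder key and remote peer address
crypto isakmp key REPLACE-WITH-STRONG-KEY address 203.0.113.2
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
!
! Interesting traffic: local LAN to remote LAN (placeholder ranges)
ip access-list extended VPN-TO-BRANCH
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address VPN-TO-BRANCH
!
! Outside interface: the HSRP virtual IP (192.0.2.1) is the address the
! remote peer points at; both routers share it, only the active one answers.
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HA
 ! Bind the crypto map to the HSRP group so IKE/IPsec use the virtual IP
 crypto map VPNMAP redundancy VPN-HA
```

The remote site must configure 192.0.2.1 (the virtual address), not either router's physical address, as its peer; this form is stateless, so existing SAs are renegotiated after a failover rather than carried over.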
srue Thu, 06/21/2007 - 09:08

Everything I've heard is that the ASA is indeed the VPN solution that Cisco wants its customers to move towards, hence the VPN edition of the ASA. It definitely sounds like your 3005's are already outdated. Do you do any sort of bandwidth monitoring on those?

We currently have PIX515's and 3005's as well, but I know our next step is to move to the ASA for both.

As far as BGP not being able to run on a firewall, are you sure you would even want this feature? At what point then does the PIX/ASA simply become a router? Personally, I prefer that my routers route, and my security appliances handle security... of course I have some crossover of both of these in my own network, but you get the idea.

roluce Thu, 06/21/2007 - 09:25

The term "VPN" means a number of different things, and it depends on who you speak to as to which meaning you'll be speaking of. Personally, the sales slug that used the terms MPLS and VPN together should be tarred and feathered. MPLS isn't VPN, but, that's digressing from the point.

IOS and ASA (VPN appliance) are really two different boxes for two different things.

Site-to-site VPN connectivity is something that IOS excels at: configurations requiring high availability options, interoperability with an existing network environment, traffic management capability, etc.

End user VPN is very possible in IOS, but it's not its strong point.

We are using IOS for our encrypted network to network transports, and for this purpose, I believe that Cisco IOS is the best solution available from any company.

For our encrypted end user connectivity, we use appliances which are more tuned to end user requirements and security.

I don't see this changing in the next couple of years.


