
Impact of Replacing VAC+ card in PIX 535

We have a PIX 535 firewall with licensed failover. We want to introduce one additional gigabit port for a client requirement; we have already used 3 gigabit ports, and we can make the provision by replacing the VAC+ card.

So I want to know what impact it will have on VPN. We have configured remote access VPN with around 20 tunnel groups, but continuous use of the VPN is only done by one group.

Will replacing the VAC+ card hamper the VPN connection, and can we go ahead with the replacement?


4 Replies

Kureli Sankar
Cisco Employee

I would use a sub-interface on the existing gig ports and leave the VAC+ card in there.

-KS

Kusankar, I don't want to create a subinterface, as my requirement is to create a new DMZ whose traffic should be on a gig interface, and I have extra GIG cards, so installing a gig port card in the slot where the VAC+ card is installed can achieve my requirement.

So the only thing I am not sure about is the impact on the VPN connection.

So I want to know whether replacing the VAC+ card hampers the VPN connection and whether we can go ahead with the replacement.

rajsh.sharma wrote:

Kusankar, I don't want to create a subinterface, as my requirement is to create a new DMZ whose traffic should be on a gig interface, and I have extra GIG cards, so installing a gig port card in the slot where the VAC+ card is installed can achieve my requirement.

So the only thing I am not sure about is the impact on the VPN connection.

So I want to know whether replacing the VAC+ card hampers the VPN connection and whether we can go ahead with the replacement.

Well, the answer is: it depends.

How much CPU is being used currently on the firewall? If it is low, then yes, you could probably remove the VAC+ card and still be able to run your VPN connections, but obviously you are now asking the main CPU of the firewall to do more work.

How much VPN traffic is there going through the firewall? Again, if relatively low, you should be fine without the VAC+ card, but if you have high volumes of VPN traffic then this can severely impact the main CPU.

It is one of those questions that is difficult to answer because it is unclear what the current state is. I have run 20+ site-to-site VPNs on a PIX 515E with no VAC card and it has run fine, but then that PIX was really only being used to terminate VPNs. What can be said for sure is that offloading VPN encryption to the VAC+ card takes load off the main CPU. Removing the VAC+ card will put that load back. So, as I said, you need to base the decision on current CPU usage and VPN throughput requirements.

If you do not need full gigabit throughput for this DMZ or one of your others, I would be tempted to do what Kusankar suggested and think of using subinterfaces. What you can do is remove the VAC+ card and, if you find CPU too high, then you have the subinterface solution as a backup.

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

Thanks Jon,

Currently CPU utilisation is around 30% max. I just have a query: how do I find how much actual VPN traffic is going through the firewall?
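Jon's decision rule above needs two numbers: the main CPU load, which the box reports directly (`show cpu usage`), and the VPN throughput, which rajsh asks about last. The PIX does not print a rate for the latter, only cumulative per-session byte counters, so the practical method is to capture the session table twice, a known interval apart, and divide the delta. The script below, added here as an example and not part of the thread, does that arithmetic for two captures in the style of `show vpn-sessiondb detail remote`, grouped by tunnel group so the one group that is in constant use can be seen on its own. The two captures, the usernames, the tunnel-group names and the exact column layout are constructed for this example; the field regexes are an assumption and should be adjusted to what the PIX actually prints.

```python
import re
from collections import defaultdict

# Constructed captures in the style of PIX/ASA 7.x "show vpn-sessiondb detail remote".
# Field layout is assumed for this example; the usernames, groups and byte counts are made up.
SAMPLE_T0 = """\
Session Type: IPsec Detailed

Username     : alice                  Index        : 12
Assigned IP  : 10.20.0.5              Public IP    : 198.51.100.7
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 104857600              Bytes Rx     : 52428800
Group Policy : GP-finance             Tunnel Group : tg-finance

Username     : bob                    Index        : 17
Assigned IP  : 10.20.0.9              Public IP    : 203.0.113.4
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 2048                   Bytes Rx     : 1024
Group Policy : GP-support             Tunnel Group : tg-support
"""

# Second capture, taken INTERVAL_S later: alice kept her session, bob dropped and
# reconnected (new index), carol connected fresh during the interval.
SAMPLE_T1 = """\
Session Type: IPsec Detailed

Username     : alice                  Index        : 12
Assigned IP  : 10.20.0.5              Public IP    : 198.51.100.7
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 254857600              Bytes Rx     : 102428800
Group Policy : GP-finance             Tunnel Group : tg-finance

Username     : bob                    Index        : 21
Assigned IP  : 10.20.0.9              Public IP    : 203.0.113.4
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 4096                   Bytes Rx     : 512
Group Policy : GP-support             Tunnel Group : tg-support

Username     : carol                  Index        : 23
Assigned IP  : 10.20.0.11             Public IP    : 192.0.2.20
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 10000000               Bytes Rx     : 5000000
Group Policy : GP-support             Tunnel Group : tg-support
"""
INTERVAL_S = 60  # seconds between the two captures (assumed)

SESSION_RE = re.compile(r"^Username\s*:\s*(\S+)\s+Index\s*:\s*(\d+)", re.M)
BYTES_RE = re.compile(r"Bytes Tx\s*:\s*(\d+)\s+Bytes Rx\s*:\s*(\d+)")
GROUP_RE = re.compile(r"Tunnel Group\s*:\s*(\S+)")


def parse_sessions(text):
    """Return {(username, index): {"group", "tx", "rx"}} from one capture.

    Sessions are blank-line separated blocks; blocks without the three fields we
    need (e.g. the "Session Type" header) are skipped rather than guessed at.
    """
    sessions = {}
    for block in re.split(r"\n\s*\n", text):
        s, b, g = SESSION_RE.search(block), BYTES_RE.search(block), GROUP_RE.search(block)
        if not (s and b and g):
            continue
        sessions[(s.group(1), int(s.group(2)))] = {
            "group": g.group(1), "tx": int(b.group(1)), "rx": int(b.group(2)),
        }
    return sessions


def throughput_per_group(before, after, interval_s):
    """Bytes per second (tx+rx) per tunnel group between two captures.

    Edge cases: a session only in the second capture is new, so its whole counter
    counts; a counter that went backwards means the session was re-keyed or reset,
    so again the new value counts; a session that disappeared cannot be measured,
    so the result is a lower bound on real VPN traffic.
    """
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    moved = defaultdict(int)
    for key, cur in after.items():
        prev = before.get(key)
        if prev is None or prev["group"] != cur["group"]:
            moved[cur["group"]] += cur["tx"] + cur["rx"]
            continue
        dtx, drx = cur["tx"] - prev["tx"], cur["rx"] - prev["rx"]
        if dtx < 0 or drx < 0:
            moved[cur["group"]] += cur["tx"] + cur["rx"]
        else:
            moved[cur["group"]] += dtx + drx
    return {group: nbytes / interval_s for group, nbytes in moved.items()}


def to_mbps(bytes_per_s):
    """Convert bytes/s to megabits/s, the unit VAC+/CPU sizing is usually quoted in."""
    return bytes_per_s * 8 / 1_000_000


def report(sample_t0=SAMPLE_T0, sample_t1=SAMPLE_T1, interval_s=INTERVAL_S):
    """Per-group throughput, busiest group first, as a list of (group, Mbit/s)."""
    rates = throughput_per_group(parse_sessions(sample_t0), parse_sessions(sample_t1), interval_s)
    return sorted(((g, to_mbps(r)) for g, r in rates.items()), key=lambda x: -x[1])


if __name__ == "__main__":
    for group, mbps in report():
        print(f"{group:<20} {mbps:8.2f} Mbit/s")
```

Run it against two real captures by pasting them into the two sample strings (or reading them from files) and setting the interval you actually waited; take the samples at the busy time of day, since a quiet-hour figure says nothing about whether the main CPU can absorb the encryption once the VAC+ card is out.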
