2610 software encrypted VPN 128kbit

Unanswered Question
Jul 21st, 2003

Hi,


Can anyone give me a suggestion on the following?

We have a centralized WAN environment. 36XX-s are in the central site, 36pcs of 2610s are in the remote offices.

There's a 128Kbit leased line for every branch.

We are planning to run 3DES VPNs on every connection.

I know that I need a HW VPN module in the central routers, but is it necessary in the remote 2610s?

These routers have very simple config, no jitter sensitive applications, just 128kbit data link.

Very simple and stable EIGRP network. No bells and whistles.


My Cisco SE and I have different opinions. He says the VPN module is necessary, I say it's not...

He says that we should use HW VPNs for every site. That's 70-90k USD.


I tested it in our lab that the cpu usage goes up to 35-39% on a 2610 in this scenario sending large ftps from both directions. (full duplex 128kbit with large packets.) That seems acceptable.


And another thing, what about the faster 2610XM?


Thanks for the help,

Attila

gfullage Mon, 07/21/2003 - 18:51
User Badges: Cisco Employee

It's really hard to give an accurate answer on this. The VPN module will take the encryption load off the main router CPU and do it on the module, freeing up the router CPU for other important tasks like routing of packets and EIGRP, etc. If you don't have one, and the CPU load on the router is at an acceptable level for you, then everything should run fine without it.


The trouble is as the encryption traffic rate rises, so will the CPU utilization on the router. You have to think about the business cost of having one or more of these remote sites down or degraded because the CPU load is too high. Will that end up costing you more than 70-90K in the long run? It's really up to you, without knowing the traffic ratios you're going to have and what you deem as "acceptable" response times, we really can't give an exact answer. Think about the business cost of a degraded network though and that might help your decision.


You don't even have to have VPN modules in all of them, if you suspect that some will have higher traffic rates than others then purchase modules for those sites and monitor the others closely. Maybe don't purchase any just now but factor it into your budget just in case and monitor all the routers closely and see how you go.


