Cisco Support Community

New Member

Best device to fit for a project

I'm not sure this is the right section, but I'll try.

For a project (less than 100 branch offices and 2 headquarters connected in a hub-and-spoke topology with IPsec over MPLS between branches and HQ) I'm looking for the best device which covers the following items:

Single device
At least two Ethernet interfaces (WAN/LAN)
Ipsec supporting 10-50-100 Mbs
Routing protocols such as BGP-OSPF
Redundant power supply (not at some sites, but in principle I need it)

Single device with XE intf
At least two Ethernet interfaces (WAN/LAN)
IPSEC supporting up to 7-10 Gbs of IPSEC (the sum of branches)
Routing protocols such as BGP-OSPF
Redundant power supply

Firewall is not needed. MPLS will be run by two carriers (this is why a single device: there will be two single devices (with HSRP/VRRP) per site, each one connected to one MPLS carrier). IPsec tunnels are on top of MPLS.

I’m looking for the best solution in terms of scalability and price (very important).

I've an idea in my mind but I'd like to share your experience for the decision...



Hello.

I guess for MPLS you would use GETVPN, so ASA couldn't be an option.

For 10M, I would suggest Cisco 892 or 1921.

Up to 50M - 1941 could be fine (for asymmetrical flow), and 2921 for symmetrical;

Up to 100M - 2921/2951 (for asymmetrical) and 3925 for symmetrical.

Not sure what to suggest for HQ, but it should be anything like ASR1000-ESP20 (sure you need 2 devices for HA).

PS: why do you need NAT on MPLS?

PS2: in HQ I would suggest to split IPSec and NAT roles between different devices (ASA would be best for NAT).

New Member

Hi Vasilii

the device will be on top of MPLS, this means there will be the CPE from the carrier and next the device I'm looking for.

Anyway, I do not understand why you differentiate between asymmetrical and symmetrical; those links will be small at 10 Mbs ethernet and big up to 100 Mbs ethernet on branch.

I think 8xx and 19xx do not have redundant power supply.

NAT is not intended on MPLS; as explained before, MPLS is a layer down.


Hello.

Symmetric for 10M = 10M inbound + 10M outbound = 20M overall IPSec.

Asymmetric for 10M = 10M inbound + 2M outbound = 12M overall IPSec.

PS: I would bet on 2 routers, rather than a single router with 2 power supplies.