I'm researching various VPN endpoint solutions for our HQ site, and am hoping I can get some recommendations from those who have experience with this stuff.
Essentially, we're in need of a device to terminate customer VPN tunnels at HQ (site-to-site). We're currently doing this at the firewall, but we don't consider this to be scalable -- we'd rather let the firewall filter packets and terminate the VPN tunnels on a device meant for such usage.
I was originally looking at VPN concentrators exclusively, but I noticed that various router platforms (3600/3700/7200) have VPN modules that, if the specs are accurate, will more than suffice for our purposes as far as bandwidth and number of simultaneous tunnels go. This has me wondering what the differences are between VPN concentrators and VPN router modules. When is one typically chosen over the other? A sales rep mentioned that the concentrators are typically used for dial-up users and VPN routers are typically used for site-to-site tunnels. Is this accurate?
We also need a router for the segment that the VPN device will live in, so a VPN router would kill two birds with one stone if it will suffice. It looks like a 3700 series router can terminate a couple thousand tunnels at upwards of 200 Mbps as per the datasheet. But I don't know if these numbers reflect reality.
So, what do you folks recommend to terminate site-to-site VPNs with customers? Any advice would be appreciated.
VPN3000 concentrators have a lot more features than a VPN router when it comes to VPN remote access client users, and they also have an SEP (HW accelerator) card (3030/3060/3080).
But routers are more targeted towards doing routing across the VPN tunnel, GRE over IPSec (in case you have multicast/broadcast/non-IP traffic), all in all better candidates in case of more site-to-site VPN implementations.
Certainly the 37xx platform would be a better solution; in case you have a few VPN client users, but a large number of site-to-site VPN tunnels requiring routing (EIGRP/OSPF), redundancy, and BW, routers are a better investment, I'd say.
If you are going to have a huge amount of VPN traffic, you can use 71xx/72xx series routers with the VAM cards to support that.