Another IPSec VPN related question

Hi All,

We are getting ready to add over 200+ sites to our network. We currently have approx 125 sites, all connected via point-to-point T1s (which aggregate into DS3s at the regional cores). The new sites will have sDSL as the local loop, with the goal being to create IPSec tunnels into our network. I am looking for opinions on which would be better to use to terminate the tunnels at the core, a VPN concentrator or a large router with a crypto accelerator card. All of our current traffic is encrypted over the T1s and DS3s, which terminate into 7200 series routers, so I am intimately familiar with the workings of IOS crypto. However, these routers are not exposed to the internet, which this device would be. Any thoughts, ideas, or smart-aleck comments are appreciated!!!

-Richard

Richard Graves

Wow.. Nobody has any thoughts on this??? Or have I somehow offended an entire Usenet group to the point of being snubbed?? Not that something of that scope is beyond me, but it usually requires a little effort on my part!! :-)

Any thoughts at all?? Anyone? Bueller? Bueller? ;-)

-Richard

Richard Graves

Routers are much better at dealing with L2L connections. I'm assuming that some of the end-points will have dynamic addresses; therefore, the concentrator won't be able to handle this. Use DMVPN on the routers with a hub-and-spoke design. Minimal configuration on the hub and you can still bring up dynamic connections to the spokes. You need a certain rev of IOS to have spoke-to-spoke connections...12.3(x)T, so not all routers will support this function, but you'll still be able to move traffic between spokes via the hubs in older IOS versions.

Also, if you need QoS, then a router is the best solution.

For a large number of remote access users, I would get a dedicated concentrator to only handle this function.

Good luck! Richard

Richard Deal

Richard,

Thanks for the info! Your thoughts parallel mine; this is the way that I am leaning.

Thanks again,

-Richard Graves

Richard Graves
