
VPN Router Versus Concentrator

Status
Not open for further replies.
Dec 17, 2001
80
US
I was wondering if I could get some advice on what Cisco equipment to purchase for a VPN solution (site-to-site and possibly client VPN in the future). I have fairly extensive knowledge/experience with Checkpoint/Nokia VPN and Firewall solutions but not necessarily with Cisco's solution. I was wondering what the advantages are of using a Router (I was looking at the 7200) over a Concentrator (I was looking at the 3030) or vice versa (this is for the Corporate host). We are going to be connecting around 280 sites to our corporate host (the corporate host is a T3). Thanks.
 
Concentrator. I'd suggest the bigger model which I think is the 3060. It's designed for the amount of users/sites that you're wanting to connect to it. If you go to Cisco's web site and do a search for the 3060 it will tell you all that you need to know.

"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
 
I checked the Cisco VPN site and read the information on the Concentrator and Router. Is there any particular reason(s) why you suggest the concentrator other than it is a dedicated device? Thanks.
 
I agree with IPKONFIG.

Yes, the router could do the job; but the concentrator is designed for the job.

Trust me, with 280 sites, you want a dedicated device. As a matter of fact, you'll want 2, the second configured as a hot-standby.

MCSE CCNA CCDA
 
Yes, I agree with having the two devices. The router with the VPN cards is designed for the job too (plus it will do a bunch of other stuff too). I was wondering if you guys have more technical facts that you could point me to. Thanks.
 
Well, as far as technical facts, you'd just have to read up on both of them on Cisco's website. The reason I suggested the concentrator over the router is because of its ease of use and the amount of connections. Like dearingkr said, it's designed for exactly what you're wanting to do.

Now if you want this device to do more, like the router, then spring for the router. It's really what you want to do. Although, I think the price difference might drive you to the Concentrator vs. the 7200.

"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
 
Thanks for the answers. I'm going to eventually have to read the docs on both devices, but I wanted to get some opinions before doing so.
 
The bottom line is how to configure the VPNs and the flexibility of the configuration. The router is a router, first and foremost. While it can be configured to pass VPNs, site-to-site VPNs, it does not have the flexibility nor the processing power of the concentrator.

The concentrator, on the other hand, is very flexible in configuring the VPN endpoint or passthrough. Groups, permissions, routes, interfaces, RADIUS are all relatively easy to configure, unlike the router. It has both a GUI HTTP front end and a CLI for the GUI-averse. You can offer DHCP-served addresses to the clients or static, you can push client updates out and configure a VPN "cluster". Something near and dear to the admin's heart is the ability to use NT authentication with a few clicks of a mouse.

Even as strong as the 7200 series is, the number of VPNs you are talking about could easily overpower the CPU unless you have some type of onboard/card for VPN acceleration. The router is having to route traffic AND handle the encryption/decryption of the packets, which is process intensive depending on the key size and protocol. The router also cannot be configured nearly as well for redundancy (i.e., clustering). You can have HSRP or VRRP but there are some issues with VPNs depending on configuration.

We tried with dual 7200s running HSRP and ended up with a pair of concentrators talking to the NT boxes and to a RADIUS box. This was for 300 or so remote connections (sales, stores, etc.). We were going to put in a second concentrator for the store-to-store connections when I left that project.

We have not even touched on the raw performance issues surrounding a full T3 worth of VPN traffic. That's A LOT of encryption/decryption for any device to do, so something like a cluster very well may be in your future.

Get the entire book on the 3000 series configuration here:

MikeS

Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 