BYO MPLS
Organizations are deploying site-to-site VPN for their corporate office connectivity at an impressive rate, often as a build-your-own replacement for a carrier MPLS service. Here is a quick summary of the design options:
1. Direct IPsec tunnels, for smaller deployments where simplicity matters. Nearly any firewall and many sub-$1000 routers will do this. Failover to a backup hub gateway can be achieved in under 2 seconds. This is the quick-and-dirty lowest-cost option. As usual, such solutions grow hard to manage and troubleshoot: policy-based tunnels carry no routing protocol, so every new subnet means touching crypto ACLs on both ends.
2. Multiple IPsec-protected GRE tunnels per site, for improved reliability and redundancy. GRE turns the tunnel into a routable interface, so routing protocols and multicast work across it; routers become the main option here unless a separate device is introduced to handle only the IPsec termination. Per-tunnel QoS is one feature unique to this level, and multicast support is introduced here.
3. Dynamic Multipoint VPN (DMVPN) combines multipoint GRE, NHRP, IPsec and an IGP to further improve resilience and scalability. Dynamic spoke-to-spoke tunnels (a full mesh without a full-mesh configuration) and minimal, near-identical spoke configurations are the significant advantages. I’ve heard of DMVPN with hundreds of spokes on sub-$2k routers and the headend running a $5k router. Let me know of other scalable solutions you like!
virtualization marches on
Sure, you’ve got most of your servers running virtualized now. And you’ve got a couple of contexts on your Cisco ACE. But how manageable and automatic is the provisioning? Check out Cisco’s VFrame:
Cisco VFrame DC offers a rich middleware platform to orchestrate the provisioning of VMware ESX Server in a quick, easy, consistent, and repeatable manner. Cisco VFrame DC will integrate with VMware VI3 to automate the provisioning of stateless, network-based ESX Server images onto a utility pool of Intel and AMD processor based servers.
Cisco VFrame Data Center manages the external dependencies VI3 does not address. It orchestrates the configuration of all the services downstream from the hypervisor
Session limits
OK, this one is about speeds for load balancers, or firewalls for that matter. Don’t get completely caught up in the maximum throughput and concurrent session numbers. Remember to fully investigate the connections per second (CPS) or new-flows figure with the set of features you will actually enable. Sure, a box can pass 900 Mbit/s when that traffic is 20 high-speed flows and minimal rules are enabled. But how many new connections can it process, inspect and build state-table entries for under your configuration requirements? The file size requested in those new connections also has a drastic effect: the same throughput made of small objects means far more new connections per second than the same throughput made of large transfers. You might find products handling anywhere from 4,000 up to 400,000.