Cisco Support Community

Home

Cisco 1921/ K9
Answered Question

tech.werwireless Dec 6th, 2014

Hello All,

1: At my Corp Office i have installed a Cisco 1921 /K9, I want to know that how many IPSec
VPN Tunnel Cisco 1921 /k9 can support and what is the IPSec VPN throughput ?
2: I have connected a bandwidth link (150 Mbps Download and 25 Mbps upload) to my Cisco
1921/K9, i want to know whether Cisco 1921/K9 is capable to handle 150Mbps Bandwidth ?
3: If one of my retail location is running on 10Mbps bandwidth on Cisco RV220W connect to
Corp Office's Cisco 1921/K9. how much bandwidth IPSec tunnel will use?
4: I have 200 Retail locations and each have 3 computer and 5 computers maximum, Connect
over wifi and wires (Mix few are on wifi and few are wired) Which one is batter to install at
Retails location Cisco RV325 or Cisco RV220W.

Thanks,
Sandy

I have this problem too

0 votes
1
2
3
4
5
Average Rating: 3.5 (2 ratings)

Replies

Collapse all
Recent replies last

Karsten Iwen Sun, 12/07/2014 - 00:28

Cisco Designated VIP2015 Security">

The 1921 is far to slow for that task. With a limited budget, I would go at least for a 2921 if it
should be an ISR G2. But there are now the newer ISR4000, where the 4331 looks like a good
choice.
And for real redundancy, you should have two of them, one for each internet-connection. Or
one faster one for the primary link and the 1921 for the backup link. But with the 1921, only
150 tunnels are supported.
For the retail locations I wouldn't use one of the SMB-devices. The 800 series routers should be
fine there.

See More
1
2
3
4
5
Average Rating: 0 (0 ratings)

tech.werwireless Sun, 12/07/2014 - 07:26

You suggested 2 Cisco 4431 Routers to achieve load balancing and fail over.....what about
firewall? do i need to purchase 2 firewalls 1 for each router?

See More
1
2
3
4
5
Average Rating: 0 (0 ratings)

Karsten Iwen Sun, 12/07/2014 - 08:50

Cisco Designated VIP2015 Security">

You don't need two firewalls to operate both links, but if you wan't also some level of HA, you
should have two of them. Two 5515-X could be the right device for your needs if you want to
primarily firewall internet-traffic. If you also have much traffic from inside to to different DMZs
(or between DMZs), then the 5525-X could be the right one.

See More
1
2
3
4
5
Average Rating: 0 (0 ratings)

tech.werwireless Sun, 12/07/2014 - 18:52

actually i do not want to increase my budget, so i will prefer only 1 firewall.
please tell me how i will point 2 Cisco 4431 routers to 1 firewall and 1 firewall to 2 ISP
connections..
Actually it about 120 Retail locations (next 3 year it would near about 150) so i do not want
any downtime. so my plan is:

@ Corp Office My Goal is:

2 different internet connections (150 Mbps Download and 25 Mbps Upload each)for fail over
and load balancing, i want to use both for faster speed.
2 Cisco 4331 Routers for IPSec VPN Fail over and load balancing.

ISP1:

CISCO 4331 (IPSec VPN Tunnel)

FIREWALL5512

CORP Servers

ISP2:

CISCO 4331 (IPSec VPN Tunnel)

Please tell me if this is not correct,

Thanks,
Sandy (Sandeep Sharma)
Sandy@wer-wireless.com
Direct: +01-856-812-0158

See More
1
2
3
4
5
Average Rating: 0 (0 ratings)

tech.werwireless Sun, 12/07/2014 - 22:18

To achieve this goal should I configure ISP Redundancy and Load Balancing Active/Active mode
on Cisco 5512 Firewall and HSRP Active/Active mode on both Cisco 4431...am i right ?

Please check the below mentioned network diagrams, which one is correct to achieve what i
need....

Network 1: With 1 ASA 5512 and 2 Cisco 4331

ISP1:

CISCO 4331 (IPSec VPN Tunnel)

FIREWALL5512
ISP2:

CORP Servers
CISCO 4331 (IPSec VPN Tunnel)

Network 2: With 2 ASA 5512 and 2 Cisco 4331

ISP1: ---> FIREWALL 5512 ---> CISCO 4331 (IPSec VPN Tunnel)

CORP Servers
ISP2: ---> FIREWALL 5512 ---> CISCO 4331 (IPSec VPN Tunnel)

As per Cisco; License and total number of IPSec combines if we are using Active/Active mode in
load sharing and fail over. (I am not sure please make me correct if i am wrong here)
if it's correct then we can use Cisco 1921 after applying performance license and in that case total
number of Tunnel and throughput would be increased...

Network 3: With ASA 5505 and Cisco 1921

ISP1: ---> FIREWALL 5505 ---> CISCO 1921 (IPSec VPN Tunnel)

CORP Serve
ISP2: ---> FIREWALL 5505 ---> CISCO 1921 (IPSec VPN Tunnel)

Thanks,

Sandy

See More
1
2
3
4
5
Average Rating: 0 (0 ratings)

Karsten Iwen Mon, 12/08/2014 - 01:08

Cisco Designated VIP2015 Security">

It all depends on how you want your network to behave. Typically I would set it up the
following way:

Both ASAs in Active/Standby Failover. Thats the reason for 5515-X, the 5512-X needs an
extra license for FO. 5512-X +SecPlus license is exactly the same list price as the faster
5515-X.
Both routers terminate the VPNs with VTIs or FlexVPN. Thats also a reason for ISRs on the
spokes. With a routing-protocol you control the routing to the sites.
The ASAs are connected to both ISP on two outside interfaces
The routers are connected to both ASAs on a shared WAN-interface. Here you can control the
traffic by extending the routing to the ASA or by using HSRP to send the traffic to one
router.

See More
1
2
3
4
5
Average Rating: 0 (0 ratings)

tech.werwireless Mon, 12/08/2014 - 10:10

Can you please create a network diagram so that i can understand it properly....

See More
1
2
3
4
5
Average Rating: 0 (0 ratings)

Karsten Iwen Tue, 12/09/2014 - 06:36

Cisco Designated VIP2015 Security">

something like that:

See More
1
2

3
4
5
Average Rating: 2 (1 ratings)

tech.werwireless Wed, 12/10/2014 - 16:15

Ok, as per the network diagram. If isp 1 fail it will work on isp 2.
If ASA 1 fail it will work on ASA 2.

Where is the 2 router in play?

See More
1
2
3
4
5
Average Rating: 0 (0 ratings)

tech.werwireless Thu, 12/11/2014 - 12:21

Cisco recommend:

Corp Location:
2 x Cisco ASA 5515-X w/IPS Provides VPN termination, basic routing from ISP connection, IPS
services and Firewall services

Each Branch location:

1 x Cisco 891 ISR Provides site to site IPSec, Firewall services, LAN and Wireless connectivity

See More
1
2
3
4
5
Average Rating: 0 (0 ratings)

tech.werwireless Sun, 12/07/2014 - 19:43

Tech Specification of ASA 5512 Firewall:
Feature

Cisco ASA 5512-X, Security Plus

tateful inspection throughput (maximum)

Stateful inspection throughput (multi protocol)
ASA IPS throughput

250 Mbps
(extra hardware not required)

1 Gbps
500 Mbps

Next-generation firewall throughput (multiprotocol)

200 Mbps

Triple Data Encryption Standard/Advanced Encryption Standard

(3DES/AES) VPN throughput
Users/nodes
IPsec VPN peers

Thanks,
Sandy

See More
1
2
3
4
5
Average Rating: 0 (0 ratings)

200 Mbps

Unlimited
250

tech.werwireless Sun, 12/07/2014 - 00:50

@ Corp Office: Cisco 1921 is slow for 200 locations..i agree ....but what about total number of
VPN tunnels ? few says 250 few stated 150...even i tried searching google but got no luck. i
am getting confused!
Well, 1921 is not good enough to handle that much of traffic...so i will get 2 Cisco 4000 series
routers.
i just checked the data sheet and found that Cisco 4331 throughput is 300 Mbps with 4 GB
RAM and 3 Gigabit Wan ports....but again Cisco din't mention the total number of IPSec VPN
and it's IPSec VPN throughput......do i need a license to use IPSec VPN on it ?

@ Retail Location:
Which one you suggest from Cisco 800 Series ? each retail location have minimum 3,
maximum 5 users/computers @ different internet speed. 50 Locations are running on 50 Mbps
Download and 10 Mbps upload speed, 10 are running on 10Mbps and reaming are running at
7Mbps. and at each location we need 2 wifi SSIDs one for guest access and another to connect
wifi all in one computers. becasue each location is a retails location and not all computers are
hired wired.
Why not Cisco RV325 ro Cisco RV220W ? both support 25 IPSec VPN Tunnel and at 100 Mbps
throughput.

Thanks,
Sandy

See More
1
2
3
4
5
Average Rating: 0 (0 ratings)

Correct Answer

Karsten Iwen Sun, 12/07/2014 - 02:17

Cisco Designated VIP2015 Security">

For the retail locations I would look at the 880s series. They are available with integrated
ADSL/VDSL modems and also wireless. The WLAN can be controlled by a WLC.
The management is the reason I wouldn't use the RV-devices. As far as I know, they still don't
have anything that is IOS-like. The AP can be controlled with a WLC which also makes
management quite easy.
For the 4000 router, I only know what is stated in the data sheet and the licensing part of
the config-guide (the last Cisco 4000 router I operated was from a decade ago ... ;-) ).
But there are again feature-licenses like SEC/HSEC that you would need.
It seems that the performance is completely controlled by the license and the 100/300 MBit/s
is the performance with services. But without the HSEC-license you are limited (as with many
cisco routers) to 85 MBit/s encrypted bandwidth and 225 tunnels.

See More
1
2
3
4
5
Average Rating: 5 (1 ratings)

tech.werwireless Sun, 12/07/2014 - 01:40

ISR4331/K9

ISR 4331 with 3 onboard GE, 2 NIM slots, 1 ISC slot, 1 SM slots,
4 GB Flash Memory default, 4 GB DRAM default

Cisco 4331 /K9 no redundant power supply.....

Default is 100 Mbps, to gain 300 Mbps need to purchase a PERF license...
Platform
ISR4331

Performance-on-Demand License
FL-4330-PERF-K9

Features

Increases the performance from base performance 100 Mbps to

300 Mbps

See More
1
2
3
4
5
Average Rating: 0 (0 ratings)

tech.werwireless Sat, 12/06/2014 - 23:15

My goal is to connect all 200 locations to Corp Office over VPN so that they can join the
domain.
I have a Cisco 1921/K9 at corp Office, and do not have any Cisco router at Retail location so
we are planing to buy for retails locations.
I want dual VPN on Cisco 1921 for load balancing and fail over.
so that each Retails location connect to Cisco 1921 by two tunnels and if 1 goes down 2nd
come in play automatically.
Also I have 2 Internet connection from same internet service provider and i want to connect
both to my Cisco 1921 /K9 for dual VPN to achieve VPN load balancing and fail over..
Please let me know how to achieve this goal...
Thanks
Sandy
See More
1
2
3
4
5
Average Rating: 0 (0 ratings)

https://supportforums.cisco.com/discussion/12370391/cisco-1921-k9