Multicast over VPN - Options?

Posted in here since this is an enterprise problem...

Anyway, the problem - our application makes heavy use of multicast for various different data streams, and we want to be able to pour this down a VPN to get it across the internet.

It would appear the default Cisco solution is to use GRE tunnels, but GRE isn't supported on the ASAs and in my mind those make better edge devices than the routers (due to good NAT/firewalling).

A one box solution is the ideal, for NAT, firewall and VPN.

I'd rather stick with Cisco as it's the one I know the most, and since it's just a part of our system there's no real value to us in supporting multiple vendors (if we supply the link we can just choose the same one every time; if someone else supplies it, it just meets our spec and they look after it).

Suggestions?

I was wanting a link to set up in time for a trade show next week; however, I've only got a Pix 506E and an 871 at my disposal at the moment.

Thanks!
 
Well, I'm not completely stuck on Cisco, so feel free to suggest your favourite Juniper product :p

I'd just rather avoid it, as it's yet another learning curve to climb (both the product range and configuration/use) when I don't really have any time to dedicate to it anyway.

We're shunting on the order of 10 megabits of multicast data quite often, so even with a handful of client hosts it's a big bandwidth saving, especially when the remote end is typically hostile (in relation to connectivity); it's not uncommon to only have ADSL MAX available.
 
Well, just taken a look at the SSGs; while the SSG5 is more expensive than the Cisco 871s we were getting as a base access device, it does offer more features, and the SSG140 was less than the cost of the ASA 5510 I was looking at.

So they look reasonably priced and well featured; looks like I'll be buying some more books then...

I'll probably speak to sales for specific product advice. I'm more or less sold; if it does everything in one box I can't see it being an issue.

I've just yet to come across Juniper in the field. Our bigger clients have used only Cisco or Sonicwall for VPN access, but where we supply the link, it'll cover both ends, either between two client sites or between them and our office.
 
That would be a bit of a problem as I'd have been using the ASA at one end and the 871 at the other. I think I'll be looking at the Juniper kit for full-on data transfer links and maybe stick with the basic Cisco stuff for remote admin/monitoring as it's what I know.

We're exhibiting at a trade show at the moment using a Pix in the office with an 871 at the show, demoing our system running live and it's working rather well.

As for the 12.8Mbps sustained performance, presumably you mean for encryption throughput?

I've heard stories about people having poor PAT performance, but I tested it in the office and I had the same throughput on the Pix as I did on the 871 and the Draytek 2820 - ~16Mbps, which is our downlink line rate.
 