It's not terribly often that hardware vendors are so forward-thinking that they can retrofit a whole new class of hardware into an existing chassis. However, Cisco seems to be able to do this with ease. The new Cisco 7200 router is a perfect example.

The 7000-series core routers have been the mainstays of ISP and large MAN/WAN deployments for decades. The now-deceased Cisco 7010 could be found at the core of nearly every ISP in the mid-'90s, boasting 10Mbit/s Ethernet ports and the ability to handle HSSI (high-speed serial interface) and traditional T1/T3 services in a modular fashion. The later models in the same series, such as the 7500 and 7600, built on that base to deliver more horsepower and more high-speed connectivity options within a large-footprint modular chassis.

The 7200, first introduced several years ago, was the middle of the road. With high-speed modules dropping in size, it became possible to fit much more into a much smaller space. The 7202, 7204, and 7206 represented three variations on a common theme: a modular workhorse router that could grow with the needs of the infrastructure.

The 'new' 7200-series is the latest example of that capability, taking the 7200 to places it's never been before. Rather than introducing a completely new router series, Cisco has simply released new core modules for the existing 7200 routers, resulting in the ability to do wholesale upgrades to existing routers without unracking anything.

This collection of new gear for the 7200 series is aimed at companies looking to leverage their existing hardware in new ways, such as high-bandwidth VPN aggregation. The new 7200VXR NPE-G2 (Network Processing Engine) promises twice the performance of the existing NPE, and the VSA (VPN Services Adapter) provides encryption offload to kick those VPN tunnels into high gear. Not only are these modules now available, but with the new Port Adapter Jacket Card, some new features can be implemented without reducing the available slot count on existing 7200 routers.

Starting at the top, the new NPE-G2 offers some serious horsepower. With 1GB of SDRAM and 256MB of onboard flash, it has three built-in Gigabit Ethernet ports, one Fast Ethernet port, and two USB ports. The Gig Ethernet ports are all dual-personality, and can be ordered as either copper/GBIC or copper/SFP, which lets admins leverage existing hardware in the upgrade, or at least defer the cost of GBICs with lower-cost SFP optics. With the new NPE, Cisco can offer much more than just simple routing capabilities in the 7200. Its services matrix for this router runs from firewalling and IPS duties to VPN endpoint termination, to voice, video, QoS, and multicast routing tasks, all within the same box. In short, Cisco is trying to fit the 7200 into nearly every corner of the network, either all-in-one or a la carte, and with notable success.

I had two Cisco 7206 routers in the lab, equipped with the new NPE-G2 as well as the VSA module. The testing I conducted was based around high-speed VPN configurations, basically AES and 3DES VPNs running at gigabit speeds between the routers. To drive all the testing, I relied on a Spirent SmartBits chassis with a few Gig interfaces to generate traffic through the VPN constructed between the two 7206 routers. Cisco's VPN performance claims were well founded, with my results showing just under wire-speed Gig IPSec VPN operation between the two routers. Even without the VPN in place, I was able to achieve just under wire-rate throughout the testing, with a max of 960Mbit/s throughput.

As with nearly every mid- to high-end Cisco device, proper configuration and maintenance can be a challenge for the uninitiated. It's certainly not something to be done casually, nor without the proper training and experience. Cisco IOS has long been the bane as well as the saviour of networking. Hideously complex in places, and obscenely powerful and configurable in others, it's the stuff of legend. Just trying to navigate through the Cisco Web site's software support matrix to determine the proper IOS version and sub-version for a specific piece of hardware can be trying, not to mention the half-dozen or so authentication requests as you navigate through the process. High-end internetworking has never been simple, nor is it ever likely to be, but sometimes it seems that Cisco's being purposefully obtuse in order to separate the wheat from the chaff.

Cisco's attempts at providing GUI tools for its hardware have never really produced a workable mid-range solution, although the Cisco Network Assistant (CNA) application for switched infrastructures does a fairly decent job of simplifying common administration tasks such as VLAN port assignments without requiring the massive financial and physical resources needed to implement the high-end CiscoWorks suite. CNA doesn't support the devices at the top of the Cisco food chain, such as the Catalyst 6509 or the 7200 routers. However, Cisco has been pushing SDM (Security Device Manager), a new GUI for its higher-end devices, and the 7200 is supported for basic routing configurations as well as advanced features such as firewall, VPN, QoS, and IPS configurations. This is a relatively new step for Cisco, and a good one, although it will certainly be eschewed by Cisco CLI gurus.

Overall, the power and functionality present in the 7200 series routers are certainly worth the investment. The 'new' 7200 is a worthwhile new take on an already solid platform.


Cisco's 7206VXR is more than meets the eye. The major components, such as the new NPE-G2, provide double the performance of the previous generation, but are fully compatible with existing chassis. The same is true for the new VPN Services Adapter, which provides IPSec VPN acceleration for high-performance VPN tunnels. Aggregation routers are generally responsible for large parts of any network, so performance and reliability are mandatory, not optional. On these fronts, the new 7206 delivers.