With respect for the fact that this is a Cisco list, I
would still like to point out that it is precisely
because of the CPU-intensive nature of crypto that the
most popular solution is not a router per se but a
dedicated VPN box such as the Nortel Contivity.

For the curious:
http://www.nortelnetworks.com/products/01/contivity/doclib.html

In the same vein, I must point out that it is the
central-CPU Cisco router architecture and top-down
nature of IOS that makes any kind of additional
processing problematic. Other router architectures
that utilize distributed processing can handle these
additional chores much more gracefully.

Chuck... any guess as to where I wound up working?


--- Chuck Larrieu <[EMAIL PROTECTED]> wrote:
> Have finally gotten around to printing out the IPSec
> Design Guide published
> on the Cisco site.
> 
>
http://www.cisco.com/cpropart/sync-src/ccstcp/cc/techno/protocol/ipsecur/ips
> ec/tech/
> watch the word wrap
> need a CCO login to get there
> 
> rather interesting publication, with 15 pages on
> IPSec, 27 pages on design
> considerations, and over 370 pages of case
> studies/configurations!
> 
> the relevant portion to this conversation is the
> design guide, which does
> talk about performance, memory usage, and processor
> impact. The information
> presented is not as complete as I would hope, but it
> is indicative.
> 
> for example, using a 16xx router, and a 125K
> clockrate on a back to back
> serial link, a file transfer that took 10 minutes
> with no encryption took
> only 18 seconds longer using IPSec. CPU usage was at
> 29% on average during
> the tests. ( The publication states that "the same
> test was run several
> times and the times were averaged together")
> 
> Although there are several charts measuring
> bandwidth % used with different
> size packets on several router platforms, I am
> disappointed to find that
> this presentation is not particularly detailed, nor
> particularly rigorous.
> 
> One chart compares performance in megabits per second
> of several routers, one
> of which is a 2514 ( no 2501's ). Said router
> without encryption performed
> in the range of 2.4-9.9 mbs, and with AH and ESP
> enabled dropped to 01.-0.2
> mbs. there is a column labeled "suggested bandwidth"
> but no explanation in
> the text. There is a rather interesting line stating
> that "the suggested
> bandwidth is reduced from the maximum possible to
> bring the CPU utilization
> more within accepted limits"
> 
> the same table states that a 7505 popping AH and ESP
> was filling a 6 mbs
> serial link with a 70-75% CPU usage rate.
> 
> All this leads me to infer that the chances are very
> good that doing what
> you are planning to do will be bad for the router.
> IPSec chews up processor
> cycles. With a T-1 to fill, your poor CPUs are
> going to burn along at 100%
> utilization to fill that bandwidth. Not good for
> router!
> 
> Given these kinds of numbers, you may find your
> remote users complaining a
> lot about "slow performance" and with good reason.
> your 2 meg pipe becomes a
> 100K pipe, assuming the router doesn't shut down a
> lot due to overload.
> 
> Anyone got some other good reads on IPSec and router
> resource utilization?
> 
> Chuck
> 
> <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Hello,
> >
> > I wish to setup a 3DES VPN between two sites (a
> local and a remote site)
> on
> > a 2MB serial link using 2 2502 Cisco routers. I
> will have 30 people
> > working on the remote site using telnet session,
> NT file and print with
> > servers in the local site.
> >
> > Do you think the 25XX could handle such
> calculation (3DES processing) for
> > such an amount of users? If yes, has someone already
> set up such a thing?
> >
> > regards,
> > Christophe.
> >
> > ___________________________________
> > UPDATED Posting Guidelines:
> http://www.groupstudy.com/list/guide.html
> > FAQ, list archives, and subscription info:
> http://www.groupstudy.com
> > Report misconduct and Nondisclosure violations to
> [EMAIL PROTECTED]
> > ---
> 

