What are you seeing in the way of CPU usage during business hours? Are your
results along the lines of what the Cisco document I quoted is indicating?

Also, when you say you have 6 offices terminating, I presume you are doing
frame relay. What are your port speeds and CIRs? The Cisco doc is rather
unspecific in terms of the kinds of information that would be beneficial in
understanding the relationship of bandwidth to CPU usage.

Chuck

-----Original Message-----
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Darren Johnson
Sent:   Monday, August 07, 2000 8:07 AM
To:     [EMAIL PROTECTED]
Subject:        RE: VPN 3DES ON 2MB Link with 25XX

Also the hated ones (Nortel) have a fairly good VPN box that seems to work
ok.  About the only real problem I have had with it is the interface is GUI
only; also they say they are working on a BCR (blatant Cisco rip-off) command
line also.
As to VPNs being too CPU intensive, at our corporate office we have 6
satellite offices that are terminating into a 2600.  Of course the traffic
over those links doesn't really amount to that much and it is only DES.  At
our site we have a total of 5 DES vpns terminating into a PIX and it is
running fine.  Once again though if we were doing 3DES I would want to find
some sort of hardware accelerator or way to offload the encryption off of
the CPU.
Just my .02
Darren

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Chuck Larrieu
> Sent: Monday, August 07, 2000 9:40 AM
> To: Robert Hanley; [EMAIL PROTECTED]
> Subject: RE: VPN 3DES ON 2MB Link with 25XX
>
>
> Since this is a Cisco list, Robert, the least you could have done is name
> the Cisco CVPN ( formerly Altiga ) boxes! :->
>
> Say, where you been? Haven't seen your name here in several months. Good to
> hear from you. I'm still eating my blueberries! :->
>
> Other dedicated VPN boxes include VPNet ( www.vpnet.com ) and Checkpoint
> makes a pretty good one, particularly when running on the Nokia hardware
> platform  ( www.checkpoint.com )
>
> And yes I concur. Customers continue to say to me "I have an existing Cisco
> router. Can't we just use that for our VPN?"  And I always respond "you sure
> can. But you won't like what happens!" When designing a VPN, the temptation
> is great to try to be cheap. And with VPNs particularly, it can end up being
> a LOT more expensive in the long run.
>
> Keep in touch, Robert. Your insight is welcome and missed.
>
> Chuck
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Robert Hanley
> Sent: Monday, August 07, 2000 12:06 AM
> To:   Chuck Larrieu; [EMAIL PROTECTED]
> Subject:      Re: VPN 3DES ON 2MB Link with 25XX
>
> With respect for the fact that this is a cisco list I
> would still like to point out that it is precisely
> because of the cpu intensive nature of crypto that the
> most popular solution is not a router per se but a
> dedicated VPN box such as the Nortel Contivity.
>
> For the curious:
> http://www.nortelnetworks.com/products/01/contivity/doclib.html
>
> In the same vein I must point out that it is the
> central cpu cisco router architecture and top down
> nature of IOS that makes any kind of additional
> processing problematic. Other router architectures
> that utilize distributed processing can handle these
> additional chores much more gracefully.
>
> Chuck...any guess as to where I wound up working ?
>
>
> --- Chuck Larrieu <[EMAIL PROTECTED]> wrote:
> > Have finally gotten around to printing out the IPSec
> > Design Guide published
> > on the Cisco site.
> >
> >
> > http://www.cisco.com/cpropart/sync-src/ccstcp/cc/techno/protocol/ipsecur/ipsec/tech/
> > watch the word wrap
> > need a CCO login to get there
> >
> > rather interesting publication, with 15 pages on
> > IPSec, 27 pages on design
> > considerations, and over 370 pages of case
> > studies/configurations!
> >
> > the relevant portion to this conversation is the
> > design guide, which does
> > talk about performance, memory usage, and processor
> > impact. The information
> > presented is not as complete as I would hope, but it
> > is indicative.
> >
> > for example, using a 16xx router, and a 125K
> > clockrate on a back to back
> > serial link, a file transfer that took 10 minutes
> > with no encryption took
> > only 18 seconds longer using IPSec. CPU usage was at
> > 29% on average during
> > the tests. ( The publication states that "the same
> > test was run several
> > times and the times were averaged together")
> >
> > Although there are several charts measuring
> > bandwidth % used with different
> > size packets on several router platforms, I am
> > disappointed to find that
> > this presentation is not particularly detailed, nor
> > particularly rigorous.
> >
> > One chart compares performance in megabits per second
> > of several routers, one
> > of which is a 2514 ( no 2501's ). Said router
> > without encryption performed
> > in the range of 2.4-9.9 mbs, and with AH and ESP
> > enabled dropped to 01.-0.2
> > mbs. there is a column labeled "suggested bandwidth"
> > but no explanation in
> > the text. There is a rather interesting line stating
> > that "the suggested
> > bandwidth is reduced from the maximum possible to
> > bring the CPU utilization
> > more within accepted limits"
> >
> > the same table states that a 7505 popping AH and ESP
> > was filling a 6 mbs
> > serial link with a 70-75% CPU usage rate.
> >
> > All this leads me to infer that the chances are very
> > good that doing what
> > you are planning to do will be bad for the router.
> > IPSec chews up processor
> > cycles. With a T-1 to fill, your poor CPU's are
> > going to burn along at 100%
> > utilization to fill that bandwidth. Not good for
> > router!
> >
> > Given these kinds of numbers, you may find your
> > remote users complaining a
> > lot about "slow performance" and with good reason.
> > your 2 meg pipe becomes a
> > 100K pipe, assuming the router doesn't shut down a
> > lot due to overload.
> >
> > Anyone got some other good reads on IPSec and router
> > resource utilization?
> >
> > Chuck
> >
> > <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > > Hello,
> > >
> > > I wish to setup a 3DES VPN between two sites (a local and a remote site) on
> > > a 2MB serial link using 2 2502 cisco routers. I will have 30 people
> > > working on the remote site using telnet session, NT file and print with
> > > servers in the local site.
> > >
> > > Do you think the 25XX could handle such calculation (3DES processing) for
> > > such amount of user. If yes is someone already setup such thing ?
> > >
> > > regards,
> > > Christophe.
> > >
> > > ___________________________________
> > > UPDATED Posting Guidelines:
> > http://www.groupstudy.com/list/guide.html
> > > FAQ, list archives, and subscription info:
> > http://www.groupstudy.com
> > > Report misconduct and Nondisclosure violations to
> > [EMAIL PROTECTED]
> > > ---
> >
>
>