I stand duly corrected sir. I was not aware of the
product. I must confess I haven't been keeping up on
my cisco, new job and all...

Thanks for your positive input as always...

--- Chuck Larrieu <[EMAIL PROTECTED]> wrote:
> Since this is a Cisco list, Robert, the least you
> could have done is name
> the Cisco CVPN ( formerly Altiga ) boxes! :->
> 
> Say, where you been? Haven't seen your name here in 
> several months. Good to
> hear from you. I'm still eating my blueberries! :->
> 
> Other dedicated VPN boxes include VPNet (
> www.vpnet.com ) and Checkpoint
> makes a pretty good one, particularly when running
> on the Nokia hardware
> platform  ( www.checkpoint.com )
> 
> And yes I concur. Customers continue to say to me "I
> have an existing Cisco
> router. Can't we just use that for our VPN?"  And I
> always respond "you sure
> can. But you won't like what happens!" When
> designing a VPN, the temptation
> is great to try to be cheap. And with VPNs
> particularly, it can end up being
> a LOT more expensive in the long run.
> 
> Keep in touch, Robert. Your insight is welcome and
> missed.
> 
> Chuck
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> Robert Hanley
> Sent: Monday, August 07, 2000 12:06 AM
> To:   Chuck Larrieu; [EMAIL PROTECTED]
> Subject:      Re: VPN 3DES ON 2MB Link with 25XX
> 
> With respect for the fact that this is a cisco list
> I
> would still like to point out that it is precisely
> because of the cpu intensive nature of crypto that
> the
> most popular solution is not a router per se but a
> dedicated VPN box such as the Nortel Contivity.
> 
> For the curious:
> http://www.nortelnetworks.com/products/01/contivity/doclib.html
> 
> In the same vein I must point out that it is the
> central cpu cisco router architecture and top down
> nature of IOS that makes any kind of additional
> processing problematic. Other router architectures
> that utilize distributed processing can handle these
> additional chores much more gracefully.
> 
> Chuck...any guess as to where I wound up working ?
> 
> 
> --- Chuck Larrieu <[EMAIL PROTECTED]> wrote:
> > Have finally gotten around to printing out the
> IPSec
> > Design Guide published
> > on the Cisco site.
> >
> >
> > http://www.cisco.com/cpropart/sync-src/ccstcp/cc/techno/protocol/ipsecur/ipsec/tech/
> > watch the word wrap
> > need a CCO login to get there
> >
> > rather interesting publication, with 15 pages on
> > IPSec, 27 pages on design
> > considerations, and over 370 pages of case
> > studies/configurations!
> >
> > the relevant portion to this conversation is the
> > design guide, which does
> > talk about performance, memory usage, and
> processor
> > impact. The information
> > presented is not as complete as I would hope, but
> it
> > is indicative.
> >
> > for example, using a 16xx router, and a 125K
> > clockrate on a back to back
> > serial link, a file transfer that took 10 minutes
> > with no encryption took
> > only 18 seconds longer using IPSec. CPU usage was
> at
> > 29% on average during
> > the tests. ( The publication states that "the same
> > test was run several
> > times and the times were averaged together")
> >
> > Although there are several charts measuring
> > bandwidth % used with different
> > size packets on several router platforms, I am
> > disappointed to find that
> > this presentation is not particularly detailed,
> nor
> > particularly rigorous.
> >
> > One chart compares performance in megabits per
> second
> > of several routers, one
> > of which is a 2514 ( no 2501's ). Said router
> > without encryption performed
> > in the range of 2.4-9.9 mbs, and with AH and ESP
> > enabled dropped to 01.-0.2
> > mbs. there is a column labeled "suggested
> bandwidth"
> > but no explanation in
> > the text. There is a rather interesting line
> stating
> > that "the suggested
> > bandwidth is reduced from the maximum possible to
> > bring the CPU utilization
> > more within accepted limits"
> >
> > the same table states that a 7505 popping AH and
> ESP
> > was filling a 6 mbs
> > serial link with a 70-75% CPU usage rate.
> >
> > All this leads me to infer that the chances are
> very
> > good that doing what
> > you are planning to do will be bad for the router.
> > IPSec chews up processor
> > cycles. With a T-1 to fill, your poor CPU's are
> > going to burn along at 100%
> > utilization to fill that bandwidth. Not good for
> > router!
> >
> > Given these kinds of numbers, you may find your
> > remote users complaining a
> > lot about "slow performance" and with good reason.
> > your 2 meg pipe becomes a
> > 100K pipe, assuming the router doesn't shut down a
> > lot due to overload.
> >
> > Anyone got some other good reads on IPSec and
> router
> > resource utilization?
> >
> > Chuck
> >
> > <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > > Hello,
> > >
> > > I wish to setup a 3DES VPN between two sites (a
> > local and a remote site)
> > on
> > > a 2MB serial link using 2 2502 cisco routers. I
> > will have 30 people
> > > working on the remote site using telnet session,
> > NT file and print with
> > > servers in the local site.
> > >
> > > Do you think the 25XX could handle such
> > calculation (3DES processing) for
> > > such amount of user. If yes is someone already
> > setup such thing ?
> > >
> > > regards,
> > > Christophe.
> > >
> > > ___________________________________
> > > UPDATED Posting Guidelines:
> > http://www.groupstudy.com/list/guide.html
> > > FAQ, list archives, and subscription info:
> > http://www.groupstudy.com
> > > Report misconduct and Nondisclosure violations
> to
> > [EMAIL PROTECTED]
> > > ---
> >
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Kick off your party with Yahoo! Invites.
> http://invites.yahoo.com/
> 

