RE: VPN 3DES ON 2MB Link with 25XX
I would look and see if the Crypto card is available for the router yet. Cisco had a PL2 card for the CET and Private Link technology and they were working on (last time I checked) a card that would take the encryption and decryption off the router processor and onto the card. Again, I am not sure if it is available. I thought they were going to call it the PL3, which makes it sound like it is for the Private Link CET technology, but the person I spoke with said it was going to work for DES/3DES etc.

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 05, 2000 7:45 PM
To: [EMAIL PROTECTED]
Subject: Re: VPN 3DES ON 2MB Link with 25XX

Have finally gotten around to printing out the IPSec Design Guide published on the Cisco site.

http://www.cisco.com/cpropart/sync-src/ccstcp/cc/techno/protocol/ipsecur/ipsec/tech/
watch the word wrap
need a CCO login to get there

Rather interesting publication, with 15 pages on IPSec, 27 pages on design considerations, and over 370 pages of case studies/configurations!

The relevant portion to this conversation is the design guide, which does talk about performance, memory usage, and processor impact. The information presented is not as complete as I would hope, but it is indicative.

For example, using a 16xx router, and a 125K clockrate on a back to back serial link, a file transfer that took 10 minutes with no encryption took only 18 seconds longer using IPSec. CPU usage was at 29% on average during the tests. (The publication states that "the same test was run several times and the times were averaged together")

Although there are several charts measuring bandwidth % used with different size packets on several router platforms, I am disappointed to find that this presentation is not particularly detailed, nor particularly rigorous.

One chart compares performance in megabits per second of several routers, one of which is a 2514 (no 2501's). Said router without encryption performed in the range of 2.4-9.9 mbs, and with AH and ESP enabled dropped to 0.1-0.2 mbs. There is a column labeled "suggested bandwidth" but no explanation in the text. There is a rather interesting line stating that "the suggested bandwidth is reduced from the maximum possible to bring the CPU utilization more within accepted limits"

The same table states that a 7505 popping AH and ESP was filling a 6 mbs serial link with a 70-75% CPU usage rate.

All this leads me to infer that the chances are very good that doing what you are planning to do will be bad for the router. IPSec chews up processor cycles. With a T-1 to fill, your poor CPUs are going to burn along at 100% utilization to fill that bandwidth. Not good for router!

Given these kinds of numbers, you may find your remote users complaining a lot about "slow performance" and with good reason. Your 2 meg pipe becomes a 100K pipe, assuming the router doesn't shut down a lot due to overload.

Anyone got some other good reads on IPSec and router resource utilization?

Chuck

<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Hello,
>
> I wish to set up a 3DES VPN between two sites (a local and a remote site) on
> a 2MB serial link using 2 2502 Cisco routers. I will have 30 people
> working on the remote site using telnet sessions, NT file and print with
> servers in the local site.
>
> Do you think the 25XX could handle such calculation (3DES processing) for
> such an amount of users? If yes, has someone already set up such a thing?
>
> regards,
> Christophe.

___
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: VPN 3DES ON 2MB Link with 25XX
I stand duly corrected sir. I was not aware of the product. I must confess I haven't been keeping up on my Cisco, new job and all...

Thanks for your positive input as always...

--- Chuck Larrieu <[EMAIL PROTECTED]> wrote:
> Since this is a Cisco list, Robert, the least you could have done is name
> the Cisco CVPN (formerly Altiga) boxes! :->
>
> Say, where you been? Haven't seen your name here in several months. Good to
> hear from you. I'm still eating my blueberries! :->
>
> Other dedicated VPN boxes include VPNet (www.vpnet.com) and Checkpoint
> makes a pretty good one, particularly when running on the Nokia hardware
> platform (www.checkpoint.com)
>
> And yes I concur. Customers continue to say to me "I have an existing Cisco
> router. Can't we just use that for our VPN?" And I always respond "you sure
> can. But you won't like what happens!" When designing a VPN, the temptation
> is great to try to be cheap. And with VPNs particularly, it can end up being
> a LOT more expensive in the long run.
>
> Keep in touch, Robert. Your insight is welcome and missed.
>
> Chuck
RE: VPN 3DES ON 2MB Link with 25XX
Currently the CPU usage at the central office is topping out at around 30 to 40 percent. The router itself is terminating 2 frame connections with a 256k CIR burstable to 1.5meg; the other 4 connections are coming in over a 7/1meg DSL connection. I believe that Cisco, in its usual fashion, is extremely conservative in what its routers can handle.

Our PIX at the office here that is terminating our 5 other VPNs is the busy one. The two main T1s we have coming in are running around 60 to 70%. The PIX does all of the encryption for the tunnels as well as filtering our internal web surfing out of another dedicated link and routing the internal stuff between four different DMZ areas, our internal network, and the rest of the world. If it gets any busier, or we start doing any 3DES, we are going to get the DES acceleration card to move some of it off of the CPU.

> -Original Message-
> From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 07, 2000 10:36 AM
> To: Darren Johnson; [EMAIL PROTECTED]
> Subject: RE: VPN 3DES ON 2MB Link with 25XX
>
> What are you seeing in the way of CPU usage during business hours? Are your
> results along the lines of what the Cisco document I quoted is indicating?
>
> Also, when you say you have 6 offices terminating, I presume you are doing
> frame relay. What are your port speeds and CIRs? The Cisco doc is rather
> unspecific in terms of the kinds of information that would be beneficial in
> understanding the relationship of bandwidth to CPU usage.
>
> Chuck
RE: VPN 3DES ON 2MB Link with 25XX
What are you seeing in the way of CPU usage during business hours? Are your results along the lines of what the Cisco document I quoted is indicating?

Also, when you say you have 6 offices terminating, I presume you are doing frame relay. What are your port speeds and CIRs? The Cisco doc is rather unspecific in terms of the kinds of information that would be beneficial in understanding the relationship of bandwidth to CPU usage.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Johnson
Sent: Monday, August 07, 2000 8:07 AM
To: [EMAIL PROTECTED]
Subject: RE: VPN 3DES ON 2MB Link with 25XX

Also the hated ones (Nortel) have a fairly good VPN box that seems to work ok. About the only real problem I have had with it is the interface is GUI only; also they say they are working on a BCR (blatant Cisco rip-off) command line also.

As to VPNs being too CPU intensive, at our corporate office we have 6 satellite offices that are terminating into a 2600. Of course the traffic over those links doesn't really amount to that much and it is only DES. At our site we have a total of 5 DES VPNs terminating into a PIX and it is running fine. Once again though if we were doing 3DES I would want to find some sort of hardware accelerator or way to offload the encryption off of the CPU.

Just my .02
Darren
RE: VPN 3DES ON 2MB Link with 25XX
>Also the hated ones (Nortel) have a fairly good VPN box that seems to work
>ok. About the only real problem I have had with it is the interface is GUI
>only; also they say they are working on a BCR (blatant Cisco rip-off) command
>line also.

Harrumph from the hated side. Yes, I agree, I hate menus other than in restaurants. I have a friend who recently moved to the Contivity VPN box group so I can check on things if need be.

I do use the Contivity extranet client on my PC, and it's far more reliable than Outlook. Is that a recommendation? :-)

But a Cisco ripoff? Where did Cisco get CLI other than from UNIX and EMACS?

>As to VPNs being too CPU intensive, at our corporate office we have 6
>satellite offices that are terminating into a 2600. Of course the traffic
>over those links doesn't really amount to that much and it is only DES. At
>our site we have a total of 5 DES VPNs terminating into a PIX and it is
>running fine. Once again though if we were doing 3DES I would want to find
>some sort of hardware accelerator or way to offload the encryption off of
>the CPU.
>Just my .02
>Darren
RE: VPN 3DES ON 2MB Link with 25XX
Also the hated ones (Nortel) have a fairly good VPN box that seems to work ok. About the only real problem I have had with it is the interface is GUI only; also they say they are working on a BCR (blatant Cisco rip-off) command line also.

As to VPNs being too CPU intensive, at our corporate office we have 6 satellite offices that are terminating into a 2600. Of course the traffic over those links doesn't really amount to that much and it is only DES. At our site we have a total of 5 DES VPNs terminating into a PIX and it is running fine. Once again though if we were doing 3DES I would want to find some sort of hardware accelerator or way to offload the encryption off of the CPU.

Just my .02
Darren

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck Larrieu
> Sent: Monday, August 07, 2000 9:40 AM
> To: Robert Hanley; [EMAIL PROTECTED]
> Subject: RE: VPN 3DES ON 2MB Link with 25XX
>
> Since this is a Cisco list, Robert, the least you could have done is name
> the Cisco CVPN (formerly Altiga) boxes! :->
>
> Say, where you been? Haven't seen your name here in several months. Good to
> hear from you. I'm still eating my blueberries! :->
>
> Other dedicated VPN boxes include VPNet (www.vpnet.com) and Checkpoint
> makes a pretty good one, particularly when running on the Nokia hardware
> platform (www.checkpoint.com)
>
> And yes I concur. Customers continue to say to me "I have an existing Cisco
> router. Can't we just use that for our VPN?" And I always respond "you sure
> can. But you won't like what happens!" When designing a VPN, the temptation
> is great to try to be cheap. And with VPNs particularly, it can end up being
> a LOT more expensive in the long run.
>
> Keep in touch, Robert. Your insight is welcome and missed.
>
> Chuck
RE: VPN 3DES ON 2MB Link with 25XX
Since this is a Cisco list, Robert, the least you could have done is name the Cisco CVPN (formerly Altiga) boxes! :->

Say, where you been? Haven't seen your name here in several months. Good to hear from you. I'm still eating my blueberries! :->

Other dedicated VPN boxes include VPNet (www.vpnet.com) and Checkpoint makes a pretty good one, particularly when running on the Nokia hardware platform (www.checkpoint.com)

And yes I concur. Customers continue to say to me "I have an existing Cisco router. Can't we just use that for our VPN?" And I always respond "you sure can. But you won't like what happens!" When designing a VPN, the temptation is great to try to be cheap. And with VPNs particularly, it can end up being a LOT more expensive in the long run.

Keep in touch, Robert. Your insight is welcome and missed.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Hanley
Sent: Monday, August 07, 2000 12:06 AM
To: Chuck Larrieu; [EMAIL PROTECTED]
Subject: Re: VPN 3DES ON 2MB Link with 25XX

With respect for the fact that this is a Cisco list I would still like to point out that it is precisely because of the CPU intensive nature of crypto that the most popular solution is not a router per se but a dedicated VPN box such as the Nortel Contivity.

For the curious:
http://www.nortelnetworks.com/products/01/contivity/doclib.html

In the same vein I must point out that it is the central CPU Cisco router architecture and top down nature of IOS that makes any kind of additional processing problematic. Other router architectures that utilize distributed processing can handle these additional chores much more gracefully.

Chuck...any guess as to where I wound up working?
Re: VPN 3DES ON 2MB Link with 25XX
With respect for the fact that this is a Cisco list, I would still like to point out that it is precisely because of the CPU-intensive nature of crypto that the most popular solution is not a router per se but a dedicated VPN box such as the Nortel Contivity. For the curious: http://www.nortelnetworks.com/products/01/contivity/doclib.html

In the same vein I must point out that it is the central-CPU Cisco router architecture and the top-down nature of IOS that makes any kind of additional processing problematic. Other router architectures that utilize distributed processing can handle these additional chores much more gracefully.

Chuck... any guess as to where I wound up working?

--- Chuck Larrieu <[EMAIL PROTECTED]> wrote:

___
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VPN 3DES ON 2MB Link with 25XX
Have finally gotten around to printing out the IPSec Design Guide published on the Cisco site.

http://www.cisco.com/cpropart/sync-src/ccstcp/cc/techno/protocol/ipsecur/ipsec/tech/
watch the word wrap
need a CCO login to get there

Rather interesting publication, with 15 pages on IPSec, 27 pages on design considerations, and over 370 pages of case studies/configurations!

The relevant portion to this conversation is the design guide, which does talk about performance, memory usage, and processor impact. The information presented is not as complete as I would hope, but it is indicative.

For example, using a 16xx router, and a 125K clockrate on a back-to-back serial link, a file transfer that took 10 minutes with no encryption took only 18 seconds longer using IPSec. CPU usage was at 29% on average during the tests. (The publication states that "the same test was run several times and the times were averaged together".)

Although there are several charts measuring bandwidth % used with different size packets on several router platforms, I am disappointed to find that this presentation is not particularly detailed, nor particularly rigorous.

One chart compares performance in megabits per second of several routers, one of which is a 2514 (no 2501's). Said router without encryption performed in the range of 2.4-9.9 Mbps, and with AH and ESP enabled dropped to 0.1-0.2 Mbps. There is a column labeled "suggested bandwidth" but no explanation in the text. There is a rather interesting line stating that "the suggested bandwidth is reduced from the maximum possible to bring the CPU utilization more within accepted limits".

The same table states that a 7505 popping AH and ESP was filling a 6 Mbps serial link with a 70-75% CPU usage rate.

All this leads me to infer that the chances are very good that doing what you are planning to do will be bad for the router. IPSec chews up processor cycles. With a T-1 to fill, your poor CPUs are going to burn along at 100% utilization to fill that bandwidth. Not good for router!

Given these kinds of numbers, you may find your remote users complaining a lot about "slow performance" and with good reason. Your 2 meg pipe becomes a 100K pipe, assuming the router doesn't shut down a lot due to overload.

Anyone got some other good reads on IPSec and router resource utilization?

Chuck

<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
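As an added example (not part of this thread and not from any Cisco document), the following Python model sizes an IPsec link the way the design guide's charts do: it computes the ESP tunnel-mode framing overhead for a given inner packet size (3DES-CBC with HMAC-96), the CPU share a software-crypto router would need to fill a link at that packet size, and the proportional "suggested bandwidth" reduction quoted above. The per-packet and per-byte CPU costs (`PER_PACKET_US`, `PER_BYTE_US`) are constructed placeholders, not measurements of any platform; replace them with figures measured on your own hardware.

```python
"""Sizing an IPsec link: ESP tunnel-mode overhead per packet and the CPU
headroom a software-crypto router needs to fill a given link rate.

The per-packet and per-byte CPU costs used in __main__ are CONSTRUCTED
illustration values (hypothetical), not measurements of any Cisco platform.
"""

# ESP tunnel-mode framing for 3DES-CBC with HMAC-96 (RFC 2406 / RFC 2451).
OUTER_IPV4_HDR = 20   # new outer IPv4 header added in tunnel mode
ESP_HDR = 8           # SPI (4) + sequence number (4)
IV_3DES_CBC = 8       # 3DES block size, one IV per packet
ESP_TRAILER = 2       # pad length (1) + next header (1)
HMAC96_ICV = 12       # truncated HMAC-MD5-96 / HMAC-SHA1-96 ICV
CIPHER_BLOCK = 8      # 3DES-CBC block size; padding aligns to this


def esp_tunnel_size(inner_ip_len: int) -> int:
    """Wire size of an IPv4 packet of `inner_ip_len` bytes after ESP
    tunnel-mode encapsulation with 3DES-CBC and HMAC-96."""
    to_encrypt = inner_ip_len + ESP_TRAILER
    padded = -(-to_encrypt // CIPHER_BLOCK) * CIPHER_BLOCK  # round up to block
    return OUTER_IPV4_HDR + ESP_HDR + IV_3DES_CBC + padded + HMAC96_ICV


def goodput_bps(link_bps: float, inner_ip_len: int) -> float:
    """Application-visible bit rate once ESP framing is taken out of a link
    carrying only packets of `inner_ip_len` bytes."""
    return link_bps * inner_ip_len / esp_tunnel_size(inner_ip_len)


def cpu_utilization(link_bps: float, inner_ip_len: int,
                    per_packet_us: float, per_byte_us: float) -> float:
    """Fraction of one CPU busy when the router encrypts `link_bps` worth of
    `inner_ip_len`-byte packets.  Values above 1.0 mean the link cannot be
    filled: the crypto code, not the serial line, is the bottleneck."""
    pps = link_bps / (8 * inner_ip_len)
    us_per_packet = per_packet_us + per_byte_us * inner_ip_len
    return pps * us_per_packet / 1e6


def max_rate_at_cpu(cpu_limit: float, inner_ip_len: int,
                    per_packet_us: float, per_byte_us: float) -> float:
    """Highest link rate (bit/s) the router can encrypt while staying at or
    below `cpu_limit` (0..1) for this packet size."""
    us_per_packet = per_packet_us + per_byte_us * inner_ip_len
    pps = cpu_limit * 1e6 / us_per_packet
    return pps * 8 * inner_ip_len


def suggested_bandwidth(max_bps: float, cpu_at_max: float,
                        cpu_limit: float) -> float:
    """Scale a measured maximum (reached at `cpu_at_max` utilization) down to
    the rate that keeps the CPU at `cpu_limit`, assuming crypto cost grows
    linearly with traffic.  This is the design guide's 'suggested bandwidth'
    idea applied as a plain proportion."""
    return max_bps * cpu_limit / cpu_at_max


if __name__ == "__main__":
    # Hypothetical software-3DES costs for a small CPU: constructed values.
    PER_PACKET_US, PER_BYTE_US = 200.0, 25.0
    LINK = 2_000_000  # the 2 Mbit/s serial link discussed in the thread
    for size in (64, 512, 1500):
        print(f"{size:5d}B inner -> {esp_tunnel_size(size):5d}B on wire, "
              f"goodput {goodput_bps(LINK, size) / 1e6:.2f} Mbit/s, "
              f"CPU needed {cpu_utilization(LINK, size, PER_PACKET_US, PER_BYTE_US):.1%}, "
              f"max at 75% CPU {max_rate_at_cpu(0.75, size, PER_PACKET_US, PER_BYTE_US) / 1e3:.0f} kbit/s")
    # The 7505 figure quoted above: 6 Mbit/s at ~75% CPU, brought down to 60%.
    print(f"suggested bandwidth: {suggested_bandwidth(6e6, 0.75, 0.60) / 1e6:.2f} Mbit/s")
```

The framing arithmetic is exact for the cipher and ICV sizes named; everything about CPU cost is a linear model, which is why a single measured (rate, CPU%) point per platform and packet size is what you actually need before trusting the "max at N% CPU" column for a production link.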
Re: VPN 3DES ON 2MB Link with 25XX
Hi Christophe,

The 2500-series routers would *NOT* be capable of performing 3DES processing with a 2MB link. To put it into perspective, I recently spoke to an engineer from Cisco and he confirmed that one of the higher-end routers, the 3640, will only perform 3DES encryption at a rate of 512 Kbit. The 3640 is easily 10+ times faster than the 2500 series. As well, a 1600-series router performing only DES (56-bit) encryption is only capable of about 64 kbit/sec processing. This router is comparable in performance to the 2500 series. 3DES processing, then, would be far less and would be VERY poor. Therefore, the 2500 wouldn't even be capable of managing 64 Kbit or 128 Kbit of 3DES processing.

Your 2Mb link would be better served by something like the Cisco VPN Concentrator 3005 or similar.

Regards,
Paul Lalonde, CCNP

<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
Re: VPN 3DES ON 2MB Link with 25XX
Christophe,

The 2M serial link will handle the telnet traffic. All that is sent during telnet is keyboard and video characters. All processing is done on the remote machine, therefore there won't be any paging traffic, etc. If all file & print services are provided locally, then you should be just fine.

Regards,
Susan

<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
Re: VPN 3DES ON 2MB Link with 25XX
Hi Christophe,

I have been looking into a similar solution, except I have 5 branches accessing ALL their services from the head office and everything needs to be encrypted. I arranged the establishment of a PVC over fibre for 2 of the branches to the head office and have set up a router at one of those branches to also connect 2 other branches through it. This still leaves me with the problem of encrypting traffic from 1 branch to the head office.

I called my local Cisco rep and gave them my scenario. They recommended a router-based encryption solution at first, but then I said I wanted 3DES and there would be approx 30 people using the connection from the branch. They told me the throughput on a 25/2600-series router is only about 256Kb @ 3DES. That means I can't utilize my 2Mb fibre connection between offices. =(

They suggested I use the brand new PIX 506. I told them at first I didn't have that kind of money, but they explained that Cisco realized their shortcomings in the SOHO firewall market and designed this PIX with that segment in mind. It has 7Mb throughput @ 3DES and costs only $2300 CDN, less than my 2600 routers here. I just found my solution but I have yet to implement it. It's still in proposal right now. I'm planning on putting a PIX 506 in the branch and moving the PIX 520 we already have at our website branch to the head office.

Hope this helps. Don't quote ME on the stats because I got them from a rep.

--
Greg Reaume
Network Analyst
Cowan Dalton Inc.
25 Bruce Street, P.O. Box 2007
Kitchener, ON, N2H 6K8
Office: (519)578-9001 x355
Fax: (519)578-0549
Cell: (905)741-4734
E-Mail: [EMAIL PROTECTED]
Pager: (416)714-7405 / (519)220-6114 [EMAIL PROTECTED]

--- Original message ---

Hello,

I wish to set up a 3DES VPN between two sites (a local and a remote site) on a 2MB serial link using 2 Cisco 2502 routers. I will have 30 people working on the remote site using telnet sessions, NT file and print, with servers in the local site.

Do you think the 25XX could handle such calculations (3DES processing) for such a number of users? If yes, has someone already set up such a thing?

regards,
Christophe.