Have finally gotten around to printing out the IPSec Design Guide published
on the Cisco site.

http://www.cisco.com/cpropart/sync-src/ccstcp/cc/techno/protocol/ipsecur/ipsec/tech/
watch the word wrap
need a CCO login to get there

Rather interesting publication, with 15 pages on IPSec, 27 pages on design
considerations, and over 370 pages of case studies/configurations!

The relevant portion to this conversation is the design guide, which does
talk about performance, memory usage, and processor impact. The information
presented is not as complete as I would hope, but it is indicative.

For example, using a 16xx router, and a 125K clockrate on a back to back
serial link, a file transfer that took 10 minutes with no encryption took
only 18 seconds longer using IPSec. CPU usage was at 29% on average during
the tests. (The publication states that "the same test was run several
times and the times were averaged together".)

Although there are several charts measuring bandwidth % used with different
size packets on several router platforms, I am disappointed to find that
this presentation is not particularly detailed, nor particularly rigorous.

One chart compares performance in megabits per second of several routers, one
of which is a 2514 (no 2501's). Said router without encryption performed
in the range of 2.4-9.9 mbs, and with AH and ESP enabled dropped to 0.1-0.2
mbs. There is a column labeled "suggested bandwidth" but no explanation in
the text. There is a rather interesting line stating that "the suggested
bandwidth is reduced from the maximum possible to bring the CPU utilization
more within accepted limits".

The same table states that a 7505 popping AH and ESP was filling a 6 mbs
serial link with a 70-75% CPU usage rate.

All this leads me to infer that the chances are very good that doing what
you are planning to do will be bad for the router. IPSec chews up processor
cycles. With a T-1 to fill, your poor CPU's are going to burn along at 100%
utilization to fill that bandwidth. Not good for router!

Given these kinds of numbers, you may find your remote users complaining a
lot about "slow performance" and with good reason. Your 2 meg pipe becomes a
100K pipe, assuming the router doesn't shut down a lot due to overload.

Anyone got some other good reads on IPSec and router resource utilization?

Chuck

<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Hello,
>
> I wish to setup a 3DES VPN between two sites (a local and a remote site) on
> a 2MB serial link using 2 2502 cisco routers. I will have 30 people
> working on the remote site using telnet session, NT file and print with
> servers in the local site.
>
> Do you think the 25XX could handle such calculation (3DES processing) for
> such amount of user? If yes is someone already setup such thing?
>
> regards,
> Christophe.
>
> ___________________________________
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> ---

