Also the hated ones (Nortel) have a fairly good VPN box that seems to work
OK. About the only real problem I have had with it is that the interface is
GUI only. They say they are working on a BCR (blatant Cisco rip-off) command
line also.
As to VPNs being too CPU intensive, at our corporate office we have 6
satellite offices that are terminating into a 2600. Of course the traffic
over those links doesn't really amount to that much and it is only DES. At
our site we have a total of 5 DES VPNs terminating into a PIX and it is
running fine. Once again though, if we were doing 3DES I would want to find
some sort of hardware accelerator or way to offload the encryption off of
the CPU.
Just my .02
Darren
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Chuck Larrieu
> Sent: Monday, August 07, 2000 9:40 AM
> To: Robert Hanley; [EMAIL PROTECTED]
> Subject: RE: VPN 3DES ON 2MB Link with 25XX
>
>
> Since this is a Cisco list, Robert, the least you could have done is name
> the Cisco CVPN ( formerly Altiga ) boxes! :->
>
> Say, where you been? Haven't seen your name here in several months. Good to
> hear from you. I'm still eating my blueberries! :->
>
> Other dedicated VPN boxes include VPNet ( www.vpnet.com ) and Checkpoint
> makes a pretty good one, particularly when running on the Nokia hardware
> platform ( www.checkpoint.com )
>
> And yes I concur. Customers continue to say to me "I have an existing Cisco
> router. Can't we just use that for our VPN?" And I always respond "you sure
> can. But you won't like what happens!" When designing a VPN, the temptation
> is great to try to be cheap. And with VPNs particularly, it can end up being
> a LOT more expensive in the long run.
>
> Keep in touch, Robert. Your insight is welcome and missed.
>
> Chuck
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Robert Hanley
> Sent: Monday, August 07, 2000 12:06 AM
> To: Chuck Larrieu; [EMAIL PROTECTED]
> Subject: Re: VPN 3DES ON 2MB Link with 25XX
>
> With respect for the fact that this is a cisco list I
> would still like to point out that it is precisely
> because of the cpu intensive nature of crypto that the
> most popular solution is not a router per se but a
> dedicated VPN box such as the Nortel Contivity.
>
> For the curious:
> http://www.nortelnetworks.com/products/01/contivity/doclib.html
>
> In the same vein I must point out that it is the
> central cpu cisco router architecture and top down
> nature of IOS that makes any kind of additional
> processing problematic. Other router architectures
> that utilize distributed processing can handle these
> additional chores much more gracefully.
>
> Chuck...any guess as to where I wound up working ?
>
>
> --- Chuck Larrieu <[EMAIL PROTECTED]> wrote:
> > Have finally gotten around to printing out the IPSec Design Guide published
> > on the Cisco site.
> >
> >
> > http://www.cisco.com/cpropart/sync-src/ccstcp/cc/techno/protocol/ipsecur/ipsec/tech/
> > watch the word wrap
> > need a CCO login to get there
> >
> > rather interesting publication, with 15 pages on IPSec, 27 pages on design
> > considerations, and over 370 pages of case studies/configurations!
> >
> > the relevant portion to this conversation is the design guide, which does
> > talk about performance, memory usage, and processor impact. The information
> > presented is not as complete as I would hope, but it is indicative.
> >
> > for example, using a 16xx router, and a 125K clockrate on a back to back
> > serial link, a file transfer that took 10 minutes with no encryption took
> > only 18 seconds longer using IPSec. CPU usage was at 29% on average during
> > the tests. ( The publication states that "the same test was run several
> > times and the times were averaged together")
> >
> > Although there are several charts measuring bandwidth % used with different
> > size packets on several router platforms, I am disappointed to find that
> > this presentation is not particularly detailed, nor particularly rigorous.
> >
> > One chart compares performance in megabits per second of several routers, one
> > of which is a 2514 ( no 2501's ). Said router without encryption performed
> > in the range of 2.4-9.9 mbs, and with AH and ESP enabled dropped to 0.1-0.2
> > mbs. there is a column labeled "suggested bandwidth" but no explanation in
> > the text. There is a rather interesting line stating that "the suggested
> > bandwidth is reduced from the maximum possible to bring the CPU utilization
> > more within accepted limits"
> >
> > the same table states that a 7505 popping AH and ESP was filling a 6 mbs
> > serial link with a 70-75% CPU usage rate.
> >
> > All this leads me to infer that the chances are very good that doing what
> > you are planning to do will be bad for the router. IPSec chews up processor
> > cycles. With a T-1 to fill, your poor CPUs are going to burn along at 100%
> > utilization to fill that bandwidth. Not good for router!
> >
> > Given these kinds of numbers, you may find your remote users complaining a
> > lot about "slow performance" and with good reason. your 2 meg pipe becomes a
> > 100K pipe, assuming the router doesn't shut down a lot due to overload.
> >
> > Anyone got some other good reads on IPSec and router resource utilization?
> >
> > Chuck
> >
> > <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > > Hello,
> > >
> > > I wish to set up a 3DES VPN between two sites (a local and a remote site)
> > > on a 2MB serial link using 2 2502 Cisco routers. I will have 30 people
> > > working on the remote site using telnet sessions, NT file and print with
> > > servers in the local site.
> > >
> > > Do you think the 25XX could handle such calculation (3DES processing) for
> > > such an amount of users? If yes, has someone already set up such a thing?
> > >
> > > regards,
> > > Christophe.
> > >
> > > ___________________________________
> > > UPDATED Posting Guidelines:
> > http://www.groupstudy.com/list/guide.html
> > > FAQ, list archives, and subscription info:
> > http://www.groupstudy.com
> > > Report misconduct and Nondisclosure violations to
> > [EMAIL PROTECTED]
> > > ---
> >
>
>