>Also the hated ones (Nortel) have a fairly good VPN box that seems to work
>ok. About the only real problem I have had with it is the interface is GUI
>only also they say they are working on a BCR (blatant Cisco rip-off) command
>line also.
Harrumph from the hated side. Yes, I agree, I hate menus other than
in restaurants. I have a friend who recently moved to the Contivity
VPN box group so I can check on things if need be. I do use the
Contivity extranet client on my PC, and it's far more reliable than
Outlook. Is that a recommendation? :-)
But a Cisco ripoff? Where did Cisco get CLI other than from UNIX and EMACS?
>As to VPN's being too cpu intensive, at our corporate office we have 6
>satellite offices that are terminating into a 2600. Of course the traffic
>over those links doesn't really amount to that much and it is only DES. At
>our site we have a total of 5 DES vpns terminating into a PIX and it is
>running fine. Once again though if we were doing 3DES I would want to find
>some sort of hardware accelerator or way to offload the encryption off of
>the CPU.
>Just my .02
>Darren
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Chuck Larrieu
> > Sent: Monday, August 07, 2000 9:40 AM
> > To: Robert Hanley; [EMAIL PROTECTED]
> > Subject: RE: VPN 3DES ON 2MB Link with 25XX
> >
> >
> > Since this is a Cisco list, Robert, the least you could have done is name
> > the Cisco CVPN ( formerly Altiga ) boxes! :->
> >
> > Say, where you been? Haven't seen your name here in several months. Good to
> > hear from you. I'm still eating my blueberries! :->
> >
> > Other dedicated VPN boxes include VPNet ( www.vpnet.com ) and Checkpoint
> > makes a pretty good one, particularly when running on the Nokia hardware
> > platform ( www.checkpoint.com )
> >
> > And yes I concur. Customers continue to say to me "I have an existing Cisco
> > router. Can't we just use that for our VPN?" And I always respond "you sure
> > can. But you won't like what happens!" When designing a VPN, the temptation
> > is great to try to be cheap. And with VPNs particularly, it can end up being
> > a LOT more expensive in the long run.
> >
> > Keep in touch, Robert. Your insight is welcome and missed.
> >
> > Chuck
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Robert Hanley
> > Sent: Monday, August 07, 2000 12:06 AM
> > To: Chuck Larrieu; [EMAIL PROTECTED]
> > Subject: Re: VPN 3DES ON 2MB Link with 25XX
> >
> > With respect for the fact that this is a cisco list I
> > would still like to point out that it is precisely
> > because of the cpu intensive nature of crypto that the
> > most popular solution is not a router per se but a
> > dedicated VPN box such as the Nortel Contivity.
> >
> > For the curious:
> > http://www.nortelnetworks.com/products/01/contivity/doclib.html
> >
> > In the same vein I must point out that it is the
> > central cpu cisco router architecture and top down
> > nature of IOS that makes any kind of additional
> > processing problematic. Other router architectures
> > that utilize distributed processing can handle these
> > additional chores much more gracefully.
> >
> > Chuck...any guess as to where I wound up working ?
> >
> >
> > --- Chuck Larrieu <[EMAIL PROTECTED]> wrote:
> > > Have finally gotten around to printing out the IPSec
> > > Design Guide published
> > > on the Cisco site.
> > >
> > >
> > > http://www.cisco.com/cpropart/sync-src/ccstcp/cc/techno/protocol/ipsecur/ipsec/tech/
> > > watch the word wrap
> > > need a CCO login to get there
> > >
> > > rather interesting publication, with 15 pages on
> > > IPSec, 27 pages on design
> > > considerations, and over 370 pages of case
> > > studies/configurations!
> > >
> > > the relevant portion to this conversation is the
> > > design guide, which does
> > > talk about performance, memory usage, and processor
> > > impact. The information
> > > presented is not as complete as I would hope, but it
> > > is indicative.
> > >
> > > for example, using a 16xx router, and a 125K
> > > clockrate on a back to back
> > > serial link, a file transfer that took 10 minutes
> > > with no encryption took
> > > only 18 seconds longer using IPSec. CPU usage was at
> > > 29% on average during
> > > the tests. ( The publication states that "the same
> > > test was run several
> > > times and the times were averaged together")
> > >
> > > Although there are several charts measuring
> > > bandwidth % used with different
> > > size packets on several router platforms, I am
> > > disappointed to find that
> > > this presentation is not particularly detailed, nor
> > > particularly rigorous.
> > >
> > > One chart compares performance in megabits per second
> > > of several routers, one
> > > of which is a 2514 ( no 2501's ). Said router
> > > without encryption performed
> > > in the range of 2.4-9.9 mbs, and with AH and ESP
> > > enabled dropped to 01.-0.2
> > > mbs. there is a column labeled "suggested bandwidth"
> > > but no explanation in
> > > the text. There is a rather interesting line stating
> > > that "the suggested
> > > bandwidth is reduced from the maximum possible to
> > > bring the CPU utilization
> > > more within accepted limits"
> > >
> > > the same table states that a 7505 popping AH and ESP
> > > was filling a 6 mbs
> > > serial link with a 70-75% CPU usage rate.
> > >
> > > All this leads me to infer that the chances are very
> > > good that doing what
> > > you are planning to do will be bad for the router.
> > > IPSec chews up processor
> > > cycles. With a T-1 to fill, your poor CPU's are
> > > going to burn along at 100%
> > > utilization to fill that bandwidth. Not good for
> > > router!
> > >
> > > Given these kinds of numbers, you may find your
> > > remote users complaining a
> > > lot about "slow performance" and with good reason.
> > > your 2 meg pipe becomes a
> > > 100K pipe, assuming the router doesn't shut down a
> > > lot due to overload.
> > >
> > > Anyone got some other good reads on IPSec and router
> > > resource utilization?
> > >
> > > Chuck
> > >
> > > <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > > > Hello,
> > > >
> > > > I wish to setup a 3DES VPN between two sites (a local and a remote site) on
> > > > a 2MB serial link using 2 2502 cisco routers. I will have 30 people
> > > > working on the remote site using telnet session, NT file and print with
> > > > servers in the local site.
> > > >
> > > > Do you think the 25XX could handle such calculation (3DES processing) for
> > > > such amount of user. If yes is someone already setup such thing ?
> > > >
> > > > regards,
> > > > Christophe.
> > > >
> > > > ___________________________________
> > > > UPDATED Posting Guidelines:
> > > http://www.groupstudy.com/list/guide.html
> > > > FAQ, list archives, and subscription info:
> > > http://www.groupstudy.com
> > > > Report misconduct and Nondisclosure violations to
> > > [EMAIL PROTECTED]
> > > > ---