Re: [nsp] IPSEC Limits ?

From: Josh Richards (jrichard@cubicle.net)
Date: Sat Oct 21 2000 - 01:21:05 EDT


* Stefan Simko <Stefan.Simko@KPNQwest.com> [20001018 07:45]:
> Hi,
> I can't find any information, what are the limits of different Cisco devices
> in encryption using IPSEC and different encryption and authentication
> methods, how many encrypted channels or how many pps can they handle.
>
> Does anyone know this?
>
> Where on CCO is information about these and other limits?

I've not found a centralized page with this info, just tidbits mentioned
as side remarks in release notes and things.

It also varies a bit because some platforms support IPSec both on the main
CPU as well as on hardware assisted cards.

The AIM (26xx and 36xx card) vaguely says:

  The data encryption AIMs and NM are hardware Layer 3 (IPSec) encryption
  modules and provide DES(56-bit) and 3DES(168-bit) IPsec encryption for
  multiple T1s or E1s of bandwidth. This level of performance is a dramatic
  increase over that achievable when running IPSec in software on the main
  CPU of the Cisco 2600 or 3600. These products also have hardware support
  for DH, RSA, and DSA key generation.

Now just how many "multiples" of T1s or E1s I have no idea. :) Nor what
combinations of ciphers or ESP and AH modes.

The 17xx platform VPN module docs say:

  The VPN module, which fits in a slot inside the Cisco 1720 or 1750 chassis,
  encrypts data using the Data Encryption Standard (DES) and 3DES algorithms
  at speeds suitable for a full-duplex T1/E1 serial connection (4 megabits
  per second [Mbps] for 1514-byte packets). The module, together with the
  platform, supports as many as 100 encrypted tunnels (400 security
  associations) for concurrent sessions with mobile users or other sites.

These are of course mostly edge devices and the smaller ones at that. Cisco
consistently portrays the above platforms as being for "10-100 users".
The low end of that range is supported without acceleration and the upper
end requires hardware acceleration from an option card.

Not very scientific but may give you an idea of where they fit. The 12000
isn't considered an IPSec platform (the idea being the 12000s are in your
core and just routing IP packets...you're encrypting out closer to your edge).
Whether the GSR and similar still support IPSec anyway I'm unsure (and don't
have immediate access to one at the moment to check).

The 72xx and 75xx are portrayed as being for terminating/originating 500+
IPSec tunnels. (again, unscientific and vague I know...*sigh* where oh where
is a decent datasheet that summarizes and clearly states this stuff on Cisco's
site?). The 7100 platform with an ISM (Integrated Service Model) is stated
by Cisco to support up to 2000 tunnels up to full duplex DS-3 line rate (90
Mbps). The ISA (Integrated Services Adapter) for the 7100/7200VXR has the
same. Again, no details on what ciphers or AH/ESP combos in use. :(

The Cisco VPN 5001 (intended for enterprise use...for terminating tunnels
from remote employees for example) is 1500 tunnels or 50 Mbps using ESP 3DES
and AH MD5.

This information is reaped from various release notes and documentation spread
around Cisco's site. Hopefully it helps a bit. If you find a "here are
the performance characteristics of our various products that support IPSec"
URL on CCO someplace that I couldn't find...please lemme know. :)

-jr

----
Josh Richards [JTR38/JR539-ARIN]
<jrichard@geekresearch.com/cubicle.net/fix.net/freedom.gen.ca.us>
Geek Research LLC - <URL:http://www.geekresearch.com/>
IP Network Engineering and Consulting



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:20 EDT