RE: VPN Encryption Module

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Mon Dec 01 2008 - 05:53:17 ARST


The 2800 series all ship with a built-in hardware module; the only question
is if you have the better AIM EPII module.

The 2800/ISR series do not do encryption in software.

They can be forced to handle encrypted traffic in the process path if CEF is
broken by fragmentation, etc., by first re-assembling the encrypted packets
before handing them off to the module (which really defeats the main CPU
gain of the module, etc.).

You can check with Farrukh's command and also with show version (you will
see 2 VPN modules if you have the EPII card added).

Also with "show crypto engine config" and "show crypto engine accelerator
statistic".
As shown with this command, the cheap built-in VPN encryption module is
disabled if the EPII is present:

wanrtr_1#show crypto engine config

        crypto engine name: Virtual Private Network (VPN) Module
        crypto engine type: hardware
                     State: Enabled
                  Location: aim 0
        VPN Module in slot: 0
              Product Name: AIM-VPN/SSL-2
         Software Serial #: 55AA
                 Device ID: 001F - revision 0000
                 Vendor ID: 0000
               Revision No: 0x001F0000
              VSK revision: 0
              Boot version: 255
               DPU version: 0
               HSP version: 3.3(18) (PRODUCTION)
              Time running: 6w0d
               Compression: Yes
                       DES: Yes
                     3 DES: Yes
                   AES CBC: Yes (128,192,256)
                  AES CNTR: No
     Maximum buffer length: 4096
          Maximum DH index: 2000
          Maximum SA index: 2000
        Maximum Flow index: 4000
      Maximum RSA key size: 2048

        crypto engine name: Virtual Private Network (VPN) Module
        crypto engine type: hardware
                     State: Disabled
                  Location: onboard 0
              Product Name: Onboard-VPN
                FW Version: 01100200
              Time running: 3681984 seconds
               Compression: Yes
                       DES: Yes
                     3 DES: Yes
                   AES CBC: Yes (128,192,256)
                  AES CNTR: No
     Maximum buffer length: 4096
          Maximum DH index: 0300
          Maximum SA index: 0300
        Maximum Flow index: 0600
      Maximum RSA key size: 2048

        crypto lib version: 19.0.0

     crypto engine in slot: 0
                  platform: VPN hardware accelerator

   Crypto Adjacency Counts:
                Lock Count: 48545
              Unlock Count: 48545
        crypto lib version: 19.0.0

wanrtr_1#show crypto engine accelerator statistic

Device: AIM-VPN/SSL-2
Location: AIM Slot: 0
Virtual Private Network (VPN) Module in slot : 0
        Statistics for Hardware VPN Module since the last clear
         of counters 3682153 seconds ago
         317398 packets in 317398 packets out
       56129963 bytes in 54491981 bytes out
              0 paks/sec in 0 paks/sec out
              0 Kbits/sec in 0 Kbits/sec out
         143866 packets decrypted 173532 packets encrypted
       25969680 bytes before decrypt 28522301 bytes encrypted
       16543035 bytes decrypted 39586928 bytes after encrypt
              0 packets decompressed 0 packets compressed
              0 bytes before decomp 0 bytes before comp
              0 bytes after decomp 0 bytes after comp
              0 packets bypass decompr 0 packets bypass compres
              0 bytes bypass decompres 0 bytes bypass compressi
              0 packets not decompress 0 packets not compressed
              0 bytes not decompressed 0 bytes not compressed
          1.0:1 compression ratio 1.0:1 overall
         371899 commands out 371899 commands acknowledged
        Last 5 minutes:
            136 packets in 136 packets out
              0 paks/sec in 0 paks/sec out
            538 bits/sec in 575 bits/sec out
           8264 bytes decrypted 7892 bytes encrypted
            223 Kbits/sec decrypted 213 Kbits/sec encrypted
          1.0:1 compression ratio 1.0:1 overall
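The thread asks for a way to tell whether encryption is landing on hardware or software. The added script below is not from the thread or from Cisco; it parses the two outputs quoted above ("show crypto engine config" and "show crypto engine accelerator statistic", trimmed to the fields it reads and embedded as a constructed sample) and reports which hardware engine is enabled and whether that engine is actually seeing packets.

```python
import re

# Constructed sample: the two engines from the "show crypto engine config"
# output quoted above, trimmed to the fields this check reads.
SAMPLE_CONFIG = """\
        crypto engine name: Virtual Private Network (VPN) Module
        crypto engine type: hardware
                     State: Enabled
                  Location: aim 0
              Product Name: AIM-VPN/SSL-2

        crypto engine name: Virtual Private Network (VPN) Module
        crypto engine type: hardware
                     State: Disabled
                  Location: onboard 0
              Product Name: Onboard-VPN
"""
# Constructed sample line from "show crypto engine accelerator statistic".
SAMPLE_STATS = "         143866 packets decrypted 173532 packets encrypted"

def parse_engines(text):
    """Split 'show crypto engine config' output into one dict per engine block."""
    engines, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9 #()/]+?)\s*:\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "crypto engine name":      # a new engine block starts here
            current = {}
            engines.append(current)
        if current is not None:
            current[key] = value
    return engines

def hardware_engines(text):
    """(product, location, enabled) for every engine reported as hardware."""
    return [(e.get("Product Name"), e.get("Location"), e.get("State") == "Enabled")
            for e in parse_engines(text) if e.get("crypto engine type") == "hardware"]

def active_engine(text):
    """Product name of the enabled hardware engine, or None (crypto would run in software)."""
    enabled = [p for p, _, on in hardware_engines(text) if on]
    return enabled[0] if enabled else None

def hw_packet_counts(stats):
    """(decrypted, encrypted) packet counters; both zero means the module sees no traffic."""
    m = re.search(r"(\d+) packets decrypted\s+(\d+) packets encrypted", stats)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)
```

Feed it the real output of both commands from the router; an enabled engine whose packet counters stay at zero while IPsec traffic flows is the sign that packets are taking the process path instead of the module.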

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Farrukh Haroon
Sent: Monday, December 01, 2008 2:27 AM
To: Razzaq Shaikh
Cc: Cisco certification
Subject: Re: VPN Encryption Module

You could run the 'show diag' command, it will show you something like:

        AIM Module in slot: 0
        PCB Serial Number : FXXXX
        Hardware Revision : 1.0
        Top Assy. Part Number :
        Board Revision : D0
        Deviation Number : 0
        Fab Version : 03
        RMA Test History : 00
        RMA Number : 0-0-0-0
        RMA History : 00
        CLEI Code : CNC
        *Product (FRU) Number : AIM-VPN/HPII-PLUS*
You can check the performance using some VPN performance monitoring tool to
ensure it matches the Cisco-stated throughput figures with the AIM. The AIM
VPN module comes bundled with the HSEC bundles.

Regards

Farrukh

On Mon, Dec 1, 2008 at 10:03 AM, Razzaq Shaikh
<shaikh.razzaq@gmail.com> wrote:

> Hello,
>
> I have a couple of questions for VPN setup:
>
>
> - How could I identify if there is a VPN hardware encryption module on a
> Cisco 2800 router?
> - Is there a tool to see the difference between software & hardware
> encryption?
> - With a VPN hardware encryption module, do I need to perform some
> configuration?
>
> Thanks
> SR


This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:07 ARST