
Compression using AIM

steve
Level 1

I am investigating the use of AIM cards in 2600 series routers. Has anyone successful experience of compressing data on a 2600 then pushing it out via an ethernet port to a firewall and then out to the internet over VPN to another office with the same equipment?

cheers

Steve

9 Replies

gmarogi
Level 5

I have not used it, but if you are looking for some configuration info, this link might help you:

http://www.cisco.com/en/US/tech/tk713/tk802/tech_technical_documentation.html

raarons
Level 1

I guess the reason you are using data compression is for efficiency in transport over the internet, so you're talking about IPComp (IPPCP) compression within IPSec, rather than link compression over ethernet!

Well, sorry not to be much help, but I have had exactly the same question in mind, so any help from the forum would be useful.

The big question, to me, is not so much how well it might work, but whether it will work at all. The reason I have my doubts is that I understand the use of IPPCP is negotiated during IKE Phase 1, and I can't see anywhere in IOS that it can be configured, even though the hardware supports it.

Thus, although the compression AIM will support IPComp from a VPN client which can request it (perhaps through a Radius AV-pair), a pure IOS site-to-site VPN is another matter entirely.

If anyone has any insight into this, I'd be grateful.

We're using IP PCP with IPSec across a number of link types and it works fine.

IP PCP is an option within the IPSec transform as follows:

    router(config)#crypto ipsec transform-set NAME ?
      ah-md5-hmac   AH-HMAC-MD5 transform
      ah-sha-hmac   AH-HMAC-SHA transform
      comp-lzs      IP Compression using the LZS compression algorithm
      esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
      esp-des       ESP transform using DES cipher (56 bits)
      esp-md5-hmac  ESP transform using HMAC-MD5 auth
      esp-null      ESP transform w/o cipher
      esp-sha-hmac  ESP transform using HMAC-SHA auth

To enable IP PCP you use the "comp-lzs" option.

As for the question of how well the compression works, that is entirely dependent upon the data being passed to the compression algorithm. Data that has highly repetitive patterns will compress much better than data that is already compressed, e.g. MPEG, but on average we reckon on getting an average ratio of 1.6:1.
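Added example, not part of the original post: a sketch of the per-packet decision IPComp makes under the RFC 3173 non-expansion rule, showing why repetitive payloads go out compressed while already-compressed ones do not. Raw DEFLATE from Python's `zlib` is an assumed stand-in for LZS, and the payloads are constructed samples.

```python
import hashlib
import zlib

IPCOMP_HEADER_LEN = 4  # next header (1) + flags (1) + CPI (2), RFC 3173


def high_entropy(n: int) -> bytes:
    """Deterministic random-looking bytes: stand-in for ZIP/MPEG payloads."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(8, "big")).digest()
        i += 1
    return out[:n]


def ipcomp_decision(payload: bytes) -> tuple[bool, int]:
    """Return (sent_compressed, payload bytes handed on to ESP)."""
    # Assumption: raw DEFLATE (wbits=-15) stands in for the LZS algorithm.
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    size = IPCOMP_HEADER_LEN + len(c.compress(payload) + c.flush())
    if size < len(payload):
        return True, size
    return False, len(payload)  # non-expansion: send the original form


def summarize(payloads: list[bytes]) -> dict:
    """Tally outcomes the way the router's per-SA counters would."""
    sent = [ipcomp_decision(p) for p in payloads]
    original = sum(len(p) for p in payloads)
    on_wire = sum(size for _, size in sent)
    compressed = sum(1 for ok, _ in sent if ok)
    return {
        "compressed": compressed,
        "compr_failed": len(sent) - compressed,
        "ratio": original / on_wire,
    }


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n" * 20,
    b"<134>Jan  1 00:00:00 host app: status=ok\n" * 30,
    high_entropy(1400),  # already-compressed or encrypted application data
    high_entropy(20),    # tiny packet: header overhead outweighs any gain
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

Because compression runs before ESP encryption, the ciphertext itself is never a candidate; only the application payload's own redundancy matters.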

That's just the answer I was looking for. Strange thing, but I must have seen "comp-lzs" dozens, perhaps hundreds, of times when working on the routers and never really noticed it!

Thanks indeed for your help.

Could I see your full transform set? The compression happens to the IP payload before it is encrypted, correct? So after the "comp-lzs" you just specify your other parameters, i.e., 3des, etc.? I've never used compression over IPSec and am interested in seeing the config.

The transform set we have is as follows:

    !
    crypto ipsec transform-set IPSEC-3DES-PCP esp-3des comp-lzs
    !

As you say, compression works before encryption, but the order the commands are entered in the transform set is not important.

To check if it's working or not use the "sh crypto ipsec sa" command

    router#sh crypto ipsec sa int atm 4/0.1
    [snip]
    #pkts encaps: 2301316558, #pkts encrypt: 2301316558, #pkts digest 0
    #pkts decaps: 4244102107, #pkts decrypt: 4244189834, #pkts verify 0
    #pkts compressed: 1652452925, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 648863635, #pkts decompress failed: 0
    #send errors 2929, #recv errors 87727

Don't be too worried by the "#pkts compr. failed" counter. This is the number of packets that were passed to the compression algorithm, but could not be compressed, probably as they had already been compressed by the application i.e., ZIP files, MPEGs etc.

The other point I forgot to mention is that the AIM-VP/EP (2600 series) and the NM-VPN/MP (3600 series) don't themselves support compression. If you have these adapters installed you don't get the "comp-lzs" as an option in the transform-set *unless* you go to 12.2(13)T or above when a feature was added that provides software compression (router CPU) with hardware encryption.

The following snip is from the release notes (http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/xprn122t/122tnewf.htm#wp33891):

LZ Software with Hardware Encryption - Before the LZ Software with Hardware Encryption feature was introduced, compression was not supported with the VPN encryption hardware advanced integration module (AIM) and network module (NM); that is, a user had to remove the VPN module from the router and run software encryption with software compression. This feature enables all VPN modules to support LZ compression in software when the VPN module is in Cisco 2600 and Cisco 3600 series routers, thereby, allowing users to configure and compress 2 128Kb/sec streams

Regards
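Added example, not part of the original post: a small parser for the counter lines quoted above that reports what share of packets handed to the compressor actually went out compressed. The counter names and values are copied from the quoted output; treating "zero compressed and zero compr. failed" as compression not being active on the SA is this example's assumption, and the second sample is constructed.

```python
import re

# Counter lines copied from the "sh crypto ipsec sa" output quoted in the thread.
SAMPLE = """\
#pkts encaps: 2301316558, #pkts encrypt: 2301316558, #pkts digest 0
#pkts decaps: 4244102107, #pkts decrypt: 4244189834, #pkts verify 0
#pkts compressed: 1652452925, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 648863635, #pkts decompress failed: 0
#send errors 2929, #recv errors 87727
"""

# Constructed sample: an SA whose compression counters never move.
SAMPLE_NO_COMP = """\
#pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1200, #pkts compr. failed: 0, #pkts decompress failed: 0
"""

# Matches both "#name: value" and "#name value" forms used in the output.
COUNTER = re.compile(r"#([A-Za-z. ]+?):?\s+(\d+)")


def parse_counters(text: str) -> dict[str, int]:
    """Map every counter name in the output to its integer value."""
    return {m.group(1).strip(): int(m.group(2)) for m in COUNTER.finditer(text)}


def compression_report(text: str) -> dict:
    """Summarize outbound compression for one SA."""
    c = parse_counters(text)
    compressed = c.get("pkts compressed", 0)
    failed = c.get("pkts compr. failed", 0)
    attempted = compressed + failed
    return {
        "attempted": attempted,
        "compressed_share": compressed / attempted if attempted else 0.0,
        "active": attempted > 0,  # assumption: no attempts means no IPComp on this SA
        "decompress_failed": c.get("pkts decompress failed", 0),
    }


if __name__ == "__main__":
    for name, text in (("thread output", SAMPLE), ("constructed", SAMPLE_NO_COMP)):
        print(name, compression_report(text))
```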

And not to disagree with this in any way, note also that this is not true of the more recent AIM modules, which ***do*** support compression in hardware. Any module that has II or II-Plus in the code supports IPPCP in hardware, according to

http://www.cisco.com/en/US/products/hw/routers/ps282/products_data_sheet09186a0080088750.html

HTH

rucus01
Level 1

I run compression on all of mine and they seem to work fine. The links that don't have the hardware compression seem to peg the CPU pretty hard though. I wouldn't suggest compression without the AIM at over 700k or so.
