06-23-2004 04:01 AM - edited 03-02-2019 04:33 PM
I am investigating the use of AIM cards in 2600 series routers. Has anyone successful experience of compressing data on a 2600 then pushing it out via an ethernet port to a firewall and then out to the internet over VPN to another office with the same equipment?
cheers
Steve
06-29-2004 05:35 AM
I have not used it, but if you are looking for some configuration info, this link might help you:
http://www.cisco.com/en/US/tech/tk713/tk802/tech_technical_documentation.html
07-05-2004 04:46 AM
I guess the reason you are using data compression is for efficiency in transport over the internet, so you're talking about IPComp (IPPCP) compression within IPSec, rather than link compression over ethernet!
Well, sorry not to be much help, but I have had exactly the same question in mind, so any help from the forum would be useful.
The big question, to me, is not so much how well it might work, but whether it will work at all. The reason I have my doubts is that I understand the use of IPPCP is negotiated during IKE Phase 1, and I can't see anywhere in IOS that it can be configured, even though the hardware supports it.
Thus, although the compression AIM will support IPComp from a VPN client which can request it (perhaps through a Radius AV-pair), a pure IOS site-to-site VPN is another matter entirely.
If anyone has any insight into this, I'd be grateful.
07-17-2004 03:05 PM
We're using IP PCP with IPSec across a number of link types and it works fine.
IP PCP is an option within the IPSec transform as follows:
router(config)#crypto ipsec transform-set NAME ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-sha-hmac ESP transform using HMAC-SHA auth
To enable IP PCP you use the "comp-lzs" option.
As for the question of how well the compression works, that is entirely dependent upon the data being passed to the compression algorithm. Data that has highly repetitive patterns will compress much better than data that is already compressed, e.g. MPEG, but on average we reckon on getting an average ratio of 1.6:1.
07-22-2004 02:58 AM
That's just the answer I was looking for. Strange thing, but I must have seen "comp-lzs" dozens, perhaps hundreds, of times when working on the routers and never really noticed it!
Thanks indeed for your help.
07-22-2004 12:13 PM
Could I see your full transform set? The compression happens to the IP payload before it is encrypted, correct? So after the "comp-lzs" you just specify your other parameters, i.e., 3des, etc.? I've never used compression over IPSec and am interested in seeing the config.
07-26-2004 02:32 PM
The transform set we have is as follows:
!
crypto ipsec transform-set IPSEC-3DES-PCP esp-3des comp-lzs
!
As you say, compression works before encryption, but the order the commands are entered in the transform set is not important.
To check if it's working or not use the "sh crypto ipsec sa" command
router#sh crypto ipsec sa int atm 4/0.1
[snip]
#pkts encaps: 2301316558, #pkts encrypt: 2301316558, #pkts digest 0
#pkts decaps: 4244102107, #pkts decrypt: 4244189834, #pkts verify 0
#pkts compressed: 1652452925, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 648863635, #pkts decompress failed: 0
#send errors 2929, #recv errors 87727
Don't be too worried by the "#pkts compr. failed" counter. This is the number of packets that were passed to the compression algorithm, but could not be compressed, probably as they had already been compressed by the application i.e., ZIP files, MPEGs etc.
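An added example, not part of the original post: a small parser for the "sh crypto ipsec sa" counters shown above that works out what share of the packets handed to LZS could not be compressed. The function names and the "encaps_gap" figure are assumptions made for this illustration.

```python
import re

# Output copied from the "sh crypto ipsec sa" snippet in the post above.
SAMPLE = """\
#pkts encaps: 2301316558, #pkts encrypt: 2301316558, #pkts digest 0
#pkts decaps: 4244102107, #pkts decrypt: 4244189834, #pkts verify 0
#pkts compressed: 1652452925, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 648863635, #pkts decompress failed: 0
#send errors 2929, #recv errors 87727
"""

# Counters are printed both as "#name: value" and as "#name value".
COUNTER_RE = re.compile(r"#([a-z. ]+?):? (\d+)")


def parse_sa_counters(text):
    """Return {counter name: integer value} for every '#...' counter in text."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def compression_summary(counters):
    """Summarise outbound compression from parsed SA counters."""
    ok = counters.get("pkts compressed", 0)
    failed = counters.get("pkts compr. failed", 0)
    skipped = counters.get("pkts not compressed", 0)
    offered = ok + failed  # packets actually passed to the LZS algorithm
    return {
        "offered": offered,
        # Share of offered packets that came back uncompressed.
        "failed_share": failed / offered if offered else None,
        # In the thread's sample, compressed + failed + not compressed lands
        # within 2 of "#pkts encaps". That is an observation on this output,
        # not documented IOS behaviour, so treat a large gap only as a hint.
        "encaps_gap": counters.get("pkts encaps", 0) - (offered + skipped),
    }


if __name__ == "__main__":
    summary = compression_summary(parse_sa_counters(SAMPLE))
    print("offered to LZS :", summary["offered"])
    print("failed share   : {:.1%}".format(summary["failed_share"]))
    print("encaps gap     :", summary["encaps_gap"])
```

On the counters in the post, roughly 28% of the packets passed to the compressor were sent uncompressed.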
07-26-2004 02:45 PM
The other point I forgot to mention is that the AIM-VP/EP (2600 series) and the NM-VPN/MP (3600 series) don't themselves support compression. If you have these adapters installed you don't get the "comp-lzs" as an option in the transform-set *unless* you go to 12.2(13)T or above when a feature was added that provides software compression (router CPU) with hardware encryption.
The following snip is from the release notes (http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/xprn122t/122tnewf.htm#wp33891):
LZ Software with Hardware Encryption - Before the LZ Software with Hardware Encryption feature was introduced, compression was not supported with the VPN encryption hardware advanced integration module (AIM) and network module (NM); that is, a user had to remove the VPN module from the router and run software encryption with software compression. This feature enables all VPN modules to support LZ compression in software when the VPN module is in Cisco 2600 and Cisco 3600 series routers, thereby, allowing users to configure and compress 2 128Kb/sec streams
Regards
07-27-2004 12:58 AM
And not to disagree with this in any way, note also that this is not true of the more recent AIM modules, which ***do*** support compression in hardware. Any module that has II or II-Plus in the code supports IPPCP in hardware, according to
http://www.cisco.com/en/US/products/hw/routers/ps282/products_data_sheet09186a0080088750.html
HTH
07-29-2004 12:36 PM
I run compression on all of mine and they seem to work fine. The links that don't have the hardware compression seem to peg the CPU pretty hard though. I wouldn't suggest compression without the AIM at over 700k or so.