Packet processing with crypto map on interface

Andrey.Krupitsa
Level 1

Hi.

For example, we attach a crypto map to an interface.

Will there be any change in the processing of incoming non-ESP (and also non-IKE) packets?

Can somebody explain in detail how the router detects interesting IPsec traffic in the outbound direction? Is this just an ACL check?

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

That's easy -

1. No

2. Yes. (for initial packets - once the VPN is established with active connections, I believe they will match the existing connections check prior to ACL processing.)

:)

Do you believe, or do you know?
I believe that the ASA does so, but I am not sure that the router does too.

Just for example, we have a router with 200 Mbps of real-life traffic on interface gi 0/0, and we have 50% CPU utilization in this case.

And another case: we have a router with 200 Mbps of real-life traffic on interface gi 0/0 plus a crypto map with 3 Mbps of encrypted traffic. What will the processor utilization be in this case?

Sorry - I mistakenly assumed you were asking about a firewall.

Router CPU is definitely affected by having to encrypt traffic. It still doesn't change the order of operations for non-IPsec traffic though.

Thank you for your help.
I know that the router's CPU is affected by traffic encryption, but I would like to know more specific figures, maybe some more details.