networking-forum.com

All times are UTC - 6 hours [ DST ]



Posted: Fri Apr 20, 2012 5:42 am
Post Whore

Joined: Wed Jun 17, 2009 11:28 am
Posts: 1579
Location: Longford Ireland
Certs: BSc computer network administration, CCNP, MCSE
At the minute I am doing some VPN testing for a college project and all is going fine except that when I initiate a full VPN and carry out file transfers the encryption process hogs the CPU to nearly 100%.

Is there a way to restrict this process from hogging the CPU? I know this will slow down the transfer but it will leave some resources for normal usage.

_________________
Good Luck,

David


Posted: Fri Apr 20, 2012 5:54 am
CCIE #38070

Joined: Wed Jun 18, 2008 7:49 am
Posts: 12424
Location: London, UK
Certs: CCIE ,CC-NP/IP, JNCIP-SP, JNCIS-ENT, BC-/SPNE/NP
What kind of shoddy router is this? If you limit the rate it's sending via a service policy does the CPU decrease?

_________________
www.mellowd.co.uk/ccie/


Posted: Fri Apr 20, 2012 5:59 am
Post Whore

Joined: Wed Jun 17, 2009 11:28 am
Posts: 1579
Location: Longford Ireland
Certs: BSc computer network administration, CCNP, MCSE
It's an old 2610xm, it's my own lab equipment for testing purposes only.

I haven't tried any policy shaping at all; I just wanted to see if it was possible to control the router processes.

_________________
Good Luck,

David


Posted: Fri Apr 20, 2012 7:10 am
Post Whore

Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8260
Location: Frederick MD
Certs: Instanity
turn off unnecessary services on the router,
i.e. dhcp server
ftp server
http server
etc.

this should free up some cpu.

what type of encryption are you using for the vpn tunnel?
encryption is very cpu intensive,
so instead of using aes-256 use 3DES
(or DES if this is lab only.)
this should free up cpu cycles

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw


Posted: Fri Apr 20, 2012 7:23 am
Post Whore

Joined: Wed Jun 17, 2009 11:28 am
Posts: 1579
Location: Longford Ireland
Certs: BSc computer network administration, CCNP, MCSE
There is nothing unnecessary running on the router.
The routers have been set up to specifically test different types of VPN and their impact on bandwidth.
However because the routers are 2610xm and encryption is being performed in software the routers take a big hit.
I have all the data I need for now because when the different VPNs come up they don't use all of the available bandwidth.
It's a test between no VPN, a VPN with minimal encryption, (des) and a VPN with max encryption, (aes 256).

But I am trying to find out if there is a way of identifying a particular PID on the router and restricting access to the router CPU.
It's more of an interest than a necessity, I just thought because you can identify a PID you should be able to control its access to the CPU.

_________________
Good Luck,

David


Posted: Fri Apr 20, 2012 7:29 am
CCIE #38070

Joined: Wed Jun 18, 2008 7:49 am
Posts: 12424
Location: London, UK
Certs: CCIE ,CC-NP/IP, JNCIP-SP, JNCIS-ENT, BC-/SPNE/NP
Good question. I know in JUNOS you can restrict CPU usage for a process. I've never needed to do it on a Cisco box yet.

_________________
www.mellowd.co.uk/ccie/


Posted: Fri Apr 20, 2012 7:54 am
Post Whore

Joined: Wed Jun 17, 2009 11:28 am
Posts: 1579
Location: Longford Ireland
Certs: BSc computer network administration, CCNP, MCSE
I'm googling and searching books at the minute but to no avail.
I have found the process cpu command but I'm still trying to figure it out, at the minute it just looks like a monitoring facility.

_________________
Good Luck,

David


Posted: Fri Apr 20, 2012 8:17 am
CCIE #24973

Joined: Fri Mar 02, 2007 5:18 am
Posts: 196
Location: Bahrain
Certs: CCNP,CCSP,CCIE (R&S)#24973
ristau5741 wrote:
turn off unnecessary services on the router,
i.e. dhcp server
ftp server
http server
etc.

this should free up some cpu.

what type of encryption are you using for the vpn tunnel?
encryption is very cpu intensive,
so instead of using aes-256 use 3DES
(or DES if this is lab only.)
this should free up cpu cycles


Then it's a box limitation. Some new routers like the 2800 are built with a VPN hardware accelerator.
VPN encryption/decryption is processor intensive.


cisco_1

_________________
"Nothing Is Limited, Except Our Understanding To The Universe"


Posted: Fri Apr 20, 2012 8:27 am
Post Whore

Joined: Wed Jun 17, 2009 11:28 am
Posts: 1579
Location: Longford Ireland
Certs: BSc computer network administration, CCNP, MCSE
Yeah I can't find anything that individually restricts a pid to the cpu but I did put traffic shaping on the interface and restricted the traffic that way. Not a particularly pretty way to do it but after a bit of faffing around I was able to transfer the files with about a 60% increase in time but I was able to hold CPU usage to about 70%. Again not pretty but in this particular situation it worked.

The only thing I can think of that would work would be a TCL script that identifies and manipulates a particular PID??

_________________
Good Luck,

David


Posted: Fri Apr 20, 2012 9:15 am
CCIE #38070

Joined: Wed Jun 18, 2008 7:49 am
Posts: 12424
Location: London, UK
Certs: CCIE ,CC-NP/IP, JNCIP-SP, JNCIS-ENT, BC-/SPNE/NP
Sounds like too much of a hack. What speeds do you need? You can get cheap firewalls that can do these things at high speed

_________________
www.mellowd.co.uk/ccie/


Posted: Fri Apr 20, 2012 9:26 am
Post Whore

Joined: Wed Jun 17, 2009 11:28 am
Posts: 1579
Location: Longford Ireland
Certs: BSc computer network administration, CCNP, MCSE
It's not really about the speeds, it's about having the possibility to do secure VPNs with just the router. That's why I was comparing 3 different types of transfer. Of course speed would be an issue but if all you were stuck with was an old router then the study proves that it can be done.

It's a final year project so it's more about finding solutions to problems which I think I have done.

So you can do software VPNs on the highest security settings with an old router but it will take time and if you were using this as a backup method then you could run it at night with no problems.

I still think the hack would be possible but, that's for another day, problem found problem solved, (I hope).

_________________
Good Luck,

David


Posted: Fri Apr 20, 2012 11:50 am
Post Whore

Joined: Tue Aug 21, 2007 2:15 pm
Posts: 8260
Location: Frederick MD
Certs: Instanity
the 2600XM series router running IOS version 12.3(6) or higher will support Cisco DES/3DES/AES Encryption Module, AIM-VPN/BPII-PLUS

ref:
http://www.cisco.com/en/US/docs/ios/12_ ... imvpn.html

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw


Posted: Fri Apr 20, 2012 12:31 pm
Post Whore

Joined: Wed Jun 17, 2009 11:28 am
Posts: 1579
Location: Longford Ireland
Certs: BSc computer network administration, CCNP, MCSE
I know it will support the encryption methods, that was never in doubt, it's how the router would handle doing it in software.
This was a study for SMBs who can't afford new gear but may need to use a VPN occasionally.

_________________
Good Luck,

David


Posted: Fri Apr 20, 2012 9:20 pm
Post Whore

Joined: Sat Jun 07, 2008 11:06 am
Posts: 2552
Location: Grand Rapids, MI
Certs: CCNP, CCDP
I think mellowd's original suggestion is worth a try. Try shaping or policing the VPN traffic.


Posted: Sat Apr 21, 2012 11:02 am
Member

Joined: Fri Dec 24, 2010 12:11 am
Posts: 137
Location: New York City
Certs: Expired 350-001
You wouldn't be able to do anything.

For you CS/CMPEN majors, legacy IOS is an old monolithic kernel. This means that each process shares the same memory space (and why a bug in OSPF can crash the whole router). The other big drawback with the IOS kernel is the choice of a completion scheduler. This means that each process has to tell the router it is done before the CPU is allowed to do anything else. So, IOS can't tell your encryption process to "STOP".

I'd imagine that the encryption process isn't poorly written, otherwise you would have tons of issues (routing adjacency drops, etc). Software encryption is expensive, so that process probably runs in short intervals (lots of context switching, but IOS doesn't have to starve other processes). Your CPU may still be close to 100%, but that's because it will use whatever you have left over. The bad CPU hogs are the ones that hold on to the CPU for a very long time without releasing, causing adjacency drops since IOS can't stop it and no other process can run before dead timers expire.

JUNOS doesn't have this problem since it's designed intelligently, as is IOS-XE/IOS-XR/NX-OS. To be fair, legacy IOS has been around since the early 90s and has been great despite these huge limitations.
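
The scheduling behaviour described in the post above, as an added illustration that is not part of the original thread: a toy non-preemptive scheduler in which a routing process must send hellos while a busy process holds the CPU for a fixed burst. The process names, burst lengths and timer values are constructed assumptions, not IOS internals or measurements from the 2610XM.

```python
# Added illustration: toy run-to-completion (non-preemptive) scheduler.
# Timer values, burst lengths and process names are constructed for this
# example; they are not measurements or IOS internals.
from collections import deque

HELLO_INTERVAL = 10  # ms between hellos the routing process wants to send
DEAD_TIMER = 40      # ms of silence after which the neighbor drops us


def simulate(burst_ms, total_ms=1000):
    """Alternate a routing process and a busy process on one CPU.

    burst_ms is how long the busy process keeps the CPU before it
    voluntarily returns. Returns (cpu_utilisation, worst_hello_gap_ms,
    adjacency_drops).
    """
    clock = busy = last_hello = worst_gap = drops = 0
    ready = deque(["routing", "busy"])
    while clock < total_ms:
        proc = ready.popleft()
        if proc == "routing":
            clock += 1  # 1 ms of work per turn
            busy += 1
            gap = clock - last_hello
            if gap >= HELLO_INTERVAL:  # a hello is due (or overdue)
                worst_gap = max(worst_gap, gap)
                if gap > DEAD_TIMER:
                    drops += 1
                last_hello = clock
        else:
            # The scheduler cannot interrupt this turn; it only gets
            # control back when the process finishes its burst.
            clock += burst_ms
            busy += burst_ms
        ready.append(proc)
    return busy / clock, worst_gap, drops


if __name__ == "__main__":
    for label, burst in (("short crypto bursts", 4), ("long CPU hog", 60)):
        util, gap, drops = simulate(burst)
        print(f"{label}: cpu={util:.0%} worst_gap={gap}ms drops={drops}")
```

Both runs report the CPU as fully busy; only the length of each uninterrupted turn decides whether hellos go out before the dead timer expires.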

