Encryption features found in the Cisco IOS provide the ability to secure data communications by encrypting the payload of packets. Once encrypted, the contents of packets cannot be read by utilities such as network analyzers. While encryption provides the benefit of securing network communications, it also comes with a cost in the form of higher router CPU utilization.
While a variety of data encryption techniques exist, Cisco routers provide the ability to secure data using two primary technologies – Cisco Encryption Technology (CET) and IPSec. CET is an older proprietary encryption method developed by Cisco, and has been phased out of the Cisco IOS as of version 12.1. IPSec is an IETF-standardized encryption method that was designed by a number of companies, including Cisco. Not only is IPSec an Internet standard, it also provides interoperable encryption between the equipment of different vendors.
Encryption techniques are most commonly employed to securely transmit data over untrusted public networks like the Internet. For example, data encryption is used to implement what are known as Virtual Private Networks (VPNs), using the Internet rather than dedicated WAN links as a backbone to connect locations. Imagine a situation in which a company has two locations, each of which are connected to the public Internet using Cisco routers whose IOS images support IPSec. The company uses the IPSec capabilities of the routers to form a secure encrypted tunnel over the Internet. When a user from Office 1 attempts to communicate with a server in Office 2, data will be encrypted at the Office 1 router, sent over the Internet as a regular datagram (with an encrypted payload), and then decrypted at the Office 2 router. The end stations need not know about, or have any encryption capabilities.
While the ability to encrypt traffic using Cisco routers is a useful feature, it can also have a considerable impact on router performance, especially CPU utilization. As a general rule, Cisco recommends that encryption not be configured on routers whose CPU utilization is already above 40%.