[nsp] 2621 VPN mb/s w/wo AIM

Tim D. zsolutions at cogeco.ca
Mon Dec 1 13:26:30 EST 2003


Just wanted to clarify some things, and thank everyone for their replies.

I am now using 2 2621's with AIM/VPN modules installed.  I am not using
tunnel interfaces/GRE so as to avoid fragmentation.  I am using
CEF switching, and have IP redirects enabled.  Using 12.2 IOS I have managed
to get a throughput of 3.5mbs with FTP protocol thus far, but the devices
are not responsive to telnet/ssh for management at these speeds.  One thing
that made a huge difference in throughput was removing the logging command
from the extended access-list :)
I plan to try an upgrade to 12.3 as per the advice of Atticus, and re-test.

It would be really nice if Cisco had a list of VPN devices (PIX, 26/3600,
3000 etc.) and the relative throughput one could expect doing 3des (hardware
and software) on each.  I've looked for just such a list on Cisco to no
avail.

----- Original Message ----- 
From: <atticus at satanic.org>
To: "Tim D." <zsolutions at cogeco.ca>
Cc: <cisco-nsp at puck.nether.net>
Sent: Sunday, November 30, 2003 6:14 PM
Subject: Re: [nsp] 2621 VPN mb/s w/wo AIM


>
> > I was wondering what kind of mb/s speeds I could expect using 3DES in both
> > software mode, and with the AIM VPN accelerator card installed, on a 2621.
>
> > So far I have found I can only get .5mb/s using software.  Does this sound
> > off to anyone?
>
> Definitely low, but not outrageously so. One place you can easily lose
> a lot of capacity is fragmentation (not paying attention to this made the
> difference between ~12mb/s and ~20mb/s between two 3660's w/ AIM-VPN/HP).
>
> http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
>
> Covers this nicely, though I could've sworn there was a similar doc
> specific to ipsec, but I can't find it now.
>
> > Here is the situation:  I have a 10M internet link, which I would like to do
> > a VPN over and get as much throughput as I can (8M +- would be ideal) using
> > 2621's.
>
> > I can put a VPN accelerator card in both routers if I need to, but so
> > far using software I am getting very piss poor results
>
> > I'm using IOS12.2(5)d on both routers.
>
> Try taking them up to 12.3 -- 12.2T had lots of IPSec work and general
> performance improvements that should help you along. Also be sure to check
> for high levels of process switching (software-side should be heavy on
> 'Encrypt Proc', but not ip input .. side w/ aim-vpn/bp should be almost
> all cef/interrupt switched).