[nsp] 2621 VPN mb/s w/wo AIM

atticus at satanic.org
Mon Dec 1 12:34:31 EST 2003



On Mon, 1 Dec 2003, Tim D. wrote:

> Just wanted to clarify some things, and thank everyone for their replies.
>
> I am now using 2 2621's with AIM/VPN modules installed.

> I am not using tunnel interfaces/GRE so as to avoid fragmentation.  I
> am using CEF switching, and have IP redirects enabled.

You _are_ fragmenting then. The only time you're not going to add overhead
is an ESP/transport (no ESP) connection. However, since this applies only
to traffic directly between the two routes, it's probably not applicable in
your case (personally, I do use ESP/transport for GRE tunnels).

> Using 12.2 IOS I have managed to get a throughput of 3.5mbs with FTP
> protocol thus far, but the devices are not responsive to telnet/ssh for
> management at these speeds.
>
> One thing that made a huge difference in throughput was removing the
> logging command from the extended access-list :)

Get a session open to both routers ahead of time and watch your cpu
utilization. That logging acl would've made IP Input stick out like a sore
thumb.

> It would be really nice if Cisco had a list of VPN devices (PIX, 26/3600,
> 3000 etc.) and the relative throughput one could expect doing 3des (hardware
> and software) on each.

Yeah, it's all fragmented, since it spans so many product lines. If you
lean on pre-sales, they should be able to get you the software-only
performance numbers (from experience though, 3660 is the only thing that's
going to turn in numbers > 1mbit). At least the router platforms are
covered at (see table down towards bottom):

http://www.cisco.com/en/US/products/hw/routers/ps259/products_data_sheet09186a00800921d5.html

The AIM options specifically are all at:

http://www.cisco.com/en/US/products/hw/routers/ps259/products_data_sheet09186a0080088750.html


> ----- Original Message -----
> From: <atticus at satanic.org>
> To: "Tim D." <zsolutions at cogeco.ca>
> Cc: <cisco-nsp at puck.nether.net>
> Sent: Sunday, November 30, 2003 6:14 PM
> Subject: Re: [nsp] 2621 VPN mb/s w/wo AIM
>
>
> >
> > > I was wondering what kind of mb/s speeds I could expect using 3DES in both
> > > software mode, and with the AIM VPN accelerator card installed, on a 2621.
> >
> > > So far I have found I can only get .5mb/s using software.  Does this sound
> > > off to anyone?
> >
> > Definitely low, but not outrageously so. One place you can easily lose
> > a lot of capacity is fragmentation (not paying attention to this made the
> > difference between ~12mb/s and ~20mb/s between two 3660's w/ AIM-VPN/HP).
> >
> > http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
> >
> > Covers this nicely, though I could've sworn there was a similar doc
> > specific to ipsec, but I can't find it now.
> >
> > > Here is the situation:  I have a 10M internet link, which I would like to do
> > > a VPN over and get as much throughput as I can (8M +- would be ideal) using
> > > 2621's.
> >
> > > I can put a VPN accelerator card in both routers if I need to, but so
> > > far using software I am getting very piss poor results
> >
> > > I'm using IOS12.2(5)d on both routers.
> >
> > Try taking them up to 12.3 -- 12.2T had lots of IPSec work and general
> > performance improvements that should help you along. Also be sure to check
> > for high levels of process switching (software-side should be heavy on
> > 'Encrypt Proc', but not ip input .. side w/ aim-vpn/bp should be almost
> > all cef/interrupt switched).
> >
>
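
Added example, not part of the original thread or of either poster's configuration: the size arithmetic behind the fragmentation point made above, for 3DES-CBC ESP in tunnel mode, transport mode, and transport mode carrying GRE. The 12-byte ICV, option-free IPv4 headers, 1500-byte MTU and all function names are assumptions chosen for illustration.

```python
# Added example: ESP/3DES packet-size arithmetic (all values constructed).
# Assumptions not stated in the thread: IPv4 without options, 1500-byte path
# MTU, a 96-bit truncated HMAC (12-byte ICV), no NAT-T/UDP encapsulation.
IP_HDR, GRE_HDR = 20, 4        # IPv4 header; basic GRE header (no key/sequence)
ESP_HDR, IV, BLOCK = 8, 8, 8   # SPI + sequence number; 3DES-CBC IV and block size
TRAILER, ICV = 2, 12           # pad-length + next-header bytes; truncated HMAC


def esp_packet_len(inner_len, tunnel=True, gre=False):
    """On-wire IPv4 length after ESP for an inner IPv4 packet of inner_len bytes."""
    if gre:
        # The router first wraps the packet in a new IP header plus GRE.
        inner_len += IP_HDR + GRE_HDR
    # Tunnel mode encrypts the whole packet; transport mode reuses its IP header.
    protected = inner_len if tunnel else inner_len - IP_HDR
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(protected + TRAILER) // BLOCK) * BLOCK
    return IP_HDR + ESP_HDR + IV + padded + ICV


def max_inner(mtu=1500, tunnel=True, gre=False):
    """Largest inner packet that still fits in one unfragmented ESP packet."""
    for size in range(mtu, IP_HDR, -1):
        if esp_packet_len(size, tunnel, gre) <= mtu:
            return size
    return 0


def fragments(wire_len, mtu=1500):
    """Number of IPv4 fragments needed to carry a packet of wire_len bytes."""
    per_frag = (mtu - IP_HDR) // 8 * 8   # fragment data is a multiple of 8 bytes
    return -(-(wire_len - IP_HDR) // per_frag)


if __name__ == "__main__":
    cases = [("ESP tunnel", dict(tunnel=True)),
             ("ESP transport", dict(tunnel=False)),
             ("GRE + ESP transport", dict(tunnel=False, gre=True)),
             ("GRE + ESP tunnel", dict(tunnel=True, gre=True))]
    for label, kw in cases:
        wire = esp_packet_len(1500, **kw)
        print(f"{label:20s} 1500-byte packet -> {wire} on wire, "
              f"{fragments(wire)} fragment(s); largest clean inner packet "
              f"{max_inner(**kw)}")
```

A full-size 1500-byte packet becomes two fragments in every mode listed, which is the per-packet cost the CPU figures in the thread would reflect.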

