[c-nsp] crypto performance for 831+836?

Michael Markstaller mm at elabnet.de
Mon Apr 11 07:16:10 EDT 2005 

Now I wouldn't compare a 1721 & a 83x ! I did quite some tests with these type of boxes..
1720:
1MBit w/o HW-crypto, 3DES
2,5 MBit simplex w/o HW-crypto, 3DES-LZS (compressable iperf traffic)
6 MBit with HW-crypto, 3DES (5,5MBit duplex)
the 1712 is a bit faster, between 4 & 7 MBit depending on config
when appliying ACL's, nat,inspect etc. performance drops about 1-2 MBit on the 17xx, the 83x becomes very quickly unresponsive under load.

although the 83x have some kind of HW-crypto I wouldn't expect them to do more than 512kBit-1MBit maximum in real life with 3DES..
I've rated them for max. 384kBit IPSec here internally and we don't deploy them anymore for IPSec also because of numerous other problems we encountered, it's quite hard to find a working image for these toys..
take a look at the 1711/1712 instead of 831, does at least 4MBit with 3DES, has support for LZS in software while keeping the crypto engine active (the 83x cannot) and works quite smooth.

Michael

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kris 
> S. Amundson
> Sent: Saturday, April 09, 2005 2:14 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] crypto performance for 831+836?
> 
> Gert Doering wrote:
> > Hi,
> > 
> > I'm trying to research the specified IPSEC/3DES throughput for the 
> > Cisco 831 routers.  CCO is not helpful - I found lots of interesting
> > documents, but can't seem to come up with a search term that would
> > just return "831: 1 Mbit/s. 3DES"...   (unlike searching 
> for "AIM-VPN"
> > which brings up a nice table).
> > 
> > So... does one of you have a useful pointer for me?
> 
> I recently took two 1721's back to back and tested both 3DES 
> and AES IPSEC.  I 
> was getting 1.5-2.0Mb/s using software encryption.  This was 
> tested with two 
> linux boxes running iperf.  In some cases the AES seemed like 
> it could push more 
> than 3DES.
> 
> If software IPSEC is a function of the router CPU you could 
> compare the 1721 to 
> the 800 series.
> 
> 
> -- 
> Kris S. Amundson
> Portland State University
> Computing & Network Services
> desk: 503.725.9545
> cell: 503.970.5985
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list