[c-nsp] Poor speed through GRE tunnel

Nick Cutting ncutting at edgetg.co.uk
Thu Jul 23 12:34:07 EDT 2015


I probably replied too soon - I get 85+ when using pure VTI, not Gre+Ipsec, on a 1921 - same on 41, and 2901.

Also these client site devices are not doing anything at all but this one tunnel. No NAT, no zone based firewall etc. There are dedicated ASAs for the user internet onsite.

The other end is an ASR, which terminates multiple 1921 tunnels.

I am yet to test speeds on gre+Ipsec, sorry for the confusion.

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Bacon
Sent: 23 July 2015 17:05
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Poor speed through GRE tunnel

> Message: 6
> Date: Thu, 16 Jul 2015 09:54:45 +0000
> From: Nick Cutting <ncutting at edgetg.co.uk>
> To: "A.L.M.Buxey at lboro.ac.uk" <A.L.M.Buxey at lboro.ac.uk>, Gert Doering
> 	<gert at greenie.muc.de>
> Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] Poor speed through GRE tunnel
> Message-ID: <DAE5489DEFDE014E882D054887E5F7533C169775 at ETGLNEX01.edgetg.com>
> Content-Type: text/plain; charset=WINDOWS-1252
> 
> Buy cheap 1921s with sec licences - In every case I've deployed these
> as DMVPN / VTI can get GREoIPsec to hit the 85Megabit limit on fast
> enough internet connections.
> 
> I'm sure without ipsec you could hit 150 Megabits+ (no Ipsec ISR G2 
> Speed limits)

Errr, how? 

I've been doing a lot of testing with the ISR G2 hardware with DMVPN/GRE/IPSec, and the performance has been... underwhelming, to say the least. The best I've done on a 1941 is ~40-50Mbit with the CPU pegged; add Netflow and PfRv3 and it gets all the way down to ~30Mbit/sec. Even a 2921 isn't much better.

This is using a pseudowire over a 10G connection to an ASR1001/2.5G as the "uplink", with sub-milli latency, so that isn't it. 

If I disable IPSec, performance jumps about 2x, more so on the 2921 - straight DMVPN/GRE without IPsec or Netflow I can get 150-180Mb/sec. But in any case I've yet to hit the 85Mbit/s limit. 

I don't think I'm doing anything terribly interesting from a configuration standpoint - I am doing the "remote ingress scheduling" trick that's described in a Cisco Live talk, but I've done with and without, and that doesn't effectively change the throughput. 

What am I doing wrong??
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


