[nsp] 2621 VPN mb/s w/wo AIM

Johnson, Michael michael.johnson at digex.com
Mon Dec 1 11:01:32 EST 2003


I have the "CCSP Cisco Secure VPN" book and it states the following:

2600 routers(does not breakdown stats per 2600 model, must be the best
performer of each family perhaps the 2651)

14Mbps and up to 800 tunnels with VPN module

3600 routers 40Mbps, 1800 tunnels with VPN module


Mike j

-----Original Message-----
From: Tim D. [mailto:zsolutions at cogeco.ca] 
Sent: Monday, December 01, 2003 1:27 PM
To: atticus at satanic.org
Cc: cisco-nsp at puck.nether.net
Subject: Re: [nsp] 2621 VPN mb/s w/wo AIM


Just wanted to clarify some things, and thank everyone for their replies.

I am now using 2 2621's with AIM/VPN modules installed.  I am not using
tunnel interfaces/GRE so as to avoid fragmentation.  I am using CEF
switching, and have IP redirects enabled.  Using 12.2 IOS I have managed to
get a throughput of 3.5mbs with FTP protocol thus far, but the devices are
not responsive to telnet/ssh for management at these speeds.  One thing that
made a huge difference in throughput was removing the logging command from
the extended access-list :) I plan to try an upgrade to 12.3 as per the
advice of Atticus, and re-test.

It would be really nice if Cisco had a list of VPN devices (PIX, 26/3600,
3000 etc.) and the relative throughput one could expect doing 3des (hardware
and software) on each.  I've looked for just such a list on Cisco to no
avail.

----- Original Message ----- 
From: <atticus at satanic.org>
To: "Tim D." <zsolutions at cogeco.ca>
Cc: <cisco-nsp at puck.nether.net>
Sent: Sunday, November 30, 2003 6:14 PM
Subject: Re: [nsp] 2621 VPN mb/s w/wo AIM


>
> > I was wondering what kind of mb/s speeds I could expect using 3DES 
> > in
both
> > software mode, and with the AIM VPN accelerator card installed, on a
2621.
>
> > So far I have found I can only get .5mb/s using software.  Does this 
> > sou off to anyone?
>
> Definately low, but not outrageously so. One place you can easily 
> loose alot of capacity is fragmentation (not paying attention to this 
> made the difference between ~12mb/s and ~20mb/s between two 3660's w/ 
> AIM-VPN/HP).
>
>
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00
800d6979.shtml
>
> Covers this nicely, though I could've sworn there was a similar doc 
> specific to ipsec, but I can't find it now.
>
> > Here is the situation:  I have a 10M internet link, which I would 
> > like
to do
> > a VPN over and get as much throughput as I can (8M +- would be 
> > ideal)
using
> > 2621's.
>
> > I can put a VPN accelerator card in both routers if I need to, but 
> > so far using software I am getting very piss poor results
>
> > I'm using IOS12.2(5)d on both routers.
>
> Try taking them up to 12.3 -- 12.2T had lots of IPSec work and general 
> performance improvements that should help you along. Also be sure to 
> check for high levels of process switching (software-side should be 
> heavy on 'Encrypt Proc', but not ip input .. side w/ aim-vpn/bp should 
> be almost all cef/interrupt switched).
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


More information about the cisco-nsp mailing list