[nsp] IPSEC throughput impact?

Streiner, Justin streiner at stargate.net
Tue Jul 6 15:01:34 EDT 2004


On Tue, 6 Jul 2004, Steve Francis wrote:

> > The 3 T1s
> > are running CEF per-packet load-sharing on both sides and are
> > short-haul only, so I feel pretty confident in ruling out RTT
> > variance across the 3 circuits interfering with the
> > load-sharing and eventual packet reassembly/decryption in this case.
>
> I wouldn't feel so confident of that.  IPSec packets have to arrive in
> order of sequence number, or they are discarded, and rely on the upper
> layer protocol (whatever is encapsulated) to timeout and resend.
>
> I'd guess that is what is happening.

Good point, though I'm not sure how I'd fix it quickly :-)  We have
proposals on the table with this customer that include upgrading from the
T1s to a larger single pipe, but those may be far in the future.

I pretty much have to use a per-packet load-sharing method because the
traffic is all between one specific source and destination address.
Per-flow doesn't handle that too well.  IIRC, CEF will normally pick
one interface in each direction and send the traffic over that, so one T1
would get maxed out while the others sit idle.

jms
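The interaction the thread is worrying about, per-packet load sharing across paths of unequal delay versus the receiver's IPsec anti-replay check, is easy to model. The following is an added example, not code from the thread or from any vendor; it implements an RFC 4303-style sliding anti-replay window (a bitmap below the highest sequence number seen) and feeds it ESP sequence numbers sprayed round-robin over three paths. The path delays, packet count, send interval and window sizes are constructed values, not measurements from the poster's circuits.

```python
"""Anti-replay window vs. per-packet load sharing: a small simulation.

Added example (not from the thread). Models an RFC 4303-style ESP
anti-replay sliding window and feeds it packets that were sprayed
round-robin over several paths with different one-way delays.
All delay values, packet counts and window sizes are constructed.
"""


class AntiReplayWindow:
    """Sliding-window anti-replay check in the style of RFC 4303 3.4.3.

    `top` is the highest sequence number accepted so far; bit i of
    `bitmap` records whether sequence number (top - i) has been seen.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.mask = (1 << size) - 1

    def accept(self, seq: int) -> bool:
        """Return True if `seq` passes the check (and record it)."""
        if seq == 0:
            return False                  # sequence number 0 is never valid in ESP
        if seq > self.top:                # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                  # too old: fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return False                  # already seen: a replay (or a duplicate)
        self.bitmap |= 1 << diff          # late but inside the window: accept it
        return True


def simulate(n_packets: int, delays_ms: list, window_size: int, interval_ms: int = 1):
    """Spray n_packets round-robin over len(delays_ms) paths, reorder them by
    arrival time at the receiver, and run the anti-replay check on each.

    Returns (accepted, dropped, max_lag), where max_lag is the largest
    distance a packet arrived behind the current window top; a window at
    least one larger than max_lag would have accepted every packet.
    """
    packets = []
    for seq in range(1, n_packets + 1):
        path = (seq - 1) % len(delays_ms)     # per-packet round robin
        sent = (seq - 1) * interval_ms
        packets.append((sent + delays_ms[path], seq))
    packets.sort()                            # by arrival time, then by seq on ties

    window = AntiReplayWindow(window_size)
    accepted = 0
    max_lag = 0
    for _, seq in packets:
        if seq < window.top:
            max_lag = max(max_lag, window.top - seq)
        if window.accept(seq):
            accepted += 1
    return accepted, n_packets - accepted, max_lag


if __name__ == "__main__":
    # Constructed scenarios: one path much slower than the other two, versus
    # three paths with nearly equal delay.  300 packets, one every 1 ms.
    for delays in ([10, 12, 90], [10, 12, 14]):
        for size in (64, 128):
            acc, drop, lag = simulate(300, delays, size)
            print(f"delays={delays} window={size}: "
                  f"accepted={acc} dropped={drop} max_lag={lag}")
```

With the slow third path, every packet on that path arrives about 79 sequence numbers behind the window top, so a 64-entry window drops most of them while a 128-entry window drops none; with nearly equal delays the lag is one packet and nothing is lost at any window size. The practical check this suggests is to compare the per-path delay spread (in packets, at the sending rate) against the configured anti-replay window before blaming the encapsulated protocol for retransmissions.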

