[nsp] IPSEC throughput impact?

Brant I. Stevens branto at branto.com
Tue Jul 6 15:17:54 EDT 2004


How about using a multi-link PPP bundle across the T1s?

On Jul 6, 2004, at 3:01 PM, Streiner, Justin wrote:

> On Tue, 6 Jul 2004, Steve Francis wrote:
>
>>> The 3 T1s
>>> are running CEF per-packet load-sharing on both sides and are
>>> short-haul only, so I feel pretty confident in ruling out RTT
>>> variance across the 3 circuits interfering with the
>>> load-sharing and eventual packet reassembly/decryption in this case.
>>
>> I wouldn't feel so confident of that.  IPSec packets have to arrive in
>> order of sequence number, or they are discarded, and rely on the upper
>> layer protocol (whatever is encapsulated) to timeout and resend.
>>
>> I'd guess that is what is happening.
>
> Good point, though I'm not sure how I'd fix it quickly :-)  We have
> proposals on the table with this customer that include upgrading from
> the T1s to a larger single pipe, but those may be far in the future.
>
> I pretty much have to use a per-packet load-sharing method because the
> traffic is all between one specific source and destination address.
> Per-flow doesn't handle that too well.  IIRC, CEF will normally pick
> one interface in each direction and send the traffic over that, so one
> T1 would get maxed out while the others sit idle.
>
> jms
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
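
The sequence-number check discussed in the quoted replies, as an added example that is not part of the original thread: a Python model of the ESP anti-replay sliding window from RFC 4303, fed by a constructed round-robin spray over three links. The 64-packet window, the `simulate` helper and the delay unit (packet slots) are assumptions for illustration.

```python
# Added example (not from the thread): ESP anti-replay window per RFC 4303.
# Window size 64 and the "packet slot" delay model are assumptions.

class ReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was seen

    def check(self, seq):
        """Classify one authenticated packet: 'accept', 'replay' or 'too_old'."""
        if seq > self.top:                       # advances the window
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:                  # fell off the left edge
            return "too_old"
        if self.bitmap & (1 << offset):          # already received
            return "replay"
        self.bitmap |= 1 << offset               # late but inside the window
        return "accept"


def simulate(n_packets, link_lag, window=64):
    """Spray packets round-robin over len(link_lag) links; count receiver drops.

    link_lag[i] is the extra delay of link i, measured in packet slots
    (constructed input, not measurements from the thread).
    """
    links = len(link_lag)
    seqs = range(1, n_packets + 1)
    # Arrival order: send slot plus the lag of the link the packet took.
    arrival = sorted(seqs, key=lambda s: (s + link_lag[(s - 1) % links], s))
    rx = ReplayWindow(window)
    return sum(1 for s in arrival if rx.check(s) != "accept")


if __name__ == "__main__":
    for lag in [(0, 0, 0), (0, 0, 10), (0, 0, 100)]:
        print(lag, "dropped:", simulate(300, lag))
```
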


