[nsp] IPSEC throughput impact?
sam_ml at spacething.org
Tue Jul 6 16:14:19 EDT 2004
On Tue, 6 Jul 2004, Streiner, Justin wrote:
> On Tue, 6 Jul 2004, Steve Francis wrote:
>
> > > The 3 T1s
> > > are running CEF per-packet load-sharing on both sides and are
> > > short-haul only, so I feel pretty confident in ruling out RTT
> > > variance across the 3 circuits interfering with the
> > > load-sharing and eventual packet reassembly/decryption in this case.
> >
> > I wouldn't feel so confident of that. IPSec packets have to arrive in
> > order of sequence number, or they are discarded, and rely on the upper
> > layer protocol (whatever is encapsulated) to timeout and resend.
> >
> > I'd guess that is what is happening.
>
> Good point, though I'm not sure how I'd fix it quickly :-) We have
> proposals on the table with this customer that include upgrading from the
> T1s to a larger single pipe, but those may be far in the future.
>
> I pretty much have to use a per-packet load-sharing method because the
> traffic is all between one specific source and destination address.
> Per-flow doesn't handle that too well. IIRC, CEF will normally pick
> one interface in each direction and send the traffic over that, so one T1
> would get maxed out while the others sit idle.
Can you not run MLPPP over the T1s? That should preserve the packet order.
Sam
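
Added example, not part of the original thread: a minimal model of the ESP receiver's anti-replay sliding window (RFC 4303 style), fed with packets sprayed round-robin over three links as in the per-packet load-sharing setup discussed above. The window size of 64 and the per-link delays (in packet times) are assumptions made for illustration; the helper names are hypothetical.

```python
class AntiReplayWindow:
    """Receiver-side sequence check: reject duplicates and packets older than the window."""

    def __init__(self, size=64):          # 64 is an assumed window size
        self.size = size
        self.top = 0                      # highest sequence number accepted so far
        self.bitmap = 0                   # bit i set => (top - i) was already seen

    def accept(self, seq):
        """Return True if the packet passes the check, False if it is discarded."""
        if seq < 1:                       # ESP sequence numbers start at 1
            return False
        if seq > self.top:                # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:           # fell off the left edge of the window
            return False
        if self.bitmap & (1 << offset):   # already seen: replay or duplicate
            return False
        self.bitmap |= 1 << offset        # late but inside the window: accept
        return True


def arrival_order(n_packets, link_delays):
    """Round-robin packets 1..n over the links; return sequence numbers by arrival time."""
    arrivals = []
    for seq in range(1, n_packets + 1):
        link = (seq - 1) % len(link_delays)
        arrivals.append((seq + link_delays[link], seq))
    arrivals.sort()
    return [seq for _, seq in arrivals]


def discarded(order, window_size=64):
    """Sequence numbers the receiver drops for a given arrival order."""
    window = AntiReplayWindow(window_size)
    return [seq for seq in order if not window.accept(seq)]


if __name__ == "__main__":
    # Constructed delays: equal links, one slightly slower link, one badly lagging link.
    for delays in ([0, 0, 0], [0, 0, 10], [0, 0, 100]):
        drops = discarded(arrival_order(300, delays))
        print(delays, "dropped", len(drops), "of 300")
```

In this model a link that lags by less than the window only reorders packets, while a link that lags by more than the window has its share of the packets discarded. A bundle that delivers packets in order, as in the first case, loses none.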