[nsp] IPSEC throughput impact?

Church, Chuck cchurch at wamnetgov.com
Tue Jul 6 22:44:18 EDT 2004


If you do a 'sh crypto ipsec sa' on the 7140 (I'm sure there's an
equivalent counter on the VPN conc), you should be able to tell if the
out of order packets are causing errors.  Might want to check that out
first before making a lot of changes, in case the out-of-orders aren't
the cause.


Chuck Church
Wam!Net Government Services - D&I Team
Lead Design Engineer
CCIE #8776, MCNE, MCSE
1210 N. Parker Rd.
Greenville, SC 29609
Office: 864-335-9473
Cell: 703-819-3495
cchurch at wamnetgov.com
PGP key:
http://pgp.mit.edu:11371/pks/lookup?op=index&search=cchurch%40wamnetgov.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Streiner, Justin
Sent: Tuesday, July 06, 2004 3:51 PM
To: cisco-nsp at puck.nether.net
Subject: RE: [nsp] IPSEC throughput impact?

On Tue, 6 Jul 2004, Raymond, Steven wrote:

> What hardware platforms are you using?  Have seen a 2620XM hit 99% CPU
> with a single PTP ipsec VPN with ~250 packets per second at about
> 350,000 bits per second.  This is using two T1s in an MLPPP bundle
> with GRE and NAT, plus CBAC.  Removing only the crypto map from the
> MLPPP interfaces dropped CPU to 17%.  Apparently there is a hardware
> crypto accelerator available.

There are crypto accelerator modules available for many Cisco platforms.

The implementation is a little more complex.  The routers that terminate
the T1s (a 7204 on our side and a 2651 on the customer's side) are just
passing the traffic once it's already encrypted.  The tunnel endpoints
are a 7140 on the customer's side and a VPN 5002 (don't ask, long story
;-)  ) on ours.

jms
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


