[c-nsp] VPN max throughput
Justin M. Streiner
streiner at cluebyfour.org
Mon Oct 3 11:08:16 EDT 2005

On Mon, 3 Oct 2005, Grant Moerschel wrote:
> We terminate 3DES VPN connections on a 7206 without an accelerator. The
> Internet connection is a burstable OC3 (155 Mbps). I am looking for a
> list of things to consider that will affect max throughput for the VPN
> connection. Things I can think of are:
>
> 1) capacity of 7206 for vpn
> 2) latency between the headends which is about 20ms
> 3) IPsec overhead
> 4) Packet size
> 5) The Internet paths through which data flows.

6) Number of simultaneous VPN sessions

> What is a good method to estimate the max I might be able to realize and
> what knobs might I be able to change to get more throughput? We'd like
> to get 70 Mbps for quick bursts. Am I dreaming?

Is this a 7206VXR or one of the older non-VXR 7206s? What type of
processor is in the box?

I think without a VAM, you won't get even remotely close to 70 Mb/s before
the 7200 falls over. IIRC, you need a VXR chassis to use a VPN accelerator
in a 7200, and a reasonably fast CPU (NPE-400, NPE-G1) is also a good
idea. With a VAM, I still doubt you'd see 70 Mb/s. You may also want to
look at Cisco's new 2800 and 3800 series routers.

Something else that can affect VPN throughput is the encryption/hash types
used for both ISAKMP and IPSEC. Encryption using larger keys and larger
hashes are more expensive from a processing standpoint. This can lower your
throughput.

jms
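
Added example, not part of the original post: a rough way to put numbers on the IPsec overhead, packet size and latency items in the list above. It assumes ESP tunnel mode over IPv4 with 3DES-CBC and HMAC-SHA1-96 and no NAT-T, and treats the quoted 20 ms as round-trip time; the thread states none of these, and all function names are made up for the example.

```python
# Added example. Assumed transform set: ESP tunnel mode, 3DES-CBC + HMAC-SHA1-96, IPv4.
OUTER_IP = 20   # new outer IPv4 header, no options
ESP_HDR = 8     # SPI (4 bytes) + sequence number (4 bytes)
IV = 8          # 3DES-CBC IV, one 64-bit block
BLOCK = 8       # 3DES block size; plaintext is padded to a multiple of this
TRAILER = 2     # ESP pad-length + next-header bytes (encrypted with the payload)
ICV = 12        # HMAC-SHA1 truncated to 96 bits
FIXED = OUTER_IP + ESP_HDR + IV + ICV  # per-packet bytes that never vary


def esp_tunnel_size(inner_len):
    """On-wire IPv4 packet size after encapsulating an inner packet of inner_len bytes."""
    plaintext = inner_len + TRAILER
    pad = (-plaintext) % BLOCK  # bytes needed to reach the next block boundary
    return FIXED + plaintext + pad


def max_inner_packet(path_mtu=1500):
    """Largest inner packet that still fits in path_mtu once encapsulated."""
    room = path_mtu - FIXED               # bytes left for ciphertext
    return room - room % BLOCK - TRAILER  # whole blocks only, minus the trailer


def window_for_rate(rate_bps, rtt_ms):
    """TCP window (bytes) one flow needs to sustain rate_bps at rtt_ms."""
    return rate_bps * rtt_ms // 8000


def rate_for_window(window_bytes, rtt_ms):
    """Ceiling (bit/s) for one TCP flow with the given window and RTT."""
    return window_bytes * 8000 // rtt_ms


if __name__ == "__main__":
    for size in (64, 576, 1446, 1500):  # constructed sample inner packet sizes
        wire = esp_tunnel_size(size)
        print(f"inner {size:4d} B -> wire {wire:4d} B, efficiency {size / wire:.1%}")
    print("largest inner packet for a 1500 B path MTU:", max_inner_packet(1500))
    print("window for 70 Mb/s at 20 ms:", window_for_rate(70_000_000, 20), "bytes")
    print("one flow, 65535 B window, 20 ms:", rate_for_window(65535, 20), "bit/s")
```

Under these assumptions a full 1500-byte inner packet no longer fits a 1500-byte path MTU, and a single TCP flow without window scaling tops out well below 70 Mb/s regardless of what the router can encrypt.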