[c-nsp] VPN max throughput

[Michael Markstaller]

Cisco tends to spread several different numbers for IPSec throughput, most of them derived from the size of shoes the marketing guy writing it, not real world..

I found the numbers listed in the DMVPN SRND quite realistic, also for plain IPSec with 3DES and certificates w/ or w/o DMVPN..
http://www.cisco.com/warp/public/779/largeent/it/ese/DMVPN_bk.pdf
A 7200VXR with NPE-G1 and two VAM2 is listed pushing through between 33 and 60 MBit..
I sometimes wonder what people are doing IPSec for when suggestions go for using single-DES and short PSK's.. (?) one could also use ESP-NULL or even faster a unencrypted GRE-Tunnel then without all the hassles of encryption and data integrity ;)

Michael

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Grant 
> Moerschel
> Sent: Monday, October 03, 2005 5:55 PM
> To: Luan Nguyen
> Cc: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VPN max throughput
> 
> According to Cisco marketing proganda a 7206vxr with a vam2 can do 
> 260Mbps but you say ~15Mbps.  What am I missing here?  That's a big 
> difference!
> 
> -Grant
> 
> 
> Luan Nguyen wrote:
> > You are dreaming :)
> > I would buy a vam2 accelerator card and put in npeg1 so you 
> could use the 3
> > gig/faste port on there without affecting the 
> backplane...then we are
> > talking about you might get to your dream with oh..say 90% 
> cpu utilization.
> > If I remember correctly, the package of npeg1/vam2 cost 
> about 7000 US
> > 1)	7206 with npeg1 probably won't get near 100Mbps for 
> clear ip trafic.
> > Capacity of the 7206VXR 		will exceed your
> > no-accl-card-3des-vpn
> > 3&4)	ipsec overhead = yes.  Avoid fragmentation if 
> possible.  Packet size
> > around 1200 seems to get	better thruput.
> > 
> > So I would suggest...use des, 1200 packetsize, no 
> keepalive, short preshared
> > key, longer ipsec/ike timeout
> > Estimate max you might get ~ 15M
> > 
> > -luan