[c-nsp] 3640 and 3DES IPSec

nick.nauwelaerts at thomson.com nick.nauwelaerts at thomson.com
Tue Sep 20 03:16:23 EDT 2005


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of FXCM 
> - "Brandon Palmer
> Sent: Tuesday, September 20, 2005 05:02 AM
> To: barney gumbo; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 3640 and 3DES IPSec
> 
> 
> >>> barney gumbo <barney.gumbo at gmail.com> 2005.09.19 14:59:28 >>>
> Can anyone provide info on realistic CPU utilization 
> expectations for a 3640 
> running NAT overload, CBAC, IPSec 3DES for encryption, GRE 
> over the IPSec, 
> with BGP as the routing protocol, with a single T1 to the 
> internet for the 
> IPSec transport? 
> 
> 
> 3640s are a dog for IPsec.  For T1s,  use 2811-k9 or for T3s 
> use 2821s.
> 
> IPSec without the AIM modules (part of the 2800s by default, 
> but not on the 3640s) kills the router CPU.
> 
> On our 2821s,  we see full speed crypro on the T3.  The 2811s 
> don't even break a sweat with 4 T1s.  A 3725 started crying 
> at about 4mb/s unless we added an AIM module.

And 1 more vote to that. CPUs in these boxes just aren't up to
encrypting that amount of data. Adding AIMs or VPN modules for the
36(2,4)0's will drop your cpu usage significantly. To give you an idea,
the 2600's we've got running doing ipsec & compression do so at about
60% CPU for a 512kbit line, and at 5% CPU when we add an AIM. Only had
3660's with AIMs and 3845's, but I expect the results to be comparable.

// nick



More information about the cisco-nsp mailing list