[c-nsp] 3640 and 3DES IPSec

barney gumbo barney.gumbo at gmail.com
Wed Sep 21 13:19:43 EDT 2005


TAC is investigating a few paths. They thought the +/-800 Kbps ceiling we
are seeing was a bit low. I plan to try going to DES as well as turning CEF
off. CEF is currently on; someone provided some past experience where
disabling CEF actually helped CPU utilization on a simple two-interface
router with IPSec/GRE.

Thanks to all for the feedback.

On 9/21/05, Ted Mittelstaedt <tedm at toybox.placo.com> wrote:
>
>
> what about switching to single DES not triple DES?
>
> Ted
>
> >-----Original Message-----
> >From: cisco-nsp-bounces at puck.nether.net
> >[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of barney gumbo
> >Sent: Monday, September 19, 2005 11:59 AM
> >To: cisco-nsp at puck.nether.net
> >Subject: [c-nsp] 3640 and 3DES IPSec
> >
> >
> >Can anyone provide info on realistic CPU utilization expectations for a
> >3640 running NAT overload, CBAC, IPSec 3DES for encryption, GRE over the
> >IPSec, with BGP as the routing protocol, with a single T1 to the internet
> >for the IPSec transport?
> >
> >When there is approx 900 kbps in/out on the T1, CPU utilization on a 3640
> >I have is between 99-100%. Show proc cpu has the encryption process using
> >75% of the CPU consistently.
> >
> >The BGP process has approx 100 routes, it is used for internal routing,
> >not peering with internet routers. There is nothing else interesting
> >happening on the router, the only traffic being NAT'd is the IPSec/GRE
> >tunnel. CBAC looks normal as well.
> >
> >I don't recall ever seeing this type of CPU utilization for IPSec before.
> >I did some research and can't find any hard numbers. I know a basic VPN
> >accelerator module is supposed to be able to support approx 10 Mbps in/out
> >for 3DES IPSec, I hope a standard 3640 can support at least 1 Mbps.
> >
> >Can anyone provide any real world experience with throughput on a 3640
> >with the config and operations mentioned above?
>

