[c-nsp] Router recommndation 200 Mbps encryption traffic ( 7200 NPEG2 with C7200-VSA Card)
Kevin Graham
kgraham at industrial-marshmallow.com
Tue Oct 9 09:51:37 EDT 2007
> We use a 7206 with NPE-G1 and VSA
I believe you mean VAM2/2+ -- VSA is only supported on the NPE-G2.
> supporting ~10-15 tunnels running 150Mbps of throughput (with 1400
> byte packets).
That's capping out the VAM2, you're not going to push it a whole lot
further. (This is frustrating though, as there's no controllable
congestion management to the crypto-engine psuedointerface, nor is there
a good way to gauge its utilization. This gets uglier w/ VAM given the
non-linear performance scaling as SA DB entries increase).
> I don't honestly think you will have any problems at all.
NPE-G1/VAM2+ will get you close, but to do it with any kind of headroom,
really need to bump up to NPE-G2/VSA. The IPSec WAN design guides are
very good (though based on my experience, the performance estimates are
very conservative) and certainly worth a read:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008074f22f.pdf
(There's a few references to dual-VAM configs, which seem interesting,
but I've never found documentation on that setup, namely how traffic is
balanced out across them).
More information about the cisco-nsp
mailing list