[c-nsp] IPsec Throughput on Cisco 800 series routers

Rodney Dunn rodunn at cisco.com
Tue Jul 29 23:12:03 EDT 2008


Unless you have a lot of LAN2LAN traffic or have a
very fast WAN connection to it with a lot of features
it's pretty unlikely that a end user performance complaint
is coming from the device being "overloaded".

It's probably something like packets being punted
to process level, fragmentation (#1 issue in tunnel
environments), packet loss somewhere along the path,
etc.

Rodney


On Wed, Jul 30, 2008 at 01:02:26PM +1000, Whisper wrote:
> Funny thing about the 87x series
> 
> Quite often the objective stats say you have maxed everything out, but the
> subjective end user experience never seems to indicate any CPU shortage at
> all.
> 
> Is that how other people see how this series operates in the real world?
> 
> On Wed, Jul 30, 2008 at 12:43 PM, Pete S. <pshuleski at gmail.com> wrote:
> 
> > During our ipsec testing (best case scenario, back to back encrypted
> > tunnel, adjusted mss of 1436bytes) we were pushing about 20Mbps with
> > ftp traffic.  Adjusting MTU down to 64bytes, I believe we were,
> > understandably so, only reaching about 6-8Mbps.  Still more than
> > enough to saturate most DSL, and some cable connections.   The router
> > CPU was of course at or near maxed out during both tests.  CBWFQ also
> > held out extremely well in the tests, although i cannot remember
> > specifics, just that the call did not drop or get choppy.  I think the
> > throughput speeds were similar.
> >
> > The 871 is our standard remote client hardware VPN solution, and we
> > haven't had any issues yet.  If you aren't maxing out the CPU, you're
> > probably not having a throughput issue.
> >
> >
> >
> > On Tue, Jul 29, 2008 at 2:46 PM, Bryan Welch <Bryan.Welch at digeo.com>
> > wrote:
> > > Greetings, anyone have any 800 series routers deployed to remote sites
> > > to terminate vpn tunnels?  We have an 871 deployed to a remote
> > > location/country that we are experiencing some throughput issues with.
> > >
> > >
> > >
> > > Router seems to handle the traffic just fine, no errors what so ever.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > TIA,
> > >
> > >
> > >
> > >
> > >
> > > Bryan
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


More information about the cisco-nsp mailing list