[c-nsp] IPsec Throughput on Cisco 800 series routers

Mario Spinthiras spinthiras.mario at gmail.com
Wed Jul 30 05:11:07 EDT 2008


Since it is PPPoE with IPSEC on top, I would say play a little with
your MTU, since IPSEC and PPPoE demand a chunk from it. Then you have to
consider the size of your encrypted packets. Do you do payload or datagram
encryption (mode)?

A really good way I recently tuned an IPSEC tunnel was with the use of
iperf. Iperf is a bandwidth test application that can test bandwidth on both
ends of a connection with configurable variables (both TCP and UDP). I have
a small article about this on my blog, which can be found at:

http://www.spinthiras.net/2008/07/03/link-bandwidth-testing/

Regards,
Mario

On Wed, Jul 30, 2008 at 6:12 AM, Rodney Dunn <rodunn at cisco.com> wrote:

> Unless you have a lot of LAN2LAN traffic or have a
> very fast WAN connection to it with a lot of features,
> it's pretty unlikely that an end user performance complaint
> is coming from the device being "overloaded".
>
> It's probably something like packets being punted
> to process level, fragmentation (#1 issue in tunnel
> environments), packet loss somewhere along the path,
> etc.
>
> Rodney
>
>
> On Wed, Jul 30, 2008 at 01:02:26PM +1000, Whisper wrote:
> > Funny thing about the 87x series
> >
> > Quite often the objective stats say you have maxed everything out, but the
> > subjective end user experience never seems to indicate any CPU shortage at
> > all.
> >
> > Is that how other people see how this series operates in the real world?
> >
> > On Wed, Jul 30, 2008 at 12:43 PM, Pete S. <pshuleski at gmail.com> wrote:
> >
> > > During our ipsec testing (best case scenario, back to back encrypted
> > > tunnel, adjusted mss of 1436 bytes) we were pushing about 20Mbps with
> > > ftp traffic. Adjusting MTU down to 64 bytes, I believe we were,
> > > understandably so, only reaching about 6-8Mbps. Still more than
> > > enough to saturate most DSL, and some cable connections. The router
> > > CPU was of course at or near maxed out during both tests. CBWFQ also
> > > held out extremely well in the tests, although I cannot remember
> > > specifics, just that the call did not drop or get choppy. I think the
> > > throughput speeds were similar.
> > >
> > > The 871 is our standard remote client hardware VPN solution, and we
> > > haven't had any issues yet.  If you aren't maxing out the CPU, you're
> > > probably not having a throughput issue.
> > >
> > >
> > >
> > > On Tue, Jul 29, 2008 at 2:46 PM, Bryan Welch <Bryan.Welch at digeo.com> wrote:
> > > > Greetings, anyone have any 800 series routers deployed to remote sites
> > > > to terminate VPN tunnels? We have an 871 deployed to a remote
> > > > location/country that we are experiencing some throughput issues with.
> > > >
> > > > Router seems to handle the traffic just fine, no errors whatsoever.
> > > >
> > > > TIA,
> > > >
> > > > Bryan
> > > >
> > > > _______________________________________________
> > > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > > >



-- 
Warm Regards,
Mario A. Spinthiras
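
The MTU arithmetic raised in this thread (PPPoE plus IPsec overhead, tunnel versus transport mode), as an added example that is not part of the original post. It assumes IPv4 with no IP or TCP options, no NAT-T and no GRE; the transform names and the `TRANSFORMS` table are constructed for illustration, not taken from any router configuration in the thread.

```python
# Added example: ESP overhead arithmetic for IPv4 IPsec over PPPoE.
# Assumptions (not from the thread): no NAT-T, no GRE, no IP/TCP options.
import math

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8   # 6-byte PPPoE header + 2-byte PPP protocol field
IPV4_HEADER = 20
TCP_HEADER = 20
ESP_HEADER = 8       # SPI + sequence number
ESP_TRAILER = 2      # pad-length + next-header bytes (inside the ciphertext)

# Constructed table: (cipher block size, IV size, ICV size) in bytes.
TRANSFORMS = {
    "AES-CBC/HMAC-SHA1-96": (16, 16, 12),
    "3DES-CBC/HMAC-SHA1-96": (8, 8, 12),
}

def esp_packet_size(inner_len, transform, mode="tunnel"):
    """Size on the wire of the ESP packet carrying an inner IPv4 packet."""
    block, iv, icv = TRANSFORMS[transform]
    # Tunnel mode encrypts the whole inner packet; transport mode reuses the
    # original IP header and encrypts only what follows it.
    plaintext = inner_len if mode == "tunnel" else inner_len - IPV4_HEADER
    encrypted = math.ceil((plaintext + ESP_TRAILER) / block) * block
    return IPV4_HEADER + ESP_HEADER + iv + encrypted + icv

def max_inner_packet(link_mtu, transform, mode="tunnel"):
    """Largest inner IPv4 packet whose ESP packet fits link_mtu unfragmented."""
    block, iv, icv = TRANSFORMS[transform]
    room = link_mtu - IPV4_HEADER - ESP_HEADER - iv - icv
    plaintext = (room // block) * block - ESP_TRAILER
    return plaintext if mode == "tunnel" else plaintext + IPV4_HEADER

def tcp_mss(link_mtu, transform, mode="tunnel"):
    """TCP MSS to clamp to so full-size segments are not fragmented."""
    inner = max_inner_packet(link_mtu, transform, mode)
    return inner - IPV4_HEADER - TCP_HEADER

if __name__ == "__main__":
    pppoe_mtu = ETHERNET_MTU - PPPOE_OVERHEAD
    for name in TRANSFORMS:
        for mode in ("tunnel", "transport"):
            inner = max_inner_packet(pppoe_mtu, name, mode)
            print(f"{name:22} {mode:9} max inner {inner} "
                  f"MSS {tcp_mss(pppoe_mtu, name, mode)} "
                  f"on wire {esp_packet_size(inner, name, mode)}")
```

Because of cipher block padding, one extra inner byte can add a whole block to the ESP packet, which is why the usable size is not simply the link MTU minus a fixed overhead.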

