[c-nsp] 3550 CPU Usage & IPSec
randal k
cisconsp at data102.com
Thu Nov 20 14:24:31 EST 2008
Hive Mind,
I have a customer who landed a largish VPN contract
for people all over the world. Since then, he pushes about 40mbps of
IPSec traffic, which is growing steadily. Around the same time I
noticed that CPU usage on the distribution 3550 that he is attached to
started going up (has always been ~1%); it is now running between
20-35% depending on the time of day.
My only guess is that 3550s switch IPSec packets in software. Is this the case?
This Cisco document that I found agrees, but it is extremely vague:
http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00801c2af3.shtml
- Traffic that cannot be interrupt-switched arrives
  # IP packets with options
  # Packets that require protocol translation
  # Multilink Point-to-Point Protocol (supported in Cisco Express
    Forwarding switching)
  # Compressed traffic
    If there is no Compression Service Adapter (CSA) in the router,
    compressed packets must be process-switched.
  # Encrypted traffic
    If there is no Encryption Service Adapter (ESA) in the router,
    encrypted packets must be process-switched.
I am concerned that when his traffic eventually gets large enough
it will cripple the switch. I know that the solution is to stick him
on something with more guts - I am just looking to see if there are any
anecdotes out there about this situation.
Thanks,
Randal