[c-nsp] High CPU util on a 2811 with two ipsec tunnels (Lasher, Donn)

Christopher J. Wargaski wargo1 at gmail.com
Thu Oct 7 21:52:45 EDT 2010


Yep, Donn is right. VPNs just kill the CPU on a router even if you
have the AIM card that offloads the encryption and decryption. Routers
can serve as VPN end points, but they are not optimized for that task.

If you are trying to push 10 to 11 Mbps of VPN traffic through a 2811,
it is amazing that it has not been crashing and smoking. The 2811 is
rated at 1.536 Mbps of process switching bandwidth. If you must use a
router, look at the specs for the 2900 series; they have dual-core
CPUs on them, perform encryption and decryption in hardware on the
motherboard (no AIM card needed) and blow the pants off their 2800
series counterparts (i.e. a 2921 compared to a 2821).



cjw



>
> Message: 1
> Date: Thu, 7 Oct 2010 11:45:02 -0700
> From: "Lasher, Donn" <DLasher at newedgenetworks.com>
> To: "James Graebner [VPNtranet]" <jamesg at vpntranet.com>,
>        <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] High CPU util on a 2811 with two ipsec tunnels
> Message-ID:
>        <C97F73E15F1F0D48A3AC0C423F8C221A02B9EC6D at rancor.ad.newedgenetworks.com>
>
>
> In my experience, two things hammer the CPU for IPSEC tunnels:
>
> 1. mGRE is not accelerated by the hardware.
> 2. Fragmenting Packets, lower MTU/MSS, CPU driven.
>
> Pretty common to see 2811's out of CPU with 10-11M of IPSEC payload in a
> tunnel, in my experience.
>
>
>


