[c-nsp] SA-VAM2+ Performance with 256-bit AES
Peter Rathlev
peter at rathlev.dk
Tue Jan 29 07:23:29 EST 2013
On Mon, 2013-01-28 at 16:31 -0600, David Ciciora wrote:
> Does anyone happen to know the possible throughput of the SA-VAM2+
> module on a 7206VXR? We are using this for our DMVPN hub in our
> organization and I'm trying to determine some possible bottlenecks.

With an NPE-G1 or NPE-G2 you should be able to push 222 Mbps with a
single VAM2+ doing AES. This is according to:
http://www.cisco.com/en/US/customer/docs/security/vpn_modules/vam_vsa/vam2plus/installation/guide/vam2p_ov.html#wp1056043

We're not really pushing ours a lot, but we tested 150 Mbps AES 256
through them with no real problems. Keep in mind that the VAM2+ only
does the encryption, so the CPU has to forward everything as usual.

And make sure you're using the right software versions. It works fine
for us with 12.4(25e) GD.

You can check if it generally works with "show crypto engine brief" and
you can check if a specific IPSec SA uses it by comparing the "conn id:"
from the SA with "show crypto engine connections active":

Router# show crypto ipsec sa
...
     inbound esp sas:
      spi: 0x10061ECD(268836557)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
   ---> conn id: 3006, flow_id: VAM2:6, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4538148/194)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
...

Router# show crypto engine connections active
...
   ID Interface  IP-Address   State  Algorithm  Encrypt  Decrypt
 3006 Tunnel1    192.0.2.156  set    AES+SHA          0     4740
...

--
Peter
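
The "conn id:" comparison described in the reply above, automated over saved CLI output. This is an added example, not part of the original message: the function names are hypothetical, the sample text is constructed from the excerpts in the post, and the second SA (conn id 12, flow_id SW:12) is invented to show the no-match case.

```python
import re

# Constructed sample text modelled on the excerpts in the message; the second
# SA (conn id 12, flow_id SW:12) is invented to show the no-match case.
IPSEC_SA = """\
inbound esp sas:
 spi: 0x10061ECD(268836557)
   conn id: 3006, flow_id: VAM2:6, crypto map: Tunnel1-head-0
   Status: ACTIVE
 spi: 0x2A5B11F0(710611440)
   conn id: 12, flow_id: SW:12, crypto map: Tunnel2-head-0
   Status: ACTIVE
"""
ENGINE_CONNS = """\
   ID Interface  IP-Address   State Algorithm Encrypt Decrypt
 3006 Tunnel1    192.0.2.156  set   AES+SHA         0    4740
"""

SPI_RE = re.compile(r"spi:\s*(0x[0-9A-Fa-f]+)")
CONN_RE = re.compile(r"conn id:\s*(\d+),\s*flow_id:\s*(.+?):\d+,")
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

def parse_sas(text):
    """Return [{'spi', 'conn_id', 'engine'}] from 'show crypto ipsec sa' text."""
    sas, spi = [], None
    for line in text.splitlines():
        if m := SPI_RE.search(line):
            spi = m.group(1)
        elif (m := CONN_RE.search(line)) and spi:
            sas.append({"spi": spi, "conn_id": int(m.group(1)), "engine": m.group(2)})
            spi = None
    return sas

def parse_engine_conns(text):
    """Map connection ID -> row fields from 'show crypto engine connections active'."""
    rows = {}
    for line in text.splitlines():
        if m := ROW_RE.match(line):  # the header row has no numeric ID, so it is skipped
            cid, intf, ip, state, algo, enc, dec = m.groups()
            rows[int(cid)] = {"interface": intf, "algorithm": algo,
                              "encrypt": int(enc), "decrypt": int(dec)}
    return rows

def correlate(sa_text, conn_text):
    """Attach the matching engine-table row (or None) to each SA."""
    table = parse_engine_conns(conn_text)
    return [dict(sa, engine_row=table.get(sa["conn_id"])) for sa in parse_sas(sa_text)]

if __name__ == "__main__":
    for sa in correlate(IPSEC_SA, ENGINE_CONNS):
        row = sa["engine_row"]
        verdict = f"active on {row['interface']}, {row['algorithm']}" if row else "NOT in engine table"
        print(f"{sa['spi']} conn id {sa['conn_id']} flow_id engine {sa['engine']}: {verdict}")
```

An SA whose conn id has no row in the engine table, or whose flow_id label is not the VAM2, is the one to look at first when checking whether traffic is actually being offloaded.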