[c-nsp] Poor speed through GRE tunnel
Jeff Bacon
bacon at walleyesoftware.com
Thu Jul 23 12:05:27 EDT 2015
> Message: 6
> Date: Thu, 16 Jul 2015 09:54:45 +0000
> From: Nick Cutting <ncutting at edgetg.co.uk>
> To: "A.L.M.Buxey at lboro.ac.uk" <A.L.M.Buxey at lboro.ac.uk>, Gert Doering <gert at greenie.muc.de>
> Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] Poor speed through GRE tunnel
> Message-ID: <DAE5489DEFDE014E882D054887E5F7533C169775 at ETGLNEX01.edgetg.com>
> Content-Type: text/plain; charset=WINDOWS-1252
>
> Buy cheap 1921's with sec licences - In every case I've deployed
> these as DMVPN / VTI can get GREoIPsec to hit the 85Megabit limit
> on fast enough internet connections.
>
> I'm sure without ipsec you could hit 150 Megabits+ (no Ipsec ISR G2
> Speed limits)
Errr, how?
I've been doing a lot of testing with the ISR G2 hardware with DMVPN/GRE/IPSec, and the performance has been... underwhelming, to say the least. The best I've done on a 1941 is ~40-50Mbit with the CPU pegged; add Netflow and PfRv3 and it gets all the way down to ~30Mbit/sec. Even a 2921 isn't much better.
This is using a pseudowire over a 10G connection to an ASR1001/2.5G as the "uplink", with sub-milli latency, so that isn't it.
If I disable IPSec, performance jumps about 2x, more so on the 2921 - straight DMVPN/GRE without IPsec or Netflow I can get 150-180Mb/sec. But in any case I've yet to hit the 85Mbit/s limit.
I don't think I'm doing anything terribly interesting from a configuration standpoint - I am doing the "remote ingress scheduling" trick that's described in a Cisco Live talk, but I've done with and without, and that doesn't effectively change the throughput.
What am I doing wrong??