Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2

Rettke, Brian Brian.Rettke at
Thu Nov 18 16:55:50 CST 2010

Do you have the VPN/SSL AIM module? That would offload the crypto work. Supposedly capable of full 100Mbps line rate, I have them in 2811s.


Brian A . Rettke
Network Engineer, CableONE Internet Services

-----Original Message-----
From: Seth Mattinen [mailto:sethm at]
Sent: Thursday, November 18, 2010 3:48 PM
To: nanog at
Subject: Re: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2

On 11/18/2010 14:39, Pete Lumbis wrote:
> This is probably more appropriate for the cisco-nsp list, but what
> process is taking up the CPU or is it due to interrupts?
> To the best of my knowledge the crypto should be hardware accelerated,
> while everything else is going to be done in software on the 3800.

The ISR series do have onboard hardware crypto, but I don't know offhand
if it can handle a full DS3 worth.

My first guess is fragment reassembly would probably kill it fast.


More information about the NANOG mailing list