Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2

Rettke, Brian Brian.Rettke at cableone.biz
Thu Nov 18 16:55:50 CST 2010


Do you have the VPN/SSL AIM module? That would offload the crypto work. Supposedly capable of full 100Mbps line rate, I have them in 2811s.

Sincerely,

Brian A . Rettke
RHCT, CCDP, CCNP, CCIP
Network Engineer, CableONE Internet Services


-----Original Message-----
From: Seth Mattinen [mailto:sethm at rollernet.us]
Sent: Thursday, November 18, 2010 3:48 PM
To: nanog at nanog.org
Subject: Re: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2

On 11/18/2010 14:39, Pete Lumbis wrote:
> This is probably more appropriate for the cisco-nsp list, but what
> process is taking up the CPU or is it due to interrupts?
> To the best of my knowledge the crypto should be hardware accelerated,
> while everything else is going to be done in software on the 3800.
>


The ISR series do have onboard hardware crypto, but I don't know offhand
if it can handle a full DS3 worth.

My first guess is fragment reassembly would probably kill it fast.

~Seth





More information about the NANOG mailing list