Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2

Sam Chesluk Sam at networkhardware.com
Thu Nov 18 23:18:04 UTC 2010


There are a couple of potential issues that, when looked at as a whole, add
up to a significant performance impact.

1) IPSec + GRE involves two forwarding operations, one to send it to the
tunnel interface, and another to send the now-encapsulated packet out
the WAN interface.  This effectively halves the total forwarding rate
before any other considerations.

2) While the IPSec portion is hardware accelerated, the GRE
encapsulation is not, unless this is a Cat6500/CISCO7600 router, or
7200VXR with C7200-VSA card.  Because of this, the GRE process itself
will consume a fairly large amount of CPU, as this is also a per-packet
process.  The impact is similar to a forwarding decision, so that
throughput level is halved again.

3) Other factors like quantity of tunnels, any routing protocols
running, NAT, or other such control protocols all have their own CPU
demands too, and can, in aggregate, be a small but significant burden
when the router also has to handle the demands of IPSec + GRE.

For reference, here is a guide to VPN performance:
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn_performance_eng.pdf
It's slightly old, as it does not have the 39xx routers, but is still
useful for raw 3DES/AES performance for the 1800/2800/3800.  See Table
5.

Sam Chesluk | Team Lead - Key Accounts | Network Hardware Resale | 
T: 805.690.3718 | M:805.450.7469 | F: 805-690-3713
26 Castilian Dr. Santa Barbara, CA 93117
E: sam at networkhardware.com | www.networkhardware.com
 
- NHR's top global performer 7 years running
- World's largest provider of pre-owned/fully-tested and new/sealed
Cisco hardware

-----Original Message-----
From: Seth Mattinen [mailto:sethm at rollernet.us] 
Sent: Thursday, November 18, 2010 2:48 PM
To: nanog at nanog.org
Subject: Re: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2

On 11/18/2010 14:39, Pete Lumbis wrote:
> This is probably more appropriate for the cisco-nsp list, but what
> process is taking up the CPU or is it due to interrupts?
> To the best of my knowledge the crypto should be hardware accelerated,
> while everything else is going to be done in software on the 3800.
> 


The ISR series do have onboard hardware crypto, but I don't know offhand
if it can handle a full DS3 worth.

My first guess is fragment reassembly would probably kill it fast.

~Seth

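Editor's note: the configuration below is an added example and is not part of the thread above. It shows the GRE-over-IPsec arrangement the messages discuss in its usual IOS form on an ISR, a single GRE tunnel protected with "tunnel protection" rather than a separate crypto map, so that the same two-stage path (forward into Tunnel0, encrypt, forward out the WAN interface) is visible in the config. The peer addresses are RFC 5737 documentation addresses, the pre-shared key is a placeholder, interface names and the IKE/transform choices are assumptions, and the MTU/MSS values are the commonly used assumptions for GRE plus transport-mode ESP overhead, added because fragment reassembly was raised as a likely CPU killer. Verify against your own IOS release; the "show" commands listed as comments are how you would confirm that crypto is hitting the onboard engine and where the remaining CPU is going.

```ios
! Added example, not from the original thread. Assumed interface names,
! RFC 5737 documentation addresses, placeholder key.
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-REAL-KEY address 203.0.113.2
!
! Transport mode: the GRE header is already the outer encapsulation,
! so tunnel mode would only add another 20-byte IP header per packet.
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set AES256-SHA
!
interface Tunnel0
 description GRE over IPsec to remote site (stage 1 of the two forwarding ops)
 ip address 10.0.0.1 255.255.255.252
 ! Assumed values: keep the encapsulated packet under the WAN MTU so the
 ! router is not fragmenting and the peer is not reassembling per packet.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
interface GigabitEthernet0/0
 description WAN (stage 2: encrypted GRE packet leaves here)
 ip address 203.0.113.1 255.255.255.0
!
! Checks after bringing the tunnel up:
!   show crypto engine configuration   - confirm the onboard/AIM engine is active
!   show crypto ipsec sa               - confirm encaps/decaps counters increment
!   show interfaces tunnel 0           - watch for fragmentation/drop counters
!   show processes cpu sorted          - separate interrupt load (forwarding,
!                                        GRE encap) from process load (routing,
!                                        NAT and other control-plane work)
```

The point to take from the config is that nothing here turns GRE encapsulation into a hardware operation; only the ESP work is offloaded. With the MTU and MSS set on the tunnel, a quick before/after comparison of "show processes cpu sorted" under the same traffic load is the cheapest way to see how much of the CPU was going to fragmentation rather than to the per-packet GRE and forwarding cost described above.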