Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2
Christopher J. Pilkington
cjp at 0x1.net
Fri Nov 19 08:34:04 CST 2010
On Thu, Nov 18, 2010 at 03:18:04PM -0800, Sam Chesluk wrote:
> 2) While the IPSec portion is hardware accelerated, the GRE
> encapsulation is not, unless this is a Cat6500/CISCO7600 router, or
> 7200VXR with C7200-VSA card. Because of this, the GRE process itself
> will consume a fairly large amount of CPU, as this is also a per-packet
> process. The impact is similar to a forwarding decision, so that
> throughput level is halved again.
I think this is where we're having the issue. It is just
shocking that this is occurring in a relatively low kpps
> 3) Other factors like quantity of tunnels, any routing protocols
> running, NAT, or other such control protocols all have their own CPU
> demands too, and can, in aggregate, be a small but significant burden
> when the router also has to handle the demands of IPSec + GRE.
The number we were given for the 3945 for IMIX 1400 raw IPSec
performance was 840Mbps. However, all this extra crypto power
is completely useless if the GRE processing is hitting the same
limits as it's predecessor, the 3845.
We're going to give straight IPSec a go to see if that solves
More information about the NANOG