Throughput through MACSEC tunnel is very low

Gagandeep Singh
Cisco Employee

Hi Team,

Customer is running two Comcast routers (ISR4431 with Cisco IOS XE Software, Version 03.16.05.S). Each router has a different provider's E-Line Metro-E circuit back to a different datacenter (where an ASR1001X, running Cisco IOS XE Software, Version 03.16.05.S, terminates the gigabit head end circuit).

The Comcast routers at the satellite and head end look to complete the security exchange and I see encrypts and decrypts...but throughput is horrible. Some stats seen:

----------------------------------------------------------------
DL-WAN-RTR-L14#show macsec mka
MACsec Enabled Interface    CR_TX_SC DEL_TX_SC INST_TX_SA CR_RX_SC DEL_RX_SC INST_RX_SA DEL_RX_SA MKA_NOTIFY
---------------------------------------------------------------------------------------------------------------------------
GigabitEthernet0/0/3      :        0         0          0        0         0          0         0          0
GigabitEthernet0/0/3.104  :        3         2         10        3         0         10         9          0

DL-WAN-RTR-L14#show macsec sum
DL-WAN-RTR-L14#show macsec summary
MACsec Capable Interface    Extension          Installed Rx SC
--------------------------------------------------------------------------
TenGigabitEthernet0/0/0     One tag-in-clear
TenGigabitEthernet0/0/1     One tag-in-clear
GigabitEthernet0/0/0        One tag-in-clear
GigabitEthernet0/0/1        One tag-in-clear
GigabitEthernet0/0/2        One tag-in-clear
GigabitEthernet0/0/3        One tag-in-clear   1
GigabitEthernet0/0/4        One tag-in-clear
GigabitEthernet0/0/5        One tag-in-clear

MACsec Enabled Interface    Receive SC   VLAN
-----------------------------------------------------
GigabitEthernet0/0/3.104  :          1    104

DL-WAN-RTR-L14#show macsec statis int GigabitEthernet0/0/3.104
MACsec Statistics for GigabitEthernet0/0/3.104
SecY Counters
  Ingress Untag Pkts: 0
  Ingress No Tag Pkts: 12192
  Ingress Bad Tag Pkts: 0
  Ingress Unknown SCI Pkts: 0
  Ingress No SCI Pkts: 0
  Ingress Overrun Pkts: 0
  Ingress Validated Octets: 0
  Ingress Decrypted Octets: 885820397
  Egress Untag Pkts: 0
  Egress Too Long Pkts: 0
  Egress Protected Octets: 0
  Egress Encrypted Octets: 46296751
Controlled Port Counters
  IF In Octets: 34009
  IF In Packets: 35618
  IF In Discard: 12191
  IF In Errors: 0
  IF Out Octets: 5895
  IF Out Packets: 31568
  IF Out Errors: 0
Transmit SC Counters (SCI: E865499564050016)
  Out Pkts Protected: 0
  Out Pkts Encrypted: 293749
Transmit SA Counters (AN 0)
  Out Pkts Protected: 0
  Out Pkts Encrypted: 293753
Receive SC Counters (SCI: ECBD1DF72548000E)
  In Pkts Unchecked: 0
  In Pkts Delayed: 0
  In Pkts OK: 625625
  In Pkts Invalid: 0
  In Pkts Not Valid: 0
  In Pkts Not using SA: 0
  In Pkts Unused SA: 0
  In Pkts Late: 0
Recieve SA Counters (AN 0)
  In Pkts Unchecked: 0
  In Pkts Delayed: 0
  In Pkts OK: 625691
  In Pkts Invalid: 0
  In Pkts Not Valid: 0
  In Pkts Not using SA: 0
  In Pkts Unused SA: 0
  In Pkts Late: 0

---------------------------------------------------------------------------------------------------------------------------------
IBC-MtLaurel-CSI-CMST#sh macsec mka
MACsec Enabled Interface    CR_TX_SC DEL_TX_SC INST_TX_SA CR_RX_SC DEL_RX_SC INST_RX_SA DEL_RX_SA MKA_NOTIFY
---------------------------------------------------------------------------------------------------------------------------
GigabitEthernet0/1/0      :        0         0          0        0         0          0         0          0
GigabitEthernet0/1/0.104  :        3         2          8        3         0         12         6          0

IBC-MtLaurel-CSI-CMST#sh macsec sum
MACsec Capable Interface    Extension          Installed Rx SC
--------------------------------------------------------------------------
GigabitEthernet0/0/0        One tag-in-clear
GigabitEthernet0/0/1        One tag-in-clear
GigabitEthernet0/0/2        One tag-in-clear
GigabitEthernet0/0/3        One tag-in-clear
GigabitEthernet0/1/0        One tag-in-clear   1
GigabitEthernet0/1/1        One tag-in-clear
GigabitEthernet0              One tag-in-clear

MACsec Enabled Interface    Receive SC   VLAN
-----------------------------------------------------
GigabitEthernet0/1/0.104  :          1    104

IBC-MtLaurel-CSI-CMST#sh macsec statis int GigabitEthernet0/1/0.104
MACsec Statistics for GigabitEthernet0/1/0.104
SecY Counters
  Ingress Untag Pkts: 0
  Ingress No Tag Pkts: 188
  Ingress Bad Tag Pkts: 0
  Ingress Unknown SCI Pkts: 0
  Ingress No SCI Pkts: 0
  Ingress Overrun Pkts: 0
  Ingress Validated Octets: 0
  Ingress Decrypted Octets: 68528633
  Egress Untag Pkts: 0
  Egress Too Long Pkts: 0
  Egress Protected Octets: 0
  Egress Encrypted Octets: 961918032
Controlled Port Counters
  IF In Octets: 73824825
  IF In Packets: 331012
  IF In Discard: 188
  IF In Errors: 0
  IF Out Octets: 972921728
  IF Out Packets: 687731
  IF Out Errors: 0
Transmit SC Counters (SCI: ECBD1DF72548000E)
  Out Pkts Protected: 0
  Out Pkts Encrypted: 687731
Transmit SA Counters (AN 0)
  Out Pkts Protected: 0
  Out Pkts Encrypted: 687731
Receive SC Counters (SCI: E865499564050016)
  In Pkts Unchecked: 0
  In Pkts Delayed: 0
  In Pkts OK: 331013
  In Pkts Invalid: 0
  In Pkts Not Valid: 0
  In Pkts Not using SA: 0
  In Pkts Unused SA: 0
  In Pkts Late: 0
Recieve SA Counters (AN 0)
  In Pkts Unchecked: 0
  In Pkts Delayed: 0
  In Pkts OK: 331013
  In Pkts Invalid: 0
  In Pkts Not Valid: 0
  In Pkts Not using SA: 0
  In Pkts Unused SA: 0
  In Pkts Late: 0
----------------------------------------------------------------

The "IF In Discard" counters seem to correlate with the "Ingress No Tag Pkts" counters (and the count is pretty high on the head end side)...and this is one of my concerns.

I am attaching the "show tech" for head end and satellite Comcast routers which *do not include* the MACSEC configs (needed to be removed). The additional MACSEC configs were as follows:

----------------------------------------------------------------
-GLOBAL-
key chain WANKEY macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 7 0204015E0D040A25491F0C1A5216105A09062F2E222A363127420215540054085D

-PHYSICAL INTERFACE-
!interface Gi0/0/3 on head end DL-WAN-RTR-L14
!interface Gi0/1/0 on satellite IBC-MtLaurel-CSI-CMST
 macsec dot1q-in-clear 1
 macsec access-control should-secure
 macsec replay-protection window-size 1000

-SUBINTERFACE FOR CIRCUIT-
!interface Gi0/0/3.104 on head end DL-WAN-RTR-L14
!interface Gi0/1/0.104 on satellite IBC-MtLaurel-CSI-CMST
 mka pre-shared-key key-chain WANKEY
 macsec

Troubleshooting done:

"platform hardware throughput level 1000000" is set on one router for higher throughput. Attached show techs for reference.

I was reading the document where the allowed throughput is between 500 Mbps and 1 Gbps.

http://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/datasheet-c78-732542.html

Comcast gave the below specifications regarding their limitations on the circuit:

https://business.comcast.com/ethernet/virtual-private-line/virtual-private-line-technical-specifications

Files download at 3-5 MB/s from the datacenter. Once MACsec is removed, speed is back to normal.

Any help would be appreciated.


Regards

Gagan
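The counter relationship the post raises (IF In Discard tracking Ingress No Tag Pkts on a should-secure port) can be checked mechanically. The following parser and checks are an added example, not from the post or from Cisco; the embedded sample is a constructed excerpt modelled on the head-end "show macsec statistics" output above, with the counter values copied from it.

```python
import re

# Constructed excerpt in the layout of "show macsec statistics int <if>" as pasted
# in the post; counter values are those reported for the head-end side.
SAMPLE = """\
MACsec Statistics for GigabitEthernet0/0/3.104
SecY Counters
  Ingress Untag Pkts: 0
  Ingress No Tag Pkts: 12192
  Ingress Bad Tag Pkts: 0
  Ingress Decrypted Octets: 885820397
  Egress Encrypted Octets: 46296751
Controlled Port Counters
  IF In Octets: 34009
  IF In Packets: 35618
  IF In Discard: 12191
  IF In Errors: 0
Receive SC Counters (SCI: ECBD1DF72548000E)
  In Pkts OK: 625625
  In Pkts Invalid: 0
  In Pkts Late: 0
"""

# Indented "Name: <integer>" lines; section headers are unindented and skipped.
COUNTER_RE = re.compile(r"^ {2}([A-Za-z ]+?):\s+(\d+)\s*$", re.MULTILINE)

def parse_counters(text):
    """Return {counter name: int} for every indented 'Name: value' line."""
    return {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(text)}

def assess(counters):
    """Derive the checks a MACsec troubleshooter wants from the raw counters."""
    no_tag = counters.get("Ingress No Tag Pkts", 0)
    discard = counters.get("IF In Discard", 0)
    in_pkts = counters.get("IF In Packets", 0)
    # Integrity or replay-window failures would land in these counters; zero
    # means the SA itself is decrypting cleanly and the loss is elsewhere.
    crypto_failures = (counters.get("Ingress Bad Tag Pkts", 0)
                       + counters.get("In Pkts Invalid", 0)
                       + counters.get("In Pkts Late", 0))
    return {
        # The post's observation: discards on the controlled port track frames
        # that arrived without a MACsec tag (allow a one-count sampling skew).
        "discards_match_no_tag": abs(discard - no_tag) <= 1,
        # Share of controlled-port ingress packets that were discarded.
        "discard_ratio": round(discard / in_pkts, 3) if in_pkts else 0.0,
        "crypto_failures": crypto_failures,
        "decrypted_ok": counters.get("In Pkts OK", 0),
    }
```

Run both sides' output through it; a high discard ratio with zero crypto failures points at untagged frames reaching a secured port rather than at the cipher path.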

Accepted Solution

Jason Kunst
Cisco Employee

Would recommend reaching out to the TAC switching team, as ISE doesn't control switch port bandwidth.
