06-03-2015 06:46 AM - edited 03-05-2019 01:36 AM
I am looking for a router that can handle up to 1 Gbps of encrypted traffic across a GRE over IPSec connection. We are currently using a 2951-SEC/K9 that tops out at 80 Mbps @ 70% CPU. I have been looking at the ISR 3945 but question if an ASR 1001-X would be a better choice for this project. Does anyone have any insight on ISR vs ASR routers? Do the 3945's have the same encrypted bandwidth cap that the 2951's have?
06-03-2015 06:59 AM
Hi,
I can't serve you with measurements or the like at the moment.
But I have done intensive testing in the past with ISR and ASR with crypto.
From my experience, I can tell you that ASR is the much better choice if it comes to crypto and QoS etc. ASR's have pretty good crypto chips on board and you just need to license them (SEC/K9).
I have not used ASR 1001-X so far but only ASR 1006 with the first ESP shipped and I could easily encrypt 1 Gbps. ASR 1001-X has a much stronger ESP with up to 20 Gbps throughput and up to 8 Gbps of crypto (license enabled). So you should definitely not run into problems with this device.
Also it is much more future proof since you can license more performance. So if you can afford an ASR, I would definitely go for it.
Regards,
Markus
06-03-2015 11:23 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I don't believe even a 3945E is suitable for gig of encrypted traffic. I think even the entry model ASR1K can, but if not, you don't have to move up much in that series to support that encrypted bandwidth.
Cisco now has 4400 series ISRs. Their high end (upgrade) model might be okay with gig of encrypted traffic too.
06-03-2015 09:41 PM
I second Joseph and Markus. I would go for ASR for one main reason - scalability.
You should be able to see the big difference between ISR 3900 and ASR 1000 by comparing their data sheets.
ISR:
http://www.cisco.com/c/en/us/products/collateral/routers/3900-series-integrated-services-routers-isr/data_sheet_c78_553924.html
ASR:
http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/datasheet-c78-731632.html
06-04-2015 07:18 AM
Thanks for all the feedback. It certainly looks like the ASR 1001-X is the way to go. Any suggestions on what licenses are needed to support VPN traffic and encryption? Suite B would be nice.
06-04-2015 03:52 PM
I would go for Advanced Services License.
************************************************
For fixed platforms Cisco ASR 1001, ASR 1001-X, and ASR 1002-X, one of the following five packages is required:
● Cisco ASR 1001 IOS XE UNIVERSAL - NO ENCRYPTION
● Cisco ASR 1001 IOS XE UNIVERSAL - NO PAYLOAD ENCRYPTION
● Cisco ASR 1001 IOS XE UNIVERSAL
● Cisco ASR 1001 IOS XE UNIVERSAL W/O Lawful Intercept
● Cisco ASR 1001 IOS XE UNIVERSAL - NO PAYLOAD ENCRYPTION W/O Lawful Intercept
To enable a set of required features, one of the following three technology packages is required:
◦ Cisco ASR 1000 IP Base License
◦ Cisco ASR 1000 Advanced IP Services License
◦ Cisco ASR 1000 Advanced Services License