
Cisco 7204vxr NPE G2 + VSA

manish arora
Level 6

Hello Experts,

I am running into issues with high CPU (90-95%) on a Cisco 7204 VXR with NPE G1 (1 GB DRAM). The router has around 100 GRE tunnels (no IPsec protection), and there is constant 100 Mbps traffic inbound and outbound, all through the tunnels.

So, I was thinking of upgrading the NPE G1 to an NPE G2 (2 GB DRAM) and maybe also getting a VSA for the GRE tunnels, but I can't find any answer on whether this VSA will help me out with the GRE encryption/decryption, which doesn't need any IPsec protection, since all the datasheets mention they help with IKE/IPsec.

So, even after getting a VSA, I don't want the GRE packets to be encrypted/decrypted in software rather than using the VSA.

Any suggestions will help a lot.

Manish


wzhang
Cisco Employee

Hi,

By "GRE encryption/decryption", I think you really meant GRE encapsulation/decapsulation, since GRE by itself does not offer any encryption capability. If you are just running plain GRE without encryption now, then getting a VSA will not help, because the VSA is strictly a hardware IPsec accelerator; it does not support GRE acceleration. I hope this helps.

Thanks,

Wen

Pavol Golis
Cisco Employee

Seems to me that the CPU load of the NPE-G1 is quite high for 100 Mb with GRE; however, it might be normal, as those CPU-based platforms take a performance hit with each feature. Just make sure you aren't fragmenting traffic, doing reassembly, or running other odd CPU-intensive tasks.

The NPE-G2 has double the performance; however, considering your current load and scale, and that traffic and scale will only grow, it might not be the long-term solution. I suggest you consider a platform which performs GRE encapsulation in HW (ASICs/NPs), not a CPU-based platform like the c7200, ideally from the ASR1000 family; even an entry-level ASR1002 should be much more than sufficient. Just compare the capex of an NPE-G2 vs. an ASR1002.
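
Added example (not part of the thread and not Cisco code): a minimal Python model of plain GRE over IPv4 (RFC 2784) illustrating the two points in the replies above, namely that the inner packet travels in the clear and that the 24 bytes of added headers are what push full-size packets into fragmentation. The addresses, the payload and the 1500-byte path MTU are constructed assumptions.

```python
import ipaddress
import struct

IPPROTO_GRE = 47          # IP protocol number for GRE
GRE_PROTO_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload
IPV4_HDR_LEN = 20         # outer IPv4 header, no options
GRE_HDR_LEN = 4           # base GRE header: no checksum, key or sequence

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header for the sample (header checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len,
                       0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Prepend outer IPv4 + GRE headers; the inner packet is copied unchanged."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)   # flags and version all zero
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, GRE_HDR_LEN + len(inner))
    return outer + gre + inner

def gre_decapsulate(packet):
    """Return (protocol_type, inner_packet); no key material is involved."""
    if len(packet) < IPV4_HDR_LEN or packet[9] != IPPROTO_GRE:
        raise ValueError("not a GRE-in-IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + GRE_HDR_LEN:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + GRE_HDR_LEN])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    # Optional fields (checksum, key, sequence) add 4 bytes each when flagged.
    optional = sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    return proto, packet[ihl + GRE_HDR_LEN + optional:]

def needs_fragmentation(inner_len, path_mtu=1500):
    """True if the encapsulated packet no longer fits the path MTU."""
    return IPV4_HDR_LEN + GRE_HDR_LEN + inner_len > path_mtu

def max_inner_mtu(path_mtu=1500):
    """Largest inner packet that can be tunnelled without fragmentation."""
    return path_mtu - IPV4_HDR_LEN - GRE_HDR_LEN

# Constructed sample: inner IPv4 packet (protocol 253, experimental) with readable text.
PAYLOAD = b"constructed sample payload"
INNER = ipv4_header("10.0.0.1", "10.0.0.2", 253, len(PAYLOAD)) + PAYLOAD
OUTER = gre_encapsulate(INNER, "192.0.2.1", "198.51.100.1")

if __name__ == "__main__":
    print(PAYLOAD in OUTER, gre_decapsulate(OUTER) == (GRE_PROTO_IPV4, INNER))
    print(needs_fragmentation(1500), max_inner_mtu())
```

A full 1500-byte inner packet grows to 1524 bytes on the wire, which is why tunnel interfaces are commonly given an IP MTU of 1476 on a 1500-byte path.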

Thank you guys for your input.

I have another question. The scenario for this client is that they have a 7204 with NPE G1, as you already know, connected to a Layer 2 switch, and have around 30 servers connected to that switch. There are around a Class B of IP addresses bound to these servers, and they collect viruses, worms, trojans and spam on all of these IPs (honeypots). The client's company is a start-up and is short on money.

Is there something like a 6509 switch that can have a card for hardware processing of GRE encap/decap and can process traffic and hold ARP input for that many IPs? I did check cisco.com and saw that the 6509 is an end-of-sale product. Do we have something similar to that available that can handle L3 and L2 and has hardware acceleration features as well?

Any input will be very useful to me.

Thanks

Manish

The 6500 family is a highly modular system, where features and performance depend on what kind of modules you have installed. The 6509 is just a chassis; while it's end of sale, it's still supported and all 6500 family modules work in it, so no problem at all. There was just a slightly better version of the chassis introduced as 6506E, and the one is no longer sold.

GRE is supported in HW on the 6500 in PFC3-based systems (done on the supervisor or DFC linecards, no special HW required). Just give us "show module" from your 6500 here (remove serials) and your GRE tunnel template, to see if there is some odd config in GRE.

(http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/intro.html#wp1029188)

Thanks for your input. The company is planning to purchase a 6506E with SUP720-3BXL and 48-port switching modules. I hope this will solve the problem with the 7204 NPE G1.

Thanks Again

Manish

Hello Manish,

Yes, the ws-sup720-3bxl will certainly make a huge difference. The Cisco Sup 720-3BXL integrates a high-performance 720-Gbps switch fabric with a new routing and forwarding engine into a single module. The sup720-3bxl provides extensive feature support such as hardware-based generic-routing-encapsulation (GRE) tunneling,

Francisco.

http://www.cisco.com/en/US/products/hw/modules/ps2797/products_data_sheet09186a008033a479.html

Rather go with the SUP720-3CXL; it's a newer revision of the forwarding ASICs with more features done in HW. Tips for big scale on the 6500 are to avoid GRE keepalives or use non-aggressive timers, and to avoid fragmentation.
