cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4836
Views
5
Helpful
4
Replies

Cisco Routers throughput with Encryption

Dear Experts,

I have a requirement to upgrade the WAN link to 170Mbps on below routers. I require HSEC license which will remove US export limitation for encryption and will allow me below maximum throughput for a single tunnel.

Router Model

Maximum throughput capability with IPSEC (HSEC)

Required license

CISCO3925

212 Mbps with single tunnel

L-FL-39-HSEC-K9

CISCO2921/K9

82 Mbps with single tunnel

L-FL-29-HSEC-K9

CISCO2951/K9

150 Mbps with single tunnel

L-FL-29-HSEC-K9

 

I still require below clarifications.

1: I have 4 tunnels (site to site vpns) on each routers. What throughput, I will be getting. Will it be 212, 82 and 150Mbps for 3925, 2921 and 2951 for each tunnel (means 4tunnels*212 for 3925?)?

 

2: What if I terminate the links directly on Cisco Firewalls Or Cisco Switches (4500) and create site to site vpn. Will I get rid of encrypted bandwidth limitations.

 

3: What other solutions are available for connecting 3 sites with 170Mbps WAN links using 4 vpns tunnels?

4 Replies 4

Joseph W. Doherty
Hall of Fame
Hall of Fame

#1 The encryption throughput would be the aggregate of all encrypted traffic being sent/received by the router.  Cisco recommends less - see attachment's Table 7.

 

#2 If another device is doing the encryption/decryption, then such traffic would have the same impact as any other transit traffic.  (NB: see attachment.)

 

BTW, I recall (?) a Catalyst 4500 can support tunnels, but they might only be non-encrypted tunnels.

 

#3 Other solutions might include other vendor VPN solutions.  (Using a more powerful ISR would be another solution.)

@Joseph W. Doherty  thanks for your response.

the feedback is still not clear. Please provide more details.

 

1: my goal is to connect 170Mbps WAN links on 3 routers with 4 or 5 site to site vpn tunnels on routers 3925, 2921 and 2951. Can I achieve it (170Mbps) with HSEC license?

2: The Cisco SE has provided throughput (212, 82 and 150Mbps for 3925, 2921 and 2951 routers respectively). The document that you have shared has different values e.g. Table 7 shows very less throughput (198, 105 and 114Mbps for 3925, 2921 and 2951 routers respectively) 

 

3: My query#2: Do we have any US export control on the Firewalls and Switches. If yes, please share the throughput document.

your response (#2 If another device is doing the encryption/decryption, then such traffic would have the same impact as any other transit traffic.  (NB: see attachment.)) is not clear. Please elaborate more.

 

Lastly I am disappointed with Cisco equipment with such low throughputs as compared to other vendors.

 

#1 Whether you can obtain 170 Mbps depends on the platforms (and type of traffic and config). You might reach that on the 3925, less likely on the two 29xx models. (The HSEC license removes the 85 Mbps export restriction.)

#2 The Cisco document I provided is recommendations for "real world", which often are lower than what the device might be able to reach. They are often conservative recommendations to insure you can routinely obtain that throughput (under the conditions noted).

#3 Yes, there are export restrictions, to some countries, on encryption technology. I recall the HSEC license, removes those.

Regarding a device passing traffic that's been encrypted by another device, i.e. serving as a transit for such traffic, the device doesn't actually "care" the traffic is encrypted. It forwards the traffic as it does with all other traffic.

"Lastly I am disappointed with Cisco equipment with such low throughputs as compared to other vendors."

Yes, you're not the first with such a disappointment. Cisco's cost, relative to other vendors "like" equipment is often another sore point with buyers. However, what you're are buying with Cisco is often features that other vendors don't provide, further often those features often actually work correctly (and when they don't, Cisco will often actually fix them so that they do).

Leo Laohoo
Hall of Fame
Hall of Fame
ISR 4K has been out for some time. I would not be entertaining ISR G2 due to it's age.
Review Cisco Networking for a $25 gift card