01-26-2017 10:10 PM - edited 03-05-2019 07:55 AM
I have been searching on CCO, but haven't been able to find the information on throughput with encryption on the ASR 1002X, ISR 4431, 4351, 4451 router series. One of my requirements is to encrypt traffic from Cisco Nexus ACI Fabric in the DC to remote locations over WAN. Each remote site has a specific throughput requirement with encryption enabled. I reviewed the "Compare Model" chart, and it describes most of the features except encryption throughput.
Thanks,
01-26-2017 10:47 PM
With regard to the 4000 series; without an HSEC licence the crypto throughput will be limited to 85Mb/s and a maximum of 225 tunnels. Note that is a total of 85 Mb/s, so you can encrypt 40Mb/s in one direction and 45Mb/s to take you to 85Mb/s (for example). So don't forget to sum the total throughput in each direction.
Once you buy the HSEC licence the throughput restriction is removed. With large packets you should be able to encrypt up to the throughput licence you have bought. Small packets might be a bit more challenging. The same issue applies when calculating the total bandwidth as above.
I'm not so sure about the ASR platform. I don't think it has any HSEC licences. I think you get whatever bandwidth you pay for.
01-30-2017 05:24 AM
As a very rough rule of thumb, you'll probably find routers will offer encryption throughput of about 75% of non-encrypted. Also, it can be more or less, including much more or much less.
This assumes the router's hardware can provide encryption/decryption to keep up with the nominal capacity of the router and that you're doing everything "right".
There are two main issues with encryption. First, encryption overhead is going to consume bandwidth that otherwise would be carrying your payload. Second, often some packets are fragmented, which also consumes additional bandwidth and adds some processing cycles.
For an ASR1002-X:
Cisco documents in: http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/datasheet-c78-731640.html
Table 18. Cisco ASR 1002-X with Integrated 36-Gbps ESP Module and 8-GB Memory
| Feature | Specification |
| --- | --- |
| Performance | |
| Up to 30 Mpps | Variable forwarding performance, depending on features configured |
| Up to 19 Mpps | For the combination of the following commonly used features: IPv4 forwarding, ACL, QoS, and URPF |
| Bandwidth | |
| Up to 36 Gbps | For the combination of commonly used features later than Firewall or NAT |
| Up to 4 Gbps | For plain IPsec encryption (1400-byte packets) |
As you might note, in the above, encryption bandwidth is only about 11% of non-encrypted and that for 1400b packets!
Sorry, I didn't quickly find similar information for the ISR 4ks.