ISR/ASR Performance Throughput with encryption

abbasali5
Level 1

I have been searching on CCO, but haven't been able to find information on throughput with encryption on the ASR 1002X, ISR 4431, 4351, 4451 router series.  One of my requirements is to encrypt traffic from the Cisco Nexus ACI Fabric in the DC to remote locations over the WAN.  Each remote site has a specific throughput requirement with encryption enabled.  I reviewed the "Compare Model" chart, and it describes most of the features except encryption throughput.

Thanks,

1 Accepted Solution

Philip D'Ath
VIP Alumni

With regard to the 4000 series; without an HSEC licence the crypto throughput will be limited to 85Mb/s and a maximum of 225 tunnels.  Note that is a total of 85 Mb/s, so you can encrypt 40Mb/s in one direction and 45Mb/s to take you to 85Mb/s (for example).  So don't forget to sum the total throughput in each direction.

Once you buy the HSEC licence the throughput restriction is removed.  With large packets you should be able to encrypt up to the throughput licence you have bought.  Small packets might be a bit more challenging.  The same issue applies when calculating the total bandwidth as above.

I'm not so sure about the ASR platform.  I don't think it has any HSEC licences.  I think you get whatever bandwidth you pay for.

2 Replies

Joseph W. Doherty
Hall of Fame

As a very rough rule of thumb, you'll probably find routers will offer encryption throughput of about 75% of non-encrypted.  Also, it can be more or less, including much more or much less.

This assumes the router's hardware can provide encryption/decryption to keep up with the nominal capacity of the router and that you're doing everything "right".

There are two main issues with encryption. First, encryption overhead is going to consume bandwidth that otherwise would be carrying your payload.  Second, often some packets are fragmented, which also consumes additional bandwidth and also adds some processing cycles.

For an ASR1002-X:

Cisco documents in: http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/datasheet-c78-731640.html

Table 18. Cisco ASR 1002-X with Integrated 36-Gbps ESP Module and 8-GB Memory

| Feature | Specification |
|---|---|
| Performance | Up to 30 Mpps: Variable forwarding performance, depending on features configured |
| | Up to 19 Mpps: For the combination of the following commonly used features: IPv4 forwarding, ACL, QoS, and URPF |
| Bandwidth | Up to 36 Gbps: For the combination of commonly used features later than Firewall or NAT |
| | Up to 4 Gbps: For plain IPsec encryption (1400-byte packets) |

As you might note, in the above, encryption bandwidth is only about 11% of non-encrypted and that for 1400b packets!

Sorry, I didn't quickly find similar information for the ISR 4ks.
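
An added example (not from either poster and not Cisco code) that works through the two sizing points raised in this thread: the per-packet ESP overhead and fragmentation cost described in the reply above, and the aggregate 85 Mb/s / 225-tunnel limit without HSEC from the accepted solution. The ESP parameters (tunnel mode, AES-CBC with HMAC-SHA1-96, IPv4 outer header, 1500-byte MTU, post-encryption fragmentation), one tunnel per site, and the site figures are assumptions.

```python
import math

# Assumed ESP tunnel-mode parameters (not stated in the thread):
# AES-CBC (16-byte block and IV), HMAC-SHA1-96 (12-byte ICV), IPv4 outer header.
OUTER_IP, ESP_HDR, IV, BLOCK, ICV = 20, 8, 16, 16, 12

def esp_wire_bytes(inner_len, mtu=1500):
    """Return (bytes on the wire, packets sent) for one inner IP packet."""
    # Inner packet plus pad-length and next-header bytes, padded to the block size.
    ciphertext = math.ceil((inner_len + 2) / BLOCK) * BLOCK
    outer_payload = ESP_HDR + IV + ciphertext + ICV
    # Post-encryption fragmentation: each fragment carries its own outer IP header,
    # and all but the last hold a multiple of 8 payload bytes.
    per_frag = (mtu - OUTER_IP) // 8 * 8
    frags = math.ceil(outer_payload / per_frag)
    return outer_payload + frags * OUTER_IP, frags

def payload_efficiency(inner_len, mtu=1500):
    """Fraction of WAN bytes that carry the original (inner) packet."""
    wire, _ = esp_wire_bytes(inner_len, mtu)
    return inner_len / wire

def fits_without_hsec(sites, limit_mbps=85, max_tunnels=225):
    """sites: list of (to_site_mbps, from_site_mbps), one tunnel per site.
    The 85 Mb/s figure from the thread is the sum of both directions."""
    total = sum(down + up for down, up in sites)
    return total <= limit_mbps and len(sites) <= max_tunnels, total

if __name__ == "__main__":
    for size in (64, 1400, 1500):
        wire, frags = esp_wire_bytes(size)
        print(f"{size:>5} B inner -> {wire} B on wire in {frags} packet(s), "
              f"{payload_efficiency(size):.0%} payload")
    # Constructed site requirements in Mb/s: (to site, from site)
    sites = [(40, 45)]
    print(fits_without_hsec(sites))   # exactly at the aggregate limit
    sites.append((10, 5))
    print(fits_without_hsec(sites))   # over the limit: HSEC licence needed
```

Under these assumptions a 1500-byte inner packet no longer fits in one 1500-byte frame once encrypted, so it leaves the router as two packets.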
