Solved: macsec performance

simone.c · ‎08-02-2023

Good day everyone!

I'm investigating the feasibility of adopting MACsec in our network.

Given the attached table, created by Cisco (MACSEC and MKA Configuration Guide, Cisco IOS XE 17), could someone elaborate on 'Aggregate Rate Bits' and 'ESP CPU'? I don't understand what they mean in detail.

Thanks in advance!

Simone

Joseph W. Doherty · ‎08-02-2023

Without seeing your attached table, in its context, cannot say how much it also addresses MACsec performance, as encryption performance usually is referenced in regard to L3, like IPSec. That said, suspect it would, if not be about the same, it would closely track as the same, because the same underlying hardware is very likely used for L2 or L3 encryption.

Anyway, what that table shows is the impact of packet size for throughput and usage of the main device CPU. Often, you get increased throughput and/or decreased CPU consumption as frame/packet sizes increase. iMIX average packet size, can vary bit, depending on the particular iMIX being used, but they seem to usually have a size about 400.

To put things in perspective, for 64 bytes frames, those results show you cannot achieve more than (about) 10 Gbps throughput (because the CPU is almost fully maxed out).

View solution in original post

simone.c · ‎08-02-2023

Thank you Joseph, I think you helped me figure it out. The maximum throughput an

ASR1001-x

is capable of is 20Gbps, so that table is telling me that if I encrypt everything but my traffic is made mainly of 64-bytes frames, the cumulative throughput drops in the region of 10Gbps and the CPU is almost fully used.

At least that's what I think it means ¯\_(ツ)_/¯

View solution in original post

Joseph W. Doherty · ‎08-02-2023

Without seeing your attached table, in its context, cannot say how much it also addresses MACsec performance, as encryption performance usually is referenced in regard to L3, like IPSec. That said, suspect it would, if not be about the same, it would closely track as the same, because the same underlying hardware is very likely used for L2 or L3 encryption.

Anyway, what that table shows is the impact of packet size for throughput and usage of the main device CPU. Often, you get increased throughput and/or decreased CPU consumption as frame/packet sizes increase. iMIX average packet size, can vary bit, depending on the particular iMIX being used, but they seem to usually have a size about 400.

To put things in perspective, for 64 bytes frames, those results show you cannot achieve more than (about) 10 Gbps throughput (because the CPU is almost fully maxed out).

simone.c · ‎08-02-2023

Thank you Joseph, I think you helped me figure it out. The maximum throughput an

ASR1001-x

is capable of is 20Gbps, so that table is telling me that if I encrypt everything but my traffic is made mainly of 64-bytes frames, the cumulative throughput drops in the region of 10Gbps and the CPU is almost fully used.

At least that's what I think it means ¯\_(ツ)_/¯

Joseph W. Doherty · ‎08-03-2023

Laugh, not included in my posted reply, I did reverse the percentages, and came up with the value 20. I didn't know why/where 20, so I left that out. But, believe you may have solved my riddle.

I'm responding from my phone, so unable to look at your attachment, but wrote 10 Mbps and you've responded 10 Gbps. Very possible I miscounted the number of digits in the table, and remembering, I think I did. (EDIT: Now able to, again, look at your attachment. Indeed, bps are gig rates. Corrected my original post.)

Correct, if all the frames were 64 bytes, you would max out. Many platforms PPS rate is impacted by packet's size. That's the bad news, but it's also for the unusual worst case. IMIX would be the usual case.