I'm actually working on a project regarding the upgrade of a GETVPN (GDOI) architecture.
I actually have Cisco 2921 routers with the VPN ISM module enhancing crypto performance + HSEC-K9 license to lift the 85 Mbps encryption traffic limit.
We are experiencing some limits with these routers, as we sometimes reach 200/300 Mbps peaks with nearly 100% CPU.
As I'm looking for new routers, I have several models proposed (ASR-920-4SZ-A or ASR 1001-X).
I would like to have guarantees regarding the rate limit for encrypted traffic and be sure that the router could handle at least 500 Mbps of encrypted traffic without reaching too much CPU.
What would you recommend?
Thanks in advance,
Short answer: ASR 1000 series, so ASR 1001-X is fine.
ASR 920 is designed for Carrier Ethernet / Metro Ethernet services; I don't think it is a good choice when looking for high IPSec throughput (500 Mbps).
ASR 1000 has a built-in or standalone ESP module, and this provides you with what you are looking for.
Hope to help
ASR 1001-X provides you with a long-term solution with the capability to grow.
ISR 4451-X/K9 may be enough for your current and mid-term needs; however, you need to consider that for full usage of ISR 4000 devices you need to buy additional licenses, which can make the ISR 4451-X/K9 final price not so cheap.
And this is also valid for IPSec performance (HSEC license ....).
Hope to help