That doesn't make sense. 400,000x64byte packets x 8 = 204Mbps. That is the best case.

What do you mean the best case? For throughput or for PPS?

Routers performance is based PPS, not by size. Therefore the larger the packet the more the throughput.

My response said that the figures were made from a mix of small and large packets, with the average around 1000b

I am sorry, you are correct. Thanks!

I have two 3825s directly connected with gig interfaces and cannot come close to the 179Mbps numbers. I am using the onboard VACs and have tried gre, gre/ipsec, VTI, and ipsec with various mtu and DF bit settings, but can only achieve around 36-38Mbps max throughput using iperf and ftp. Also noticed CPU is max >95% during any of these tests. My question, is are these ballpark numbers for 3825 256M, 12.4(15)T, and would an external VAC greatly improve performance?

If you're not already doing so, you might want to try using the "ip tcp adjust-mss" command. See http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html for more information. Set it such to match the available actual effective minimal MTU.

You should also confirm the hardware, not software, is doing any encryption.

According to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ns125_Networking_Solutions_Brochure.html, the 3825 on board encryption is supposely good for about 170 Mbps.

Thanks, I did try the "ip tcp adjust-mss" command with no luck. Also, I know I'm using onboard hardware encryption because I disabled it on both 3825s and only got around 10-12 Mbps with software ("show crytpo engine brief").

I've read the second link you posted and saw the numbers for on-board vs. external VPN accel. What is that like only a 9% (170/185) increase with an external VPN accel.? Would more memory make any difference?

If you follow this thread:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cbf55a2/2#selected_message

and download the routerperformance.pdf file. It seems to reveal that there is no way you can get close to the published VPN numbers. Especially if a 3825 will only allow 170Mbps of real throughput with no additional services or features (vpn,acls,etc). These would be important numbers to have on the website.

"Would more memory make any difference?" I wouldn't think so, but what's your free memory stat like?

Seems a large delta from the under 40 Mbps you getting vs. the documented 170 Mbps. I'm wondering how much GRE/IPSec vs. pure IPSec might impact performance.

You were right, looks like I've got plenty of free mem (about 20% used/ 80% free).

I agree about the large delta. I will reconfigure for pure ipsec and see what I get. It almost seems like GRE/ipsec or VTI (currently configed) is getting process switched instead of fast/CEF switched. But, disabling onboard encryption brings my numbers down to 10-12 Mbps which agrees with the process switched numbers on the routerperformance.pdf file. Thanks.

I tried pure ipsec with roughly the same numbers for throughput (36-38Mbps). I also tried GRE with no encryption (58-61Mbps) and IP-IP (62-66Mbps). I've got two external VPN encrypters on order and will try to post numbers on those when I have time. Finally, I found this Cisco doc while searching the web the other day and according to page 47, the numbers I'm seeing are what I can expect with onboard VPN module. Sure is a big difference from what the marketing says.

Hi, can you clarify in detail you testing methodology and provide a show interface and show process cpu taken at maximum performance time ?

Seems there is too much difference with the cisco numbers.

Before I do that, let's go back to my original question. What are the "real" throughput numbers for VPN using onboard VAC and pure ipsec, gre/ipsec, and VTI? Also, if I spend $2K on an external VPN module, will these numbers increase and if so, by how much? Finally, can you post a complete configuration that will get the maximum VPN throughput out of two 3825s connect directly together using some form of ipsec (pure ipsec, gre/ipsec, vti)?

My question was related to pure ip routing. There is too much difference in that between your numbers and cisco's ones, and in my experience, during 8 years with them, cisco's numbers are generally genuine.

About the performances with crypto, your numbers matches with cisco's of "pag 47", so I think it's reasonable these are correct ones.

Finally note that a VPN aim is available for the 3845, AIM-VPN/SSL-3, made with the purpose of adding performances and scalability to the onboard one.