Hi Ian

The ipsec is also interesting but right now the problem is our customers have "local" internet access so what we are looking at is a setup where we are running  on a idle router which has a ADSL with 20 mbps down and 10 mbps up - and in the actual case the customer can run a internet based speedtest (http://tdc.dk/hastighedstest - based on ookla's flash-based speedtest-module) where he - when he is behind the router - can get around 10 mbps down and 8 mbps up - and if he removes the router and put his PC directly on the net he is up around the expected numbers ~ 19 mbps down and 9 mbps upload. Is this expected?

We have inspect enabled:

!
ip cef
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 1100
ip inspect one-minute high 1100
ip inspect one-minute low 1100
ip inspect name ourfw tcp
ip inspect name ourfw udp
ip inspect name ourfw cuseeme
ip inspect name ourfw ftp
ip inspect name ourfw h323
ip inspect name ourfw rcmd
ip inspect name ourfw realaudio
ip inspect name ourfw smtp
ip inspect name ourfw streamworks
ip inspect name ourfw vdolive
ip inspect name ourfw sqlnet
ip inspect name ourfw tftp
ip inspect name ourfw rtsp
ip inspect name ourfw netshow
ip inspect name ourfw fragment maximum 256 timeout 1
ip inspect name ourfw http java-list 80

and running a simpel NAT:

ip nat inside source list 175 interface FastEthernet4 overload

where the access-list 175 just defines a few networks denied which is going though a VPN and the rest permitted directly - and here is the Fastethernet4:

interface FastEthernet4
ip address dhcp
ip access-group acl_103 in
ip inspect ourfw out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map cm-our

I'll try to disabled the inspect part to see if this gives us any difference. The white paper looks a bit optimistic to me...

Hi,

871 are able handle 20 Mbps wan link.

Please ask your provider to test the link throughput and also you can do from your side with tool "iperf" which is best tool to test wanlink throughput.

However, here are some general comments:

However, here are some general comments:

• In an ideal world with 1400-byte packets (all packets same size!) and no other services running on your 871 you can get an aggregate performance with IPsec 3DES of up to 30 Mbps theoretically.
  I guess that this is why you think that 18Mbps should be possible.
• If we now move to the much more realistic IMIX packets (typical mix of different packet sizes) then the IPsec 3DES throughput already drops to 8 Mbps based on the Spirent IPSec IMIX definition.
• In the real world you typically run other services on the router as well, like IOS-FW, NAT and ACLs. Your aggregate performance now drops to about 4 Mbps based on IMIX packets.
• Things can even get worse if you use a 871W router with BVI configured. This cuts your aggregate performance down to about 2 Mbps based on IMIX packets.

Please rate the helpfull posts.
Regards,
Naidu.

Hi Naidu

In the actual case the customer has tested the connection without router (eg: A pc re-configured with the IP adresse etc of the WAN I/F of the router and connected there instead of the router)  - and then he can get about 19 mbps in download and 9 mbps upload - on a 20/10 mbps ADSL connection.

Right now it is interesting what we can get through the router when we have the firewall services running with ip inspect enabled  - if I look at a report like

http://www.cisco.com/web/DE/pdfs/verticals/smb/isr-871-teststudie-engl.pdf

I can on page #14 see numbers which look much like what we see here - even though it might be able to handle ipsec etc very fast. Can you confirm these numbers?

best regards /ti

Hi,

Yes.. And as mentioned, It have a great features including default vpn tunnel support, latest DMVPN technology and many more.

Please rate the helpfull posts.
Regards,
Naidu.

hi again

ok - this also means - as far as I can see -  that we should go for a more powerfull router when our customers are upgrading their ADSL connections to 20 mbps downstream or more - even if the 871 technically seen is able to handle a 20 mbps WAN connection - becuase if you load fw and inspect on it your realworld http throughput is going really down then?

best regards /ti

That is true...

Actually the c871 is for small business organization where you can terminate below 10 Mbps wan link and can utilize all its features without any issues.

But if you look at upgrade to morethan 10 Mbps say 20 Mbps then I would suggest go with 2921 router. Of course a 871 can handle at this stage but as a network admin we need to look at other features utilization and also system resources utilization which is more important.

Below are some specs of 2921:

Please rate the all helpfull posts.

Regards,

Naidu.

Well here is another official document from Cisco which suggests the real throughput is much lower:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Yes it's from 2009...even so...I would recommend a different router to maximise the 20mbps throughput of the WAN link.

HTH,

Ian

thanks Ian - had these specifications just been simpler to find...

Tell me about it!! Good job I'm unemployed and have time on my hands

Now to think of a good excuse to tell your clients...

Regards,

Ian