
Effects of encryption on bandwidth

Patrick McHenry
Level 3

Hi,

Generally speaking, will encrypting traffic (esp-aes 256 esp-sha-hmac) across a WAN circuit drop a NIC's performance by half?

Thanks Pat.

6 Replies

Leo Laohoo
Hall of Fame

You have two routers at each end and an ISP cloud in the centre.

When you run encryption, it depends if the router has a dedicated encryption card or not.

If you don't then encryption is done on the router's CPU and this will significantly cut down the amount of data being pushed to <50%.

If you have a dedicated encryption card (like most ISR G1 and G2) then it will significantly cut the WAN performance down to about 40-45%.

Because I don't work for Cisco (and I don't have access to internal documents), my rule-of-thumb is to cut the throughput value to 50%, just to be on the safe side.

Joseph W. Doherty
Hall of Fame

Disclaimer


The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Patrick McHenry wrote:

Hi,

Generally speaking, will encrypting traffic (esp-aes 256 esp-sha-hmac) across a WAN circuit drop a NIC's performance by half?

Thanks Pat.

Not necessarily.  It could, it could also be worse, or it might have little effect.  A NIC generally doesn't really care whether a packet is encrypted or not, but there's additional processing required to encrypt/decrypt and encryption adds to bandwidth consumption (it can also cause IP fragmentation).
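
To put numbers on the point in the reply above that encryption adds to bandwidth consumption and can cause IP fragmentation, the following is an added example (not part of any post in this thread) that computes the on-wire size of a packet under esp-aes 256 esp-sha-hmac. It assumes IPv4, ESP tunnel mode, AES in CBC mode, and no NAT-T or GRE; the function names are this example's own.

```python
# Added example: per-packet size cost of ESP for the transform set in the question.
# Assumptions (not stated in the thread): IPv4, tunnel mode, AES in CBC mode,
# no NAT-T/UDP encapsulation, no GRE, no layer-2 headers counted.

OUTER_IPV4 = 20   # new IPv4 header added in tunnel mode
ESP_HEADER = 8    # SPI (4) + sequence number (4), RFC 4303
AES_CBC_IV = 16   # per-packet IV, RFC 3602
AES_BLOCK = 16    # encrypted part is padded to a multiple of this
ESP_TRAILER = 2   # pad-length byte + next-header byte (encrypted)
SHA1_96_ICV = 12  # HMAC-SHA-1 truncated to 96 bits, RFC 2404


def esp_packet_size(inner_len: int) -> int:
    """On-wire size of an inner IP packet of inner_len bytes after ESP."""
    if inner_len < 20:
        raise ValueError("inner packet must include at least an IPv4 header")
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // AES_BLOCK) * AES_BLOCK  # round up to block size
    return OUTER_IPV4 + ESP_HEADER + AES_CBC_IV + padded + SHA1_96_ICV


def max_inner_without_fragmentation(path_mtu: int = 1500) -> int:
    """Largest inner packet whose ESP packet still fits in path_mtu."""
    fixed = OUTER_IPV4 + ESP_HEADER + AES_CBC_IV + SHA1_96_ICV
    room = (path_mtu - fixed) // AES_BLOCK * AES_BLOCK
    return room - ESP_TRAILER


def report(sizes=(64, 256, 576, 1400, 1438, 1500), path_mtu=1500):
    """Rows of (inner size, wire size, payload efficiency, exceeds MTU)."""
    rows = []
    for n in sizes:
        wire = esp_packet_size(n)
        rows.append((n, wire, round(n / wire, 3), wire > path_mtu))
    return rows


if __name__ == "__main__":
    print("inner  wire  efficiency  exceeds_mtu")
    for n, wire, eff, frag in report():
        print(f"{n:5d} {wire:5d} {eff:10.3f}  {frag}")
    print("largest inner packet that fits:", max_inner_without_fragmentation())
```

This covers only the extra bytes per packet; the processing cost of encrypting and decrypting on the router is a separate limit.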

Joseph,

Is there any documentation that gives specs on this?

Thanks, Pat

Posting

Depends; what specifically do you want to see?

Cisco has some nice papers on avoiding fragmentation running crypto tunnels between routers.

For example: http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Thanks for the doc.

I think I am looking for a list of routers with the expected throughput of each router with or without encryption. Now that I think about it, I might have something like this, but if you have something like this, please send it on.

Thanks.

Posting

For the later ISRs, maybe something like the attachment?
