08-23-2012 01:01 PM - edited 03-07-2019 08:30 AM
Hi,
Generally speaking, will encrypting traffic: esp-aes 256 esp-sha-hmac across a WAN circuit drop a NIC's performance by half?
Thanks Pat.
08-23-2012 03:43 PM
You have two routers at each end and an ISP cloud in the centre.
When you run encryption, it depends if the router has a dedicated encryption card or not.
If you don't, then encryption is done on the router's CPU and this will significantly cut down the amount of data being pushed to <50%.
If you have a dedicated encryption card (like most ISR G1 and G2) then it will significantly cut the WAN performance down to about 40-45%.
Because I don't work for Cisco (and I don't have access to internal documents), my rule-of-thumb is to cut the throughput value to 50%, just to be on the safe side.
08-23-2012 05:58 PM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Patrick McHenry wrote:
Hi,
Generally speaking, will encrypting traffic: esp-aes 256 esp-sha-hmac across a WAN circuit drop a NIC's performance by half?
Thanks Pat.
Not necessarily. It could, it could also be worse, or it might have little effect. A NIC generally doesn't really care whether a packet is encrypted or not, but there's additional processing required to encrypt/decrypt and encryption adds to bandwidth consumption (it can also cause IP fragmentation).
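The bandwidth and fragmentation effect mentioned in the post above can be worked out per packet. This is an added example, not part of the original thread; it assumes ESP tunnel mode over IPv4 with AES-CBC and HMAC-SHA1-96 for the esp-aes 256 esp-sha-hmac transform, no NAT-T or GRE, and a 1500-byte link MTU.

```python
# Added example: ESP tunnel-mode overhead for esp-aes 256 + esp-sha-hmac.
# Assumptions (not from the thread): IPv4 outer header without options,
# AES-CBC (16-byte IV and block), HMAC-SHA1-96 (12-byte ICV), no NAT-T, no GRE.

OUTER_IP = 20      # new IPv4 header added by tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
AES_IV = 16        # per-packet CBC initialisation vector
AES_BLOCK = 16     # CBC pads the plaintext to a multiple of this
ESP_TRAILER = 2    # pad-length + next-header bytes, encrypted with the payload
ICV = 12           # HMAC-SHA1 output truncated to 96 bits


def esp_packet_size(inner_len: int) -> int:
    """Size on the wire of one inner IP packet after ESP tunnel encapsulation."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // AES_BLOCK) * AES_BLOCK  # round up to block size
    return OUTER_IP + ESP_HEADER + AES_IV + padded + ICV


def max_inner_without_fragmentation(link_mtu: int) -> int:
    """Largest inner packet whose encrypted form still fits in link_mtu."""
    room = link_mtu - OUTER_IP - ESP_HEADER - AES_IV - ICV
    return (room // AES_BLOCK) * AES_BLOCK - ESP_TRAILER


def report(sizes, link_mtu=1500):
    """Return (inner, outer, overhead %, exceeds MTU) for each inner size."""
    rows = []
    for inner in sizes:
        outer = esp_packet_size(inner)
        pct = round(100 * (outer - inner) / inner, 1)
        rows.append((inner, outer, pct, outer > link_mtu))
    return rows


if __name__ == "__main__":
    # Constructed sample sizes: small, mid-size, and near/at full-MTU packets.
    for inner, outer, pct, too_big in report([64, 576, 1438, 1439, 1500]):
        print(f"inner={inner:5d} outer={outer:5d} overhead={pct:5.1f}% "
              f"exceeds_mtu={'yes' if too_big else 'no'}")
    print("largest inner packet for MTU 1500:",
          max_inner_without_fragmentation(1500))
```

Small packets pay the largest relative overhead, and any inner packet above the computed limit has to be fragmented somewhere along the path, which costs additional CPU on top of the crypto itself.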
08-24-2012 04:32 AM
Joseph,
Is there any documentation that gives specs on this?
Thanks, Pat
08-24-2012 09:28 AM
Depends. What specifically do you want to see?
Cisco has some nice papers on avoiding fragmentation running crypto tunnels between routers.
For example: http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
08-24-2012 11:16 AM
Thanks for the doc.
I think I am looking for a list of routers with the expected throughput of each router with or without encryption. Now that I think about it, I might have something like this, but if you have something like this, please send it on.
Thanks.
08-24-2012 01:02 PM
For the later ISRs, maybe something like the attachment?