08-19-2013 04:09 PM - edited 02-21-2020 07:06 PM
I can not find IPSec performance on the Cisco 7201 router platform so I am asking in this forums.
Which platform will give better IPSec performance to terminate site-2-site VPN (no dyanmic routing, no NAT, no QoS), just simple site-2-site IPSec VPN?
ISR 3845 with AIM VPN module or Cisco 7201? I have the IPSec performance on the 3845 with AIM (about 145Mbps) but I can't find anything on the 7201 router.
Can someone help me with this?
Thanks in advance.
08-19-2013 04:14 PM
Go here.
The 3845 is rated for 256 Mbps of un-encrypted traffic. Take half down and you'll get a good idea what the appliance is capable of doing when it's encrypted.
In regards to your 7201, it all depends on your NPE.
08-19-2013 04:17 PM
here is the "show version" on the 7201:
c7201>sh ver
Cisco IOS Software, 7200 Software (C7200P-ADVIPSERVICESK9-M), Version 12.4(15)T11, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 29-Oct-09 04:02 by prod_rel_team
ROM: System Bootstrap, Version 12.4(12.2r)T, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, 7200 Software (C7200P-BOOT-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
KWANKTLRT72001 uptime is 26 weeks, 4 days, 5 hours, 43 minutes
System returned to ROM by power-on
System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T11.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco 7201 (c7201) processor (revision B) with 1966080K/65536K bytes of memory.
Processor board ID 78010180
MPC7448 CPU at 1666Mhz, Implementation 0, Rev 2.2
1 slot midplane, Version 2.1
Last reset from power-on
1 FastEthernet interface
4 Gigabit Ethernet interfaces
1 Serial interface
2045K bytes of NVRAM.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
c7201>
Can you tell me the IPSec throughput on the 7201?
thanks in advance
08-19-2013 04:27 PM
I'm out of my depth here, David. Can you post the output to the command "sh inventory"?
08-19-2013 06:21 PM
c7201>show inventory
NAME: "Chassis", DESCR: "Cisco 7201, 1-slot chassis"
PID: CISCO7201 , VID: , SN: 78010180
NAME: "module 1", DESCR: "Serial T3+"
PID: PA-T3+= , VID: , SN: 36986175
NAME: "Power Supply 1", DESCR: "Cisco 7201 AC Power Supply"
PID: PWR-7201-AC , VID: , SN:
NAME: "Power Supply 2", DESCR: "Cisco 7201 AC Power Supply"
PID: PWR-7201-AC , VID: , SN:
NAME: "c7201", DESCR: "Cisco 7201 Network Processing Engine"
PID: CISCO7201 , VID: V02 , SN: JAE1345NGXF
c7201>
08-19-2013 06:36 PM
Cisco IOS Software images dedicated for the Cisco 7201 will have the file names starting with "c7200p", the same as those for the Cisco 7200 NPE-G2 Network Processing Engine.
The above bit was taken from the 7201 Data Sheet. So I guess you are looking at an NPE-G2 line card, which is rated at 1,024 Mbps without any form or encryption. So I would surmiss that your 7201 can push around 600 Mbps of encrypted traffic (one-way only).
08-19-2013 06:44 PM
The above bit was taken from the 7201 Data Sheet. So I guess you are looking at an NPE-G2 line card, which is rated at 1,024 Mbps without any form or encryption. So I would surmiss that your 7201 can push around 600 Mbps of encrypted traffic (one-way only).
Hi Leo,
I am not interested in throughput for "unencrypted" traffics. I am only intersted in throughtput for "encrypted" traffics.
Are you saying that the 7201 can push 600Mbps of "encrypted" AES-256/SHA/DH-5 with PFS group5, based on what you see on my "show inventory" WITHOUT any encryption acceleration card?
My question is a very simple one. with the 7201 that I currently have, how much IPSEC througput can it process for AES-256/SHA/DH-5 with PFS group5?
08-19-2013 07:01 PM
WITHOUT any encryption acceleration card?
Can you post the output to the command "sh crypto eng brief"?
08-19-2013 07:12 PM
c7201>show crypto engine brief
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: 04A65744
crypto engine state: installed
crypto engine in slot: N/A
c7201>
so WITHOUT hardware VPN acceleration card, how much IPSec AES-256/SHA/DH group5 with PFS group5 can my 7201 push?
08-19-2013 07:24 PM
so WITHOUT hardware VPN acceleration card, how much IPSec AES-256/SHA/DH group5 with PFS group5 can my 7201 push?
I'm really out of my depth here, David. First time I've seen a router this big without an encryption card.
But if you permit me to make a guess, I'd say 600 Mbps, however, with encryption being done on software and how it affects the CPU of your hardware, I'd say 450 Mbps in a single direction.
Best bet is to raise a TAC Case. Maybe someone like Paolo can chime in.
08-25-2013 05:39 PM
Here is what I've found after some testing:
- Cisco 7201 without encryption card can handle about 95Mbps IPSec with CPU at 99% utilization. @95Mpbs IPSec, the router becomes extremely sluggish,
- Cisco 3845 with AIM card can handle about 146Mbps of IPSec traffics with CPU at 99% utilization. @146Mbps, the router becomes sluggish but not as much as the cisco 7201,
- Cisco 3945 with VPN card will push only 85Mbps without the advanced license.
- ASR 1002 can easily push well above 900Mbps IPSec traffics and the router is extremely fast
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide