02-06-2017 07:31 AM - edited 02-21-2020 09:09 PM
Hi all,
I'm trying to find a device (from those I have already - routers 3945 and 4451) that supports 500 Mb IPsec throughput and couldn't get it so far.
Let me share what I've found:
Router 3945 – even with an additional license it can reach only 170Mb (85Mb in and 85Mb out)
The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E. With the HSEC-K9 license, the ISR G2 router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps.
Router 4451 - 170Mb only?
That's what I understood here:
But Miercom did achieve 900Mb (and even more) in the lab.
http://miercom.com/pdf/reports/20150817.pdf
Slide #92 has totally different information - http://d2zmdbbm9feqrf.cloudfront.net/2015/usa/pdf/BRKARC-3001.pdf
Cisco 5550 - Up to 425 (OK - it doesn't solve my problem but the info is clear)
Can anyone share some more accurate info or help me find what I'm missing here?
Regards,
Leandro
02-06-2017 10:14 AM
The newer ASA models, ASA5500-X, should give you this throughput. Datasheet below:
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/data-sheet-c78-729807.html
ASA5555-X has 700Mbps throughput.
The ASAs you had referenced above were the older generation models.
02-07-2017 01:23 AM
Thank you Rahul, it really does, but I'm still trying to do it with some of the devices available.
I do believe that the 4451 can support it (with an additional license) but I'm not 100% sure yet.
02-07-2017 05:12 AM
It should absolutely support more than 170 Mbps. The 170 Mbps is only when you have the SEC license; by default there is an export restriction of 85 Mbps in a single direction - hence the 170 Mbps. When you add the HSEC license, the export restriction is lifted. I believe based on the license level of the hardware, you should see close to 1 Gbps of crypto traffic throughput. The 4451 can do at least 2 Gbps of data traffic, so 1 Gbps of crypto should be easily achievable, if not more.
If you are a Cisco partner or working with one, I would recommend opening a case with Cisco partner help to get VPN performance information directly from Cisco.
02-24-2017 02:07 AM
Thank you Rahul,
I did that and the 4451 I have will be enough for this project.
Cheers,
Leandro
02-07-2017 07:05 AM
You need the SEC for doing IPsec with the 4000 and HSEC to go over the 85 Mbps limit.
How do you test the performance? A small 5515-X reaches 950 Mbps with an iperf test.