
IPsec throughput

leandro.brito
Level 1

Hi all,

I'm trying to find a device (from those I have already - routers 3945 and 4451) that supports 500 Mb IPsec throughput and couldn't get it so far.

Let me share what I've found:

Router 3945 – even with an additional license it can reach only 170Mb (85Mb in and 85Mb out)

The HSEC-K9 license removes the curtailment enforced by the U.S. government export restrictions on the encrypted tunnel count and encrypted throughput. HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E. With the HSEC-K9 license, the ISR G2 router can go over the curtailment limit of 225 tunnels maximum for IP Security (IPsec) and encrypted throughput of 85-Mbps unidirectional traffic in or out of the ISR G2 router, with a bidirectional total of 170 Mbps.

http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/software-activation-on-integrated-services-routers-isr/white_paper_c11_556985.html#wp9001357

Router 4451 - 170Mb only?

That's what I understood here:

http://www.cisco.com/web/partners/downloads/sell/technology/borderless/C67-728261-00_Cisco_4451-X_QA.pdf

But Miercom did achieve 900Mb (and even more) in the lab.

http://miercom.com/pdf/reports/20150817.pdf

Slide #92 has totally different information - http://d2zmdbbm9feqrf.cloudfront.net/2015/usa/pdf/BRKARC-3001.pdf

Cisco 5550 - Up to 425 (OK - it doesn't solve my problem but the info is clear)

http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/data_sheet_c78-345385.html

Can anyone share some more accurate info or help me get what I'm missing here?

Regards,

Leandro


Rahul Govindan
VIP Alumni

The newer ASA models, ASA5500-X, should give you this throughput. Datasheet below:

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/data-sheet-c78-729807.html

ASA5555-X has 700Mbps throughput.

The ASAs you had referenced above were the older generation models.

Thank you Rahul, it really does, but I'm still trying to do it with some of the devices available.

I do believe that the 4451 can support it (with an additional license) but I'm not 100% sure yet.

It should absolutely support more than 170Mbps. The 170 Mbps is only when you have the SEC license; by default there is an export restriction of 85 Mbps in a single direction - hence the 170 Mbps. When you add the HSEC license, the export restriction is lifted. I believe based on the license level of the hardware, you should see close to 1Gbps of crypto traffic throughput. The 4451 can do at least 2 Gbps of data traffic, so 1Gbps of crypto should be easily achievable, if not more.

If you are a Cisco partner or working with one, I would recommend opening a case with Cisco partner help to get VPN performance information directly from Cisco.

Thank you Rahul,

I did that and the 4451 I have will be enough for this project.

Cheers,

Leandro

You need the SEC for doing IPSEC with the 4000 and HSEC to go over the 85mbps limit.

How do you test the performance? A small 5515-X reaches 950mbps with an iperf test.

Michael

Please rate all helpful posts