cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10025
Views
0
Helpful
4
Replies

Max IPSec VPN throughput on C1812 and C2811

bartholomiew
Level 1
Level 1

Hi Everybody

recently we had some performance issues with C2811 which caused us to do some lab testing. For testing we used also C1812. The results were quite surprising for us, as the C1812 appeared to be more efficient than C2811. Below you can see the lab scenario and results.

I'd appreciate very much an answer or any suggestions for 2 questions:

1. Why C2811 is performing worse than C1812?

2. Is there any official Cisco reference stating what are the max VPN throughputs of certain platforms/models? (we consider migration to C2900 platform and would like to choose the right model)

Only thing we found so far is this discussion:

https://supportforums.cisco.com/thread/257204 (which actually doesn't exactly comply with results of our tests)

and such refference:

http://www.cisco.com/en/US/prod/collateral/routers/ps5855/prod_brochure0900aecd8019dc1f.pdf

LAB SCENARIO

as presented on the small diag:

All routers had enabled onboard hw VPN modules and SEC/K9 IOS ver. Configuration was very simple and beside encryption there were also GRE tunnels configured and EIGRP process for routing between "remote LANs". Part of conf responsible for encryption:

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key ......... address ......... no-xauth!
crypto ipsec transform-set SHA-AES256 esp-aes 256 esp-sha-hmac

crypto map VPN 90 ipsec-isakmp
set peer .........
set transform-set SHA-AES256
set pfs group5
match address .........

TEST RESULTS

                                                                                                                                                                                                                          

Cisco 1812Cisco   2811
iperf   generated BW [bps]WAN   if BW (max of 30s avgs) [bps]CPU   usage (max of 5s avgs)WAN   if BW (max of 30s avgs) [bps]CPU   usage (max of 5s avgs)
500k--540k5%
1M1,1M3%1,2M8%
2M2,1M4%2,3M14%
5M5,4M10%5,7M34%
10M10,6M20%11,5M65%
15M15,8M28%17M96%
16M--17,2M99%
25M27M48%--
35M38M64%--
45M48,2M72%--
53M60,8M88%--
59M67M94%--
61M72M97%--

Many thanks

Best Regards!

Bartek

1 Accepted Solution

Accepted Solutions

olpeleri
Cisco Employee
Cisco Employee
  points

Hello Bartlomiej,

About your 2 questions: [ see inline]

1. Why C2811 is performing worse than C1812?

OP> C2811 is supposed to be deployed in single T1/E1 [ 2megs]  environment while a C1811/12 is meant to be deployed in a single xDSL setup [ 4 megs]. That's why you get a better perf.

2. Is there any official Cisco reference stating what are the max VPN throughputs of certain platforms/models? (we consider migration to C2900 platform and would like to choose the right model)

OP> ISR-G2 CCO numbers can be found here:

OP>http://www.cisco.com/en/US/partner/prod/collateral/routers/ps10536/white_paper_c11_595485.pdf

OP> Theses results are based on 1500 bytes perf tests

I had a look at some internal tests this is what I  can share:

Conditions:

  • Single tunnel
  • Minimum amount of enabled feature
  • IPSECIMIX traffic containing a set of small medium large frames in order to simulate a real traffic pattern
  • AES encryption

Platform

Performance @ 75% CPU utilization


C2901

53Mbps

C291161Mpbs
C292172Mpbs
C2951103Mbps

Performance may change depending on:

  • the features that will be enabled.
  • The traffic pattern [ Encryption is done in 1 cycle. Even though the PPS would be more or less the same, the router throughput will be way bigger with 1400 bytes frames than with 64 byte frames]

I hope this answer your questions.

Olivier

CCIE#20306

View solution in original post

4 Replies 4

david.tran
Level 4
Level 4

I have the same setup in my lab environment as you and I have an GRE/IPSec tunnel between 2811 and 1841.  I am not running dynamic routing protocol between the two and I am able to push 50Mbps between the two without any issues.

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key ......... address ......... no-xauth!
crypto ipsec transform-set SHA-AES256 esp-aes 256 esp-sha-hmac

crypto map VPN 90 ipsec-isakmp

set peer .........

set transform-set SHA-AES256

set pfs group5

match address ..

I also test with Iperf as well. In my situation, it is the 1841 that is the limitation factor.  On the 2811, I enabled the on-board AIM encryption card.   On the 2811 at 50Mbps, CPU is running around 50% and that I am running version 12.4(T)24 on the 2811

Hello David,

An ISR 1841 is supposed to be positioned in  a single E1/T1 bandwitdth scenario [ 2 megs/sec].

Looking at the tests I've found internally

Conditions:

  • Single tunnel
  • Traffic pattern is a selection of small - medium - large frames [ IMIX ] in order to simulate real life traffic

PlatformMbps @ 75% CPU utilization
Cisco18417 megs/sec
Cisco281110 megs/sec

Indeed, the 2811 provides more crypto throughput.

In your case with iperf, you are encrypting large frames which are in fact providing the best perfs [ encryption is a one cycle operation - regardless of the packet size ].

Cheers

Olivier

CCIE#20306

olpeleri
Cisco Employee
Cisco Employee
  points

Hello Bartlomiej,

About your 2 questions: [ see inline]

1. Why C2811 is performing worse than C1812?

OP> C2811 is supposed to be deployed in single T1/E1 [ 2megs]  environment while a C1811/12 is meant to be deployed in a single xDSL setup [ 4 megs]. That's why you get a better perf.

2. Is there any official Cisco reference stating what are the max VPN throughputs of certain platforms/models? (we consider migration to C2900 platform and would like to choose the right model)

OP> ISR-G2 CCO numbers can be found here:

OP>http://www.cisco.com/en/US/partner/prod/collateral/routers/ps10536/white_paper_c11_595485.pdf

OP> Theses results are based on 1500 bytes perf tests

I had a look at some internal tests this is what I  can share:

Conditions:

  • Single tunnel
  • Minimum amount of enabled feature
  • IPSECIMIX traffic containing a set of small medium large frames in order to simulate a real traffic pattern
  • AES encryption

Platform

Performance @ 75% CPU utilization


C2901

53Mbps

C291161Mpbs
C292172Mpbs
C2951103Mbps

Performance may change depending on:

  • the features that will be enabled.
  • The traffic pattern [ Encryption is done in 1 cycle. Even though the PPS would be more or less the same, the router throughput will be way bigger with 1400 bytes frames than with 64 byte frames]

I hope this answer your questions.

Olivier

CCIE#20306

Thank you Guys for your answers!

I think, this is what I needed.

Many thanks to Olivier for these valuable data and resources. It's a big support for people who need to decide which router to choose. I placed this whitepaper on this thread as it can also help others and normal access to it is restricted.

best regards!

Bartek