1841 VPN Performance

Answered Question
Feb 5th, 2008

Hi,

I'm wondering if there are some figures available regarding the performance of a standard 1841 with the IOS image :

12.4(18) AdvipserviceK9

I configured 2 1841's it with a simple example (see attachment) but can't get greater speeds than 6 to 11 Mbit trough a tunnel.

I'm testing with default Iperf settings and 2 laptops which can get speeds of 75 up to 81 Mbit without a tunnel.

I'm just wondering what kind of performance one could expext with a setup like this, but I cannot find any figures within the Cisco Online documentation

Router1:

crypto isakmp policy 10

authentication pre-share

!

crypto isakmp key ciscokey address 200.1.1.1

!

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto map myvpn 10 ipsec-isakmp

set peer 200.1.1.1

set transform-set myset

!--- Include the private-network-to-private-network traffic

!--- in the encryption process:

match address 101

!

!

!

interface Ethernet0/0

ip address 172.16.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Ethernet1/0

ip address 100.1.1.1 255.255.255.0

ip nat outside

ip virtual-reassembly

crypto map myvpn

!

ip classless

ip route 0.0.0.0 0.0.0.0 100.1.1.254

!

ip http server

no ip http secure-server

!

!--- Except the private network from the NAT process:

ip nat inside source list 175 interface Ethernet1/0 overload

!

!--- Include the private-network-to-private-network traffic

!--- in the encryption process:

access-list 101 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255

!--- Except the private network from the NAT process:

access-list 175 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 175 permit ip 172.16.1.0 0.0.0.255 any

Router2

crypto isakmp policy 10

authentication pre-share

crypto isakmp key ciscokey address 100.1.1.1

!

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto map myvpn 10 ipsec-isakmp

set peer 100.1.1.1

set transform-set myset

!--- Include the private-network-to-private-network traffic

!--- in the encryption process:

match address 101

!

!

!

interface Ethernet0/0

ip address 10.1.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Ethernet1/0

ip address 200.1.1.1 255.255.255.0

ip nat outside

ip virtual-reassembly

crypto map myvpn

!

!

ip classless

ip route 0.0.0.0 0.0.0.0 200.1.1.254

!

no ip http server

no ip http secure-server

!

!--- Except the private network from the NAT process:

ip nat inside source list 122 interface Ethernet1/0 overload

!--- Except the static-NAT traffic from the NAT process if destined

!--- over the encrypted tunnel:

ip nat inside source static 10.1.1.3 200.1.1.25 route-map nonat

!

access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

!--- Except the private network from the NAT process:

access-list 122 deny ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 122 permit ip 10.1.1.0 0.0.0.255 any

!--- Except the static-NAT traffic from the NAT process if destined

!--- over the encrypted tunnel:

access-list 150 deny ip host 10.1.1.3 172.16.1.0 0.0.0.255

access-list 150 permit ip host 10.1.1.3 any

!

route-map nonat permit 10

match ip address 150

I have this problem too.
0 votes
Correct Answer by attrgautam about 8 years 11 months ago

Here is a link on the VPN performance of most of the routers -

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ns125_Networking_Solutions_Brochure.html

The throughput effect could be due to a variety of reasons -

a)Fragmentation of packets due to IPSEC and MTU issues

b) Higher ACL processing on the router for Crypto and NAT processes

c) Any other services which may be running.

While 45Mbps is the maximum throughput, our practice is to use 1841 upto 5Mbps of IPSEC only.

Let me know if it helps

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
attrgautam Tue, 02/05/2008 - 05:52

Here is a link on the VPN performance of most of the routers -

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ns125_Networking_Solutions_Brochure.html

The throughput effect could be due to a variety of reasons -

a)Fragmentation of packets due to IPSEC and MTU issues

b) Higher ACL processing on the router for Crypto and NAT processes

c) Any other services which may be running.

While 45Mbps is the maximum throughput, our practice is to use 1841 upto 5Mbps of IPSEC only.

Let me know if it helps

cco_heerema Tue, 02/05/2008 - 06:02

thanks .. this certainly helps.

It confirms with my lab test results.

Thank you !

Actions

This Discussion