1841 and 3845 VPN Throughput

Unanswered Question
Aug 26th, 2008

Does anyone know any link to cisco documentation that lists VPN throughput performance of 1841 and 3845 routers with and without the VPN Accelerator module?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (4 ratings)
Loading.
Mark Yeates Tue, 08/26/2008 - 09:00

I agree with collin. If possible use the AIM VPN module. Here are some statistic for the routers you indicated. The AIM module will provide up to 10 times the performance of software-only encryption by offloading encryption processing from the router CPU.

Cisco 1841 W/O AIM- Max tunnels 100 Max throughput 3DES/AES 45 Mbps

Cisco 1841 W AIM-Max tunnels 800 Max throughput 3DES/AES 95 Mbps

Cisco 3845 W/O AIM- Max tunnels 700 Max throughput 3DES/AES 180 Mbps

Cisco 3845 W AIM- Max tunnels 2500 Max throughput 3DES/AES 210 Mbps

HTH,

Mark

Joseph W. Doherty Tue, 08/26/2008 - 15:51

Found this reference:

Q. Where can I find IPsec and SSL VPN performance information?

A. The document at http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns125/netbr09186a00801f0a72.html provides an overview of the Cisco VPN-capable platforms and performance information. The routers are summarized in Table 5, which lists performance with and without VPN modules, tunnel counts, and throughput.

but appears to be a dead link.

For the 1800, found this:

Q. What is the maximum throughput performance for IPSec?

A. The maximum IPSec VPN performance supported by the Cisco 1800 Fixed-Configuration routers is 40 Mbps 3DES @ 1400 byte packets. The IOS firewall performance is 100Mbps @ 1400 byte packets.

also

Q. Does the onboard crypto accelerator of 3800 process all encryption algorithms in hardware?

A. Yes but with a caveat. The simultaneous configuration/use of AH and ESP protocols causes the processing to shift to software only mode. This applies to any combination of ESP & AH transform sets used.

e.g.

• ESP-3DES AH-SHA-HMAC

• ESP-3DES ESP-SHA-HMAC AH-SHA-HMAC

• ESP-AES AH-MD5-HMAC

• ESP-AES ESP-SHA-HMAC AH-MD5-HMAC

Since this lowers the VPN performance of the router significantly, we recommend the use of the encryption AIM-especially if the encryption policy requires the simultaneous use of AH and ESP. This limitation does not apply to the AIM-VPN/EPII-Plus or AIM-VPN/HPII-Plus.

For the 3800, found this:

Q. How many AIMs does the Cisco 3800 Series support?

A. The Cisco 3800 Series has two built-in AIM slots on the motherboard. These slots allow CPU offload with hardware-accelerated VPN (3DES) encryption, with up to 50 percent higher performance levels than provided by the onboard hardware encryption acceleration module. The slots also allow hardware compression and ATM capability, leaving the network module slots available for additional capacity while freeing up CPU resources.

Also see Chaper 4 in: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008075ea98.pdf

Actions

This Discussion