Real Throughput of the 3825?

Answered Question
Aug 29th, 2006

The performance documents from Cisco say that the 3825 is capable of 350,000 packets per second for a rate of 179Mbps. I know that they are using small packets to establish this. What throughput can I really expect?

Correct Answer
wochanda Wed, 08/30/2006 - 16:06

The 3825 configured for only IP can push around 1Gbps, or 400k PPS. This is based on a mix of small and large packets, representing typical internet traffic.

With services turned on (qos, firewall, vpn, nat, nbar), expect to see anywhere between 100-300Mbps throughput, depending on which service it is, and what combination of services are configured.

patrick.hurley Thu, 08/31/2006 - 08:26

That doesn't make sense. 400,000x64byte packets x 8 = 204Mbps. That is the best case.

wochanda Thu, 08/31/2006 - 09:56

What do you mean the best case? For throughput or for PPS?

Router performance is based on PPS, not on size. Therefore, the larger the packet, the greater the throughput.

My response said that the figures were made from a mix of small and large packets, with the average around 1000b.

ajagadee (Cisco Employee) Wed, 08/30/2006 - 19:21

Patrick,


One of the best ways to test the throughput is to try and get a 3825 from your sales team and test it in your lab using a traffic generator with the typical packet size in your network.

Also, make sure that you enable the features that you want and measure the throughput.


Regards,

Arul



ns_speer_08 Tue, 01/29/2008 - 12:22

I have two 3825s directly connected with gig interfaces and cannot come close to the 179Mbps numbers. I am using the onboard VACs and have tried gre, gre/ipsec, VTI, and ipsec with various mtu and DF bit settings, but can only achieve around 36-38Mbps max throughput using iperf and ftp. I also noticed CPU is max >95% during any of these tests. My question is, are these ballpark numbers for a 3825 256M, 12.4(15)T, and would an external VAC greatly improve performance?

Joseph W. Doherty Tue, 01/29/2008 - 16:25

If you're not already doing so, you might want to try using the "ip tcp adjust-mss" command. See http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html for more information. Set it to match the actual effective minimum MTU available.


You should also confirm the hardware, not software, is doing any encryption.


According to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ns125_Networking_Solutions_Brochure.html, the 3825 on board encryption is supposedly good for about 170 Mbps.
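
Added example, not part of the original thread: a calculator for the "actual effective minimum MTU" behind the `ip tcp adjust-mss` advice above, plus the pps-to-Mbps arithmetic argued over earlier. The 1500-byte link MTU, ESP tunnel mode, the AES-CBC/3DES-CBC transforms and the 96-bit HMAC ICV are assumptions; the thread does not state which transforms were configured.

```python
# Added example: encapsulation overhead for the tunnel types tested in this thread.
# Assumptions: 1500-byte link MTU, no IP/TCP options, ESP tunnel mode, 96-bit HMAC ICV.
IP_HDR, TCP_HDR = 20, 20
GRE_OVER_IP = IP_HDR + 4          # outer IP header + basic GRE header (no key/sequence)
IPIP = IP_HDR                     # IP-in-IP adds only an outer IP header
ESP_HDR, ESP_TRAILER, ICV = 8, 2, 12   # SPI+sequence; pad-length+next-header; truncated HMAC
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}   # name -> (IV bytes, block bytes)


def esp_tunnel_size(inner_len, cipher="aes-cbc"):
    """On-wire size of an inner IP packet after ESP tunnel-mode encapsulation."""
    iv, block = CIPHERS[cipher]
    pad = -(inner_len + ESP_TRAILER) % block   # payload + trailer must fill whole blocks
    return IP_HDR + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + ICV


def wire_size(inner_len, tunnel_hdr=0, cipher=None):
    """Size after optional GRE/IP-in-IP encapsulation, then optional ESP."""
    size = inner_len + tunnel_hdr
    return esp_tunnel_size(size, cipher) if cipher else size


def max_inner_packet(link_mtu=1500, tunnel_hdr=0, cipher=None):
    """Largest inner IP packet that still fits the link MTU once encapsulated."""
    inner = link_mtu
    while wire_size(inner, tunnel_hdr, cipher) > link_mtu:
        inner -= 1
    return inner


def adjust_mss(link_mtu=1500, tunnel_hdr=0, cipher=None):
    """TCP MSS that keeps full-size segments from being fragmented in the tunnel."""
    return max_inner_packet(link_mtu, tunnel_hdr, cipher) - IP_HDR - TCP_HDR


def mbps(pps, packet_bytes):
    """Throughput implied by a packets-per-second rate at a fixed packet size."""
    return pps * packet_bytes * 8 / 1e6


if __name__ == "__main__":
    modes = [("pure IP", 0, None), ("IP-IP", IPIP, None), ("GRE", GRE_OVER_IP, None),
             ("IPsec or VTI, AES", 0, "aes-cbc"), ("GRE/IPsec, AES", GRE_OVER_IP, "aes-cbc"),
             ("GRE/IPsec, 3DES", GRE_OVER_IP, "3des-cbc")]
    for name, hdr, cipher in modes:
        print(f"{name:18} max inner packet {max_inner_packet(1500, hdr, cipher)}"
              f"  adjust-mss {adjust_mss(1500, hdr, cipher)}")
    print(f"350 kpps of 64-byte packets = {mbps(350_000, 64):.1f} Mbps")
```

A value at or below the computed MSS keeps full-size TCP segments from being fragmented after encapsulation; it does not change how many packets per second the crypto engine can process.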

ns_speer_08 Thu, 01/31/2008 - 09:32

Thanks, I did try the "ip tcp adjust-mss" command with no luck. Also, I know I'm using onboard hardware encryption because I disabled it on both 3825s and only got around 10-12 Mbps with software ("show crypto engine brief").

I've read the second link you posted and saw the numbers for on-board vs. external VPN accel. What is that, like only a 9% (170/185) increase with an external VPN accel.? Would more memory make any difference?


If you follow this thread:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cbf55a2/2#selected_message

and download the routerperformance.pdf file, it seems to reveal that there is no way you can get close to the published VPN numbers, especially if a 3825 will only allow 170Mbps of real throughput with no additional services or features (vpn, acls, etc). These would be important numbers to have on the website.

Joseph W. Doherty Thu, 01/31/2008 - 10:43

"Would more memory make any difference?" I wouldn't think so, but what's your free memory stat like?


Seems a large delta from the under 40 Mbps you're getting vs. the documented 170 Mbps. I'm wondering how much GRE/IPSec vs. pure IPSec might impact performance.

ns_speer_08 Thu, 01/31/2008 - 11:17

You were right, looks like I've got plenty of free mem (about 20% used/ 80% free).


I agree about the large delta. I will reconfigure for pure ipsec and see what I get. It almost seems like GRE/ipsec or VTI (currently configed) is getting process switched instead of fast/CEF switched. But, disabling onboard encryption brings my numbers down to 10-12 Mbps which agrees with the process switched numbers on the routerperformance.pdf file. Thanks.

ns_speer_08 Tue, 02/12/2008 - 13:16

I tried pure ipsec with roughly the same numbers for throughput (36-38Mbps). I also tried GRE with no encryption (58-61Mbps) and IP-IP (62-66Mbps). I've got two external VPN encrypters on order and will try to post numbers on those when I have time. Finally, I found this Cisco doc while searching the web the other day and according to page 47, the numbers I'm seeing are what I can expect with the onboard VPN module. Sure is a big difference from what the marketing says.



paolo bevilacqua Tue, 02/12/2008 - 14:13

Hi, can you clarify in detail your testing methodology and provide a show interface and show process cpu taken at maximum performance time?

Seems there is too much difference with the cisco numbers.

ns_speer_08 Wed, 02/13/2008 - 07:52

Before I do that, let's go back to my original question. What are the "real" throughput numbers for VPN using onboard VAC and pure ipsec, gre/ipsec, and VTI? Also, if I spend $2K on an external VPN module, will these numbers increase and if so, by how much? Finally, can you post a complete configuration that will get the maximum VPN throughput out of two 3825s connected directly together using some form of ipsec (pure ipsec, gre/ipsec, vti)?

paolo bevilacqua Wed, 02/13/2008 - 08:04

My question was related to pure ip routing. There is too much difference in that between your numbers and cisco's ones, and in my experience, during 8 years with them, cisco's numbers are generally genuine.


About the performance with crypto, your numbers match cisco's from "page 47", so I think it's reasonable that these are the correct ones.

Finally, note that a VPN AIM is available for the 3845, AIM-VPN/SSL-3, made with the purpose of adding performance and scalability to the onboard one.

ns_speer_08 Wed, 02/13/2008 - 09:17

I would agree my crypto numbers match with that of the ipsecovr.pdf document on page 47. That document took some time to find using google. What could I do to achieve the published 170 Mbps VPN throughput cisco claims in this link?

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ns125_Networking_Solutions_Brochure.html


Also, I am aware of the external AIM-VPN/SSL-3 for $2500. This seems to offload encryption processing to a dedicated piece of hardware. Makes sense that this would increase VPN throughput performance. Can you give me an idea of how much performance I can expect for my $2500? This link:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ns125_Networking_Solutions_Brochure.html

shows a big increase in maximum tunnels with the AIM-VPN module (from 500 to 2000) and only a 9% increase in VPN throughput (170Mbps vs. 185Mbps). But I cannot seem to achieve the claimed 170 Mbps throughput anyway. More like 36-48 Mbps from the ipsecovr.pdf which you say is correct. Bottom line is I can't believe the marketing brochure's VPN numbers. I would like to increase VPN throughput using an AIM-VPN module. How much increase can I expect after spending $2500?


paolo bevilacqua Wed, 02/13/2008 - 14:32

Hi,


I believe that if you can reproduce in the first place the "pure ip" scenario in which the 3825 supposedly does 350 kpps / 180 mbps, that would be a start.

Note that if you're trying to do that with PC-based traffic generators, chances are you will need multiple machines, and then it will be difficult anyway to count how much traffic you are receiving. The performance is taken at the point where you have 0% packet loss, but even a small increase in traffic does cause loss.

As for what the AIM module (that is internal to the router, not external) actually buys you, I agree, the claimed throughput increase is not much, so I can suppose customers are more interested in scaling the number of tunnels instead.

Nevertheless, for such a large number of spokes, many customers would be buying 7200s with the high-end enciphers anyway.

ns_speer_08 Thu, 02/14/2008 - 13:01

To sum up: for "pure ip" I can expect no more than 180Mbps. Using onboard crypto and VPN I can expect 36-48 Mbps. Finally, the AIM module (external to the main 3825 motherboard, internal to the router case) only buys me multiple tunnels, not a significant increase in throughput (+9% maybe).


Thanks for your help.
