Bronze

IPSec performance between ISR 3845 with AIM and 7201

I can not find IPSec performance on the Cisco 7201 router platform so I am asking in this forum.

Which platform will give better IPSec performance to terminate site-2-site VPN (no dynamic routing, no NAT, no QoS), just simple site-2-site IPSec VPN?

ISR 3845 with AIM VPN module or Cisco 7201?  I have the IPSec performance on the 3845 with AIM (about 145Mbps) but I can't find anything on the 7201 router.

Can someone help me with this?

Thanks in advance.

Hall of Fame Super Gold

IPSec performance between ISR 3845 with AIM and 7201

Go here.

The 3845 is rated for 256 Mbps of un-encrypted traffic.  Take half down and you'll get a good idea what the appliance is capable of doing when it's encrypted.

In regards to your 7201, it all depends on your NPE.

Bronze

IPSec performance between ISR 3845 with AIM and 7201

here is the "show version" on the 7201:

c7201>sh ver
Cisco IOS Software, 7200 Software (C7200P-ADVIPSERVICESK9-M), Version 12.4(15)T11, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 29-Oct-09 04:02 by prod_rel_team
ROM: System Bootstrap, Version 12.4(12.2r)T, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, 7200 Software (C7200P-BOOT-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
KWANKTLRT72001 uptime is 26 weeks, 4 days, 5 hours, 43 minutes
System returned to ROM by power-on
System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T11.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 7201 (c7201) processor (revision B) with 1966080K/65536K bytes of memory.
Processor board ID 78010180
MPC7448 CPU at 1666Mhz, Implementation 0, Rev 2.2
1 slot midplane, Version 2.1
Last reset from power-on
1 FastEthernet interface
4 Gigabit Ethernet interfaces
1 Serial interface
2045K bytes of NVRAM.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
c7201>

Can you tell me the IPSec throughput on the 7201?

thanks in advance

Hall of Fame Super Gold

IPSec performance between ISR 3845 with AIM and 7201

I'm out of my depth here, David.  Can you post the output to the command "sh inventory"?

Bronze

IPSec performance between ISR 3845 with AIM and 7201

c7201>show inventory
NAME: "Chassis", DESCR: "Cisco 7201, 1-slot chassis"
PID: CISCO7201         , VID:    , SN: 78010180
NAME: "module 1", DESCR: "Serial T3+"
PID: PA-T3+=           , VID:    , SN: 36986175
NAME: "Power Supply 1", DESCR: "Cisco 7201 AC Power Supply"
PID: PWR-7201-AC       , VID:    , SN:
NAME: "Power Supply 2", DESCR: "Cisco 7201 AC Power Supply"
PID: PWR-7201-AC       , VID:    , SN:
NAME: "c7201", DESCR: "Cisco 7201 Network Processing Engine"
PID: CISCO7201           , VID: V02 , SN: JAE1345NGXF
c7201>

Hall of Fame Super Gold

Re: IPSec performance between ISR 3845 with AIM and 7201

Cisco IOS Software images dedicated for the Cisco 7201 will have the file names starting with "c7200p", the same as those for the Cisco 7200 NPE-G2 Network Processing Engine.

The above bit was taken from the 7201 Data Sheet.  So I guess you are looking at an NPE-G2 line card, which is rated at 1,024 Mbps without any form of encryption.  So I would surmise that your 7201 can push around 600 Mbps of encrypted traffic (one-way only).

Bronze

Re: IPSec performance between ISR 3845 with AIM and 7201

The above bit was taken from the 7201 Data Sheet.  So I guess you are looking at an NPE-G2 line card, which is rated at 1,024 Mbps without any form of encryption.  So I would surmise that your 7201 can push around 600 Mbps of encrypted traffic (one-way only).

Hi Leo,

I am not interested in throughput for "unencrypted" traffic.  I am only interested in throughput for "encrypted" traffic.

Are you saying that the 7201 can push 600Mbps of "encrypted" AES-256/SHA/DH-5 with PFS group5, based on what you see on my "show inventory" WITHOUT any encryption acceleration card?

My question is a very simple one.  With the 7201 that I currently have, how much IPSEC throughput can it process for AES-256/SHA/DH-5 with PFS group5?

Hall of Fame Super Gold

IPSec performance between ISR 3845 with AIM and 7201

WITHOUT any encryption acceleration card?

Can you post the output to the command "sh crypto eng brief"?

Bronze

IPSec performance between ISR 3845 with AIM and 7201

c7201>show crypto engine brief
        crypto engine name:  Cisco VPN Software Implementation
        crypto engine type:  software
             serial number:  04A65744
       crypto engine state:  installed
     crypto engine in slot:  N/A
c7201>

so WITHOUT hardware VPN acceleration card, how much IPSec AES-256/SHA/DH group5 with PFS group5 can my 7201 push?

Hall of Fame Super Gold

Re: IPSec performance between ISR 3845 with AIM and 7201

so WITHOUT hardware VPN acceleration card, how much IPSec AES-256/SHA/DH group5 with PFS group5 can my 7201 push?

I'm really out of my depth here, David.  First time I've seen a router this big without an encryption card.

But if you permit me to make a guess, I'd say 600 Mbps, however, with encryption being done on software and how it affects the CPU of your hardware, I'd say 450 Mbps in a single direction.


Best bet is to raise a TAC Case.  Maybe someone like Paolo can chime in. 
