According to the datasheets, the 1841 can support up to 800 VPN tunnels with an AIM VPN module, and the 2821 can support up to 1500 tunnels with an AIM VPN module. However, these numbers are maximal numbers and they were determined without having the data actually passing through the VPN, only creating the tunnels so the real number of tunnels with which the router still gives reasonable performance might and will be lower.
The AIM I am talking about is a module that offloads the crypto work from the main processor or the onboard encryption engine. Its datasheet can be found here:
Also consider the encryption throughput of the AIM indicated in the datasheet and take into account that it will be shared among all tunnels. Regarding IOS version, the IPsec VPNs are available in Advanced Security and higher feature sets.
Even without this module, the 1841 and 2821 routers should support a number of tunnels at least in order of tens. However, I do not have any performance data. According to the AIM datasheet, however, the performance of the onboard crypto engine on these platforms can be up to 40% lower than the performance of the AIM.
According to the datasheet, there are slightly different versions of AIM modules for different router series - the AIM-VPN/SSL-1 is intended for 1841 series while the AIM-VPN/SSL-2 is intended for 2800 series including the 2821. The AIM module is plugged in a special socket inside the router (removing of router cover is necessary). It does not go into NM/WIC/HWIC slots.
While I think that the 2821 will support 50 VPN tunnels without AIM module, I cannot say what will be the VPN throughput. My rough estimation is that if the AIM increases the efficiency by 40% and according to the datasheet it is able to provide an encryption speed of 30 Mbps for IPsec IMIX traffic, then the router without AIM should be expected to provide about 21 Mbps of encryption. This will be shared among 50 tunnels so if each tunnel is fully loaded, the throughput for a single tunnel will be about 419 kbps. Somebody correct me here - I do not have first-hand experiences with that. Of course, the real encryption throughput largely depends also on the individual traffic so these are indeed only very rough numbers.
Hi everyone, I would like to thank you in advance for any help you can provide a newcomer like myself!
Im studying the 100-105 book by Odom and am currently on the topic of Port security. I purchased a used 2960 and I'm trying to follow a...
While deploying a number of 18xx/2802/3802 model access points (APs), which run AP-COS as their operating platform. It can be observed on some occasions that while many of their access points were able to join the fabric WLC withou...
I am going to design and build an LAN network under a tunnel underground with long distance between the switches.
I will have 2 Catalyst switches and 8 Industrial IE3000, and they will be connected with fiber.
For now I am planning on use Layer-2 s...