On Thu, Nov 18, 2010 at 03:18:04PM -0800, Sam Chesluk wrote:
2) While the IPSec portion is hardware accelerated, the GRE encapsulation is not, unless this is a Cat6500/CISCO7600 router, or 7200VXR with C7200-VSA card. Because of this, the GRE process itself will consume a fairly large amount of CPU, as this is also a per-packet process. The impact is similar to a forwarding decision, so that throughput level is halved again.
I think this is where we're having the issue. It is just shocking that this is occurring in a relatively low kpps situation.
3) Other factors like quantity of tunnels, any routing protocols running, NAT, or other such control protocols all have their own CPU demands too, and can, in aggregate, be a small but significant burden when the router also has to handle the demands of IPSec + GRE.
The number we were given for the 3945 for IMIX 1400 raw IPSec performance was 840Mbps. However, all this extra crypto power is completely useless if the GRE processing is hitting the same limits as its predecessor, the 3845. We're going to give straight IPSec a go to see if that solves things.

-cjp