There are a couple of potential issues that, when looked at as a whole, add up to a significant performance impact.

1) IPSec + GRE involves two forwarding operations, one to send the packet to the tunnel interface, and another to send the now-encapsulated packet out the WAN interface. This effectively halves the total forwarding rate before any other considerations.

2) While the IPSec portion is hardware accelerated, the GRE encapsulation is not, unless this is a Cat6500/Cisco 7600 router, or a 7200VXR with a C7200-VSA card. Because of this, the GRE process itself will consume a fairly large amount of CPU, as this is also a per-packet process. The impact is similar to a forwarding decision, so that throughput level is halved again.

3) Other factors like the quantity of tunnels, any routing protocols running, NAT, or other such control protocols all have their own CPU demands too, and can, in aggregate, be a small but significant burden when the router also has to handle the demands of IPSec + GRE.

For reference, here is a guide to VPN performance:
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn_performance_eng.pdf

It's slightly old, as it does not have the 39xx routers, but it is still useful for raw 3DES/AES performance figures for the 1800/2800/3800. See Table 5.

Sam Chesluk | Team Lead - Key Accounts | Network Hardware Resale
T: 805.690.3718 | M: 805.450.7469 | F: 805.690.3713
26 Castilian Dr. Santa Barbara, CA 93117
E: sam@networkhardware.com | www.networkhardware.com
- NHR's top global performer 7 years running
- World's largest provider of pre-owned/fully-tested and new/sealed Cisco hardware

-----Original Message-----
From: Seth Mattinen [mailto:sethm@rollernet.us]
Sent: Thursday, November 18, 2010 2:48 PM
To: nanog@nanog.org
Subject: Re: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2

> On 11/18/2010 14:39, Pete Lumbis wrote:
>> This is probably more appropriate for the cisco-nsp list, but what process is taking up the CPU, or is it due to interrupts? To the best of my knowledge the crypto should be hardware accelerated, while everything else is going to be done in software on the 3800.
>
> The ISR series do have onboard hardware crypto, but I don't know offhand if it can handle a full DS3 worth. My first guess is that fragment reassembly would probably kill it fast.
>
> ~Seth
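The thread raises two separable numbers: the per-packet forwarding budget (the "halved twice" model for GRE in software) and the encapsulation overhead that decides whether a full-size packet gets fragmented before it ever reaches the crypto engine. The calculator below is an added example written for this page; it is not Cisco code and not something any of the posters supplied. It assumes ESP with AES-CBC (16-byte block) or 3DES-CBC (8-byte block) plus a 96-bit HMAC ICV, transport mode by default (the usual pairing with GRE), and a bare 4-byte GRE header with no key, sequence or checksum options. The platform packet rate used at the bottom is a placeholder, not a measured figure for any ISR; substitute the numbers from Table 5 of the Cisco guide. It goes slightly beyond the thread by covering both transport and tunnel mode and both ciphers.

```python
"""GRE-over-IPsec sizing and forwarding-budget calculator (added example).

Assumptions, none of which come from the thread:
  * ESP with AES-CBC (16-byte block/IV) or 3DES-CBC (8-byte block/IV) and a
    96-bit truncated HMAC ICV; transport mode by default, as is typical with GRE.
  * A bare 4-byte GRE header (no key, sequence or checksum fields).
  * Platform packet rates are placeholders to be replaced with real numbers.
"""

IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # truncated HMAC-SHA1-96 / HMAC-MD5-96
AES_BLOCK = 16
DES3_BLOCK = 8
DS3_MBPS = 44.736    # DS3 line rate


def esp_overhead(protected_len, block=AES_BLOCK, transport=True):
    """Bytes ESP adds around protected_len bytes of plaintext: header, IV,
    CBC padding (plaintext + trailer rounded up to the cipher block), the
    trailer and the ICV, plus a fresh outer IPv4 header in tunnel mode."""
    padded = -(-(protected_len + ESP_TRAILER) // block) * block  # ceil to block
    padding = padded - protected_len - ESP_TRAILER
    overhead = ESP_HDR + block + padding + ESP_TRAILER + ESP_ICV
    return overhead + (0 if transport else IPV4_HDR)


def wire_size(inner_len, block=AES_BLOCK, transport=True):
    """Size on the WAN of an inner IP packet of inner_len bytes after GRE
    encapsulation and then ESP. Transport mode keeps the GRE delivery header
    as the outer header and protects GRE + inner packet; tunnel mode wraps the
    whole GRE packet and adds a new outer header."""
    if transport:
        protected = GRE_HDR + inner_len
        return IPV4_HDR + protected + esp_overhead(protected, block, True)
    protected = IPV4_HDR + GRE_HDR + inner_len
    return protected + esp_overhead(protected, block, False)


def tunnel_mtu(wan_mtu=1500, block=AES_BLOCK, transport=True):
    """Largest inner packet that leaves the WAN interface in one piece."""
    inner = wan_mtu
    while inner > 0 and wire_size(inner, block, transport) > wan_mtu:
        inner -= 1
    return inner


def tcp_mss(wan_mtu=1500, block=AES_BLOCK, transport=True):
    """MSS to clamp on the tunnel so TCP segments never need fragmenting."""
    return tunnel_mtu(wan_mtu, block, transport) - IPV4_HDR - TCP_HDR


def will_fragment(inner_len, wan_mtu=1500, block=AES_BLOCK, transport=True):
    """True if the encapsulated packet exceeds the WAN MTU, forcing
    fragmentation here and reassembly before decryption at the far end."""
    return wire_size(inner_len, block, transport) > wan_mtu


def effective_pps(platform_pps, gre_in_software=True):
    """The halving model: two forwarding passes (tunnel, then WAN) halve the
    platform rate; GRE encapsulation done in software halves it again."""
    rate = platform_pps / 2
    return rate / 2 if gre_in_software else rate


def pps_needed(link_mbps, wire_bytes):
    """Packets per second required to fill a link at a given wire size."""
    return link_mbps * 1e6 / (wire_bytes * 8)


def fills_link(platform_pps, inner_len, link_mbps=DS3_MBPS, gre_in_software=True):
    """Can the budgeted rate carry link_mbps worth of inner_len-byte packets?"""
    need = pps_needed(link_mbps, wire_size(inner_len))
    return effective_pps(platform_pps, gre_in_software) >= need


if __name__ == "__main__":
    print("AES transport: 1500-byte inner ->", wire_size(1500), "bytes on the wire")
    print("tunnel MTU", tunnel_mtu(), "/ clamp MSS to", tcp_mss())
    print("3DES tunnel MTU", tunnel_mtu(block=DES3_BLOCK))
    for size in (64, 576, 1434, 1500):
        print(f"{size:5d}-byte inner: fragments={will_fragment(size)}, "
              f"pps to fill a DS3={pps_needed(DS3_MBPS, wire_size(size)):.0f}")
    # placeholder platform rate (constructed), not a measured ISR figure
    print("200k pps platform fills a DS3 with 64-byte packets:",
          fills_link(200_000, 64))
```

The two outputs worth acting on are `tunnel_mtu()` and `tcp_mss()`: setting the tunnel's IP MTU at or below the first and clamping MSS to the second keeps full-size TCP traffic out of the fragment-and-reassemble path that Seth expects to hurt first. The `fills_link` check is only as good as the packet rate you feed it; take that from the vendor table for the platform and cipher in question.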