Do you have the VPN/SSL AIM module? That would offload the crypto work. Supposedly capable of full 100Mbps line rate, I have them in 2811s. Sincerely, Brian A . Rettke RHCT, CCDP, CCNP, CCIP Network Engineer, CableONE Internet Services -----Original Message----- From: Seth Mattinen [mailto:sethm@rollernet.us] Sent: Thursday, November 18, 2010 3:48 PM To: nanog@nanog.org Subject: Re: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2 On 11/18/2010 14:39, Pete Lumbis wrote:
This is probably more appropriate for the cisco-nsp list, but what process is taking up the CPU or is it due to interrupts? To the best of my knowledge the crypto should be hardware accelerated, while everything else is going to be done in software on the 3800.
The ISR series do have onboard hardware crypto, but I don't know offhand if it can handle a full DS3 worth. My first guess is fragment reassembly would probably kill it fast. ~Seth