[132246] in North American Network Operators' Group
RE: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2
daemon@ATHENA.MIT.EDU (Rettke, Brian)
Thu Nov 18 17:57:50 2010
From: "Rettke, Brian" <Brian.Rettke@cableone.biz>
To: Seth Mattinen <sethm@rollernet.us>, "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 18 Nov 2010 15:55:50 -0700
In-Reply-To: <4CE5AD07.1010303@rollernet.us>
Do you have the VPN/SSL AIM module? That would offload the crypto work.
Supposedly capable of full 100Mbps line rate, I have them in 2811s.
Sincerely,
Brian A. Rettke
RHCT, CCDP, CCNP, CCIP
Network Engineer, CableONE Internet Services
-----Original Message-----
From: Seth Mattinen [mailto:sethm@rollernet.us]
Sent: Thursday, November 18, 2010 3:48 PM
To: nanog@nanog.org
Subject: Re: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2
On 11/18/2010 14:39, Pete Lumbis wrote:
> This is probably more appropriate for the cisco-nsp list, but what
> process is taking up the CPU or is it due to interrupts?
> To the best of my knowledge the crypto should be hardware accelerated,
> while everything else is going to be done in software on the 3800.
>
The ISR series do have onboard hardware crypto, but I don't know offhand
if it can handle a full DS3 worth.
My first guess is fragment reassembly would probably kill it fast.
~Seth