On 2008-12-18 17:59, Spencer Barnes wrote:
> It helped reduce utilization on the VPN process by about 20% but I'm still seeing high CPU utilization when uploading from our network and I should have mentioned that the border router with the high CPU utilization is connected to another Cisco 7206 with a lesser NPE-200. All the same traffic flowing through the border router is going through the core so you'd think it would exhibit the high CPU utilization but it never breaks a sweat. This seems important and seems to indicate the border router is having a problem?

For VPNs on 7200 there are SA-VAMs which offload crypto to hardware - it was mentioned already in this and in the past threads. Also, there was a suggestion to do MSS adjust on internal interface accepting the traffic to be encrypted, to minimize chances of hitting fragmentation, which will kill CPU right away. You didn't mention it in this mail - were You capable of making this change?

The high IP Input process means something is processed in software switching, not CEF switching - so either some of the features (You mention other, smaller NPE doing fine with the traffic, which strongly suggests services are the key), or the 12.4(21) isn't the right choice - and you should stick with 12.3(14)T7.

One way or the other - don't do VPNs on border 7200 without VAMs. And even with them - look for ASA, or ISR with VPN hardware to do the offload without threatening the stability of the border platform.

-- 
"Don't expect me to cry for all the     | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net
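
The MSS adjustment suggested in the reply above, worked through as an added example that is not part of the original message: it computes the largest TCP MSS whose segments still fit the path MTU after ESP encapsulation, so the router never has to fragment encrypted packets. The assumptions (IPv4, ESP tunnel mode with a CBC cipher and a 96-bit HMAC, 1500-byte path MTU, no IP or TCP options) and all function names are illustrative and do not come from the thread.

```python
# Added example: size a TCP MSS clamp so ESP tunnel-mode packets fit the path MTU.
# Assumed, not from the thread: IPv4, ESP tunnel mode, CBC cipher, no IP/TCP options.

IPV4_HDR = 20      # outer (and inner) IPv4 header without options
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes, encrypted with the payload
NAT_T_UDP = 8      # extra UDP header when NAT traversal is in use

CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}   # name: (block size, IV size)
AUTHS = {"hmac-sha1-96": 12, "hmac-md5-96": 12}       # name: truncated ICV length


def fixed_overhead(cipher, auth, nat_t=False):
    """Bytes added to every packet regardless of payload length."""
    _, iv = CIPHERS[cipher]
    return IPV4_HDR + ESP_HDR + iv + AUTHS[auth] + (NAT_T_UDP if nat_t else 0)


def esp_packet_size(inner_len, cipher, auth, nat_t=False):
    """On-the-wire size of an inner IP packet after ESP tunnel encapsulation."""
    block, _ = CIPHERS[cipher]
    # Inner packet plus trailer is padded up to a whole number of cipher blocks.
    padded = (inner_len + ESP_TRAILER + block - 1) // block * block
    return fixed_overhead(cipher, auth, nat_t) + padded


def max_inner_packet(path_mtu, cipher, auth, nat_t=False):
    """Largest inner IP packet that encrypts to at most path_mtu bytes."""
    block, _ = CIPHERS[cipher]
    room = (path_mtu - fixed_overhead(cipher, auth, nat_t)) // block * block
    return room - ESP_TRAILER


def mss_clamp(path_mtu, cipher, auth, nat_t=False):
    """MSS to set on the inside interface (the value for 'ip tcp adjust-mss')."""
    return max_inner_packet(path_mtu, cipher, auth, nat_t) - IPV4_HDR - TCP_HDR


def fragments(mss, path_mtu, cipher, auth, nat_t=False):
    """True if a full-sized segment at this MSS exceeds the MTU once encrypted."""
    inner = mss + IPV4_HDR + TCP_HDR
    return esp_packet_size(inner, cipher, auth, nat_t) > path_mtu


if __name__ == "__main__":
    for cipher in CIPHERS:
        clamp = mss_clamp(1500, cipher, "hmac-sha1-96")
        print(f"{cipher}: clamp MSS to {clamp}; "
              f"default 1460 fragments: {fragments(1460, 1500, cipher, 'hmac-sha1-96')}")
```

Any additional encapsulation on the path (GRE, PPPoE) lowers the usable MTU and has to be subtracted from `path_mtu` before computing the clamp.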
