Do you have the VPN/SSL AIM module? That would offload the crypto work. Supposedly capable of full 100Mbps line rate, I have them in 2811s.
Sincerely, Brian A . Rettke RHCT, CCDP, CCNP, CCIP Network Engineer, CableONE Internet Services -----Original Message----- From: Seth Mattinen [mailto:se...@rollernet.us] Sent: Thursday, November 18, 2010 3:48 PM To: nanog@nanog.org Subject: Re: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2 On 11/18/2010 14:39, Pete Lumbis wrote: > This is probably more appropriate for the cisco-nsp list, but what > process is taking up the CPU or is it due to interrupts? > To the best of my knowledge the crypto should be hardware accelerated, > while everything else is going to be done in software on the 3800. > The ISR series do have onboard hardware crypto, but I don't know offhand if it can handle a full DS3 worth. My first guess is fragment reassembly would probably kill it fast. ~Seth