Re: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2

2010-11-19 Thread Christopher J. Pilkington
On Thu, Nov 18, 2010 at 03:18:04PM -0800, Sam Chesluk wrote: 2) While the IPSec portion is hardware accelerated, the GRE encapsulation is not, unless this is a Cat6500/CISCO7600 router, or 7200VXR with C7200-VSA card. Because of this, the GRE process itself will consume a fairly large amount

Re: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2

2010-11-19 Thread Christopher J. Pilkington
On Thu, Nov 18, 2010 at 02:47:35PM -0800, Seth Mattinen wrote: The ISR series do have onboard hardware crypto, but I don't know offhand if it can handle a full DS3 worth. My first guess is fragment reassembly would probably kill it fast. We're not seeing fragmentation. The MTU of the

Re: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2

2010-11-19 Thread Michael Ulitskiy
On Thursday 18 November 2010 18:18:04 Sam Chesluk wrote: There are a couple potential issues, that when looked at in whole, add up to a significant performance impact. 1) IPSec + GRE involves two forwarding operations, one to send it to the tunnel interface, and another to send the

Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2

2010-11-18 Thread Christopher J. Pilkington
We're running GRE/IPSec transport over a point-to-point DS3. We're also doing some QoS. The traffic mix is voice; our average packet size can be as low as 250 bytes at times. We are seeing incredibly high CPU when the traffic levels approach 30Mb/s and around 11kpps in each direction, at times

Re: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2

2010-11-18 Thread Pete Lumbis
This is probably more appropriate for the cisco-nsp list, but what process is taking up the CPU or is it due to interrupts? To the best of my knowledge the crypto should be hardware accelerated, while everything else is going to be done in software on the 3800. -Pete On Thu, Nov 18, 2010 at

Re: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2

2010-11-18 Thread Seth Mattinen
On 11/18/2010 14:39, Pete Lumbis wrote: This is probably more appropriate for the cisco-nsp list, but what process is taking up the CPU or is it due to interrupts? To the best of my knowledge the crypto should be hardware accelerated, while everything else is going to be done in software on

RE: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2

2010-11-18 Thread Rettke, Brian
...@rollernet.us] Sent: Thursday, November 18, 2010 3:48 PM To: nanog@nanog.org Subject: Re: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2 On 11/18/2010 14:39, Pete Lumbis wrote: This is probably more appropriate for the cisco-nsp list, but what process is taking up the CPU or is it due