Throughput Limits 1

Status
Not open for further replies.

Bubbalouie

Technical User
Mar 25, 2009
107
US
Hi,

I have a Cisco 1750 with a WIC-1ENET card in it. That card is connected to an ATT Managed router (2801 series) with a bonded 2xT1 setup.

The router is an end point for a site-to-site vpn back to a PIX 506e.

I have a vendor telling my boss that the 3 Mb's of T1 bandwidth is more 'throughput' than the 1750 and WIC-1ENET can handle and that some of our bandwidth is therefore not being used.

The PIX has a similar set up except that the T1's are load balanced. The vendor says we have the same problem there.

I can sit at both sites and do generic speedtests (like on speedtest.net) and get close to 3Mb's on the bonded T1's and 1.5 Mb's on the load-balanced T1's.

I found a Cisco doc that said the throughput on the 506e is 100 Mbps for the firewall and 16Mbps for 3DES traffic.


I can't find a similar document stating a throughput limit on the 1750/WIC-1ENET combo though. I found some post that mentioned 10 Mbps for the WIC-1ENET and another that states the 1750 can do 8500 pps whatever that is.

Almost all of the traffic between the sites is vpn traffic.

If anyone knows what throughput limits there are on that 1750/WIC-1ENET combo or even better a Cisco doc explaining it I'd be most grateful if you would share with me!

Thanks In Advance!
 
Here is the deal: the Enet WIC can really only do 8 Mbits because WIC slots are limited to 8 Mbps on the backplane.

That measurement is also grabbed by using pure packet switching, meaning they are not taking into account the overhead of slapping on an extra 70-150 bytes of IPsec header info, or any access list you have applied. The 1750 is very old. And for clarity, it is not bandwidth that it cannot handle. It is throughput.

So in short, you are probably not getting optimum performance out of what I presume are your expensive bonded T1s. Please don't confuse throughput and performance either. Just because you are seeing close to 3 Mbps when running speed tests, those don't accurately judge latency, and you could be hitting 100+ ms with your router while it is trying to encrypt and decrypt data.

CCNP
 
Hello
Router throughput is a tough science. But in any case the 1750 could be the bottleneck. Actually it should be just about able to handle the 3 Mbps, but the problem could be the encrypted load and the packetization delay. You can buy a VPN accelerator for the 1750 or try to change to a router that has one.
Here's a link with the performance:


Regards
 
OK, I picked up a 1700 series VPN module for $50. It looks like there is no configuration to it though. Do I just install the module and it works with my existing configuration?

I'll be replacing the whole router later in the summer when we put in a VoIP solution, but I'd like to get this site's performance working better in the meantime. I can't bear the idea of listening to the users' incessant whining for another 5 months.
 
So, assuming that this is IPSEC, what sort of encryption transform sets are configured? What type of authentication hash?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Is this the info you are asking me about?
-------------------------------------------------------------
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key fakekey address x.x.x.x no-xauth
!
!
crypto ipsec transform-set faketransset esp-3des esp-md5-hmac
!
crypto map towash 11 ipsec-isakmp
set peer x.x.x.x
set transform-set faketransset
----------------------------------------------------------

Also, this document:


says not to use ip cef. Specifically:

• Do not use Cisco express forwarding (CEF) switching if a VPN module is installed in a Cisco 1700 series router.


Seems pretty explicit, but currently my router (inherited) has the line 'ip cef' in it. My software is a lot newer, though, than that referenced in the document, which is 12.1. Should I still remove the line?

-----------------------sh ver-------------------------------------
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K9O3SY7-M), Version 12.3(16), RELEASE SOFTWARE (fc4)
Technical Support: Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 24-Aug-05 00:28 by ssearch
Image text-base: 0x8000816C, data-base: 0x81094454

ROM: System Bootstrap, Version 12.2(1r)XE1, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1700-K9O3SY7-M), Version 12.3(16), RELEASE SOFTWARE (fc4)

Greenwood_1750 uptime is 16 minutes
System returned to ROM by reload
System image file is "flash:c1700-k9o3sy7-mz.123-16.bin"

cisco 1751 (MPC860P) processor (revision 0x600) with 49152K/16384K bytes of memory.
Processor board ID JAD06440A1Q (1071650592), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
----------------------------------------------------------------------------------

Thanks!
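
Added example, not written by any poster in this thread: a short calculation of what the posted `esp-3des esp-md5-hmac` transform set adds to each packet, and how many packets per second it takes to fill the 3 Mbps link at different packet sizes. It assumes ESP tunnel mode over IPv4 with no NAT-T or GRE, ignores layer-2 framing on the T1s, and takes the 3 Mbps and 8500 pps figures from the thread as given.

```python
# Added example: per-packet cost of the esp-3des / esp-md5-hmac transform set.
# Assumptions: ESP tunnel mode over IPv4, no NAT-T or GRE, layer-2 framing ignored.
import math

OUTER_IP = 20      # new IPv4 header added in tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
IV_3DES = 8        # 3DES-CBC initialisation vector
BLOCK_3DES = 8     # CBC block size; payload is padded to a multiple of this
ESP_TRAILER = 2    # pad-length byte + next-header byte
ICV_MD5_96 = 12    # HMAC-MD5 truncated to 96 bits

LINK_BPS = 3_000_000   # bonded 2xT1 figure quoted in the thread
CLEAR_PPS = 8500       # clear-text forwarding figure quoted in the thread


def esp_tunnel_len(inner_len: int) -> int:
    """Bytes on the wire for one inner IP packet after ESP tunnel encapsulation."""
    padded = math.ceil((inner_len + ESP_TRAILER) / BLOCK_3DES) * BLOCK_3DES
    return OUTER_IP + ESP_HEADER + IV_3DES + padded + ICV_MD5_96


def pps_to_fill(link_bps: int, inner_len: int) -> float:
    """Encrypted packets per second needed to saturate the link."""
    return link_bps / (esp_tunnel_len(inner_len) * 8)


def goodput_bps(link_bps: int, inner_len: int, pps_limit: float) -> float:
    """Inner (user) bits per second, capped by the link and by a pps ceiling."""
    pps = min(pps_limit, pps_to_fill(link_bps, inner_len))
    return pps * inner_len * 8


def report(sizes=(64, 256, 576, 1400)):
    """One row per inner packet size: wire length, overhead, pps, goodput."""
    rows = []
    for size in sizes:
        wire = esp_tunnel_len(size)
        rows.append((size, wire, wire - size,
                     round(pps_to_fill(LINK_BPS, size)),
                     round(goodput_bps(LINK_BPS, size, CLEAR_PPS))))
    return rows


if __name__ == "__main__":
    print("inner  wire  overhead  pps_to_fill  goodput_bps")
    for row in report():
        print("%5d %5d %9d %12d %12d" % row)
```

For every size in the table the packet rate needed to fill 3 Mbps stays below the quoted 8500 pps, so that clear-text figure alone does not settle whether the router keeps up; the CPU cost of doing 3DES and MD5 in software is not modelled here.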
 
MD5 is not very overwhelming, and 3DES is a bit more, but not much. That accelerator will handle that easily.

As far as CEF is concerned, does anything you have read get specific as to why? I don't think it would make a difference myself...
