Cisco VPN :: Max IPSec VPN Throughput On C1812 And C2811?
Apr 19, 2012
recently we had some performance issues with C2811 which caused us to do some lab testing. For testing we used also C1812. The results were quite surprising for us, as the C1812 appeared to be more efficient than C2811. Below you can see the lab scenario and results.
1. Why C2811 is performing worse than C1812?
2. Is there any official Cisco reference stating what are the max VPN throughputs of certain platforms/models? (we consider migration to C2900 platform and would like to choose the right model)
[URL]
as presented on the small diag:
All routers had enabled onboard hw VPN modules and SEC/K9 IOS ver. Configuration was very simple and beside encryption there were also GRE tunnels configured and EIGRP process for routing between "remote LANs". Part of conf responsible for encryption:
crypto isakmp policy 10 encr aes 256 authentication pre-share group 5 lifetime 3600crypto isakmp key ......... address ......... no-xauth!crypto ipsec transform-set SHA-AES256 esp-aes 256 esp-sha-hmac
crypto map VPN 90 ipsec-isakmp set peer ......... set transform-set SHA-AES256 set pfs group5 match address .........
TEST RESULTS
Cisco 1812Cisco 2811iperf generated BW [bps]WAN if BW (max of 30s avgs) [bps]CPU usage (max of 5s avgs)WAN if BW (max of 30s avgs) [bps]CPU usage (max of 5s avgs)500k--540k5%1M1,1M3%1,2M8%2M2,1M4%2,3M14%5M5,4M10%5,7M34%10M10,6M20%11,5M65%15M15,8M28%17M96%16M--17,2M99%25M27M48%--35M38M64%--45M48,2M72%--53M60,8M88%--59M67M94%--61M72M97%--
View 4 Replies
ADVERTISEMENT
Feb 25, 2012
I have setup ipsec VPN in my C2811 router but when "show crypto isakmp/ipsec sa" shows nothing. Remote end point is an "ASA5520". Does it indicates that the remote ASA5520 not yet configured?
Code...
View 9 Replies
View Related
Jan 8, 2013
I am experiencing slow throughput on a L2L IPsec tunnel that we have between one of our offices on the west coast (WC) US and another on the east coast (EC) US. The tunnel endpoint on the WC resides on a 5510 and a 5545x on the EC. The DIA circuit speed on the WC is 45 Mbps and 200 Mbps on the EC. The throughput of this IPsec tunnel is maxing out at approx. 4 – 5 Mbps. The utilization of the DIA circuits at both offices is under 5% when running various FTP test transfers. Both devices have low memory and CPU utilization.
We have a 2nd office on the EC (45 Mbps DIA) which I built a tunnel on a 5510 with the WC office and it is experiencing the same slow throughput. In covering all my bases we have a colocation facility on the WC and in building a tunnel between the 2 WC offices I WAS seeing close to full line rate speeds over the tunnel. Additionally, I built a tunnel between the 2 EC offices and I saw full line rate speeds. With the physical distance between the WC & EC offices I would expect some loss in throughput speeds but I would not expect it to drop as low as 4 – 5 Mbps. In thinking something may be up with the 5510 in our WC office we shipped a 5505 to the WC office and we built the same IPsec tunnels on it and it is experiencing the same.
In working with our support vendor to try and solve the WC <-> EC throughput issue they had me change the MTU, TCP mss, DF-bit, types of encryption/hash on the IPsec tunnel but nothing has resolved it. We are not showing fragmentation or PMTU issues on the tunnel. In contacting the ISP of our WC office they mentioned that they do not have any type or rate limiting in place. Our WC ISP had a CCIE review our configurations but nothing was found.
View 1 Replies
View Related
Dec 12, 2012
What is the c1811 isr max throughput when not running ipsec site vpn.
View 1 Replies
View Related
Jun 19, 2012
I have two Routers (C1812 & C1841) each having different version of IOS images. I was wondering if its possible to copy IOS image from flash of one Router and use it to upgrade another.
View 2 Replies
View Related
May 1, 2012
I am going to get some wyse thin clients up and running on our departments. Each department communicate with the main-office through Cisco C1812 routers.
In order to get functionally DHCP up and running, I need to
A - Configure some Dhcp options on the C1812 routers
B - Perform a DHCP relay from each department to the main-office
Option B will cause some additional issues, so is not preferred.
The question is: Does the Cisco DHCP-client have an option for configuring DHCP options? I need to put in among others, an option 161, a string value pointing to a ftp-server. Can this be done? And if it can, what is the right syntax
I have recently started working here, therefore I am not certain of the IOS-version on the router, as I still not have the logon-information, but I will aqquire this shortly.
View 4 Replies
View Related
Mar 20, 2011
I have an office c2811 and it has three Ethernet interfaces(two onboard and one expansion). Faste0/0 is on one isp and faste0/1 is on another. The third is private. I have multiple site ipsec vpn’s terminating on faste0/0. I had a client ipsec vpn on faste0/1. One of the site vpn’s on faste0/0 terminates at a collocation site. Both the site vpn and client vpn need access to the same collocation. When I connect via client vpn, I cannot ping/access collocation subnet. I suspect this is because I have a site vpn already terminating to the collocation. Can I have a site and client ipsec vpn on the same router terminating to same place and still work?
View 1 Replies
View Related
Apr 9, 2012
Required by regulations to implement CoPP on our routers, I installed the following configuration on a C2811 router pair with integrated DSU/CSU cards connecting a point T1. STAC compression(software) is configured on the serial interfaces and the link is often congested.
[code]...
This configuration severely degraded the IP traffic flow and I had to remove it. Not having any practical experince with CoPP.
View 1 Replies
View Related
Apr 14, 2011
I have a 2811 Router with two fast ethernet wic cards installed. I need traffic to go out one interface, but it's received back through another. Both interfaces have public IP's and the same subnet, and are connected directly to satellite modems. One can receive data / the other only send.
View 3 Replies
View Related
Jan 11, 2012
I not able to access cisco 2811 router (AC operated) through console port when I try to access it by selecting COM Port, but I able to access by selecting the TCP/IP option.
View 5 Replies
View Related
Apr 29, 2013
I tried any type of combination and just couldn't make it works. Only PPTP works well. Whether Apple iOS IPSec VPN is supported or not?
View 11 Replies
View Related
Apr 11, 2013
I was looking for document where the VPN throughput of the Cisco886/887 Router is listet.
View 2 Replies
View Related
Jan 18, 2011
I need to provide a router to connect Internet circuit and run IPsec to MPLS network. Circuit is 10Mbps.
What is the max a Cisco 881 can handle if running IPsec?Also, if you are aware of any branch router (1941) which allows connection to future 4G LTE .
View 3 Replies
View Related
Apr 23, 2013
We have a 1841 setup with WAN and LAN subinterfaced(2 WAN connections, 1 internal VLANs) and I am recieving some pretty horrible throughput when traversing the router to the WAN.
I am receiving about 2 MBPS down but around 5 up.Currently there is a ACL on the WAN interface, and as well we are running NAT NVI. It is possible that this might have something to do with it, but I am not sure.
Most of the CPU is going to IP input however I cannot seem to determine the cause. One thing I am thinking is the overload for NVI is using a route-map. Could that cause it to process switch instead of fast/CEF switch?
View 4 Replies
View Related
Mar 17, 2013
My first wireless router, which I still have and works perfectly, was a DIR-601, A1, fw v1.00na. It has always been reliable and worked great, save for being a little weak on the signal range. Back when I got it I knew little about networking period, let alone wireless routers- so I never tweaked anything on it. Now it's almost 4 years later. Being a little more knowledgable, and my family creating A LOT more traffic on my network, I decided some upgrades were in order. First I called COX to upgrade my speed too, which led me to having to purchase a new Motorolla SB6121 modem- and everything was great. However, aside from the same old dead spots in my house, I was starting to realize the limitations of my 601 with regards to handling the traffic load. Since I never had an issue with my 601, I decided to stay loyal to D-Link. After, albeit, a small amount of research... I decided on the 655. It fit the budget, and I read some decent reviews on it regarding gaming. Plus, from what I've read, I didn't really see any benifit to justify a dual band router for what I do. Anyway, my new 655, B1, fw v2.05NA has solved all of my wireless issues and handles our traffic perfectly, except for one slight problem- my wired PS3. I have Cox ultimate, which here in Nevada is up to 150Mbps, and wired my laptop is getting 107Mbps download- pretty consistently with the 655, and around 100 with the 601. My PS3 on the other hand, went from 27 to 32Mbps wired with my 601, to only getting 8 to 15Mbps wired to the 655- and a lot of lag on certain online games. It seems that out of all of our devices, my PS3 is the only one that doesn't like the 655. I really hesitate to DMZ my PS because of the risks, but at this point I'm almost desperate enough to try anything. I hooked the 601 back up for now for the PS3 performance...but we are REALLY missing the wireless and traffic handling performance of the 655!!
View 2 Replies
View Related
Jan 25, 2013
When a physical switchport/routed port has high usage, you can move the link to a higher capacity port, upgrade the port, bond links, etc. What exactly do you do when an SVI has high usage? I guess you could remove some servers from the VLAN, but that doesn't seem like a reasonable solution. What dictates the capacity of an SVI? The backplane of the switch?
View 14 Replies
View Related
Jun 2, 2011
i have gotten a question from a partner in regards to the throughput on both LAN and WAN on the SRP541W. I can't really find that on the datasheet.
View 4 Replies
View Related
Jun 12, 2012
We are looking at providing an ISR 819 for one of our customers using FTTC & 3G for failover .. However, I cant seem to find any recommended throughput guidence for the device? We could be looking at up to 80Mbps via the ethernet interface and I just dont know if the device will cope?
View 4 Replies
View Related
Mar 31, 2011
I have a Cisco 881 (without wifi model) connected to a 100Mb unmanaged switch and a cable modem with a 120Mb down, 10Mb up connection. When I connect the modem directly to my laptop, I can reach the 120Mb/s down and 10Mb/s upload speed. When I connect the modem to the 881, the max download is about 30Mb/s. Upstream 10Mb is no problem. I've been trying to change the duplex and speed settings on the FastEthernet4 interface, but this has only a worsening effect. I should be able to get about 100Mb/s (since switch is only 100) right?
JAAPROUTER_HQ2#sh ruBuilding configuration...
Current configuration : 3515 bytes!version 12.4no service padservice timestamps debug datetime msecservice timestamps log datetime msecservice password-encryption!hostname JAAPROUTER_HQ2!boot-start-markerboot-
[Code].....
View 1 Replies
View Related
Jun 13, 2012
We have multiple sites that have either fiber 20mb d/u or cable 50/10 d/u. Recently we have upgraded our head end router to a 2921 security based router and noticed that no matter if we are sending or receiving the most we can push is 1.6Mb. I would expect this number to be at least 8Mb for uploading and at least 18mb for downloading from other sites.I have included parts of my config and screen shots of bandwidth usage for troubleshooting. [code]
View 3 Replies
View Related
Jan 12, 2011
We've recently moved from using FiberChannel across an OC-48 between two data centers to GigabitEthernet. Data replication throughput has dropped from 700Mbps down to 45Mbps. The telco provider has demonstrated 1Gb throughput via UDP andTCP using T-Berts. However, when we connect two computers or servers, we do not get near the throughput performance.
View 1 Replies
View Related
Jun 18, 2011
The issue was about Cisco ASA5510 Sec Plus.2 Interfaces, LAN and DMZ.Both 1000 FD, no interface errors like CRC or something similar.If I start a data transfer (like FTP) or a data stream test (like Netperf), from DMZ to INSIDE I get a theoughput.If I start the same from INSIDE to DMZ (same hosts), i get a troughput almost ten times slower.If i do the same using netperf in UDP (not TCP) I get the same in both directions.
View 9 Replies
View Related
Nov 22, 2012
we have one OC-24 private line between our data centers. we are looking to get best throughput but we get max. avg throughput of 300Mbps with peaks of 800Mbps throughput. i.e. we transfered 2TB of data over this link and we got average throughput of 300Mbps with peaks of 800Mbps.
we should at least be getting 800Mbps throughput since we have OC-24 (1244Mbps) private line. we contacted our ISP but they said there isn't any problem in private line from ISP side. what can we do to increase average throughput?
View 10 Replies
View Related
Jan 31, 2012
Do some have some realistic performance numbers for a ASA 5505 on a mixed setup with local internet breakout and site to site vpn ( and don't tell me 150 mbps 3des throughput on a 100 mbps ethernet) - what can be expected in a live environment where we f.ex feed it with a 100 mbps internet connection - with a site to site vpn with f.ex 20 office workers running office on a remote terminalserver and mixed local internet breakout.
View 2 Replies
View Related
Feb 10, 2013
We currently are using 2811 router for internet Via IPSEC tunnel.Download speed is 30 Mbps and Upload speed is 6 Mbps.
But we are getting not more than 4 Mbps download speed. We did open Tac case and as per Tac 2811 router is not for 30 Mbps.Can any suggest proper model. We need 2 FastEthernet/Gig and one serial port.
View 2 Replies
View Related
Jan 17, 2013
We have 15 small branches with Cisco 881w in every office, they use VPN site-to-site to vpn- concentrator on V yatta. I launched cacti monitoring of cisco 881's CPU's Errors, Traffics, Non-uni cast, Uni cast. I see that on 10.00 pm in one brunch when nobody works there, CPU load reaches 50% and traffic rises up to 9mbs.
View 10 Replies
View Related
Apr 20, 2012
what is network utilization and throughput ?
View 1 Replies
View Related
Jan 7, 2011
I have two NAS drives directly connected to my router. I am accessing them through my XP laptop's wireless connection. I am trying to copy a large volume of data from one to the other (28Gb).The problem I have is throughput. I am barely getting 250Kb/s from one drive to the other.Is there a way to speed this up?
View 2 Replies
View Related
Nov 1, 2012
What is a backplane throughput of C3925-SPE100, I tried searching in datasheet but could not find
View 3 Replies
View Related
Sep 25, 2012
Any way to test throughput on a routed SG-300. I tried using iperf with netbook on VLAN1 to netbook on routed interface running @ 100mb. I was getting results as low as 40mb upto 200mb (sometimes even 2gb, I assumed these to be flukes). Since implementing it, the throughtput seems worse, I'm getting between 10 - 40mb of throughput. I have about 30 clients behind it routing across a 100mb leased link. I don't see why the SG300 shouldn't be able to do wire speed routing (upto 100 hosts). How to verify the expected throughput consistently?
View 3 Replies
View Related
Mar 3, 2013
I'm new to the Networking world and am trying to establish a base for my network. I'm running ASA 5510 8.4(4), how can I measrue throughput ? In the ASDM, there is a nice feature for CPU, and the command show CLI also provides good info about CPU, but how can I get the throughput on a port basis ?
View 8 Replies
View Related
Mar 15, 2011
I'm looking at replacing a CSS 11506 in a data centre with two Cisco ACE 4710 appliances. One thing that concerns me is the drop in throughput. The 11560 has a maximum throughput of 40Gbps while the ACE we are looking at is only 1Gbps. It seems that the 11506 is able to scale much better?Also, is it possible to run the two 4710s in an active/standby configuration?
View 2 Replies
View Related
Jan 8, 2011
Am looking at purchasing a router that is capable of serving a WAN bearer at up to 1Gbps. The 3945E has had good reviews as a high throughput router but the datasheets suggests performance of 350Mbps. It also states that additional performance can be ensured by adding SPE modules. Whether the 3945E could achieve up to 1Gbps with SPE modules?
If the 3945E can't achieve such performance, The key features I am after are:
IPV4 and IPV6 support
L2tpV3 support
BGP
IP SLA
1Gb Copper Connections on-board with capability of at least 4 Ports
View 2 Replies
View Related
