
yaplej
Premium Member
join:2001-02-10
White City, OR

[H/W] Router for 100Mbps/1000Mbps Encrypted

So I might be getting a 100Mbps or 1000Mbps backup connection between three of our locations. I need a router that won't choke when encrypting 100% of that traffic via GETVPN.

I was thinking maybe about a 2821 + AIM-VPN/SSL-2 but it looks like it will only reach 125 Mbps max. »www.cisco.com/en/US/prod ··· eet.html That won't leave much room if we went with 100Mbps now and then decided to increase it to 1000Mbps later. A 7206VXR/NPE400 with SA-VAM2+ can get upwards of 250Mbps.
»www.cisco.com/en/US/docs ··· p1045637

Looks like the only router capable of getting even close to a full 1000Mbps is a 7200VXR/NPE-G2 + VSA. »www.cisco.com/en/US/docs ··· _ov.html

If that's the case then the 7206VXR/NPE400 + SA-VAM2+ might be the best starting point because it could be upgraded later to the NPE-G2 + VSA. It's going to cost a shiny new penny though. Anyone recommend something else that might fit the bill at a lower price?

meta
Member
join:2004-12-27
00000

Those numbers (and honestly the devices you mentioned) are very old, and are marketing numbers so obviously unrealistic.

If you need a ROUTER that does high speed crypto you might try one of the new ISRg2 devices like the 3945, or the step up from that being the ASR1000 series.

yaplej
Premium Member
join:2001-02-10
White City, OR

I was looking for documentation on the ISR G2s in regards to encrypted traffic but was unable to find much. The latest product performance sheet does list both ISR and ISR G2, with the G2 having over twice the performance from the first generation, but it does not cover encrypted traffic, and performance for 64k packets is not really that helpful.

»www.cisco.com/web/partne ··· ance.pdf

Still looking though and found a vague reference to the 3945 being able to handle about 850Mbps IPSEC traffic.

meta
Member
join:2004-12-27
00000

I would seriously doubt that number. In fact for just IP routing with services I wouldn't task it with more than a DS3. After a DS3 we immediately jump to the ASR1k's.

HELLFIRE
MVM
join:2009-11-25

to yaplej
1Gbp ENCRYPTED traffic?! Wow, I wonder what you're shoving across the wire to need that.
I'd have to agree that ASR1K+one of the high end ESPs is probably where you'd want to start.

For 1Gbp unencrypted, about the only things I know of with that level of performance from
cisco are the PIX535(E), the ASA5550, and supposedly a 6500 with the higher end SUPs.

Regards

meta
Member
join:2004-12-27
00000

Hi Hell,
After research and testing, we chopped the esp throughput in half for crypto. An ESP 5 can do ~2gbps of crypto (and those ESP numbers are UNIDIRECTIONAL) so if you need 1gbps send + 1gbps recv, you need an ESP5 that can push the total of 2gbps. Same with the non-crypto numbers. An esp20 can push 10gig in, and 10gig out, or 15 gig in and 5 out, etc. The documentation on the platform is inconsistent regarding bottlenecks and throughput calculations for the marketing numbers. After testing I believe that the SIP10 is 10gig from SPA to SIP, but only 10.2gbps from SIP to ESP, meaning if you need 10gig in and 10gig out, you need TWO SIPs with one SPA in each to reduce bottlenecking.

yaplej
Premium Member
join:2001-02-10
White City, OR

For some reason I was thinking that de-encryption was easier on the CPU than encryption, but this isn't compression, so we would really need something capable of 200Mbps or 2000Mbps encrypted traffic.

That rules out the lesser platforms I was originally looking at and leaves pretty much the ASR1002/G5 as the entry point for a fully encrypted 1000Mbps circuit.

So we are just going to go for a router that can do 100Mbps bi-directional encrypted for now. Probably one of these because we are cheap.
ISR3845 + AIM-VPN/SSL-3 = 190-210Mbps
7200VXR/NPE400 + SA-VAM2+ = 251Mbps

HELLFIRE
MVM
join:2009-11-25

to yaplej
@nosx
QFP for the win, huh? Thanks for the numbers and testing. I asked Santa Claus
to bring me one, no questions asked, for Christmas but I console myself with
the thought my wishlist just got lost in the mail...

@yaplej
You can also check out Cisco's portable VPN performance doc, though I wish Cisco'd
updated it recently, especially with the ISR G2's numbers.

Regards