Afternoon all.
As the subject of router performance comes up a lot, I thought I'd add this in, mostly 'cos I was sat at home with a couple of decent laptops hooked up to my lab and an 887 running a bunch of services.
The topology is as follows:
Win7Pro Laptop >>> 2960S Gigabit Switch >>> Cisco 887 >>> Unmanaged SG100 Switch >>> Win7HomePremium Laptop.
Using a bog standard iPerf test with a 64-byte packet I was getting 24 - 25Mb/s between the laptops. The 887 was NOT acting as the gateway for either laptop, or any other machine on my network (I change the D/G for my machines in CMD if I need to access resources hanging off the 887).
Same test just via the unmanaged SG100 got me 570ish Mb/s.
This was a "LAN to LAN" test so I don't think any of the iPerf traffic hit the ACLs or anything else, but just having them "on" seemed to soak up resources. My WAN was quiet with no updates or other downloads or uploads going on. The only "regular" traffic on the 887 would have been EIGRP Hello messages going down the VPN interfaces. EIGRP had a neighbour but the link was quiet apart from the aforementioned hellos.
Looking forward to whatever discussion occurs:
887_Router#sho run
Building configuration...
Current configuration : 4118 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 887_Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
!
memory-size iomem 10
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
ip cef
no ip bootp server
ip domain name mark.home.com
ip name-server 8.8.8.8
ip inspect name FIREWALL tcp router-traffic
ip inspect name FIREWALL udp router-traffic
ip inspect name FIREWALL icmp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL tftp
ip inspect name FIREWALL ntp
ip inspect name FIREWALL https
ip inspect name FIREWALL isakmp
ip inspect name FIREWALL http
ip inspect name FIREWALL router
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ1620C1A4
!
!
username user privilege 15 password 0 password
!
!
controller VDSL 0
!
!
class-map match-all SCCP
 match access-group name SCCP
class-map match-all RTP
 match access-group name RTP
!
!
policy-map Voice
 class RTP
  set dscp ef
 class SCCP
  set dscp cs3
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key password address x.x.x.x no-xauth
!
!
crypto ipsec transform-set VTI esp-aes esp-md5-hmac
 mode transport
!
crypto ipsec profile VTI_Profile
 set transform-set VTI
!
!
interface Tunnel1
 description VPN Tunnel
 ip address x.x.x.x 255.255.255.248
 tunnel source Vlan1
 tunnel mode ipsec ipv4
 tunnel destination x.x.x.x
 tunnel checksum
 tunnel protection ipsec profile VTI_Profile
 service-policy input Voice
 service-policy output Voice
!
interface Ethernet0
 no ip address
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.0.250 255.255.255.0
 ip access-group CBAC in
 ip nat outside
 ip inspect FIREWALL out
 ip virtual-reassembly in
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan99
 ip address 192.168.99.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
!
router eigrp 1
 network 172.16.2.0 0.0.0.3
 network 192.168.0.0
 network 192.168.99.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface Vlan1 overload
ip nat inside source static udp 192.168.0.250 500 interface Vlan1 500
ip nat inside source static udp 192.168.0.250 4500 interface Vlan1 4500
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
ip access-list extended CBAC
 permit tcp any any eq 22
 permit tcp any any eq telnet
 permit icmp any any
 permit tcp any any eq 2000
 permit tcp any any range 16384 32767
 permit udp any any range 16384 32767
 deny ip any any
ip access-list extended NAT
 deny ip 192.168.0.0 0.0.0.255 192.168.150.0 0.0.0.255
 deny ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended RTP
 permit udp any range 16384 32767 any
 permit udp any any range 16384 32767
ip access-list extended SCCP
 permit tcp any eq 2000 any
 permit tcp any any eq 2000
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input all
!
ntp master
ntp server 141.40.103.101
end
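
An added example, not part of the original post: a small Python parser that reads interface stanzas like the ones in the config above and reports which per-packet features (ACL, CBAC inspection, NAT, virtual reassembly) lie in the direction of travel for a flow routed between two interfaces. The function names are made up for this illustration, and return-traffic handling by CBAC and NAT state is not modelled.

```python
import re

# Interface stanzas excerpted from the running-config posted above.
CONFIG = """\
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface Vlan1
 ip access-group CBAC in
 ip nat outside
 ip inspect FIREWALL out
 ip virtual-reassembly in
!
interface Vlan10
 ip nat inside
 ip virtual-reassembly in
!
"""

# Feature name -> pattern; named group "d" (when present) is the direction.
# Illustrative names only; stateful return-traffic handling is not modelled.
PATTERNS = {
    "acl": r"ip access-group \S+ (?P<d>in|out)$",
    "cbac": r"ip inspect \S+ (?P<d>in|out)$",
    "nat": r"ip nat (inside|outside)$",
    "reassembly": r"ip virtual-reassembly(?: (?P<d>in|out))?$",
}

def interface_features(config):
    """Return {interface: [(feature, 'in' | 'out' | None), ...]} per stanza."""
    found, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            found[current] = []
        elif line == "!":
            current = None  # '!' closes a stanza in 'show run' output
        elif current:
            for name, pattern in PATTERNS.items():
                if m := re.match(pattern, line):
                    found[current].append((name, m.groupdict().get("d")))
    return found

def path_features(config, ingress, egress):
    """Features a packet routed from ingress to egress meets, by direction."""
    feats = interface_features(config)
    hit = {n for n, d in feats[ingress] if d in ("in", None)}
    hit |= {n for n, d in feats[egress] if d in ("out", None)}
    return sorted(hit)
```

Frames bridged between switch ports in the same VLAN never enter an SVI, so none of the features listed for that SVI are applied to them.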