
Manta
Premium
join:2003-11-04
UK

[H/W] H/W Performance advice please...?

I'm trying to work out what I can put on the end of my line that isn't going to cap my performance. My line (Virgin Media) is presented as an ethernet bearer (VM Superhub in modem mode) and currently runs at 100/5 Mbps but may soon be upgraded to 120/10 Mbps.
I had got a UC540 on the end as both router and PBX dev box but it limited performance to between 20 and 25Mbps where the CPU topped out.
I just tried an 881W and that makes it all the way to 30Mbps. The CPU only hits about 60-70% but throughput doesn't go higher. It's running some GRE tunnels over 3DES VPNs but traffic over those was idle and performance measured through speedtest.net. Other than that, it's doing NAT and CBAC.

I've come across this link that roughly agrees with the 881 performance:
»www.cisco.com/web/partners/downl ··· ance.pdf
According to that, a 1941W (802.11n is preferable) would give me plenty of headroom at 153Mbps but according to Cisco's datasheet it's only good for 25Mbps: »www.cisco.com/en/US/prod/collate ··· 319.html

Can anyone demystify this at all please?

Manta
Premium
join:2003-11-04
UK
Forgot to mention that a laptop plugged directly into the superhub (in modem mode) gives full bandwidth at 103/4.8 Mbps when tested so the line isn't the limiting factor.


Da Geek Kid

join:2003-10-11
::1
kudos:1
reply to Manta
1941 is good for around 30+ nothing more. The performance data is captured based on nothing running on the router other than the testing throughput. NAT/ACL/other features would quickly drop the performance. I am not quite sure what you would need as a feature on your router. UC540 is a Voice system and 1941W has Wireless... Have you thought to split them out? Get a Wireless AP and a SPA122 for example?

nosx

join:2004-12-27
00000
kudos:5
Unrelated thread with router performance information that might be worth reviewing: »Metro Ethernet: 2821 vs. 2921 router

Manta
Premium
join:2003-11-04
UK
reply to Manta
Thanks for that. The ISR to line speed table is helpful... although depressing. It seems craziness to run a 3945 for a home office setup. The SPA isn't attractive as I already have the UC540W running (N wireless would be a nice upgrade is all). It's handling the crypto to acceptable speeds because - being point to point links over asymmetric lines - it's restricted by the upstream bandwidth anyway.
Certainly not against breaking things out and running something like an Aironet 1042N but it's getting less neat as a solution the more boxes come into play. Also with only one public IP, it's easier to have one box do firewalling, crypto and routing. Although possibly/probably a luxury I won't be able to afford!
With presentation over ethernet, am I looking at the wrong type of product for the job here?

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Manta
As Da Geek Kid mentioned, routerperformance.pdf is a guide to equipment performance "bare metal," i.e. no
NAT / ACL / firewall / services. By all means, if you can secure the equipment you want to install for a
short term basis, test it out, but TEST ACCORDING TO YOUR ENVIRONMENT'S NEEDS.

For 100Mbps internet, my personal recommendation has always been an 180x or 181x series device or
an ASA for baseline -- here are some threads showing perf #s of gear forum members have tested out for your
reference.

What kind of setup / config / services would you be looking to run on this, Manta? Sounds like you were looking at NAT, CBAC and GRE / 3DES VPN?

Regards

Manta
Premium
join:2003-11-04
UK
reply to Manta
I can get access to an 1841 but based on the numbers in router performance, I'd disregarded it. Will give it a try though.
Looking to run pretty much as you say: NAT, CBAC, GRE over 3DES (monitoring interface up/down and applying rate limits etc. is easier when presenting as an interface). UC540W is my phone system dev box so I need to have a SIP trunk reach it from the internet with some vain effort at outbound-only QoS. SNMP monitoring. That's about it really. VPNs only really need to handle a max of about 5Mbps as it's the upstream bandwidths that restrict that anyway - they're mainly to tie dispersed sites together so SMB, REP, DNS etc. and a spot of VoIP.

Gareth

Manta
Premium
join:2003-11-04
UK
reply to Manta
OK, I managed to get hold of an 1841 and adapted the config from the 881 (interface names changed etc.) and ran a speed test. Was a bit disappointed to only get 20Mbps this time... although not massively shocked, admittedly.

Have been turning off some features to see if I can coax some more speed from it. A few such as 'ip flow ingress' and turning off an outbound ACL may have improved it a smidge but it could well have been just the error margin of an online speed test. However, turning off 'ip inspect name internet-cbac http alert on' brought it up to 34Mbps and I don't think I'm using any features that would require http inspection anyway.

The UC540 manages 22.5Mbps or 28Mbps with lower CPU after the same mods.

I was looking at the possibility of an ASA5505 as that ought to be able to firewall, NAT, 3DES and QoS. It won't do GRE but I could have the ASA do 3DES and the UC540W do the GRE tunnels. Anyone see any pitfalls or oversights in that?

Many thanks,

Gareth

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Manta
said by Manta:

I can get access to an 1841 but

I was going to say ignore the 1841 completely, and go for an 1801, 1802, 1803, 1805, 1811, or 1812 model.
From various forum members' testing, they'll hit the numbers Cisco publishes and more -- 40Mbps for AES
crypto and ~100Mbps with CBAC / NAT / QOS. The series is by and large EOL'd so you should be able to pull
off eBay for a fairly decent price. The only difference between the 180x models and 181x models is the 181x
has 2 routed FE interfaces, so if you ever wanted to do a dual WAN setup in the future.

The ASA can also handle 100Mbps linerate without breaking a sweat, but as you said they don't do GRE -- downside
for that. Also, keep in mind about the licence / user count limitations.

Regards


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
Lack of gige interfaces on the 18xx series is going to hamper your efforts to get above the 100mbit/sec mark though.

Although it might sound somewhat counter-intuitive, I have a Cisco 2821 (two built in gige interfaces), and although it's quite a big box, it is surprisingly quiet. Much quieter than my 2811 which screams like a banshee. Most likely due to the larger fans. I once left the 2821 turned on for a couple of days before I forgot about it, and it wasn't bothering me (just a low hum.)

Unless you're after something small, a bigger router might be in order to guarantee the performance.

Alternatively, a Juniper SRX210 would probably yawn at those figures (it has 2x gige and 6x 10/100, all of which can be configured as l2 or l3 ports).


Da Geek Kid

join:2003-10-11
::1
kudos:1
lol I would have mentioned the Junos SRX210 as the ultimate but then again, would here believe that I am a Juniper employee trying to infiltrate the great forum or call it a troll.

People cringe when they hear Juniper. Don't know why, even though you can push 65+ Mbps with every feature enabled or push 400+ with just firewall/NAT.


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
I thought that since you hadn't done it already I would.

Still waiting for a Juniper forum to show up on this site ...

tdoran
Premium
join:2003-09-27
Ridge, NY
reply to Manta
We were never able to get the 1841 with FULL SECURITY FUNCTIONALITY (IOS IPS, FW et al.) above 30 Mbps.

Now looking at an ASA5512-IPS-K9, with a CISCO stated “Maximum 3DES/AES VPN Throughput” 200 Mbps, and also CISCO stated “Maximum IPS Throughput; Media-Rich (Mbps)” 250 Mbps.

HOWEVER & BUT, NOTE: CISCO states “Maximum IPS Throughput; Transactional (Mbps)” for the ASA5512-IPS-K9 at only 150 Mbps.

And TRANSACTIONAL is the best guide for performance for small businesses, stand-alone non-client server environments. BUT CISCO DOES NOT PROVIDE THIS FOR EVERY SECURITY DEVICE / APPLIANCE, OFTEN JUST STATING THE MUCH HIGHER MEDIA-RICH. CISCO is still locked in to the “branch office” “enterprise” mentality.

We are going to have a choice of either 75/75, or 150/50 shortly via our MSO CMTS provider.