Dynamic Multipoint VPN (DMVPN) Design Guide (Version 1.1)
Scalability Test Results (Unicast Only)

This chapter presents Cisco test results that give design guidance on the scalability of various platforms in DMVPN configurations.


Note: IP multicast (IPmc) results are not included.


Figure 4-1 shows the scalability test bed network diagram.

Figure 4-1 DMVPN Hub-And-Spoke Mode Test Bed

Scalability Test Methodology

The headend scalability test bed consists of a number of Cisco branch routers (various types, including the 1700, 2600, 3600, 3700, 1800, 2800, and 3800 Series) homed to various types of headends. For most of the traffic sent through the network, flows are established using the Ixia Chariot testing tool. Measured in bps, the traffic mix is approximately 35 percent UDP and 65 percent TCP; the application types represented in the mix are VoIP, FTP, DNS, HTTP, POP3, and TN3270. The average packet size is 188 bytes from headend to branch, and 144 bytes from branch to headend. This relatively small average packet size ensures that the scalability results presented support a converged network design, and it makes the results fairly conservative. A network carrying data-only traffic, with a larger average packet size, may achieve better bps performance than that listed here. However, the pps performance at a given CPU value should be the same.

Some traffic is also generated by the Cisco IP SLA feature in Cisco IOS, formerly known as Cisco Service Assurance Agent (SAA), using the HTTP Get script, with the branch routers making an HTTP Get call to an HTTP server in the core. Testing was conducted without fragmentation occurring in the network by setting the MTU to 1300 bytes on the test endpoints.

The following tables show results for testing with a configuration for DMVPN tunnel aggregation. The routing protocol used during testing was EIGRP unless otherwise stated. The traffic mix used, as stated earlier, is converged data and G.729 VoIP.

DMVPN—Hub-and-Spoke Deployment Model

Headend Scalability Test Results

Table 4-1 shows results for scalability testing with a configuration for the DMVPN hub-and-spoke deployment model. QoS is not enabled on the DMVPN headend hub router, but rather on the WAN routers.

Table 4-1 Headend Scalability Results—DMVPN Hub-and-Spoke Model 

| Platform | # of Tunnels | # Voice Calls | Throughput (kpps) | Throughput (Mbps) | CPU% |
|---|---|---|---|---|---|
| Cisco 7200VXR NPE-G1 Dual SA-VAM2 | 400 (1 mGRE) | 285 | 47.5 | 106.3 | 80% |
| | 800 (2 mGRE) | 250 | 45.2 | 104.3 | 82% |
| Cisco 7200VXR NPE-G2 with VPN Services Adapter | 600 (1 mGRE) | 600 | 122 | 416 | 75% |
| Cisco ASR 1004 with RP1 and ESP 10 | 1000 (1 mGRE) | 2570 | 545 | 1.2 Gbps | N/A |
| Cisco 7600 Sup720 VPN SPA | 1000 (2 mGRE) | 4137 | 515.4 | 1.09 Gbps | N/A |
| Cisco 7200VXR/Cisco 7600 Dual Tier architecture | 3000 (1000 p2p GRE tunnels on each of three Cisco 7200VXR with IPsec tunnels on VPN SPA) | est. 4000 | 601 in total; up to 203 Kpps on each of three 7200VXR | - | N/A |



Note: No CPU numbers are reported for the Cisco ASR 1000 and Cisco 7600 because, in these cases, encryption is done in hardware and has no impact on the main processor.


Table 4-2 shows results for scalability testing with a configuration for the DMVPN hub-and-spoke deployment model. QoS is enabled on the DMVPN headend hub router on the outside physical interface, a GigEthernet in this test. A shaper is configured per branch, qos pre-classify is enabled on the tunnel interface, and the service policy on the outside physical interface matches on the destination IP address. Each branch is therefore identified by the network address of its inside LAN. The shaped rate is 85 percent of 1.54 Mbps, or 1,310,000 bps.

Table 4-2 Headend Scalability Results—DMVPN Hub-and-Spoke Model with per Branch QoS Enabled

| Platform 7200VXR NPE G2 | Number of IPsec Tunnels | Tunnels w/ active traffic | Tunnels w/ EMIX traffic | Number of G.729 Calls | Throughput (Kpps) | Throughput (Mbps) | CPU% |
|---|---|---|---|---|---|---|---|
| VAM2+ | 40 | 25 | 25 | 160 | 26.4 | 69 | 74 |
| VSA | 40 | 40 | 40 | 280 | 40 | 104.6 | 75 |
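
The per-branch QoS arrangement described before Table 4-2 can be sketched as the following Cisco IOS configuration. This is an added illustration, not the configuration used in the Cisco tests; the ACL, class, and policy names, the interface numbers, and the 10.1.x.0/24 branch LAN prefixes are assumptions, and only two branches are shown.

```cisco
! Constructed example: names, interfaces and addresses are assumptions.
! One ACL and one class per branch, keyed on the branch's inside LAN prefix.
ip access-list extended BRANCH1-LAN
 permit ip any 10.1.1.0 0.0.0.255
ip access-list extended BRANCH2-LAN
 permit ip any 10.1.2.0 0.0.0.255
!
class-map match-all BRANCH1
 match access-group name BRANCH1-LAN
class-map match-all BRANCH2
 match access-group name BRANCH2-LAN
!
! Shape each branch to 85 percent of 1.54 Mbps (1,310,000 bps).
policy-map PER-BRANCH-SHAPER
 class BRANCH1
  shape average 1310000
 class BRANCH2
  shape average 1310000
!
! qos pre-classify lets the policy on the outside interface classify on the
! original (pre-encryption) header, so the inner destination can be matched.
interface Tunnel0
 qos pre-classify
!
! Outside physical interface facing the WAN.
interface GigabitEthernet0/1
 service-policy output PER-BRANCH-SHAPER
```

Without qos pre-classify on the tunnel interface, the outbound policy would see only the encrypted outer header, whose destination is the spoke's NBMA address rather than its inside LAN.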


Branch Office Scalability Test Results

Table 4-3 shows results for testing with a configuration for the DMVPN hub-and-spoke deployment model. A single tunnel was configured to the aggregation headend. Cisco IOS-FW and NAT services were also engaged during the test.

Table 4-3 Branch Office Scalability Results—DMVPN Hub-and-Spoke Model 

| Platform | HW Encryption | # Voice Calls | Throughput (kpps) | Throughput (Mbps) | CPU% |
|---|---|---|---|---|---|
| Cisco 3845 ISR | On-board | 187 | 24.0 | 48.8 | 81% |
| | AIM-VPN/HPII-Plus | 420 | 27.1 | 50.1 | 80% |
| Cisco 3825 ISR | On-board | 143 | 18.2 | 36.6 | 81% |
| | AIM-VPN/EPII-Plus | 156 | 20.1 | 42.8 | 79% |
| Cisco 2851 ISR | On-board | 90 | 11.4 | 23.8 | 79% |
| | AIM-VPN/EPII-Plus | 120 | 14.9 | 30.8 | 80% |
| Cisco 2821 ISR | On-board | 45 | 6.0 | 13.6 | 53% |
| | AIM-VPN/EPII-Plus | 97 | 12.3 | 25.9 | 78% |
| Cisco 2811 ISR | On-board | 19 | 2.6 | 5.8 | 79% |
| | AIM-VPN/EPII-Plus | 27 | 3.6 | 8.0 | 80% |
| Cisco 2801 ISR | On-board | 19 | 2.6 | 5.8 | 83% |
| | AIM-VPN/EPII-Plus | 30 | 3.9 | 8.4 | 79% |
| Cisco 1841 ISR | On-board | 19 | 2.5 | 5.7 | 82% |
| | AIM-VPN/BPII-Plus | 30 | 3.9 | 8.8 | 80% |
| Cisco 1811W with no BVI configured | On-board | 33 | 7.6 | 16.0 | 81% |
| Cisco 1811W with BVI configured | On-board | 60 | 4.3 | 9.3 | 82% |
| Cisco 871W with no BVI configured | On-board | 8 | 2.0 | 4.4 | 85% |
| Cisco 871W with BVI configured | On-board | 15 | 1.1 | 2.4 | 84% |


DMVPN—Spoke-to-Spoke Deployment Model

The spoke scalability test bed is shown in Figure 4-2.

Figure 4-2 DMVPN Spoke-to-Spoke Test Bed

The routers tested range from Cisco 831s to 3845s, and are inserted in turn into the "Device Under Test" spot. Various numbers of "1 through X" spokes are brought into the test bed. These routers each open one IPsec SA (or tunnel) to the next-hop server, which supplies them the NBMA address of the device under test (DUT). Each spoke opens a spoke-to-spoke tunnel to the DUT. Tunnels are kept alive via Cisco IP SLA and Network Time Protocol (NTP). Traffic is then generated through a certain number of these tunnels to assess the DUT router performance in terms of pps and bps, as it maintains what is considered its "safe maximum" number of tunnels. The outside interface (other than the DUT) of each spoke router is shaped to 192 Kbps; it is then known that the DUT is aggregating (192 Kbps x the number of tunnels shown). The traffic profile includes one voice call (G.729 codec) per tunnel. VoIP quality metrics are tracked during the test. Test results are not valid (or displayed) unless adequate VoIP quality is maintained during the tests.

Because spoke routers are exposed to various security risks (especially if they are connected to the Internet), and spoke sites are rarely large enough to justify the installation of dedicated security appliances, a spoke router normally has to perform some scrutiny of the incoming packets. Therefore, in addition to DMVPN, all testing is performed with the following features enabled:

- Outbound firewall inspection
- Inbound and outbound access control lists
- NAT

The new Cisco ISR platforms (1841, 2801, 2811, 2821, 2851, 3825, and 3845) are delivered with integrated encryption hardware, with an option to purchase an encryption/compression Advanced Integration Module (AIM) card for more encryption power. Results for these platforms are shown both ways: with the onboard encryption card and with the AIMs.

Table 4-4 shows the test results for the DMVPN spoke-to-spoke deployment.

Table 4-4 DMVPN Spoke-to-Spoke Deployment Model—Test Results 

| Platform | # Tunnels | # Voice Calls | Throughput (kpps) | Throughput (Mbps) | CPU% |
|---|---|---|---|---|---|
| Cisco 871W On-Board no BVI configured | 1 | 15 | 2.0 | 4.4 | 85% |
| | 5 | 14 | 1.6 | 3.8 | 82% |
| | 9 | 13 | 1.9 | 3.9 | 85% |
| Cisco 871W On-Board with BVI configured | 1 | 8 | 1.1 | 2.4 | 84% |
| | 5 | 7 | 1.0 | 2.1 | 84% |
| | 9 | 6 | 0.9 | 1.9 | 81% |
| Cisco 1811W On-Board no BVI configured | 1 | 60 | 7.6 | 16.0 | 81% |
| | 25 | 49 | 6.8 | 14.1 | 80% |
| | 50 | 44 | 6.8 | 13.7 | 82% |
| Cisco 1811W On-Board with BVI configured | 1 | 33 | 4.3 | 9.3 | 82% |
| | 25 | 23 | 3.2 | 6.9 | 81% |
| | 50 | 22 | 3.4 | 6.9 | 81% |
| Cisco 1841 On-Board | 1 | 19 | 2.5 | 5.7 | 82% |
| | 25 | 14 | 2.2 | 4.7 | 81% |
| | 50 | 13 | 2.1 | 4.1 | 79% |
| Cisco 1841 AIM-VPN/BPII-Plus | 1 | 30 | 4.0 | 8.8 | 80% |
| | 25 | 20 | 3.1 | 6.8 | 79% |
| | 50 | 20 | 3.1 | 6.8 | 79% |
| Cisco 2801 ISR On-Board | 1 | 19 | 2.6 | 5.8 | 83% |
| | 25 | 14 | 2.2 | 4.7 | 83% |
| | 50 | 13 | 2.1 | 4.5 | 81% |
| Cisco 2801 ISR AIM-VPN/EPII-Plus | 1 | 30 | 3.9 | 8.4 | 79% |
| | 25 | 20 | 3.1 | 6.8 | 79% |
| | 50 | 20 | 3.1 | 6.8 | 81% |
| Cisco 2811 ISR On-Board | 1 | 19 | 2.6 | 5.8 | 79% |
| | 25 | 14 | 2.2 | 4.8 | 80% |
| | 50 | 14 | 2.2 | 4.8 | 83% |
| Cisco 2811 ISR AIM-VPN/EPII-Plus | 1 | 27 | 3.6 | 8.0 | 80% |
| | 25 | 18 | 2.8 | 6.1 | 79% |
| | 50 | 18 | 2.8 | 6.1 | 82% |
| Cisco 2821 ISR On-Board | 1 | 45 | 6.0 | 13.6 | 53% |
| | 50 | 50 | 7.8 | 17.0 | 79% |
| | 100 | 50 | 7.8 | 17.0 | 80% |
| Cisco 2821 ISR AIM-VPN/EPII-Plus | 1 | 97 | 12.3 | 25.9 | 78% |
| | 100 | 59 | 9.2 | 20.1 | 80% |
| | 200 | 55 | 8.8 | 18.9 | 80% |
| Cisco 2851 ISR On-Board | 1 | 90 | 11.4 | 23.8 | 79% |
| | 55 | 55 | 8.5 | 18.6 | 81% |
| | 100 | 54 | 8.5 | 18.5 | 80% |
| Cisco 2851 ISR AIM-VPN/EPII-Plus | 1 | 120 | 14.9 | 30.8 | 80% |
| | 100 | 72 | 11.2 | 24.5 | 80% |
| | 200 | 71 | 11.2 | 24.3 | 87% |
| Cisco 3825 ISR On-Board | 1 | 143 | 18.2 | 36.6 | 81% |
| | 150 | 91 | 14.2 | 29.0 | 80% |
| | 300 | 89 | 14.2 | 28.8 | 80% |
| Cisco 3825 ISR AIM-VPN/EPII-Plus | 1 | 156 | 20.1 | 42.8 | 79% |
| | 150 | 108 | 16.8 | 35.7 | 80% |
| | 300 | 104 | 16.5 | 34.8 | 80% |
| Cisco 3845 ISR On-Board | 1 | 187 | 24.0 | 48.8 | 81% |
| | 200 | 118 | 18.4 | 37.7 | 80% |
| | 400 | 114 | 18.1 | 36.7 | 80% |
| Cisco 3845 ISR AIM-VPN/HPII-Plus | 1 | 420 | 27.1 | 58.1 | 80% |
| | 200 | 280 | 21.7 | 46.3 | 80% |
| | 400 | 270 | 21.4 | 45.2 | 80% |
| Cisco 7200VXR NPE-G1 Dual SA-VAM2 | 1 | 480 | 30.4 | 63.1 | 79% |
| | 200 | 340 | 26.4 | 56.2 | 79% |
| | 400 | 320 | 25.2 | 53.3 | 80% |
| Cisco 7301 SA-VAM2 | 1 | 240 | 31.0 | 66.1 | 80% |
| | 200 | 160 | 24.7 | 50.1 | 79% |
| | 400 | 150 | 23.6 | 47.6 | 79% |


AES versus 3DES Scalability Test Results

Both 3DES and AES encryption are available in all products shown here, including hardware-accelerated IPsec. Not every test was executed with both 3DES and AES; however, several snapshot tests were performed to compare performance. As can be seen in the chart in Figure 4-3, results are fairly comparable, with little to no variation in performance, even for AES with wider key lengths.

Figure 4-3 Comparison of 3DES and AES Performance

Software Releases Evaluated

The software releases shown in Table 4-5 were used in the scalability testing:

Table 4-5 Software Releases Evaluated

| Cisco Product Family | SW Release |
|---|---|
| Cisco ASR 1000 | 12.2(33)XNA |
| Cisco 7600 | IOS 12.2(18)SXE2 |
| Cisco 6500 VPNSM | IOS 12.2(18)SXE2 |
| Cisco 7200VXR | IOS 12.2(11)T2; IOS 12.3(5) |
| Cisco 7200VXR NPE-G2 with VPN Services Adapter | IOS 124-4.XD-0629 |
| Cisco branch office routers (17xx, 26xx, 36xx, 37xx) | IOS 12.3(8)T5 |
| Cisco branch office ISRs (1841, 28xx, 38xx) | IOS 12.3(8)T5; IOS 12.3(11)T2 |
| Cisco remote office routers (831, 871W, and 1811W) | 831—IOS 12.3(8)T5; 871W—IOS 12.3(8)Y1; 1811W—IOS 12.3(14)YT1 |


As always, before selecting Cisco IOS software, perform the appropriate research. It is also important to have an understanding of issues in those levels of code that may affect other features configured on routers.