Point-to-Point GRE over IPsec Design Guide
Scalability Test Results (Unicast Only)
Downloads: This chapterpdf (PDF - 221.0KB) The complete bookPDF (PDF - 2.25MB) | Feedback

Scalability Test Results (Unicast Only)

Table Of Contents

Scalability Test Results (Unicast Only)

Scalability Test Bed Network Diagram

Scalability Test Methodology

Headend Scalability Test Results—p2p GRE over IPsec

Headend Scalability Test Results—p2p GRE Only

Branch Office Scalability Test Results

AES versus 3DES Scalability Test Results

Failover and Convergence Performance

Software Releases Evaluated


Scalability Test Results (Unicast Only)


This section offers test results from the Cisco test lab, to provide design guidance on the scalability of various platforms in p2p over IPsec VPN designs. IP multicast (IPmc) results are not included.

Scalability Test Bed Network Diagram

Figure 4-1 shows the scalability test bed network diagram.

Figure 4-1 Scalability Test Bed Network

Scalability Test Methodology

The headend scalability test bed consists of a number of Cisco branch routers (various types, including the 1700, 2600, 3600, 3700, 1800, 2800, and 3800 families) homed to various types of headends. For most of the traffic sent through the network, flows are established using the Ixia Chariot testing tool. The bps mix of traffic is approximately 35 percent UDP and 65 percent TCP; application types represented in the mix include the following: VoIP, FTP, DNS, HTTP, POP3, and TN3270. The average packet size is 188 bytes, from headend to branch, and 144 bytes from branch to headend. This relatively small average packet size ensures that the scalability results presented support a converged network design, and tends to be fairly conservative. A network carrying data-only traffic, with a larger average packet size, may achieve better bps performance than that listed here. However, the pps performance given a specific CPU value should be the same.

Some traffic is also generated by the Cisco IP SLA feature in IOS, formerly known as Cisco Service Assurance Agent (SAA), using the HTTP Get script, with the branch routers making an HTTP Get call to an HTTP server in the core. Testing was conducted without fragmentation occurring in the network by setting the MTU to 1300 bytes on the test endpoints.

The following tables show results for testing with a configuration for p2p GRE over IPsec tunnel aggregation. The routing protocol used during testing was EIGRP unless otherwise stated. The traffic mix used, as stated earlier, is converged data and g.729 VoIP.

Headend Scalability Test Results—p2p GRE over IPsec

Table 4-1 shows results for the testing with the configuration for a p2p GRE over IPsec design and no other Cisco IOS features such as IOS Firewall, PAT, ACLs, IPS, or QoS.

Table 4-1 Scalability Test Results—p2p GRE over IPsec Only

Platform
# of Tunnels
# Voice Calls
Throughput (Kpps)
Throughput (Mbps)
CPU %

Cisco 7200VXR with NPE-G1 and dual SA-VAM2

500

240

40.0

82.5

80%

Cisco 7600

Sup720

VPN SPA

1000

(Both p2p GRE tunnels and IPsec tunnels on VPN SPA)

3537

480.0

1050.0

N/A

1000

(p2p GRE tunnels on Sup720 and IPsec tunnels on VPN SPA)

4137

521.0

1110.0

N/A

Cisco 7200VXR and Cisco 7600 Dual Tier Headend Architecture

3000

(1000 p2p GRE tunnels on each of three Cisco 7200VXR with IPsec tunnels on VPN SPA)

est. 4000

601 in total

Up to 203 Kpps on each of three 7200VXR

-

N/A


Note that headend scalability testing did not include an exhaustive evaluation of the maximum number of tunnels that can be terminated to headend devices. In addition, scalability testing of the branch routers was performed with two tunnels per branch. This did not include exhaustive testing of the number of tunnels these various platforms can support.

Headend Scalability Test Results—p2p GRE Only

Table 4-2 shows results for the testing with the configuration for a p2p GRE only design and no other Cisco IOS features such as IOS firewall, PAT, ACLs, IPS, or QoS. The purpose for these results is to provide the reader with the p2p GRE only results for designing a Dual Tier Headend Architecture. The IPsec only results can be found in the IPsec Direct Encapsulation Design Guide at the following URL: http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/Dir_Encap.html.

Table 4-2 Scalability Test Results—p2p GRE Only

Platform
# of Tunnels
# Voice Calls
Throughput (Kpps)
Throughput (Mbps)
CPU %

Cisco 7200VXR with NPE-G1

1000

1377

203.7

414.2

79%

Cisco 7600

Sup7201

1000

4437

665.7

1675.3

N/A

1 These results are limited by the test bed traffic load limitation. This platform is expected to exceed these results.


Branch Office Scalability Test Results

Table 4-3 shows results for testing with a configuration for p2p GRE over IPsec. A single tunnel was configured to the aggregation headend. These results include other integrated Cisco features such as IOS Firewall, PAT, and ACLs, but not QoS or IPS.

Table 4-3 Branch Office Scalability Test Results

Platform
HW Encryption
# Voice Calls
Throughput (Kpps)
Throughput (Mbps)
CPU %

Cisco 3845 ISR

On-board

187

24.0

48.8

81%

AIM-VPN/HPII-Plus

420

27.1

50.1

80%

Cisco 3825 ISR

On-board

143

18.2

36.6

81%

AIM-VPN/EPII-Plus

156

20.1

42.8

79%

Cisco 2851 ISR

On-board

90

11.4

23.8

79%

AIM-VPN/EPII-Plus

120

14.9

30.8

80%

Cisco 2821 ISR

On-board

45

6.0

13.6

53%

AIM-VPN/EPII-Plus

97

12.3

25.9

78%

Cisco 2811 ISR

On-board

19

2.6

5.8

79%

AIM-VPN/EPII-Plus

27

3.6

8.0

80%

Cisco 2801 ISR

On-board

19

2.6

5.8

83%

AIM-VPN/EPII-Plus

30

3.9

8.4

79%

Cisco1841 ISR

On-board

19

2.5

5.7

82%

AIM-VPN/BPII-Plus

30

3.9

8.8

80%

Cisco 1811W with no BVI configured

On-board

33

7.6

16.0

81%

Cisco 1811W with BVI configured

On-board

60

4.3

9.3

82%

Cisco 871W with no BVI configured

On-board

8

2.0

4.4

85%

Cisco 871W with BVI configured

On-board

15

1.1

2.4

84%


AES versus 3DES Scalability Test Results

Both 3DES and AES encryption are available in all products shown here, including hardware-accelerated IPsec. Not every test was executed with both 3DES and AES; however, several snapshot tests were performed to compare performance. As shown in Figure 4-2, results are relatively comparable, with little to no variation in performance, even for AES with wider key lengths.

Figure 4-2 Comparison of 3DES and AES Performance

Failover and Convergence Performance

Customers may have different convergence time requirements. The design principles in this guide were used to perform scalability tests with up to 500 branch offices aggregated to two or three headend routers. See Load Sharing with Failover Headend Resiliency Design, page 2-21 for more details.

The following test was performed by powering off one of the headend devices to simulate a complete headend failure. The network fully converged after a maximum of approximately 32 seconds for all 240 branches. The test scenario is shown in Table 4-4.

Table 4-4 Three Headend Load Sharing with Failover 

 
Headend 1
Headend 2
Headend 3

Cisco 7200VXR NPE-400

Cisco IOS version 12.1(9)E

Cisco IOS version 12.1(9)E

Cisco IOS version 12.1(9)E

Starting condition

27 Mbps

80 branches

32% CPU

28 Mbps

80 branches

32% CPU

44 Mbps

80 branches

37% CPU

During failover

Powered off

41 Mbps

120 branches

46% CPU

56 Mbps

120 branches

50% CPU


The same test was then performed with 500 branch offices aggregated to two headend devices. All 250 branches from the powered-off headend successfully failed over to the single surviving headend. In this test, the network fully converged after approximately 32 seconds.

During the re-convergence, when the powered-off headend was restored, the convergence of each branch took approximately two seconds each, with the total time for re-convergence at about five and one-half minutes. Table 4-5 shows the resulting CPU utilization percentages.

Table 4-5 Two Headend Load Sharing with Failover

 
Headend 1
Headend 2

Cisco 7200VXR NPE-G1

Cisco IOS version 12.2(13)S

Cisco IOS version 12.2(13)S

Starting condition

37.5 Mbps

250 branches

43% CPU

35.6 Mbps

250 branches

43% CPU

During failover

Powered off

45.7 Mbps

500 branches

84% CPU


Because of the normal TCP backoff process, the total traffic levels through the surviving router may be temporarily lower after a failure than the total traffic before failure.

Software Releases Evaluated

Table 4-6 shows the software releases used in the scalability testing.

Table 4-6 Software Releases Evaluated 

Cisco Product Family
SW Release

Cisco 7600 VPN SPA

Cisco IOS 12.2(18)SXE2

Cisco Catalyst 6500 VPNSM

Cisco IOS 12.2(17d)SXB1

Cisco 7200VXR

Cisco IOS 12.2(13)S
Cisco IOS 12.1(9)E
Cisco IOS 12.3(5)

Cisco branch office routers (17xx, 26xx, 36xx, 37xx)

Cisco IOS 12.3(8)T5

Cisco branch office ISRs (1841, 28xx, 38xx)

Cisco IOS 12.3(8)T5
Cisco IOS 12.3(11)T2

Cisco remote office routers (831)

Cisco IOS 12.3(8)T5

Cisco remote office routers (871W and 1811W)

Cisco IOS 12.3(14)YT1


Before selecting Cisco IOS software, perform the appropriate research on cisco.com, and if you have technical questions, consult with Cisco Customer Advocacy (TAC).