Titanium_Sniper
asked on
Increase VPN performance
I have a 7200 with an npe-200, how do I increase my remote access vpn performance since it is currently at 6-7 mbit?
Will an npe-225 help much?
Will an NSE-1 help much?
Will an SA-VAM help more?
ASKER
What IOS images support the VAM, or how do I make it work for PPTP VPN? I plugged it in and it didn't do anything besides turn on. Currently I have an NPE-200 (which is not supported) but I will try on an NPE-225 (which is supported) and see if it works.
I was looking for near T3 performance, and I will upgrade to SA-VAM since it looks like it is what I need to get over 90 mbit, assuming it works.
If the NPE-225 is not enough, is there much difference between the NSE-1 and the NPE-300?
VAM support was integrated with the stable IOS at 12.3(1) mainline
There are some images in the experimental/technology series that supported the feature in 12.2 and 12.1.
See the 'feature history' section of this document
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vam_ps6922_TSD_Products_Configuration_Guide_Chapter.html
If the VAM module is operational, there should be a "show pas vam controller" command available.
The NPE-300 / 400 are solid cards.
The NPE-300 is almost the same as the NSE-1, except that the NSE-1 has an additional special processor to support a feature called PXF (Parallel Express Forwarding) that has in the past been unstable, and did not work correctly in most IOS versions...
As far as I know, Cisco abandoned development of the PXF function, issues may remain, and you won't find the feature on newer / higher-end 72xx engines.
In other words, if you use that board, be prepared to try turning off PXF to try and stop your NSE from crashing...
It may not turn out to be an issue at all in your particular situation; I just consider NSE-1 a risky proposition, since I've seen so many problems with them reported.
ASKER
I am using an NPE-225 and SA-VAM, but I did not notice a large increase in performance; it is currently at about 8 meg. Is there a way to see if the SA-VAM is doing anything, or if the packets are being process switched?
At a time of peak usage, run the command
"show process cpu"
and
show process cpu | exclude 0.00% 0.00% 0.00%
a few times
See if CPU usage is close to 100%. And if so, which process is eating it.
If that process happens to be the IP Input process, or similar, then yes, packets might be getting process switched...
If CPU usage is low, then something else is the bottleneck
ASKER
Here's the sh proc c. The CCP manager is hit when I upload, and the IP Input is hit when I am downloading. Is there some guide to reducing the amount of packets that are process switched? I tried putting ip cef in the config but it doesn't help.
Upload:
router#sh proc c | e 0.00% 0.00% 0.00%
CPU utilization for five seconds: 37%/10%; one minute: 21%; five minutes: 5%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
3 15500 51406 301 19.43% 4.93% 1.30% 0 CCP manager
53 40004 37870 1056 6.00% 9.69% 2.49% 0 IP Input
148 9636 32878 293 1.83% 2.50% 0.64% 0 L2X Data Daemon
router#
Download:
router#sh proc c | e 0.00% 0.00% 0.00%
CPU utilization for five seconds: 62%/7%; one minute: 15%; five minutes: 4%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
3 13552 49614 273 3.51% 3.50% 0.92% 0 CCP manager
53 39044 36838 1059 39.11% 6.71% 1.66% 0 IP Input
117 724 391 1851 2.23% 0.69% 0.18% 2 Virtual Exec
148 9216 31503 292 9.27% 1.74% 0.43% 0 L2X Data Daemon
ASKER
Oh, I manually removed everything that was below like a percent to make the post easier to read.
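A small script that applies the check described above (is CPU usage high, and which process is eating it) mechanically, so it can be run over captures taken at peak rather than read by eye. This is an added example, not code from the thread; the two sample captures embedded in it are copied from the asker's upload and download output above. It relies on the IOS convention that a figure like "37%/10%" is total CPU over CPU spent at interrupt level, so the difference is time spent at process level (the slow path); the 5% threshold and the set of process names treated as slow-path indicators are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the asker's two captures above, already filtered with
# "| exclude 0.00% 0.00% 0.00%" (upload first, then download).
UPLOAD = """\
router#sh proc c | e 0.00% 0.00% 0.00%
CPU utilization for five seconds: 37%/10%; one minute: 21%; five minutes: 5%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       15500     51406        301 19.43%  4.93%  1.30%   0 CCP manager
  53       40004     37870       1056  6.00%  9.69%  2.49%   0 IP Input
 148        9636     32878        293  1.83%  2.50%  0.64%   0 L2X Data Daemon
router#
"""

DOWNLOAD = """\
router#sh proc c | e 0.00% 0.00% 0.00%
CPU utilization for five seconds: 62%/7%; one minute: 15%; five minutes: 4%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       13552     49614        273  3.51%  3.50%  0.92%   0 CCP manager
  53       39044     36838       1059 39.11%  6.71%  1.66%   0 IP Input
 117         724       391       1851  2.23%  0.69%  0.18%   2 Virtual Exec
 148        9216     31503        292  9.27%  1.74%  0.43%   0 L2X Data Daemon
router#
"""

# "total%/interrupt%" on the summary line: total CPU, and the share of it spent at
# interrupt level (fast/CEF-switched traffic). The remainder is process-level work.
HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# One row of the per-process table: PID Runtime Invoked uSecs 5Sec 1Min 5Min TTY Process
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+"
    r"(\S+)\s+(.+?)\s*$"
)

# Assumption for this example: processes whose CPU time means packets are taking
# the process-switched path rather than being switched at interrupt level.
SWITCHING_PROCESSES = {"IP Input"}


@dataclass
class CpuSnapshot:
    total_5s: int
    interrupt_5s: int
    one_min: int
    five_min: int
    processes: list = field(default_factory=list)

    @property
    def process_level_5s(self):
        """CPU percentage spent outside interrupt context over the last 5 seconds."""
        return self.total_5s - self.interrupt_5s


def parse_show_process_cpu(text):
    """Parse the text of 'show process cpu' (filtered or not) into a CpuSnapshot."""
    snap = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            snap = CpuSnapshot(*map(int, m.groups()))
            continue
        m = PROC_RE.match(line)
        if m and snap is not None:
            snap.processes.append({
                "pid": int(m.group(1)),
                "five_sec": float(m.group(5)),
                "one_min": float(m.group(6)),
                "five_min": float(m.group(7)),
                "tty": m.group(8),
                "name": m.group(9),
            })
    if snap is None:
        raise ValueError("no 'CPU utilization' header found in input")
    return snap


def assess(text, min_process_share=5.0):
    """Apply the check from the thread: how much CPU is process-level, which process
    is on top, and does that point at process switching?"""
    snap = parse_show_process_cpu(text)
    top = max(snap.processes, key=lambda p: p["five_sec"], default=None)
    likely = (
        top is not None
        and top["name"] in SWITCHING_PROCESSES
        and top["five_sec"] >= min_process_share
    )
    return {
        "total_5s": snap.total_5s,
        "interrupt_5s": snap.interrupt_5s,
        "process_level_5s": snap.process_level_5s,
        "top_process": top["name"] if top else None,
        "top_process_5s": top["five_sec"] if top else 0.0,
        "likely_process_switching": likely,
    }


if __name__ == "__main__":
    for label, capture in (("upload", UPLOAD), ("download", DOWNLOAD)):
        print(label, assess(capture))
```

Run over the two captures, the upload case reports CCP manager (PPP's Compression Control Protocol, which the PPTP session uses) as the top consumer and is not flagged, while the download case reports IP Input at 39.11% of a 62%/7% reading, i.e. 55 points of process-level CPU, and is flagged as likely process switching, which matches the reply that follows.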
At close to 40% CPU, it would appear something is being process switched.
Is this an IPsec VPN?
If your VPN tunnel is something else such as PPTP/L2TP/GRE, config may be forcing process switching.
Check also the use of the various types of ACLs in the config and the use of any special per-packet features like policy routing or debugging options.
show crypto eli
^^^^^^^^^^^ should show if IKE/IPsec is going through the VAM
show pas vam interface
^^^^^^^^^^^^^^^^ to see if the VAM is processing packets
ASKER
I was using PPTP because it was easier, and I do not really care how secure this is.
I can set up L2TP, but I don't think Windows can do L2TP without IPSEC; at least I do not see an option for no IPSEC.
I am working on setting up IPSEC, but it is going slow since I have not found any guides other than ones for point to point connections. I will have to keep trying until it works, or install the CISCO VPN Client, which I expect would work.
ASKER
Can a 6500 do PPTP?
I got one coming in the mail soon, assuming it works.
Software is not a problem, so I will have a K9 image on it.
ASKER CERTIFIED SOLUTION
ASKER
It was only $26 :)
and a sup2 MSFC2 is not terribly expensive, and it seems much more powerful than an NPE-300.
Those SSC-400 w/ SPA-IPSEC-2g are incredibly expensive, as are the fwm.
sup32, sup720, and rsp720 are way too expensive also.
Thanks for the link, c6k222-jk9sv-mz.122-14.SY5 looks good to me.
Cisco 7200? http://www.cisco.com/en/US/products/hw/routers/ps341/ps348/
The npe-225 has about 30% more CPU power than a npe-200.
I'd be concerned that the npe-200 is end of life at this point, and not officially supported; for that reason it may be best to upgrade the NPE first.
The SA-VAM requires a version of IOS software that supports it; if you have a version already working that does, then you may be fortunate.
Getting just the right software upgrade from the manufacturer may be painful if you need one, and if for some reason recent versions have instability or other issues with the old NPE.
A SA-VAM may be best, actually, if you can make one work. If you don't have a VPN accelerator card, then your routing engine has to perform all encryption operations.
These are done in software, and modern encryption algorithms like 3DES are CPU intensive. It is best to offload these to specialized hardware crypto engines that a VPN accelerator card contains, OR to get a NPE with a lot of CPU power.
But the npe-220 doesn't have a whole lot more CPU power than the 200.
It might be good enough, if you only need 10 megabits of VPN encrypted traffic.
I would not recommend NSE-1.
npe 300 or 400 do have much more CPU power, more than twice as much as a npe-225, but unfortunately, those are only usable with a VXR midplane.
And I believe the NSE1 is even the same