Kevin Romberg
We have a Cisco 2921 ISR connected to a 500Mbps ISP line for Internet.  Also, it is running a DMVPN to the main office.  Both Outside and Inside interfaces are connected Full Duplex, 1Gbps.

People are complaining, at times, of slowness.  When I check the router it doesn't appear to be overloaded.  There are, however, a lot of input errors.

A person at that site mentioned that the router we are using only has a 50Mbps throughput.

I am not sure where he got that information, but when I do a speed test I get around 350Mbps download and 100Mbps upload.

Any ideas on troubleshooting?
John

Expert of the Year 2018

Here is one source of the information you want

For a 500 Mbits/sec line, you want higher than that in internal throughput.

Not in the same class as above, but I use a Cisco RV325 VPN router in my home office and it has 900 Mbits/sec internal throughput.

I see Netgear advertising 1 Gigabit routers.  

Look for the newest Cisco models and see if there is one to meet your needs.
Kevin Romberg


Hello John,

If this router only handles 50Mbps throughput, how can I get a speed test at 300Mbps connected through that router?
Also, the link above mentions WAN.  That is a bit confusing because the router has three GigE ports and I could connect the "WAN" through any of them.  What good is having GigE ports?
John

Expert of the Year 2018

Using a speed test, this router will not show you 300 Mbits/sec, just what it can handle.

Faster ports are for faster internal connections passing directly through ports such as using this in a server environment with workstations attached.

You may wish to contact Cisco support for further information.
Kevin Romberg



I just did a speed test and it did show a download speed of 300Mbps.
John

Expert of the Year 2018

The router may have more advanced firmware than the one I searched for. That could be the reason.
Distinguished Expert 2018

The 2921 does not have a 50Mb limitation, but a 50Mb WAN speed recommendation.

For 500Mb and DMVPN you will need a better router.

You can see some Cisco testing results in the document:
Generally, adding IPsec capability reduces bandwidth. You can see that the max bandwidth for the 2921 is 801Mb (for the test method that is given), but adding additional options like IPsec drastically reduces bandwidth (to 72Mb with max recommended 400 tunnels & CPU utilization 75%).

Just to add, I was running Cisco 880 and 890 routers in my home. On the last diagram on the link you can see that WAN speeds are rated as 8Mb and 15Mb.
I don't remember what the download speed was with the 880, but with NAT (PAT) configured the router was able to download at a 60Mb rate without any problem. So the last diagram with 50Mb for the 2921 is a kind of lowest that you may get if the router is performing all functions.

If you are running DMVPN you may consider not terminating tunnels on the 2921, but on some other device, or buying a better router (depending on your design).
List of devices and encryption type support (with DMVPN support):
Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications Data Sheet

Having a Gigabit port does not guarantee Gigabit performance. The router is doing much more than just routing packets (depending on configuration), but having 1Gb ports is, for sure, limiting bandwidth to max 1Gb (so, no minimum set).
It does seem rather obvious that the more internal work you have the router doing, the slower it will be.  What's not so obvious is what's a "lot" for any particular router (although you've received some pretty good information here).  
One of our firewalls is doing email antivirus scanning AND web address filtering AND..
Its predecessor ended up unable to keep up with the load.  It actually deteriorated over time while our traffic levels remained low and constant.  The same firewall works fine today with the same load but without the security loads added in.  I presume this was from "improvements" in the security software it had to run.  Of course, that stuff upgrades all the time - just like on a PC.  So, the slowdown should not have been unexpected.
The bottom line is that edge routers of this type are limited in how fast they can run *everything* they are capable of doing.
Ben Personick (Previously QCubed), Lead SaaS Infrastructure Engineer

The router's internal throughput is going to have a limit based on TCP and UDP connections.

Basically every interface a traffic flow passes through will divide traffic by N of the max internal throughput, meaning you should see a base number of 1/2 (2 interfaces transited) on flows through the router.

But there will always be some caveats to that.

The internal throughput numbers can vary based on VPNs, ACLs, advanced protocol scanning, proxy throughput, and there will be differing values for TCP vs UDP, and other protocols may as well.

Further, if the port is acting as a switchport and a router port, flows can have further constraints placed upon them.

It's also possible that Cisco has purposely dedicated more physical registers to traffic originating from the interfaces designated external than those set to internal.

However, in some cases the limitation is not truly hardware based, as Cisco offered to upsell us to a license for more internal bandwidth on our ASA firewalls.

In my personal opinion this is a scummy and misleading practice to limit hardware by license, but it has been commonplace for network hardware for several vendors for years.

For instance our ASA firewalls have a max internal throughput of 1G TCP and 2G UDP, and 400 Mb for VPN flows, but nearly every flow must cross at least 2 interfaces (even SVIs), so automatically our bandwidth is 1/2.

(The exception is traffic directly to and from the device which only crosses one interface)

When flows also cross an additional internal interface, such as a file copy from network A, through network B to network C, (with a server in network B acting as an intermediary) our bandwidth available is 1/4 the stated internal throughput.

Further, VPN flows limit the device to around 400 mb/s throughput.

It's also possible that interface dropping characteristics are coming into play in dropping packets, such as the receive queue and transmit queue processing, since you say you are seeing an asymmetric performance, or it could be possible for flows to be following different paths when up vs down, such as a proxy with scanning on outbound traffic but which does not process inbound.
I'd tend to suggest using one device for the DMVPN connections, and "something else" for everything else.
Thomas Aamodt, Network Architect

ASR 1001 is your answer to provide 1Gbps VPN throughput.

