On Mon, 2013-01-28 at 16:31 -0600, David Ciciora wrote: > Does anyone happen to know the possible throughput of the SA-VAM2+ > module on a 7206VXR? We are using this for our DMVPN hub in our > organization and I'm trying to determine some possible bottlenecks.
With an NPE-G1 og NPE-G2 you should be able to push 222 Mbps with a single VAM2+ doing AES. This is according to: http://www.cisco.com/en/US/customer/docs/security/vpn_modules/vam_vsa/vam2plus/installation/guide/vam2p_ov.html#wp1056043 We're not really pushing ours a lot, but we tested 150 Mbps AES 256 through them with no real problems. Keep in mind that the VAM2+ only does the encryption, so the CPU has to forward everything as usual. And make sure you're using the right software versions. It works fine for us with 12.4(25e) GD. You can check if it generally works with "show crypto engine brief" and you can check if a specific IPSec SA uses it by comparing the "conn id:" from the SA with "show crypto engine connections active": Router# show crypto ipsec sa ... inbound esp sas: spi: 0x10061ECD(268836557) transform: esp-aes esp-sha-hmac , in use settings ={Transport, } ---> conn id: 3006, flow_id: VAM2:6, crypto map: Tunnel1-head-0 sa timing: remaining key lifetime (k/sec): (4538148/194) IV size: 16 bytes replay detection support: Y Status: ACTIVE ... Router# show crypto engine connections active ... ID Interface IP-Address State Algorithm Encrypt Decrypt 3006 Tunnel1 192.0.2.156 set AES+SHA 0 4740 ... -- Peter _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
