Cisco ISR!!!

imported_Thesis

Hey guys, this is my 1st post and I'm not a "techie". I am, however, somewhat involved in IT and would love to increase my knowledge in the networking arena. I have been hearing a lot about "ISR" and its benefits. In layman's terms, can someone explain to me what it is and why it is so important?

~Thesis
 

spidey07

Basically it's their new line of routers. The 1800, 2800, 3800 series.

They are called "integrated service routers" because they are powerful enough with processor/memory/hardware to run any service you want on them - voice, encryption, firewalling, security, wireless, QoS.

So ISR is really a marketing term for their routers that replace the 1700, 2600, 3600 series.

Welcome to AT networking, lots of helpful folks here.
 

p0lar

The crypto on the 3825s, even with a crypto accelerator is far less than stellar -- this is with an EP-II Plus. I've been doing this for a while and I am thoroughly disappointed. ISR, sure... they're extremely flexible. performance? not from what I've seen thus far.
 

spidey07

Originally posted by: p0lar
The crypto on the 3825s, even with a crypto accelerator is far less than stellar -- this is with an EP-II Plus. I've been doing this for a while and I am thoroughly disappointed. ISR, sure... they're extremely flexible. performance? not from what I've seen thus far.

Really?

What kind of performance are you seeing? Is it not performing as advertised?

If so I'd get on cisco's butt. The whole marketing spiel with the ISRs is you can run all kinds of services without a performance hit. But I don't use them for encryption so I don't have any experience with the crypto cards.
 

p0lar

Originally posted by: spidey07
Really?

What kind of performance are you seeing? Is it not performing as advertised?

If so I'd get on cisco's butt. The whole marketing spiel with the ISRs is you can run all kinds of services without a performance hit. But I don't use them for encryption so I don't have any experience with the crypto cards.

At this very moment:

52% CPU usage
4.2mbit/s, 3700pps ingress on Gi0/0
3.9mbit/s, 3600pps egress on Gi0/0
gi0/1 is shut
5x tunnel{n} interfaces for crypto termination.

About 2/3s of the bandwidth and half of the pps rate is crypto. This is using AES-128 with crypto accelerators on all ends. I will say one thing for it -- there are ZERO errors on those interfaces, which is a good sign it's not overloaded (yet ;)).

Edit: I just looked at the buffers as well -- major misses across the board (Small, Med, Big, Large, Huge) indicating serious performance degradation.
 

spidey07

buffer hits are alright, that's normal - drops are not.

what is full show proc cpu? Is it interrupt or crypto process?

Heck, open a case with TAC - let them fix it.

That box is pretty busy for such a light load.
 

p0lar

Originally posted by: spidey07
buffer hits are alright, that's normal - drops are not.

what is full show proc cpu? Is it interrupt or crypto process?

Heck, open a case with TAC - let them fix it.

That box is pretty busy for such a light load.


Sorry, misses.. not hits -- my error; alas, 3000/hour is still not normal.

The last time I approached TAC with these kinds of problems, they just wanted to turn off crypto or replace hardware.:disgust:

secrtr1#sh proc cpu | inc CPU
CPU utilization for five seconds: 47%/9%; one minute: 51%; five minutes: 53%
secrtr1#sh proc cpu | inc cry
173 88727432 316427790 280 37.09% 39.67% 42.06% 0 encrypt proc
195 16 1219 13 0.00% 0.00% 0.00% 0 crypto engine pr
249 58280 343 169912 0.00% 0.00% 0.00% 0 crypto sw pk pro

To be honest, this is par for the course and only mildly better than their 3725s.
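The question spidey07 raised ("is it interrupt or crypto process?") is answered by splitting the "47%/9%" header of show proc cpu into interrupt time and process time and then seeing which process owns the process share. The parser below is an added example, not code from the thread or from Cisco; the sample input is the output p0lar pasted above, embedded as a constructed string, and the column layout it assumes is the standard IOS one (PID, runtime, invoked, uSecs, 5Sec, 1Min, 5Min, TTY, process name).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the 'show proc cpu' lines quoted in the post above
# (header line plus the three process lines that matched 'cry').
SAMPLE_SHOW_PROC_CPU = """\
CPU utilization for five seconds: 47%/9%; one minute: 51%; five minutes: 53%
 173 88727432 316427790 280 37.09% 39.67% 42.06% 0 encrypt proc
 195 16 1219 13 0.00% 0.00% 0.00% 0 crypto engine pr
 249 58280 343 169912 0.00% 0.00% 0.00% 0 crypto sw pk pro
"""

# "47%/9%" means 47% total CPU over five seconds, of which 9% was spent in
# interrupt context (fast-path forwarding); the remainder is process time.
HEADER_RE = re.compile(
    r"CPU utilization for five seconds:\s*(\d+)%/(\d+)%;"
    r"\s*one minute:\s*(\d+)%;\s*five minutes:\s*(\d+)%"
)
# Assumed column order: PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S+)\s+(.+?)\s*$"
)


@dataclass
class ProcLine:
    pid: int
    name: str
    pct_5s: float
    pct_1m: float
    pct_5m: float


@dataclass
class CpuSummary:
    total_5s: int
    interrupt_5s: int
    one_min: int
    five_min: int
    processes: list = field(default_factory=list)

    @property
    def process_5s(self) -> int:
        # Time spent in scheduled IOS processes rather than interrupt handlers.
        return self.total_5s - self.interrupt_5s


def parse_show_proc_cpu(text: str) -> CpuSummary:
    """Parse the header and any process rows of 'show processes cpu'."""
    summary = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            total, intr, one, five = (int(x) for x in m.groups())
            summary = CpuSummary(total, intr, one, five)
            continue
        m = PROC_RE.match(line)
        if m and summary is not None:
            summary.processes.append(ProcLine(
                pid=int(m.group(1)), name=m.group(9),
                pct_5s=float(m.group(5)), pct_1m=float(m.group(6)),
                pct_5m=float(m.group(7)),
            ))
    if summary is None:
        raise ValueError("no 'CPU utilization' header found")
    return summary


def assess(summary: CpuSummary) -> dict:
    """Say whether load is interrupt- or process-driven and name the top process."""
    top = max(summary.processes, key=lambda p: p.pct_5s, default=None)
    verdict = ("interrupt-driven" if summary.interrupt_5s > summary.process_5s
               else "process-driven")
    return {
        "verdict": verdict,
        "interrupt_pct": summary.interrupt_5s,
        "process_pct": summary.process_5s,
        "top_process": top.name if top else None,
        "top_pct": top.pct_5s if top else 0.0,
        # Share of the process time attributable to the top process.
        "top_share_of_process_time": (
            round(top.pct_5s / summary.process_5s, 2)
            if top and summary.process_5s else 0.0
        ),
    }


if __name__ == "__main__":
    print(assess(parse_show_proc_cpu(SAMPLE_SHOW_PROC_CPU)))
```

On the pasted sample this reports 9% interrupt against 38% process time, with "encrypt proc" accounting for roughly 98% of that process time, i.e. the box is spending its cycles in the software encryption process rather than in interrupt-level forwarding. That is the split worth capturing before opening a case: a high interrupt figure points at forwarding load, a high process figure at one named process.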
 

ScottMac

What flavor of IOS are you running? The 12.3(8) versions had a few issues. Maybe try upping the IOS.

Versions after 12.3(8) added things like parallel engines for the IDS/IPS and some VPN / Crypto enhancements.

Just curious. Everything we've seen here has indicated that they are a killer box (that would be a Good Thing).

Scott
 

spidey07

Well that kinda sucks. A Pix is faster than that.

Maybe try cisco's forums.

Let me know. It boggles the mind that crypto would suck up that much with so little traffic with a card in it.
 

spidey07

Something is seriously not right...

Cisco is touting 180 Mbs.

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/netbr09186a00801f0a72.html

Cisco 2801 with Onboard VPN            150    50 Mbps    50 Mbps
Cisco 2801 with AIM-VPN/EPII-PLUS     1500   100 Mbps   100 Mbps
Cisco 2811 with Onboard VPN            200    55 Mbps    55 Mbps
Cisco 2811 with AIM-VPN/EPII-PLUS     1500   130 Mbps   130 Mbps
Cisco 2821 with Onboard VPN            250    56 Mbps    56 Mbps
Cisco 2821 with AIM-VPN/EPII-PLUS     1500   140 Mbps   140 Mbps
Cisco 2851 with Onboard VPN            300    66 Mbps    66 Mbps
Cisco 2851 with AIM-VPN/EPII-PLUS     1500   145 Mbps   145 Mbps
Cisco 3700 with AIM-VPN/HPII-PLUS     2000   190 Mbps   190 Mbps
Cisco 3825 with Onboard VPN            500   170 Mbps   170 Mbps
Cisco 3800 with Onboard VPN            700   180 Mbps   180 Mbps
Cisco 3800 with AIM-VPN/HPII-PLUS     2500   185 Mbps   185 Mbps
Cisco 3825 with AIM-VPN/EPII-PLUS     2000   175 Mbps   175 Mbps
Cisco 3845 with Onboard VPN            700   180 Mbps   180 Mbps
Cisco 3845 with AIM-VPN/HPII-PLUS     2500   185 Mbps   185 Mbps

 

p0lar

Originally posted by: ScottMac
What flavor of IOS are you running? The 12.3(8) versions had a few issues. Maybe try upping the IOS.

Versions after 12.3(8) added things like parallel engines for the IDS/IPS and some VPN / Crypto enhancements.

Just curious. Everything we've seen here has indicated that they are a killer box (that would be a Good Thing).

Scott


Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9_IVS-M), Version 12.3(14)T3, RELEASE SOFTWARE (fc2)

The real killer is the pps rate -- not the bandwidth. Processing 1500 bytes of crypto is just as expensive as processing 60 bytes in terms of cpu usage.. ;)

If I were running 1500 byte packets, that would be equivalent to ~88mbit/s in one direction, which is a solid performance number for this class of router. (considering I have some overhead left)
 

spidey07

still, even with 1500 byte packets 175 Mbs = 116000 PPS.

I still say something is wrong (could be platform, could be code, could be bug).

Not that I don't believe you and what you've seen. Just that I have a hard time believing that this should be normal behavior for a pretty powerful box.

I've run pixes 506, 515 with 10+ megs of encryption constantly without too much trouble.
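p0lar's point that packet rate, not bandwidth, is what costs CPU, and spidey07's conversion of the 175 Mbps marketing figure into packets per second, are both exercises in the same arithmetic: bits per second, packet size and packets per second determine each other. The calculator below is an added example, not from the thread or from Cisco; its inputs are the interface counters p0lar posted (constructed here as constants), the "2/3 of bandwidth, half of pps" split he gave for the crypto traffic, and a linear CPU-versus-pps model that is an assumption of this example, not a vendor figure.

```python
# Constructed inputs: the interface counters p0lar posted above
# (bits per second and packets per second, Gi0/0, one direction each).
INGRESS_BPS, INGRESS_PPS = 4.2e6, 3700
EGRESS_BPS, EGRESS_PPS = 3.9e6, 3600
CPU_PCT = 52  # overall utilisation reported at the same moment


def avg_packet_bytes(bps: float, pps: float) -> float:
    """Average frame size implied by a bandwidth/packet-rate pair."""
    return bps / 8.0 / pps


def pps_for(bps: float, packet_bytes: int) -> float:
    """Packet rate needed to carry bps at a fixed packet size."""
    return bps / (packet_bytes * 8.0)


def bps_for(pps: float, packet_bytes: int) -> float:
    """Bandwidth carried by pps at a fixed packet size."""
    return pps * packet_bytes * 8.0


def crypto_component(bps: float, pps: float,
                     bw_fraction: float = 2 / 3,
                     pps_fraction: float = 1 / 2) -> dict:
    """Split out the encrypted traffic using the fractions given in the post
    ('about 2/3 of the bandwidth and half of the pps rate is crypto')."""
    crypto_bps = bps * bw_fraction
    crypto_pps = pps * pps_fraction
    return {"bps": crypto_bps, "pps": crypto_pps,
            "avg_bytes": avg_packet_bytes(crypto_bps, crypto_pps)}


def naive_pps_ceiling(observed_pps: float, cpu_pct: float) -> float:
    """Assumption of this example: CPU cost scales linearly with packet count.
    Returns the packet rate at which CPU would reach 100% under that model."""
    return observed_pps * 100.0 / cpu_pct


def report() -> dict:
    """Work the thread's numbers through the three relations above."""
    total_pps = INGRESS_PPS + EGRESS_PPS
    return {
        # Small packets: the observed mix averages well under 200 bytes.
        "avg_bytes_in": round(avg_packet_bytes(INGRESS_BPS, INGRESS_PPS), 1),
        "avg_bytes_out": round(avg_packet_bytes(EGRESS_BPS, EGRESS_PPS), 1),
        "crypto_in": crypto_component(INGRESS_BPS, INGRESS_PPS),
        # The same 7300 pps at full 1500-byte frames would be ~87.6 Mbit/s.
        "bps_at_1500_both_ways": bps_for(total_pps, 1500),
        # The 175 Mbps datasheet figure expressed as 1500-byte packets.
        "pps_at_175mbps_1500": pps_for(175e6, 1500),
        # ... and as 64-byte packets, where the rate balloons.
        "pps_at_175mbps_64": pps_for(175e6, 64),
        "naive_pps_ceiling": naive_pps_ceiling(total_pps, CPU_PCT),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

Two things fall out of running it: the observed traffic averages about 142 bytes per packet inbound, so the router is handling a small-packet load, and the same packet rate at 1500-byte frames would indeed be close to the ~88 Mbit/s p0lar quoted. Conversely, 175 Mbps of 1500-byte packets is on the order of 14.6 kpps, while the same bandwidth in 64-byte packets is over 340 kpps, which is why a throughput figure without a packet size says little about crypto capacity.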
 

p0lar

Yeah, it's just a high pps application. Every cisco I've used under this kind of stress takes a beating. I have learned that Cisco's numbers are more marketing hype than gospel. It's been a while, but about the hardest running router I've spent any real time exploring/abusing was a pair of 6500 MSFC2s in HA. (sans crypto)

I ran a PIX515E (quad FE, crypto accelerator (broadcom, not the safexcel)) and it did not stand up well either under much of the same load. The max I was ever able to really pull through on the PIX (6.3(4) - never tried the 7 series releases) was about 30k pps (15k both ways) before it would start to get wonky (random reboots, probably not more than 3-4kpps of crypto). Of course, it really is only 433MHz i586 running a modified Plan9 Unix, so I wasn't expecting great things. It got replaced by a 3750 catalyst on the edge with OpenBSD firewalls for critical services that did not necessitate high pps rates. The 3750 is running full-tilt, but never sees any real duty. Excepting that it doesn't have any security features other than ACLs (and the usual myriad of tricks ;)), it has serious potential. Perhaps the 3750-metro version would do better, but I suspect there would be performance tradeoffs; besides, I'm 'comfortable' with the setup as it stands (offers redundancy, dynamic routing, PBR, extremely good performance). The 3825 was only brought into the mix for other various services and it is a nice device (these have come a LONG way since the old 3600 builds (RIP)), but I still wouldn't recommend them for hard-core crypto usage (> 100kpps) under any circumstance.

I'm getting ready to do some benchmarking on some old Nokia IP330s, sans crypto accelerator, to see how they stack up with Open/Free/NetBSD (rather than the CPFW1 IPSO that Nokia provides), should be interesting.

I guess the bottom line is that while I can make almost any Cisco dance up and down the street at my whim, I'm not about to succumb to their marketing juggernaut. Does it mean I won't buy their units? Nah.. they serve a specific purpose -- but I won't buy them with impunity. :D
 

spidey07

Oh yeah, marketing is marketing.

I would expect a nokia box to perform better.

Cisco's never been at the top of the performance game (except their leapfrogging with Juniper)
 

p0lar

Originally posted by: spidey07
Oh yeah, marketing is marketing.

I would expect a nokia box to perform better.

Cisco's never been at the top of the performance game (except their leapfrogging with Juniper)

Well, the Nokia is a 400MHz AMD w/256MB of RAM.. but I think the FSB on it is 100MHz instead of 66MHz (PIX). Both used Intel EEPRO chips in the 8255x range. I'll have some interesting benchmarks.. I plan to use one in conjunction with a 2950 at home regardless.

Anyway, Cisco has always been at that point where price/performance/reliability could all be met for business purposes and therein lies much of their strength. I could drone on a while about what they did (are doing) right (and wrong), but .. feh..
 

n0cmonkey

If only you could get some of those VIA C3s in a decent motherboard with real NICs (syskonnect). ;)
 

p0lar

Originally posted by: n0cmonkey
If only you could get some of those VIA C3s in a decent motherboard with real NICs (syskonnect). ;)

VIA: Already have.. I've done more benchmarking on those than I care to disclose. ;)
They are absolutely wicked performers when it comes to AES and RNG. I'm waiting for the duals to arrive on the scene. I spoke to AMD about some on-die crypto and they all but blew me off, excepting the potential of a RNG on the Geode (whoop-de-doo).

I've not messed with the syskonnects, but I've got an AEI that has quad bge chips on it that runs fairly well (on the right bus).
 

n0cmonkey

Originally posted by: p0lar
Originally posted by: n0cmonkey
If only you could get some of those VIA C3s in a decent motherboard with real NICs (syskonnect). ;)

VIA: Already have.. I've done more benchmarking on those than I care to disclose. ;)
They are absolutely wicked performers when it comes to AES and RNG. I'm waiting for the duals to arrive on the scene. I spoke to AMD about some on-die crypto and they all but blew me off, excepting the potential of a RNG on the Geode (whoop-de-doo).

I think their alchemy stuff (mips32 based for embedded platforms) has a bit more encryption stuff built in. Pretty neat, but no matter how much I begged one of their interns he wouldn't steal me one. ;)

The next gen VIA stuff should be great, and I'll be picking up a couple. The duals sound nice, but I don't know if any of the boards will have the other features I'd want. Starting with a couple of decent gigabit NICs. If they happened to use a more current socket, I'd be really happy.

I've not messed with the syskonnects, but I've got an AEI that has quad bge chips on it that runs fairly well (on the right bus).

The OpenBSD guys seem to love their syskonnect cards, but they're kind of hard to find and a bit more expensive.
 

p0lar

Originally posted by: n0cmonkey

I think their alchemy stuff (mips32 based for embedded platforms) has a bit more encryption stuff built in. Pretty neat, but no matter how much I begged one of their interns he wouldn't steal me one. ;)
Did you try $$? ;)

The next gen VIA stuff should be great, and I'll be picking up a couple. The duals sound nice, but I don't know if any of the boards will have the other features I'd want. Starting with a couple of decent gigabit NICs. If they happened to use a more current socket, I'd be really happy.
That's what I'm hoping for.. SMP + 64-bit/66MHz PCI slot + 2x10/100/1000 and bootable CF socket -- would make a crazy crypto router.

The OpenBSD guys seem to love their syskonnect cards, but they're kind of hard to find and a bit more expensive.
I might try to scare one up for more testing.. I've got a small arsenal of stuff here I'm always testing for just the right combination.

Somehow, I think we've hijacked this ISR thread though.. d'oh!!
 

n0cmonkey

Originally posted by: p0lar
Did you try $$? ;)

I didn't have any. :p

Somehow, I think we've hijacked this ISR thread though.. d'oh!!

I definitely didn't mean to do that. It was some interesting stuff.

*back to your regularly scheduled thread*
 

randal

I know that the 3825s move up to ~150mbps without issue and with reasonable cpu usage across the board. Had a customer who does backups from one gige int to a box on the other ... runs about 6 minutes and bounces around 150mbps the entire time. Strongly considering going through and replacing a bunch of aging 7202/4s at select spots with 3800s ... I like 'em, but I don't like how they changed the front-cover look ... doesn't match anything else :/
 

p0lar

Originally posted by: randal
I know that the 3825s move up to ~150mbps without issue and with reasonable cpu usage across the board. Had a customer who does backups from one gige int to a box on the other ... runs about 6 minutes and bounces around 150mbps the entire time. Strongly considering going through and replacing a bunch of aging 7202/4s at select spots with 3800s ... I like 'em, but I don't like how they changed the front-cover look ... doesn't match anything else :/


*shrug*

I never mount anything with the 'front' facing outwards anyway. :D
 

cmetz

Cisco's marketing performance claims have always been pretty bold with respect to actual reality; critical thinking and general cynicism regarding their numbers are a good idea. Their 180Mb/s claim is probably double-counted performance under perfectly ideal conditions.

Try upgrading to the latest IOS (12.4 whatever), that might help and at least will get you lots of bug fixes. Beyond that, you're probably SOL.