The ASR 1000 series routers have some fairly stout crypto performance stats, but they can't encrypt traffic at the same rate the ESP can forward it. For example, the ESP-20 can forward 20 Gbps of traffic, but only encrypt up to 8 Gbps. While there are a few good ASR troubleshooting documents on CCO, none of them cover crypto over-subscription. I've put together a couple of pointers to help pinpoint this problem.
The first place to look is the QFP drop statistics:
ESP-20#show platform hardware qfp active statistics drop | exclude _0_
----------------------------------------------------------------
Global Drop Stats Packets Octets
----------------------------------------------------------------
IpsecTailDrop 58215473 47329111776
The second place to look is in the buffer, queuing, and scheduling (bqs) stats:
ESP-20#show platform hardware qfp active infrastructure bqs queue output default all | begin crypto
Interface: internal0/0/crypto:0, QFP if_h: 4, Num Queues/Schedules: 2
Queue specifics:
Index 0 (Queue ID:0x36, Name: i2l_if_4_cpp_0_prio1)
Software Control Info:
(cache) queue id: 0x00000036, wred: 0x88b00342, qlimit (bytes): 73125056
parent_sid: 0x23c, debug_name: i2l_if_4_cpp_0_prio1
sw_flags: 0x00000011, sw_state: 0x00000001, port_uidb: 0
orig_min : 1170000000 , min: 1170000000
min_qos : 0 , min_dflt: 0
orig_max : 0 , max: 0
max_qos : 0 , max_dflt: 0
share : 1
plevel: 0, priority: 65535, ref_count: 0
Statistics:
tail drops (bytes): 175967720 , (packets): 1824004
total enqs (bytes): 349898922 , (packets): 3261519
queue_depth (bytes): 0
Queue specifics:
Index 1 (Queue ID:0x37, Name: i2l_if_4_cpp_0_prio2)
Software Control Info:
(cache) queue id: 0x00000037, wred: 0x88b00352, qlimit (bytes): 73125056
parent_sid: 0x23d, debug_name: i2l_if_4_cpp_0_prio2
sw_flags: 0x00000011, sw_state: 0x00000001, port_uidb: 0
orig_min : 0 , min: 0
min_qos : 0 , min_dflt: 0
orig_max : 0 , max: 0
max_qos : 0 , max_dflt: 0
share : 0
plevel: 1, priority: 0, ref_count: 0
Statistics:
tail drops (bytes): 0 , (packets): 0
total enqs (bytes): 0 , (packets): 0
queue_depth (bytes): 0
As you can see, some of these commands can get fairly long. An easy solution is to use the alias command so you can execute the command more quickly. I'd also add those aliases to your config templates. I set them up as follows:
alias exec showqfpdrop show platform hardware qfp active statistics drop | exclude _0_
alias exec showcryptodrop show platform hardware qfp active infrastructure bqs queue output default all | begin crypto
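To track these counters over time rather than reading them by eye, the bqs output can be parsed off-box. The following is an added example, not part of the original post: the function names are hypothetical, the sample text is copied (trimmed) from the output above, and reporting drops as a ratio to enqueued packets is an assumption about how to read the two counters.

```python
import re

# Sample text copied from the bqs output shown above, trimmed to the fields used.
SAMPLE = """\
Interface: internal0/0/crypto:0, QFP if_h: 4, Num Queues/Schedules: 2
Index 0 (Queue ID:0x36, Name: i2l_if_4_cpp_0_prio1)
tail drops (bytes): 175967720 , (packets): 1824004
total enqs (bytes): 349898922 , (packets): 3261519
Index 1 (Queue ID:0x37, Name: i2l_if_4_cpp_0_prio2)
tail drops (bytes): 0 , (packets): 0
total enqs (bytes): 0 , (packets): 0
"""

QUEUE_RE = re.compile(r"Index\s+(\d+)\s+\(Queue ID:(0x[0-9a-fA-F]+),\s*Name:\s*([^)\s]+)\)")
STAT_RE = re.compile(r"(tail drops|total enqs)\s+\(bytes\):\s*(\d+)\s*,\s*\(packets\):\s*(\d+)")

def parse_crypto_queues(text):
    """Return one dict per queue under a crypto interface, with its counters."""
    queues, on_crypto, cur = [], False, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Interface:"):
            on_crypto = "crypto" in line.split(",")[0]
            cur = None  # stats lines must not attach to a previous interface's queue
        elif on_crypto and (m := QUEUE_RE.search(line)):
            cur = {"index": int(m[1]), "queue_id": m[2], "name": m[3],
                   "drop_pkts": 0, "drop_bytes": 0, "enq_pkts": 0, "enq_bytes": 0}
            queues.append(cur)
        elif cur is not None and (m := STAT_RE.search(line)):
            key = "drop" if m[1] == "tail drops" else "enq"
            cur[key + "_bytes"], cur[key + "_pkts"] = int(m[2]), int(m[3])
    return queues

def dropping_queues(queues):
    """Return (name, dropped packets, drops/enqueues ratio) for queues with tail drops."""
    out = []
    for q in queues:
        if q["drop_pkts"] > 0:
            # Assumption: the ratio is drops to enqueues; None when nothing was enqueued.
            ratio = q["drop_pkts"] / q["enq_pkts"] if q["enq_pkts"] else None
            out.append((q["name"], q["drop_pkts"], ratio))
    return out

if __name__ == "__main__":
    for name, pkts, ratio in dropping_queues(parse_crypto_queues(SAMPLE)):
        shown = f"{ratio:.2f}" if ratio is not None else "n/a"
        print(f"{name}: {pkts} tail-dropped packets, ratio to enqueues {shown}")
```

Feed it the saved output of the showcryptodrop alias from successive polls; the counters are cumulative, so it is the change between two readings that shows whether the crypto queue is dropping right now.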