Support only got 190mbit from router to router (IE: Not forwarding). I, (And others on the forum) don't see near that performance. I can only get about 20-25mbit full duplex between a CCR1036 and RB1100AHx2 using IPERF TCP, single connection with a 1400MTU GRE tunnel, a few mangle rules and a few queues in queue tree. Connnection tracking off. Same setup replacing the CCR with an RB1100AHx2 nets me 200+Mbit full duplex. If I remove the queues and mangle rules, I get up to around 50mbit full duplex.
If I disable the IPSEC policy on both ends, I get about 400mbit full duplex.
If I don't use GRE and use IPSEC in tunnel mode, I get nearly 400mbit full duplex. But, I can't do this as I need to run PIM, OSPF, and MPLS.
If I run the test using bandwidth test from router to router, I get about 230mbit 1 way (With no mangle or queues) using default 20 connections. If I source the bandwidth test from another CCR on the other side of the CCR doing the encryption, it drops to about 150mbit 1 way.
If I run the test using bandwidth test with 1 TCP connection from router to router, I only get about 100mbit. If I source the bandwidth test from another CCR on the other side of the CCR doing the encryption, it drops to about 50mbit.
So.. In summary. The CCR can only forward a single TCP connection over GRE with ipsec encryption at about 50mbit aggregate throughput. The CCR performance seems to suffer GREATLY when forwarding traffic arriving through an IPSEC encrypted GRE tunnel. Performance is reasonable when not FORWARDING across the routers, but that doesn't really do anyone any good.
Performance seems to drop another 30%+ if you use the queue tree and mangle rules, or even simple queues.
****Show me a functional lab of setup of 2 PCs data being routed through a RB1100AHx2 and a CCR 1036 over a GRE/IPSEC tunnel that runs 800mbit on a single TCP stream. Heck, even multiple TCP streams.****
EDIT: I was using AES128-CBC.
How much do tagged vlans impact the performance of the CCR?