A while back we had a customer colocated VPN router (2911) come in and we put it
on our main VLAN for initial setup and testing. Once that was done, I created a
separate VLAN for them and a dot1q subinterface on an older, somewhat overloaded
2811. I set up the IPSec Tunnel, a /30 for each end to have an IP and all the
static routes needed to make this work and it did.

However, a few days later they were complaining of slow speeds...I don't recall,
but maybe something like 5mbs when they needed 20 or so. We had no policing on
that port. After a lot of testing, we tried putting them back on the main, native
VLAN and it worked fine...they got the throughput they needed.

So my question is: could the dot1q encapsulation be causing throughput issues on a
2811 that's already doing a lot? I regret that I don't recall what "sh proc cpu"
output was, or if I even ran it at all. It was kind of hectic just to get it
fixed at the time.

Well, a few months later (last week), the chicken came home to roost when their
IPSec tunnel started proxy ARP puking stuff to our side that temporarily took out
parts of our internal LAN. I have requested a 2911 replacement for the 2811
because I have seen the 2811 CPU load max out a few times when passing lots of
traffic. I am hoping it will allow us to go back to this VLAN setup again, but
I've never heard whether dot1q adds any overhead.