Key findings and conclusions:

Cisco ISR G2 platforms delivered 8 times improved

performance compared to previous generation ISRs
Cisco ISR 3945E delivered throughput of up to
398 Mbps with integrated services enabled
Lab Testing ISR G2 platforms support bandwidthoptimized and
scalable video including TelePresence and streaming
Summary Cisco ISR G2 platforms offer Service Ready Engine
Report providing the flexibility to turn on services on demand
EnergyWise allows automatic port shutdown during off
hours (7PM to 7AM) enabling a 50% energy savings
MAY 2010 WAN bandwidth usage decreased 100 times with
Report 091028G integrated Cisco WAAS WAN acceleration module

C
iscos Integrated Services Router Generation 2 platform models
Product Category: 1941W, 2911, 2951 3925E, 3945 and 3945E were evaluated by
Miercom for performance feature validation while being used in
Integrated branch office scenarios. We also evaluated the ASR 1002 Fixed
Router on some of these tests to show upward scalability of the next
Services Router family of routers. The objective was to validate increased levels of
Generation 2 voice, video, security, wireless, mobility and data service integration.
While testing the features and services offered by the ISR G2 branch
routers, performance and throughput was observed, to ascertain if the
Vendor Tested: activated services affected the throughput.
Todays branch routers must have the ability to serve the requirements
of the current branch, and scale to the evolving needs of integrated
services. This includes increased bandwidth requirements, supporting
advanced security features and WAN and VPN technologies, with
multi-media collaboration. (continued next page)
Products Tested:
Cisco 1941W ISR Figure 1: Throughput Compared to Target Branch Bandwidth
Cisco 2911 ISR
Cisco 2951 ISR
Cisco 3925E ISR
Cisco 3945E ISR
Cisco ASR 1002

Source: Miercom, May 2010

Higher throughput was delivered than was needed to meet the bandwidth
requirements for the branches, while integrated services and features including
IPsec and NAT were activated. While maintaining 75% CPU utilization, no frame
loss was observed. Routers are listed in order of progressively increasing
performance and capabilities.
 Figure 2: Throughput Compared to Target Branch Bandwidth
Router models 3925E and
3945E have an enhanced
SPE. The Cisco ASR 1002
Fixed Router is included in
the mix to show upward
migration to the next family
of routers. Higher throughput
was delivered than was
needed to meet the
bandwidth requirements
while integrated services and
features including IPsec and
NAT were activated. While
maintaining 75% CPU
utilization, no frame loss was
observed. Routers are listed
in order of progressive
Source: Miercom, May 2010 performance and capabilities.

The Cisco ISR G2 branch routers - 3925E, 3945E and the Cisco ASR 1002 Fixed Router - delivered
performance throughput values greater than the target positioning bandwidth requirements while
integrated services features were activated. By adding the new Service Performance Engines (SPE-
200 and SPE-250) to the 3925E, we observed 5.5 times increased throughput. When the SPE was
added to the 3945E, we observed 3.5 times increased throughput. All test results observed were
recorded at zero frame loss while maintaining the CPU utilization at 75%.

A solution that provides security, wireless Branch offices are classified as small, medium,
capabilities, UC, and WAN optimization in a large and regional, with unique requirements for
single box, while maintaining existing each category. All test cases described were
performance and throughput is a true integrated based on specific branch requirements. A typical
solution. Integrated network based services are small branch, such as a retail store with 10-25
an effective way to reduce costs, while users, would use the ISR 1941W. A bank with 25-
delivering new services to the end user. The 40 users would use the ISR 2911. A corporate
ISR G2 platforms deliver these services and branch or large branch accommodating 40-75
performance, while deployed in small to large users would use the ISR 2951. While a regional
remote branch office topologies. office with 75-150 users would use the ISR 3945.
Branches with greater bandwidth requirements
Miercom tests the performance and validated
would use 3925E, 3945E or an ASR 1002.
the integrated features of the Cisco ISR G2
platforms. Tests were conducted with feature Performance Tests
intensive branch office deployments, and
Each class of branch routers was tested based on
considered actual branch settings currently
the typical branch configuration of the model with
used by ISR customers.
Dynamic Multipoint Virtual Private Network
Branch Architecture (DMVPN), Zone Based Policy Firewall (ZBF) and
Intrusion Prevention System (IPS), and
The architecture of the ISR G2 platforms
Hierarchical Quality of Service (HQOS) features
enables richer media experience with video,
enabled. We subjected the Cisco ISR G2 router
voice and WAN evolution. Additions to the
platforms, with integrated services and features
services available on the ISR G2 platforms
enabled, to a traffic mix consisting of the data,
include integrated security, unified
voice and/or Telepresence traffic recommended
communications, wireless, and application
for each deployment scenario.
optimization services. Pay-As-You-Grow software
licensing and Cisco IOS software packaging also All of the Cisco ISR G2 branch routers delivered
reduces branch office expenses. throughput which exceeded by 102% to 214% the

Copyright 2010 Miercom ISR G2 Branch Routers Page 2

 Figure 3: Throughput Performance Tests RFC 2544

RFC2544 Small Medium Large Regional Regional Regional

Throughput Branch Branch Branch Office Office Office
Device Under
1941W 2911 2951 3925E 3945 3945E
Test
IPv4 Forwarding
214.06 232.50 384.38 1,148.80 711.30 1,341.65
(Mbps)
packets
64 byte

NAT
31.24 38.28 104.38 248.81 207.02 366.66
(Mbps)
IPsec (AES)
4.67 5.51 5.93 100.95 5.80 135.24
(Mbps)
IPv4 Forwarding
IMIX packets

981.02 1017.18 1713.90 3,816.99 2988.69 3,816.99

(Mbps)
NAT
168.52 174.26 479.72 1,613.29 938.82 1,908.52
(Mbps)
IPsec (AES)
62.36 70.78 149.80 647.11 239.34 848.40
(Mbps)
IPv4 Forwarding
2000.00+ 3,000.00+ 3,000.00+ 4,000.00 3,000.00+ 4,000.00
1518 byte

(Mbps)
packets

NAT
692.18 713.28 1,908.59 4,000.00 2,000.00+ 4,000.00
(Mbps)
IPsec (AES)
146.56 164.84 195.78 1,528.90 739.64 1,542.78
(Mbps)

Note: Significant IPSec performance increase is one characteristic of the greater

performance of the 3925E and 3945E.

test. This methodology is repeated until there is

stated bandwidth requirements of the branch, no frame loss and a Mbps value is found.
while integrated features were activated. See
Figure 1 on page 1. All test results were We noted a vast difference in performance
observed without any frame loss and between the Cisco ISR 3945 and 3945E routers,
maintaining CPU utilization of 75%. attributed to the new Service Performance Engine
RFC 2544 Performance Test (SPE) that was added to the ISR 3900s.
Customers can increase the performance of their
We conducted a series of tests to stress existing ISR 3900s by upgrading the SPE. The
product performance at different packet sizes 3925 can be upgraded to a 3925E by replacing
with various combinations of features enabled the SPE-100 with the SPE-200. Similarly, the ISR
as shown in the above table. 3945 can be upgraded to a 3945E by replacing
RFC2544 is a standard test methodology from the SPE-150 with an SPE-250. When a 3945 is
the Internet Engineering Task Force (IETF) upgraded to a 3945E, performance is increased
that defines a consistent way of testing by as much as 96%.
network equipment. The Throughput test
calculates the maximum number of frames per The above table shows how the addition of the
second that can be transmitted without error. SPE in the 3945E improves performance by
We tested with 64- and 1518-byte sized 95.7% when compared to the standard 3945
packets and IMIX packets, then compared the router when transmitting and receiving 64-byte
number of transmitted and received frames. packets. With IMIX packets, the 3945E exhibited
When frame loss was encountered, the a throughput improvement of 71.8% over the
transmission rate was divided by two and the 3945. When tested with 1518-byte packets, the
test was restarted. If during this test there was Cisco 3945E delivered a 52.1% improved
no frame loss, we increased the transmission performance compared to the ISR 3945 router.
rate by half of the difference from the previous These percentages were calculated by taking the

Copyright 2010 Miercom ISR G2 Branch Routers Page 3

 This feature gives Cisco a competitive edge for
IPsec (AES) throughput in Mbps value of the
Cisco router-based secure UC solutions.
3945 ISR and comparing it to the IPsec (AES)
value of the 3945E to determine overall Unified Survivable Remote Site Telephony
improvement. See Figure 3 on page 3. Call processing redundancy is critical for all
Offensive Security Assessment branch offices. Unified Survivable Remote Site
Telephony (SRST) is an integrated voice feature
We evaluated the effectiveness and accuracy available on all Cisco ISR G2 platforms. When
of the integrated security features of IPS, activated, the Cisco Unified SRST acts as a call
ZBF and DMVPN on the Cisco ISR processing engine for the IP phones located in
G2 platforms. the branch office during a WAN blackout.
The platforms were evaluated as a standalone
Once a WAN link fails, Cisco SRST automatically
security device in an un-tuned IPS
detects the failure in the network and initiates the
deployment. Penetration testing was conducted
SRST services to provide call processing backup
with over 1,450 updated and in the wild attacks.
for the IP phones at the branch office. Once WAN
Loaded with 2,670 signatures, the platforms
connectivity is restored, the system automatically
thwarted the majority of attacks, with IOS IPS
shifts the call processing back to the primary
firing signatures before the network security
Cisco Unified Communications Manager at
could be compromised. In addition, the zone
headquarters.
based policy firewall was resilient against
network and application layer attacks, viruses Video Capability
and worms, adding more flexibility
and granularity to already existing IOS Video call capabilities were evaluated on an ISR
stateful inspection. 2911 using the Cisco Unified Video Advantage
(CUVA). CUVA allows Cisco non-video IP phones
IOS Content Filtering to make video calls to other video endpoints.
Cisco IOS Content Filtering, available on the Connecting the access port of the video-enabled
ISR 1941W and 2911, demonstrated category Cisco Unified IP Phone 7965 to a PC with a USB
blocking to static black and white lists with video camera allowed calls to be placed to the
keyword blocking and security ratings to branch office. These calls were made using
websites requested. This IOS integrated normal phone processes and were displayed
feature offers policy-based web content control successfully with video on the PC without any
to limit exposure to websites that could incur further actions. The ISR 2911 demonstrated the
liability issues or contribute to lost productivity. ability to make video calls using the H.263, H.264
and H.323 protocols.
The Cisco IOS Content filtering utilizes a
subscription-based service using an Internet- Communications Manager Express
based reputation server. Policy-control The Cisco Unified CME (Communications
parameters include keyword blocking, local Manager Express) provides call processing
black- and white-listing of up to 100 URLs, services at the branch office. This integrated
blocking and/or allowing by content categories feature adds call processing functionality at the
by user credentials, and reputation-based Cisco ISR G2 branch router itself for branch
content control. URL filtering was tested by offices. All the necessary files and configurations
selecting a category of permitted and non- for IP phones are stored internally on the ISR G2,
allowed websites. It successfully blocked the providing a single-platform solution.
websites by category as requested. See Figure
2 on page 2. Calls were made using Cisco Unified IP Phones
7965 to test the call processing functionality of the
Unified Communications Trusted Firewall CME. Voice mails were left to demonstrate the
The trusted firewall feature was evaluated to messaging features offered by the CME. Using
verify Unified Communications security. The the VoiceView express feature we could easily
UC firewall uses Trusted Relay Point (TRP), a browse, listen, and manage voicemail from the
software function which authorizes and Cisco IP phone display and soft keys. These
inspects STUN messages. Once all checks are functions were demonstrated on the ISR 2951.
successful, a bidirectional pinhole is opened
through the firewall for data flow. This prevents SIP Trunking
the need to blindly open media port ranges. SIP Trunking capabilities were demonstrated on
Copyright 2010 Miercom ISR G2 Branch Routers Page 4
Figure 4: Content Filtering by Category successfully combines traditional enterprise router
functionality, advanced IP services like VoIP and
security with the mobility capabilities of 3G WAN
access. The integrated HWIC 3G Wireless feature
was tested on the Cisco ISR 1941W for primary
and backup WAN link connectivity as an
integrated feature offering.
As the primary WAN link, 3G WWAN was tested
with IOS security feature DMVPN enabled. To test
for multimedia traffic over the 3G WAN link,
we placed voice calls and monitored the MOS
scores and call quality. Voice could be heard
with clarity, all sessions were maintained and no
calls were dropped.
When configured as a backup link, the failover
time to 3G WWAN was noted to be 15 seconds,
an acceptable failover time. This included time for
the EzVPN tunnel to establish and pings to reply.
URL category blocking message as displayed
in a users Web browser. Wide Area Application Services
the ISR 3945 platform. For this test scenario Cisco Wide Area Application Services (WAAS)
the CME was set and configured as the PBX module, was demonstrated on the ISR 2911,
that will interpret the SIP signal and pass the 2951 and 3945. It provides integrated WAN
traffic. The Spirent Abacus was used to optimization features on the ISR G2 platforms.
simulate SIP Trunking traffic, generating 30 Advanced Data Redundancy Elimination (DRE),
SIP sessions per second. We observed zero Persistent LZ compression, and TCP Flow
RTP packet loss and no out of order packets. Optimization (TFO), were among the WAAS
Stable MOS scores of 4.55 were achieved for functions tested, all of which accelerated
all calls. In addition, RTP jitter values of 0.233 application response times by alleviating WAN
ms and R-factor of 93.2 was achieved, which traffic loads and congestion.
falls in the desirable range for VoIP quality. We used the Spirent Avalanche/Reflector to
generate real world HTTP traffic to traverse over
Wireless LAN the WAN link to the corporate network. Without
Wireless LAN capabilities are available only on the WAAS module providing integrated WAN
the Cisco ISR 1941W which includes a native optimization features, the bandwidth usage was
802.11n access point and security features recorded at 140 Mbps for HTTP traffic. With the
available to support secure mobility. integrated WAAS module, the bandwidth usage
for the same HTTP traffic dropped to 1.4 Mbps
During testing, the ISR 1941W proved to be decreasing it by 100 fold.
able to deploy secure, manageable WLANs,
with fast secure mobility, authentication and Multi Gigabit Fabric
simplified management. The ISR G2 router
extends corporate networks, securing remote The MGF is a new integrated solution added to
sites, allowing access to the applications found the architecture of the ISR G2 platforms allowing
in the corporate offices. The Cisco ISR 1941W high bandwidth module-to-module com-
router meets WLAN needs with a single device, munications at speeds up to 1 Gbps without
offering increased levels of services adding overhead to the router processor. The
integration. traffic between service modules is switched at line
rate to one another without being forwarded to the
3G Wireless WAN router CPU, thereby improving LAN/WAN
performance and scalability.
The Cisco 3G Wireless WAN HWIC (High-
Speed WAN Interface Card) on the ISR 1941W Two 24 port Cisco Enhanced EtherSwitch Service

Copyright 2010 Miercom ISR G2 Branch Routers Page 5

Modules (ESMs) were used for testing, with were applied to extend EnergyWise functionality
Spirent Avalanche/Reflector used to generate to control power to certain ports. Based on this
traffic traversing from one Etherswitch module policy, PoE power to interfaces was set to
to the other. The log file for Cisco ISR 3945 automatically to turn on/off at various times.
recorded CPU utilization as zero, while 1Gbps These time policies could also be applied by
of traffic passed through the Etherswitch device type, device location, priority of device and
modules. The receive bandwidth percentage other settable parameters.
utilization and transmit bandwidth percentage
utilization for the port going to the platform CPU PoE Boost
recorded zero, indicating that router processing When populated with dual power supplies, or a
power was not used. single power supply and Redundant Power
System (RPS), the Cisco ISR G2 routers can
Cisco EnergyWise operate in a PoE boost mode configuration, in
Cisco EnergyWise technology allows users to lieu of redundant power mode. In this PoE boost
measure the power consumption of network configuration, the power capacity of the platform
infrastructure and network attached devices is increased to almost twice the normal power to
(IP phones, PC and access points) and support additional PoE ports. See Figure 5 below.
manage power consumption with specific Figure 5: Power available for PoE Ports in
settable policies. RPS and PoE Boost Mode for an ISR 3900
This IOS feature was demonstrated on the ISR Mode Redundant PoE Boost
3945 platform fitted with two 24 port
Maximum Power 520W 1000W
Etherswitch modules. Power monitoring and
management capabilities of the Cisco Allocated Power 6.3W 6.3W
EnergyWise feature were tested for slots and
interface power management on the router. IOS Software Licensing
With Cisco EnergyWise, the Service modules
could be powered-up or turned-down using With the new licensing and packaging process,
simple commands. Times of day policies Cisco ISR G2 platforms are shipped with a single
were applied to extend EnergyWise universal IOS image, loaded during
functionality to control power to certain ports. manufacturing, and containing all IOS features.
Based on this policy, PoE power to interfaces All integrated service and features are now in four
was set to automatically to turn on/off at various technology packages; previously offered in eight
times. These time policies could also be applied images and requiring a new software image for
by device type, device location, priority of each feature change.
device and other settable parameters. The level of IOS functionality available depends
on the licenses purchased. To unlock or upgrade
Cisco EnergyWise to a suite of IOS functionality, only a new license
Cisco EnergyWise technology allows users to needs to be applied. The four categories of
measure the power consumption of network licenses are: IP Base, Data, Unified
infrastructure and network attached devices (IP Communications and Security (SEC).
phones, PC and access points) and manage Bottom Line
power consumption with specific settable
policies. The value of an integrated solution shows its
worth for enabling integrated services on a single
This IOS feature was demonstrated on the ISR platform, delivering WAN optimization all in one
3945 platform fitted with two 24 port single box, while maintaining existing
Etherswitch modules. Power monitoring and performance and throughput metrics. The Cisco
management capabilities of the Cisco ISR G2 models ISR 1941W, ISR 2911, ISR 2951
EnergyWise feature were tested for slots and and ISR 3945 deliver these services with
interface power management on the router. exceptional performance while deployed in
With Cisco EnergyWise, the Service modules branch office (continued on page 8)
could be powered-up or turned-down using scaling from small branch offices of a few users,
simple commands. Times of day policies to large remote branches with 100 clients. For

Copyright 2010 Miercom ISR G2 Branch Routers Page 6

Table 1: Description of Branch Office Deployment Scenarios and Features Applied

Small Medium Large

Regional Office
Branch Branch Branch
Typical Bank Corporate
Retail store Regional Office, Large Store
Example Branch Branch
Link Speed 25Mbps 35Mbps 75Mbps 150Mbps 200Mbps 350Mbps
Typical NG
1941W 2911 2951 3925E 3945 3945E
ISR
Configuration USB USB USB USB USB USB
Method Console Console Console Console Console Console
Feature Data, Data, UC, Data, UC, Data, UC, Data, UC, Data, UC,
Licenses Security Security Security Security Security Security
Primary Ethernet Ethernet Ethernet Ethernet Ethernet Ethernet
Connectivity WAN WAN WAN WAN WAN WAN
Backup Ethernet Ethernet Ethernet Ethernet Ethernet
3G WAN
Connectivity WAN WAN WAN WAN WAN
Integrated 16 ports 24 ports 48 ports 48 ports 48 ports
8 ports PoE
Switch Ports PoE PoE PoE PoE PoE
5 Class 5 Class 5 Class 5 Class 5 Class 5 Class
QoS
HQoS HQoS HQoS HQoS HQoS HQoS
VPN DMVPN DMVPN DMVPN DMVPN DMVPN DMVPN
Zone-Based Zone-Based Zone-Based Zone-Based Zone-Based Zone-Based
Firewall
FW FW FW FW FW FW
Intrusion
Yes Yes Yes Yes Yes Yes
Prevention
Content
Yes Yes No No No No
Filtering
WAN
No Yes Yes Yes Yes Yes
Acceleration
CME-as- CME
SRST SRST SRST
SRST CUE
Local Voice CUBE + SIP CUBE + SIP CUBE + SIP
NA TDM PSTN VM/IVR
Features Trunk for Trunk for Trunk for
(FXO) Video SIP Trunk PSTN PSTN PSTN
Telephony for PSTN
IP Phones 8 12 50 120 120 120
1 low 1 high 1 high 1 high 1 high
Telepresence No
bandwidth bandwidth bandwidth bandwidth bandwidth
802.11n Corporate &
No No No No No
Wireless Guest SSID

The branch offices have been categorized into small, medium, large and regional categories with unique
requirements for each size office. The configurations shown above represent feature intensive branch
deployments today and are likely to be closer to the norm in the future. All testing and test cases
described in this document w conducted based on the branch office requirements for the respective Cisco
ISR G2 routers.

Copyright 2010 Miercom ISR G2 Branch Routers Page 7

additional details on this testing, contact providers to monitor and troubleshoot a single
Miercom at [email protected]. Ethernet link. Although it was defined for the first-
mile connection to the customer demarcation
Ethernet Operations, Administration, and where most link issues typically occur; IEEE
Maintenance (OAM) 802.3ah is applicable to any point-point IEEE
Cisco Integrated Services Routers Generation 2 802.3 links.
support the tools for Ethernet Operations, The primary benefits of 802.3ah are that it
Administration, and Maintenance (OAM) enables the service provider to monitor a link for
developed in accordance with the leading critical events and then, if necessary, put the
industry-standards organizations. We observed remote device into "loopback" mode in order to
a testing demonstration of the Carrier Ethernet do testing on the link. It also discovers
OAM capabilities while conducting performance unidirectional links, which occur when only one
testing on the routers. We specifically validated direction of transmission fails.
the following features:
Ethernet Local Management Interface (E-LMI)
CFM (Connectivity Fault Management) protocol has benefits to both the service provider
and the end customer because it brings Ethernet
Connectivity Check
manageability from the service provider network
Ping (Loopback) to the customer premises. E-LMI operates
unicast LB between the customer edge (CE) device and the
multicast LB user-facing provider edge (U-PE). It enables the
Autotrace service provider to configure the CE device to
EEM Service Diagnostics match the subscribed service. The CE device will
automatically receive a VLAN-to-EVC mapping
CFM CC-timeout (CFM event based and the corresponding bandwidth profile and
autoscript)
quality of service (QoS) settings.
CFM on-demand (CFM
on-demand script) The IP SLA for Ethernet adds to the performance
CFM Autotrace (CFM Auto Script ) monitoring strengths for Ethernet and are
CFM shut/ unshut (Action script) supported on ISR G2.
OAM Service providers are using increased bandwidth
IPSLA requirements to offer newer and more cost-
Echo probe effective Ethernet services while utilizing the end-
to-end service-assurance capabilities as offered
Jitter probe by standardized Ethernet OAM on Cisco routing
ELMI and switching platforms. Using these capabilities,
Y.1731 (AIS/ LCK / RDI) service providers can deliver both entertainment-
and business-grade services over an Ethernet
These Fault Management and Performance network to meet the expectations of their
Management tools for Ethernet allow service end customers.
providers to manage each customer service
instance individually. A customer service
instance, or Ethernet Virtual Connection (EVC), Figure 6: Cisco Carrier Ethernet OAM
is the service that is sold to a customer and is
designated by the Service-VLAN tag. As a
result, 802.1ag operates on a per-Service-VLAN
(or per-EVC) basis. End-to-end service
management using 802.1ag is a critical aspect
of Ethernet management along with the Y.1731
fault management. It enables the service
provider to know if an EVC has failed, and if so,
provides the tools to rapidly isolate the failure.
Another important area is the link management
provided by IEEE 802.3ah. Ethernet link
This diagram shows the main areas of Ethernet
management (IEEE 802.3ah) enables service Operations, Administration, and Maintenance (OAM).

Copyright 2010 Miercom ISR G2 Branch Routers Page 8

 Test Bed Diagram 1

7206 NPE-G2 Reflector

VoIP IPsec Traffic
Load

Device Under
Test (DUT)
Avalanche
Cisco ISR

Internet

Systems Under Test and Operating System Versions

Cisco Routers:
1941W licensed for: ip base, security, uc, and data ; running IOS version 15.0(1)M
2911 licensed for: ip base, security, uc, and data ; running IOS version 15.0(1)M
2951 licensed for: ip base, security, uc, and data ; running IOS version 15.0(1)M
3945E licensed for: ip base, security, uc, and data ; running IOS version 15.0(1)T
3925E licensed for: ip base, security, uc, and data ; running IOS version 15.0(1)T
ASR 1002 Fixed Router fixed adventerprisek9 version 12.4(X), and IOS-XE 12.2
Mu Test Suite, version 4.5.6.r36499
Avalanche 2.50, Build 4070
Spirent TestCenter, version 2.50.1626.0000

How We Did It
Test Bed 1
Similar network topologies were used for all branch office deployments with variations added to reflect the typical
needs of the different branch sizes. Spirent TestCenter, Spirent Avalanche and Reflector were used for traffic
generation. Spirent TestCenter was used to generate RTP voice traffic. A custom Cisco traffic generation tool was
used to simulate Telepresence sessions. This tool sends actual Telepresence video streams and monitors for any
frame loss, jitter and latency. All traffic used for performance testing of the Cisco ISR G2 Device Under Test (DUT)
were set to meet Service Level Agreement (SLA) of zero frame loss and acceptable latency or jitter values.

To evaluate the effectiveness of the security features of the Cisco ISR G2 platforms, offensive security tests were
conducted using Miercom Offensive Security Testing Suite, the Ixia IxDefend platform (www.ixiacom.com) and the Mu
Dynamics Test Suite (www.mudynamics.com). The Ixia IxDefend advanced security assessment tool analyzed quality,
resiliency, and security exposures across a broad array of protocols and applications. The IxDefend test included 40
protocols from link layer to application protocols. Each protocol in each bundle included thousands of tests. IxDefends
tests provide the deepest possible protocol coverage.

The Mu Test Suite distills information from the most recently discovered root-cause vulnerabilities into test cases that
target the vulnerabilities that lie behind tens of thousands unique exploit vectors. The security assessment was
conducted with Ixias (www.ixiacom.com) IxDefend which was used to generate exploits and attacks. Miercom
recommends customers conduct their own needs analysis and test for the specific environment for product
deployment before making a selection. Contact [email protected] for additional details on the configurations
applied to the system under test and test tools used in this evaluation.

Copyright 2010 Miercom ISR G2 Branch Routers Page 9

 Test Bed Diagram 2
Avalanche Avalanche

Telepresence Telepresence
Simulator Simulator

Device Under Test

(DUT)
C3900E
Abacus Abacus

Test Bed Diagram 3

Avalanche
Avalanche

ASR 1002
HeadEnd

Telepresence Telepresence
Simulator Simulator

Device Under Test

(DUT)
C3900E or ASR
Abacus Abacus

Test Bed 2
The Device Under Test (DUT) is only connected to the different traffic generation tools depicted. Throughput
measurements were taken with and without features enabled such as IPsec VPN and NAT. Tests for throughput
performance of RFC 2544 were conducted primarily using this test scenario.

Test Bed 3
The second test bed has the DUT connected to a HeadEnd router in addition to the traffic generation tools as shown
in Figure 2. This is normally used for those cases, like IPSec, that require a connection to a peer router. The WAN
interface of the ISR G2 DUT utilized a secure VPN connection as well as a backup connection specific to the size of
the branch. For our tests, headquarters was represented by a Cisco 7200 Series router, terminating at the other side
of the VPN connection and providing the core side connections for traffic generation and monitoring. To simulate the
various streams found in a typical branch setting, generic stateful HTTP data traffic consisting of 25K, 30K and 130K
objects, with 10 objects per TCP session, were used. All performance testing was conducted with router CPU
maintained in the 50-70% range, which is the recommended load that allows sufficient overhead and tolerance for
real-world network activity. Tests involving IPsec performance were conducted primarily using this test scenario.

Copyright 2010 Miercom ISR G2 Branch Routers Page 10

Miercom Performance Verified
Based on Miercoms review of the performance during testing, the
Cisco ISR G2 platforms ISR 1941W, ISR 2911, ISR 2951 and
ISR 3945 routers have earned the Performance Verified award.
The Cisco ISR G2 platforms provide security, wireless, UC,
WAN optimization and energy management capabilities all in
one box while meeting branch office performance and
throughput requirements.

ISR 1941W ISR 2911 Cisco Systems, Inc.

170 West Tasman Drive
San Jose, CA 95134
www.cisco.com
1-800-553-6387

ISR 2951 ISR 3925E, 3945 and

3945E

About Miercoms Product Testing Services

Miercom has hundreds of product-comparison analyses
published over the years in such leading network trade
periodicals as Network World, Business
Communications Review - NoJitter, Communications
News, xchange, Internet Telephony and other leading
publications, Miercoms reputation as the leading,
independent product test center is unquestioned.

Miercoms private test services include competitive

product analyses, as well as individual product
evaluations. Miercom features comprehensive
certification and test programs including: Certified
Interoperable, Certified Reliable, Certified Secure and
Certified Green. Products may also be evaluated under
the NetWORKS As Advertised program, the industrys
most thorough and trusted assessment for product
usability and performance.

Report 091028G [email protected] www.miercom.com Before printing, please

consider electronic distribution

Product names or services mentioned in this report are registered trademarks of their respective owners. Miercom makes every effort to ensure that
information contained within our reports is accurate and complete, but is not liable for any errors, inaccuracies or omissions. Miercom is not liable
for damages arising out of or related to the information contained within this report. Consult with professional services such as Miercom Consulting
for specific customer needs analysis.

Copyright 2010 Miercom ISR G2 Branch Routers Page 11