Is there a bandwidth limit for L2 VPN tunnels between AP170 and CVG?

We have a setup with AP170s tunneling all user traffic via Layer2 tunnel to a central CVG.

We ran some speed tests now, and it appears that the maximum throughput we can get is 10 to 12 Mbps (measured with http://speedtest.net).

The uplink we have for this particular AP170 is 100Mbps via fiber, and that is definitely the lowest link in the chain.

I know that BR100 is defined for 5 - 10Mbps, AP330 should allow 30 - 50Mbps - but I couldn't find anything for AP170?

And is there a way to tweak the performance a bit, e.g. would a different encryption algorithm help?

carsten
Carsten Buchenau, Champ

Posted 4 years ago

Gregor Vucajnk, Official Rep

Hi Carsten, 

AP170 does all the encryption in software so it would be bottlenecked in performance. What is your use case?

Gregor

Carsten Buchenau, Champ

Free public hotspots across a city, backbone provided by the town via DOCSIS system. VLAN routing was not an option due to limitations of the DOCSIS hardware, so we tunnel all user traffic into a DMZ for central filtering etc.

Nick Lowe, Official Rep

HiveOS could get better performance here via a software change if enhanced to use AES-GCM.

Carsten Buchenau, Champ

In this case, as the traffic stays within the boundaries of the provider until routed out to the Internet, we could even imagine configuring phase 2 without encryption - which is currently not supported.

Carsten Buchenau, Champ

For the record: I received confirmation from Aerohive support that 10 - 12 Mbps HTTP throughput is expected for IPsec VPNs with AP170:

The max throughput for the AP 170 VPN tunnel is around 17Mbps. Speednet test may give you lower values as you have additional TCP headers. So the result that you had seems to be expected. I am afraid there is nothing you can tweak in order to increase the throughput.
Alternatively you can just use GRE Static Identity-Based-Tunnels. This will allow you to tunnel a user profile to a central location without losing any throughput.

So I followed the advice and configured GRE static Identity-Based tunnels via the user profile, terminated on one L2 CVG. The only drawback is that I had to configure the CVG's Ethernet interface directly with a public IP address - which is not a big issue in this case, as it will be inside the same backbone as the Access Points are.

Speedtests are showing good results, and we will go ahead and implement a bigger test scenario now.

Nick Lowe, Official Rep

If Aerohive implemented ChaCha20/Poly1305 support for VPNs, performance would go up massively:

http://googleonlinesecurity.blogspot.co.uk/2014/04/speeding-up-and-strengthening-https.html