LANCOM Techpaper Routing Performance

Similar documents
LANCOM Techpaper IEEE n Indoor Performance

LANCOM VPN (CC)

WELCOME TO THE NEW HYPER-INTEGRATED NETWORK MANAGEMENT

Networking interview questions

Parallelizing IPsec: switching SMP to On is not even half the way

LANCOM Release Notes LANtools RU10

Comparing TCP performance of tunneled and non-tunneled traffic using OpenVPN. Berry Hoekstra Damir Musulin OS3 Supervisor: Jan Just Keijser Nikhef

Firewalls, Tunnels, and Network Intrusion Detection

LANCOM Management Cloud

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

LANCOM Techpaper Active Radio Control

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

IP Security. Have a range of application specific security mechanisms

IPsec NAT Transparency

IPsec NAT Transparency

Executive Summary. Introduction. Test Highlights

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

VPN Ports and LAN-to-LAN Tunnels

The OSI Model. Open Systems Interconnection (OSI). Developed by the International Organization for Standardization (ISO).

Scalability Considerations

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

MTA_98-366_Vindicator930

Scalability Considerations

iscsi Technology: A Convergence of Networking and Storage

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

Number: Passing Score: 750 Time Limit: 120 min File Version: 1.0. Microsoft Exam Name: Identity with Windows Server 2016 (beta)

How to Create a TINA VPN Tunnel between F- Series Firewalls

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

USING ISCSI AND VERITAS BACKUP EXEC 9.0 FOR WINDOWS SERVERS BENEFITS AND TEST CONFIGURATION

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Fully managed 28-port Gigabit Ethernet switch for high-performance networks

Websmart 26-port Gigabit Ethernet Switch for cost-effective networks

Service Managed Gateway TM. How to Configure and Debug Generic Routing Encapsulation (GRE)

LANCOM Release Notes LANtools Rel

CSC 6575: Internet Security Fall 2017

LANCOM 1781EF (CC) High-performance VPN router with Gigabit Ethernet and SFP port for high-security site connectivity

VPN2S. Handbook VPN VPN2S. Default Login Details. Firmware V1.12(ABLN.0)b9 Edition 1, 5/ LAN Port IP Address

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Secure Networking with NAT Traversal for Enhanced Mobility

APPENDIX F THE TCP/IP PROTOCOL ARCHITECTURE

NSG100 Nebula Cloud Managed Security Gateway

TOLLY. No March Fortress Technologies, Inc.

Imi :... Data:... Nazwisko:... Stron:...

Quick Note. Configure an IPSec VPN tunnel between a Digi TransPort LR router and a Digi Connect gateway. Digi Technical Support 20 September 2016

Application Note How to use Quality of Service

Cisco IP Fragmentation and PMTUD

Cisco VPN Internal Service Module for Cisco ISR G2

Manual Key Configuration for Two SonicWALLs

FAQ about Communication

WiNG 5.x How-To Guide

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

High bandwidth, Long distance. Where is my throughput? Robin Tasker CCLRC, Daresbury Laboratory, UK

Cryptography and Network Security. Sixth Edition by William Stallings

SD-WAN Deployment Guide (CVD)

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

Virtual Private Networks

Configuration of an IPSec VPN Server on RV130 and RV130W

Secure Transmission for Interactive Three-Dimensional Visualization System

Creating VPN s with IPsec

Network Interconnection

Configuring the EN-2000 s VPN Firewall

Network Encryption 3 4/20/17

Cisco ONS Port 10/100 Ethernet Module

LANCOM Techpaper Smart WLAN controlling

Virtual Private Network

LANCOM Techpaper IEEE n Outdoor Performance

IPSec. Overview. Overview. Levente Buttyán

VPN Routers DSR-150/250/500/1000AC. Product Highlights. Features. Overview. Comprehensive Management Capabilities. Web Authentication Capabilities

CSCE 715: Network Systems Security

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Cradlepoint to Palo Alto VPN Example. Summary. Standard IPSec VPN Topology. Global Leader in 4G LTE Network Solutions

Sample excerpt. HP ProCurve Threat Management Services zl Module NPI Technical Training. NPI Technical Training Version: 1.

L2 Bridging Across an L3 Network Configuration Example

NSG50/100/200 Nebula Cloud Managed Security Gateway

Data & Computer Communication

TOLLY. Nortel Networks. Contivity Extranet Switch Test Summary. Fast Ethernet-to-Fast Ethernet Layer 2 Tunneling Protocol Throughput

BCRAN. Section 9. Cable and DSL Technologies

Fully managed 28-port Gigabit Ethernet switch with Power over Ethernet for high-performance networks

Gigabit SSL VPN Security Router

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 8 Networking Essentials

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the SonicWall Firewall.

Pre-Fragmentation for IPSec VPNs

Unified Services Routers

Performance Analysis of iscsi Middleware Optimized for Encryption Processing in a Long-Latency Environment

Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server Appliances

Implementing SES Network Duplication A Best Practices Guide.

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Case 1: VPN direction from Vigor2130 to Vigor2820

Introduction to Open System Interconnection Reference Model

Deployment Scenarios

Virtual Private Networks (VPN)

CS610- Computer Network Solved Subjective From Midterm Papers

Security Quick Sales Guide

Acceleration Performance Tests for IBM Rational ClearCase Remote Client (CCRC)

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Feature Notes LCOS 9.20 RC2.

USER MANUAL. VIA IT Deployment Guide for Firmware 2.3 MODEL: P/N: Rev 7.

CS519: Computer Networks. Lecture 1 (part 2): Jan 28, 2004 Intro to Computer Networking

Transcription:

LANCOM Techpaper Routing Performance Applications for communications and entertainment are increasingly based on IP networks. In order to ensure that the necessary bandwidth performance can be provided reliably, it is important for the infrastructure s networking components to be tested thoroughly and intensively. In this techpaper, LANCOM Systems presents the methods of measuring routing and VPN performance for central site and VPN gateways as well as the respective results. We have examined a variety of aspects for consideration when measuring the router performance. This includes transmission speeds of connections between the LAN and the Internet (WAN), and the internal data transmission in the network (LAN-LAN). Many business processes rely on secure WAN connections, which is why we have focused on determining the performance of encrypted data connections over VPN. Test System All of the performance values were measured in the LANCOM test laboratory. Tests were conducted with an IXIA test system. IXIA uses so-called test suites, which enable the simulation of different applications. This allows, for example, the investigation of data throughput over automatically established VPN tunnels, or the measurement of pure LAN-WAN routing performance for unidirectional and bidirectional data connections. IXIA is a leading supplier of systems which test IP-based services and infrastructures. Test systems from IXIA are employed all over the world by network component manufacturers and other organizations to help assure the functionality and reliability of complex IP networks, devices, and applications. The measurement of data transmission itself uses either a fixed frame size or a combination of frame sizes which reflects a typical flow of data. These combinations are known as Internet Mix, or IMIX for short. The type of IXIA IXIA IxAutomate IxVPN IxAutomate IxVPN encrypted transmission WAN port LAN port LAN port WAN port ROUTER ROUTER Figure 1: IXIA test system for routing connections and encrypted VPN connections between LAN and WAN 1

10 GE 10 GE PC LAN vrouter LAN / WAN PC 10 GE 10 GE PC LAN vrouter WAN / LAN WAN / LAN vrouter LAN PC Figure 2: Schematic view of the vrouter test system scenarios VPN tunnel if applicable IMIX which is applied significantly affects the test results because packet size has a strong influence on a connection s performance. By selecting the appropriate ports on the router being tested, it is possible to test connections between the LAN and the WAN, and also pure LAN-LAN connections. Two scenarios are used for the vrouter measurements. One is the transmission from a PC in the LAN to a PC in another LAN or WAN by using the vrouter in between. The second scenario adds two vrouters which are connected over WAN and use a VPN tunnel for encrypted data transfer. Firmware on the devices under test is LCOS 10.12 (LCOS 10.20 on /4000 and ) or LCOS 8.70 CC for the LANCOM CC VPN router. vrouter measurements were done with LCOS 10.12. Routing Performance (UDP) The measurement of routing performance involves the determination of the maximum data throughput which can be achieved before a router starts rejecting packets. This measurement uses UDP packets of various sizes in order to simulate the performance with different applications. Ethernet frame sizes range from 64 bytes for the smallest to 1518 bytes for the largest frames. Tests on different router models demonstrate the influence of the different hardware platforms (processor, interfaces). Data transfer WAN Router LAN Figure 3: Schematic view of the test system Measurements initially determine the frame rate, which is a good performance indicator of the tested hardware. With normal routing, the frame rate is fairly constant even with different frame sizes. This is because only the header is inspected during routing, a process which is largely independent of the size of the frames being routed. For this reason, only the average frame rates are given in the tables. The throughput for a certain frame size (or even a mix of sizes, see IMIX on page 4) can be approximately calculated by multiplication with the frame rate. When the frame rate is constant, data throughput depends directly on the frame size because the larger the frames, the larger is the data volume that can be transmitted. The maximum number of frames transmitted per second is limited by the performance of the interfaces and the transmission medium. Measurement of the routing performance relates to the size of the Ethernet frames. To compare packet sizes for parti cular applications, it is necessary to subtract the header. For a frame of 512 bytes, the result is a UDP datagram size of 474 bytes (512 bytes - 14 bytes Ethernet header - 4 bytes FCS trailer - 20 bytes IP header) and, after subtracting the UDP header (8 bytes), the UDP payload is 466 bytes. To investigate routing performance, in this paper two different applications are considered. For WAN-LAN routing, data received from the WAN is forwarded to a peer in the LAN. For LAN-LAN routing, data remains within the localarea network and is passed from one LAN port to another. The measurements show that the throughput increases almost linearly with the frame size until the limit of the Gigabit interface is reached. 2

Routing Performance (TCP) Using UDP, the maximum performance is easily measured. However, a large portion of data transfers utilizes TCP. Therefore, it is important to take a closer look at those scenarios as well. The TCP measurement is accomplished by using iperf, a program used to measure the data throughput between two computers. They are connected to a LANCOM router. One computer acts as a server in the WAN, sending data packets to the other, which acts as a client in the LAN, representing a typical download scenario. The TCP measurement done with iperf did not use NAT since no direct measurement with NAT is possible using iperf. The correlation between the test results and the results seen at a WAN connection including NAT in a live environment is very high. The causes are the differences of the traffic structure of iperf compared to an HTTP download and the LCOS 10.12 firewall which offers a similar performance with NAT or without. Both computers used in the test system have a similar hardware and software: Intel Core i7 CPU Intel PRO/1000 nic Ubuntu 12.04 / Kernel 3.8.0 The measurement was run using iperf 2.05. The TCP window size was set to 256 kb and five sessions were run simultaneously. vrouter measurements were done with the following hardware: PCs: Core i7-6700, Intel X540 10GE interfaces ESXi Server: Dell PowerEdge R330 with Xeon E3-1230v5, 3.4 GHz, Intel X710 10GE interfaces as uplink to the ESXi vswitches vrouter: VMXNET3 with virtual interfaces IPerf was used without window parameter for the vrouter tests. IPSec Routing Performance Other than with pure routing performance, IPSec-VPN routing actually changes the frames which are being passed from one interface to the next. When data is encrypted for the VPN tunnel, the original frame is encapsulated and it is supplemented with additional information. This has two important effects when considering the performance of IPSec routing: Encrypted frames are larger than unencrypted frames. Consequently, any results have to indicate which frame size was observed at which interface, and/or whether frames were encrypted or unencrypted. The values presented here always relate to an un encrypted frame size. An IP packet of 46 bytes is transported unencrypted, e.g. in a frame of 64 bytes. In the event of AES encryption, the frame grows for example to 122 bytes (46 byte IP packet + 14 byte Ethernet + 4 byte FCS + 20 byte IP + 8 byte ESP + 16 byte initialization vector (IV) + 0 byte padding (0-15 byte) + 1 byte padding length + 1 byte next header + 12 byte authentication). The processes of encryption and decryption in the router take up computing time. These processes take place in two steps which, in the case of encryption, must be sequential. With decryption, on the other hand, these steps can be executed in parallel. Router models with VPN hardware acceleration provide significantly better performance with decryption than with encryption. This explains why the results display a significant difference in performance between the decryption and encryption directions. All of the IPSec-routing values given here are for a single VPN tunnel. With up to 1,000 tunnels established under laboratory conditions, the frame rate remained almost constant over all of the active tunnels. However, under actual operating conditions an increasing number of tunnels will cause the frame rate to drop due to the processes running for each tunnel (for example renewal of the key being used). 3

IPSec Routing with Different IMIXs (Decryption and Encryption) As an alternative to measurement with fixed frame sizes, measurements were carried out with varying IMIX patterns. The IMIX patterns simulate true data traffic, which contains varying frame sizes. There are no fixed guidelines for the composition of the frame sizes, and for this reason the measurements supplemented the preset values in the IXIA test system (IMIX 0) with two other common patterns (IMIX 1 and IMIX 2). The patterns use the following frame compositions: IMIX 0: 45% 64 byte, 20% 128 byte, 5% 256 byte, 3% 512 byte, 2% 1024 byte, 1% 1280 byte, 24% 1364 byte. IMIX 1: 7x 64 byte, 4x 570 byte, 1x 1418 byte. IMIX 2: 58% 90 byte, 2% 92 byte, 24% 594 byte, 16% 1418 byte. By assuming 100 byte overhead the maximum encrypted frame size transmittable via Ethernet is 1418 bytes (1518 bytes is the maximum IEEE 802.3 frame size). AES128-SHA encryption was used for the measurements, and the tunnels were established in the LAN-WAN direction. These measurements again show that most commonly data decryption is faster than encryption. Bridging Performance (L2TPv3 Ethernet tunnel) Bridging performance (Table 10) shows, which maximum data throughput is possible via a transparent Ethernet tunnel, which is established over L2TPv3 pseudowire. A measurement with 5 parallel TCP streames using IPerf is performed here through the Ethernet tunnel. vrouter measurements were done with the exact hardware mentioned under Routing Performance (TCP), using a WAN-WAN connection. The rest of the measurements is done via LAN-LAN connection. Table 1: WAN-LAN routing Throughput [Mbps] per frame size [byte] and average frame rate [fps] Device LCOS 64 128 256 512 1024 1280 1518 frame rate W W 10.12 47.4 96.5 189.3 367.8 744.2 861.4 984.4 89305.9-4G -4G 10.12 68.4 137.0 275.9 551.7 977.1 981.6 984.4 99753.7-4G 10.20 68.1 135.9 272.3 543.5 980.8 984.6 * 987.0 * 118358.6 ISG-4000 10.20 93.6 187.1 374.3 746.4 980.8 984.6 * 987.0 * 146803.3 1781EF (CC) 8.70 CC 5.2 10.6 21.3 42.8 85.4 106.4 125.4 10362.2 * Test setup limited to 1 Gbps 4

Table 2: LAN-LAN routing Throughput [Mbps] per frame size [byte] and average frame rate [fps] Device LCOS 64 128 256 512 1024 1280 1518 frame rate W W 10.12 55.0 110.0 202.9 423.1 838.0 981.6 984.4 99477.9-4G -4G 10.12 80.2 161.2 323.2 641.6 977.1 981.6 984.4 132105.9-4G 10.20 82.9 165.8 331.6 664.9 980.8 984.6 * 987.0 * 135035.6 ISG-4000 10.20 113.1 226.9 453.9 904.6 980.8 984.6 * 987.0 * 168874.0 1781EF (CC) 8.70 CC 6.7 13.5 27.2 53.2 101.7 126.3 149.1 12804.0 * Test setup limited to 1 Gbps Table 3: WAN-LAN routing Throughput [Mbps] Device LCOS Throughput 5 TCP sessions W W 10.12 774.7-4G -4G 10.12 909.0-4G 1781EF (CC) 8.70 CC 91.7 5

Table 4: IPSec routing (decryption) Throughput [Mbps] per frame size [byte] and average frame rate [fps] Device LCOS 64 128 256 512 1024 1280 1418 frame rate W W 10.12 21.0 41.5 81.0 168.4 313.1 395.8 416.3 39385.1-4G -4G 10.12 31.2 61.8 125.2 247.8 461.3 613.5 690.5 60011.0-4G 10.20 36.5 72.8 146.0 291.5 580.6 721.1 800.4 70941.7 ISG-4000 10.20 50.3 99.4 193.0 386.7 764.6 914.1 921.2 92541.6 1781EF (CC) 8.70 CC 4.1 9.1 17.5 34.9 67.3 83.6 91.4 8339.9 Table 5: IPSec routing (encryption) Throughput [Mbps] per frame size [byte] and average frame rate [fps] Device LCOS 64 128 256 512 1024 1280 1418 frame rate W W 10.12 27.4 54.0 110.2 215.9 429.8 509.7 560.2 52045.6-4G -4G 10.12 38.2 77.0 153.4 299.2 613.7 777.1 862.3 74941.6-4G 10.20 33.4 66.8 134.6 268.2 535.4 666.8 741.5 65347.6 ISG-4000 10.20 48.7 98.4 197.9 393.3 783.9 >1000 * >1000 * 93590.7 1781EF (CC) 8.70 CC 3.0 6.2 11.5 23.8 46.6 58.5 65.0 5777.6 * Test setup limited to 1 Gbps 6

Table 6: IPSec routing (decryption) Throughput [Mbps] Device LCOS IMIX 0 IMIX 1 IMIX 2 W W 10.12 133.7 104.4 125.9-4G -4G 10.12 193.2 150.2 183.4-4G 10.20 230.3 179.5 219.5 ISG-4000 10.20 319.0 250.7 304.4 1781EF (CC) 8.70 CC 26.4 20.5 24.4 Table 7: IPSec routing (encryption) Throughput [Mbps] Device LCOS IMIX 0 IMIX 1 IMIX 2 W W 10.12 179.5 137.5 169.7-4G -4G 10.12 258.4 200.9 243.8-4G 10.20 292.5 228.2 280.8 ISG-4000 10.20 407.6 318.0 387.1 1781EF (CC) 8.70 CC 21.1 17.2 21.4 Table 8: TCP throughput [Mbps] (see page 2, fig. 2 top) LANCOM Method LCOS Throughput 5 TCP sessions vrouter LAN - WAN (IPoE) routing 10.12 9375 vrouter LAN - LAN routing 10.12 9372 LAN - WAN (IPoE) Routing 10.20 940 * LAN - LAN Routing 10.20 940 * ISG-4000 LAN - WAN (IPoE) Routing 10.20 1948 ISG-4000 LAN - LAN Routing 10.20 3331 * Limited by 1 Gbps ports of the Table 9: TCP throughput [Mbps] with VPN tunnel if applicable (see page 2, fig.2 bottom) LANCOM Method LCOS Throughput 5 TCP sessions vrouter LAN - WAN (IPoE) - LAN routing 10.12 7832 vrouter LAN - WAN (IPSec AES256 SHA256) - LAN routing 10.12 864 vrouter LAN - WAN (IPSec AES256 GCM) - LAN routing 10.12 2569 ISG-4000 LAN - LAN (IPoE) - LAN routing 10.20 1803 ISG-4000 LAN - LAN (IPSec AES256 SHA256) - LAN routing 10.20 1013 ISG-4000 LAN - LAN (IPSec AES256 GCM) - LAN routing 10.20 1028 7

Table 10: L2TPv3 bridging Throughput [Mbps] LANCOM LCOS Throughput 5 TCP sessions 10.20 991 ISG-4000 10.20 1562 vrouter 10.20 5270 LLANCOM, LANCOM Systems and LCOS are registered trademarks. All other names or descriptions used may be trademarks or registered trademarks of their owners. Subject to change without notice. No liability for technical errors and/or omissions. 08/2018 www.lancom-systems.com LANCOM Systems GmbH I Adenauerstr. 20/B2 I 52146 Wuerselen I Germany I E-mail info@lancom.de

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback