This has been a constant source of customer worries – will RRAS performance meet my needs ? How will RRAS compare against other hardware appliances?
Please don’t think me as a sales person promoting RRAS after you read this blog:). I am an engineer and trying to give my fair view here The network performance is a tricky field where there are so many factors and each network vendor may publish only the relevant results where their product is good to impress the customers. As usual, lot of times the main factor that drives CIO decision is to do more (throughput, number of connections) in less (CPU, price). But like security, there is no “one size fit all” solution. The VPN solutions by different vendors have different pros and cons, but my advice is to assess your performance needs holistically – by answering the below questions.
I have categorized the factors that impact the VPN server performance in the following ways:
1) What is the hardware configuration on RRAS box: CPU speed & type ( + number of proceesor, RAM, Cache, Network NIC (speed, drivers, offloading support if any), Offloading cards (like IPSec offload cards).
Impact: As you put higher speed CPUs, you have more horsepower to do more (forward more data, more number of connections). As you put better NICs (which have better drivers, checksum support), you reduce CPU utilization (i.e. more CPU is free).
This factor basically decides how much you are ready to pay to get your work done
2) What is the software configuration on RRAS box?
Impact: Some configuration factors (encryption settings, software compression, number of static filters, NAT enabled/disabled) affects CPU utilization as it gets hit for each packet, whereas some configuration (like authentication algorithm, DHCP server/relay agent, RIP, Radius Server, etc) are doesn’t impact much – as they are control path applications (consumes CPU only at times).
3) What is the Internet link speed you have/need?
Impact: Very important factor that should be considered in your decision. If you have a 45 Mbps T3 link to Internet, you don’t need to buy a product that supports forwarding at 500 Mbps :).
4) How many concurrent client connections you want?
Impact: This will decide the CPU utilization and the Internet connection speed (for example – 100 clients connecting using a DSL speed of 512 Kbps will need 50 Mbps Internet connection speed or a T3 kind of link). It is also useful for deciding other parameters like IP address range and how much RAM you need on VPN server (as each VPN connection consumes some memory – like tables in different protocol stacks).
5) What is the nature of your data transfer application – interactive, bulk data transfer, mix
Impact: Each application generates packets of different sizes at different data rate. The smaller the packet size, the more CPU utilization it will take. For example, typically ten 100 byte packets will hog more CPU compared to one 1000 byte packet.
6) Do you need load balancing – redundancy as well as performance perspective
Impact: NLB based load balancing can be used to have multiple servers running RRAS – if you run short of meeting performance on single machine.
The VPN test results (done by a third party) on a Windows 2000 server running on quad Intel Xeon 550 MHz proc with 1 GB RAM, Intel Pro 100 S cards with IPSec offloading – shows:
1) Throughput test: Single tunnel doing packet forwarding at 70 Mbps for PPTP as well as L2TP/IPSec for 1280 byte packets (common for bulk transfer applications)
2) Max tunnel test: 5000 tunnels (each on a 56 Kbps link doing bursty transfer) with aggregated throughput of 79.7 Mbps for PPTP and 67.2 Mbps for L2TP
3) Sustained tunnel test: 2600 PPTP tunnels and 2000 L2TP/IPSec tunnels (each on a 56 Kbps link doing sustained data transfer)
These 3rd party tests were done in Feb 2000. Now with the advent of better yet cheaper computing speeds (number of processor, high speed processors, 64 bit processors) and better offload cards (scalable networking pack, better IPSec offload cards) – you can achieve much higher number than the above results. I don’t have a third party results done recently to share with, but internal results shows 130-170 Mbps of back-to-back throughput, 5000 concurrent VPN connections should not be an issue on a hardware configuration like 3.6 GHz P4, 2 GB RAM with two Intel Pro 100S NICs.
Lead Program Manager
RRAS, Windows Enterprise Networking
[This posting is provided “AS IS” with no warranties, and confers no rights.]