The Background:
I have a WAN consisting of a hub site at a hosted Data Center with a 75mbps symmetrical Fiber line from Charter, and multiple branches with different internet types - one provided by a major university's network (many GB of bandwidth), several Charter 200/7 and 100/4 Cable Internet, and two HTC DSL (one 80/7, one 20/2). All sites have static addresses. The Data Center has a NetVanta 3448 w/Enhanced Feature Set, all hub sites have NetVanta 3120 w/EFS - except one, which has a NetVanta 3448 w/EFS. Firmware version on all is R11.6 or R11.7.
The branches are all connected to the Data Center using GRE Tunnels with MTU set at 1400. In turn the GRE tunnels are sent through VPN/IPSec encryption.
The Good News:
Everything is working fine. RIPv2 routing across the tunnels works, traffic is passed all around, every branch can communicate with the data center and every other branch. Each Branch location has NAT set up to provide local Internet, but routes WAN traffic across the tunnel. The Data Center router does not have NAT turned on, as it routes its Internet out through a content filter, but each VPN/GRE endpoint has a static route entry pointing to the ISP's gateway.
The Bad News:
My problem is that all of the branches using 3120s seem to be limiting incoming bandwidth to 1.4mbps, as shown via MRTG. When transferring data from the Data Center (75mbps outbound) to a branch (100mbps inbound) I'm still only getting 1.4mbps through the tunnel. Non-tunnel traffic, which is to say Internet traffic, is going up to the 100mbps limit imposed by the lack of Gigabit ports on the router - but traffic going through the tunnel is limited to 1.4mbps. I can find nothing in the configuration limiting the bandwidth.
SHOW INTERFACE TUNNEL 40 returns:
tunnel 40 is UP
IP address 10.0.40.2, netmask 255.255.255.0
IP MTU 1400 bytes
BW 100000 Kbit
Description: Downtown Branch
Tunnel mode GRE, keepalive enabled (10 seconds, 3 retries)
Tunnel source <Branch Public IP>, destination <Data Center Public IP>
Key: 40, packet checksumming disabled, sequencing disabled
Last clearing of "show interface" counters: never
2433734 packets input, 1289254400 bytes
1552739 packets output, 315477558 bytes
0 rx broadcast pkts, 0 tx broadcast pkts
The tunnel to the one branch with a 3448 is not so limited and went over 16mbps the first time I put that much load on it.
My Worry:
Is the 3120 just not capable of handling a tunnel at more than 1.4mbps? This would be seriously bad news for me, as we've already purchased 28 of them, and have 8 currently configured for VPN tunnels and 20 standing by for a network reconfiguration from MPLS to Internet/VPN.
Please let me know if you need complete configurations or any other details.
Unfortunately, according to the AOS Feature Matrix - Product Feature Matrix, the 3120 only does 1 Mb/s when doing all IPsec traffic. If you look at the performance statistics it gives all the throughput capabilities of all the products.
Yikes. Well, that's disappointing, but not soul-crushing. Just need to see if I can swap the 3120s for 3140s. I looked for something exactly like this document when I was getting ready for this project and couldn't find it. Thanks for your help.