
Improving Meraki throughput.

A number of Meraki users are complaining about their "speed".  Users always gripe about something but at least one or two seem to have legitimate complaints.  One user reports about 178/11 Mbps when he plugs directly into the cable modem/router.  When using the Meraki, he reports 16/4 Mbps.  These tests were done using the DSL Reports speedtest (http://www.dslreports.com/speedtest?httpsok=0).  The Meraki dashboard reports 15.6 Mbps throughput which is consistent with the speed test.

There are no per-client limits on throughput.

I know that things like encryption overhead, fragmentation and the quality of consumer grade connections will affect the throughput but it seems to me that a 90% reduction is a bit much.

Would it help to reduce the MSS to keep the overall packet size below 1500 octets?  1328 looks good with AES.

Any hints about how to improve the performance or even if it is possible are appreciated.

2 Replies

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

I'm unfamiliar with Meraki, but generally fragmentation is to be avoided as it often very much impacts performance.

ADSL links I believe generally use PPPoE which generates 8 bytes of overhead.

Encryption usually adds 60 to 80 bytes of overhead.  Normally you're "safe" if you set MSS to 100 bytes less than MTU, which if using PPPoE should be set for 1492.

Here is how my thinking is going regarding the 1328 octet MSS.

TCP/IP overhead = 40 B

Total IPSEC Overhead = 84 B:

  1. Tunnel Mode Header = 20 B
  2. Authentication Header = 24 B
  3. ESP Header = 40 B


MD5/SHA1 Message Size overhead = 8 B

Sub Total Overhead = 132 B

HMAC Padding identifier = 1 bit (more on that below)

MD5/SHA1 blocksize is 64 B
AES Blocksize 16 B

If the MTU is 1500 octets then the remaining space for data is no more than 1500 - 132 = 1368.

HMAC Blocks
1368/64 = 21.375.  Rounding down, 21*64 = 1344 B

AES Blocks
1368/16 = 85.5.  85*16 = 1360

1344/16 = 84 but that extra HMAC bit above effectively reduces that to 83 blocks so the maximum MSS becomes 83 * 16 = 1328

So

for 1328

AES padding = 0 B
SHA1 message length = 8 B
SHA1 padding = 8 B
IPSEC headers = 84 B
TCP/IP Headers = 40 B

Total MTU = 1468

For 1344

AES padding = 0 B
SHA1 Message Length = 8 B
SHA1 padding = 64 B
IPSEC headers = 84 B
TCP/IP headers = 40 B

Total MTU = 1540
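
The MSS question raised in this thread, worked as an added example (not code from either poster or from Meraki): it computes the largest TCP MSS whose ESP tunnel-mode packet still fits a given path MTU, using the standard ESP wire layout rather than the per-item figures in the post above. Assumptions: IPv4, AES-CBC (16-byte block and IV), HMAC-SHA1-96 (12-byte ICV), no AH, no IP or TCP options; all function and constant names are illustrative.

```python
# Added example: MSS sizing for ESP tunnel mode (assumed: IPv4, AES-CBC,
# HMAC-SHA1-96, no AH, no IP/TCP options). All names here are illustrative.

IPV4_HEADER = 20   # IPv4 header without options (outer and inner)
TCP_HEADER = 20    # TCP header without options
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad-length byte + next-header byte, encrypted with the payload
NAT_T_UDP = 8      # UDP header added when ESP is UDP-encapsulated (NAT traversal)


def fixed_overhead(iv=16, icv=12, nat_t=False):
    """Bytes outside the ciphertext: outer IP, optional UDP, ESP header, IV, ICV."""
    return IPV4_HEADER + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv + icv


def esp_packet_size(inner_len, block=16, iv=16, icv=12, nat_t=False):
    """On-the-wire size of the ESP packet carrying an inner IP packet of inner_len bytes."""
    plaintext = inner_len + ESP_TRAILER
    ciphertext = -(-plaintext // block) * block  # round up to a whole cipher block
    return fixed_overhead(iv, icv, nat_t) + ciphertext


def max_mss(path_mtu, block=16, iv=16, icv=12, nat_t=False):
    """Largest TCP MSS whose ESP-encapsulated packet still fits in path_mtu."""
    room = (path_mtu - fixed_overhead(iv, icv, nat_t)) // block * block
    return room - ESP_TRAILER - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    for label, mtu, nat_t in [("Ethernet", 1500, False),
                              ("PPPoE", 1492, False),
                              ("Ethernet + NAT-T", 1500, True)]:
        mss = max_mss(mtu, nat_t=nat_t)
        wire = esp_packet_size(mss + IPV4_HEADER + TCP_HEADER, nat_t=nat_t)
        print(f"{label:18} MTU {mtu}: max MSS {mss}, ESP packet {wire} bytes")
    # The MSS values discussed in the thread, sized under this example's assumptions.
    for mss in (1328, 1344):
        wire = esp_packet_size(mss + IPV4_HEADER + TCP_HEADER)
        print(f"MSS {mss}: ESP packet {wire} bytes")
```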
