HP (Hewlett-Packard) 700wl Series Switch User Manual


 
Configuring Rights
Bandwidth Rate Limiting in the 700wl Series system
700wl Series system version 4.0 provides bandwidth rate limiting (or “policing”) on a per-client basis.
Each client may use bandwidth as necessary up to the upstream or downstream limit set by the Access
Policy currently in force for that client. This implementation does not attempt to shape bandwidth usage;
it only enforces a per-client cap.
Because bandwidth limits are set in the Access Policy, you can set different limits for different sets of
clients even if they are connecting through the same physical port. The bandwidth limit is imposed per
client—even if there is additional bandwidth available on the specific port, a given client will be limited
to the specified limit, and cannot take advantage of the additional unused bandwidth.
For non-TCP traffic, these bandwidth limits work in a straightforward manner. For TCP traffic, there are
some performance considerations that may limit the throughput to less than the configured limit,
especially if client traffic is being encrypted (using IPSec or PPTP).
If a client is logged onto the 700wl Series system using PPTP or IPSec for encryption, a certain amount of
overhead related to packet encryption may somewhat reduce the actual throughput experienced relative
to the specified throughput. If encrypted traffic is tunneled between Access Controllers due to client
roaming, throughput may be further affected. When a client roams between Access Controllers, existing
client sessions are tunneled through the new Access Controller back to the original Access Controller. For
non-encrypted traffic, new sessions initiated after the roam may be handled directly by the new Access
Controller, but even new sessions involving encrypted traffic are tunneled back to the original Access
Controller. For non-encrypted traffic that is tunneled, bandwidth limits are enforced both on the new
Access Controller (to avoid tunneling packets that should be dropped) and on the original Access
Controller, which makes the actual determination of whether to drop packets. However, with encrypted
packets the new Access Controller cannot determine which packets should be dropped and thus tunnels
all to the original Access Controller.
If the 700wl Series system is used to pass through encrypted traffic and is not the termination of the VPN,
the bandwidth limitation algorithm cannot use the packet contents to help determine which packets to
drop. In this case, it adopts a very conservative algorithm to ensure that throughput will not exceed the
configured limits, which may in fact result in throughput below the configured limits.
In general, when setting bandwidth limits, you may need to adjust your bandwidth settings based on
actual client experience. If clients are experiencing bandwidth significantly below the configured limits,
you may want to increase the limits so that throughput more closely approaches the limits you intend.
Note: If you are measuring throughput at layer 2, the actual bandwidth includes headers,
acknowledgements etc. in addition to the data itself, and these must be taken into account. For example,
transferring a 10 megabit file via FTP at 1 Mbit/sec will take more than 10 seconds due to the additional
information involved in the transfer.
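The following is an added example, not part of the HP manual: a Python simulation of per-client policing
and of the header overhead described in the note above. It assumes a token-bucket policer (the manual does
not name the algorithm the 700wl uses); client names, rates, burst size, and frame and header sizes are constructed.

```python
# Added illustration: a token bucket is ASSUMED; the manual does not name the
# algorithm the 700wl uses. Client names, rates and frame sizes are constructed.
from dataclasses import dataclass


@dataclass
class Policer:
    """One direction for one client: conforming frames pass, excess is dropped."""
    rate_bps: float      # limit taken from the client's Access Policy
    burst_bits: float    # bucket depth (assumed parameter)
    tokens: float = 0.0
    last: float = 0.0

    def allow(self, now: float, frame_bits: int) -> bool:
        # Refill for the elapsed time, never beyond the bucket depth.
        self.tokens = min(self.burst_bits,
                          self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        if frame_bits <= self.tokens:
            self.tokens -= frame_bits
            return True
        return False     # policing: the frame is dropped, not queued (no shaping)


def simulate(policies, offered_bps, seconds=10.0, frame_bytes=1500, header_bytes=54):
    """Every client offers `offered_bps` on the same port.
    Returns {client: (on_wire_bps, payload_bps)} for the frames that passed."""
    frame_bits = frame_bytes * 8
    payload_bits = (frame_bytes - header_bytes) * 8   # data left after headers
    interval = frame_bits / offered_bps               # time between offered frames
    results = {}
    for client, rate in policies.items():
        policer = Policer(rate_bps=rate, burst_bits=2 * frame_bits,
                          tokens=2 * frame_bits)      # bucket starts full
        passed = sum(policer.allow(i * interval, frame_bits)
                     for i in range(int(seconds / interval)))
        results[client] = (passed * frame_bits / seconds,
                           passed * payload_bits / seconds)
    return results


def transfer_seconds(file_bits, payload_bps):
    """Time to move `file_bits` of data at the measured payload rate."""
    return file_bits / payload_bps


if __name__ == "__main__":
    out = simulate({"guest": 1_000_000, "staff": 5_000_000}, offered_bps=10_000_000)
    for client, (wire, payload) in out.items():
        print(client, round(wire), round(payload),
              round(transfer_seconds(10_000_000, payload), 2))
```

Both clients offer 10 Mbit/sec on the same port, yet each is held to its own limit, and the payload rate
stays below the on-wire rate because headers consume part of the cap.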
The Timeout Tab
On the Timeout tab, you can specify two types of timeouts:
The Linger Timeout, which specifies how long the 700wl Series system will continue to consider a client
active after the Access Controller has determined that the client is no longer connected and has
disassociated the client.
A reauthentication timeout, which specifies a time limit on the validity of a user’s authentication, even
if the user has been continuously connected and active.
HP ProCurve Secure Access 700wl Series Management and Configuration Guide 4-59