HP (Hewlett-Packard) 700wl Series Switch User Manual


 
Using the 700wl Series System
If a client is logged onto the 700wl Series system using PPTP or IPSec encryption, overhead related to
packet encryption can reduce the actual throughput experienced relative to the specified throughput. If
encrypted traffic is tunneled between Access Managers due to client roaming, throughput may be further
affected. When a client roams between Access Managers, existing client sessions are tunneled through the
new Access Manager back to the original Access Manager. For non-encrypted traffic, new sessions
initiated after the roam are handled directly by the new Access Manager, but even new sessions involving
encrypted traffic are tunneled back to the original Access Manager. For non-encrypted traffic that is
tunneled, bandwidth limits are enforced both on the new Access Manager (to avoid tunneling packets
that should be dropped) and on the original Access Manager, which makes the actual determination of
whether to drop packets. However, with encrypted packets the new Access Manager cannot determine
which packets should be dropped and thus tunnels all to the original Access Manager.
If the 700wl Series system is used to pass through encrypted traffic and is not the termination of the
VPN, the bandwidth limitation algorithm cannot use the packet contents to help determine which
packets to drop. In this case, it adopts a very conservative algorithm to ensure that throughput will not
exceed the configured limits, and may in fact result in a throughput that is below the configured limits.
In general, when setting bandwidth limits you may need to adjust your bandwidth settings based on
actual client experience. If clients are experiencing bandwidth significantly below the configured limits,
you may want to increase the limits so that throughput more closely approaches the limits you intend.
Note:
If you are measuring throughput at layer 2, you must take into account headers,
acknowledgements and other overhead, in addition to the data itself. For example, transferring a 10
megabit file via FTP at 1 megabit per second will take more than 10 seconds due to the additional
information involved in the transfer.
Addressing in the 700wl Series System
Clients connected to Access Controller or Integrated Access Manager ports can obtain an IP address in
one of three ways:
Network Address Translation (NAT) mode: The Access Controller (or Integrated Access Manager)
responds to a DHCP request from a client with a “private” IP address in the subnet configured for
NAT (by default, the 42.0.0.1 subnet). Packets sent by the client have their private IP address and port
replaced with the IP address of the Access Controller and a port number that is unique within the
700wl Series system (NAT and PAT functions). Packets received by an Access Controller from the
network sent in reply to the NAT/PAT packets are relayed to the appropriate client with the
destination IP address and port number rewritten as appropriate. The Access Controller maintains a
connection table to map return packets back to their destination.
Real IP mode (also known as dynamic IP mode): The client sends a DHCP request for an IP address
to the Access Controller, which the Access Controller passes on to an external DHCP server. By
default (when no port subnetting is configured), this DHCP request obtains an IP address on the Access
Controller's subnet. Subsequent packets received by the Access Controller with that IP address as the
destination are forwarded to the appropriate client. Packets from the client to the network do not
have their source IP address or source port number rewritten.
Static IP mode: The client uses a pre-assigned IP address, which must be on the Access Controller's
subnet. Packets received by the Access Controller with this static IP address as the destination are
forwarded to the appropriate client. Packets from the client to the network do not have their source IP
address or source port number rewritten.
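
The NAT mode connection table described above, modeled as an added example (not code from the 700wl Series system or from HP). The Access Controller address, port pool start, client and remote addresses, and the rule that inbound packets without a matching entry are not relayed are assumptions made for illustration.

```python
# Added illustration: a toy NAT/PAT connection table. All names and sample
# addresses are constructed; this is not code from the 700wl Series system.
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

AC_IP = "192.0.2.10"  # assumed Access Controller address (documentation range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatTable:
    ac_ip: str = AC_IP
    _ports: count = field(default_factory=lambda: count(20000))  # assumed pool start
    _out: dict = field(default_factory=dict)   # client/remote 4-tuple -> public port
    _back: dict = field(default_factory=dict)  # (public port, remote) -> client endpoint

    def outbound(self, p: Packet) -> Packet:
        """Rewrite a client packet: private source -> AC address + unique port."""
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key not in self._out:
            public_port = next(self._ports)  # unique within this table
            self._out[key] = public_port
            self._back[(public_port, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
        return Packet(self.ac_ip, self._out[key], p.dst_ip, p.dst_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Relay a reply to its client, or return None when no entry matches."""
        entry = self._back.get((p.dst_port, p.src_ip, p.src_port))
        if p.dst_ip != self.ac_ip or entry is None:
            return None  # assumption: packets with no table entry are not relayed
        return Packet(p.src_ip, p.src_port, entry[0], entry[1])


def demo():
    nat = NatTable()
    a = nat.outbound(Packet("42.0.0.5", 51000, "198.51.100.7", 443))
    b = nat.outbound(Packet("42.0.0.6", 51000, "198.51.100.7", 443))
    reply = nat.inbound(Packet("198.51.100.7", 443, a.src_ip, a.src_port))
    stray = nat.inbound(Packet("203.0.113.9", 443, a.src_ip, a.src_port))
    return a, b, reply, stray
```

Two clients using the same private source port receive different public ports, and only the remote endpoint recorded in the table is mapped back to a client. In Real IP and Static IP modes no such rewrite takes place, so the client's own address is what appears on the network side.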
HP ProCurve Secure Access 700wl Series Management and Configuration Guide 2-21