MPLS speed issue

Reid Cooper

@ambarishrh said:

One question on the SMB transfer. what will be the optimal latency for SMB file transfer access over these network?

SMB is latency sensitive so you'll want it as low as possible. It will "work" over 120ms but it won't be a great experience. NFS is less sensitive to latency.

Reid Cooper

@ambarishrh said:

May be we should look for some products like riverbed which might help us solve this. Still checking on possible solutions

Riverbed cannot fix latency, it helps with bandwidth. It will improve things but the latency will remain an issue. Not a cheap way to solve the problem, those are quite expensive units.

scottalanmiller

We use SMB over a link of roughly 50ms and it works pretty decently. But it is a 100Mb/s link, not 2Mb/s. And we don't use it very heavily.

Reid Cooper

@scottalanmiller said:

We use SMB over a link of roughly 50ms and it works pretty decently. But it is a 100Mb/s link, not 2Mb/s. And we don't use it very heavily.

That's only 40% of the latency of this link with fifty fold the bandwidth. The difference will be very noticeable.

Ambarishrh

@Reid-Cooper Sorry for not explaining the whole situation on my initial post.

We are part of a global company now. Now for maintaining IT, each locations has their own offices which centralises that regions agency/acquired companies. In our case India comes under the IT company of APAC (Asia pacific) which connects to their datacenter in asia and UAE managed by this regions IT company connecting to a different datacenter.
I think we are the first one who has branches of companies which comes under different IT setup/regions. So India users connecting to the asia datacenter on MPLS, same here in UAE connecting to the other datacenter. But the connecting between these two datacenter are not MPLS, but on IPSEC, not sure why this was done this way.

Riverbed, as I've seen from their demo video, caches the files once accessed, so even though it might not fix the latency issue, users will have faster access to the files. We are still in touch with their IT teams to find a possible solution

Reid Cooper

@ambarishrh said:

Riverbed, as I've seen from their demo video, caches the files once accessed, so even though it might not fix the latency issue, users will have faster access to the files. We are still in touch with their IT teams to find a possible solution

You can do that with Windows Branch Cache too.

Reid Cooper

@ambarishrh So you have MPLS to one datacenter, then IPSec between datacenters on the open Internet and then MPLS to the last office? So three legs instead of two? That could easily explain the latency. It's not the IPSec that is likely the issue but that you are doing three hops instead of one. That's not a trivial amount of extra communications and depending on the locations you might have a lot of latency at any given point.

You could pretty easily measure each hop's latency to see where things are a problem.

StrongBad

That is a very complicated setup. Since they have the MPLS, why aren't they using it? MPLS is not a technology for point to point connections but for making a mesh behind the scenes. If they are not using the MPLS to connect all of the points together it sounds like someone in the networking department is confused as to how MPLS works.

Ambarishrh

well no comments on that!

Dashrender

Let me throw a monkey wrench into all of this, are you sure that the IPSec isn't going over the MPLS network?
Showden provided documentation that proved that the NSA was jacked in at the carrier level, so if you aren't encrypting your traffic when it travels over someone else's physical network, even a carriers, expect it to be snooped on. (stepping down).

Anyhow, so the IPSec might be running over the MPLS network.

scottalanmiller

@Dashrender said:

Let me throw a monkey wrench into all of this, are you sure that the IPSec isn't going over the MPLS network?
Showden provided documentation that proved that the NSA was jacked in at the carrier level, so if you aren't encrypting your traffic when it travels over someone else's physical network, even a carriers, expect it to be snooped on. (stepping down).

Anyhow, so the IPSec might be running over the MPLS network.

This isn't in the US.

Dashrender

@scottalanmiller said:

@Dashrender said:

Let me throw a monkey wrench into all of this, are you sure that the IPSec isn't going over the MPLS network?
Showden provided documentation that proved that the NSA was jacked in at the carrier level, so if you aren't encrypting your traffic when it travels over someone else's physical network, even a carriers, expect it to be snooped on. (stepping down).

Anyhow, so the IPSec might be running over the MPLS network.

This isn't in the US.

Like that matter.

Reid Cooper

Have you had a chance to test the individual legs of your connections to see if you can determine between which ones the latency is being introduced? Or perhaps it is coming a little bit from all of them?

scottalanmiller

Ping.

A Former User

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

Let me throw a monkey wrench into all of this, are you sure that the IPSec isn't going over the MPLS network?
Showden provided documentation that proved that the NSA was jacked in at the carrier level, so if you aren't encrypting your traffic when it travels over someone else's physical network, even a carriers, expect it to be snooped on. (stepping down).

Anyhow, so the IPSec might be running over the MPLS network.

This isn't in the US.

Like that matter.

Like they don't have some way to get through your encryption.

We lease a lot of fiber here (all 10Gb) but even with that I still using a VPN over it to encrypt it. Makes me sleep better
But I'm using all Pfsense now here (due to cisco's new costs when I replaced the cisco routers.) And because I'm lazy and hub/spoke for the VPN doesn't work for us I used TINC VPN http://www.tinc-vpn.org/

A Former User

Just a though if you can't upgrade your connection, have you consider DFS?

Also What router are using using the Encryption of the VPN on some routers can slow them down a heck of a lot.

JaredBusch

@thecreativeone91 said:

Also What router are using using the Encryption of the VPN on some routers can slow them down a heck of a lot.

Very true.

OpenVPN is a very poor VPN choice if you want high throughput. IPSEC is pretty much the best choice for that as long as you have some hardware offload for the encryption. Without hardware offload, pretty much everything is going to be the same. The max bandwidth will be directly tied to how much CPU power is available.

scottalanmiller

OpenVPN is about flexibility. Definitely slow. IPSec for speed.

JaredBusch

@scottalanmiller said:

OpenVPN is about flexibility. Definitely slow. IPSec for speed.

Well slow is a relative term in this situation. OpenVPN is slow compared to IPSEC. But an example of OpenVPN on an Ubiquiti EdgeMax LITE router can push ~14mbps. Very little site to site traffic will approach this limit since the general upload bandwidth that SMB in the US have access to is not that high anyway.

scottalanmiller

@JaredBusch VPN speeds are in latency terms. OpenSSL produces a bit more latency than IPsec does.