Meraki

Community

MX Throughput Clarification

Scott_L
Conversationalist
‎Jan 11 2024 1:00 PM
‎Jan 11 2024 1:00 PM

MX Throughput Clarification

Can someone clarify how throughput works on the MXs?  Using an MX67 for example.  Firewall throughput is 600Mbps, VPN throughput is 300Mbps and Security throughput is 300Mbps.  If you simply enable Auto-VPN and no security, does that mean you have capped the device at 300Mbps for ALL traffic weather it traverses a VPN tunnel or not?

0 Kudos
13 Replies 13
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 11 2024 1:05 PM
‎Jan 11 2024 1:05 PM

When all security features are enabled the maximum data rate is 300 Mbps for the MX67, Otherwise consider 600 Mbps  if it is disabled.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 11 2024 1:07 PM
‎Jan 11 2024 1:07 PM

The maximum data rate for traffic that is sent through a VPN tunnel is 300 Mbps for the MX67.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Scott_L
Conversationalist
‎Jan 11 2024 1:09 PM
‎Jan 11 2024 1:09 PM

Unfortunately that's not what supports says.  Are they wrong?

 

"Thank you for contacting Cisco Meraki Technical Support. My name is Joe and I'll be happy to assist you with this!

After checking your network it looks like you have your VPNs enabled, and our data sheet here indicates that speeds will cap at 300 when testing through VPN enabled devices."

0 Kudos
In response to Scott_L
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 11 2024 1:15 PM
‎Jan 11 2024 1:15 PM

Take a look at my last answer.

 

"The maximum data rate for traffic that is sent through a VPN tunnel is 300 Mbps for the MX67."

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Scott_L
Conversationalist
‎Jan 11 2024 1:19 PM
‎Jan 11 2024 1:19 PM

Thanks but I'm not sending traffic through the VPN tunnel.  A simple speed test not traversing the VPN caps out at 300Mbps on a 500Mbps fiber circuit.  I can replicate this in two locations.  That's why I asked in the original post if it caps all traffic.  And support simply says "VPN enabled device".

0 Kudos
In response to Scott_L
ww
Kind of a big deal
Kind of a big deal
‎Jan 11 2024 1:25 PM
‎Jan 11 2024 1:25 PM

Ips and amp are disabled?

No default route in the tunnel?

You have set uplink config to max?

0 Kudos
In response to ww
Scott_L
Conversationalist
‎Jan 11 2024 1:26 PM
‎Jan 11 2024 1:26 PM

Yes

Correct

Set uplink to 500Mbps to match circuit.

0 Kudos
In response to Scott_L
ww
Kind of a big deal
Kind of a big deal
‎Jan 11 2024 1:30 PM
‎Jan 11 2024 1:30 PM

What firmware version are you running?

Did you try speed test with autovpn disabled?

The speedtest is run from a lan client?

0 Kudos
In response to ww
Scott_L
Conversationalist
‎Jan 11 2024 1:36 PM
‎Jan 11 2024 1:36 PM

Firmware is 18.107.2

I did not try with autovpn disabled as I was not in a maintenance window where I could take it down.

Ran speed test from a lan client and used the dashboard test.  Same results both places.

 

I'm bringing another site online tomorrow morning with the exact same config.  I can try a speed test without the MX to verify the circuit.

0 Kudos
In response to Scott_L
Ryan_Miles
Meraki Employee
Meraki Employee
‎Jan 11 2024 1:59 PM
‎Jan 11 2024 1:59 PM

Be aware of this note on the throughput tool in dashboard https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Throughput_test_to...

 

I'm on a 1.2 Gbps connection. The throughput tool never shows more than 700 Mbps for my MX95. Whereas if I use the Insight speed test tool or test directly from a client I can hit the 1.2 Gbps limit (or at least 1 Gbps from a 1 Gbps connected wired client).

 

Without being able to see your config and dashboard/MX it's hard to give anymore direct feedback on what you're experiencing. 

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
ww
Kind of a big deal
Kind of a big deal
‎Jan 11 2024 1:16 PM
‎Jan 11 2024 1:16 PM

its not capped if you stay under the max wan limit configured at the Uplink configuration

 

Its more like the utilization would be on 100%  

For example when using 150Mb vpn you could have like 300Mb local routed traffic

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 11 2024 6:36 PM
‎Jan 11 2024 6:36 PM

I don't know the answer.

 

If you enable AutoVPN and no other security, I believe your AutoVPN throughput would still be 300Mb/s.  I believe this is related to the crypto throughput of the platform.  Hardware instructions are used to do the AES.  Content filtering, IPS and AMP use general CPU capacity.  The crypto functions use dedicated but separate silicon on the CPU.  It is more like a built-in co-processor.

I also believe this is based on maximum 1500 byte packets (probably a little smaller like 1480, not sure).  If you do minimum sized 64 byte packets the VPN throughput would be a lot less.

 

If you are really bored:
https://en.wikipedia.org/wiki/AES_instruction_set#ARM_architecture 

https://developer.arm.com/documentation/ddi0602/2023-12/SVE-Instructions/AESE--AES-single-round-encr... 

 

I could be completely wrong.

cmr
Kind of a big deal
Kind of a big deal
‎Jan 13 2024 11:33 AM
‎Jan 13 2024 11:33 AM

On an MX65 that I used as a spoke on the corporate SD-WAN with split tunnelling, I got 100Mb/s throughput to the datacentre, but 250Mb/s to the internet.  Therefore I'd expect you'd get 300Mb/s over the VPN and 500Mb/s to the internet...  I can't test now as I have moved and only have an 80Mb/s connection... 🙄

If my answer solves your problem please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.