To understand the real throughput capacity of NSX IPSec in SoftLayer, I built a quick IPSec performance testing environment.
Below is the network topology of my testing environment:
NSX version: 6.2.4
NSX Edge: X-Large (6 vCPUs and 8GB Memory), which is the largest size NSX offers. All of the Edges in this testing environment reside in the same vSphere cluster, which includes 3 ESXi hosts. Each ESXi host has 64GB DDR4 Memory and 2 processors (2.4GHz Intel Xeon-Haswell (E5-2620-V3-HexCore)).
IPerf Client: Redhat 7.1 (2 vCPUs and 4GB Memory)
IPerf Server: Redhat 7.1 (2 vCPUs and 4GB Memory)
IPerf version: IPerf3
2 IPsec tunnels are built as shown in the above diagram. The IPSec settings are:
- Encryption: AES-GCM
- Diffie-Hellman Group: DH5
- PFS (Perfect Forward Secrecy): Enabled
- AESNI: Enabled
- Test Case 1: 1 IPerf Client (172.16.31.0/24) to 1 IPerf Server (172.16.32.0/24) via 1 IPsec Tunnel. Result: between 1.4-2Gbit/s.
- Test Case 2: 2 IPerf Clients (172.16.31.0/24) to 2 IPerf Servers (172.16.38.0/24) via 1 IPsec Tunnel. Result: around 1.6-2.3Gbit/s in total.
- Test Case 3: 2 IPerf Clients (172.16.31.0/24) to 2 IPerf Servers (1st Server in 172.16.32.0/24 network and 2nd Server in 172.16.38.0/24 network) via 2 IPsec Tunnels. Result: around 2.4-2.6Gbit/s in total.
- Firewall function on NSX Edge is disabled in all test cases.
- TCP traffic is used in all 3 test cases. 10 parallel streams are used to push the performance test to the max on each IPerf Client.
- I didn’t see any CPU or memory contention in any test case: the CPU utilisation of NSX Edge was less than 40% and memory utilisation was nearly zero.
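
One way to turn per-client results into the "in total" ranges quoted for test cases 2 and 3, as an added example (not the author's tooling): it reads each client's `iperf3 --json` output, checks that the run really was TCP with 10 parallel streams, and sums the clients interval by interval. It assumes the clients were started at the same time; the `sample` helper and its numbers are constructed, not measurements from this test.

```python
import json

def load_run(text, expect_streams=10):
    """Parse one client's `iperf3 --json` output and check it matches the test plan."""
    run = json.loads(text)
    if "error" in run:                       # iperf3 reports failures in a top-level "error"
        raise ValueError("iperf3 error: " + run["error"])
    ts = run["start"]["test_start"]
    if ts["protocol"] != "TCP" or ts["num_streams"] != expect_streams:
        raise ValueError(f"unexpected setup: {ts['protocol']} x{ts['num_streams']}")
    return run

def summarize(runs):
    """Combine simultaneous clients into one total, interval by interval."""
    per_client = [[iv["sum"]["bits_per_second"] for iv in r["intervals"]] for r in runs]
    n = min(len(s) for s in per_client)      # clients rarely stop on the same second
    totals = [sum(s[i] for s in per_client) / 1e9 for i in range(n)]
    received = sum(r["end"]["sum_received"]["bits_per_second"] for r in runs) / 1e9
    return {
        "min_gbps": round(min(totals), 2),   # lowest combined interval
        "max_gbps": round(max(totals), 2),   # highest combined interval
        "avg_received_gbps": round(received, 2),
        "retransmits": sum(r["end"]["sum_sent"]["retransmits"] for r in runs),
    }

def sample(rates_bps, avg_bps, retransmits, streams=10):
    """Constructed stand-in for iperf3 JSON, reduced to the fields read above."""
    return json.dumps({
        "start": {"test_start": {"protocol": "TCP", "num_streams": streams}},
        "intervals": [{"sum": {"bits_per_second": r}} for r in rates_bps],
        "end": {"sum_sent": {"bits_per_second": avg_bps, "retransmits": retransmits},
                "sum_received": {"bits_per_second": avg_bps}},
    })

# Constructed numbers for two clients sharing one tunnel; not the author's measurements.
CLIENT_A = sample([900_000_000, 1_100_000_000, 1_000_000_000], 1_000_000_000, 12)
CLIENT_B = sample([800_000_000, 1_200_000_000, 1_000_000_000], 1_000_000_000, 30)

if __name__ == "__main__":
    print(summarize([load_run(CLIENT_A), load_run(CLIENT_B)]))
```

A rising retransmit count alongside low Edge CPU points at loss or queueing on the path rather than at the encryption work itself.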