Management and Configuration Guide (Includes ACM xl) 2005-12

4-58 ProCurve Secure Access 700wl Series Management and Configuration Guide
Configuring Rights
currently in force for that client. This implementation does not attempt to shape bandwidth usage; it simply enforces a per-client cap, so traffic above the cap is dropped rather than queued.
Because bandwidth limits are set in the Access Policy, you can set different limits for different sets of
clients even if they are connecting through the same physical port. The bandwidth limit is imposed per
client—even if there is additional bandwidth available on the specific port, a given client will be limited
to the specified limit, and cannot take advantage of the additional unused bandwidth.
For non-TCP traffic, these bandwidth limits work in a straightforward manner. For TCP traffic, there are
some performance considerations that may limit the throughput to less than the configured limit,
especially if client traffic is being encrypted (using IPSec or PPTP).
If a client is logged onto the 700wl Series system using PPTP or IPSec for encryption, the overhead of packet encryption may somewhat reduce the actual throughput relative to the specified limit. If encrypted traffic is tunneled between Access Controllers due to
client roaming, throughput may be further affected. When a client roams between Access Controllers,
existing client sessions are tunneled through the new Access Controller back to the original Access
Controller. For non-encrypted traffic, new sessions initiated after the roam may be handled directly by
the new Access Controller, but even new sessions involving encrypted traffic are tunneled back to the
original Access Controller. For non-encrypted traffic that is tunneled, bandwidth limits are enforced
both on the new Access Controller (to avoid tunneling packets that should be dropped) and on the
original Access Controller, which makes the actual determination of whether to drop packets. However,
with encrypted packets the new Access Controller cannot determine which packets should be dropped
and thus tunnels all to the original Access Controller.
If the 700wl Series system is used to pass through encrypted traffic and is not the termination of the
VPN, the bandwidth limitation algorithm cannot use the packet contents to help determine which
packets to drop. In this case, it adopts a very conservative algorithm to ensure that throughput will not
exceed the configured limits, and in this case may in fact result in throughput below the configured
limits.
In general, when setting bandwidth limits, you may need to adjust your bandwidth settings based on
actual client experience. If clients are experiencing bandwidth significantly below the configured limits,
you may want to increase the limits so that throughput more closely approaches the limits you intend.
Note: If you are measuring throughput at layer 2, the actual bandwidth includes headers, acknowledgements, etc. in addition to the data itself, and these must be taken into account. For example, transferring a 10 megabit file via FTP at 1 Mbit/sec will take more than 10 seconds because of the additional information involved in the transfer.
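The following is an added illustration of the behaviour described in this section and in the note above; it is not code from the 700wl Series product or this guide. It models the per-client cap as a token-bucket policer (an assumption: the guide does not say how the limit is implemented), counts layer-2 frame bytes against the cap, and drops rather than queues anything over the limit. Driving a client at line rate with constructed frame sizes shows why the application-level goodput lands below the configured figure, and further below it when tunnel or encryption headers are added. All frame sizes, overhead values and rates are constructed for the example.

```python
"""Per-client bandwidth cap modelled as a policer (drop, not shape).

Added example, not from the 700wl documentation. The token-bucket model
and every number below are assumptions chosen to illustrate the text.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate_bps: float          # configured per-client limit, in bits/sec
    burst_bytes: int         # bucket depth: how many bytes may pass at once
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)

    def allow(self, now: float, frame_bytes: int) -> bool:
        # Refill at the configured rate, never beyond the bucket depth.
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last) * self.rate_bps / 8)
        self.last = now
        if frame_bytes <= self.tokens:
            self.tokens -= frame_bytes
            return True
        return False  # policer: the frame is dropped, never delayed


class PerClientPolicer:
    """One bucket per client. The port's spare capacity plays no part:
    a capped client cannot use headroom left by other clients."""

    def __init__(self, limits_bps: dict[str, float], burst_bytes: int = 3000):
        self.buckets = {c: TokenBucket(r, burst_bytes) for c, r in limits_bps.items()}

    def admit(self, client: str, now: float, frame_bytes: int) -> bool:
        bucket = self.buckets.get(client)
        if bucket is None:
            return True  # no bandwidth limit in this client's Access Policy
        return bucket.allow(now, frame_bytes)


def goodput_under_cap(rate_bps: float, payload_bytes: int, overhead_bytes: int,
                      seconds: float = 10.0, burst_bytes: int = 3000) -> float:
    """Offer frames of payload+overhead bytes far faster than the cap allows
    and return the application-level bits/sec that survive the policer.
    The cap is applied to the whole layer-2 frame, as the note describes."""
    pol = PerClientPolicer({"client": rate_bps}, burst_bytes)
    frame = payload_bytes + overhead_bytes
    step = 1e-4                      # one frame offered every 100 microseconds
    t, delivered = 0.0, 0
    while t < seconds:
        if pol.admit("client", t, frame):
            delivered += payload_bytes
        t += step
    return delivered * 8 / seconds


if __name__ == "__main__":
    # Constructed sizes: 1460-byte TCP payload; 54 bytes of Ethernet/IP/TCP
    # headers; a further 73 bytes assumed for an encrypting tunnel wrapper.
    plain = goodput_under_cap(1_000_000, 1460, 54)
    tunnelled = goodput_under_cap(1_000_000, 1460, 54 + 73)
    print(f"configured cap: 1,000,000 bit/s")
    print(f"goodput, plain frames:     {plain:,.0f} bit/s")
    print(f"goodput, tunnelled frames: {tunnelled:,.0f} bit/s")
```

Both runs come in under the configured 1 Mbit/s, and the tunnelled case lower still, because the cap is spent on header bytes the client never sees as data. That is the gap the text says you may need to close by raising the configured limit until measured client throughput matches the limit you intend.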
The Timeout Tab
On the Timeout tab, you can specify two types of timeouts:
• The Linger Timeout, which specifies how long the 700wl Series system will continue to consider a client active after the Access Controller has determined that the client is no longer connected and has disassociated the client.
• A reauthentication timeout, which specifies a time limit on the validity of a user's authentication, even if the user has been continuously connected and active.