Xeon E3 performance…

  • Want to be sure I am making correct assumptions here.

    Im trying to plan out a firewall that might be capable of handling gigabit VPN, and it appears that a Xeon E3 1220L should fit the bill (even without AES-NI).  Im basing that on http://www.servethehome.com/intel-xeon-e3-1220-sandy-bridge-benchmarks-review/, which indicates ~2.4GB/sec AES with hardware acceleration and ~400MB/s without (using an X3440 as a reference).

    Some of the threads seem to be indicating that core2duos (T7200) would have trouble pushing more than 630mbits plaintext, however, which has me wondering if there is more to OpenVPN throughput than simply openssl speed tests and TrueCrypt benchmarks.

    Am I missing something here, or does it sound like the Xeon E3 (3.1ghz) should be able to push real world 2-3gbits of OpenVPN without hardware acceleration, and ~19gbits with?

    And to clarify, Im looking for aggregate multi-gbps performance over a large number of clients, so in theory more cores should multiply the performance, correct?

    Finally, is it a fair bet, if my actual target is the low power version (E3 1220L, 2.2ghz), that I can simply divide the "known" benchmarks by 3.1/2.2 for a ballpark figure?

    A lot of my concern comes from the figures posted by Hacom here:
    and here:
    The second link in particular, as that is a Sandy Bridge i5 which is very similar to the Xeon E3, and they have it only pushing 200mbps IPsec– which seems really hard to believe given the number of cores and whatnot, when you compare it to old P4 performance.

  • Hi,

    I have a couple of Xeon E3-1220 (QuadCore != 1220L DualCore) Dell R210 Server using pfSense. As you see in my Post [1], they aren't able to push 1GB/sec with AES encryption (remember, pfSense don't use the AES-NI extension yet, but hopefully in Version 2.1).

    So without AES-NI or a really good hardware accelerator you have no chance to push multiple gbps  over VPN - even a "more horsepower" CPU wouldn't fix the gap.

    Another point you have to keep in mind is the size of the packets you have to route on your links. It has a huge impact of the CPU Performance at the time you want push multiple GB links.

    [1] http://forum.pfsense.org/index.php/topic,37682.0.html

  • Unless I am misreading your post, it is showing 148,000,000 bytes per second (AES192, which is what I will use due to the timing attacks on 256), which is 1gbit/s.  I was also assuming that the test only used a single core, so if I had 2 clients, I could possibly get 750mbit - 1gbit per client (possibly a little less due to losing turbo when using both cores).  Or am I wrong somewhere?

    Would you be willing / able to do an iPerf test over OpenVPN to test the real world performance?

    And either way, I was looking at crypto cards, and understand the VPN14x1 series to be in popular use.  Is that the one that is often recommended?  What about the Exar DX 1700 series?

Log in to reply