About VPN Tunneling Bandwidth Management Policies
Bandwidth management controls the rate of traffic sent or received on a network interface. Bandwidth management discards excess packets and ensures that a user is allocated a specified amount of bandwidth. Traffic less than or equal to the specified rate is guaranteed to be sent. Traffic exceeding the rate is either dropped or delayed.
The total guaranteed bandwidth and spare bandwidth amounts are tracked and updated as users log in and out. Spare bandwidth is defined as the administrator-configured maximum minus the total guaranteed bandwidth for logged-in users.
Guaranteed bandwidth and maximum bandwidths are defined at the role level. This limit applies to each user in the role and ensures that each user receives at least the guaranteed amount of bandwidth but no more than the configured maximum amount. When users are mapped to multiple roles, the higher limit is used. If you do not define a guaranteed bandwidth to a role, users in that role can still log in, but they are not guaranteed any bandwidth. That is, their guaranteed bandwidth is set to zero.
To ensure the system does not allow more bandwidth than the total available, the ability to start VPN tunnels is restricted. Users can start a VPN tunnel only if the guaranteed bandwidth for their role is available. Once users start a session, they are never dropped due to bandwidth restrictions. A privilege level controls this restriction as shown in the following table.
Privilege Levels and Percent of Maximum Bandwidth

| Privilege Level | Percent of Maximum Bandwidth |
|---|---|
| Low | Limited to 50% |
| Medium | Limited to 75% |
| High | Limited to 90% |
| Maximum | Limited to 100% |
For example, users assigned to a low privilege level are able to launch a VPN tunnel if the total current bandwidth usage is less than 50% of the configured Maximum Bandwidth. Users assigned to the maximum privilege level are able to launch a VPN tunnel at any time as long as there is any system bandwidth available.
When a user attempts to launch a VPN connection, the sum of the Guaranteed Minimum Bandwidth of all open VPN connections is divided by the configured Total Bandwidth. If the resulting value is less than the configured privilege level of this user, then the user's VPN connection is established. Otherwise, the connection request is denied. For example, if the user's privilege is 75% and the calculated current consumption is 70%, the user's VPN connection is established. If the calculated current consumption is 80%, the user's connection request is denied and the user receives a 23791 error code.
We recommend that average employees be given Low or Medium privilege levels. Higher privilege employees can be assigned the Maximum privilege level to ensure intranet access as long as there is bandwidth available.
If a user does not have the bandwidth to set up any VPN tunnels, the user can still log in but is restricted in what they can do. For example, they may only be able to access web e-mail, etc.
A guaranteed minimum bandwidth is the bandwidth a user gets once a VPN connection is established. If the remaining VPN bandwidth is smaller than the guaranteed minimum bandwidth, the user's VPN connection request is denied and the user receives a 23791 error code. The Guaranteed Minimum Bandwidth must be smaller than the Maximum Bandwidth.
Maximum bandwidth is the bandwidth a user can use through the VPN connection. This is a limit on how much the user can use if there is bandwidth available. For example, if the user's maximum bandwidth is 100 kbps, the user cannot use more than 100 kbps regardless of how much bandwidth is available.
Statistics for bandwidth management are recorded in the system snapshots.
Before using VPN tunneling bandwidth management policies, you must specify the maximum bandwidth and VPN maximum bandwidth values for the appliance.
User is Mapped to Multiple Roles
The following decision process is made when a user is mapped to multiple roles:
•Calculate the Bandwidth management policies based on the privilege level defined.
•The current used bandwidth percentage is calculated and compared with the privilege levels of the Bandwidth management policy of the mapped roles.
•All bandwidth management policies whose privilege levels do not allow the user to set up VPN tunnels are discarded.
•Compare the matched bandwidth management policies and choose the one with the highest guaranteed minimum bandwidth. If more than one policy with the highest guaranteed minimum bandwidth exists, the policy with the highest maximum bandwidth wins.
For example, a user is mapped to 3 roles and the bandwidth management policy for each role is as follows:

| | Role 1 | Role 2 | Role 3 |
|---|---|---|---|
| Minimum guaranteed bandwidth | 100 Mbps | 200 Mbps | 100 Mbps |
| Maximum guaranteed bandwidth | 500 Mbps | 400 Mbps | 400 Mbps |
| Privilege level | Medium | High | Maximum |

If the current total used bandwidth is at 80%:
•Since role 1's privilege is not enough to allow this user to set up a VPN tunnel, role 1's bandwidth management policy is ignored.
•Role 2's policy has a higher minimum guaranteed bandwidth than role 3, so role 2 wins. The user receives a 200 Mbps minimum guaranteed bandwidth and 400 Mbps maximum guaranteed bandwidth.
However, if the current total used bandwidth is 92%, only role 3's privilege allows the user to set up an NC tunnel, so role 3's bandwidth management policy is used. Thus the user has a 100 Mbps minimum guaranteed bandwidth and 400 Mbps maximum guaranteed bandwidth.
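The admission check described earlier (sum of the guaranteed minimums of open connections divided by the Total Bandwidth, compared with the user's privilege level) and the multiple-role decision process above can be modelled in a few lines. The following Python is an added illustration, not code from the appliance or its vendor; the privilege percentages, the 23791 error code and the three example roles come from the text, while the 10000 Mbps total bandwidth and the open-connection figures are constructed values, and the ordering of the spare-bandwidth check after policy selection is an assumption the text does not state.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Tuple

# Admission privilege levels from the table in the text: a user may start a
# VPN tunnel only while current consumption is below this percentage of the
# configured Maximum Bandwidth.
PRIVILEGE_PERCENT = {"Low": 50, "Medium": 75, "High": 90, "Maximum": 100}

# Error code the text says the user receives when a tunnel request is denied.
DENIED_ERROR_CODE = 23791


@dataclass(frozen=True)
class BandwidthPolicy:
    """One role's bandwidth management policy. Bandwidth values are in Mbps."""
    role: str
    privilege: str       # key of PRIVILEGE_PERCENT
    guaranteed_min: int  # Guaranteed Minimum Bandwidth
    maximum: int         # Maximum Bandwidth


def current_consumption_percent(open_guaranteed_mins: Iterable[int], total_bandwidth: int) -> float:
    """Sum of the Guaranteed Minimum Bandwidth of all open connections, divided by
    the configured Total Bandwidth, expressed as a percentage."""
    return 100.0 * sum(open_guaranteed_mins) / total_bandwidth


def admission_allowed(privilege: str, consumption_percent: float) -> bool:
    """Admission check from the text: consumption must be below the privilege level."""
    return consumption_percent < PRIVILEGE_PERCENT[privilege]


def select_policy(policies: Sequence[BandwidthPolicy], consumption_percent: float) -> Optional[BandwidthPolicy]:
    """Multiple-role decision process: discard policies whose privilege level does
    not admit the user, then pick the highest guaranteed minimum, breaking ties
    on the highest maximum. Returns None when no policy admits the user."""
    candidates = [p for p in policies if admission_allowed(p.privilege, consumption_percent)]
    if not candidates:
        return None
    return max(candidates, key=lambda p: (p.guaranteed_min, p.maximum))


def request_tunnel(policies: Sequence[BandwidthPolicy], open_guaranteed_mins: Sequence[int],
                   total_bandwidth: int) -> Tuple[Optional[BandwidthPolicy], Optional[int]]:
    """Evaluate a tunnel request. Returns (policy, None) when the connection is
    established, or (None, DENIED_ERROR_CODE) when it is denied. Checking the
    spare bandwidth after the policy is chosen is an assumption (the text does
    not state the order)."""
    consumption = current_consumption_percent(open_guaranteed_mins, total_bandwidth)
    policy = select_policy(policies, consumption)
    if policy is None:
        return None, DENIED_ERROR_CODE
    # Spare bandwidth: configured total minus the guaranteed minimums already committed.
    spare = total_bandwidth - sum(open_guaranteed_mins)
    if spare < policy.guaranteed_min:
        return None, DENIED_ERROR_CODE
    return policy, None


# Constructed sample: the three roles from the worked example in the text.
EXAMPLE_ROLES = (
    BandwidthPolicy("Role 1", "Medium", 100, 500),
    BandwidthPolicy("Role 2", "High", 200, 400),
    BandwidthPolicy("Role 3", "Maximum", 100, 400),
)
# Constructed appliance figure (the text gives only percentages): 10000 Mbps total.
EXAMPLE_TOTAL_MBPS = 10000


if __name__ == "__main__":
    for used in (8000, 9200, 10000):  # 80%, 92% and 100% consumption
        policy, err = request_tunnel(EXAMPLE_ROLES, [used], EXAMPLE_TOTAL_MBPS)
        print(f"{used} Mbps committed -> policy={policy.role if policy else None} error={err}")
```

At 80% consumption the script selects Role 2 (the higher guaranteed minimum among the admitting roles); at 92% only Role 3's Maximum privilege still admits the user; at 100% every policy is discarded and the request returns the 23791 code.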
Writing a VPN Tunneling Bandwidth Management Resource Policy
To write a VPN tunneling bandwidth management resource policy:
1.In the admin console, choose Users > Resource Policies > VPN Tunneling > Bandwidth Management.
2.On the Bandwidth Management page, click New Policy.
3.On the New Policy page, enter:
•A name to label this policy.
•A description of the policy (optional).
4.In the Bandwidth Management Settings section, specify:
•Admission Privilege Level - Select the percentage of the maximum bandwidth that allows users to start a VPN session. Only when the bandwidth is below this percentage can users log in.
•Guaranteed Minimum Bandwidth - Specify the user's minimum bandwidth once they start a VPN session.
•Maximum Bandwidth - Specify the user's maximum bandwidth once they start a VPN session.
The maximum bandwidth must be less than or equal to the maximum rated value for the appliance.
5.In the Roles section, specify:
•Policy applies to ALL roles - To apply this policy to all users.
•Policy applies to SELECTED roles - To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.
•Policy applies to all roles OTHER THAN those selected below - To apply this policy to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.
6.Click Save Changes.