VPN gateway traffic control and shaping

patricktam used Ask the Experts™
We are a sizable organization in the AsiaPac region. We have set up a VPN gateway and are accepting VPN clients to remotely access the company's internal resources. We have around 200 VPN users sharing a 7 Mbps internet connection, and the bandwidth max-out situation occurs quite often. As our IT staff's networking skill set is relatively low, we would like some advice on any support for traffic control or shaping such that we could limit the bandwidth usage for each VPN session. This will prevent any one user from consuming a huge amount of bandwidth and jeopardizing the whole internet incoming/outgoing resources.

Your suggestion is very much appreciated.

Thank you
Exec Consultant
Distinguished Expert 2018
Concurrent VPN user and session limiting for managing the users can be effective if the gateway supports it. Most VPN boxes should have it, such as:
- traffic shaping (limit the flow of traffic)
- traffic policing (traffic that exceeds the speed limit on the interface is dropped)
e.g. The class-map matches specific traffic to be prioritized. This class-map is then used in the policy-map, which specifies the action to take (here it is prioritization of the traffic that matches the traffic defined in the class-map). See some examples and figures in the context of outbound traffic itself too: https://supportforums.cisco.com/document/7011/asa-qos

Some boxes can go into adding quality of service to themselves, specifically defining the bandwidth dedicated to certain applications and enforcing queuing policies. Therefore your critical application could be guaranteed a certain minimum bandwidth and a place in a priority queue. Furthermore, if identity using RADIUS or a NAC enforcer is available or interfaced, such traffic could be specifically limited depending on who the user is or what his job function is.

We do want to segregate those real-time streaming or live conference sessions, or even go into appl filtering, that hold persistent sessions and continuously occupy the majority of the bandwidth. This can cause starvation inadvertently. E.g. in some deployments, where split tunnel is disabled due to policy, all internet access and internal services for the user will go through that same VPN tunnel established. If there is no control of web usage, especially P2P, real-time streaming services (internet radio) etc., this can be a bottleneck as a "bandwidth eater".

So this is more of a general overview for reviewing with existing devices (it may not be just relying on the VPN box though):
- traffic shape the pipe to segregate out VPN traffic from the rest for prioritising in the queue;
  (e.g. consider assigning priorities/bandwidth constraints (%) on the interface, traffic groups by subnet, tunnel interface etc.)
- police the pipe for VPN on concurrent users and bandwidth (cum burst) for the queue;
  (e.g. consider assigning loss priority, burst size and queue depth etc.)
- police the pipe for VPN user access to critical appls (and some may even have geolocation blocking or allowed timeslots);
  (e.g. consider assigning based on application (and/or source/user/location/time) into a different class)
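As an added illustration of the class-map / policy-map approach the answer above refers to (this is example configuration written for this thread, not taken from the Cisco document or from the poster's gateway), here is a per-client policing policy for remote-access VPN users on a Cisco ASA. The tunnel-group name REMOTE-VPN, the per-client rate of 256 kbps, the burst of 16000 bytes and the interface name "outside" are all assumptions for this example; the tunnel group must already exist on the gateway.

```cisco
! Constructed example: police each remote-access VPN client to 256 kbps on the
! download direction. The tunnel-group name, rates and interface are assumptions.
!
! Match traffic belonging to the remote-access tunnel group. Adding
! "match flow ip destination-address" makes the policer apply per destination
! flow, i.e. per connected VPN client, rather than to the tunnel group as a whole.
class-map VPN-CLIENT-FLOWS
 match tunnel-group REMOTE-VPN
 match flow ip destination-address
!
! Policing drops traffic above the conform rate (bits per second) once the
! burst allowance (bytes) is used up. Shaping would instead queue it.
! 256000 bps per client leaves room for roughly 27 saturating clients on a
! 7 Mbps link before the uplink itself maxes out.
policy-map VPN-POLICE
 class VPN-CLIENT-FLOWS
  police output 256000 16000
!
! Apply the policy on the interface where the VPN clients terminate.
service-policy VPN-POLICE interface outside
```

The policer above only limits traffic leaving the gateway towards the clients, which is the direction that usually fills the link when users browse or stream through a non-split tunnel. The upload direction can be policed with a separate "police input" action in the same class. Whatever rate is chosen, the gateway can still reach the link ceiling once enough clients are active at their individual cap, so the per-client limit protects fairness between sessions rather than replacing a bandwidth upgrade.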
Blue Street Tech
Last Knight
Distinguished Expert 2018
Hi Patrick,

What make/model equipment do you have?

Of the 200 users, how many are concurrent? With 7 Mbps, if everyone were to utilize the connection, that would leave each user with 35 Kbps! Even if 25% of the users were concurrent, that only provides 140 Kbps - it's simply not enough. Regardless of traffic shaping or not, you need more bandwidth.
