VPN gateway traffic control and shaping

We are a sizable organization in the AsiaPac region. We have set up a VPN gateway and accept VPN clients remotely accessing the company's internal resources. We have around 200 VPN users sharing a 7 Mbps internet connection, and the bandwidth max-out situation happens quite often. As our IT staff's networking skill set is relatively low, we would like some advice on any support for traffic control or shaping such that we could limit the bandwidth usage for each VPN session. This would prevent any one user from consuming a huge amount of bandwidth and jeopardizing the whole internet incoming/outgoing resources.

Your suggestions are very much appreciated.

Thank you

btan (Exec Consultant) commented:
Concurrent VPN user and session limiting for managing the users can be effective if the gateway supports it. Most VPN boxes should have it, such as:
- traffic shaping (limit the flow of traffic)
- traffic policing (traffic that exceeds the speed limit on the interface is dropped)
E.g. the class-map matches specific traffic to be prioritized. This class-map is then used in the policy-map, which specifies the action to take (here it is prioritization of the traffic that matches the traffic defined in the class-map). See some examples and figures in the context of outbound traffic itself too: https://supportforums.cisco.com/document/7011/asa-qos

Some boxes can go further and add quality of service to themselves, specifically defining the bandwidth dedicated to certain applications and enforcing queuing policies. Therefore your critical application could be guaranteed a certain minimum bandwidth and a place in a priority queue. Furthermore, if identity using a RADIUS or NAC enforcer is available or interfaced, such traffic could be specifically limited depending on who the user is or what his job function is.

We do want to segregate real-time streaming or live conferencing, or even go into application filtering for traffic that holds persistent sessions and continuously occupies the majority of the bandwidth. This can cause starvation inadvertently. E.g. in some deployments, where split tunnel is disabled due to policy, all internet access and internal services for the user go through the same established VPN tunnel. If there is no control of web usage, especially P2P, real-time streaming services (internet radio) etc., this can be a bottleneck as a "bandwidth eater".

So this is more of a general overview for reviewing with existing devices (it may not just rely on the VPN box, though):
- traffic shape the pipe to segregate VPN traffic from the rest for prioritizing in the queue
  (e.g. consider assigning priorities/bandwidth constraints (%) on the interface, traffic groups by subnet, tunnel interface etc.)
- police the pipe for VPN on concurrent users and bandwidth (cum burst) for the queue
  (e.g. consider assigning loss priority, burst size and queue depth etc.)
- police the pipe for VPN user access to critical applications (and some may even have geolocation blocks or allowed timeslots)
  (e.g. consider assigning based on application (and/or source/user/location/time) into a different class)
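The class-map / policy-map / service-policy chain described in the answer above, as an added Cisco ASA configuration example (not taken from the post or from the linked Cisco document). The tunnel-group name `RA-VPN`, the 256 kbps per-tunnel rate and the 8000-byte burst are assumed values; `match flow ip destination-address` is what makes the policer apply per client address (i.e. per VPN session) rather than to the tunnel group as a whole.

```cisco
! Match all traffic belonging to the remote-access tunnel group (assumed name RA-VPN)
! and treat each destination IP (each connected VPN client) as its own flow,
! so the rate limit below is enforced per session, not in aggregate.
class-map vpn-per-user
 match tunnel-group RA-VPN
 match flow ip destination-address

! Police each flow to 256 kbps (assumed cap) with an 8000-byte burst; excess is dropped.
! Output = gateway -> client (downloads), the direction that usually saturates the link.
policy-map vpn-qos
 class vpn-per-user
  police output 256000 8000 conform-action transmit exceed-action drop

! Bind the policy to the internet-facing interface (assumed nameif "outside").
service-policy vpn-qos interface outside

! Verification after applying (counters per class, conformed vs. exceeded packets):
! show service-policy interface outside police
```

With 7 Mbps shared by 200 users, a per-session cap only stops one client from starving the others; it does not create bandwidth, so watch the exceeded counters to judge whether the link itself is the real constraint.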

Blue Street Tech (Last Knight) commented:
Hi Patrick,

What make/model equipment do you have?

Of the 200 users, how many are concurrent? With 7 Mbps, if everyone were to utilize the connection, that would leave each user with 35 Kbps! Even if 25% of the users were concurrent, that only provides 140 Kbps - it's simply not enough. Regardless of traffic shaping or not, you need more bandwidth.