Bandwidth Management Policies

Starting with version 3.6.1, the VPN Concentrator enables you to define bandwidth management policies that can be applied for individual groups, LAN-to-LAN sessions, or an entire interface. These policies specify whether the concentrator is to perform traffic policing and traffic reservation. Traffic policing entails limiting members of a VPN session to a defined bandwidth range. Any traffic that exceeds this traffic envelope is dropped. In contrast, bandwidth reservation is used to guarantee a defined amount of bandwidth for a VPN session. By using this tactic, a VPN session can receive a defined amount of bandwidth when the Internet link's bandwidth is being exhausted by multiple sessions. If there are only a few users connected to the concentrator, they share all the bandwidth of the Internet link. As such, bandwidth reservation is useful only when there are too many sessions and the Internet link's bandwidth is consumed.

Alert: Bandwidth management policies are a new topic for the 642-511 exam. It goes without saying that because this is a new testable topic, it will appear on the exam. Specifically, it is important to understand bandwidth reservation and bandwidth policing policies and what parameters can be configured for each.


As mentioned before, these policies can be applied to groups so that members of that group inherit that bandwidth policy. When the bandwidth policy is applied to an interface, all sessions that do not have an assigned policy inherit that particular interface's policy. As you will see later in this chapter, LAN-to-LAN tunnels can also utilize this advanced feature when connecting to other concentrators or IPSec-compliant gateways.

Tip: Be careful when configuring bandwidth reservation policies that are applied to an interface. If there are already multiple established sessions and the concentrator cannot deliver the reserved bandwidth for any additional sessions, those sessions will not be allowed to connect. One possible solution is to create a reservation policy with a low minimal bandwidth reservation value (for example, 8Kbps) and assign it to the interface. For users who require specific reserved amounts of bandwidth, create a separate reservation policy with a higher bandwidth reservation value and assign the policy to the user's group. The group's policy settings override the policy applied to the interface.


Configuring the concentrator for bandwidth management requires only a few simple steps. Initially, you have to define the policy to specify whether you want to enforce traffic policing, traffic reservation, or both. This policy definition occurs at the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify screen, as shown in Figure 6.11. Here, you can define a name for your policy, followed by your bandwidth policy parameters. If you want to implement bandwidth reservation, you need to check the appropriate box and specify the amount of bandwidth you are reserving in this policy. Bandwidth policing, if checked, requires that you specify the bandwidth rate cap this policy is enforcing. Constant sustained traffic that exceeds this rate is dropped; however, the concentrator's bandwidth management enables you to specify a burst limit in bytes for intermittent traffic that has a tendency to burst over the policed rate.

Figure 6.11. Bandwidth management policy definition.


Alert: Remember that the Bandwidth Reservation field enables you to define a minimum reserved bandwidth, and Policing fields enable you to specify a policing rate and a normal burst size.


For example, suppose Mr. Ed has a habit of consuming a good portion of the concentrator link's bandwidth to transfer files from the central office to his laptop. To ensure that his transfers do not affect the throughput for the rest of the remote access sessions, the concentrator administrator decided to apply a policing bandwidth policy to Mr. Ed's group, Not-So-Human Resources. As depicted in Figure 6.11, the policing rate configured for Mr. Ed is 64Kbps. Additionally, because file transfer traffic tends to be bursty at times, the transfer is allowed to burst over 64Kbps up to 10,500 bytes before packets begin to drop.
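The following sketch is an added example, not code from the book or from the concentrator. It models the Bandwidth Hog policy as a single-rate token bucket, which is an assumption about how a policing rate and burst size interact, and it takes 64Kbps to mean 64,000 bits per second. The traffic patterns are constructed for illustration.

```python
class Policer:
    """Single-rate token-bucket model of a policing policy (assumed model)."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last_ms = 0

    def offer(self, now_ms, size_bytes):
        """Return True if the packet is forwarded, False if it is dropped."""
        refill = (now_ms - self.last_ms) * self.rate_bps / 8000.0  # bytes earned
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False


def simulate(packets, rate_bps=64000, burst_bytes=10500):
    """packets: list of (time_ms, size_bytes). Returns (bytes forwarded, bytes dropped)."""
    policer = Policer(rate_bps, burst_bytes)
    forwarded = dropped = 0
    for now_ms, size in packets:
        if policer.offer(now_ms, size):
            forwarded += size
        else:
            dropped += size
    return forwarded, dropped


# Constructed traffic, not captured from a real session.
# 1) Ten 1500-byte packets arriving at once: the burst allowance covers seven.
instant_burst = [(0, 1500)] * 10
# 2) A file transfer offering 120Kbps for 10 seconds (1500 bytes every 100 ms).
sustained = [(t, 1500) for t in range(0, 10000, 100)]
# 3) A flow at 48Kbps (600 bytes every 100 ms), which stays under the policed rate.
compliant = [(t, 600) for t in range(0, 10000, 100)]

if __name__ == "__main__":
    for name, pkts in [("burst", instant_burst), ("sustained", sustained),
                       ("compliant", compliant)]:
        fwd, drop = simulate(pkts)
        print(f"{name:10s} forwarded={fwd:6d} bytes  dropped={drop:6d} bytes")
```

In the sustained case the initial burst allowance is spent within the first 1.3 seconds, after which throughput settles at the policed rate and the excess is dropped.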

After the policy is created, you must assign it to an interface (typically the public interface). Recall that any policy that is assigned to the interface is applied to all sessions that do not have a group or LAN-to-LAN policy associated with them. As illustrated in Figure 6.12, you must enable bandwidth management and define the link bandwidth (the default assumes that the link is a T1 with a bandwidth of 1544Kbps). It is important to note that this bandwidth represents the Internet link speed, and not the bandwidth of the Ethernet interface. After you have accurately defined your link speed, you can assign the defined policy to the interface by selecting it in the drop-down menu.

Figure 6.12. Bandwidth policy interface assignment.


Notice in the example that the Bandwidth Hog policy was not assigned to the interface. Because a policy must be assigned to the interface when you enable bandwidth management, another policy had to be created so that not all users would get associated with the 64Kbps policing policy. Thus, the Others bandwidth policy was created with a capped rate of 1544Kbps (the entire link speed) for users not belonging to Mr. Ed's group. With this configuration in place, connecting users not associated with Mr. Ed's group will be policed, but at the full link's bandwidth, which is essentially not policing at all. However, when users in Mr. Ed's Not-So-Human Resources group connect to the concentrator, the bandwidth policy assigned to that group will override the interface's policy and those users will be policed at 64Kbps.

To apply the policy to an individual group, select the group in the User Management screen and choose the Bandwidth Assignment button as shown in Figure 6.13.

Figure 6.13. Bandwidth management group selection.


After you select the interface for this policy, once again, you need to assign a policy; however, this time it is assigned to the individual group. In the example shown in Figure 6.14, the Not-So-Human Resources group is assigned the Bandwidth Hog bandwidth policy. With this policy assigned to the group, users in the Not-So-Human Resources group will have their sessions policed to 64Kbps. However, users that are not in the group will inherit the Others policy, which caps users on that public interface to the full link speed of 1544Kbps.

Figure 6.14. Bandwidth policy group assignment.


Figure 6.14 also displays a field that enables you to define an aggregate bandwidth. This option is a concept similar to bandwidth reservation, except bandwidth aggregation is used to reserve a portion of the total available bandwidth for a specific group. This is useful when you are applying a bandwidth reservation policy to an interface and you want to guarantee bandwidth to a group so its users will not be refused a session. In other words, if you define a value in this field, the bandwidth specified is allocated to that specific group and it cannot be utilized by any other group even if it is not used. Consider an example: If a group has been allotted 64Kbps out of the total link speed of 1544Kbps, its users are guaranteed that bandwidth when connecting. Thus, if the group contains two users and their bandwidth reservation policy is for 32Kbps, they will never be refused a connection. Users that are not members of this group share the remaining available bandwidth of 1480Kbps regardless of whether the users within that group are connected or not.
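The admission behavior described above and in the earlier tip can be checked with a small model. This is an added example, not code from the book or the concentrator. The group name "Engineering" is hypothetical, the 8Kbps interface reservation comes from the tip, and the rule that a group with an aggregate draws only from that aggregate is an assumption.

```python
class ReservationModel:
    """Admission control for reservation policies on one interface (values in Kbps)."""

    def __init__(self, link_kbps, interface_reserve_kbps):
        self.shared_free = link_kbps                 # not yet reserved or set aside
        self.interface_reserve = interface_reserve_kbps
        self.groups = {}                             # name -> [session reserve, aggregate left]

    def add_group(self, name, reserve_kbps, aggregate_kbps=None):
        if aggregate_kbps is not None:
            if aggregate_kbps > self.shared_free:
                raise ValueError("aggregate exceeds unreserved link bandwidth")
            self.shared_free -= aggregate_kbps       # held for the group even while unused
        self.groups[name] = [reserve_kbps, aggregate_kbps]

    def connect(self, group=None):
        """Return True if the session's reservation can be delivered, False if refused."""
        if group in self.groups:
            reserve, aggregate = self.groups[group]  # group policy overrides the interface
            if aggregate is not None:
                if aggregate < reserve:
                    return False
                self.groups[group][1] -= reserve
                return True
        else:
            reserve = self.interface_reserve         # no group policy: inherit interface
        if self.shared_free < reserve:
            return False
        self.shared_free -= reserve
        return True


def scenario(aggregate_kbps):
    """Fill a T1 with default 8Kbps sessions, then connect two 32Kbps group users."""
    model = ReservationModel(link_kbps=1544, interface_reserve_kbps=8)
    model.add_group("Engineering", reserve_kbps=32, aggregate_kbps=aggregate_kbps)
    admitted = 0
    while model.connect():                           # default users until one is refused
        admitted += 1
    return admitted, [model.connect("Engineering") for _ in range(2)]


if __name__ == "__main__":
    print("with 64Kbps aggregate:", scenario(64))
    print("without aggregate:    ", scenario(None))
```

With the aggregate in place, default sessions stop being admitted once the shared 1480Kbps is reserved, and both group users still connect. Without it, default sessions consume the whole link and the group users are refused.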



CSVPN Exam Cram 2 (Exam 642-511)
CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
EAN: 2147483647
Year: 2002
Pages: 185
