VPN bandwidth left for vpn tunnels

itdaddy Senior Member Posts: 2,089
Hi,
I have no clue, that is why I am asking the experts. Say you have an IPSEC tunnel across the to another VPN peer and say the pipe you are running over is say 50 MBPS only, not 1/1 but just 50 MBPS. How do you determine the size of the VPN tunnel is throughput and speed? Can you set the size somehow, or is it wide open depending on how much of the main pipe throughput is not being used? How can you calculate this? Or set it? Or not? Thanks for your help.

Comments

  • Kreken Member Posts: 284
    50MBps is a decent size pipe.. 400Mbps.

    Anyway, the tunnel throughput is limited by hardware and in some cases by licenses. If the hardware max throughput is too high for your circuit, you can further limit it by QoS.
  • itdaddy Senior Member Posts: 2,089
    Sorry, I mean 50 Mbps, not megabytes, I mean megabits.
  • itdaddy Senior Member Posts: 2,089
    So I can guarantee bandwidth so the other traffic does not squish/decrease the size of the VPN tunnel?
  • kohr-ah Member Posts: 1,277
    I know this is a CCIE thread so I am assuming Cisco, but is the equipment being used also Cisco? A lot of products have the capability of assigning a traffic schema to the tunnel link, with which you can throttle the max limit as well.
  • itdaddy Senior Member Posts: 2,089
    Yes, Cisco, what else is there, hahahh. Yeah, I would think unless you use policies on it guaranteeing pipe size, then how can you keep it from getting crushed?
  • Bardlebee Member Posts: 264
    itdaddy wrote: »
    Hi,
    I have no clue, that is why I am asking the experts. Say you have an IPSEC tunnel across the to another VPN peer and say the pipe you are running over is say 50 MBPS only, not 1/1 but just 50 MBPS. How do you determine the size of the VPN tunnel is throughput and speed? Can you set the size somehow, or is it wide open depending on how much of the main pipe throughput is not being used? How can you calculate this? Or set it? Or not? Thanks for your help.

    I could be wrong, been out of the firewall game for a while. But it comes down to two factors: 1) the speed of the link between the tunnel, in this case you're saying for sake of argument that it's 50Mbps, and 2) the hardware that is sending data through the VPN.

    It's hard to dictate how fast a VPN can go; there are other factors at play like per-hop speeds and bottlenecks. There is also the hardware limitation of your firewall. You have a 1 gig uplink but that doesn't mean you can send 1 gig of backups through a VPN tunnel; your CPU will max out trying to encapsulate all that data. Same thing for small and frequent packet sizes. The list kind of goes on. A lot of it has to do with the hardware model and how much it can send out.

    So let's say, for sake of argument, you have a great firewall and it can handle the uplink you give it, in this case 50Mbps. In my mind your limitation will be the uplink, but if we get granular enough (and my QoS is fairly weak, forgive me) I believe the majority, but not all, of that speed will be given to you, as a small percentage will be saved for control plane. Though I may be wrong on the defaults of QoS and its interaction with a basic interface.

    I'm not aware of a command that will share with you the speeds of the tunnel, because of the per-hop variable I imagine there may not be one. Hopefully I'm wrong and someone can correct me.
  • Mow Member Posts: 445
    From what I have heard from Cisco reps, a Firepower update later this year is supposed to introduce some pretty comprehensive traffic shaping.
  • netdzgn Registered Users Posts: 2
    I am not familiar with firewalls, but with ISR G2s it's license-limited, just as Kreken commented:

    Cisco ISR G2 SEC and HSEC Licensing FAQ - Cisco
  • kohr-ah Member Posts: 1,277
    Otherwise, technically yes, you are right, you can do policies and policing, but I don't know how that affects the tunnel depending on if you set the policy to drop traffic when it exceeds what you request.
  • itdaddy Senior Member Posts: 2,089
    Thanks guys for the help. I will keep digging.
  • Simrid Member Posts: 327
    If you are using a GRE tunnel, under the tunnel interface you can set the speed of the interface... Might help?
    Network Engineer | London, UK | Currently working on: CCIE Routing & Switching

    sriddle.co.uk
    uk.linkedin.com/in/simonriddle
  • EricsLearning Member Posts: 15
    If it's an ASA you can use QoS to prioritize the tunnel traffic.