VPN bandwidth left for vpn tunnels

itdaddy

Hi,
I have no clue that is why I am asking the experts. Say you have an IPSEC tunnel across the to another vpn peer and say the pipe you are running over is say 50 MBPS only not 1/1 but just 50 MBPS. How do you determine the size of the vpn tunnel is throughput and speed? Can you set the size some how or is it wide open depending how much of the main pipe throughput is not being used? How can you calculate this? or set it? or not? thanks for your help.

Kreken

50MBps is a decent size pipe.. 400Mbps.

Anyway, the tunnel throughput is limited by hardware and in some cases by licenses. If the hardware max throughput is too high for your circuit, you can further limit it by QoS.

itdaddy

I mean sorry 50 Mbps not mega bytes I mean mega bits

itdaddy

So I can guarantee bandwidth so the other traffic does not squish\decrease the size of the vpn tunnel?

kohr-ah

I know this is CCIE thread so I am assuming Cisco but also is the equipment being used Cisco? A lot of products have the capabilities of assigning a traffic schema to the tunnel link which you can throttle the max limit as well.

itdaddy

yes cisco what else is there hahahh yeah I would think unless you use policies on it guaranteeing pipe size then how can you keep it from getting crushed?

Bardlebee

itdaddy wrote: »

Hi,
I have no clue that is why I am asking the experts. Say you have an IPSEC tunnel across the to another vpn peer and say the pipe you are running over is say 50 MBPS only not 1/1 but just 50 MBPS. How do you determine the size of the vpn tunnel is throughput and speed? Can you set the size some how or is it wide open depending how much of the main pipe throughput is not being used? How can you calculate this? or set it? or not? thanks for your help.

I could be wrong, been out of the firewall game for awhile. But it comes down to two factors. 1) the speed of the link between the tunnel, in this case you're saying for sake of argument that its 50Mbps and 2) the hardware that is sending data through the VPN.

Its hard to dictate how fast a VPN can go, there are other factors at play like per-hop speeds and bottlenecks. There is also the hardware limitation of your firewall. You have a 1 gig uplink but that doesn't mean you can send 1 gig of backups through a VPN tunnel, your CPU will max out trying to encapsulate all that data. Same thing for small and frequent packet sizes. The list kind of goes on. A lot of it has to do with the hardware model and how much it can send out.

So lets say, for sake of argument you have a great firewall, it can handle the uplink you give it, this case 50Mbps, in my mind your limitation will be the uplink, but if we get granular enough (and my QoS is fairly weak forgive me) I believe the majority, but not all of that speed will be given to you, as a small percentage will be saved for control plane. Though I may be wrong on the defaults of QoS and its interaction with a basic interface.

I'm not aware of a command that will share with you the speeds of the tunnel, because of the per-hop variable I imagine there may not be one. Hopefully I'm wrong and someone can correct me.

Mow

From what I have heard from Cisco reps, a Firepower update later this year is supposed to introduce some pretty comprehensive traffic shaping.

netdzgn

I am not familiar with firewalls' but with ISR G2's it's license-limited just as Kreken commented:

Cisco ISR G2 SEC and HSEC Licensing FAQ - Cisco

kohr-ah

Otherwise technically yes you are right you can do policies and policing but I dont know how that affects the tunnel depending on if you set the policy to drop traffic when it exceeds what you request.

itdaddy

thanks guys for the help. I will keep digging.

Simrid

If you are using a GRE tunnel, under the tunnel interface you can set the speed of the interface....Might help?

EricsLearning

If its an ASA you can use QOS to prioritize the tunnel traffic.