You are here: Pulse Connect Secure > Pulse Connect Secure Administration Guide > Remote Access > VPN Tunneling > About VPN Tunneling Bandwidth Management Policies

About VPN Tunneling Bandwidth Management Policies

Bandwidth management controls the rate of traffic sent or received on a network interface. Bandwidth management discards excess packets and ensures that a user is allocated a specified amount of bandwidth. Traffic less than or equal to the specified rate is guaranteed to be sent. Traffic exceeding the rate is either dropped or delayed.

The total guaranteed bandwidth and spare bandwidth amounts are tracked and updated as users log in and out. Spare bandwidth is defined as the administrator-configured maximum minus the total guaranteed bandwidth for logged-in users.

Guaranteed bandwidth and maximum bandwidths are defined at the role level. This limit applies to each user in the role and ensures that each user receives at least the guaranteed amount of bandwidth but no more than the configured maximum amount. When users are mapped to multiple roles, the higher limit is used. If you do not define a guaranteed bandwidth to a role, users in that role can still log in, but they are not guaranteed any bandwidth. That is, their guaranteed bandwidth is set to zero.

To ensure the system does not allow more bandwidth than the total available, the ability to start VPN tunnels is restricted. Users can start a VPN tunnel only if the guaranteed bandwidth for their role is available. Once users start a session, they are never dropped due to bandwidth restrictions. A privilege level controls this restriction as shown in Table 97.

Table97: Privilege Levels and Percent of Maximum Bandwidth

Privilege Level

Percent of Maximum Bandwidth

Low

Limited to 50%

Medium

Limited to 75%

High

Limited to 90%

Maximum

Limited to 100%

For example, users assigned to a low privilege level are able to launch a VPN tunnel if the total current bandwidth usage is less than 50% of the configured Maximum Bandwidth. Users assigned to the maximum privilege level are able to launch a VPN tunnel at any time as long as there is any system bandwidth available.

When a user attempts to launch a VPN connection, the sum of the Guaranteed Minimum Bandwidth of all open VPN connections is divided by the configured Total Bandwidth. If the resulting value is less than the configured privilege level of this user, then the user's VPN connection is established. Otherwise, the connection request is denied. For example, if the user's privilege is 75% and the calculated current consumption is 70%, the user's VPN connection is established. If the calculated current consumption is 80%, the user's connection request is denied and the user receives a 23791 error code.

Note: We recommend that average employees be given Low or Medium privilege levels. Higher privilege employees can be assigned the Maximum privilege level to ensure intranet access as long as there is bandwidth available.

If a user does not have the bandwidth to set up any VPN tunnels, the user can still log in but is restricted in what they can do. For example, they may only be able to access web e-mail, etc.

A guaranteed minimum bandwidth is the bandwidth a user gets once a VPN connection is established. If the remaining VPN bandwidth is smaller than the guaranteed minimum bandwidth, the user's VPN connection request is denied and the user receives an 23791 error code. The Guaranteed Minimum Bandwidth must be smaller than the Maximum Bandwidth.

Maximum bandwidth is the bandwidth a user can use through the VPN connection. This is a limit on how much the user can use if there is bandwidth available. For example, if the user's maximum bandwidth is 100 kbps, the user cannot use more than 100 kbps regardless how much available bandwidth.

Statistics for bandwidth management are recorded in the system snapshots.

Note: Before using VPN tunneling bandwidth management policies, you must specify the maximum bandwidth and VPN maximum bandwidth values for the appliance.