In a route based site-to-site VPN, if we would like to limit the VPN bandwidth, should this be done by limiting the bandwidth of the tunnel interface? Is this all we need to do?
I've not used this particular approach, but the interface here is pretty much the same as the policer on a per policy basis. This I have used and it works well for keeping bandwidth under control.
Since this is on the interface it would apply to all traffic across your tunnel interface.
The policy-based policer restricts based on what specific traffic hits the policy. These you will see in the Advanced tab under policy edit.
All you need to do for the policy is select these numbers.
If you want to use class of service instead, then more design and configuration is required.
188.8.131.52/24 – bgroup2
Tunnel.3 associated with bgroup2
192.168.2.0/24 – eth0/9
Tunnel.3 associated with eth0/9
So to limit the bandwidth of the tunnel interface, the policy to be created is in Trust to Trust zone, is this correct? Also, should this be created in both sides?
184.108.40.206/24(source) to 192.168.2.0/24(destination) ANY(service) Permit(Action)
192.168.2.0/24(source) to 220.127.116.11/24(destination) ANY(service) Permit(Action)
The policy zones will be based on the interface zones for ingress and egress.
Bgroup2 zone to eth0/9 for traffic from USA to china
And the reverse for China to USA.
The address objects also need to be created in the matching zone to where the traffic is found.
What I am saying is that tunnel interface setting would be one option and the Policy setting would be another option.
You really would pick one or the other.
The tunnel interface will provide a global overall limit.
the policy settings let you choose per policy for more granular control if needed.
Apologies, as I don't think I follow. So we have 2 options to limit the VPN tunnel bandwidth. Please confirm whether the procedures below for each option are correct. Thank you very much!
1. By tunnel interface.
a.) Network > Interface > List > Edit
b.) Set the Egress and Ingress limit under Traffic Bandwidth.
2. By Policy.
a.) Policy > Policies > Trust to Trust > New
b.) Bgroup2 zone to eth0/9 ------> (for US firewall)
c.) eth0/9 zone to Bgroup2 ------> (for China firewall)
d.) Then for traffic shaping it will look like the above screenshot for both firewalls.
Again, sorry, as I'm kind of confused without asking for the steps.
Sorry for the lack of clarity.
Yes, you have this correct. These are the two places you can put in bandwidth limits.
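The same two options written as ScreenOS CLI commands, as an added example that is not part of the original thread. The interface, zone and group names follow the thread (tunnel.3, bgroup2, eth0/9, both in the Trust zone); the address-object names, policy IDs, the USA subnet placeholder and the 2 Mbps (2000 Kbps) figures are assumptions, and the command forms are written from memory of the ScreenOS traffic-shaping syntax, so check them against the CLI reference for your release before pasting.

```screenos
## Pick ONE of the two options below, as the answer above says; do not stack them.
## Bandwidth values in ScreenOS are in Kbps, so 2000 = 2 Mbps (assumed figure).
set traffic-shaping mode on

## Option 1: a global limit on the tunnel interface.
## Applies to every packet that crosses tunnel.3, regardless of policy.
set interface tunnel.3 bandwidth egress mbw 2000 ingress mbw 2000

## Option 2: a per-policy limit instead.
## Address objects go in the zone where the traffic is found; both ends of the
## route-based tunnel (bgroup2 and eth0/9) sit in Trust, so the policy is
## Trust to Trust. Replace <usa-subnet> with the real USA LAN network address.
set address Trust "usa-lan"   <usa-subnet> 255.255.255.0
set address Trust "china-lan" 192.168.2.0 255.255.255.0

## gbw = guaranteed bandwidth, mbw = maximum bandwidth, priority 0 (highest) to 7.
## USA firewall: outbound USA -> China, and the return direction.
set policy id 10 from "Trust" to "Trust" "usa-lan" "china-lan" "ANY" permit traffic gbw 1000 priority 0 mbw 2000
set policy id 11 from "Trust" to "Trust" "china-lan" "usa-lan" "ANY" permit traffic gbw 1000 priority 0 mbw 2000

## China firewall: the mirror image, same object names, source and destination swapped.
## set policy id 10 from "Trust" to "Trust" "china-lan" "usa-lan" "ANY" permit traffic gbw 1000 priority 0 mbw 2000
## set policy id 11 from "Trust" to "Trust" "usa-lan" "china-lan" "ANY" permit traffic gbw 1000 priority 0 mbw 2000

## Verify what was applied.
get interface tunnel.3
get policy id 10
get policy id 11
save
```

Each firewall can only shape the traffic it sends, so whichever option you choose, the limit is configured on both the USA and the China box, which is what the mirrored steps in the procedure above describe. The interface limit is the simpler choice when the whole tunnel should be capped; the policy form is for when, say, backup traffic between two specific subnets should be capped while everything else in the tunnel is left alone.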
Alright! Thanks Steve. 🙂