
    About Network Connect Bandwidth Management Policies

    Bandwidth management controls the rate of traffic sent or received on a network interface. Bandwidth management discards excess packets and ensures that a user is allocated a specified amount of bandwidth. Traffic less than or equal to the specified rate is guaranteed to be sent. Traffic exceeding the rate is either dropped or delayed.

    The total guaranteed bandwidth and spare bandwidth amounts are tracked and updated as users log in and out. Spare bandwidth is defined as the administrator-configured maximum minus the total guaranteed bandwidth for logged-in users.

    Guaranteed bandwidth and maximum bandwidth are defined at the role level. This limit applies to each user in the role and ensures that each user receives at least the guaranteed amount of bandwidth but no more than the configured maximum amount. When users are mapped to multiple roles, the higher limit is used. If you do not define a guaranteed bandwidth for a role, users in that role can still log in, but they are not guaranteed any bandwidth. That is, their guaranteed bandwidth is set to zero.

    Bandwidth management also applies to IVS. The administrator configures the total guaranteed bandwidth for each IVS and configures the limits for roles within each IVS. The sum of the total guaranteed bandwidths for every IVS must be less than or equal to the maximum bandwidth of the appliance. The sum of all Network Connect maximum bandwidths of all IVSs must be less than or equal to the Network Connect maximum bandwidth. Be sure to set the bandwidth for both the SA Series Appliance (System > Network > Overview) and the IVS (System > Virtual Systems > root).

    Note: If you use the same VLAN across multiple IVS systems, Bandwidth Management is not supported.

    To ensure the SA Series Appliance does not allow more bandwidth than the total available, the ability to start Network Connect tunnels is restricted. Users can start Network Connect only if the guaranteed bandwidth for their role is available. Once users start a Network Connect session, they are never dropped due to bandwidth restrictions. A privilege level controls this restriction as shown in the following table.

    Table 1: Privilege Levels and Percent of Maximum Bandwidth

    Privilege Level    Percent of Network Connect Maximum Bandwidth
    Low                Limited to 50%
    Medium             Limited to 75%
    High               Limited to 90%
    Maximum            Limited to 100%

    For example, users assigned to a low privilege level are able to launch Network Connect if the total current Network Connect bandwidth usage is less than 50% of the configured Network Connect Maximum Bandwidth. Users assigned to the maximum privilege level are able to launch Network Connect at any time as long as there is any SA Series Appliance bandwidth available.

    When a user attempts to launch a Network Connect connection, the sum of the Guaranteed Minimum Bandwidth of all open Network Connect connections is divided by the configured Network Connect Total Bandwidth. If the resulting value is less than the configured privilege level of this user, then the user's Network Connect connection is established. Otherwise, the Network Connect connection request is denied. For example, if the user's privilege is 75% and the calculated current consumption is 70%, the user's Network Connect connection is established. If the calculated current consumption is 80%, the user's Network Connect connection request is denied and the user receives a 23791 error code.

    Note: We recommend that average employees be given Low or Medium privilege levels. Higher privilege employees can be assigned the Maximum privilege level to ensure intranet access as long as there is bandwidth available.

    If a user does not have the bandwidth to set up any Network Connect tunnels, the user can still log in but is restricted in what they can do. For example, they may only be able to access web e-mail, etc.

    A guaranteed minimum bandwidth is the bandwidth a user gets once a Network Connect connection is established. If the remaining Network Connect bandwidth is smaller than the guaranteed minimum bandwidth, the user's Network Connect connection request is denied and the user receives a 23791 error code. The Guaranteed Minimum Bandwidth must be smaller than the SA Series Appliance Network Connect Maximum Bandwidth.

    Maximum bandwidth is the bandwidth a user can use through the Network Connect connection. This is a limit on how much the user can use if there is bandwidth available. For example, if the user's maximum bandwidth is 100kbps, the user cannot use more than 100kbps regardless of how much bandwidth is available.

    Statistics for bandwidth management are recorded in the system snapshots.

    Note: Before using Network Connect bandwidth management policies, you must specify the maximum bandwidth and Network Connect maximum bandwidth values for the appliance.

    User is Mapped to Multiple Roles

    The following decision process is made when a user is mapped to multiple roles:

    • Calculate the bandwidth management policies based on the privilege level defined.
      • The current used bandwidth percentage is calculated and compared with the privilege levels of the bandwidth management policies of the mapped roles.
      • All bandwidth management policies with privilege levels that do not allow the user to set up Network Connect tunnels are discarded.
    • Compare the matched bandwidth management policies and choose the one with the highest guaranteed minimum bandwidth. If more than one policy with the highest guaranteed minimum bandwidth exists, the policy with the highest maximum bandwidth wins.

    For example, a user is mapped to 3 roles and the bandwidth management policy for each role is as follows:

     

                                    Role 1      Role 2      Role 3
    Minimum guaranteed bandwidth    100 mbps    200 mbps    100 mbps
    Maximum guaranteed bandwidth    500 mbps    400 mbps    400 mbps
    Privilege level                 Medium      High        Maximum

    If the current total used bandwidth is at 80%:

    • Since role 1's privilege is not enough to allow this user to set up a Network Connect tunnel, role 1's bandwidth management policy is ignored.
    • Role 2's policy has a higher minimum guaranteed bandwidth than role 3, so role 2 wins. The user receives a 200mbps minimum guaranteed bandwidth and 400mbps maximum guaranteed bandwidth.

    However, if the current total used bandwidth is 92%, only role 3's privilege allows the user to set up a Network Connect tunnel, so role 3's bandwidth management policy is used. Thus the user has a 100mbps minimum guaranteed bandwidth and 400mbps maximum guaranteed bandwidth.
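The admission check and multi-role decision process described above, written out as an added example that is not part of the original documentation or the appliance's own code. The names `Policy` and `select_policy` are hypothetical, the 10000 mbps Network Connect total is a constructed value, and running the remaining-bandwidth check on the selected policy is an assumption, since the page does not state the order.

```python
from dataclasses import dataclass
from typing import Optional

# Privilege level -> percent of Network Connect maximum bandwidth (Table 1).
PRIVILEGE_LIMIT = {"Low": 50, "Medium": 75, "High": 90, "Maximum": 100}
DENIED_ERROR = 23791  # error code the page says a denied user receives


@dataclass(frozen=True)
class Policy:          # hypothetical container, one per mapped role
    role: str
    guaranteed: int    # guaranteed minimum bandwidth
    maximum: int       # maximum bandwidth
    privilege: str


def select_policy(policies, used, nc_total) -> Optional[Policy]:
    """Return the winning policy, or None when the request is denied.

    used:     sum of guaranteed minimums of all open connections
    nc_total: configured Network Connect total bandwidth (same unit)
    """
    # Step 1: discard policies whose privilege level disallows a tunnel.
    # Consumption must be strictly below the limit; integer math avoids
    # rounding surprises exactly at a threshold.
    allowed = [p for p in policies
               if used * 100 < PRIVILEGE_LIMIT[p.privilege] * nc_total]
    if not allowed:
        return None
    # Step 2: highest guaranteed minimum wins; ties go to highest maximum.
    best = max(allowed, key=lambda p: (p.guaranteed, p.maximum))
    # Assumption: the remaining-bandwidth check runs on the selected policy.
    if nc_total - used < best.guaranteed:
        return None
    return best


# Constructed sample: the three roles from the example above.
ROLES = [
    Policy("Role 1", 100, 500, "Medium"),
    Policy("Role 2", 200, 400, "High"),
    Policy("Role 3", 100, 400, "Maximum"),
]

if __name__ == "__main__":
    for used in (8000, 9200, 9950):  # 80%, 92%, 99.5% of 10000 mbps
        chosen = select_policy(ROLES, used, 10_000)
        print(used, chosen.role if chosen else f"denied ({DENIED_ERROR})")
```

The 99.5% case passes the Maximum privilege check but is still denied, because the remaining 50 mbps is smaller than the 100 mbps guaranteed minimum.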

    Limitations

    Bandwidth management may not operate correctly under the following conditions:

    • More than one IVS uses the same SA Series Appliance internal port.
    • More than one IVS has the same VLAN IP.
    • Overlapping Network Connect IPs across IVSs.

    Published: 2011-03-14