
At this SME office location, there are two teams that want to share a 2 Mbps leased line. Team-1 is OK with normal variable speeds, but Team-2 needs to connect to remote virtualized secure servers through VPN clients and access remote secure routers providing the VPN server.

Team-2 (2 to 4 machines) requires dedicated 1 Mbps bandwidth for their server, and VPN to access the remote server. What is the cheapest switch or router (for example), and what minimum features are needed to achieve that split of bandwidth? Our VPN connection to our own remote server will provide security and firewall through Juniper-220/Fortinet-100D class enterprise FW/VPN/Router gear at the remote end, so the need here is only to split the bandwidth effectively from the local internet leased line.

What is the best approach:
a) To limit the ports serving Team-1;
b) To dedicate 1 Mbps (especially upload speed) to Team-2;
c) Should we expect such a capability in low-end access routers, to dedicate a fixed amount of bandwidth, or can it only be done by expensive managed routers?

Thank you.

SusheelJi
  • I agree with the answer below about using Traffic Shaping, but perhaps built in QoS might be able to accomplish what you need. Basically taking your external traffic and lowering the priority below that of the VPN traffic. It isn't perfect, but it might be a workaround. I prefer this method as neither group is then restricted to the 1Mbps that was allocated to it. Of course that would depend on how you configure traffic shaping. – MikeAWood Mar 24 '14 at 19:37
  • Thanks to all for the insights. I have edited to clarify that Team-2 is more concerned about guaranteed UPLOAD speed (meaning outgoing from the client PC, I believe). Neither team minds if the download speed (incoming to the PC/laptop) varies by up to 10% or so. – SusheelJi Mar 25 '14 at 08:10
  • @MikeAWood: How do I find the lowest-cost (access) router that would support a suitable way to use higher QoS priority, either for all outgoing traffic from a subnet, or at least for VPN traffic identified in some way, e.g. by domain name or IP address of the VPN server? – SusheelJi Mar 25 '14 at 08:23
  • Shopping questions are not generally OK here. But many home routers (in the U.S.) support some form of QoS. Traffic shaping like ChrisS mentions below is another good option as it tends to be more hardened. What you use will depend on your needs. QoS is nice because it can adjust for when things are less critical, but will have issues because you are simply making some traffic more important than others, which might be an issue for the 2nd group not on the VPN. We do traffic shaping on our Sonicwall E5500s and it works nicely for setups like this. – MikeAWood Mar 25 '14 at 18:28
  • Or put a Linux box in the routing path and use `tc`. – MadHatter Mar 28 '14 at 08:44

1 Answer


You can't control the incoming rate. You can limit what gets sent to your client computers, but that won't stop the external sending system from flooding your 2 Mb connection in the first place.

The only way to guarantee 1Mb to both teams at all times would be to get two 1Mb Internet connections. If you just need a 1Mb average over time, then most firewall distributions would work (many different hardware firewalls can do this, or a software solution like pfSense).

Chris S
  • @ChrisS: Thank you for the quick reply. Only Team-2 needs guaranteed 1 Mbps upload. Can a low-end access router akin to a Cisco 2600 or thereabouts perform this function? Team-1 and Team-2 need not communicate with each other. Team-1 never needs to access the remote server that Team-2 is using. – SusheelJi Mar 24 '14 at 16:13
  • Cisco claims the 2600 can do [traffic shaping](http://www.cisco.com/c/en/us/support/docs/asynchronous-transfer-mode-atm/atm-traffic-management/10529-traffic-shape-3600.html). I haven't tried with that model myself however. – Chris S Mar 24 '14 at 17:07
  • Problem is - you can never do incoming traffic shaping. For that you need a second router in a data center - tons of bandwidth, then only forward allocated bandwidths to the real office. Incoming bandwidth can not be controlled, ever. A cheap Mikrotik (WAY cheaper than the expensive Cisco stuff) can handle it all, but again: incoming is physically impossible. – TomTom Mar 24 '14 at 17:15
  • Sure you can shape incoming traffic. Simply throw away whatever exceeds the allocated bandwidth. TCP flow control will then reduce the data rate appropriately. This is admittedly rather imperfect and will not work for this question's use case (the VPN is unlikely to run on top of TCP; if it does anyway, you have worse problems than bandwidth allocation), but if all you need is mostly-fair distribution of data rates to different departments it's better than nothing. – Matthias Urlichs Mar 24 '14 at 17:35
  • @MatthiasUrlichs Wrong. Really. Ok, you throw away what exceeds the bandwidth. How is that - making sure the packets do not enter the download side? Yes, TCP does SORT of help, but it will always lead to high pings and delays. To do real shaping you MUST shape on the entry. I have been and am doing that stuff all the time - and the only way I found to do reliable shaping is to use a VPN, put the other point into a data centre (huge bandwidth) and use traffic shaping on the traffic being sent to the office. Anything else is unreliable like crazy. Because flow control has limits. – TomTom Mar 28 '14 at 08:52
  • @TomTom I don't see any substantial difference between your "TCP does sort of help, BUT" and my "this is rather imperfect". You're right insofar as I shouldn't have called that "shaping" traffic, of course it's more like "crude bandwidth limitation". – Matthias Urlichs Mar 28 '14 at 14:08
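Worked example, added here and not part of the question, answer or comments: the "Linux box in the routing path with `tc`" approach from MadHatter's comment, built so that Team-2 gets a guaranteed 1 Mbps upload on the WAN side while either team may borrow idle capacity (MikeAWood's point), and the same tree on the LAN side as the crude "drop what exceeds, let TCP back off" download limit the last comments argue about. Interface names, the Team-2 subnet and the fwmark value are constructed assumptions; classification uses an iptables mark set in the mangle FORWARD chain, where addresses are still the private ones even if this box also does NAT.

```shell
#!/bin/sh
# Added example (not the page's own code): HTB shaping for a 2 Mbps leased line
# shared by two teams, with 1 Mbps guaranteed to Team-2 in each direction.
# Constructed assumptions: WAN_IF/LAN_IF names, Team-2 in 192.168.2.0/24, MARK=2.
set -eu

WAN_IF="${WAN_IF:-eth0}"            # toward the leased line (upload direction)
LAN_IF="${LAN_IF:-eth1}"            # toward the office (download direction)
TEAM2_NET="${TEAM2_NET:-192.168.2.0/24}"
LINE_KBIT=2000                      # leased line capacity, kbit/s
TEAM2_KBIT=1000                     # guaranteed share for Team-2
TEAM1_KBIT=$((LINE_KBIT - TEAM2_KBIT))
MARK=2                              # fwmark identifying Team-2 packets
TC="${TC:-tc}"; IPT="${IPT:-iptables}"   # set both to "echo" for a dry run

# Mark Team-2 traffic in both directions. mangle FORWARD runs after DNAT and
# before SNAT, so the private addresses are visible even when this box NATs.
mark_team2() {
    $IPT -t mangle -A FORWARD -s "$TEAM2_NET" -j MARK --set-mark "$MARK"
    $IPT -t mangle -A FORWARD -d "$TEAM2_NET" -j MARK --set-mark "$MARK"
}

# Build one HTB tree on interface $1: class 1:10 is Team-1 (default), 1:20 is Team-2.
# rate = guaranteed bandwidth, ceil = how far a class may borrow when the other is idle,
# so neither team is hard-capped at 1 Mbps while the line is otherwise quiet.
shape_htb() {
    dev="$1"
    $TC qdisc del dev "$dev" root 2>/dev/null || true
    $TC qdisc add dev "$dev" root handle 1: htb default 10
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "${LINE_KBIT}kbit" ceil "${LINE_KBIT}kbit"
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb rate "${TEAM1_KBIT}kbit" ceil "${LINE_KBIT}kbit" prio 1
    $TC class add dev "$dev" parent 1:1 classid 1:20 htb rate "${TEAM2_KBIT}kbit" ceil "${LINE_KBIT}kbit" prio 0
    # Fair queuing inside each class so one flow cannot starve the rest of its team.
    $TC qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    $TC qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10
    # Steer fwmarked (Team-2) packets into class 1:20; everything else takes the default.
    $TC filter add dev "$dev" parent 1:0 protocol ip prio 1 handle "$MARK" fw flowid 1:20
}

# Apply only when run as "script.sh apply"; otherwise the functions are just defined.
if [ "${1:-}" = "apply" ]; then
    mark_team2
    shape_htb "$WAN_IF"   # upload: Team-2 keeps 1 Mbps out even when Team-1 is busy
    shape_htb "$LAN_IF"   # download: best effort only; the far end can still flood the line
fi
```

Run `TC=echo IPT=echo sh script.sh apply` to print the generated commands before applying them as root; the LAN-side tree only limits what is forwarded to the office, which is exactly the caveat the answer states.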