Barracuda CloudGen Firewall

How to Configure Adaptive Bandwidth Protection for VPN Tunnels with SD-WAN

Adaptive Bandwidth Protection shapes traffic on the VPN transport using the link quality metrics collected by Dynamic Bandwidth and Latency (Round Trip Time) Detection. Instead of shaping against a static bandwidth figure, the firewall shapes against a continuously updated value that reflects the current state of the transport; changed link metrics are applied immediately. Traffic shaping uses an internal traffic shaping tree for SD-WAN, distinguishing only between no-delay (VoIP) and standard traffic.


Before You Begin

Create a multi-transport VPN tunnel between two CloudGen Firewalls.

Step 1. Modify Default Shaping Tree

On both VPN endpoints, edit the Internet QoS band to use the STD virtual interface.

  1. Go to CONFIGURATION > Configuration Tree > Box > Traffic Shaping.
  2. Click Lock.
  3. Right-click the QoS profile and click Add new virtual Interface.
  4. Enter STD as the Virtual Interface.

    All other settings of this virtual interface are handled by the SD-WAN features.

  5. Click OK.
  6. Click on the QoS Band tab.
  7. Right-click and select Add new QoS Band. The QoS Band window opens.
  8. Create the QoS Band for no-delay traffic:
    • ID – Enter an unused ID. E.g., 14
    • Name – Enter NoDelay.
  9. Click OK. The QoS Band Rule window opens.
  10. Create the QoS band rule:
    • Priority – Select NoDelay.
    • Virtual Device – Select root.
  11. Click OK.
  12. Create the QoS band:
    • ID – Enter an unused ID.
    • Name – Enter StandardTraffic.
  13. Click OK. The QoS Band Rule window opens.
  14. Create the QoS band rule:
    • Priority – Select class1.
    • Virtual Device – Select STD.
  15. Click OK.
  16. (optional) Add additional classes to the StandardTraffic QoS band.
  17. Click Send Changes and Activate.

The two QoS bands are now listed: VoIP (no-delay) using the root interface and StandardTraffic using the STD virtual interface.


Step 2. Enable Dynamic Bandwidth and Latency Detection and SD-WAN Bandwidth Protection

On both VPN endpoints, edit the TINA site-to-site VPN tunnel to use the SD-WAN QoS profile and enable Dynamic Bandwidth and Round Trip Time Detection.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > VPN-Service > Site to Site VPN.
  2. Click Lock.
  3. Double-click the TINA VPN tunnel. The TINA Tunnel window opens.
  4. Click the SD-WAN - Bandwidth Protection tab.
  5. From the Dynamic Bandwidth Detection list, select the policy:
    • Active Probing and Passive Monitoring
    • Active Probing Only
    • No Probing - use Estimated Bandwidth
  6. Enter the Estimated Bandwidth.
  7. (optional) Select the Consolidated Shaping check box.
  8. Click OK.
  9. Click Send Changes and Activate.

After completing these changes, go to VPN > Site-to-Site. Right-click the transport and select Monitor Traffic.

Step 3. Set QoS Band for No-Delay Traffic

Set the QoS band for all access rules matching VPN traffic that should be handled as no-delay traffic. No-delay traffic should not make up more than 30% of total traffic.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall.
  2. Click Lock.
  3. Double-click the access rule matching the no-delay traffic.
  4. From the QoS Band (Fwd) list, select NoDelay (ID 14) created in Step 1.
  5. From the QoS Band (Reply) list, select Like-Fwd.
  6. Click OK.
  7. Click Send Changes and Activate.

Step 4. Set QoS Band for Standard Traffic

All other VPN traffic is classified as standard traffic. Standard traffic can take up to 70% of the bandwidth.

  1. Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall.
  2. Click Lock.
  3. Double-click the access rule matching the standard traffic.
  4. From the QoS Band (Fwd) list, select StandardTraffic (ID 15) created in Step 1.
  5. From the QoS Band (Reply) list, select Like-Fwd.
  6. Click OK.
  7. Click Send Changes and Activate.

The firewall now protects the no-delay traffic and automatically adjusts shaping to the currently available bandwidth. Shaping down happens continuously as needed; shaping up is detected every couple of minutes. Go to the FIREWALL > Shaping page to see the built-in shaping tree used for the adaptive SD-WAN features.
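The following is an added, simplified model of the behaviour described above; it is not Barracuda code and does not reflect the firewall's actual shaper internals. It assumes a 120-second ramp-up re-evaluation interval (the page only says "every couple of minutes") and applies the 30% no-delay / 70% standard split to whatever rate is currently in effect.

```python
"""Illustrative model of Adaptive Bandwidth Protection (added example, not
Barracuda's implementation): the shaping rate follows the detected transport
bandwidth, dropping immediately when the link degrades but rising only at a
fixed re-evaluation interval, and the no-delay and standard bands are capped
at 30% and 70% of the rate currently in effect."""

from dataclasses import dataclass

NO_DELAY_SHARE = 0.30   # from the page: no-delay traffic should not exceed 30%
STANDARD_SHARE = 0.70   # from the page: standard traffic may use up to 70%
RAMP_UP_INTERVAL = 120  # seconds; assumed value for "every couple of minutes"


@dataclass
class ShapingState:
    rate_kbps: float      # effective shaping rate currently applied
    last_ramp_up: float   # timestamp (s) of the last upward adjustment


def update_rate(state, now, detected_kbps):
    """Apply one bandwidth-detection sample. Shaping down is applied
    continuously; shaping up only once per RAMP_UP_INTERVAL."""
    if detected_kbps < state.rate_kbps:
        state.rate_kbps = detected_kbps              # immediate protection
    elif (detected_kbps > state.rate_kbps
          and now - state.last_ramp_up >= RAMP_UP_INTERVAL):
        state.rate_kbps = detected_kbps              # deferred ramp-up
        state.last_ramp_up = now
    return state.rate_kbps


def band_limits(rate_kbps):
    """Split the effective rate into the NoDelay and StandardTraffic ceilings."""
    return {"NoDelay": rate_kbps * NO_DELAY_SHARE,
            "StandardTraffic": rate_kbps * STANDARD_SHARE}


def simulate(samples, start_kbps):
    """Run (time_s, detected_kbps) samples; return (time, rate, limits) rows."""
    state = ShapingState(rate_kbps=start_kbps, last_ramp_up=0.0)
    return [(t, r, band_limits(r))
            for t, bw in samples for r in [update_rate(state, t, bw)]]


# Constructed sample: link degrades from 10 Mbit/s to 4 Mbit/s, then recovers.
SAMPLES = [(0, 10000), (10, 8000), (20, 4000), (30, 9000), (150, 9000)]

if __name__ == "__main__":
    for t, rate, lim in simulate(SAMPLES, 10000):
        print(f"t={t:>4}s rate={rate:>6.0f} kbps "
              f"NoDelay<={lim['NoDelay']:.0f} Std<={lim['StandardTraffic']:.0f}")
```

At t=30 the detected bandwidth has recovered but the shaper holds the lower rate until the ramp-up interval has elapsed, which is why no-delay traffic stays protected through the fluctuation.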


Go to VPN > Site-to-Site and enable monitoring on the transport to see the effective bandwidth, drops, Round Trip Time, and a stacked graph for no-delay and standard traffic. Note how the dark blue no-delay traffic is protected even through bandwidth changes.

  • Example monitoring diagram for deteriorating bandwidth.
  • Example monitoring diagram adjusting for more available bandwidth.