IPSec Termination Nodes, Bandwidth Allocation, and Guaranteed Bandwidth

Prisma Access divides compute location bandwidth using IPSec Termination Nodes. Each IPSec termination node provides you with a maximum of 500 Mbps of bandwidth. You assign the node to the remote network during remote network onboarding. If you allocate more than 500 Mbps of bandwidth to a compute location, Prisma Access provides you with additional IPSec termination nodes.
The QoS settings you specify here apply only to outbound traffic for remote networks, and do not affect secure inbound access traffic.
In the following example, you have allocated 800 Mbps bandwidth in the Canada Central compute location, which is the compute location for the Canada Central and Canada East locations.
Since you allocated 800 Mbps for the compute location, Prisma Access gives you two IPSec termination nodes.
You should now determine whether you want to allocate your locations to the same IPSec termination node, or to use separate IPSec termination nodes. If you expect you will add more remote network locations to this compute location, you could leave one IPSec termination node available to onboard more remote networks at a later time.
For this example, you onboarded two remote networks, also known as Remote Network Security Processing Nodes (RN-SPNs), one in Canada East (RN-8) and one in Canada Central (RN-9), using the same IPSec termination node for both locations.
To enable QoS, select Panorama > Cloud Services > Configuration > Remote Networks > Settings, click the gear to edit the settings, select QoS, and Enable QoS for the Canada Central compute location. See Configure Quality of Service in Prisma Access for the detailed steps.
In this example, you want the compute location to receive a guaranteed bandwidth ratio of 60%; to do so, enter a Guaranteed Bandwidth Ratio of 60% for the Canada Central compute location. This action reserves 480 Mbps (60% of the overall bandwidth allocation) for guaranteed bandwidth.
Prisma Access divides up the guaranteed bandwidth equally between IPSec termination nodes; therefore, each IPSec termination node receives 240 Mbps of guaranteed bandwidth (480 Mbps divided by the total number of IPSec termination nodes). When you select Customize Per Site, you can view the bandwidth that is allocated for each location. By default, the Allocation Ratio is divided equally between all remote networks in an IPSec termination node. In the following example, since there are two remote networks in the IPSec termination node, each remote network receives an Allocation Ratio of 50%.
If you select Customize Per Site and then onboard additional remote networks in the same IPSec termination node, the newly-onboarded sites receive an allocation ratio of 0, and you must manually rebalance the allocation ratio between existing sites and the newly-onboarded site.
If you do not Customize Per Site, the bandwidth percentage automatically rebalances when you add remote networks. For example, if you did not select Customize Per Site and have four remote networks onboarded, each of those remote networks has an allocation ratio of 25%. If you add a fifth remote network, all five sites rebalance and receive a guaranteed bandwidth of 20%.