I have searched with no luck so forgive me if this has been answered before.
I know that the MX device throughput ratings are dependent on what is turn on/off. My question is, when using VPN does the VPN throughput limitation only impact the VPN throughput or the entire bandwidth of the device regardless of whether traffic is being tunneled through VPN? In other words, does turning on VPN in the device for one client effect the traffic device-wide or only the specific VPN traffic?
It's more of an aggregate really.
Let's say we have an MX that is rated for 2Gbps unencrypted traffic, and 1Gbps encrypted. If you were to, say, drive 500Mbps of encrypted traffic through it you would then only be able to get about 1Gbps of unencrypted traffic through it at the same time (not 1.5Gbps).
In our testing we've found that you can use the general rule of thumb of encrypted traffic counting 2x towards the total throughput of the box.
In my situation we would be running a MX64W in a branch and a MX100 at the main location and would VPN from one server at the main location to one client at the branch. The MX64 states that maximum VPN throughput is 100Mbps while firewall throughput is 250Mbps. It sounds like clients connected to the MX device not using VPN would have the full 250Mbps available while the one client connected via VPN would be limited to 100Mbps if I understand this correctly???
It's shared, not dedicated. It's not 100+250. The 100 counts as part of the 250 (at double the hit, so 100Mbps of VPN traffic counts as 200Mbps of non-VPN).
So if you have 1 VPN client that is conducting a 100Mbps file transfer you will nearly max out the MX and leave almost nothing left for anyone else.
OK that helps. The VPN data should be very small and very intermittent. Basically just hitting a database now and then and some light web traffic. I'm mainly concerned with getting my other (non VPN) clients the fastest speed available.
I would recommend using traffic shaping and quality of service as much as possible. That way you can have granularity over what traffic is going to receive what portion of bandwidth.
Regarding the impact, I agree with the guys above and would normally expect encrypted traffic to chew up double the bandwidth normally used. The overhead for VPN is not that much, but the process of encrypting and decrypting traffic can be quite time consuming.