Bandwidth Considerations
The VPN Gateway shapes traffic to only a portion of the measured (or statically defined) bandwidth. This reduction, referred to as a “safety factor”, guards against fluctuations in the bandwidth the ISP actually provides to the VPN Gateway. For example, cable modems run across a shared infrastructure that may be slower at peak times of the day, but the VPN Gateway may have measured its bandwidth at an optimum performance time. If at any point the VPN Gateway shapes to a bandwidth larger than the actual bandwidth available, the traffic shaping will operate as if no shaping had been implemented. To avoid this, the VPN Gateway applies the configured safety factor and limits traffic to only a portion of the bandwidth that was specified statically or determined automatically.
Once CoS has been enabled, the overall available bandwidth will be shaped, taking the required safety factor into consideration. As a result, the customer may experience a slight degradation in available throughput even during seemingly idle times, when only one application is using the broadband connection. The safety factor percentage can be configured for a CoS Profile in AT&T Administration Server. 13% is considered a reasonable default.
The configuration also allows a “max safety factor” to be defined. As the available bandwidth increases, the safety factor value in Kbps increases with it, so that with a 5Mbps link and a 13% safety factor, the VPN Gateway would “ignore” 1 Mbps of available bandwidth. This would be a little excessive, so a “max safety factor” can also be defined; the smaller of this value and the calculated safety factor value (based on percentage) will be used.
While a safety factor reduces the likelihood of shaping to the wrong limit, it also artificially limits the bandwidth, which can be a problem on low-speed DSL lines. For example, with a 13% safety factor, the VPN Gateway would shape traffic on a 128Kbps line to 102.4Kbps (128 X 0.8). This is too small to support a single G.711 VoIP call using IPSec, as that requires closer to 108Kbps. In that case, applying a safety factor in effect kills the capability to support VoIP, thereby negating the reason for a safety factor in the first place. For that reason, CoS Bandwidth Settings in AT&T Administration Server can always be set up with a MINIMUM bandwidth value. If the portion of the measured bandwidth that remains after the safety factor is applied is smaller than the minimum setting, the minimum setting value will be used instead of the calculated value.
There are two parameters (burst and cburst) that can be set by CoS Shaper in AT&T Administration Server to control how many bytes can be sent at a time within each CoS Class. If these numbers are too big, a lot of unwanted jitter in the data can result, especially on low-speed lines. If they are too small, overall throughput is limited, which affects performance. These values should be left as zero in the profile, as that has provided the best overall results. With a value of zero, the appropriate values to use are determined internally by the VPN Gateway based on traffic characteristics.
The MTU size on slower DSL and cable broadband connections can affect the latency of real-time applications. For instance, the VoIP application sends small (60 byte) packets with very little time in between each packet. The data stream may only use 90 Kbits/second, but the application is very sensitive to the latency of each packet. If a large data packet were scheduled and sent in the middle of the VoIP data stream, between these small, latency-sensitive VoIP packets, the VoIP packets queued behind it would be delayed beyond their tolerance for latency. The overall bandwidth requested by the VoIP data stream would not be affected by this large packet (the algorithm would not send enough of them to affect the overall bandwidth calculation), but the latency behind any single large data packet would affect the voice quality of the VoIP conversation.
Tests and calculations show that a 600-byte MTU setting for VoIP-enabled VPN Gateways is a good setting for low-speed upstream links.
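The safety factor, max safety factor and MINIMUM bandwidth rules, together with the MTU latency effect, can be worked through as follows. This is an added example, not the VPN Gateway's own code. The function names, the 256 Kbps cap, the 108 Kbps minimum and the 1500-byte comparison MTU are assumptions chosen for illustration, and the sample runs use a 20% factor, the value implied by the 128 X 0.8 arithmetic above.

```python
# Added example: shaping-rate rules and per-packet delay from the text above.
# All sample values are constructed; Kbps is taken as 1000 bits per second.

def shaped_rate_kbps(measured_kbps, safety_pct, max_safety_kbps=None, min_kbps=0.0):
    """Rate the gateway would shape to, following the three rules in the text."""
    reserve = measured_kbps * safety_pct / 100.0      # percentage-based safety factor
    if max_safety_kbps is not None:
        reserve = min(reserve, max_safety_kbps)       # "max safety factor": smaller value wins
    return max(measured_kbps - reserve, min_kbps)     # MINIMUM setting replaces a lower result


def serialization_delay_ms(packet_bytes, rate_kbps):
    """Time one packet occupies the link; a VoIP packet queued behind it waits this long."""
    return packet_bytes * 8 / rate_kbps               # bits / (kbit/s) = milliseconds


def report(measured_kbps, safety_pct, max_safety_kbps=None, min_kbps=0.0, mtus=(1500, 600)):
    """Return (shaped rate, {mtu: delay in ms of one full-size packet at that rate})."""
    rate = shaped_rate_kbps(measured_kbps, safety_pct, max_safety_kbps, min_kbps)
    delays = {mtu: round(serialization_delay_ms(mtu, rate), 1) for mtu in mtus}
    return rate, delays


if __name__ == "__main__":
    cases = [
        ("128 Kbps, percentage only", dict(measured_kbps=128, safety_pct=20)),
        ("128 Kbps, 108 Kbps minimum", dict(measured_kbps=128, safety_pct=20, min_kbps=108)),
        ("5 Mbps, percentage only", dict(measured_kbps=5000, safety_pct=20)),
        ("5 Mbps, 256 Kbps max factor", dict(measured_kbps=5000, safety_pct=20,
                                             max_safety_kbps=256)),
    ]
    for label, kwargs in cases:
        rate, delays = report(**kwargs)
        print(f"{label}: shape to {rate:.1f} Kbps, packet delay (ms) by MTU: {delays}")
```

On the 128 Kbps line held at the 108 Kbps minimum, one 1500-byte packet holds the link for about 111 ms, while a 600-byte packet holds it for about 44 ms.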