VPN Bandwidth Control

gavin.mckee
Level 1

Hi, could someone help with my inexperience here:

What I am trying to do is as follows:

we have a 10Mb connection to the internet and are using this connection as a backup for our dedicated links to sites in London. The VPN is working fine and floating static routes allow us to redirect traffic over the VPN when the primary links go down.

I want to limit the amount of bandwidth the VPN can consume; the limit is around 8 Mbps. I have written the following config to do this:

ip access-list extended IPSEC
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map match-any IPSEC
 match access-group name IPSEC
!
policy-map VPN-BANDWIDTH-CONTROL
 class IPSEC
  police cir 10485500 bc 8388608
   conform-action transmit
   exceed-action drop
  bandwidth 80
  queue-limit 30

Can anyone provide a comment on this configuration? Is there a better way to do this? Also, do I apply the policy map to the Tunnel interface, or do I apply it to the physical interface?

Any help will be rated.

Gavin

5 Replies

mheusinger
Level 10

Hi,

some comments as you wish ;-)

First, I would use shaping instead of policing if you want a fixed upper bandwidth limit for VPN traffic. A policer will drop packets, whereas a shaper will buffer packets. For most applications dropping of packets is not such a good idea.

Second, the bandwidth specified (10485500) is too high to achieve 8 Mbps. The way you configure things, IPSec will use up to 10 Mbps.

Third, you could use queueing to assure your other traffic at least 2 Mbps, which would also limit your IPSec traffic to a max of 8 Mbps, IF there is congestion. In case there is no other traffic but VPN, would you rather have all 10 Mbps be used by VPN traffic, or would you prefer an upper limit of 8 Mbps (leaving 2 Mbps unused)?

Fourth, the policy-map should be applied to the physical interface.

So the config could look like this:

policy-map VPN-BANDWIDTH-CONTROL
 class IPSEC
  shape average 8000000
 class class-default
  bandwidth 2000000

And last but not least, your traffic description: consider using an ACL describing the source and destination IPs of your tunnel, so all traffic is classified correctly.

Hope this helps! Please rate all posts.

Regards, Martin
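To make the policer-versus-shaper distinction in the reply above concrete, here is an added token-bucket simulation in Python (not part of the thread, and not IOS). It assumes a 25 kB burst allowance (bc) and reuses the 30-packet queue-limit from the first config as the shaper's queue depth; the offered load is a constructed one-second burst at the 10 Mbps line rate.

```python
"""Token-bucket model of policer vs shaper (added example, not from the thread).
Constructed load: 1500-byte packets back-to-back at 10 Mbps for one second,
limited to 8 Mbps. The bc and queue-limit values used are assumptions."""
from collections import deque

LINE_RATE_BPS = 10_000_000   # the 10 Mb internet link in the thread
LIMIT_BPS = 8_000_000        # the 8 Mbps ceiling (shape average 8000000)
BC_BYTES = 25_000            # assumed burst allowance, roughly 25 ms at 8 Mbps
PKT_BYTES = 1500

def burst(seconds=1.0, rate_bps=LINE_RATE_BPS, size=PKT_BYTES):
    """Constructed offered load: (arrival_time_s, bytes) at rate_bps for `seconds`."""
    gap = size * 8 / rate_bps
    return [(i * gap, size) for i in range(int(seconds / gap))]

def police(packets, cir_bps, bc_bytes):
    """Policer: conform-action transmit, exceed-action drop -> (sent, dropped)."""
    rate, tokens, last = cir_bps / 8, bc_bytes, 0.0   # bucket counted in bytes
    sent = dropped = 0
    for t, size in packets:
        tokens = min(bc_bytes, tokens + (t - last) * rate)  # refill since last packet
        last = t
        if size <= tokens:
            tokens -= size
            sent += 1
        else:
            dropped += 1   # no buffer: the excess packet is simply discarded
    return sent, dropped

def shape(packets, cir_bps, bc_bytes, queue_limit):
    """Shaper with a FIFO of queue_limit packets -> (sent, delayed, dropped, max_delay_s)."""
    rate, tokens, last, waiting = cir_bps / 8, bc_bytes, 0.0, deque()
    sent = delayed = dropped = max_delay = 0   # waiting holds departure times
    for t, size in packets:
        while waiting and waiting[0] <= t:
            waiting.popleft()   # this packet has already left the queue
        if len(waiting) >= queue_limit:
            dropped += 1        # tail drop only once the queue is full
            continue
        start = max(t, last)    # FIFO: cannot leave before the previous packet
        tokens = min(bc_bytes, tokens + (start - last) * rate)
        wait = max(0.0, (size - tokens) / rate)   # time to earn the missing tokens
        depart = start + wait
        tokens += wait * rate - size
        last, sent = depart, sent + 1
        if depart > t:          # buffered rather than dropped
            delayed += 1
            waiting.append(depart)
            max_delay = max(max_delay, depart - t)
    return sent, delayed, dropped, max_delay
```

Run both against the same burst: the policer discards roughly one packet in five as soon as the bucket is empty, while the shaper delays them at the 8 Mbps rate and only begins dropping once its 30-packet queue is full.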

Thanks for your post, this is a great help.

Can I ask you how to test this configuration? Is there a show command to detail the shaping?

Regards

Gavin

Hi,

The shaping can be monitored with the command "show policy-map interface ...". It will give you info on how many packets and bytes have been shaped (=delayed).

To test the config you need a lab environment. You could use lower bandwidths, e.g. 128 kbps, in case you cannot set up a lab reflecting your environment 1:1. Just scale down the parameters to your test environment.

The final "test" however will be your production environment, because there you will have to deal with application behaviour.

Regards, Martin

Martin,

Here is my new configuration. In the class-default I had to set the limit to 2000 as this is in kbps, whereas the shape average rate seems to be set in bps. I think this should pretty much cover it. In terms of profiling the traffic with access lists, I'm not sure if I need to, as all traffic that is using the tunnel should be subject to the traffic shaping. Web traffic will have the remaining 2 Mbps when the policy is in effect. Would I need an access list for the web traffic? Thanks for your help :)

ip access-list extended IPSEC
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map match-any IPSEC
 match access-group name IPSEC
!
policy-map VPN-BANDWIDTH-CONTROL
 class IPSEC
  shape average 8000000
 class class-default
  bandwidth 2000
!

Hi,

You would not need an ACL for the rest of the traffic, as class-default is defined as "match any". If you want to separate Web traffic from the other internet traffic (email, DNS, FTP, etc.) you would create a separate class for Web and assign resources to it.

The comment about the ACL was only because I do not know whether the ACL IPSEC will describe all IPSec traffic. I am quite sure that an ACL specifying the source IP of the VPN tunnel and the destination IP of the VPN tunnel will match all IPSec traffic. This of course will not be possible for dynamic IP addresses occurring, e.g., with the Cisco VPN client.

Regards, Martin
