VPN Bandwidth Control
10-23-2006 12:44 AM - edited 02-21-2020 01:15 AM
Hi, could someone help with my inexperience here:
What I am trying to do is as follows:
we have a 10Mb connection to the internet and are using this connection as a backup for our dedicated links to sites in London. The VPN is working fine and floating static routes allow us to redirect traffic over the VPN when the primary links go down.
I want to limit the amount of bandwidth the VPN can consume, the limit is around 8Mbps. I have written the following config to do this:
ip access-list extended IPSEC
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
class-map match-any IPSEC
 match access-group name IPSEC
policy-map VPN-BANDWIDTH-CONTROL
 class IPSEC
  police cir 10485500 bc 8388608
   conform-action transmit
   exceed-action drop
  bandwidth 80
  queue-limit 30
Can anyone provide a comment on this configuration? Is there a better way to do this? Also, do I apply the policy map to the Tunnel interface or do I apply it to the physical interface?
Any help will be rated.
Gavin
10-24-2006 07:39 AM
Hi,
some comments as you wish ;-)
First, I would use shaping instead of policing if you want a fixed upper bandwidth limit for VPN traffic. A policer will drop packets, whereas a shaper will buffer packets. For most applications dropping of packets is not such a good idea.
Second, the bandwidth specified (10485500) is too high to achieve 8 Mbps. The way you configure things IPSec will use up to 10 Mbps.
Third, you could use queueing to assure your other traffic at least 2 Mbps, which would also limit your IPSec traffic to a max of 8 Mbps, IF there is congestion. In case there is no other traffic but VPN, would you rather have all 10 Mbps be used by VPN traffic, or would you prefer an upper limit of 8 Mbps (leaving 2 Mbps unused)?
Fourth, the policy-map should be applied to the physical interface.
So the config could look like this:
policy-map VPN-BANDWIDTH-CONTROL
 class IPSEC
  shape average 8000000
 class class-default
  bandwidth 2000000
And last but not least, your traffic description. Consider using an ACL describing the source and destination IPs of your tunnel, so all traffic is classified correctly.
Hope this helps! Please rate all posts.
Regards, Martin
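To make the policer-versus-shaper point concrete, here is a small simulation added to the thread (it is not Martin's or Gavin's code, and nothing in it is IOS). Both mechanisms are modelled as a single token bucket with rate CIR in bits per second and burst depth Bc in bytes; the packet burst, the 10 000 byte Bc and the sample sizes are constructed values. The policer transmits only what the bucket covers and drops the rest of the burst, while the shaper keeps every packet and pushes the tail out at exactly CIR, so the same input shows up as drops in one case and as delay in the other.

```python
"""Policer vs. shaper on the same burst (added example, not from the thread).

Both are a token bucket refilled at CIR bits/s with depth Bc bytes. The
policer drops a packet the bucket cannot cover; the shaper holds it in a
FIFO until the bucket refills. Packet arrivals are constructed sample data.
"""
from typing import List, Tuple

Packet = Tuple[float, int]  # (arrival time in seconds, size in bytes)


def sample_burst(count: int = 20, size: int = 1500, at: float = 0.0) -> List[Packet]:
    """Constructed input: `count` full-size packets arriving at the same instant."""
    return [(at, size) for _ in range(count)]


def police(packets: List[Packet], cir_bps: int, bc_bytes: int):
    """Single-rate policer: conform -> transmit, exceed -> drop.

    A packet conforms only if the bucket currently holds at least its size.
    Nothing is ever delayed, so a burst deeper than Bc loses its tail.
    Returns (transmitted, dropped); `packets` must be sorted by time."""
    tokens = float(bc_bytes)
    last = packets[0][0] if packets else 0.0
    transmitted, dropped = [], []
    for t, size in packets:
        tokens = min(bc_bytes, tokens + (t - last) * cir_bps / 8)  # refill at CIR
        last = t
        if size <= tokens:
            tokens -= size
            transmitted.append((t, size))
        else:
            dropped.append((t, size))
    return transmitted, dropped


def shape(packets: List[Packet], cir_bps: int, bc_bytes: int) -> List[Tuple[float, float]]:
    """Shaper with an unbounded FIFO: a packet waits until the bucket holds
    enough tokens, so the excess burst is smoothed to CIR instead of dropped.
    Returns (arrival, departure) per packet, in order."""
    tokens = float(bc_bytes)
    last_departure = packets[0][0] if packets else 0.0
    schedule = []
    for t, size in packets:
        if size > bc_bytes:
            raise ValueError("a packet larger than Bc can never conform")
        start = max(t, last_departure)  # FIFO: never overtake the previous packet
        tokens = min(bc_bytes, tokens + (start - last_departure) * cir_bps / 8)
        if tokens < size:  # wait for the shortfall to refill at CIR
            start += (size - tokens) * 8 / cir_bps
            tokens = float(size)
        tokens -= size
        last_departure = start
        schedule.append((t, start))
    return schedule


def max_delay(schedule: List[Tuple[float, float]]) -> float:
    """Largest queueing delay the shaper introduced, in seconds."""
    return max(d - a for a, d in schedule) if schedule else 0.0


if __name__ == "__main__":
    CIR = 8_000_000  # 8 Mbps, the ceiling discussed in the thread
    BC = 10_000      # constructed burst depth in bytes
    burst = sample_burst()
    tx, dr = police(burst, CIR, BC)
    sched = shape(burst, CIR, BC)
    print(f"policer: {len(tx)} transmitted, {len(dr)} dropped")
    print(f"shaper : {len(sched)} transmitted, max delay {max_delay(sched) * 1000:.2f} ms")
```

With a 20 x 1500 byte burst, Bc covers the first six packets; the policer drops the other fourteen, while the shaper delivers all twenty and the last one leaves 20 ms late, which is exactly the 20 000 excess bytes at 1 MB/s. Whether that delay or those drops hurts more is the application-behaviour question Martin raises later.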
10-24-2006 11:48 PM
Thanks for your post this is a great help.
Can I ask you how to test this configuration? Is there a show command to detail the shaping?
Regards
Gavin
10-25-2006 12:46 AM
Hi,
the shaping can be monitored with the command "show policy-map interface ...". It will give you info on how many packets and bytes have been shaped (=delayed).
To test the config you need a lab environment. You could use lower bandwidths - e.g. 128 kbps - in case you cannot set up a lab reflecting your environment 1:1. Just scale down the parameters to your test environment.
The final "test" however will be your production environment, because there you will have to deal with application behaviour.
Regards, Martin
10-25-2006 02:02 AM
Martin,
Here is my new configuration. In the class-default I had to set the limit to 2000, as this is in kbps, whereas the shape average rate seems to be set in bps. I think this should pretty much cover it. In terms of profiling the traffic with access lists, I'm not sure if I need to, as all traffic that is using the tunnel should be subject to the traffic shaping. Web traffic will have the remaining 2Mbps when the policy is in effect. Would I need an access list for the web traffic? Thanks for your help :)
ip access-list extended IPSEC
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map match-any IPSEC
 match access-group name IPSEC
!
!
policy-map VPN-BANDWIDTH-CONTROL
 class IPSEC
  shape average 8000000
 class class-default
  bandwidth 2000
!
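The units mix-up that Gavin caught (shape average in bps, bandwidth in kbps) is easy to repeat, so here is an added checker that is not part of the thread: it parses the policy-map from an IOS MQC fragment, normalises both values to bits per second and reports any class whose figure cannot fit the 10 Mb link from the first post. The two fragments embedded below are copied from the replies above; the parsing and the check itself are illustrative code, not an IOS feature, and only the two command forms used in the thread are understood.

```python
"""Unit check for an IOS MQC policy-map fragment (added example, not from the thread).

In MQC, `shape average <n>` takes bits per second while `bandwidth <n>`
(without `percent`) takes kilobits per second. The parser below reads both,
converts to bps and flags values that exceed the link rate.
"""
import re
from typing import Dict, List, Optional

LINK_BPS = 10_000_000  # the 10 Mb internet connection described in the first post

# Martin's suggested policy-map, as posted in the thread.
MARTIN_CFG = """\
policy-map VPN-BANDWIDTH-CONTROL
 class IPSEC
  shape average 8000000
 class class-default
  bandwidth 2000000
"""

# Gavin's revised policy-map, as posted in the thread.
GAVIN_CFG = """\
policy-map VPN-BANDWIDTH-CONTROL
 class IPSEC
  shape average 8000000
 class class-default
  bandwidth 2000
!
"""


def parse_policy_map(config: str) -> Dict[str, Dict[str, Optional[int]]]:
    """Return {class: {'shape_bps': ..., 'bandwidth_bps': ...}} for the first
    policy-map in `config`. Only the forms used in the thread are parsed;
    'bandwidth percent' and 'shape peak' are deliberately left unsupported."""
    classes: Dict[str, Dict[str, Optional[int]]] = {}
    current: Optional[str] = None
    in_policy = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("policy-map "):
            if in_policy:  # a second policy-map ends the first
                break
            in_policy = True
            continue
        if not in_policy:
            continue
        m = re.fullmatch(r"class (\S+)", line)
        if m:
            current = m.group(1)
            classes[current] = {"shape_bps": None, "bandwidth_bps": None}
            continue
        if current is None:
            continue
        m = re.fullmatch(r"shape average (\d+)", line)
        if m:
            classes[current]["shape_bps"] = int(m.group(1))  # already bps
            continue
        m = re.fullmatch(r"bandwidth (\d+)", line)
        if m:
            classes[current]["bandwidth_bps"] = int(m.group(1)) * 1000  # kbps -> bps
    return classes


def check_policy(config: str, link_bps: int = LINK_BPS) -> List[str]:
    """Findings as strings; an empty list means every value fits the link."""
    findings: List[str] = []
    reserved = 0
    for name, c in parse_policy_map(config).items():
        if c["shape_bps"] is not None and c["shape_bps"] > link_bps:
            findings.append(f"{name}: shape average {c['shape_bps']} bps exceeds the link rate")
        if c["bandwidth_bps"] is not None:
            reserved += c["bandwidth_bps"]
            if c["bandwidth_bps"] > link_bps:
                findings.append(
                    f"{name}: bandwidth {c['bandwidth_bps'] // 1000} kbps "
                    f"= {c['bandwidth_bps']} bps exceeds the link rate (bandwidth is in kbps)")
    if reserved > link_bps:
        findings.append(f"total reserved bandwidth {reserved} bps exceeds the link rate")
    return findings


if __name__ == "__main__":
    for label, cfg in (("Martin", MARTIN_CFG), ("Gavin", GAVIN_CFG)):
        print(label, check_policy(cfg) or ["ok"])
```

Run against the two fragments, Martin's `bandwidth 2000000` is read as 2 Gbps and flagged twice (per class and in the reservation total), while Gavin's `bandwidth 2000` normalises to 2 Mbps and passes cleanly next to the 8 Mbps shaper.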
10-25-2006 07:00 AM
Hi,
you would not need an ACL for the rest of the traffic, as class-default is defined as "match any". If you want to separate Web traffic from the other internet traffic (email, dns, ftp, etc.) you would create a separate class for Web and assign resources to it.
The comment about the ACL was only because I do not know whether the ACL IPSEC will describe all IPSec traffic. I am quite sure that an ACL specifying the source IP of the VPN tunnel and the destination IP of the VPN tunnel will match all IPSec traffic. This of course will not be possible for dynamic IP addresses occurring e.g. with the Cisco VPN client.
Regards, Martin
