02-04-2010 01:02 PM - edited 03-04-2019 07:24 AM
Hello
Hub is connecting to 5 Spokes over IPSEC and 3 over IPSEC_GRE
How to get bandwidth usage for each VPN Site from Hub?
(Scenario 1)
Hub connects to Spoke1 over IPSEC
at Hub it's a Router and at Spoke it's an ASA
(Scenario 2)
Hub connects to Spoke2 GRE over IPSEC
at Hub it's a Router and at spoke it's a Router
Hub has 10MB Link, how can I identify with Spoke1 it uses X bandwidth; similarly with the other spokes (Spoke2, Spoke3, Spoke4, etc.)?
Current Hub bandwidth utilization : 6MB for 8 VPN Tunnels.
Please do input
thanks
Nasr
02-04-2010 01:18 PM
Hello Nasr,
if IP addresses of spokes are not dynamic you can use some tools for this:
a Policy-map with one class for each tunnel
for IPSec only tunnel:
define traffic class as ipsec traffic between local and remote public ip address
for IPSEC+GRE tunnel:
again define traffic class as IPsec traffic flow between local public ip address and remote public ip address
you need to know if you use AH or only ESP to define ACLs
access-list 111 permit ah host local-ip host remote-ip1
ESP only, no AH header:
access-list 112 permit esp host local-ip host remote-ip2
this depends on transformation sets.
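It is highly probable that GRE over IPSec uses only ESP to reduce overhead
! one class-map per tunnel, each matching that tunnel's ACL
class-map match-all ah-ipsec1
 match access-group 111
class-map match-all esp-ipsec2
 match access-group 112
policy-map tunneltraffic
 class ah-ipsec1
 class esp-ipsec2
let's suppose fas0/0 is the public interface on HUB
int fas0/0
 ! attach in the outbound direction so each class counts traffic sent to its spoke
 service-policy output tunneltraffic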
check with
sh policy-map int fas0/0
you will get counters for each class
this will allow also to introduce QoS if needed in the future
another method could be ip accounting
int fa0/0
ip accounting output-packets
check with
sh ip accounting
but it does not provide rates, only counters that increase over time
A third method could be egress netflow
Hope to help
Giuseppe
02-04-2010 01:38 PM
Hi Giuseppe, A big thanks for the reply
All spokes have static ip
GRE over IPSec uses only ESP
Not clear how I can get bandwidth usage with each spoke from Hub using policy-map for IPSEC connection (without GRE)
I do agree on configuring egress netflow; I can get bandwidth usage for spoke having GRE Tunnel over IPSEC
Kindly elaborate more to understand with needed steps
Thanks
Nasr
02-06-2010 02:37 AM
Hello Nasr,
>> Not clear how I can get bandwidth usage with each spoke from Hub using policy-map for IPSEC connection (without GRE)
Do the IPSec only tunnels use ESP or AH also?
I think the policy-map could be used also for IPSec only tunnels.
Traffic will be destined to remote peer and if public IP addresses are static you can easily find an access-list definition that matches the desired traffic.
That ACL is then used to define traffic in a class-map.
Hope to help
Giuseppe
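Added example, not part of the thread or written by its posters: one way to turn the per-class counters from `sh policy-map int fas0/0` into a bandwidth figure per spoke is to take two snapshots a known interval apart and divide the byte delta by the time. The class names come from the config above; the sample output is constructed to follow the usual IOS layout, and the function names and the 60-second interval are assumptions.

```python
import re

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\(match-(?:all|any)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")

def parse_class_bytes(output):
    """Map class name -> byte counter from 'show policy-map interface' text."""
    counters, current = {}, None
    for line in output.splitlines():
        if m := CLASS_RE.match(line):
            current = m.group(1)
        elif (m := COUNT_RE.match(line)) and current and current not in counters:
            # First counter line after the class header is the class total.
            counters[current] = int(m.group(2))
    return counters

def rates_bps(earlier, later, seconds):
    """Average bits/s per class between two snapshots `seconds` apart."""
    a, b = parse_class_bytes(earlier), parse_class_bytes(later)
    rates = {}
    for name in sorted(a.keys() & b.keys()):
        delta = b[name] - a[name]
        # A negative delta means the counters were cleared between samples.
        rates[name] = None if delta < 0 else delta * 8 / seconds
    return rates

def sample(ah_bytes, esp_bytes):
    """Constructed output (not captured from a router), usual IOS layout."""
    return f"""\
 FastEthernet0/0
  Service-policy output: tunneltraffic
    Class-map: ah-ipsec1 (match-all)
      {ah_bytes // 1000} packets, {ah_bytes} bytes
      5 minute offered rate 310000 bps
      Match: access-group 111
    Class-map: esp-ipsec2 (match-all)
      {esp_bytes // 1000} packets, {esp_bytes} bytes
      5 minute offered rate 1250000 bps
      Match: access-group 112
    Class-map: class-default (match-any)
      50 packets, 4000 bytes
      Match: any
"""

T0, T1 = sample(1_200_000, 5_000_000), sample(1_950_000, 8_750_000)
if __name__ == "__main__":
    for cls, bps in rates_bps(T0, T1, 60).items():
        print(cls, "reset" if bps is None else f"{bps / 1e6:.2f} Mbit/s")
```

The same delta calculation applies to the `sh ip accounting` counters, which also only increase over time.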