05-21-2012 12:28 AM - edited 03-04-2019 04:25 PM
Hi all,
I would like to build a capping policy (bandwidth limitation and best use of bandwidth) on our router (Cisco 7200xvr) that connects to multiple universities (12 universities) with an international ISP (34M).
Kindly, I need your help to know whether this configuration is the best that I can use on our router, and how I can enhance it.
Also, which is best to use: shaping or policing?
When I use the police command in policy Egress, this message appears:
Cannot attach queuing-based child policy to a non-queuing based class
I have 4 percent of bandwidth remaining, which I put in class-default with this command:
bandwidth percent 4
This is my current configuration on the 7200 router:
==========================================
class-map match-all Class_144
match access-group 144
class-map match-all Class_132
match access-group 132
class-map match-all Class_120
match access-group 120
class-map match-all Class_112
match access-group 112
class-map match-all Class_104
match access-group 104
class-map match-all Class_140
match access-group 140
class-map match-all Class_136
match access-group 136
class-map match-all Class_124
match access-group 124
class-map match-all Class_116
match access-group 116
class-map match-all Class_108
match access-group 108
class-map match-all Class_128
match access-group 128
class-map match-all Class_148
match access-group 148
!
!
policy-map All_Class
class Class_104
bandwidth percent 8
class Class_108
bandwidth percent 8
class Class_112
bandwidth percent 8
class Class_116
bandwidth percent 8
class Class_120
bandwidth percent 8
class Class_124
bandwidth percent 8
class Class_128
bandwidth percent 8
class Class_132
bandwidth percent 8
class Class_136
bandwidth percent 8
class Class_140
bandwidth percent 8
class Class_144
bandwidth percent 8
class Class_148
bandwidth percent 8
class class-default
bandwidth percent 4
fair-queue
policy-map Egress
class class-default
shape average 34816000
service-policy All_Class
access-list 104 permit ip any 172.25.90.4 0.0.0.3
access-list 108 permit ip any 172.25.90.8 0.0.0.3
access-list 112 permit ip any 172.25.90.12 0.0.0.3
access-list 116 permit ip any 172.25.90.16 0.0.0.3
access-list 120 permit ip any 172.25.90.20 0.0.0.3
access-list 124 permit ip any 172.25.90.24 0.0.0.3
access-list 128 permit ip any 172.25.90.28 0.0.0.3
access-list 132 permit ip any 172.25.90.32 0.0.0.3
access-list 136 permit ip any 172.25.90.36 0.0.0.3
access-list 140 permit ip any 172.25.90.40 0.0.0.3
access-list 144 permit ip any 172.25.90.44 0.0.0.3
access-list 148 permit ip any 172.25.90.48 0.0.0.3
interface GigabitEthernet0/1
mtu 1524
ip address 172.25.90.2 255.255.255.0
duplex auto
speed auto
media-type rj45
negotiation auto
service-policy output Egress
!
=============================================================================
05-28-2012 10:47 PM
Do all my clients access the internet with this configuration, or should I use NAT?
I mean the University X clients?
And by central site router do you mean the core router (co-location router // see my topology), or one of the universities X?
Because I see this setting should be applied to my core router?
Note: not all universities use Cisco routers; we should take care with these universities.
Please amend the configuration so that everything is clear to me (the configuration has been added previously).
I am not good at English.
Q1) ON central site router
int tunnel GRE x
ip nat inside
int tunnel GRE y
ip nat inside
int tunnel GRE z
ip nat inside
! you need also an ip nat inside on internal network of central site and an ip nat outside on the interface facing the internet
You need an extended ACL to avoid NAT between universities
access-list 161 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 161 permit ip 10.x.0.0 0.0.255.255 any
access-list 161 permit ip 10.y.0.0 0.0.255.255 any
access-list 161 permit ip 10.z.0.0 0.0.255.255 any
access-list 161 permit ip 10.k.0.0 0.0.255.255 any
05-29-2012 11:38 AM
Hello Fadi,
central site router = Core router
NAT is needed in one place: either you do it on the core router or you do it at each client site/university.
A client site with independent internet access will have a static default route pointing to the interface with the public IP address instead of pointing to the GRE tunnel.
WARNING: my statements are suggestions; you need to understand NAT in order to be able to achieve this.
Hope to help
Giuseppe
06-10-2012 11:52 PM
Hello Giuseppe,
I hope you are fine.
You know I have 25 MBPS (link speed via VPN) for each university.
All universities communicate with each other as an internal network:
25 * 12 = 300 MBPS (INTERNAL TRAFFIC)
The policy is applied to the interface that connects all universities (GigabitEthernet0/1).
The internet comes in on interface GigabitEthernet0/2.
My problem:
I think this policy is not working as I expect (the internal and external traffic is limited to 34 MBPS).
I need the internal network to work without any problems and without limitation on link speed,
with only the internet limited for each university.
I think the policy should be applied to the interface towards the internet (GigabitEthernet0/2).
Please, I need your advice.
class-map match-all Class_144
match access-group 144
class-map match-all Class_132
match access-group 132
class-map match-all Class_120
match access-group 120
class-map match-all Class_112
match access-group 112
class-map match-all Class_104
match access-group 104
class-map match-all Class_140
match access-group 140
class-map match-all Class_136
match access-group 136
class-map match-all Class_124
match access-group 124
class-map match-all Class_116
match access-group 116
class-map match-all Class_108
match access-group 108
class-map match-all Class_128
match access-group 128
class-map match-all Class_148
match access-group 148
!
!
policy-map All_Class
class Class_104
bandwidth 2901
class Class_108
bandwidth 2901
class Class_112
bandwidth 2901
class Class_116
bandwidth 2901
class Class_120
bandwidth 2901
class Class_124
bandwidth 2901
class Class_128
bandwidth 2901
class Class_132
bandwidth 2901
class Class_136
bandwidth 2901
class Class_140
bandwidth 2901
class Class_144
bandwidth 2901
class Class_148
bandwidth 2901
class class-default
fair-queue
policy-map Egress
class class-default
shape average 34816000
service-policy All_Class
interface GigabitEthernet0/1
mtu 1524
ip address 172.25.90.2 255.255.255.0
service-policy output Egress
access-list 104 permit ip any 172.25.90.4 0.0.0.3
access-list 108 permit ip any 172.25.90.8 0.0.0.3
access-list 112 permit ip any 172.25.90.12 0.0.0.3
access-list 116 permit ip any 172.25.90.16 0.0.0.3
access-list 120 permit ip any 172.25.90.20 0.0.0.3
access-list 124 permit ip any 172.25.90.24 0.0.0.3
access-list 128 permit ip any 172.25.90.28 0.0.0.3
access-list 132 permit ip any 172.25.90.32 0.0.0.3
access-list 136 permit ip any 172.25.90.36 0.0.0.3
access-list 140 permit ip any 172.25.90.40 0.0.0.3
access-list 144 permit ip any 172.25.90.44 0.0.0.3
access-list 148 permit ip any 172.25.90.48 0.0.0.3
06-19-2012 05:21 AM
Hello Fadi,
I agree that the internet facing interface would be the interface to apply the QoS policy but you control only the upstream direction not the downstream direction.
By applying the policy map to the internet facing interface you would control the upstream direction of traffic from universities to the internet, that is lower in traffic volume and not the traffic from internet to the universities.
Actually the downstream direction is not under your control.
On the other hand, if the policy would be able to discriminate between traffic coming from internet and traffic between universities, it could be applied outbound on the interface towards the universities and would control the downstream direction from the internet.
Traffic between universities travels on GRE tunnels, making it difficult to discriminate.
There is a special command for these cases that is qos pre-classify to be configured on all tunnel interfaces. It should allow the router to examine the traffic before GRE encapsulation.
The only doubt I have is if the service policy should be applied to each tunnel interface to take advantage of the qos pre-classify command.
A totally different configuration of the policy map would be needed.
At this point a different policy map for each GRE Tunnel would be needed using two traffic classes on each.
Example:
access-list 181 deny ip 10.0.0.0 0.255.255.255 10.0.k.0 0.0.255.255
access-list 181 permit ip any 10.0.k.0 0.0.255.255
class-map INTERNET-K
match access-group 181
policy-map TO-UNI-K
class INTERNET-K
shape average 2900000
class class-default
fair-queue
interface tunnel K
description to university K
qos pre-classify
service-policy output TO-UNI-K
Hope to help
Giuseppe
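Added example, not part of the reply above and not Cisco code: a small first-match evaluator for the wildcard-mask ACLs in this thread. It shows that the original ACL 104 matches on destination only, while the deny-then-permit order of ACL 181 separates internet traffic from inter-university traffic. The range 10.5.0.0/16 for university K and all sample packets are constructed assumptions.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wild_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")

# ACL 104 from the first post: it matches on destination only.
ACL_104 = [("permit", ANY, ("172.25.90.4", "0.0.0.3"))]

# ACL 181 from the reply; 'k' replaced by the constructed range 10.5.0.0/16.
ACL_181 = [
    ("deny", ("10.0.0.0", "0.255.255.255"), ("10.5.0.0", "0.0.255.255")),
    ("permit", ANY, ("10.5.0.0", "0.0.255.255")),
]

def acl_action(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, (s_base, s_wild), (d_base, d_wild) in acl:
        if wild_match(src, s_base, s_wild) and wild_match(dst, d_base, d_wild):
            return action
    return "deny"

def classify(src, dst):
    """Class picked by policy-map TO-UNI-K for a packet leaving tunnel K."""
    hit = acl_action(ACL_181, src, dst) == "permit"
    return "INTERNET-K" if hit else "class-default"

# Constructed packets (inner headers, as examined with qos pre-classify).
SAMPLES = [
    ("198.51.100.7", "10.5.1.20"),  # internet host -> university K
    ("10.3.4.9", "10.5.1.20"),      # another university -> university K
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        print(f"{src:>15} -> {dst:<12} {classify(src, dst)}")
    # ACL 104 permits any source, so it cannot tell the two kinds apart.
    for src in ("198.51.100.7", "172.25.90.9"):
        print(src, "-> 172.25.90.5", acl_action(ACL_104, src, "172.25.90.5"))
```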
09-25-2012 12:06 AM
Hello Giuseppe,
Tired of all this.
I need something simple to apply on my router.
I need to know how an ISP company limits traffic.
You know I have 34 meg of internet that I need to distribute to 12 universities without affecting internal traffic. (Traffic base idle use)
BW:
All branch = 34/12 = 2.8 MEG
But when one branch is not using the internet:
BW:
All branch = 34/11 = 3 MEG
etc...
The 12 branches exchange data internally at the full line speed (25 meg VPN), but when a branch needs to use the internet () the traffic policy must be applied to use the quota.
Best Regards