Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
285
Views
0
Helpful
1
Replies

QoS on internet connection and for IPSEC tunnel

davidbuit
Level 1
Level 1

‎02-24-2009 08:12 PM - edited ‎03-04-2019 03:42 AM

I have a requirement to configure QoS on an internet link that is limited to 1mbps upload speed. There are remote sites connecting to this HO site that have much larger bandwidth limits so i want to control outbound bandwidth from this site.

As an example I have created a sample configuration below. In the example I have assumed that I will be allocating 256kbps to each IPSEC VPN and 256kbps to http and https traffic.

Is this along the right lines and will I need a class-default class for all other traffic?

Many thanks

class-map match-any HTTP

match access-group HTTP

class-map match-any VPN1

match access-group VPN1

class-map match-any VPN2

match access-group VPN2

policy-map output

class HTTP-TRAFFIC

bandwidth 256

class VPN1

bandwidth 256

class VPN2

bandwidth 256

ip access-list extended VPN1

permit esp host x.x.x.x host y.y.y.y (where x.x.x is my router IP address and y.y.y.y is the vpn peer 1)

ip access-list extended VPN2

permit esp host x.x.x.x host z.z.z.z (where x.x.x is my router IP address and z.z.z.z is the vpn peer 2)

ip access-list extended HTTP

permit tcp any any eq 80

permit tcp any any eq 443

permit tcp any eq 80 any

permit tcp any eq 443 any

interface dialer0

service-policy output output

Labels:
0 Helpful
1 Reply 1

Joseph W. Doherty
Hall of Fame
Hall of Fame

‎02-25-2009 04:12 AM

Unless you physical interface is 1 Mbps, you'll want a "parent" policy shaper to match the downstream bandwidth. (E.g. Ethernet handoff to ADSL.)

e.g.

policy-map limit1mbps

class class-default

shape average 1000000 (or 850000 if you need to account for Ethernet overhead)

service-policy output

Then use the parent policy where you would use your existing policy.

Your child policy could be similar to what you've defined, although using a shaper alone or child policy with just a class-default FQ might suffice too.

BTW: there's always a class-default, it's implicit if you don't define it. However, when working with explict classes, I prefer to explicitly define it as FIFO (no FQ) so I can precisely allocate bandwidth for that class.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card