02-16-2014 09:28 PM - edited 03-04-2019 10:21 PM
I have VPN connectivity between the head office and a branch office. At the branch I have a 2 Mbps CIR link, on which I want
1 Mbps reserved for VPN only. How do I do policy-based traffic shaping?
Please help me out with how I do this. Below is my router configuration:
Current configuration : 2211 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rtttt_RTR
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging console
enable password ********************************
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ip domain lookup
ip name-server 202.143.124.1
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice-card 0
!
!
!
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key *********************** address 125.119.46.242
!
!
crypto ipsec transform-set tset esp-des esp-md5-hmac
!
crypto map smap 10 ipsec-isakmp
 set peer 124.109.46.242
 set transform-set tset
 match address 101
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 203.143.128.154 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map smap
!
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/2/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 202.143.126.154
ip http server
no ip http secure-server
!
!
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
route-map nat permit 10
 match ip address 111
!
!
!
control-plane
!
!
!
!
mgcp fax t38 ecm
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 ********************************
 login
!
scheduler allocate 20000 1000
end
02-17-2014 03:44 AM
Hello

Basic TS
-------------
policy-map Shape
 class class-default
  shape average 1024000
interface FastEthernet0/0
 service-policy output Shape

res
Paul

Please don't forget to rate any posts that have been helpful.
Thanks.
02-17-2014 04:04 AM
Hi,
I applied the following QoS settings.
VPN ACL is 101
NAT ACL is 111

RTR(config)#class-map VPN
RTR(config-cmap)#match access-group 101
RTR(config)#class-map NAT
RTR(config-cmap)#match access-group 111
RTR(config-cmap)#exit
RTR(config)#policy-map multiple_classes
RTR(config-pmap)#class VPN
RTR(config-pmap-c)#shape average 800000
RTR(config-pmap-c)#exit
RTR(config-pmap)#class NAT
RTR(config-pmap-c)#shape average 1200000
RTR(config-pmap-c)#exit
RTR(config)#interface f
RTR(config)#interface fastEthernet 0/0
RTR(config-if)#service-policy output multiple_classes

But when I look at the output, I think it is not being applied to the VPN traffic: you can see that the class named VPN in the policy map has zero matches. Please help me out.
#sh policy-map interface fastEthernet 0/0
 FastEthernet0/0

  Service-policy output: multiple_classes

    Class-map: VPN (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 101
        0 packets, 0 bytes
        5 minute rate 0 bps
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      shape (average) cir 800000, bc 3200, be 3200
      target shape rate 800000

    Class-map: NAT (match-all)
      92041 packets, 6969911 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 111
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/5057/0
      (pkts output/bytes output) 86983/6587913
      shape (average) cir 1200000, bc 4800, be 4800
      target shape rate 1200000

    Class-map: class-default (match-any)
      758316 packets, 186938379 bytes
      5 minute offered rate 57000 bps, drop rate 0 bps
      Match: any
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 758321/186940900
02-17-2014 04:57 AM
Hello

The reason for that is that your ACLs are incorrect. I don't think QoS is able to look at the NATted address as a destination address from an ACL, hence the reason why you DO see a match on ACL 111 but not on 101.

access-list 111 permit ip 192.168.1.0 0.0.0.255 any

Try creating new ACLs and specify certain host traffic from your LAN that you want to shape:

access-list 110 permit host 192.168.1.x
access-list 120 permit host 192.168.1.x

class-map VPN
 match access-group 110
class-map NAT
 match access-group 120

policy-map multiple_classes
 class VPN
  bandwidth 400
 class NAT
  bandwidth 600

policy-map Default-Shape
 class class-default
  shape average 1024000
  service-policy multiple_classes

interface fastEthernet 0/0
 service-policy output Default-Shape

res
Paul

Please don't forget to rate any posts that have been helpful.
Thanks.
02-17-2014 07:50 PM
Hi Paul,
Thanks for the help.
What I want to achieve is to reserve some of the bandwidth for VPN traffic and some for NAT.
I want all hosts at the branch to use the same bandwidth.
It is much more difficult to create a separate ACL for each host; I have almost 50-plus employees at the branch office.
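An added worked example, not posted by anyone in this thread, that puts the pieces together for the original requirement: a 2 Mbps CIR with 1 Mbps reserved for the VPN, and no per-host ACLs. It reuses ACL 101, which the crypto map already uses to define the tunnel traffic, so every host in 192.168.1.0/24 is covered by one class; the remaining NATted Internet traffic simply falls into class-default. The hierarchical shape (a parent shaper with a child bandwidth policy) follows the structure of Paul's second post; the 2048000 bps parent rate, the 1024 kbps reservation and the policy names are assumptions chosen to match the 2 Mbps / 1 Mbps figures in the first post. One caveat that a practitioner would check first: when the service policy sits on the physical interface that also carries the crypto map, outbound classification sees the already-encrypted ESP packets with the public peer addresses, so an ACL written against the inner 192.168.x.x addresses matches nothing, which is exactly the zero-count VPN class in the `show policy-map interface` output above. `qos pre-classify` under the crypto map lets the classifier use the pre-encryption headers.

```cisco
! Added example configuration (IOS 12.4 MQC syntax), not from the thread.
! Assumptions: physical port is FastEthernet0/0 with crypto map "smap" applied
! (as in the posted config), provider CIR is 2 Mbps, VPN traffic is defined
! by the existing crypto ACL 101. Policy/class names are made up here.
!
! Classify tunnel traffic with the same ACL the crypto map uses, so the
! whole 192.168.1.0/24 LAN is covered without per-host entries.
class-map match-any VPN
 match access-group 101
!
! Child policy: guarantee 1 Mbps (1024 kbps) to the VPN class when the link
! is congested; everything else (NATted Internet traffic) shares the rest in
! class-default with flow-based fair queueing.
policy-map CHILD-RESERVE
 class VPN
  bandwidth 1024
 class class-default
  fair-queue
!
! Parent policy: shape the 100 Mbps port down to the 2 Mbps CIR so queueing
! and the child guarantees actually take effect before the provider polices.
policy-map PARENT-SHAPE
 class class-default
  shape average 2048000
  service-policy CHILD-RESERVE
!
! Without this, the output classifier on Fa0/0 only sees ESP packets with
! the public peer addresses, and ACL 101 never matches (zero-count class).
crypto map smap 10 ipsec-isakmp
 qos pre-classify
!
interface FastEthernet0/0
 service-policy output PARENT-SHAPE
```

After applying this, `show policy-map interface FastEthernet0/0` should show the `Match: access-group 101` counters in class VPN incrementing while traffic crosses the tunnel; if they stay at zero, check that `qos pre-classify` took effect on the crypto map entry. Keep the sum of the child `bandwidth` values inside the parent shape rate (classic IOS also enforces a default reservable limit of 75 percent of that rate), which 1024 kbps under a 2048 kbps shaper satisfies.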