Traffic Shaping VPN Traffic On Cisco 1941

jekyllsdrk
Level 1

I am new to traffic shaping and traffic policing, so please bear with me.  I have attached a diagram of the network configuration to serve as a visual exhibit.  I have also pasted the configuration of the Cisco 1941 at the DR site.  I have anonymized all information to protect the innocent.

I have two Cisco 1941 routers that provide a secure IPsec VPN tunnel between my production and DR sites. I am replicating snapshots from my production SAN to the DR SAN located at the DR site. I am allotted 6Mbps on the Internet circuit at the DR site by my ISP. However, the ISP does not have anything in place to throttle my bandwidth. When replication takes place, the replication traffic is peaking at 75Mbps. This is obviously a problem because the ISP is charging us for the overage. I have tried to implement simple traffic shaping and traffic policing in an attempt to limit the bandwidth used by the replication traffic, but I have been unsuccessful up to this point. Can somebody please provide some guidance here? What is a simple way of limiting the bandwidth on the router located at the DR site? You will see in the config below my unsuccessful attempt at traffic policing, which I implemented after my unsuccessful attempt at traffic shaping.

-------------------------------------------------------------------------------------------------------------------------------------------------------

router-dr#show run
Building configuration...
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router-dr
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
logging monitor informational
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
!
clock timezone CST -6 0
clock summer-time CDT recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name company.local
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
ip ssh time-out 60
ip ssh rsa keypair-name router-dr.company.local
ip ssh version 2
!
class-map match-all Replication_6Mbps
match access-group name Replication_Traffic
!
!
policy-map Replication_6Mbps_Policy
class Replication_6Mbps
  police 6000000 16000 conform-action drop
!
!
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp key *************** address xxx.xxx.xxx.xxx no-xauth
crypto isakmp key *************** address 172.17.1.2 no-xauth
!
!
crypto ipsec transform-set ESP-AES256-SHA256 ah-sha256-hmac esp-aes 256
crypto ipsec transform-set ESP-AES256-SHA ah-sha-hmac esp-aes 256
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec nat-transparency spi-matching
!
crypto identity 172.19.1.2
!
!
crypto map company-ipsec 1 ipsec-isakmp
description VPN with partner
set peer xxx.xxx.xxx.xxx
set security-association lifetime seconds 86400
set transform-set ESP-3DES-MD5
match address partner-vpn
crypto map company-ipsec 2 ipsec-isakmp
description VPN to company HQ
set peer 172.17.1.2
set security-association lifetime seconds 86400
set transform-set ESP-3DES-MD5
match address company-HQ-vpn
!
!
!
!
!
interface Loopback0
ip address 10.15.10.2 255.255.255.0
ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
description Data Network
encapsulation dot1Q 1 native
ip address 10.1.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.2
description iSCSI Network
encapsulation dot1Q 2
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
description Internet
ip address 172.19.1.2 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map company-ipsec
service-policy input Replication_6Mbps_Policy
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source list NAT-Inside interface GigabitEthernet0/1 overload
ip nat inside source list NAT-Inside interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 172.19.1.1
!
ip access-list extended Data-network
permit tcp 10.1.20.0 0.0.0.255 any
permit udp 10.1.20.0 0.0.0.255 any
permit icmp 10.1.20.0 0.0.0.255 any
deny   ip any any log
ip access-list extended partner-vpn
permit ip host 10.15.10.2 host 192.168.50.245
permit ip host 10.15.10.2 host 192.168.50.41
permit ip host 10.15.10.2 host 192.168.50.25
permit ip host 10.15.10.2 host 192.168.50.29
permit ip 10.1.20.0 0.0.0.255 host 192.168.50.245
permit ip 10.1.20.0 0.0.0.255 host 192.168.50.41
permit ip 10.1.20.0 0.0.0.255 host 192.168.50.25
permit ip 10.1.20.0 0.0.0.255 host 192.168.50.29
permit ip 192.168.20.0 0.0.0.255 host 192.168.50.245
permit ip 192.168.20.0 0.0.0.255 host 192.168.50.41
permit ip 192.168.20.0 0.0.0.255 host 192.168.50.25
permit ip 192.168.20.0 0.0.0.255 host 192.168.50.29
ip access-list extended NAT-Inside
deny   ip host 10.15.10.2 host 192.168.50.245
deny   ip host 10.15.10.2 host 192.168.50.41
deny   ip host 10.15.10.2 host 192.168.50.25
deny   ip host 10.15.10.2 host 192.168.50.29
deny   ip host 10.15.10.2 host 10.15.10.1
deny   ip host 10.15.10.2 192.168.10.0 0.0.0.255
deny   ip host 10.15.10.2 10.1.10.0 0.0.0.255
deny   ip 10.1.20.0 0.0.0.255 host 192.168.50.245
deny   ip 10.1.20.0 0.0.0.255 host 192.168.50.41
deny   ip 10.1.20.0 0.0.0.255 host 192.168.50.25
deny   ip 10.1.20.0 0.0.0.255 host 192.168.50.29
deny   ip 10.1.20.0 0.0.0.255 host 10.15.10.1
deny   ip 10.1.20.0 0.0.0.255 192.168.10.0 0.0.0.255
deny   ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
deny   ip 192.168.20.0 0.0.0.255 host 192.168.50.245
deny   ip 192.168.20.0 0.0.0.255 host 192.168.50.41
deny   ip 192.168.20.0 0.0.0.255 host 192.168.50.25
deny   ip 192.168.20.0 0.0.0.255 host 192.168.50.29
deny   ip 192.168.20.0 0.0.0.255 host 10.15.10.1
deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
deny   ip 192.168.20.0 0.0.0.255 10.1.10.0 0.0.0.255
permit ip any any
ip access-list extended Replication_Traffic
permit ip host 192.168.10.100 host 192.168.20.200
ip access-list extended company-HQ-vpn
permit ip host 10.15.10.2 host 10.15.10.1
permit ip host 10.15.10.2 192.168.10.0 0.0.0.255
permit ip host 10.15.10.2 10.1.10.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 host 10.15.10.1
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 10.1.10.0 0.0.0.255
permit ip 10.1.20.0 0.0.0.255 host 10.15.10.1
permit ip 10.1.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
ip access-list extended iSCSI-network
permit tcp 192.168.20.0 0.0.0.255 any
permit udp 192.168.20.0 0.0.0.255 any
permit icmp 192.0.0.0 0.255.255.255 any
deny   ip any any log
!
logging trap notifications
logging origin-id hostname
logging source-interface Loopback0
logging host 192.168.50.245 sequence-num-session
!
!
!
!
!
snmp-server community
snmp-server ifindex persist
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server location "DR Site"
snmp-server contact System Admin
snmp-server chassis-id router-dr.company.com
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 30 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 30 0
privilege level 15
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
end

router-dr#


Nagendra Kumar Nainar
Cisco Employee

Brian,

If I understood the description right, you replicate data from the production site to the DR site and have policing applied inbound on the DR site router.

Applying it inbound at the DR site will not help, as it will try to drop any traffic beyond the configured rate inbound. Instead, try the below:

1. Configure shaping with rate @  6 Mbps.

2. Apply it outbound in production router.

This way, data replicated from the production site will be shaped/buffered when it reaches the production router and maintained at a 6 Mbps rate. Using shaping will help you not to drop any packets (as policing does). Instead, it will buffer and send them across.

HTH,

Nagendra
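The two steps above, written out as an IOS configuration for the production (HQ) router; this is an added example, not the poster's config or the replier's. It assumes the HQ router's Internet-facing interface is GigabitEthernet0/1 and that its crypto map entry toward the DR peer 172.19.1.2 is named company-ipsec sequence 2, mirroring the DR config above; the class-map and ACL names reuse the poster's.

```cisco
! Production (HQ) router -- added example, not the poster's configuration.
! Assumed names: Internet interface GigabitEthernet0/1, crypto map
! company-ipsec entry 2 toward the DR peer 172.19.1.2. Adjust to match.
!
! Classify the replication flow by its inner addresses, the same host pair
! the poster's Replication_Traffic ACL names (source at HQ, SAN at DR).
ip access-list extended Replication_Traffic
 permit ip host 192.168.10.100 host 192.168.20.200
!
class-map match-all Replication_6Mbps
 match access-group name Replication_Traffic
!
! Shape (queue down to the rate) instead of police (drop above the rate).
! shape average <CIR bps> [Bc bits]: 6 Mbps with Bc 60000 bits (Tc 10 ms).
policy-map Replication_6Mbps_Policy
 class Replication_6Mbps
  shape average 6000000 60000
!
! Caveat: with the crypto map on the same physical interface, an output
! policy classifies the packet after encryption, when only the ESP outer
! header (172.17.1.2 -> 172.19.1.2) is visible and an ACL on the inner
! addresses cannot match. qos pre-classify keeps a copy of the original
! header for QoS classification.
crypto map company-ipsec 2 ipsec-isakmp
 qos pre-classify
!
! Step 2: apply the policy OUTBOUND on the interface the tunnel leaves from.
interface GigabitEthernet0/1
 service-policy output Replication_6Mbps_Policy
!
! For contrast only: the poster's policer used "conform-action drop", which
! discards the traffic that is WITHIN the rate. A policer that limits to
! 6 Mbps must transmit conforming packets and drop the excess:
!  police 6000000 16000 conform-action transmit exceed-action drop
!
! Verify that the shaper is matching and queueing rather than dropping:
! show policy-map interface GigabitEthernet0/1 output
```

If the shaper shows no matches, check `show policy-map interface` for the class-default counters instead; a policy that only ever hits class-default is the sign that classification is seeing the encrypted outer header.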
