07-27-2013 11:54 AM - edited 03-04-2019 08:34 PM
I am new to traffic shaping and traffic policing, so please bear with me. I have attached a diagram of the network configuration to serve as a visual exhibit. I have also pasted the configuration of the Cisco 1941 at the DR site. I have anonymized all information to protect the innocent.
I have two Cisco 1941 routers that provide a secure IPsec VPN tunnel between my production and DR sites. I am replicating snapshots from my production SAN to the DR SAN located at the DR site. I am allotted 6Mbps on the Internet circuit at the DR site by my ISP. However, the ISP does not have anything in place to throttle my bandwidth. When replication takes place, the replication traffic is peaking at 75Mbps. This is obviously a problem because the ISP is charging us for the overage. I have tried to implement simple traffic shaping and traffic policing in an attempt to limit the bandwidth used by the replication traffic, but I have been unsuccessful up to this point. Can somebody please provide some guidance here? What is a simple way of limiting the bandwidth on the router located at the DR site? You will see in the config below my unsuccessful attempt at traffic policing, which I implemented after my unsuccessful attempt at traffic shaping.
-------------------------------------------------------------------------------------------------------------------------------------------------------
router-dr#show run
Building configuration...
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router-dr
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
logging monitor informational
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
!
clock timezone CST -6 0
clock summer-time CDT recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name company.local
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
ip ssh time-out 60
ip ssh rsa keypair-name router-dr.company.local
ip ssh version 2
!
class-map match-all Replication_6Mbps
match access-group name Replication_Traffic
!
!
policy-map Replication_6Mbps_Policy
class Replication_6Mbps
police 6000000 16000 conform-action drop
!
!
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp key *************** address xxx.xxx.xxx.xxx no-xauth
crypto isakmp key *************** address 172.17.1.2 no-xauth
!
!
crypto ipsec transform-set ESP-AES256-SHA256 ah-sha256-hmac esp-aes 256
crypto ipsec transform-set ESP-AES256-SHA ah-sha-hmac esp-aes 256
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec nat-transparency spi-matching
!
crypto identity 172.19.1.2
!
!
crypto map company-ipsec 1 ipsec-isakmp
description VPN with partner
set peer xxx.xxx.xxx.xxx
set security-association lifetime seconds 86400
set transform-set ESP-3DES-MD5
match address partner-vpn
crypto map company-ipsec 2 ipsec-isakmp
description VPN to company HQ
set peer 172.17.1.2
set security-association lifetime seconds 86400
set transform-set ESP-3DES-MD5
match address company-HQ-vpn
!
!
!
!
!
interface Loopback0
ip address 10.15.10.2 255.255.255.0
ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
description Data Network
encapsulation dot1Q 1 native
ip address 10.1.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.2
description iSCSI Network
encapsulation dot1Q 2
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
description Internet
ip address 172.19.1.2 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map company-ipsec
service-policy input Replication_6Mbps_Policy
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source list NAT-Inside interface GigabitEthernet0/1 overload
ip nat inside source list NAT-Inside interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 172.19.1.1
!
ip access-list extended Data-network
permit tcp 10.1.20.0 0.0.0.255 any
permit udp 10.1.20.0 0.0.0.255 any
permit icmp 10.1.20.0 0.0.0.255 any
deny ip any any log
ip access-list extended partner-vpn
permit ip host 10.15.10.2 host 192.168.50.245
permit ip host 10.15.10.2 host 192.168.50.41
permit ip host 10.15.10.2 host 192.168.50.25
permit ip host 10.15.10.2 host 192.168.50.29
permit ip 10.1.20.0 0.0.0.255 host 192.168.50.245
permit ip 10.1.20.0 0.0.0.255 host 192.168.50.41
permit ip 10.1.20.0 0.0.0.255 host 192.168.50.25
permit ip 10.1.20.0 0.0.0.255 host 192.168.50.29
permit ip 192.168.20.0 0.0.0.255 host 192.168.50.245
permit ip 192.168.20.0 0.0.0.255 host 192.168.50.41
permit ip 192.168.20.0 0.0.0.255 host 192.168.50.25
permit ip 192.168.20.0 0.0.0.255 host 192.168.50.29
ip access-list extended NAT-Inside
deny ip host 10.15.10.2 host 192.168.50.245
deny ip host 10.15.10.2 host 192.168.50.41
deny ip host 10.15.10.2 host 192.168.50.25
deny ip host 10.15.10.2 host 192.168.50.29
deny ip host 10.15.10.2 host 10.15.10.1
deny ip host 10.15.10.2 192.168.10.0 0.0.0.255
deny ip host 10.15.10.2 10.1.10.0 0.0.0.255
deny ip 10.1.20.0 0.0.0.255 host 192.168.50.245
deny ip 10.1.20.0 0.0.0.255 host 192.168.50.41
deny ip 10.1.20.0 0.0.0.255 host 192.168.50.25
deny ip 10.1.20.0 0.0.0.255 host 192.168.50.29
deny ip 10.1.20.0 0.0.0.255 host 10.15.10.1
deny ip 10.1.20.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 host 192.168.50.245
deny ip 192.168.20.0 0.0.0.255 host 192.168.50.41
deny ip 192.168.20.0 0.0.0.255 host 192.168.50.25
deny ip 192.168.20.0 0.0.0.255 host 192.168.50.29
deny ip 192.168.20.0 0.0.0.255 host 10.15.10.1
deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 10.1.10.0 0.0.0.255
permit ip any any
ip access-list extended Replication_Traffic
permit ip host 192.168.10.100 host 192.168.20.200
ip access-list extended company-HQ-vpn
permit ip host 10.15.10.2 host 10.15.10.1
permit ip host 10.15.10.2 192.168.10.0 0.0.0.255
permit ip host 10.15.10.2 10.1.10.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 host 10.15.10.1
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 10.1.10.0 0.0.0.255
permit ip 10.1.20.0 0.0.0.255 host 10.15.10.1
permit ip 10.1.20.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
ip access-list extended iSCSI-network
permit tcp 192.168.20.0 0.0.0.255 any
permit udp 192.168.20.0 0.0.0.255 any
permit icmp 192.0.0.0 0.255.255.255 any
deny ip any any log
!
logging trap notifications
logging origin-id hostname
logging source-interface Loopback0
logging host 192.168.50.245 sequence-num-session
!
!
!
!
!
snmp-server community
snmp-server ifindex persist
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server location "DR Site"
snmp-server contact System Admin
snmp-server chassis-id router-dr.company.com
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 30 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 30 0
privilege level 15
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
end
router-dr#
07-28-2013 01:10 AM
Brian,
If I understood the description right, you replicate data from the production site to the DR site and have policing applied inbound on the DR site router.
Applying it inbound at the DR site will not help, as it will try to drop any traffic beyond the configured rate inbound. Instead, try the below:
1. Configure shaping with a rate of 6 Mbps.
2. Apply it outbound on the production router.
This way, data replicated from the production site will be shaped/buffered as it reaches the production router and maintained at a 6 Mbps rate. Using shaping will help you avoid dropping any packets (as policing does). Instead, it will buffer them and send them across.
HTH,
Nagendra
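The outbound shaping the reply describes, written out as an added example (this is not Nagendra's or Brian's configuration). It reuses the Replication_Traffic ACL and class from the DR router's posted config and assumes the production router also reaches the Internet on GigabitEthernet0/1 and carries the HQ-to-DR tunnel in crypto map entry company-ipsec 2; the hostname router-hq is a placeholder.

```cisco
! Added example: shaping applied outbound on the production router's
! Internet-facing interface, as the reply suggests.
! Assumptions: the production router's Internet interface is also
! GigabitEthernet0/1 and its tunnel to DR is crypto map entry company-ipsec 2.
!
! Replication flow taken from the DR router's Replication_Traffic ACL:
! production SAN 192.168.10.100 replicating to DR SAN 192.168.20.200.
ip access-list extended Replication_Traffic
 permit ip host 192.168.10.100 host 192.168.20.200
!
class-map match-all Replication_6Mbps
 match access-group name Replication_Traffic
!
! shape average queues traffic above 6 Mbps instead of dropping it, so
! the SAN's TCP sessions slow down rather than retransmitting dropped data.
policy-map Replication_6Mbps_Shaper
 class Replication_6Mbps
  shape average 6000000
!
! The ACL matches the inner (pre-encryption) addresses. After IPsec
! encapsulation the physical interface only sees the tunnel endpoints,
! so the crypto map must classify the packet before it is encrypted.
crypto map company-ipsec 2 ipsec-isakmp
 qos pre-classify
!
! The policy goes OUTBOUND on the production router: that is the only
! place the traffic can be held back before it crosses the ISP circuit.
! An inbound policy on the DR router sees the traffic only after the
! overage has already been incurred.
interface GigabitEthernet0/1
 service-policy output Replication_6Mbps_Shaper
!
! Verification (run on the production router during a replication window):
! the Replication_6Mbps class should report a shaping rate of 6000000 bps
! and growing "queued" counters rather than drops.
! router-hq# show policy-map interface GigabitEthernet0/1
```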