10-11-2009 06:33 PM - edited 03-06-2019 08:04 AM
Hi, I need to control traffic through multiple VPN tunnels to limit BW use by any one single VPN.
Now it is a 6MB link shared by 13 p2p VPN tunnels and Internet access.
How could I achieve this? For example, I need to limit 2MB maximum use by any VPN tunnel during office hours.
Any advice will be greatly appreciated.
10-12-2009 04:36 AM
Hello Ranjit,
An outbound shaping approach is probably the only one that can work.
If, for example, IPSec is the protocol used, you need to define the VPN traffic with a class-map (the named ACL ipsec_traffic is referenced here; its body is assumed):
ip access-list extended ipsec_traffic
 remark assumed body: select IPsec ESP and IKE packets
 permit esp any any
 permit udp any any eq isakmp
!
class-map match-any vpn_traffic
 match access-group name ipsec_traffic
!
Then you define a policy-map:
policy-map shape_vpn
 class vpn_traffic
  shape average 2000000
 class class-default
  fair-queue
This is the first part of your question and would apply shaping 24 h/day.
How to do this in the daytime only?
Use time ranges for the ACL, as described in this thread:
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cd25e4c/0#selected_message
That is, the access-list invokes a time range.
Hope this helps,
Giuseppe
10-12-2009 05:05 AM
To expand on the information that Giuseppe has provided, you'll likely need to do this on both ends of the VPN tunnels (assuming you want to restrict bandwidth utilization both in and out at your hub site).
Also, what Giuseppe shows would shape all VPN traffic, but since you asked about restricting any one VPN tunnel to 2 Mbps, at the hub site you would need a 2 Mbps shaper for each tunnel's traffic.
Do realize that a combination of VPN tunnels' traffic could still overwhelm your link.
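A complete configuration for the two replies above (Giuseppe's shaping class plus time-range ACL, and the point that each tunnel needs its own 2 Mbps shaper), as an added example that is not from the thread. It assumes a Cisco IOS hub router using MQC, an outside interface GigabitEthernet0/0 handed off by the provider at 6 Mbps, and two remote IPsec peers at 203.0.113.10 and 203.0.113.20 (constructed RFC 5737 addresses; the 13-peer case repeats the ACL/class-map/shape triplet per peer). Outbound on the Internet interface the router only sees encrypted ESP and IKE packets, so each tunnel is classified by its peer address, not by the inner flows. The time range depends on the router's clock, so it should be synchronized with NTP; a router with a wrong clock shapes at the wrong hours or not at all.

```cisco
! Office-hours window. The ACL entries that reference it match only while
! the range is active; outside that window the tunnel traffic falls into
! class-default and is not shaped.
time-range OFFICE_HOURS
 periodic weekdays 8:00 to 18:00
!
! One ACL per remote peer: ESP, IKE (UDP/500) and NAT-T (UDP/4500) addressed
! to that peer. Peer addresses are constructed for this example.
ip access-list extended TUNNEL_PEER_A
 permit esp any host 203.0.113.10 time-range OFFICE_HOURS
 permit udp any host 203.0.113.10 eq isakmp time-range OFFICE_HOURS
 permit udp any host 203.0.113.10 eq non500-isakmp time-range OFFICE_HOURS
!
ip access-list extended TUNNEL_PEER_B
 permit esp any host 203.0.113.20 time-range OFFICE_HOURS
 permit udp any host 203.0.113.20 eq isakmp time-range OFFICE_HOURS
 permit udp any host 203.0.113.20 eq non500-isakmp time-range OFFICE_HOURS
!
class-map match-any TUNNEL_PEER_A
 match access-group name TUNNEL_PEER_A
class-map match-any TUNNEL_PEER_B
 match access-group name TUNNEL_PEER_B
!
! Child policy: a separate 2 Mbps shaper per tunnel. Shaping (not policing)
! queues the excess instead of dropping it, so TCP inside the tunnel backs
! off smoothly rather than through loss.
policy-map SHAPE_PER_TUNNEL
 class TUNNEL_PEER_A
  shape average 2000000
 class TUNNEL_PEER_B
  shape average 2000000
 class class-default
  fair-queue
!
! Parent policy: shape the whole interface to the contracted 6 Mbps so the
! queues form on this router, where we control them, rather than in the
! provider's policer. Needed because the physical interface is faster than
! the link it feeds.
policy-map SHAPE_LINK_6MBPS
 class class-default
  shape average 6000000
  service-policy SHAPE_PER_TUNNEL
!
interface GigabitEthernet0/0
 description Internet uplink, 6 Mbps contracted rate
 service-policy output SHAPE_LINK_6MBPS
```

Verify with `show policy-map interface GigabitEthernet0/0` (per-class offered rate, shaped rate and queue depth) and `show time-range OFFICE_HOURS` (whether the range is currently active). This only limits the hub-to-spoke direction; the spoke-to-hub direction needs the same shaper on each spoke, as the reply above notes. If the policy must instead match on the cleartext inner addresses (for example, to prioritize one application inside a tunnel), the crypto map or tunnel interface needs `qos pre-classify`, which is not required for the per-peer classification shown here.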
10-12-2009 06:20 AM
Thank you, and I thought I could handle this the other way: how to limit the other traffic to use only, let's say, 30% of the BW and then dedicate the rest of the BW to IPSec traffic.
10-12-2009 08:55 AM
". . . how to limit the other traffic to use only, let's say, 30% of the BW and then dedicate the rest of the BW to IPSec traffic."
Outbound, you could use a policy to shape non-IPSec traffic to 30%. (BTW, personally, when possible, I prefer not to limit bandwidth but to set different priorities for obtaining bandwidth when there's contention. For example, you might set a floor of 70% for IPSec and 30% for non-IPSec, but each would be allowed to use unused bandwidth.)
Inbound is a problem unless you control the other side of the Internet link (i.e., the outbound toward you). If you can't, which is often the case, you can police inbound traffic and/or shape outbound TCP ACKs. Although perhaps better than nothing, neither approach works 100% as is often desired.
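The "floor rather than cap" approach and the inbound policer from the reply above, as an added example that is not from the thread. It assumes a Cisco IOS router with HQF-style MQC (bandwidth guarantees and fair-queue in class-default), a 6 Mbps Internet uplink on GigabitEthernet0/0, and that "IPSec" means ESP, AH, IKE and NAT-T in either direction; all names and the 1.8 Mbps inbound rate (30% of 6 Mbps) are the example's own choices. Outbound, the child policy gives IPsec a 70% minimum and everything else a 30% minimum under a 6 Mbps parent shaper, and either class may use bandwidth the other leaves idle. Inbound, the router cannot shape what the far side sends, so the policer only drops; the dropped non-IPsec packets have already crossed the link, which is why the reply calls this better than nothing rather than a solution.

```cisco
! IPsec in either direction: ESP, AH, IKE (UDP/500) and NAT-T (UDP/4500).
ip access-list extended IPSEC_ANY
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
class-map match-any IPSEC_TRAFFIC
 match access-group name IPSEC_ANY
!
! Child policy: minimum guarantees that apply only under contention.
! "bandwidth percent" is a floor, not a ceiling; an idle class lends its
! share to the busy one.
policy-map LINK_FLOORS
 class IPSEC_TRAFFIC
  bandwidth percent 70
 class class-default
  bandwidth percent 30
  fair-queue
!
! Parent shaper to the contracted 6 Mbps; the floors above are percentages
! of this shaped rate, not of the 1 Gbps physical interface.
policy-map SHAPE_LINK_6MBPS
 class class-default
  shape average 6000000
  service-policy LINK_FLOORS
!
! Inbound: everything that is not IPsec. The deny entries exclude IPsec
! from the match; a packet hitting a deny is simply not classified.
ip access-list extended NON_IPSEC
 deny   esp any any
 deny   ahp any any
 deny   udp any any eq isakmp
 deny   udp any any eq non500-isakmp
 permit ip any any
!
class-map match-any NON_IPSEC_TRAFFIC
 match access-group name NON_IPSEC
!
! Police inbound non-IPsec traffic to 1.8 Mbps (30% of 6 Mbps). bc is the
! burst in bytes: 1800000 bit/s / 8 * 0.25 s = 56250. TCP senders see the
! drops and slow down; UDP senders do not, and the link was already used.
policy-map POLICE_INBOUND_NON_IPSEC
 class NON_IPSEC_TRAFFIC
  police cir 1800000 bc 56250 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 description Internet uplink, 6 Mbps contracted rate
 service-policy output SHAPE_LINK_6MBPS
 service-policy input POLICE_INBOUND_NON_IPSEC
```

`show policy-map interface GigabitEthernet0/0 input` shows the policer's conformed and exceeded counters, which is the quickest way to see how much inbound traffic is being thrown away after it already crossed the link. Shaping outbound TCP ACKs, the other partial measure mentioned in the reply, is not shown here.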