Unanswered Question
Sep 16th, 2007


Can anyone suggest a link to QoS?

router(tunnel ) ---- internet----router1----(tunnel)pix

My site-to-site tunnel is terminating on the PIX.

On router1 I want to limit traffic through the VPN tunnel to 256 kbps and the rest of the traffic as normal.

Please suggest a suitable config link to implement the same.



etienne.basset Sun, 09/16/2007 - 23:25


Try something like this:

! assuming it's an IPsec tunnel
class-map match-any CM-IPSEC
 match protocol ipsec
!
policy-map PM-SHAPE-IPSEC
 class CM-IPSEC
  shape average 256000
!
! entered in interface configuration mode
service-policy output PM-SHAPE-IPSEC

rajbhatt Sun, 09/16/2007 - 23:49


Thanks a lot.

I will try and see if this works.

It should only allow 256 kbps of VPN tunnel traffic.

Normal internet traffic stays as it is.

I don't need QoS behind the LAN.

I don't think I need an extra router in this scenario.

I have an internet bandwidth of 1 Mbps.

Out of that I just want to allocate 256 kbps maximum for the VPN tunnel; anything above that bandwidth should be dropped by the router.

If you could, please provide a link for better understanding.

Thanks in advance
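
Added example, not from any poster in this thread: a policing variant of the policy posted above, for the stated requirement that tunnel traffic above 256 kbps be dropped rather than queued (shape buffers the excess, police discards it). It assumes the tunnel is IPsec (ESP plus IKE/NAT-T on UDP 500/4500) and matches it with an ACL instead of NBAR; ACL-IPSEC, PM-POLICE-IPSEC and the interface placeholder are made-up names, and the policy limits only the outbound direction of the interface it is attached to.

```cisco
! Assumption: the tunnel is IPsec, so transit packets on router1 are
! ESP (IP protocol 50) plus IKE on UDP 500 and NAT-T on UDP 4500.
ip access-list extended ACL-IPSEC
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
class-map match-any CM-IPSEC
 match access-group name ACL-IPSEC
!
! police drops packets that exceed the rate; unmatched traffic falls
! into class-default and is not limited.
policy-map PM-POLICE-IPSEC
 class CM-IPSEC
  police 256000 conform-action transmit exceed-action drop
!
! Placeholder: replace with router1's internet-facing interface.
interface <internet-facing-interface>
 service-policy output PM-POLICE-IPSEC
```

`show policy-map interface` on the same interface reports conformed and exceeded packet counts for the class, which confirms whether the tunnel traffic is actually being matched.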


lgijssel Sun, 09/16/2007 - 23:37

You will need more than one link to address all issues that are possibly related to your question. How about:

- QoS in the LANs behind router/PIX?

- How to mark the tunneled packets?

- How to ensure that these markings are preserved along the way?

- Limiting QoS traffic in transit will inevitably lead to data loss, hence this is a bad idea.

- A PIX only does FIFO; you will need an ASA or perhaps an extra router.

In my opinion, this issue is too complex to be resolved on this forum. My suggestion would be to hire someone with the required knowledge and let him make & build the design.



