Cisco 871 IPSEC bandwidth

desmond.liew
Level 1

Dear all,

I have set up a Cisco 871 router configured with VPN and Internet service. My line is a 1M line and I am wondering if there is a minimum or maximum bandwidth used for VPN.

When there is no traffic, how much bandwidth does keep-alive traffic take if it is enabled?

Also, in what order does Cisco match traffic first?

I have attached my sample configuration.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TEST
!
boot-start-marker
boot-end-marker
!
logging buffered 16384
!
no aaa new-model
ip cef
!
!
!
!
crypto pki trustpoint TP-self-signed-1579893558
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1579893558
 revocation-check none
 rsakeypair TP-self-signed-1579893558
!
!
crypto pki certificate chain TP-self-signed-1579893558
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  .
  C1AB46A9 1B23B635 6781BBDC F24B6518 DAC5EEFB 521CF839 5E553763 C850049B 7F4470
  quit
!
!
username admin privilege 15 secret 5 $1$J5X7$Lza4y093b9CI2eCPj3zN9.
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key jmdgpmwajjtd address <REMOTE_IP_ADDRESS>
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to<REMOTE_IP_ADDRESS>
 set peer <REMOTE_IP_ADDRESS>
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 bandwidth 1024
 ip address <ROUTER_IP_ADDRESS> 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 ip address 172.30.205.1 255.255.255.0
 ip access-group 130 in
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 <GATEWAY_IP_ADDRESS>
ip route 133.0.0.0 255.0.0.0 172.30.162.254
ip route 172.30.159.0 255.255.255.0 172.30.162.254
ip route 172.30.160.0 255.255.255.0 172.30.162.254
ip route 172.30.161.0 255.255.255.0 172.30.162.254
ip route 172.30.162.0 255.255.255.0 172.30.162.254
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.30.205.0 0.0.0.255 133.0.0.0 0.255.255.255
access-list 100 permit ip 172.30.205.0 0.0.0.255 172.30.159.0 0.0.0.255
access-list 100 permit ip 172.30.205.0 0.0.0.255 172.30.160.0 0.0.0.255
access-list 100 permit ip 172.30.205.0 0.0.0.255 172.30.161.0 0.0.0.255
access-list 100 permit ip 172.30.205.0 0.0.0.255 172.30.162.0 0.0.0.255
access-list 101 deny ip 172.30.205.0 0.0.0.255 133.0.0.0 0.255.255.255
access-list 101 deny ip 172.30.205.0 0.0.0.255 172.30.159.0 0.0.0.255
access-list 101 deny ip 172.30.205.0 0.0.0.255 172.30.160.0 0.0.0.255
access-list 101 deny ip 172.30.205.0 0.0.0.255 172.30.161.0 0.0.0.255
access-list 101 deny ip 172.30.205.0 0.0.0.255 172.30.162.0 0.0.0.255
access-list 101 permit ip 172.30.205.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
 login local
line vty 0 4
 login local
 transport input ssh
!
scheduler max-task-time 5000
end

1 Reply

irisrios
Level 6

With default settings, the router does not limit the bandwidth allocated for a VPN client. A VPN client connection can get as much bandwidth as possible. You have to impose special QoS policies if you want to limit bandwidth.
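Although the router sets no limit, the tunnel itself costs bandwidth on every packet. The following is an added example, not part of the original thread: it computes the ESP tunnel-mode size of a packet for the posted transform set `ESP-3DES-SHA` and the resulting throughput on the 1024 kbit/s line. It assumes IPv4 with no IP options, no NAT-T, and ignores layer-2 framing; `TransformSet` and its methods are hypothetical names.

```python
# Added example: per-packet cost of ESP tunnel mode (RFC 4303 layout).
# Constructed for illustration; sizes assume IPv4, no NAT-T, no IP options.
from dataclasses import dataclass

OUTER_IP = 20        # new IPv4 header added by tunnel mode
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# cipher -> (block size, IV size); auth -> truncated HMAC (ICV) size, in bytes
CIPHERS = {"esp-3des": (8, 8), "esp-aes": (16, 16)}
AUTHS = {"esp-sha-hmac": 12, "esp-md5-hmac": 12}


@dataclass(frozen=True)
class TransformSet:
    cipher: str
    auth: str

    def outer_size(self, inner_len: int) -> int:
        """Bytes on the wire for one inner IP packet of inner_len bytes."""
        block, iv = CIPHERS[self.cipher]
        # Payload + trailer is padded up to a whole number of cipher blocks.
        padded = -(-(inner_len + ESP_TRAILER) // block) * block
        return OUTER_IP + ESP_HEADER + iv + padded + AUTHS[self.auth]

    def max_inner(self, mtu: int = 1500) -> int:
        """Largest inner packet whose ESP packet still fits in mtu."""
        block, iv = CIPHERS[self.cipher]
        room = mtu - OUTER_IP - ESP_HEADER - iv - AUTHS[self.auth]
        return (room // block) * block - ESP_TRAILER

    def goodput_kbps(self, inner_len: int, line_kbps: float) -> float:
        """Inner-packet throughput when the line is saturated with ESP."""
        return line_kbps * inner_len / self.outer_size(inner_len)


# Values taken from the posted configuration.
POSTED = TransformSet("esp-3des", "esp-sha-hmac")   # ESP-3DES-SHA
LINE_KBPS = 1024                                    # "bandwidth 1024"

if __name__ == "__main__":
    print(f"max inner packet without fragmentation: {POSTED.max_inner()}")
    for size in (40, 64, 576, 1400, POSTED.max_inner()):
        wire = POSTED.outer_size(size)
        print(f"inner {size:4d} B -> wire {wire:4d} B "
              f"(+{wire - size} B), goodput "
              f"{POSTED.goodput_kbps(size, LINE_KBPS):6.1f} kbit/s")
```

Small packets pay the largest relative cost, so a tunnel carrying mostly short packets delivers well under the line rate even with no limit configured.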
