I have a new customer site behind a T1 that is going to join our company WAN. The plan is to join them to us initially using a VPN tunnel while we "assimilate" them, and then switch them to a higher speed connection. During the assimilation time, the customer requirements are to receive a scheduled FTP push three times daily, which brings any other traffic to its knees. I want to be able to rate-limit/shape/police this FTP traffic to 50% (768k) until we move them to our private WAN. However, I only have control of the CE router, not the PE router. My QoS is weak, but I know I can't use shaping on ingress. Can you help me with choosing the best method between rate limiting or policing? There will just be IPsec site-to-site traffic, and the inbound FTP traffic.
Not a good situation just using Cisco QoS features.
You can police the inbound FTP traffic and/or shape the outbound ACKs for that traffic. Either or both techniques do work, but it is very difficult to regulate inbound congestion precisely. If supporting a very low (perhaps 10% of link) inbound FTP rate is acceptable, these techniques might be useful. (The reason for the low target rate is that TCP will still burst across the link, and to keep such bursts from adversely impacting other traffic, you need to slow such inbound traffic sooner rather than later.)
More precise inbound traffic regulation can be accomplished by using a device that spoofs the receiving host's RWIN while monitoring bandwidth utilization. I don't believe any Cisco product supports this, but I believe some 3rd-party traffic shaping products do.
Another option might be to consider installing a 2nd inexpensive (e.g. ADSL, cable) Internet connection and not mixing the existing Internet traffic with the transition VPN tunnel traffic.
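The two Cisco-only techniques from the answer above (police the inbound FTP, shape the outbound ACKs) put into Cisco IOS MQC configuration. This is an added illustration, not configuration from the original thread or from either poster. The WAN interface name (Serial0/0), the customer's FTP server address (192.0.2.10) and the 10%-of-T1 target are assumptions chosen for the example; the IPsec tunnel traffic is deliberately left in class-default. Note that an ingress policer on the CE drops packets that have already crossed the T1, so it does not free the link directly; it only makes the sender's TCP back off, which is why the target rate has to be set well below what the link could carry.

```cisco
! Added example (not from the original thread): police inbound FTP at ~10% of a T1
! and shape the outbound FTP ACKs on the CE router, using Cisco IOS MQC.
! Assumed names: WAN interface Serial0/0, customer FTP server 192.0.2.10 (hypothetical).
! IPsec site-to-site traffic falls into class-default and is left alone.
!
! Classify FTP by the server address rather than by port: a push to the customer's
! server lands on a random high data port in passive mode, so ports 20/21 alone
! would miss most of the data channel.
ip access-list extended FTP-TO-SERVER
 permit tcp any host 192.0.2.10
ip access-list extended FTP-FROM-SERVER
 permit tcp host 192.0.2.10 any
!
class-map match-all FTP-IN
 match access-group name FTP-TO-SERVER
class-map match-all FTP-ACK-OUT
 match access-group name FTP-FROM-SERVER
!
! Ingress: single-rate policer. 154 kbps is ~10% of a 1544 kbps T1. The small
! committed burst (about 1/4 s at CIR, in bytes) makes TCP back off early, which is
! the "sooner rather than later" point made in the answer. Shaping is not permitted
! on an input policy, so police is the only option here.
policy-map POLICE-FTP-IN
 class FTP-IN
  police cir 154000 bc 4800 be 4800 conform-action transmit exceed-action drop violate-action drop
 class class-default
!
! Egress: shape the ACKs the server sends back. Data inflow is bounded by how fast
! ACKs go out, so this is a second, coarser brake. 8000 bps is roughly 19 ACKs per
! second at ~52 bytes each; since each ACK can cover a couple of segments this caps
! inflow somewhat above the policer rate, so the policer remains the primary control.
policy-map SHAPE-FTP-ACK
 class FTP-ACK-OUT
  shape average 8000
 class class-default
!
interface Serial0/0
 service-policy input POLICE-FTP-IN
 service-policy output SHAPE-FTP-ACK
!
! Verify while a push is running; rising exceeded/violated counters show the
! policer is actually biting, and the shaper's queue depth shows ACKs being held.
!   show policy-map interface Serial0/0 input
!   show policy-map interface Serial0/0 output
```

If the FTP push arrived inside the IPsec tunnel rather than as plaintext on the WAN interface, the ingress classification above would not see it (the policer runs before decryption), and the policy would have to be applied where the decrypted traffic is visible instead.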