vpn tunnel BW control

Giuseppe Larosa Mon, 10/12/2009 - 04:36

Hello Ranjit,

an outbound shaping approach is probably the only one that can work.

If, for example, IPsec is the protocol used, you need to define the VPN traffic with a class-map.

  ! ACL that identifies the IPsec traffic (ESP plus IKE); referenced by the class-map below
  ip access-list extended ipsec_traffic
   permit esp any any
   permit udp any any eq isakmp
  !
  ! class-map syntax is "match access-group", not "match ip address" (that is route-map syntax)
  class-map match-any vpn_traffic
   match access-group name ipsec_traffic

Then you define a policy-map:

  policy-map shape_vpn
   class vpn_traffic
    shape average 2000000
   class class-default

This is the first part of your question and would apply shaping 24 h/day.

How to do this in daytime only?

Using time ranges for the ACL, as described in the above thread: that is, the access-list invokes a time range.

Hope to help


Joseph W. Doherty Mon, 10/12/2009 - 05:05

To expand on the information that Giuseppe has provided, you'll likely need to do this on both ends of the VPN tunnels (assuming you want to restrict bandwidth utilization both in and out at your hub site).

Also what Giuseppe shows would shape all VPN traffic, but since you asked about restricting any one VPN tunnel to 2 Mbps, at the hub site you would need a 2 Mbps shaper for each tunnel's traffic.

Do realize that the combined traffic of several VPN tunnels could still overwhelm your link.
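
Giuseppe's class-map/policy-map, Joseph's per-tunnel shaper, and the time-range ACL put together as one hub-side configuration. This is an added example, not the configuration from either post. It assumes two spoke peers at the placeholder addresses 198.51.100.10 and 198.51.100.20, that the hub's Internet-facing interface is GigabitEthernet0/0, a daytime window of 08:00 to 18:00 on weekdays, and that IPsec is ESP plus IKE on UDP/500 and UDP/4500 (NAT-T); all of these are assumptions, not facts from the thread.

```cisco
! Added example; peer addresses, interface name and time window are assumptions.
!
! Time window during which the shaping ACL lines are active.
time-range daytime
 periodic weekdays 8:00 to 18:00
!
! One ACL per tunnel so each tunnel gets its own shaper. Each line carries
! the time range, so outside the window no packet matches and the tunnel's
! traffic falls through to class-default unshaped.
ip access-list extended ipsec_tunnel_A
 permit esp any host 198.51.100.10 time-range daytime
 permit udp any host 198.51.100.10 eq isakmp time-range daytime
 permit udp any host 198.51.100.10 eq non500-isakmp time-range daytime
ip access-list extended ipsec_tunnel_B
 permit esp any host 198.51.100.20 time-range daytime
 permit udp any host 198.51.100.20 eq isakmp time-range daytime
 permit udp any host 198.51.100.20 eq non500-isakmp time-range daytime
!
class-map match-any vpn_tunnel_A
 match access-group name ipsec_tunnel_A
class-map match-any vpn_tunnel_B
 match access-group name ipsec_tunnel_B
!
! 2 Mbps shaper per tunnel (shape average takes bits per second).
policy-map shape_vpn
 class vpn_tunnel_A
  shape average 2000000
 class vpn_tunnel_B
  shape average 2000000
 class class-default
!
interface GigabitEthernet0/0
 service-policy output shape_vpn
```

Two checks are worth doing after applying it: `show time-range daytime` reports whether the range is currently active, and `show policy-map interface GigabitEthernet0/0` shows per-class offered rate and shaper drops, which is how you confirm traffic is actually landing in the tunnel classes rather than in class-default. Time-based ACLs depend on the router clock, so the router should be synchronised with NTP and the time zone set; an unsynchronised clock silently turns the daytime window into the wrong hours.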

Joseph W. Doherty Mon, 10/12/2009 - 08:55

". . . how to limit the other traffic to use only let's say 30% of the BW and then rest of the BW dedicated to IPSec traffic."

Outbound, you could use a policy to shape non-IPSec traffic to 30%. (BTW, personally, when possible, I prefer not to limit bandwidth, but to set different priorities for obtaining bandwidth, when there's contention. For example, you might set a floor of 70% for IPSec and 30% for non-IPSec but each would be allowed to use unused bandwidth.)

Inbound is a problem unless you control the other side of the Internet link (i.e. the outbound to you). If you can't, which is often the case, you can police inbound traffic and/or shape outbound TCP ACKs. Although perhaps better than nothing, neither approach works 100% as often desired.

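Joseph's alternative of guaranteeing a floor for each class instead of capping it, together with his point that inbound can only be policed, as one added example configuration. It is not from the original posts. It assumes a 10 Mbps Internet link on GigabitEthernet0/0 (a parent shaper at that rate makes the router, not the provider, the congestion point, which is what lets the queuing policy take effect), an ACL that identifies IPsec by ESP plus the IKE and NAT-T ports, and a 3 Mbps inbound ceiling for non-IPsec traffic, i.e. 30% of the assumed 10 Mbps; the rates and interface are assumptions.

```cisco
! Added example; link rate, interface name and the 70/30 split are assumptions.
!
ip access-list extended ipsec_traffic
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
class-map match-any vpn_traffic
 match access-group name ipsec_traffic
!
! Outbound: a 70/30 split of the link that only bites under congestion.
! "bandwidth remaining percent" divides what is left after any priority
! traffic; either class may borrow the other's unused share.
policy-map wan_out
 class vpn_traffic
  bandwidth remaining percent 70
 class class-default
  bandwidth remaining percent 30
!
! Parent shaper at the contracted rate so queuing happens on this router
! (a 1 Gbps interface facing a 10 Mbps service never congests on its own).
policy-map wan_shape
 class class-default
  shape average 10000000
  service-policy wan_out
!
! Inbound: the far end's sending rate cannot be shaped from here, so the
! only tool is a policer that drops non-IPsec traffic above 3 Mbps.
! IPsec is listed first with no action so it is exempt from the policer.
policy-map wan_in
 class vpn_traffic
 class class-default
  police 3000000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 service-policy output wan_shape
 service-policy input wan_in
```

The inbound policer does what Joseph warns about: the excess packets have already crossed the Internet link before they are dropped, so it recovers bandwidth only indirectly, by making TCP senders back off. `show policy-map interface GigabitEthernet0/0 input` shows the conformed and exceeded byte counts, which tells you whether the policer is actually doing anything. If the hub should cap any single spoke rather than just guarantee IPsec a share, the per-tunnel shapers from the earlier example belong inside `wan_out` in place of the single `vpn_traffic` class.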
