vpn tunnel BW control


Hi, I need to control traffic through multiple VPN tunnels to limit the BW used by any one single VPN.

Right now it is a 6MB link shared by 13 p2p VPN tunnels and Internet access.

How could I achieve this? For example, I need to limit any VPN tunnel to a maximum of 2MB during office hours.

Any advice will be greatly appreciated.

Giuseppe Larosa Mon, 10/12/2009 - 04:36

Hello Ranjit,

An outbound shaping approach is probably the only one that can work.

If, for example, IPSec is the protocol used, you need to define the VPN traffic with a class-map that references an ACL:

class-map match-all vpn_traffic
 match access-group name ipsec_traffic

Then you define a policy-map and apply it outbound on the WAN interface:

policy-map shape_vpn
 class vpn_traffic
  shape average 2000000
 class class-default
!
interface <WAN interface>
 service-policy output shape_vpn


This is the first part of your question and would apply shaping 24 h/day.

How to do this in the daytime only?

Use time ranges for the ACL as described in the above thread; that is, the access-list invokes a time range.

Hope to help


Joseph W. Doherty Mon, 10/12/2009 - 05:05

To expand on the information that Giuseppe has provided, you'll likely need to do this on both ends of the VPN tunnels (assuming you want to restrict bandwidth utilization both in and out at your hub site).

Also what Giuseppe shows would shape all VPN traffic, but since you asked about restricting any one VPN tunnel to 2 Mbps, at the hub site you would need a 2 Mbps shaper for each tunnel's traffic.

Do realize that a combination of VPN tunnels traffic could still overwhelm your link.

Joseph W. Doherty Mon, 10/12/2009 - 08:55

". . . how to limit the other traffic to use only let's say 30% of the BW and then the rest of the BW dedicated to IPSec traffic."

Outbound, you could use a policy to shape non-IPSec traffic to 30%. (BTW, personally, when possible, I prefer not to limit bandwidth, but to set different priorities for obtaining bandwidth, when there's contention. For example, you might set a floor of 70% for IPSec and 30% for non-IPSec but each would be allowed to use unused bandwidth.)

Inbound is a problem unless you control the other side of the Internet link (i.e. the outbound to you). If you can't, which is often the case, you can police inbound traffic and/or shape outbound TCP ACKs. Although perhaps better than nothing, neither approach works 100% as often desired.
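The two approaches discussed above (a per-tunnel 2 Mbps shaper that is only active during office hours, and the 70/30 floor instead of a hard cap) written out as one hub-side IOS configuration. This is an added example, not configuration posted in the thread; the peer addresses, the interface name, the office-hours window and the fact that only two of the 13 tunnels are shown are all assumptions.

```cisco
! Added example, not from the thread. Peer addresses, interface name and
! the 08:00-18:00 window are assumed; only 2 of the 13 tunnels are shown.
time-range OFFICE_HOURS
 periodic weekdays 08:00 to 18:00
!
! One ACL per tunnel peer. IPsec on the wire is ESP plus ISAKMP (UDP 500)
! and NAT-T (UDP 4500). The time-range keyword makes each ACE inactive
! outside office hours, so the class stops matching and no shaper applies.
ip access-list extended TUNNEL_SITE1
 permit esp any host 203.0.113.11 time-range OFFICE_HOURS
 permit udp any host 203.0.113.11 eq isakmp time-range OFFICE_HOURS
 permit udp any host 203.0.113.11 eq non500-isakmp time-range OFFICE_HOURS
ip access-list extended TUNNEL_SITE2
 permit esp any host 203.0.113.12 time-range OFFICE_HOURS
 permit udp any host 203.0.113.12 eq isakmp time-range OFFICE_HOURS
 permit udp any host 203.0.113.12 eq non500-isakmp time-range OFFICE_HOURS
!
class-map match-all VPN_SITE1
 match access-group name TUNNEL_SITE1
class-map match-all VPN_SITE2
 match access-group name TUNNEL_SITE2
!
! Option 1: a separate 2 Mbps cap per tunnel (13 tunnels at 2 Mbps each
! can still exceed a 6 Mbps link; the cap limits one tunnel, not the sum).
policy-map SHAPE_VPN_PER_TUNNEL
 class VPN_SITE1
  shape average 2000000
 class VPN_SITE2
  shape average 2000000
 class class-default
  fair-queue
!
! Option 2: no cap, just a 70/30 guarantee that only bites under contention.
ip access-list extended IPSEC_ALL
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
class-map match-all VPN_ALL
 match access-group name IPSEC_ALL
policy-map PRIORITIZE_VPN
 class VPN_ALL
  bandwidth remaining percent 70
 class class-default
  bandwidth remaining percent 30
!
! Apply exactly one of the two policies outbound on the Internet-facing link.
interface GigabitEthernet0/0
 description Internet-facing WAN (assumed)
 service-policy output SHAPE_VPN_PER_TUNNEL
```

Verify with `show policy-map interface GigabitEthernet0/0` during and outside the time range: the per-tunnel classes should show matches only while OFFICE_HOURS is active.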
