Bandwidth

Feb 4th, 2010

Hello


Hub is connecting to 5 Spokes over IPSEC and 3 over IPSEC_GRE

How to get bandwidth usage for each VPN site from the Hub?


(Scenario 1)

Hub connects to Spoke1 over IPSEC

At the Hub it's a Router and at the Spoke it's an ASA


(Scenario 2)

Hub connects to Spoke2 GRE over IPSEC

At the Hub it's a Router and at the Spoke it's a Router



Hub has a 10MB link. How can I identify that Spoke1 uses X bandwidth, and similarly for the other spokes (Spoke2, Spoke3, Spoke4, etc.)?

Current Hub bandwidth utilization : 6MB for 8 VPN Tunnels.


Please do input


thanks

Nasr

Giuseppe Larosa Thu, 02/04/2010 - 13:18

Hello Nasr,

if IP addresses of spokes are not dynamic you can use some tools for this:


a Policy-map with one class for each tunnel


for IPSec only tunnel:

define traffic class as ipsec traffic between local and remote public ip address


for IPSEC+GRE tunnel:

again define traffic class as IPsec traffic flow between local public ip address and remote public ip address


you need to know if you use AH or only ESP to define ACLs


access-list 111 permit ah host local-ip host remote-ip1


ESP only , no AH header:


access-list 112 permit esp host local-ip host remote-ip2


this depends on transformation sets.


It is highly probable that GRE over IPSec uses only ESP to reduce overhead


class-map match-all ah-ipsec1

match access-group 111

class-map match-all esp-ipsec2

match access-group 112


policy-map tunneltraffic

class ah-ipsec1

class esp-ipsec2


let's suppose fas0/0 is the public interface on HUB



int fas0/0

service-policy output tunneltraffic


check with

sh policy-map int fas0/0


you will get counters for each class


this will allow also to introduce QoS if needed in the future


another method could be ip accounting


int fa0/0

ip accounting output-packets


check with

sh ip accounting


but it does not provide rates, only counters that increase over time


A third method could be egress netflow




Hope to help

Giuseppe
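
Added example, not part of the reply above or of any Cisco tooling: per-class byte counters such as those shown by sh policy-map int only grow over time, so a rate per tunnel comes from the difference between two samples. The sketch below parses two snapshots taken 60 seconds apart and returns the average bits per second for each class; the snapshot text is constructed in the usual layout of that command's output, the class names are the ones used in the thread, and the counter values and helper names are made up.

```python
import re

# Constructed sample in the layout of "show policy-map interface" output.
# Class names come from the thread; all counter values are made up.
TEMPLATE = """\
 FastEthernet0/0
  Service-policy output: tunneltraffic
    Class-map: ah-ipsec1 (match-all)
      {p1} packets, {b1} bytes
      Match: access-group 111
    Class-map: esp-ipsec2 (match-all)
      {p2} packets, {b2} bytes
      Match: access-group 112
    Class-map: class-default (match-any)
      10 packets, 800 bytes
"""
SAMPLE_T0 = TEMPLATE.format(p1=1000, b1=1500000, p2=4000, b2=4000000)
SAMPLE_T1 = TEMPLATE.format(p1=6000, b1=9000000, p2=24000, b2=34000000)  # 60 s later

CLASS_RE = re.compile(r"Class-map:\s+(\S+)")
BYTES_RE = re.compile(r"(\d+) packets, (\d+) bytes")


def parse_class_bytes(text):
    """Return {class_name: byte_counter} for one snapshot."""
    counters, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = BYTES_RE.search(line)
        # Keep only the first counter line that follows each Class-map header.
        if m and current is not None and current not in counters:
            counters[current] = int(m.group(2))
    return counters


def rates_bps(before, after, interval_s):
    """Average bits per second per class between two snapshots."""
    rates = {}
    for name, end in after.items():
        start = before.get(name)
        # None marks a class missing from the first sample or cleared counters.
        rates[name] = None if start is None or end < start else (end - start) * 8 / interval_s
    return rates


if __name__ == "__main__":
    result = rates_bps(parse_class_bytes(SAMPLE_T0), parse_class_bytes(SAMPLE_T1), 60)
    for name, bps in result.items():
        print(name, "n/a" if bps is None else f"{bps / 1e6:.2f} Mbit/s")
```

The same delta calculation applies to the byte counts from sh ip accounting, which likewise reports counters rather than rates.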

nasr.khan Thu, 02/04/2010 - 13:38

Hi Giuseppe, A big thanks for the reply


All spokes have static ip


GRE over IPSec use only ESP


Not clear how I can get bandwidth usage with each spoke from Hub using policy-map for IPSEC connection (without GRE)


I do agree on configuring egress netflow; I can get bandwidth usage for spoke having GRE Tunnel over IPSEC


Kindly elaborate more to understand with needed steps


Thanks

Nasr

Giuseppe Larosa Sat, 02/06/2010 - 02:37

Hello Nasr,

>> Not clear how I can get bandwidth usage with each spoke from Hub using policy-map for IPSEC connection (without GRE)


the IPSec only tunnels use ESP or AH also?

I think the policy-map could be used also for IPSec only tunnels.


Traffic will be destined to remote peer and if public IP addresses are static you can easily find an access-list definition that matches the desired traffic.

That ACL is then used to define traffic in a class-map.


Hope to help

Giuseppe
