Bandwidth Allocation for a specific VPN Tunnel - PIX 525 7.2(1)

bernal.ramirez · ‎03-01-2010

Hello,

I have a PIX with a 10 MB internet connection. This PIX has several L2L VPN Tunnels configured: Tunnel1, Tunnel2...TunnelN. I want to be able guarentee 5Mb of the total 10Mb to a specific VPN Tunnel. Is this possible? I have read the following links, however I believe that the configuration guidelines I'm looking for are a combination of several examples shown here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml#tab4

https://supportforums.cisco.com/docs/DOC-1230

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#cqos

The tunnel is being defined by the following commands:

crypto map prdmay 20 match address vpn_1

crypto map prdmay 20 set peer 61.172.142.222

crypto map prdmay 20 set transform-set TS

access-list vpn_1 extended permit ip 10.14.102.0 255.255.255.0 any

access-list vpn_1 extended permit ip 10.14.101.0 255.255.255.0 any

tunnel-group 61.172.142.222 type ipsec-l2l

tunnel-group 61.172.142.222 ipsec-attributes

pre-shared-key *

Is the following what I need to do in order to accomplish what I want:

priority-queue outside


class-map vpn_5Mb
match access-list vpn_1
match tunnel-group 61.172.142.222
policy-map police-priority-policy
class vpn_5Mb
police output 5120000

service-policy police-priority-policy interface outside

Thank you for your help.

Panos Kampanakis · ‎03-02-2010

I don't think the ASA will let you match on ACL and tunnel group at the same time.

Just the ACL will do though. The ACL should match local ip addresses (there are usually no-natted for the VPN anyway).

Here is a page with a QoS examples on the ASA for reference https://supportforums.cisco.com/docs/DOC-1230

I hope it helps.

PK