Bandwidth Allocation for a specific VPN Tunnel - PIX 525 7.2(1)

Mar 1st, 2010
I have a PIX with a 10 MB internet connection. This PIX has several L2L VPN tunnels configured: Tunnel1, Tunnel2...TunnelN. I want to be able to guarantee 5Mb of the total 10Mb to a specific VPN tunnel. Is this possible? I have read the following links; however, I believe that the configuration guidelines I'm looking for are a combination of several examples shown here:

The tunnel is being defined by the following commands:

crypto map prdmay 20 match address vpn_1

crypto map prdmay 20 set peer

crypto map prdmay 20 set transform-set TS

access-list vpn_1 extended permit ip any

access-list vpn_1 extended permit ip any

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key *

Is the following what I need to do in order to accomplish what I want:

priority-queue outside

class-map vpn_5Mb
 match access-list vpn_1
 match tunnel-group
policy-map police-priority-policy
 class vpn_5Mb
  police output 5120000

service-policy police-priority-policy interface outside

Thank you for your help.

Panos Kampanakis (Cisco Employee) Tue, 03/02/2010 - 07:35

I don't think the ASA will let you match on ACL and tunnel group at the same time.

Just the ACL will do though. The ACL should match local IP addresses (they are usually no-NATted for the VPN anyway).

Here is a page with QoS examples on the ASA for reference

I hope it helps.
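
The restriction described in the reply above, turned into a small configuration check. This is an added example, not part of the original thread or any Cisco tooling; it assumes, as the reply states, that a class-map cannot combine `match access-list` with `match tunnel-group`, and the sample config is constructed from the question with a placeholder tunnel-group name.

```python
# Constructed sample: the class-map and policy-map from the question, with a
# placeholder (TUNNEL_GROUP_NAME) where the post leaves the tunnel-group name out.
SAMPLE_CONFIG = """\
class-map vpn_5Mb
 match access-list vpn_1
 match tunnel-group TUNNEL_GROUP_NAME
class-map vpn_acl_only
 match access-list vpn_1
policy-map police-priority-policy
 class vpn_5Mb
  police output 5120000
service-policy police-priority-policy interface outside
"""

def parse_class_maps(config):
    """Return {class-map name: [match criterion keywords]} from ASA-style config text."""
    class_maps, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["class-map"] and len(words) > 1:
            current = class_maps.setdefault(words[-1], [])
        elif words[:1] == ["match"] and current is not None and len(words) > 1:
            current.append(words[1])
        elif line and not line[0].isspace():
            current = None  # any other top-level command closes the stanza
    return class_maps

def policed_classes(config):
    """Return {class name: police rate in bits per second} from policy-map stanzas."""
    rates, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["class"] and len(words) > 1:
            current = words[1]
        elif words[:1] == ["police"] and current:
            rate = next((int(w) for w in words[1:] if w.isdigit()), None)
            if rate is not None:
                rates[current] = rate
        elif line and not line[0].isspace():
            current = None
    return rates

def audit(config):
    """List (class-map, police rate or None) where ACL and tunnel-group matches are combined."""
    rates = policed_classes(config)
    return [(name, rates.get(name)) for name, kinds in sorted(parse_class_maps(config).items())
            if {"access-list", "tunnel-group"} <= set(kinds)]

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The parser also accepts `match` and `police` lines that have lost their indentation, as in the configuration pasted in the question.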


