Cisco Support Community

New Member

vpn tunnel BW control

Hi, I need to control traffic through multiple VPN tunnels to limit BW use by one single VPN.

Now it is a 6MB link shared by 13 p2p VPN tunnels and Internet access.

How could I achieve this? For example, I need to limit any VPN tunnel to a maximum of 2MB during office hours.

Any advice will be greatly appreciated.

Hall of Fame Super Silver

Re: vpn tunnel BW control

Hello Ranjit,

An outbound shaping approach is probably the only one that can work.

If, for example, IPSec is the protocol used, you need to define the VPN traffic with a class-map.

! ipsec_traffic is the named ACL that matches the VPN traffic
class-map match-all vpn_traffic
 match access-group name ipsec_traffic

Then you define a policy-map:

! shape average takes a rate in bits per second
policy-map shape_vpn
 class vpn_traffic
  shape average 2000000
 class class-default


This is the first part of your question and would apply shaping 24 h/day.

How to do this in the daytime only?

Using time ranges for the ACL, as described in the above thread.

That is, the access-list invokes a time range.

Hope to help


Super Bronze

Re: vpn tunnel BW control

To expand on the information that Giuseppe has provided, you'll likely need to do this on both ends of the VPN tunnels (assuming you want to restrict bandwidth utilization both in and out at your hub site).

Also what Giuseppe shows would shape all VPN traffic, but since you asked about restricting any one VPN tunnel to 2 Mbps, at the hub site you would need a 2 Mbps shaper for each tunnel's traffic.

Do realize that a combination of VPN tunnels' traffic could still overwhelm your link.
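
A per-tunnel, office-hours-only version of the shaping discussed in the replies above, as an added example that is not part of any poster's reply. The addresses (documentation ranges), interface name, office hours and all object names are assumptions; two of the 13 tunnels are shown and the others follow the same pattern.

```cisco
! Added example. Hub address 192.0.2.1, peers 198.51.100.10 and
! 198.51.100.20, the interface and the 08:00-18:00 window are all assumed.
time-range OFFICE_HOURS
 periodic weekdays 8:00 to 18:00
!
! One ACL per tunnel. The outbound policy on the Internet-facing interface
! sees packets after encryption, so match ESP (and UDP 4500 where NAT-T is
! in use) from the hub to that tunnel's peer.
! Entries are active only inside the time range; outside it the traffic
! falls through to class-default and is not shaped.
ip access-list extended ACL_VPN_PEER_A
 permit esp host 192.0.2.1 host 198.51.100.10 time-range OFFICE_HOURS
 permit udp host 192.0.2.1 host 198.51.100.10 eq 4500 time-range OFFICE_HOURS
ip access-list extended ACL_VPN_PEER_B
 permit esp host 192.0.2.1 host 198.51.100.20 time-range OFFICE_HOURS
 permit udp host 192.0.2.1 host 198.51.100.20 eq 4500 time-range OFFICE_HOURS
!
class-map match-all VPN_PEER_A
 match access-group name ACL_VPN_PEER_A
class-map match-all VPN_PEER_B
 match access-group name ACL_VPN_PEER_B
!
! A separate 2 Mbps shaper per tunnel (rate is in bits per second).
policy-map SHAPE_PER_TUNNEL
 class VPN_PEER_A
  shape average 2000000
 class VPN_PEER_B
  shape average 2000000
 class class-default
!
interface GigabitEthernet0/0
 service-policy output SHAPE_PER_TUNNEL
```

The time range is evaluated against the router's own clock, so the shapers only follow office hours if that clock is correct. `show policy-map interface GigabitEthernet0/0` shows per-class counters for checking that each tunnel lands in its own class.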

New Member

Re: vpn tunnel BW control

Thank you, and I thought I could handle this the other way: how to limit the other traffic to use only, let's say, 30% of the BW and then the rest of the BW dedicated to IPSec traffic.

Super Bronze

Re: vpn tunnel BW control

". . . how to limit the other traffic to use only, let's say, 30% of the BW and then the rest of the BW dedicated to IPSec traffic."

Outbound, you could use a policy to shape non-IPSec traffic to 30%. (BTW, personally, when possible, I prefer not to limit bandwidth, but to set different priorities for obtaining bandwidth, when there's contention. For example, you might set a floor of 70% for IPSec and 30% for non-IPSec but each would be allowed to use unused bandwidth.)

Inbound is a problem unless you control the other side of the Internet link (i.e. the outbound to you). If you can't, which is often the case, you can police inbound traffic and/or shape outbound TCP ACKs. Although perhaps better than nothing, neither approach works 100% as often desired.