We have a 10 Mb connection to the internet and are using this connection as a backup for our dedicated links to sites in London. The VPN is working fine and floating static routes allow us to redirect traffic over the VPN when the primary links go down.
I want to limit the amount of bandwidth the VPN can consume to around 8 Mbps. I have written the following config to do this:
ip access-list extended IPSEC
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map match-any IPSEC
 match access-group name IPSEC
!
! policy-map wrapper around the police statement; the name IPSEC is a placeholder,
! the post does not give it
policy-map IPSEC
 class IPSEC
  police cir 10485500 bc 8388608
Can anyone comment on this configuration? Is there a better way to do this? Also, do I apply the policy map to the Tunnel interface or to the physical interface?
First, I would use shaping instead of policing if you want a fixed upper bandwidth limit for VPN traffic. A policer will drop packets, whereas a shaper will buffer packets. For most applications, dropping packets is not such a good idea.
Second, the bandwidth specified (10485500) is too high to achieve 8 Mbps. The way you have configured it, IPSec will use up to 10 Mbps.
Third, you could use queueing to assure your other traffic at least 2 Mbps, which would also limit your IPSec traffic to a max of 8 Mbps, IF there is congestion. In case there is no other traffic but VPN, would you rather have all 10 Mbps be used by VPN traffic, or would you prefer an upper limit of 8 Mbps (leaving 2 Mbps unused)?
Fourth, the policy-map should be applied to the physical interface.
So the config could look like this:
policy-map IPSEC
 class IPSEC
  shape average 8000000
!
! applied outbound on the physical (WAN) interface; the interface name is a placeholder
interface GigabitEthernet0/0
 service-policy output IPSEC
And last but not least, your traffic description. Consider using an ACL describing source and destination IPs of your tunnel, so all traffic is classified correctly.
The shaping can be monitored with the command "show policy-map interface ...". It will give you info on how many packets and bytes have been shaped (= delayed).
To test the config you need a lab environment. You could use lower bandwidths, e.g. 128 kbps, in case you cannot set up a lab reflecting your environment 1:1. Just scale down the parameters to your test environment.
The final "test" however will be your production environment, because there you will have to deal with application behaviour.
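To make the policing-versus-shaping and Bc points above concrete, here is an added token-bucket model (example code, not from the original thread or from Cisco): a constructed 10 Mbps stream of 1500-byte packets is offered to an 8 Mbps limit, once policed with the original Bc of 8388608 bytes, once with a Bc sized for a 25 ms interval, and once shaped. The shaper is simplified (no burst credit, unbounded queue), and the 25 ms interval is an assumption used only to size Bc.

```python
"""Token-bucket model of IOS 'police' vs 'shape average' for the VPN class.

Times are integer microseconds and sizes integer bits so the arithmetic is exact.
"""

def constant_rate_trace(rate_bps, pkt_bytes, duration_us):
    """Constructed input: (arrival_us, size_bytes) at a steady offered rate."""
    interval_us = pkt_bytes * 8 * 1_000_000 // rate_bps
    return [(t, pkt_bytes) for t in range(0, duration_us, interval_us)]

def police(trace, cir_bps, bc_bytes):
    """Single-rate policer: a packet conforms if the bucket holds its bits,
    otherwise it is dropped (IOS default exceed-action). Returns (sent, dropped)."""
    depth = bc_bytes * 8              # Bc is configured in bytes, bucket holds bits
    tokens, last_us = depth, 0        # bucket starts full
    sent = dropped = 0
    for arrival_us, size in trace:
        tokens = min(depth, tokens + (arrival_us - last_us) * cir_bps // 1_000_000)
        last_us = arrival_us
        if tokens >= size * 8:
            tokens -= size * 8
            sent += 1
        else:
            dropped += 1
    return sent, dropped

def shape(trace, cir_bps):
    """Simplified shaper: excess packets wait in a queue and leave at the CIR.
    Nothing is dropped; returns (sent, max_queue_delay_us)."""
    last_finish_us = 0
    max_delay_us = 0
    for arrival_us, size in trace:
        departure_us = max(arrival_us, last_finish_us)
        last_finish_us = departure_us + size * 8 * 1_000_000 // cir_bps
        max_delay_us = max(max_delay_us, departure_us - arrival_us)
    return len(trace), max_delay_us

def bc_bytes_for_tc(cir_bps, tc_ms):
    """Bc (bytes) that enforces cir_bps per interval tc_ms (interval is an assumption)."""
    return cir_bps * tc_ms // 1000 // 8

if __name__ == "__main__":
    trace = constant_rate_trace(10_000_000, 1500, 1_000_000)   # 1 s at 10 Mbps
    print("police, Bc 8388608 B:", police(trace, 8_000_000, 8_388_608))
    print("police, Bc for 25 ms:", police(trace, 8_000_000, bc_bytes_for_tc(8_000_000, 25)))
    print("shape average 8000000:", shape(trace, 8_000_000))
```

With the original 8 MB burst size the policer never drops within a one-second burst, so the 8 Mbps limit is not enforced; with a 25 ms-sized Bc it drops roughly one packet in five, while the shaper delivers everything at the cost of a growing queue delay.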
Here is my new configuration. In the class-default I had to set the limit to 2000 as this is in Kbps, whereas the shape average rate seems to be set in bps. I think this should pretty much cover it. In terms of profiling the traffic with access lists, I'm not sure if I need to, as all traffic that is using the tunnel should be subject to the traffic shaping. Web traffic will have the remaining 2 Mbps when the policy is in effect. Would I need an access list for the web traffic? Thanks for your help :)
You would not need an ACL for the rest of the traffic as class-default is defined as "match any". If you want to separate Web traffic from the other internet traffic (email, dns, ftp, etc.) you would create a separate class for Web and assign resources to it.
The comment about the ACL was only because I do not know whether the ACL IPSEC will describe all IPSec traffic. I am quite sure that an ACL specifying the source IP of the VPN tunnel and the destination IP of the VPN tunnel will match all IPSec traffic. This of course will not be possible for dynamic IP addresses occurring, e.g., with the Cisco VPN client.