New Member

DMVPN and wan connection nat dedicated for FW

Hi

My DMVPN knowledge in relation to specific NAT and bandwidth throttling is kind of rusty, so I would like some advice.

Request: backup firewall. Enable NAT on the gigabit interface (WAN)

to access the Internet, limit connection speed up/down to 50/50Mbit

Basically the request is to divide the 100MBs WAN connection into a 50Mbs firewall. The other 50 Mbs is for the DMVPN, which works perfectly, no issues.

DMVPN: works and is in production.

WAN connection 100MBs

interface GigabitEthernet0/0

LAN: is an RFC 1918 address, /24 subnet

Cisco 2901

IOS: c2900-universalk9-mz.SPA.151-4.M6.bin

3 REPLIES
Cisco Employee

Re: DMVPN and wan connection nat dedicated for FW

Hi,

You need to enable NAT on the LAN-facing interface and the WAN-facing interface. For the bandwidth throttle, you need to apply a policy-map with shaping for Internet traffic. You can shape to 50M for all traffic except DMVPN packets. This policy-map is applied on the WAN-facing interface in the outbound direction.

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

New Member

DMVPN and wan connection nat dedicated for FW

Hi Lei

Thanks for the feedback. I think that I made an error in the configuration mentioned below.

If you have any info in relation to DMVPN and sharing the WAN connection, in relation to good QoS (for spokes for their shared WAN connection DMVPN/Internet and QoS for our hub).

c2900-universalk9-mz.SPA.151-4.M6.bin

Cisco 2901 int gi0/0 WAN 100 Mbs

policy-map FW_
 class class-default
  police 100000000 conform-action transmit exceed-action drop
  service-policy FW_Anubis
exit
!
class-map FW_Anubis
  bandwidth percent 50

Cisco Employee

Re: DMVPN and wan connection nat dedicated for FW

Hi,

The QoS policy should look similar to

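class-map Internet
 match access-group name Internet
policy-map QoS
 class Internet
  shape average 50000000
 class class-default
ip access-list extended Internet
 ! DMVPN DMVPN = placeholder for the source and destination of the DMVPN packets
 deny ip DMVPN DMVPN
 permit ip any any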

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App
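The two replies above combined into one configuration, as an added example that is not part of the original thread: NAT overload for the LAN plus a 50 Mbit/s outbound shaper on the WAN interface that leaves DMVPN packets alone. The LAN interface (GigabitEthernet0/1), the subnet 192.168.10.0/24, the ACL name NAT_LAN and the assumption that the DMVPN is mGRE protected by IPsec are all made up for illustration.

```cisco
! Added example, not from the thread. Assumed: LAN on GigabitEthernet0/1,
! 192.168.10.0/24 (constructed RFC 1918 subnet), DMVPN = mGRE + IPsec
! sourced from GigabitEthernet0/0.
!
ip access-list standard NAT_LAN
 permit 192.168.10.0 0.0.0.255
!
! PAT the LAN behind the WAN address. Traffic routed into the tunnel
! interface never crosses a "nat outside" interface, so it is not translated.
ip nat inside source list NAT_LAN interface GigabitEthernet0/0 overload
!
! A policy on the physical interface classifies tunnel traffic by its
! outer header, so DMVPN is excluded by protocol. A deny entry means
! "do not match this class"; those packets fall through to class-default.
ip access-list extended Internet
 deny   esp any any
 deny   udp any any eq isakmp
 deny   udp any any eq non500-isakmp
 deny   gre any any
 permit ip any any
!
class-map match-all Internet
 match access-group name Internet
!
policy-map QoS
 class Internet
  shape average 50000000
 class class-default
!
interface GigabitEthernet0/1
 description LAN (assumed interface)
 ip nat inside
!
interface GigabitEthernet0/0
 description WAN
 ip nat outside
 service-policy output QoS
```

`show policy-map interface GigabitEthernet0/0` shows whether Internet traffic is landing in the shaped class and DMVPN traffic in class-default, and `show ip nat translations` confirms that only LAN-to-Internet flows are translated. An output policy on the WAN interface limits the upload direction only; the download half of the 50/50 request needs its own policy on traffic leaving the LAN-facing interface.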
